Internet-based clients
You can use Configuration Manager to manage clients on internal networks and clients on
external networks with Internet connectivity. Clients on external networks that have Internet
connectivity are referred to as Internet-based clients. Configuration Manager uses HTTPS to
communicate securely with these clients. To configure a client for Internet-based client
management, you must obtain a computer certificate from a trusted certification authority (CA).
You must also configure the client with the Internet fully qualified domain name (FQDN) of
the management point. After you configure the client, you can manage it as long as the client
retains connectivity to the Internet-facing site systems for its assigned Configuration Manager
site.
To support HTTPS, you need to deploy a certificate from a trusted CA on the
Configuration Manager site systems with which clients communicate. This can be from an
internal CA that the client is configured to trust or from an external trusted CA. When using
an internal enterprise CA, you can use only version 2 templates because Configuration
Manager does not support certificates issued from version 3 and version 4 templates.
Internet-based clients do not support all Configuration Manager features. Specifically,
Configuration Manager does not support the following client features on the Internet:
• Client deployment over the Internet, such as client push and software update-based
  client deployment. Use manual client installation instead.
• Auto-site assignment.
• Network Access Protection (NAP).
• Wake On LAN (WOL).
• Operating system deployment. However, you can deploy task sequences that do not
  deploy an operating system, such as task sequences that run scripts and maintenance
  tasks on clients.
• Remote control.
• Out-of-band management, which enables you to manage the computer before the
  operating system is active.
• Software deployment to users unless the Internet-based management point can
  authenticate the user in AD DS by using Windows authentication (Kerberos
  authentication or Windows NT LAN Manager). This is possible when the Internet-based
  management point trusts the forest in which the user account resides.
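A pre-flight check for the requirements described above, run on a client before manual installation. This is an added example, not from the original text or from Microsoft; the FQDN mp.example.com, the site code XXX, port 443 and TLS 1.2 are assumptions to replace with your own values.

```powershell
# Added example. $MpFqdn and $SiteCode are placeholders (assumptions), not values from the page.
param(
    [string]$MpFqdn   = 'mp.example.com',
    [string]$SiteCode = 'XXX'
)
$ErrorActionPreference = 'Stop'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

# 1. Computer certificate: valid today, private key present, Client Authentication EKU.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No usable client authentication certificate in LocalMachine\My.' }

# 2. Local sanity check that the certificate chains to a trusted CA.
#    The management point must trust the same issuing CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; revocation is not exercised here
if (-not $chain.Build($cert)) {
    throw ('Client certificate chain is not trusted: ' + (($chain.ChainStatus | ForEach-Object Status) -join ', '))
}

# 3. HTTPS handshake with the management point's Internet FQDN, presenting the client certificate.
#    Default validation throws if the site system certificate is untrusted or does not match $MpFqdn.
$tcp = New-Object System.Net.Sockets.TcpClient($MpFqdn, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    [void]$certs.Add($cert)
    $ssl.AuthenticateAsClient($MpFqdn, $certs, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $tcp.Close() }

[pscustomobject]@{
    ClientCertThumbprint = $cert.Thumbprint
    ClientCertExpires    = $cert.NotAfter
    ServerCertSubject    = $serverCert.Subject
    # Auto-site assignment and client push are unavailable, so site code and FQDN are given explicitly.
    InstallCommand       = "ccmsetup.exe /UsePKICert SMSSITECODE=$SiteCode CCMHOSTNAME=$MpFqdn"
}
```

A thrown error at step 1 or 2 points at the client certificate; an error at step 3 points at the site system certificate or at the name the client was given for the management point.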
An alternative to Internet-based client management is to use DirectAccess, a feature
supported for clients running the Enterprise editions of Windows 7, Windows 8, and
Windows 8.1 operating systems. DirectAccess enables clients on the Internet to access
internal network resources through an always-on, computer-authenticated virtual private
network (VPN). DirectAccess has prerequisites, including a requirement that the computers be
domain joined and that you deploy a DirectAccess server. A further alternative is to manage
Internet-based clients by using Intune.
 