Re: SMS 2003 - Clients in DMZ access through Firewall




hello Kim,

I do have a slightly similar problem ......, and wondering whether you can
provide some help...

Here is what I have set it up....

a) created a new forest with a ONE WAY trust to our existing PROD domain SMS
b) new forest does not have WINS, hence there is NO name resolution for MP
c) There are 6 servers in this new domain (four 32 bit servers and two 64
bit servers - all are WIN2K3)
d) SMS 2K3 client code is installed on these servers as part of the server
image
e) Since there is NO WINS, AUTO site code discovery did not work, however
I managed to assign the site code to all the 32 bit servers by using the
script given in KB826852, BUT this script would not work on 64 bit servers!!
:-(

is there any other way that I could manually assign the site code to these 64
bit servers? (My eventual goal is to get all the SMS clients working fine
first and then move this NEW domain behind a firewall, but before that I
want to make sure that everything works before I put the firewall between the
DMZ (new domain) and my Prod SMS)

Also, how do I hardcode the MP into the clients' WMI?


Appreciate your assistance

Regards
manoj


"Kim Oppalfens" wrote:


In article <C89955BD-5DD3-423D-BC93-A47188147917@xxxxxxxxxxxxx>,
HerbertPeil@xxxxxxxxxxxxxxxxxxxxxxxxx says...
Hi,
I want to connect our WinXP home office (workgroup PCs) to SMS 2003 SP1.

The XP clients connect directly through a VPN tunnel to the DMZ. The SMS
primary site server (SMS 2003 SP1) is in the private network with a W2K domain
(AD and DNS).
How can I solve this?

1. I want to distribute software to the clients.
2. Inventory should function.
3. And I want to use Remote Control or Remote Assistance.

Some ideas:
The clients are in a workgroup, so I have to use the Advanced Client
(SMS 2003 SP1 supports only Advanced Clients).

Do I need a secondary site or another primary site?
Where should the 2nd site be: DMZ or private network?
Where should the MP and DP for these clients be?

Please help

Thank you

Herbert



Ok, I have been meaning to test this for quite a while but haven't found
the time to do so, so if you go this route keep in mind that you are
"guinea pigging" for me. (I would appreciate success or failure reports
:)

If I understand correctly, once the tunnel is open the clients are
actually in the DMZ.

I believe that it should be feasible to have DMZ clients working with
opening up just one port, and that is TCP port 80 by default,
which should be open from all IPs in the DMZ to all SMS distribution
points & the SMS management point.

To be able to get away with just opening one port there are some things
you will have to do though.

First of all, all your software distributions will have to be Download &
Execute (this way they use BITS & by consequence port 80 communication).

Since these clients will not be able to query Active Directory for the
correct MP, nor will they have access to WINS, you will have to hardcode
the site code for the client (which is easy enough). And you will have to
hardcode the management point in WMI; check the root\ccm namespace on a
client, more specifically you will have to set the CurrentManagementPoint
attribute in the SMS_AuthorityNamespace.

And since we are talking workgroup, you obviously need to have an
Advanced Client Network Access Account configured.

Using a secondary site in a DMZ doesn't sound like a good plan to me,
since you would have to open up the file & print sharing ports on the
firewall for the 2 to communicate, and that would be a no-go if I was a
member of your security department.


--
Kim Oppalfens
MVP SMS
Computacenter Belgium
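The two manual steps Kim describes (assign the site code, then pin the MP in the root\ccm namespace) as an added PowerShell example; this is not code from the thread or from KB826852. Assumed names: site code "XXX", MP "mp01.dmz.example", the Microsoft.SMS.Client COM object for site assignment, and the class SMS_Authority (the post calls it SMS_AuthorityNamespace); it also assumes the client COM object is 32-bit, so on the x64 servers it must be run from the 32-bit script host.

```powershell
# Added example, not from the thread. Assigns the site code and hardcodes the
# management point on an SMS 2003 Advanced Client that has no AD/WINS lookup.
# Assumption: the SMS client COM object is 32-bit, so on x64 hosts run this from
# %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (or 32-bit cscript).
param(
    [string]$SiteCode = 'XXX',              # assumed site code
    [string]$MpFqdn   = 'mp01.dmz.example'  # assumed MP name reachable over TCP 80
)

# Step 1: site assignment through the client COM object (assumed API).
$client = New-Object -ComObject 'Microsoft.SMS.Client'
$client.SetAssignedSite($SiteCode)
$assigned = $client.GetAssignedSite()
if ($assigned -ne $SiteCode) {
    throw "Site assignment failed: client reports '$assigned', expected '$SiteCode'"
}

# Step 2: hardcode the MP by writing CurrentManagementPoint on the
# SMS_Authority instance for this site in root\ccm (assumed class name).
$auth = Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Authority' |
        Where-Object { $_.Name -eq "SMS:$SiteCode" }
if (-not $auth) {
    throw "No SMS_Authority instance named 'SMS:$SiteCode' in root\ccm"
}
$auth.CurrentManagementPoint = $MpFqdn
$auth.Put() | Out-Null

# Step 3: read back what the client will actually use, so the values can be
# checked before the firewall goes between the DMZ and the site server.
Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Authority' |
    Select-Object Name, CurrentManagementPoint
```

Run it under an account with local admin rights on the client; if the read-back still shows the old MP after the client restarts, the client is re-discovering it and the value did not stick.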



