Manage CM Clients on DMZ

Ranjithkumar Duraisamy 231 Reputation points
2022-08-03T19:50:15.43+00:00

Hello, I'm trying to make the clients in the DMZ talk to the site server. I thought the other prerequisites like ports and the agent were fine, but the clients are still missing a PKI cert. Could you please help with an appropriate way to get PKI certs for DMZ clients?

Microsoft Security | Intune | Configuration Manager | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups

10 answers

Sort by: Most helpful
  1. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2022-08-03T21:15:38.21+00:00

    PKI certificate issuance is a separate task from ConfigMgr and highly depends upon your PKI infrastructure. Without knowing all of the details of your PKI, not a whole lot can be said, i.e., this is almost certainly much bigger than a simple forum post could or should handle. I've added the Windows Server Security tag as well for visibility, because as noted, this isn't specific to ConfigMgr.

    One additional note here is that there's nothing special about managed systems in a DMZ from a ConfigMgr perspective that requires them to use HTTPS communication. Thus, unless you already require HTTPS communication for all managed clients, you may not need to worry about this.

    1 person found this answer helpful.

  2. Limitless Technology 39,926 Reputation points
    2022-08-05T15:27:05.377+00:00

    Hi there,

    Please check this,

    · Internet-based site systems must be in a domain, but if they are in a DMZ there doesn’t have to be a trust relationship between their forest and the intranet.
    · The IBCM site must be a primary site.

    The PKI certificates are an external dependency, just like Active Directory is an external dependency for the site systems - and we similarly don’t document how to design Active Directory or configure domain controllers.

    You can refer to the article below, which sheds some insight on this.
    PKI certificates needed for the DMZ server https://social.technet.microsoft.com/Forums/en-US/33d69f45-6b05-4f91-80ea-16691131a4f8/pki-certificates-needed-for-the-dmz-server?forum=configmgrgeneral

    I hope this information helps. If you have any questions please let me know and I will be glad to help you out.


    1 person found this answer helpful.

  3. Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
    2022-08-10T17:17:42.31+00:00

    Based on the above, the client does not have a valid client certificate. Without seeing the entire log file for each of these, I can't say much more. Also, keep in mind that these are text log files, so posting screenshots of text files makes helping you more difficult. I do suggest that you open a support case for further help, though, as I probably won't be able to review full log files.

    1 person found this answer helpful.

  4. Ranjithkumar Duraisamy 231 Reputation points
    2022-08-04T08:59:47.367+00:00

    Hi @Jason Sandys, thank you so much for your valuable response. Yes, I agree with your points, and I was a bit hesitant to post this thread before, but I thought I'd give it a good start to clarify the path I'm proceeding with.

    If I'm correct, the PKI infrastructure is set up to issue certs to domain-joined clients only, and it may need a new template to issue certs to workgroup clients. Let me follow the thread to understand whether that's correct or a different approach needs to be followed.

    And Yes, ConfigMgr is set to use HTTPS only using internal PKI.


  5. Simon Ren-MSFT 40,341 Reputation points Microsoft External Staff
    2022-08-05T08:09:14.397+00:00

    Hi @Ranjithkumar Duraisamy ,

    Thanks for your reply.

    I agree with @Jason Sandys here; it's really dependent on your PKI and its configuration. You could try to create a workgroup certificate template. Similar threads for your reference:

    SCCM – Certificates for Windows Workgroup Clients
    Issue PKI cert to Non-Domain joined DMZ
    SCCM Workgroup Clients with PKI
    Note: The non-Microsoft links are just for your reference.

    Hope it helps. Thanks for your time.

    Best regards,
    Simon

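The checks behind Jason's "the client does not have a valid client certificate" and Simon's suggestion of a workgroup certificate template, as an added example that is not part of the thread or of any Microsoft documentation. It is a PowerShell script run on the DMZ client itself: the first function lists every certificate in the computer's Personal store and reports why ConfigMgr HTTPS mode would or would not accept it (Client Authentication EKU, private key present, not expired, chain builds to a trusted root); the second writes a certreq INF and generates a request, since a workgroup machine cannot autoenroll. The host name dmzweb01.dmz.example.com, the template name ConfigMgrWorkgroupClient, the CA name shown in the comments, and the output path are all assumptions, not values from the thread.

```powershell
# Added example, not from the thread. Run on the DMZ (workgroup) client in an elevated session.
# Assumed/hypothetical values: host dmzweb01.dmz.example.com, template ConfigMgrWorkgroupClient,
# CA "ca01.corp.example.com\Corp Issuing CA".

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required by ConfigMgr for client certs

function Test-CMClientCert {
    # Reports every cert in Cert:\LocalMachine\My with the reasons ConfigMgr would reject it.
    param([string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry('').HostName)

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $reasons = New-Object System.Collections.Generic.List[string]

        # Client Authentication must appear in the EKU extension (or the cert has no EKU at all).
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
        if ($ClientAuthOid -notin $ekus)    { $reasons.Add("no Client Authentication EKU ($ClientAuthOid)") }
        if (-not $cert.HasPrivateKey)       { $reasons.Add('no private key in the machine store') }
        if ($cert.NotAfter -lt (Get-Date))  { $reasons.Add("expired on $($cert.NotAfter)") }

        # The chain must build to a root this machine trusts; a workgroup host does not get the
        # enterprise root pushed by Group Policy, so this is the usual failure in a DMZ.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$ClientAuthOid)
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
            $reasons.Add("chain does not build: $status")
        }

        # ConfigMgr only needs a unique subject, but the FQDN is the recommended value; report it.
        $names = @($cert.Subject) + @($cert.DnsNameList | ForEach-Object Punycode)
        $nameMatches = [bool]($names -match [regex]::Escape($ExpectedFqdn))

        [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            NameMatchesHost = $nameMatches
            Usable          = ($reasons.Count -eq 0)
            Reasons         = ($reasons -join '; ')
        }
    }
}

function New-CMClientCertRequest {
    # Writes a certreq INF for a machine-key client-auth cert and creates the PKCS#10 request.
    # Template and FQDN are assumptions; use the names from your own PKI.
    param(
        [string]$Fqdn     = 'dmzweb01.dmz.example.com',
        [string]$Template = 'ConfigMgrWorkgroupClient',
        [string]$OutDir   = "$env:ProgramData\CMCertRequest"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $inf = Join-Path $OutDir 'client.inf'
    $req = Join-Path $OutDir 'client.req'

    @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = $ClientAuthOid

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    # Generates the key pair in the machine store and the request file; nothing leaves the host yet.
    certreq.exe -new $inf $req | Out-Null
    return $req
}

# Usage:
#   Test-CMClientCert | Format-Table -AutoSize
#   $req = New-CMClientCertRequest
#   Copy client.req to a domain-joined host and submit it there (the workgroup box has no
#   DCOM path to the CA), then copy client.cer back and install it against the pending key:
#     certreq -submit -config "ca01.corp.example.com\Corp Issuing CA" client.req client.cer
#     certreq -accept client.cer
#   The issuing chain must also be imported into Cert:\LocalMachine\Root on the DMZ client,
#   otherwise Test-CMClientCert will still report "chain does not build".
```

The script deliberately does not mark a subject-name mismatch as a failure: ConfigMgr accepts any unique subject, so a mismatch is something to look at rather than the reason the client is rejected. When `Test-CMClientCert` shows a usable certificate but ClientIDManagerStartup.log still complains, the next thing to compare is the management point's own certificate and trusted root, which this script does not cover.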
