Manage CM Clients on DMZ

PKI certificate issuance is a separate task from ConfigMgr and highly depends upon your PKI infrastructure. Without knowing all of the details of your PKI, not a whole lot can be said, i.e., this is almost certainly much bigger than a simple forum post could or should handle. I've added the Windows Server Security tag as well for visibility, because as noted, this isn't specific to ConfigMgr.

One additional note here is that there's nothing special about managed systems in a DMZ from a ConfigMgr perspective that requires them to use HTTPS communication. Thus, unless you already require HTTPS communication for all managed clients, you may not need to worry about this.

Hi there,

Please check this,

· Internet-based site systems must be in a domain, but if they are in a DMZ there doesn’t have to be a trust relationship between their forest and the intranet.
· The IBCM site must be a primary site.

The PKI certificates are an external dependency, just like Active Directory is an external dependency for the site systems - and we similarly don’t document how to design Active Directory or configure domain controllers.

You can refer the below article which sheds some insights about this .
PKI certificates needed for the DMZ server https://social.technet.microsoft.com/Forums/en-US/33d69f45-6b05-4f91-80ea-16691131a4f8/pki-certificates-needed-for-the-dmz-server?forum=configmgrgeneral

I hope this information helps. If you have any questions please let me know and I will be glad to help you out.

-----------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer--

Based on the above, the client does not have a valid client certificate. Without seeing the entire log file for each of these, I can't say much more. Also, keep in mind that these are text log files, so posting screenshots of text files make helping you more difficult. I do suggest that you open a support case for further help though as I probably won't be able to review full log files.

Hi @Jason Sandys , Thank you so much for your valuable response. Yes, I do agree your points and I was bit hesitant to post this thread before but thought of giving a good start to clarify the path I'm proceeding with.

If I'm correct PKI Infrastructure is setup to issue CERT to domain joined clients only and It may need new template to issue CERTs to workgroup clients. Let me follow the thread to understand if that's correct or different approach needs to be followed.

And Yes, ConfigMgr is set to use HTTPS only using internal PKI.

Hi @Ranjithkumar Duraisamy ,

Thanks for your reply.

Agree with @Jason Sandys here, it's really dependent on your PKI and its configuration. You could try to create Workgroup Certificate Template. Similar threads for your reference:

SCCM – Certificates for Windows Workgroup Clients
Issue PKI cert to Non-Domain joined DMZ
SCCM Workgroup Clients with PKI
Note: The non-Microsoft links are just for your reference.

Hope it helps. Thanks for your time.

Best regards,
Simon

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.