SCCM Remote Control needed in an isolated environment

We already have a Stand Alone Primary Site and multiple DPs. However, there is a proposed restricted environment being set up which needs a dedicated layered network. This is based on a Network Layering Concept. This network segmentation concept is based on the logical/physical segmentation reference architecture from IEC 62443 (ANSI/ISA-99), and the goal is to maintain segregation of the dedicated systems to prevent (un)intentional interference of independent systems. Systems will be assigned to security zones where defined security measures are employed to achieve the desired target security level.

We have Layer 4, Layer 3.5 and subsequently Layers 3, 2, and 1. And basically Layers 3, 2, and 1 are part of a controlled environment.

The Primary Site and existing Infra is in Layer 4. The Common Services like DNS, AD, etc. are in Layer 3.5, and there is bi-directional communication allowed between Layer 4 and Layer 3.5. However, only Layer 3.5 and Layer 3 have bi-directional communication allowed between them, but not beyond Layer 3. Also, Layer 3 can communicate with Layer 2 but not the other way around. And similarly for Layer 2 and Layer 1.

So in this context, we've been asked to suggest a solution for implementing SCCM Remote Control in the controlled environment (Layers 3, 2, and 1). What would be the minimum considerations to make this possible? Per my understanding, SCCM Remote Control gets enabled through a Client Settings policy for which we would need the client and Management Point communication to be established (over port 80).
Once this is in place we would need the ports opened like 2701 between SCCM Console and client.
And hence it would be ideal to place the MP in Layer 3.5 and the clients in Layer 3 would be able to be managed accordingly. If there are clients to be administered in Layers 2 and 3 we might need the communication allowed on ports 80 and 2701 to MP (in layer 3.5). Does this sound reasonable given the requirements? Any corrections, suggestions would be appreciated.

Thank You.

  1. Jason Sandys 31,181 Reputation points Microsoft Employee

    Without a more detailed interaction and knowledge, I won't even begin to address your design as that should be done by someone you bring in and pay for professional advice and not in a social channel.

    However, the requirements in ConfigMgr are clear. The client agent must be able to communicate with an MP over TCP port 80 or 443 if you are using HTTPS client communication although these are customizable.

    For remote control, the requirement is also clear but is completely unrelated to your MP as you've called out. It is TCP port 2701 from/to the system running the remote-control viewer app (which is typically launched from the console) to the system being remote controlled. The console and remote-control viewer app can be installed anywhere so you need to take this into account.

    How you route and allow that traffic is based on your network design and not ConfigMgr.
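The two flows named in this thread (client to MP on TCP 80 or 443 for client policy, and viewer host to client on TCP 2701 for remote control) can be checked from the originating host before and after the segment firewalls are changed. The script below is an added example, not code from the question or the answer; the host names are placeholders, and it uses only the Test-NetConnection, Get-NetTCPConnection and Get-NetFirewallPortFilter cmdlets that ship with Windows.

```powershell
# Added example (not from the thread). Checks the TCP flows the thread names
# from the host this runs on. Host names are placeholders; replace them with
# the real FQDNs of the MP in Layer 3.5 and the managed client in Layer 3.
$Flows = @(
    @{ Name = 'Client -> MP (policy, HTTP)';   Target = 'mp.layer35.example';     Port = 80   },
    @{ Name = 'Client -> MP (policy, HTTPS)';  Target = 'mp.layer35.example';     Port = 443  },
    @{ Name = 'Viewer -> Client (remote ctl)'; Target = 'client.layer3.example';  Port = 2701 }
)

function Test-RequiredFlow {
    param([Parameter(Mandatory)][hashtable]$Flow)
    # Test-NetConnection completes a TCP handshake from THIS host, so run the
    # 80/443 rows on a client and the 2701 row on the machine that will launch
    # the remote-control viewer (the console host, or wherever the viewer lives).
    $r = Test-NetConnection -ComputerName $Flow.Target -Port $Flow.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Flow      = $Flow.Name
        Target    = $Flow.Target
        Port      = $Flow.Port
        Reachable = $r.TcpTestSucceeded
        SourceIP  = $r.SourceAddress.IPAddress
    }
}

$results = $Flows | ForEach-Object { Test-RequiredFlow -Flow $_ }
$results | Format-Table -AutoSize

# Run on the managed client itself, after the Remote Tools client setting has
# applied: a listener on 2701 is the observable effect of that policy, and the
# matching inbound firewall rule must exist for the viewer to connect.
Write-Host "`nListeners on TCP 2701:"
Get-NetTCPConnection -LocalPort 2701 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

Write-Host "`nInbound firewall rules covering local port 2701:"
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 2701 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Profile, Action
```

A row with `Reachable = False` from the viewer host shows that the Layer 3.5/Layer 3 boundary (or a lower one) is blocking 2701 in the direction the viewer needs, independently of whether the client can still reach its MP; the two failures have different owners, which is the distinction the answer draws.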

