We're already having a Stand Alone Primary Site and multiple DPs. However, there is a proposed restricted environment being set up which needs a dedicated layered network. This is based on a Network Layering Concept. This network segmentation concept is based on the logical/physical segmentation reference architecture from IEC 62443 (ANSI/ISA-99), and the goal is to maintain segregation of the dedicated systems to prevent (un)intentional interference of independent systems. Systems will be assigned to security zones where defined security measures are employed to achieve the desired target security level.
We have Layer 4, Layer 3.5 and subsequently Layers 3, 2, and 1. And basically Layers 3, 2, and 1 are part of a controlled environment.
The Primary Site and existing Infra are in Layer 4. The Common Services like DNS, AD, etc. are in Layer 3.5, and there is bi-directional communication allowed between Layer 4 and Layer 3.5. However, only Layer 3.5 and Layer 3 have bi-directional communication allowed between them, but not beyond Layer 3. Also, Layer 3 can communicate with Layer 2 but not the other way around. And similar for Layer 2 and Layer 1.
So in this context, we've been asked to suggest a solution for implementing SCCM Remote Control in the controlled environment (Layers 3, 2, and 1). What would be the minimum considerations to make this possible? Per my understanding, SCCM Remote Control gets enabled through a Client Settings policy for which we would need the client and Management Point communication to be established (over port 80).
Once this is in place we would need ports such as 2701 opened between the SCCM Console and the client.
Hence it would be ideal to place the MP in Layer 3.5, and the clients in Layer 3 would then be able to be managed accordingly. If there are clients to be administered in Layers 2 and 3 we might need the communication allowed on ports 80 and 2701 to the MP (in Layer 3.5). Does this sound reasonable given the requirements? Any corrections, suggestions would be appreciated.
Thank You.
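To make the directional rules in the post concrete, here is an added example (not from the post, and not SCCM's own code) that encodes the layer boundaries as described and checks which of the proposed client-to-MP (port 80) and console-to-client (port 2701) connections a hop-by-hop reading of those rules permits. It assumes that a multi-hop flow is allowed only when every adjacent boundary on its path permits that initiation direction; the layer labels and the flow list are constructed from the post's description.

```python
from dataclasses import dataclass

# Layers from the enterprise side (L4) down to the most restricted zone (L1), as in the post.
LAYER_ORDER = ["L4", "L3.5", "L3", "L2", "L1"]

# Which side may initiate a connection across each adjacent boundary, transcribed
# from the post; bi-directional boundaries appear twice. Assumption (not stated in
# the post): a multi-hop flow is permitted only if every boundary on its path allows
# that initiation direction.
ALLOWED_INITIATIONS = {
    ("L4", "L3.5"), ("L3.5", "L4"),   # Layer 4 <-> Layer 3.5
    ("L3.5", "L3"), ("L3", "L3.5"),   # Layer 3.5 <-> Layer 3
    ("L3", "L2"),                     # Layer 3 -> Layer 2 only
    ("L2", "L1"),                     # Layer 2 -> Layer 1 only
}

@dataclass(frozen=True)
class Flow:
    name: str       # what the flow is for
    initiator: str  # layer that opens the TCP connection
    responder: str  # layer that listens
    port: int       # TCP port from the post (80 client->MP, 2701 console->client)

def hops(src: str, dst: str) -> list:
    """Adjacent-boundary crossings a connection from src to dst must traverse."""
    i, j = LAYER_ORDER.index(src), LAYER_ORDER.index(dst)
    seq = LAYER_ORDER[i:j + 1] if i <= j else LAYER_ORDER[j:i + 1][::-1]
    return list(zip(seq, seq[1:]))

def check_flow(flow: Flow):
    """Return (allowed, blocking_hop); blocking_hop is None when the flow is allowed."""
    for hop in hops(flow.initiator, flow.responder):
        if hop not in ALLOWED_INITIATIONS:
            return False, hop
    return True, None

# Flows proposed in the post: MP in Layer 3.5, console in Layer 4, clients in Layers 3 and 2.
PROPOSED_FLOWS = [
    Flow("L3 client -> MP (client policy)", "L3", "L3.5", 80),
    Flow("console -> L3 client (remote control)", "L4", "L3", 2701),
    Flow("L2 client -> MP (client policy)", "L2", "L3.5", 80),
    Flow("console -> L2 client (remote control)", "L4", "L2", 2701),
]

def evaluate(flows) -> dict:
    """Map each flow name to its (allowed, blocking_hop) verdict."""
    return {f.name: check_flow(f) for f in flows}

if __name__ == "__main__":
    for name, (ok, hop) in evaluate(PROPOSED_FLOWS).items():
        where = f" at {hop[0]}->{hop[1]}" if hop else ""
        print(f"{'ALLOWED' if ok else 'BLOCKED':7} {name}{where}")
```

Running it shows that, under the rules as stated, the console can reach a Layer 2 client on 2701 but the Layer 2 client's own policy connection to the MP is stopped at the Layer 2 -> Layer 3 boundary, which is the point to settle with the network team before placing clients below Layer 3.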