All server placement references below refer to a primary site only; secondary sites do not support Internet-based client management.
Server Placement for Sites that Do Not Need to Also Manage Intranet Client
If the Configuration Manager 2007 site does not need to support both Internet clients and intranet clients, Scenarios 1 and 2 in the following table are applicable. The following table lists the advantages and disadvantages of these scenarios and the related server placement.
Scenario to support Internet clients only | Advantage | Disadvantage | Server Placement |
Scenario 1: All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. The site server is in the intranet: · The management point that supports Internet-based clients communicates directly with the SQL server in the intranet. | The site server is protected from Internet traffic by being in the intranet. There is no SQL Server replica to configure and no associated replication latency. | The back-end firewall requires some configuration to allow SQL traffic and Server Message Block (SMB) traffic. The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration than if the connection is initiated from the intranet. A server configured with the software update point role that needs to synchronize software update metadata with an active software update point in a parent site in the intranet requires that the back-end firewall is configured to allow inbound HTTPS/HTTP. To prevent these in-bound connections, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import. | Perimeter Network: · Internet-based management point · Internet-based fallback status point · Internet-based distribution points · Internet-based software update point Intranet: · Site server · SQL Server (can be running on the site server) |
Scenario 1: All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. The site server is in the intranet: · The management point that supports Internet-based clients communicates with a SQL server replica in the perimeter network. | The site server is protected from Internet traffic by being in the intranet. The SQL replica means that all the connections from the perimeter network to the intranet are initiated from the intranet, which is more secure than being initiated from the perimeter network. | The back-end firewall requires some configuration to allow SQL traffic and SMB traffic. SQL replica requires a server with associated costs, and there will be some replication latency between the replica and the site server. A server configured with the software update point role that needs to synchronize software update metadata with an active software update point in a parent site in the intranet requires that the back-end firewall is configured to allow inbound HTTPS/HTTP. To prevent these in-bound connections, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import. | Perimeter Network: · Internet-based management point · Internet-based fallback status point · Internet-based distribution points · Internet-based software update point · SQL Server configured for replication Intranet: · Site server · SQL Server (can be running on the site server) |
Scenario 2: The Internet-based site is contained within the perimeter network: · This site is a child site of your Configuration Manager 2007 hierarchy. | No Internet traffic is passing to the intranet. Just one configuration is required on the back-end firewall from the child site server to parent site server. Supports centralized management and reporting. | The site server is more vulnerable to attacks from the Internet than if it was located in the intranet. Requires the back-end firewall to be configured to allow inbound SMB traffic. A server configured with the software update point role that needs to synchronize software update metadata with an active software update point in the parent site requires that the back-end firewall is configured to allow inbound HTTPS/HTTP. Alternatively, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import. | Perimeter Network: · Internet-based management point · Internet-based fallback status point · Internet-based distribution points · Internet-based software update point Intranet: · None |
Scenario 2: The Internet-based site is contained within the perimeter network: · This site is the only site in your Configuration Manager 2007 hierarchy. | No Internet traffic is passing to the intranet. Nothing to configure on the back-end firewall. | The site server is more vulnerable to attacks from the Internet than if it was located in the intranet. No support for centralized management and reporting. | Perimeter Network: · Internet-based management point · Internet-based fallback status point · Internet-based distribution points · Internet-based software update point Intranet: · None |
Server Placement for Sites that Manages Clients on the Internet and the Intranet
If the Configuration Manager 2007 site needs to support both Internet clients and intranet clients, Scenarios 3 and 4 in the following table are applicable. The following table lists the advantages and disadvantages of these scenarios and the related server placement.
Scenario to support clients on the Internet and on the intranet | Advantage | Disadvantage | Server Placement |
Scenario 3: The site spans the perimeter network and intranet. All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. There is a second management point (and second software update point and fallback status point, and additional distribution points) and other site systems that are in the intranet for clients connecting on the intranet: · The management point that supports Internet-based clients communicates directly with the SQL server in the intranet. · To prevent in-bound connections from the Internet-based software update point to the active software update point, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import. | The site server is protected from Internet traffic by being in the intranet. The assigned management point, and other site systems that intranet clients connect to, are separated from Internet traffic. There is no SQL Server replica to configure and no associated replication latency. | More servers are required for the Internet-based connections, with associated costs. The manual export and import of software updates metadata incurs administrative overhead. The back-end firewall requires some configuration to allow SQL traffic and SMB traffic. The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration than if the connection is initiated from the intranet. | Perimeter Network: · Internet-based management point · Internet-based fallback status point · Internet-based distribution points · Internet-based software update point Intranet: · Site server · SQL Server (can be running on the site server) · Fallback status point · Distribution points · Software update point · All other site systems |
Scenario 3: The site spans the perimeter network and intranet. All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. There is a second management point (and second software update point and fallback status point, and additional distribution points) and other site systems that are in the intranet for clients connecting on the intranet: · The management point that supports Internet-based clients communicates with a SQL server replica in the perimeter network. · To prevent in-bound connections from the Internet-based software update point to the active software update point, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import. | The site server is protected from Internet traffic by being in the intranet. The assigned management point, and other site systems that intranet clients connect to, are separated from Internet traffic. The SQL replica means that all the connections from the perimeter network to the intranet are initiated from the intranet, which is more secure than being initiated from the perimeter network. | More servers are required for the Internet-based connections, with associated costs. The manual export and import of software updates metadata incurs administrative overhead. The back-end firewall requires some configuration to allow SQL traffic and SMB traffic. | Perimeter Network: · Internet-based management point · Internet-based fallback status point · Internet-based distribution points · Internet-based software update point · SQL Server Intranet: · Site server · SQL Server (can be running on the site server) · Fallback status point · Distribution points · Software update point · All other site systems |
Scenario 4: The site bridges the perimeter network and intranet: · Internet-based site systems have two network cards. | Fewer servers to configure and maintain for both intranet connections and Internet connections. The site server is protected from Internet traffic by being in the intranet. There is no SQL Server replica to configure and no associated replication latency. | There is no security boundary between the perimeter network and the intranet, which is not a recommended solution. The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration. | Perimeter Network: · Internet-based management point · Internet-based fallback status point · Internet-based distribution points · Internet-based software update point Intranet: · Same site systems as on the perimeter network because they are on both networks · Site server · SQL Server (can be running on the site server) · All other site systems |
Scenario 4: The site bridges the perimeter network and intranet: · Internet-based site systems are in the intranet and can accept both Internet connections and intranet connections. | Fewer servers to configure and maintain for both intranet connections and Internet connections. The site server is protected from Internet traffic by being in the intranet. There is no SQL Server replica to configure and no associated replication latency. | Requires a reverse proxy configuration between the perimeter network and the intranet so that the Internet-based site systems on the intranet are published to Internet clients. Internet clients are traversing a security boundary to make connections to servers on the intranet. You can help mitigate this threat by using SSL bridging rather than SSL tunneling on the proxy server. For more information, see Determine Requirements for Proxy Web Servers to Use With Internet-Based Client Management. | Perimeter Network: · None Intranet: · Internet-based management point · Internet-based fallback status point · Internet-based distribution points · Internet-based software update point · All other site systems |
Scenario 4: The site bridges the perimeter network and intranet: · Internet-based site systems are in the perimeter network and can accept both Internet connections and intranet connections. | Fewer servers to configure and maintain for both intranet connections and Internet connections. The site server is protected from Internet traffic by being in the intranet. There is no SQL Server replica to configure and no associated replication latency. | Intranet clients are traversing a security boundary to make connections to servers that are exposed to Internet traffic. The back-end firewall requires some configuration to allow SQL traffic and SMB traffic. The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration. | Perimeter Network: · Internet-based management point · Internet-based fallback status point · Internet-based distribution points · Internet-based software update point Intranet: · Site server · SQL Server (can be running on the site server) · All other site systems |
No comments:
Post a Comment