Showing posts with label SCCM Designing Requests.

Thursday, August 18, 2011

Choose SCCM DP Vs Secondary site Vs BDP

1) Implementing the Secondary site

Pros:

- Traffic can be compressed, scheduled, throttled and rate-limited on the address
- Secondary sites do not require additional Configuration Manager 2007 server licenses.
- Secondary sites do not require an additional SQL Server database at the secondary site.
- Clients can be managed across a slow network link, such as a wide area network (WAN) connection between sites, without the need to configure client agent settings.
- Secondary sites can have management points (called proxy management points) to help prevent client reporting information, such as inventory reports and status messages, from traversing slow network connections to the primary site.
- Remote sites can be managed centrally from a parent primary site without the need for an on-site administrator at the secondary site. Less administration compared with primary sites; after client push is enabled, the client binaries can be pushed from here.

Cons:

- Requires a server OS

Recommendations: the direct links from Microsoft are below

http://technet.microsoft.com/en-us/library/bb680869.aspx

http://technet.microsoft.com/en-us/library/bb693570.aspx

http://technet.microsoft.com/en-us/library/bb680853.aspx

2) Implementing the Distribution points

Pros:

- Distribution points can be configured as protected DPs
- DP groups can be configured for easy selection of DPs

Cons:

- Content is always sent to a DP as an SMB copy, which cannot be scheduled, compressed or throttled.
- Requires a server OS and drive space
- Up to 100 per site, each capable of supporting up to 4,000 clients

 


Recommendations: the direct links from Microsoft are below

http://technet.microsoft.com/en-us/library/bb680869.aspx

http://technet.microsoft.com/en-us/library/bb693570.aspx

http://technet.microsoft.com/en-us/library/bb680853.aspx

3) Implementing the BDPs

Pros:

- Can be configured on any SCCM client OS (server and workstation systems)
- Communication happens over BITS and can be resumed
- The Computer Client Agent properties can be configured with a BITS throttling period
- Content can be set to download on demand for clients
- Can have multiple BDPs
- Fits branch offices with 2 to 100 systems
- Downloads the package from a standard DP

Cons:

- Branch distribution points cannot be placed on server shares

Limitations:

- Up to 2,000 per site, each capable of supporting up to 100 clients

 

Recommendations: the direct links from Microsoft are below

http://technet.microsoft.com/en-us/library/bb680869.aspx

http://technet.microsoft.com/en-us/library/bb693570.aspx

http://technet.microsoft.com/en-us/library/bb680853.aspx

 

My recommendations are:

Number of systems    Recommended role
50 – above 150       DP, if you don't care about upstream and downstream bandwidth
2 - 100              BDP (protected)
100 and above        Secondary site

If there are fewer than 100 systems, just go for the BDP role on a server-based OS.

Thursday, March 17, 2011

Determine Server Placement for Internet-Based Client Management - IBC

All server placement references below refer to a primary site only; secondary sites do not support Internet-based client management.

Server Placement for Sites that Do Not Need to Also Manage Intranet Client

If the Configuration Manager 2007 site does not need to support both Internet clients and intranet clients, Scenarios 1 and 2 in the following table are applicable. The following table lists the advantages and disadvantages of these scenarios and the related server placement.

 

For each scenario that supports Internet clients only, the advantages, disadvantages and resulting server placement are listed.

Scenario 1: All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. The site server is in the intranet:
- The management point that supports Internet-based clients communicates directly with the SQL server in the intranet.

Advantages:
- The site server is protected from Internet traffic by being in the intranet.
- There is no SQL Server replica to configure and no associated replication latency.

Disadvantages:
- The back-end firewall requires some configuration to allow SQL traffic and Server Message Block (SMB) traffic.
- The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration than if the connection is initiated from the intranet.
- A server configured with the software update point role that needs to synchronize software update metadata with an active software update point in a parent site in the intranet requires that the back-end firewall is configured to allow inbound HTTPS/HTTP. To prevent these inbound connections, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

Server placement:
- Perimeter network: Internet-based management point, Internet-based fallback status point, Internet-based distribution points, Internet-based software update point
- Intranet: site server, SQL Server (can be running on the site server)

Scenario 1: All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. The site server is in the intranet:
- The management point that supports Internet-based clients communicates with a SQL server replica in the perimeter network.

Advantages:
- The site server is protected from Internet traffic by being in the intranet.
- The SQL replica means that all the connections from the perimeter network to the intranet are initiated from the intranet, which is more secure than being initiated from the perimeter network.

Disadvantages:
- The back-end firewall requires some configuration to allow SQL traffic and SMB traffic.
- The SQL replica requires a server with associated costs, and there will be some replication latency between the replica and the site server.
- A server configured with the software update point role that needs to synchronize software update metadata with an active software update point in a parent site in the intranet requires that the back-end firewall is configured to allow inbound HTTPS/HTTP. To prevent these inbound connections, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

Server placement:
- Perimeter network: Internet-based management point, Internet-based fallback status point, Internet-based distribution points, Internet-based software update point, SQL Server configured for replication
- Intranet: site server, SQL Server (can be running on the site server)

Scenario 2: The Internet-based site is contained within the perimeter network:
- This site is a child site of your Configuration Manager 2007 hierarchy.

Advantages:
- No Internet traffic is passing to the intranet.
- Just one configuration is required on the back-end firewall, from the child site server to the parent site server.
- Supports centralized management and reporting.

Disadvantages:
- The site server is more vulnerable to attacks from the Internet than if it was located in the intranet.
- Requires the back-end firewall to be configured to allow inbound SMB traffic.
- A server configured with the software update point role that needs to synchronize software update metadata with an active software update point in the parent site requires that the back-end firewall is configured to allow inbound HTTPS/HTTP. Alternatively, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

Server placement:
- Perimeter network: Internet-based management point, Internet-based fallback status point, Internet-based distribution points, Internet-based software update point
- Intranet: none

Scenario 2: The Internet-based site is contained within the perimeter network:
- This site is the only site in your Configuration Manager 2007 hierarchy.

Advantages:
- No Internet traffic is passing to the intranet.
- Nothing to configure on the back-end firewall.

Disadvantages:
- The site server is more vulnerable to attacks from the Internet than if it was located in the intranet.
- No support for centralized management and reporting.

Server placement:
- Perimeter network: Internet-based management point, Internet-based fallback status point, Internet-based distribution points, Internet-based software update point
- Intranet: none

Server Placement for Sites that Manage Clients on the Internet and the Intranet

If the Configuration Manager 2007 site needs to support both Internet clients and intranet clients, Scenarios 3 and 4 in the following table are applicable. The following table lists the advantages and disadvantages of these scenarios and the related server placement.

 

For each scenario that supports clients on both the Internet and the intranet, the advantages, disadvantages and resulting server placement are listed.

Scenario 3: The site spans the perimeter network and intranet. All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. There is a second management point (and second software update point and fallback status point, and additional distribution points) and other site systems that are in the intranet for clients connecting on the intranet:
- The management point that supports Internet-based clients communicates directly with the SQL server in the intranet.
- To prevent inbound connections from the Internet-based software update point to the active software update point, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

Advantages:
- The site server is protected from Internet traffic by being in the intranet.
- The assigned management point, and other site systems that intranet clients connect to, are separated from Internet traffic.
- There is no SQL Server replica to configure and no associated replication latency.

Disadvantages:
- More servers are required for the Internet-based connections, with associated costs.
- The manual export and import of software updates metadata incurs administrative overhead.
- The back-end firewall requires some configuration to allow SQL traffic and SMB traffic.
- The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration than if the connection is initiated from the intranet.

Server placement:
- Perimeter network: Internet-based management point, Internet-based fallback status point, Internet-based distribution points, Internet-based software update point
- Intranet: site server, SQL Server (can be running on the site server), fallback status point, distribution points, software update point, all other site systems

Scenario 3: The site spans the perimeter network and intranet. All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. There is a second management point (and second software update point and fallback status point, and additional distribution points) and other site systems that are in the intranet for clients connecting on the intranet:
- The management point that supports Internet-based clients communicates with a SQL server replica in the perimeter network.
- To prevent inbound connections from the Internet-based software update point to the active software update point, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

Advantages:
- The site server is protected from Internet traffic by being in the intranet.
- The assigned management point, and other site systems that intranet clients connect to, are separated from Internet traffic.
- The SQL replica means that all the connections from the perimeter network to the intranet are initiated from the intranet, which is more secure than being initiated from the perimeter network.

Disadvantages:
- More servers are required for the Internet-based connections, with associated costs.
- The manual export and import of software updates metadata incurs administrative overhead.
- The back-end firewall requires some configuration to allow SQL traffic and SMB traffic.

Server placement:
- Perimeter network: Internet-based management point, Internet-based fallback status point, Internet-based distribution points, Internet-based software update point, SQL Server
- Intranet: site server, SQL Server (can be running on the site server), fallback status point, distribution points, software update point, all other site systems

Scenario 4: The site bridges the perimeter network and intranet:
- Internet-based site systems have two network cards.

Advantages:
- Fewer servers to configure and maintain for both intranet connections and Internet connections.
- The site server is protected from Internet traffic by being in the intranet.
- There is no SQL Server replica to configure and no associated replication latency.

Disadvantages:
- There is no security boundary between the perimeter network and the intranet, which is not a recommended solution.
- The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration.

Server placement:
- Perimeter network: Internet-based management point, Internet-based fallback status point, Internet-based distribution points, Internet-based software update point
- Intranet: the same site systems as on the perimeter network, because they are on both networks; site server; SQL Server (can be running on the site server); all other site systems

Scenario 4: The site bridges the perimeter network and intranet:
- Internet-based site systems are in the intranet and can accept both Internet connections and intranet connections.

Advantages:
- Fewer servers to configure and maintain for both intranet connections and Internet connections.
- The site server is protected from Internet traffic by being in the intranet.
- There is no SQL Server replica to configure and no associated replication latency.

Disadvantages:
- Requires a reverse proxy configuration between the perimeter network and the intranet so that the Internet-based site systems on the intranet are published to Internet clients.
- Internet clients are traversing a security boundary to make connections to servers on the intranet. You can help mitigate this threat by using SSL bridging rather than SSL tunneling on the proxy server. For more information, see Determine Requirements for Proxy Web Servers to Use With Internet-Based Client Management.

Server placement:
- Perimeter network: none
- Intranet: Internet-based management point, Internet-based fallback status point, Internet-based distribution points, Internet-based software update point, all other site systems

Scenario 4: The site bridges the perimeter network and intranet:
- Internet-based site systems are in the perimeter network and can accept both Internet connections and intranet connections.

Advantages:
- Fewer servers to configure and maintain for both intranet connections and Internet connections.
- The site server is protected from Internet traffic by being in the intranet.
- There is no SQL Server replica to configure and no associated replication latency.

Disadvantages:
- Intranet clients are traversing a security boundary to make connections to servers that are exposed to Internet traffic.
- The back-end firewall requires some configuration to allow SQL traffic and SMB traffic.
- The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration.

Server placement:
- Perimeter network: Internet-based management point, Internet-based fallback status point, Internet-based distribution points, Internet-based software update point
- Intranet: site server, SQL Server (can be running on the site server), all other site systems
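The scenarios above boil down to a handful of placement rules (where the site server sits, where the Internet-based systems sit, whether a SQL replica is used, how the SUP syncs). The following added example, which is not from the original post or from Microsoft, turns those rules into a small design check that lists the back-end firewall flows a proposed placement needs and the security trade-offs it carries; the port numbers (SQL 1433, SMB 445, HTTPS 443) are the product defaults and an assumption of this example.

```python
# Added example: IBCM placement check derived from the scenario rules above.
# Ports are assumed defaults (SQL 1433/tcp, SMB 445/tcp, HTTPS 443/tcp).
PERIMETER, INTRANET, DUAL_HOMED = "perimeter", "intranet", "dual-homed"

def analyze(site_server=INTRANET, internet_systems=PERIMETER, sql_replica=False,
            child_site=False, sup_export_import=False, site_type="primary"):
    """Return (firewall_flows, risks) for one proposed placement.

    site_server       -- network of the site server and its SQL Server
    internet_systems  -- network of the Internet-based MP/FSP/DP/SUP
    sql_replica       -- the Internet MP reads a SQL replica in the perimeter
    child_site        -- a perimeter site that reports to a parent in the intranet
    sup_export_import -- update metadata synced by export/import, not over HTTPS
    """
    flows, risks = [], []
    if site_type != "primary":
        risks.append("secondary sites do not support IBCM")
        return flows, risks
    if site_server == PERIMETER:                        # scenario 2
        risks.append("site server exposed to Internet traffic")
        if child_site:
            flows.append("perimeter->intranet SMB 445 (child site to parent site)")
            if not sup_export_import:
                flows.append("perimeter->intranet HTTPS 443 (SUP sync with parent)")
        else:
            risks.append("no centralized management and reporting")
        return flows, risks
    if internet_systems == INTRANET:                    # scenario 4, reverse proxy
        risks.append("Internet clients cross the boundary: publish via reverse "
                     "proxy and prefer SSL bridging over SSL tunneling")
        return flows, risks
    if internet_systems == DUAL_HOMED:                  # scenario 4, two NICs
        risks.append("no security boundary between perimeter and intranet")
    # Scenarios 1 and 3 (and the perimeter variants of 4): the Internet-based
    # systems need site data from the intranet, so the back-end firewall opens.
    flows.append("perimeter<->intranet SMB 445 (site server to site systems)")
    if sql_replica:
        flows.append("intranet->perimeter SQL 1433 (replication to the replica)")
        risks.append("extra SQL server and replication latency")
    else:
        flows.append("perimeter->intranet SQL 1433 (Internet MP to site database)")
        risks.append("SQL connection initiated from the perimeter")
    if sup_export_import:
        risks.append("manual export/import of update metadata (admin overhead)")
    else:
        flows.append("perimeter->intranet HTTPS 443 (Internet SUP to active SUP)")
        risks.append("inbound HTTPS from the perimeter for SUP sync")
    return flows, risks
```

Calling analyze() with the defaults describes the first Scenario 1 variant; adding sql_replica=True and sup_export_import=True shows why the replica variant leaves no perimeter-initiated flows.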