pasha-mayerov asked:

SCCM multiple SUP DMZ/noDMZ

Hello.
Structure:
1 domain controller;
Primary site (MP, DP, SUP, WSUS);
Secondary site (MP, DP, SUP, WSUS).
The primary site is configured for non-DMZ clients.
The secondary site is configured for DMZ clients.
How can I configure the secondary site's client updates without opening port 8531 access to the primary site?


SimonRenMSFT-3639 answered:

Hi,

Thanks for posting in the Microsoft MECM Q&A forum.

You could refer to this: Installing SCCM site systems in a DMZ environment

Best regards,
Simon


Jason-MSFT answered:

There's no such thing as "configured for DMZ clients". There's nothing special or magic about a client in a screened or segregated network and thus there's no configuration in ConfigMgr either.

You need to account for client to client-facing site system traffic. That can be done in various ways depending on your org's security posture and standards as well as whether or not systems in this network have access to an AD domain.

Options include:
- Placing a site system hosting the MP, DP, SUP roles in this screened network and allowing traffic for it back and forth with the primary site server, primary site database, and primary site SUP. This assumes this site system can be successfully joined to an AD domain.
- Allowing the managed clients to directly communicate with existing site systems that host MP, DP, and SUP roles.
- Reverse proxy (this would require HTTPS client communication to my knowledge).
- Use a CMG

A secondary site cannot be used for a screened network/subnet, as it is not a gateway and does not tunnel all client traffic.
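Before changing any firewall rule, it helps to see which SUP a managed client has actually been assigned and whether that host and port are reachable from the client's network segment. The following PowerShell check is an added example, not code from this thread or from Microsoft; it assumes a ConfigMgr client that has already received its software update policy (which populates the WUServer values below).

```powershell
# Added example: report the SUP/WSUS server assigned to this ConfigMgr client and
# test TCP reachability to it. Assumption: the ConfigMgr client has already applied
# software update policy, so the WindowsUpdate policy key holds the SUP URL.
function Get-AssignedSupReachability {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if (-not $wu -or -not $wu.WUServer) {
        Write-Warning 'No WUServer value found; this client has not been assigned a SUP yet.'
        return $null
    }

    # WUServer is the scan/download endpoint, WUStatusServer the reporting endpoint.
    # ConfigMgr normally writes the full URL including the port, e.g. https://sup.example.local:8531
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $uri = [System.Uri]$wu.$name
        $tnc = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Setting   = $name
            Url       = $wu.$name
            Host      = $uri.Host
            Port      = $uri.Port
            Scheme    = $uri.Scheme
            Reachable = $tnc.TcpTestSucceeded
        }
    }
}

# Usage: run on the client with the same privileges as a normal interactive admin session.
# A Reachable = False row for a host in the other network is the firewall gap the question asks about.
Get-AssignedSupReachability | Format-Table -AutoSize
```

For the site system the client was offered during SUP location lookup, the client's LocationServices.log and WUAHandler.log under the ConfigMgr client log folder show the same server name and the result of the last scan.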