SrinivasM-1313 asked Jason-MSFT commented

Clarification on enabling enhanced HTTP in MECM before upgrading to 2103 version

Hi,

Please help in clarifying the below

  1. If we are already running HTTP mode communication and want to enable enhanced HTTP for our primary site server, then the only setting we need to change is to select the site configuration --> Properties --> Communication Security --> HTTPS or HTTP --> Use Configuration Manager-generated certificates for HTTP site systems. So no configuration changes are required on the DP, MP or SUP, right?

  2. After enabling enhanced HTTP, the management point adds the certificate to the IIS default web site bound to port 443. So please clarify whether all the client communication happens via HTTP or HTTPS.

  3. How does the client communication happen with the SUP after enabling enhanced HTTP? Is it secure?

  4. On the SCCM server a self-signed certificate is generated after enabling enhanced HTTP. Does this also generate any certificates on SCCM clients, and is that process automatic or is any manual intervention required for certificate generation on clients?

  5. What if we have multiple DPs and MPs in the same primary site? Is the certificate going to be configured automatically on these site systems?

Thanks
Srinivas


mem-cm-general

Jason-MSFT answered

"All the clients communication happens on HTTP."

This is not actually correct. With enhanced HTTP, clients do begin communicating over HTTPS for some communication. See https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http#bkmk_scenario1

Also, for the client certificates, nothing changes when enhanced HTTP is enabled. Clients have always generated and used the two self-signed certs. The post linked to is not correct for this point.


HanyunZhu-MSFT answered HanyunZhu-MSFT edited

Hi @SrinivasM-1313,

Thank you for posting in Microsoft Q&A forum.

1) Yes, if we have configured a DP and an MP for HTTP client connections, no configuration changes are required on the DP or MP. But please confirm that the option "Allow clients to connect anonymously" is not enabled. We can refer to the "Prerequisites" part of this article for more details:
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http#prerequisites
And for the SUP, its related communications already support the use of secure HTTP, so it also does not need any configuration changes. Please check the Note in the "Features" part of this article:
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http#features

2) All the clients communication happens on HTTP.

3) Same as mentioned in the first point, SUP and related scenarios have always supported secure HTTP traffic with clients.

4) That's true, two Enhanced HTTP certificates will be automatically created on the client computer: SMS Signing Certificate & SMS Encryption Certificate.
Here's a link that can be used as a reference:
https://www.prajwaldesai.com/enable-sccm-enhanced-http-configuration/
Note: This is not from MS, just for your reference.

5) Please check the "Configure the site" part of the article:
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http#configure-the-site
According to my understanding, the certificate will be automatically configured.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
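
Added example, not part of the thread or of Microsoft's documentation: a read-only PowerShell check for questions 2 and 4 above, showing which certificate IIS presents on port 443 on a site system and which self-signed certificates a client holds. The function names are hypothetical, and the LocalMachine\SMS store location for the client certificates is an assumption.

```powershell
# Added example: read-only checks, run from an elevated PowerShell session.

# Client side. Assumption: the ConfigMgr client keeps its self-signed
# certificates in the LocalMachine\SMS certificate store.
function Get-SmsClientCertificate {
    $store = 'Cert:\LocalMachine\SMS'
    if (-not (Test-Path $store)) {
        Write-Warning "Store $store not found; is the ConfigMgr client installed?"
        return
    }
    Get-ChildItem $store | ForEach-Object {
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            SelfSigned   = ($_.Subject -eq $_.Issuer)
            NotAfter     = $_.NotAfter
            Expired      = ($_.NotAfter -lt (Get-Date))
            Thumbprint   = $_.Thumbprint
        }
    }
}

# Site system side (MP/DP): which certificate does IIS present on port 443?
function Get-Port443Certificate {
    Import-Module WebAdministration -ErrorAction Stop
    Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | ForEach-Object {
        # Resolve the bound thumbprint to the certificate in the named store.
        $path = 'Cert:\LocalMachine\{0}\{1}' -f $_.Store, $_.Thumbprint
        $cert = Get-Item $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Binding    = '{0}:{1}' -f $_.IPAddress, $_.Port
            CertFound  = [bool]$cert
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $_.Thumbprint
        }
    }
}

# On a client, look for the "SMS Signing Certificate" and
# "SMS Encryption Certificate" entries named in the answer above.
Get-SmsClientCertificate | Format-Table -AutoSize

# Only meaningful where IIS is installed (management or distribution point).
if (Get-Module -ListAvailable -Name WebAdministration) {
    Get-Port443Certificate | Format-List
}
```

Comparing the Issuer reported for port 443 against your PKI's issuing CA shows whether a site system is presenting a PKI certificate or a Configuration Manager-generated one.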



SrinivasM-1313 answered Jason-MSFT commented

Hi Jason \ HanyunZhu,

Thanks for your answers.

On the same primary site server we have configured a site system for IBCM with PKI certs.

So by enabling enhanced HTTP on the primary site server, does this have any impact on the IBCM site system? Do the self-signed certificates have any conflicts with the PKI certs in IBCM? Please clarify.

Thanks
Srinivas


Sorry, not following, why are you wanting to enable enhanced HTTP here at all if you already have HTTPS client communication enabled?


Hi Jason,

Thanks for your inputs. So you suggest managing the whole SCCM infra in HTTPS mode with the PKI certs which are already available, right?


Thanks
Srinivas


Yes. If you already have a well configured and operational PKI, this is the path of least resistance and most security at this point so not sure why you'd want to enable enhanced HTTP at all.
