Determine Administrator Roles and Processes for Internet-Based Client Management
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
In a production environment, implementing Internet-based client management will require interaction and collaboration with a number of different groups across the enterprise. For example, these groups might include the following:
- Active Directory Domain Services service administrators to extend the schema and configure the System Management container with required security permissions.
  Extending the schema for Configuration Manager is not a requirement for Internet-based client management. However, when you have clients that will be managed on both the intranet and the Internet, it is much easier to configure native mode clients on the intranet when Configuration Manager is publishing to Active Directory Domain Services.
- Active Directory Domain Services data administrators to create any accounts that might be needed if the Internet-based site systems are deployed in a separate Active Directory forest.
- Public key infrastructure (PKI) specialists to create, deploy, and manage the PKI certificates required for native mode.
- Infrastructure architects and security advisors to decide the most suitable network topology and server placement that will be used to support Internet-based client management.
- Windows Server administrators to build, configure, and harden the servers that will support connections from the Internet.
- Firewall and Web proxy administrators to make configuration changes on firewalls and network devices required to support Internet-based connections.
- DNS administrators to add host entries for the Internet-based site systems.
- Database administrators to configure SQL replication if this is part of your Internet-based site design.
- Packaging administrators to create the installation package that will install and configure the Configuration Manager client from removable media, for the clients that cannot install on the intranet.
- Help Desk engineers who will receive calls from users on the Internet who are experiencing problems receiving application and software updates over the Internet.
- End users who might require training about how to install the client from removable media, how to change their Internet-based management point and proxy server settings, and what processes to follow if they experience problems.
Because implementing a site to support Internet-based client management involves so many roles, it is critical that you identify early who is responsible for the various roles, and work with them to incorporate their requirements and their processes.
For example, if updating public DNS servers can take a month, initiate this request early enough so that it's completed when you are ready to configure clients for their Internet-based site, rather than leaving it until the day before on the assumption that it will be completed quickly.
A successful ongoing implementation will depend on identifying and adhering to processes that coordinate the various functions between the roles.
Some of the potential consequences of not having and following defined processes when implementing Internet-based client management in a production environment are as follows:
- A critical component, such as DNS configuration or firewall configuration, delays deployment because it wasn't requested in a timely manner.
- Users receive an installation disk with no instructions, and the Help Desk also has no information about the disk when users ask for more information.
- The corporate security policy is violated by installing servers in the perimeter network without the usual security hardening measures.
- There is no network connectivity between the Internet-based site systems and the site server because of a failure to identify that the back-end firewall requires configuration.
Use a methodology such as ITIL or Microsoft Operations Framework (http://go.microsoft.com/fwlink/?LinkId=88047) to help you implement Internet-based client management within a framework of defined processes. Make sure you document your design, testing procedures, the areas of responsibility, and the processes to follow for configuration and troubleshooting, and then disseminate this information, making sure that it is centrally available and updated.
Review existing company security policies and, if necessary, modify them to include the implementation of Internet-based client management.