Microsoft Tech Community
Tips and Tricks: Using Internet-Only Client Management on the Intranet
Published Sep 07 2018 06:30 PM
First published on CloudBlogs on Mar 03 2009

[Today's post is brought to you by Carol Bailey]

When you read the product documentation for using Internet-based client management in Configuration Manager 2007, you will see in the overview information that there are three different management states that a Configuration Manager client can be in when assigned to a site that's configured for Internet-based client management:

  • intranet-only
  • Internet-only
  • Internet or intranet

An intranet-only client is a client that's assigned to a site configured for Internet-based management but isn't currently configured to be managed over the Internet.  It has the capability to be managed over the Internet but cannot do so until it is assigned to the Internet-based management point.  Not everybody wants all their clients to be configured for Internet client management - and there's little point in making an additional configuration for servers and workstations that do not move.

An Internet-only client will never attempt to find the default management point on the intranet, and consequently will never be managed as an intranet client with all the features that this offers.  This includes finding the nearest distribution points when roaming into another site on the intranet, Network Access Protection, Wake on LAN, operating system deployment, and features that require access to Active Directory Domain Services - such as distributing software to users rather than computers.

A client that supports both intranet and Internet client management can seamlessly move between being managed on the intranet as an intranet client, and being managed on the Internet.  This can even include switching from an Internet-based distribution point to an intranet-based distribution point in the middle of a download.  When the client detects a change in network, this kicks off service location to find its intranet management point (the default management point in its assigned site or proxy management point if it's within the boundaries of a secondary site that belongs to its assigned site).  If service location fails, the client deduces that it must be on the Internet and so tries to communicate with its assigned Internet-based management point.  The assigned Internet-based management point always directs the client to the Internet-based site systems in the site, and never to intranet-based site systems or to Internet-based site systems in another site.

Being able to move seamlessly from the intranet to the Internet was one of the main feature requirements for the product group.  As long as you have configured the client with the Internet-based management point, there's nothing extra to configure on the client to support this behavior.  In comparison, there is extra configuration to support Internet-only client management because this is a client installation property and cannot be changed post installation.  So why would you ever configure a client for Internet-only management?

The documentation tells you that this is applicable for two scenarios:

  • When the client will never connect to the intranet (why waste cycles and make network calls that won't be productive?).
  • When the client is a workgroup computer or from an untrusted forest (a support limitation).

However, as a tip or trick, I'm proposing that you also consider using Internet-only management on the intranet, for the following two reasons:

  • Simplicity.  There is no need to define boundaries for these clients, which eliminates the possibility of overlapping boundaries.  Additionally, the client functionality on the Internet/intranet is identical, which provides a consistent user experience.
  • Testing.  This allows you to confirm whether Configuration Manager is configured correctly for Internet-based client management and the required certificates are in place.  Because the clients are on the intranet, this is helpful in eliminating some of the Internet infrastructure pieces that might be blocking successful connections from the Internet - such as firewalls and proxy servers.

When a Configuration Manager client is installed as Internet-only and is connected to the intranet, the client continues to behave as if it is still connected to the Internet, without affecting non-Configuration Manager functionality.  This means that the client will continue to contact the Internet-based management point to download policy and upload information such as inventory, compliance information, and status messages.  The client will download packages from any of the Internet-based distribution points in its site (they are all considered equal because there is no concept of "nearest distribution point" with Internet-based client management), even if it's within the boundaries of another site in the hierarchy.  It will scan against the Internet-based software update point, and it will continue to communicate with the Internet-based fallback status point.

For this scenario to work, both of these conditions must be met:

  • The Internet FQDNs must successfully resolve to the Internet-based site systems from the intranet.  If you are using split-brain DNS with the same FQDN for both intranet and Internet, this will not work.  If you use a proxy server for incoming Internet connections, the Internet DNS records will resolve to the proxy server and not directly to the Internet-based site systems - so for clients on the intranet you will need to add A records to your clients' DNS zone so that the Internet FQDNs resolve directly to the Internet-based site system servers and not to the proxy server.
  • If your Internet-based site systems are in the perimeter network and you have a backend firewall, it must allow HTTPS connections from the intranet to the Internet-based servers - this is unlikely to be a problem but might have to be specifically configured.
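
Both conditions above, together with the certificate requirement listed later in this post, can be checked from an intranet client before you install a single Internet-only client. The following PowerShell script is an added example and is not from the original post; the FQDNs, the addresses they are expected to resolve to, and the port are placeholders for your own Internet-based site systems. It uses only .NET 2.0 classes, so it runs on the PowerShell 2.0 that was current for Configuration Manager 2007.

```powershell
# Added example, not code from the original post: pre-flight checks for running
# Internet-only clients on the intranet. The FQDNs and addresses are placeholders
# for your own Internet-based site systems.

# Placeholder map of Internet FQDN -> address the intranet must resolve it to
# (the site system itself, never the proxy that fronts it for Internet clients).
$ExpectedSiteSystems = @{
    'mp.contoso.com'  = '10.0.1.10'   # Internet-based management point
    'dp.contoso.com'  = '10.0.1.11'   # Internet-based distribution point
    'sup.contoso.com' = '10.0.1.12'   # Internet-based software update point
    'fsp.contoso.com' = '10.0.1.13'   # Internet-based fallback status point
}
$HttpsPort     = 443
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-InternetSiteSystem {
    param([string]$Fqdn, [string]$ExpectedAddress, [int]$Port)

    $r = New-Object PSObject -Property @{
        Fqdn = $Fqdn; ResolvesDirect = $false; PortOpen = $false
        NameInCert = $false; ServerAuthEku = $false; Detail = ''
    }

    # 1. DNS. From the intranet the Internet FQDN must resolve straight to the
    #    site system. Split-brain DNS or a public record that points at the
    #    proxy shows up here as the wrong address.
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $r.Detail = 'DNS: ' + $_.Exception.Message
        return $r
    }
    $r.ResolvesDirect = [bool]($addrs -contains $ExpectedAddress)
    if (-not $r.ResolvesDirect) {
        $r.Detail = 'DNS: resolves to ' + ($addrs -join ',')
        return $r
    }

    # 2. Back-end firewall: HTTPS from the intranet into the perimeter network.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Fqdn, $Port)
        $r.PortOpen = $true
    } catch {
        $r.Detail = "TCP ${Port}: " + $_.Exception.Message
        $tcp.Close()
        return $r
    }

    # 3. TLS handshake. The callback accepts any chain so that a mis-issued
    #    certificate is reported by the checks below instead of by a handshake
    #    error; the real native-mode client still validates the chain itself.
    $ssl = $null
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        # Name: the Internet FQDN must be the subject CN or a SAN DNS entry. When a
        # certificate carries both the intranet and Internet names, both belong in
        # the SAN. Format() output is read as the English "DNS Name=..." text.
        $esc = [regex]::Escape($Fqdn)
        $nameOk = $cert.Subject -match ('(^|, ?)CN=' + $esc + '(,|$)')
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $nameOk = $nameOk -or ($san.Format($false) -match ('DNS Name=' + $esc + '(,|\s|$)')) }
        $r.NameInCert = [bool]$nameOk
        if (-not $nameOk) { $r.Detail = 'cert subject: ' + $cert.Subject }

        # EKU: must allow server authentication. A certificate with no EKU
        # extension is technically unrestricted, but that is not what a site
        # system certificate template should produce, so it is flagged too.
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku) {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $r.ServerAuthEku = [bool]($oids -contains $ServerAuthOid)
        }
    } catch {
        $r.Detail = 'TLS: ' + $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
    return $r
}

$results = @()
foreach ($fqdn in $ExpectedSiteSystems.Keys) {
    $results += Test-InternetSiteSystem -Fqdn $fqdn -ExpectedAddress $ExpectedSiteSystems[$fqdn] -Port $HttpsPort
}
$results | Select-Object Fqdn, ResolvesDirect, PortOpen, NameInCert, ServerAuthEku, Detail | Format-Table -AutoSize
```

Run it from a domain workstation on the intranet. A row with ResolvesDirect false and the proxy address in Detail is the "add A records to the clients' DNS zone" case; PortOpen false with the right address is the back-end firewall; NameInCert false on a server that otherwise answers is the FQDN typo in the certificate request that is otherwise only found by reading IIS logs.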

I know customers who use this configuration for the simplicity factor, but I particularly like this strategy for testing when the site is first configured for Internet-based client management.  Configuring Internet-based client management in Configuration Manager isn't difficult - but it is "bitty" and it's easy to slip up with something like a typo in an FQDN or simply miss one of the steps.  Testing on the intranet helps to narrow the scope for more efficient troubleshooting.

For Internet-based client management to work, these are the key configuration steps within Configuration Manager:

  • The site must be in native mode, and the Internet-based site systems must have a certificate with server authentication capability installed and configured in IIS.  The certificate must contain the Internet FQDN in either the certificate subject or the subject alternative name (SAN).  If the certificate must carry both an Internet FQDN and an intranet FQDN, put both in the SAN.
  • The Internet-based site system must be configured with the same Internet FQDN in the site system properties.
  • The Internet-based site system must be configured to accept client connections from the Internet.
  • Clients must be directly assigned to the site and configured with the Internet FQDN of the management point.
  • All the Internet FQDNs must successfully resolve (either directly to the Internet-based server or to a firewall/proxy that will redirect the connection).

For a more complete list of checks, see the following:

To install the client as Internet-only, use the CCMALWAYSINF=1 property with CCMSetup.exe.  You will also need to specify, at minimum, /native, the site code, and the Internet FQDN of the management point. When the client has installed, view the Configuration Manager client properties and confirm that the ConfigMgr Connection Type on the General tab displays Always Internet.  When this is displayed, the client will never communicate with the intranet-based site systems, so if the client successfully communicates with the site, it must be using the Internet-based site systems.  If this works when the client is on the intranet but no longer works when the client is moved to the Internet, you have eliminated misconfiguration within Configuration Manager, and it's time to look over the network infrastructure between the client on the Internet and your Internet-based site systems.

There are a number of ways to confirm that the client is successfully communicating with the site, including:

  • Change one of the client agents in the Configuration Manager console from disabled to enabled, and confirm the status change using the Components tab on the client.
  • Send a test advertisement to the client, such as a script that loads the command prompt.
  • Use Policy Spy from the Configuration Manager 2007 toolkit to confirm that the client is receiving policy.
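
As an added example that is not from the original post, the following PowerShell builds the CCMSetup.exe command line described above from checked parameters (SMSSITECODE and CCMHOSTNAME are the CCMSetup property names for the site code and the Internet FQDN of the management point) and then gives a scripted version of the "is it really Internet-only" check. The site code, share path and FQDN are placeholders. The registry value and the log folder it reads are my own assumptions about where the 2007 client records its state, not something the post states; confirm them on your build before relying on the script, and treat the General tab of the client properties as the authoritative check.

```powershell
# Added example, not code from the original post. Builds the Internet-only
# install line from checked parameters, then inspects a freshly installed
# client. Site code, share and FQDN are placeholders; the registry value and
# log location are assumptions about the ConfigMgr 2007 client, not facts
# taken from the post.

function New-InternetOnlyClientCommand {
    param(
        [Parameter(Mandatory=$true)][string]$SiteCode,
        [Parameter(Mandatory=$true)][string]$InternetMP,
        [string]$CcmSetup = '\\siteserver\SMS_ABC\Client\ccmsetup.exe'   # placeholder share
    )
    # Three-character site code: Internet-only clients must be directly assigned.
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        throw "Site code must be three alphanumeric characters: '$SiteCode'"
    }
    # The classic slip is a bare host name or the intranet name here. The value
    # must be the Internet FQDN carried by the certificate and site system properties.
    if ($InternetMP -notmatch '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$') {
        throw "Internet management point must be a fully qualified name: '$InternetMP'"
    }
    # /native: native-mode client.  SMSSITECODE: direct site assignment.
    # CCMHOSTNAME: Internet FQDN of the management point.  CCMALWAYSINF=1:
    # Internet-only; an installation property that only a reinstall can undo.
    return "$CcmSetup /native SMSSITECODE=$($SiteCode.ToUpper()) CCMHOSTNAME=$InternetMP CCMALWAYSINF=1"
}

function Test-InternetOnlyClient {
    param([Parameter(Mandatory=$true)][string]$InternetMP)

    # Assumption: the install property is persisted as a DWORD under CCM\Security,
    # with 1 corresponding to "Always Internet" on the General tab.
    $alwaysInternet = $false
    $sec = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\Security' -ErrorAction SilentlyContinue
    if ($sec -and $sec.ClientAlwaysOnInternet -eq 1) { $alwaysInternet = $true }

    # Assumption: 2007 client logs sit under the client folder (System32 on x86,
    # SysWOW64 on x64 because the client is 32-bit). LocationServices.log records
    # which management point the client looks for, so the Internet FQDN showing
    # up there is the evidence that it is the Internet-based MP being contacted.
    $hits = 0
    foreach ($dir in @("$env:windir\System32\CCM\Logs", "$env:windir\SysWOW64\CCM\Logs")) {
        $log = Join-Path $dir 'LocationServices.log'
        if (Test-Path $log) {
            $hits += @(Select-String -Path $log -SimpleMatch -Pattern $InternetMP).Count
        }
    }

    New-Object PSObject -Property @{
        AlwaysInternet   = $alwaysInternet
        InternetMPInLog  = ($hits -gt 0)
        LogLinesMatching = $hits
    }
}

# Usage with placeholders: print the line to run on the client, then, after the
# installation has finished, check the client from an elevated prompt.
New-InternetOnlyClientCommand -SiteCode 'ABC' -InternetMP 'mp.contoso.com'
Test-InternetOnlyClient -InternetMP 'mp.contoso.com'
```

If AlwaysInternet is true but the Internet FQDN never appears in the log, the client has not yet run service location or is failing DNS resolution before it gets that far, which points you back at the A records rather than at the site configuration.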

If you decide to use Internet-only client management on the intranet as a long term strategy, rather than a short term testing strategy, make sure that you don't need any of the features or capabilities that are not supported in this configuration.  Review "Features that Are Not Supported on the Internet" in the topic Overview of Internet-Based Client Management.  If you install clients as Internet-only and later decide that you need any of these intranet features, reinstall the client without the CCMALWAYSINF=1 property.

Although the Internet-only capability wasn't designed with these two uses in mind, this configuration can be a useful tip or trick to keep in your arsenal.

-- Carol Bailey

This posting is provided "AS IS" with no warranties and confers no rights.
