I decided to take a couple of posts here to discuss some of the findings we have made
in our lab regarding SMS clients outside of our Corporate Firewall. Back in the pre-beta
discussions, Microsoft talked a lot about how the Mobile Client (now the Advanced
Client) would be able to report to SMS no matter where it connected. This was exciting
to us as we have a lot of computers that leave our network and never connect back.
(Applications run via Citrix, e-mail goes over Outlook Web Access, and no VPN is used.)
After the release, there wasn’t a lot more mentioned about this. There is plenty about
how the advanced client can move between sites, but we were only using one site. What
we wanted to know was whether an Advanced Client would continue to report inventory
daily if it was outside the firewall and not connected over a VPN.
We searched around on the web and in the documentation, even read through a couple
of good SMS 2003 books. No mention was made about advanced client mobility outside
of its ability to move between sites. Our answer came accidentally as one of our engineers
was doing reports on IP subnets. He noticed several machines with 65.x.x.x IP
addresses, and some with 192.168.x.x IP addresses. We started the search and soon
confirmed it. We had clients outside of our firewall, some with Internet-valid (public)
IP addresses (65.x.x.x) and some with private IP addresses (192.168.x.x)!
We generated a query, and determined that the list of computers actively reporting
from outside the firewall was around 30 (we have around 800 clients). We were fairly
happy since SMS 2003 had only been deployed for a little over two months.
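The post does not show the query our engineer used, so here is an added example (not from the original post or from SMS itself) of the classification behind it: take each client's last reported address and sort it into "internal", "outside but behind a home router" (RFC 1918 space we do not own) or "outside with a public address". The corporate range (10.0.0.0/8) and the inventory records are assumptions constructed for the example; substitute the subnets you actually route inside the firewall and feed it the name/IP pairs from your own inventory report.

```python
import ipaddress
from collections import Counter

# Constructed sample inventory: (computer name, last reported IPv4 address).
# These records are made up for the example; they are not the post's data.
SAMPLE_INVENTORY = [
    ("WS-0101", "10.20.4.17"),
    ("WS-0102", "10.20.9.201"),
    ("WS-0103", "10.21.3.8"),
    ("LT-0201", "65.0.0.10"),
    ("LT-0202", "192.168.1.104"),
    ("LT-0203", "192.168.0.12"),
    ("LT-0204", "65.0.0.11"),
    ("LT-0205", "169.254.10.5"),
]

# Assumed corporate address space. The post does not give the real internal ranges;
# replace this list with the subnets you actually route inside the firewall.
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# RFC 1918 private space, listed explicitly rather than via ip.is_private, because
# is_private also covers loopback, link-local and documentation ranges.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify(ip_text):
    """Return where a reporting client most likely sits relative to the firewall."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "other"            # APIPA or loopback says nothing about location
    if any(ip in net for net in CORPORATE_NETWORKS):
        return "internal"
    if any(ip in net for net in RFC1918_NETWORKS):
        return "outside-private"  # private space we do not own: a home router doing NAT
    if ip.is_global:
        return "outside-public"   # client reports with an Internet-routable address
    return "other"


def outside_clients(inventory):
    """Clients whose last reported address is not in the corporate ranges."""
    result = []
    for name, ip_text in inventory:
        cls = classify(ip_text)
        if cls.startswith("outside"):
            result.append((name, ip_text, cls))
    return result


def summarize(inventory):
    """Count clients per classification, e.g. to track the ratio over time."""
    return dict(Counter(classify(ip) for _, ip in inventory))


if __name__ == "__main__":
    for name, ip_text, cls in outside_clients(SAMPLE_INVENTORY):
        print(f"{name:<10} {ip_text:<16} {cls}")
    print(summarize(SAMPLE_INVENTORY))
```

Running `summarize()` against each day's inventory export gives the "how many are reporting from outside" number the post quotes, and the split between public and private-but-foreign addresses tells you which of those clients sit directly on the Internet and which are behind someone else's NAT.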
So how were they reporting? The default website on the SMS Management Point (server
name: smsserver) had a host header added for smsserver.company.com.
We were also publishing port 80 for this server through our firewall using NAT, and
we had an entry on our external DNS server for smsserver.company.com.
The strange part is that we use a child domain internally for all of our clients (smsserver.co.company.com).
So I have yet to determine where the client holds a reference that would tell
it to look for http://smsserver.company.com instead
of http://smsserver.co.company.com when it is outside, but it does.
Once we determined this part was working, we connected a machine with the client installed
to our test network (a DSL connection) and started testing some other ideas we
had: whether the computer needed a valid computer account on our domain, whether we
could deploy software, and whether we could install the client on a computer after it was already outside
the firewall. I will discuss these in a later part.