In a previous post, I discussed how we discovered that the SMS client would communicate
with its management point from outside the firewall if the management point could
be contacted over port 80. This required that the SMS client be installed on the computer
while it was on the domain, and the computer then carried outside.
We use only Active Directory and Heartbeat discovery, and while we couldn't see a
tie-in, we wanted to make sure that deleting a computer account in Active Directory
would not prevent the SMS client from reporting back. By default, Windows 2000 and later
domain members change their machine account password every 30 days, so we clean up old
computers by deleting computer accounts whose password is older than 45 days.
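The stale-account cleanup described above, written out as a script. This is an added example, not code from the original post: it assumes the RSAT ActiveDirectory PowerShell module is installed, and the 45-day default, the `-Delete` switch and the `-WhatIf` dry run are this example's own choices.

```powershell
<#
 Added example (not from the original post). Lists, and with -Delete removes,
 domain computer accounts whose machine account password is older than a
 threshold. Assumes the RSAT ActiveDirectory module. The threshold default,
 the -Delete switch and the -WhatIf dry run are assumptions of this example.
#>
param(
    [int]$MaxPasswordAgeDays = 45,
    [switch]$Delete
)

Import-Module ActiveDirectory

# pwdLastSet is stored as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
# Comparing against the raw attribute lets the domain controller evaluate the
# filter instead of pulling every computer object back to this host.
$cutoffFileTime = (Get-Date).AddDays(-$MaxPasswordAgeDays).ToFileTimeUtc()

# pwdLastSet = 0 means the password was never set or was just reset; those
# accounts are not stale, so they are excluded explicitly.
$stale = Get-ADComputer -Filter { pwdLastSet -lt $cutoffFileTime -and pwdLastSet -gt 0 -and Enabled -eq $true } `
                        -Properties pwdLastSet, OperatingSystem, LastLogonDate |
         ForEach-Object {
             [pscustomobject]@{
                 Name            = $_.Name
                 OperatingSystem = $_.OperatingSystem
                 PasswordLastSet = [DateTime]::FromFileTimeUtc($_.pwdLastSet)
                 LastLogonDate   = $_.LastLogonDate
                 DN              = $_.DistinguishedName
             }
         } | Sort-Object PasswordLastSet

# Review this list before deleting anything: a laptop that has been off the
# network for longer than the threshold shows up here too.
$stale | Format-Table Name, OperatingSystem, PasswordLastSet, LastLogonDate -AutoSize

if ($Delete) {
    foreach ($computer in $stale) {
        # -WhatIf keeps this a dry run; remove it once the list has been reviewed.
        Remove-ADComputer -Identity $computer.DN -Confirm:$false -WhatIf
    }
}
```

With a 30-day default change interval, a 45-day threshold tolerates one missed rotation. Note the point the post goes on to make: deleting the account removes the machine's domain identity, but it does not stop an already-installed SMS client from talking to a management point it can reach on port 80, so this cleanup is not a control for that case.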
So for testing, we took a computer with a working SMS client installed, moved it
outside the firewall, and then deleted its computer account on the internal network.
The client still functioned as a full SMS client: as long as it could reach the management
point occasionally to send a heartbeat, hardware and software inventory continued to work.
By enabling our distribution point (which in our case was also our management point)
for BITS, and allowing port 80 traffic to it through the firewall, we
were able to distribute software. As a test we distributed Office 2003 Professional
over a DSL connection.
In Part III I will discuss some of the limitations we ran into trying to install the
client on a computer that was already outside the domain, and I will share the
query we used to find clients that were reporting from outside the firewall.
Just a quick note — the default computer password change interval is 30 days for W2K and higher systems, and 7 days for NT4. This option is adjustable, but those are the Microsoft defaults.