Install SCCM 2012 agent in DMZ

If you find yourself attempting to install the SCCM 2012 agent and the Endpoint Protection 2012 agent on a server in the DMZ, follow these instructions to protect your DMZ servers. Also, if you are looking for a great reference book, take a look at Meyler’s book below. This book gets a lot of use at my job!

1. The DMZ server must be able to resolve and locate the management point, therefore you must edit the host file on each DMZ Server to include the host records for the SCCM server. You must be able to resolve or get to the SCCM server on the internal network from the DMZ. The host file can be found at C:\Windows\System32\drivers\etc\hosts. See the following example host file records to access sccmserver.domain.com

172.16.9.41 SCCMServer
172.16.9.41
sccmserver.domain.com

2. Copy the client installation to the DMZ server
Copy the files from
\\sccmserver\<SMS_dir>\Client to the DMZ server

3. Install SCCM 2012 agent manually by opening a command prompt and run the following command on the DMZ server
ccmsetup /mp:sccmserver.domain.com SMSSLP=sccmserver SMSSITECODE=<site code> DNSSUFFIX=domain.com

** Make sure you open TCP port 445 on the DMZ server to the SCCM server and you MUST make sure to create a DMZ Boundary and include the IP range for your DMZ network in the SCCM Server Administration before continuing.

You will notice the ccmsetup.exe and msiexec processes running in Task Manager

4. Wait for the installation to complete. Open the System Center Configuration Manager Console. Select Assets and Compliance, then Devices. Search for the DMZ server name. It may take several minutes to appear. Once it does, right-click on the DMZ Server and select Approve.

5. Once the device is approved, right-click on it again and select Add Selected Items, then Add Selected Items to Existing Device Collection. Select the device collection named DMZ Servers.

6. On the DMZ Server, open Control Panel, then Configuration Manager. Select the Actions tab and run the Machine Policy Retrieval & Evaluation Cycle. This will force communication from the SCCM agent back to the SCCM Management Point (sccmserver).
endpoint1

7. After a few minutes, open the Configuration Manager on the DMZ Server and note the Client Properties. Make sure it looks similar to the image below.
image

8. Select the Actions tab, note that you should see more Actions then you did in step 6. Run theMachine Policy Retrieval & Evaluation Cycle again and wait a few minutes.
endpoint3

9. Wait another couple of minutes and you should see the SCEP icon in the System tray. If for some reason you do not, you can manually install the System Center Endpoint Protection 2012 (SCEP) application. Navigate to where you copied the SCCM 2012 agent in step 2 and run the scepinstall.exe installation file. Accept the defaults and complete the installation. But if everything is working OK, you shouldn’t have to do this.

10. Look for the SCEP icon in the system tray, right click and Open. Select the down arrow near Help at the top right and then select About. Note the Policy Name being applied. It should read DMZ Server Antimalware Policy.
endpoint4

 

George Almeida

Welcome to my little corner of the blogosphere. I'm an Information Technology Director. I specialize in Windows operating systems, applications, servers, storage, networks and also have a technical background on the IBM iSeries platform. My only purpose for this blog is the hope that it helps someone, someday, somewhere. Any meager proceeds derived from our sponsors will be donated to charity.

You may also like...

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

20 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Sven
Sven
10 years ago

Hi George
Could you explane a bit more about the Firewall Rules?

Thanks

Sven

Ralph
Ralph
8 years ago

Thanks George, really helped me out

Anonymous
Anonymous
8 years ago

George – Do you have to setup the primary site to use a PKI certificate?

Jonatan
Jonatan
8 years ago

Thanks, I had the problem that appear only two actions on clients at DMZ.
That parameters really helped me!!

JohnAnon
JohnAnon
8 years ago

I’ve got SCCM working for the DMZ Servers, but not the SCEP part. It’s installed but basically unmanaged and not applying any Antimalware policies. Thoughts?

Tom
Tom
8 years ago

George, I am so close to getting this setup on my DMZ. I’ve done this successfully in the past so I am very familiar with the process. But ONE sticking point I’m having is the client cannot query our internal DNS for the MP SRV record. I see it in the logs on the client. My company refuses to open this port up for all the DMZ servers, am I missing something here? Are there other options to get this working?

John
John
7 years ago
Reply to  George Almeida

Does this same process also work to deploy Microsoft Updates from internal SCCM to DMZ clients?

Arindam
Arindam
7 years ago

ccmsetup /mp:sccmserver.domain.com SMSSLP=sccmserver SMSSITECODE= DNSSUFFIX=domain.com
Its work for me.
Thank you 🙂

Eunice
Eunice
7 years ago
Reply to  George Almeida

Hi George, I am not sure if you want to take this on, but I have been trying to install the SCCM client on a DMZ server. Our network guy even temporarily opened up all of the ports for me, but I continue to fall down and nothing ever shows up in my C:WindowsccmsetupLogs directory, except for the failing log. Here are some tail end messages at the end of the log, I have tried many different permutations of the ccmsetup command, this is my latest attempt: ccmsetup.exe /Source:C:TEMPClient SMSSITECODE=MEL SMSMP=aumelsc00.corp.iplgroup.net DNSSUFFIX=corp.iplgroup.net Let me know if you are interested in… Read more »

Sean
Sean
4 years ago

thank you for the post. it works.. really helped me out.

20
0
Would love your thoughts, please comment.x
()
x