Install SCCM 2012 agent in DMZ
If you find yourself attempting to install the SCCM 2012 agent and the Endpoint Protection 2012 agent on a server in the DMZ, follow these instructions to protect your DMZ servers. Also, if you are looking for a great reference book, take a look at Meyler’s book below. This book gets a lot of use at my job!
1. The DMZ server must be able to resolve and locate the management point, therefore you must edit the host file on each DMZ Server to include the host records for the SCCM server. You must be able to resolve or get to the SCCM server on the internal network from the DMZ. The host file can be found at C:\Windows\System32\drivers\etc\hosts. See the following example host file records to access sccmserver.domain.com
172.16.9.41 SCCMServer
172.16.9.41 sccmserver.domain.com
2. Copy the client installation to the DMZ server
Copy the files from \\sccmserver\<SMS_dir>\Client to the DMZ server
3. Install SCCM 2012 agent manually by opening a command prompt and run the following command on the DMZ server
ccmsetup /mp:sccmserver.domain.com SMSSLP=sccmserver SMSSITECODE=<site code> DNSSUFFIX=domain.com
** Make sure you open TCP port 445 on the DMZ server to the SCCM server and you MUST make sure to create a DMZ Boundary and include the IP range for your DMZ network in the SCCM Server Administration before continuing.
You will notice the ccmsetup.exe and msiexec processes running in Task Manager
4. Wait for the installation to complete. Open the System Center Configuration Manager Console. Select Assets and Compliance, then Devices. Search for the DMZ server name. It may take several minutes to appear. Once it does, right-click on the DMZ Server and select Approve.
5. Once the device is approved, right-click on it again and select Add Selected Items, then Add Selected Items to Existing Device Collection. Select the device collection named DMZ Servers.
6. On the DMZ Server, open Control Panel, then Configuration Manager. Select the Actions tab and run the Machine Policy Retrieval & Evaluation Cycle. This will force communication from the SCCM agent back to the SCCM Management Point (sccmserver).
7. After a few minutes, open the Configuration Manager on the DMZ Server and note the Client Properties. Make sure it looks similar to the image below.
8. Select the Actions tab, note that you should see more Actions then you did in step 6. Run theMachine Policy Retrieval & Evaluation Cycle again and wait a few minutes.
9. Wait another couple of minutes and you should see the SCEP icon in the System tray. If for some reason you do not, you can manually install the System Center Endpoint Protection 2012 (SCEP) application. Navigate to where you copied the SCCM 2012 agent in step 2 and run the scepinstall.exe installation file. Accept the defaults and complete the installation. But if everything is working OK, you shouldn’t have to do this.
10. Look for the SCEP icon in the system tray, right click and Open. Select the down arrow near Help at the top right and then select About. Note the Policy Name being applied. It should read DMZ Server Antimalware Policy.
Hi George
Could you explane a bit more about the Firewall Rules?
Thanks
Sven
Hi Sven, sorry for the delay. There are no firewall rules other than the normal SMB File Sharing ports that you need to open in the DMZ. Please restrict the incoming IP address for this FW rule to the SCCM server. It is recommended to do a manual install of the SCCM client which is what my post describes. SCCM need to be able to access the SMB administrative share (i.e. \\server\admin$ on each DMZ server). I hope this answers your question. Thank you!
Thanks George, really helped me out
No problem Ralph. Glad it helped. Thanks for commenting!
George – Do you have to setup the primary site to use a PKI certificate?
No, you do not need to use a certificate. I reviewed my post and notice three things: 1. I had a typo on the install command. Here is what it should be: ccmsetup /mp:sccmserver.domain.com SMSSLP=sccmserver SMSSITECODE= DNSSUFFIX=domain.com 2. Please make sure you open TCP port 445 on the DMZ server to the SCCM server. I forgot to add this to my post. 3. You MUST make sure to create a DMZ Boundary and include the IP range for your DMZ network in the SCCM Server Administration Yikes! I guess I need to do a better job of editing. I fixed… Read more »
Thanks, I had the problem that appear only two actions on clients at DMZ.
That parameters really helped me!!
Jonatan, thanks for commenting. I’m really happy that it helped you out.
I’ve got SCCM working for the DMZ Servers, but not the SCEP part. It’s installed but basically unmanaged and not applying any Antimalware policies. Thoughts?
JohnAnon, My apologies for the late reply! If you’ve opened up your firewall to the proper ports so that your dmz can communicate to your SCCM server and modified your hosts file so that you can resolve your internal SCCM server then you should be all set. I’m assuming you have created an Automatic Deployment Rule in SCCM to deploy your updates to your DMZ server/s. Do you have any logs that you’d be willing to share? I’d like to help you out if I can.
George, I am so close to getting this setup on my DMZ. I’ve done this successfully in the past so I am very familiar with the process. But ONE sticking point I’m having is the client cannot query our internal DNS for the MP SRV record. I see it in the logs on the client. My company refuses to open this port up for all the DMZ servers, am I missing something here? Are there other options to get this working?
Tom, you have to open TCP port 445 on the DMZ server to your SCCM server inside your network and you MUST make sure to create a DMZ Boundary and include the IP range for your DMZ network in the SCCM Server Administration. Your network team is going to have to open the firewall so that your inside SCCM server can communicate to your DMZ servers in the DMZ. You need to do this otherwise you’ll never get it to work. The other thing I did was to add host records on each of my DMZ servers which pointed back… Read more »
Does this same process also work to deploy Microsoft Updates from internal SCCM to DMZ clients?
Sorry for the late response John. The answer is YES, however I have found that if you have an internal WSUS server that you’d like to use then you will need to uninstall the SCCM agent from the DMZ server. The reason for this is because when the SCCM agent (which is the Configuration Manager program in the Control Panel) talks to the SCCM server, it will reset the WSUS server to your SCCM server. In other words, if you make the necessary firewall changes and edit your hosts file to point to your internal WSUS server, the SCCM agent… Read more »
ccmsetup /mp:sccmserver.domain.com SMSSLP=sccmserver SMSSITECODE= DNSSUFFIX=domain.com
Its work for me.
Thank you 🙂
Thank you for posting your solution Arindam! Hope the post was helpful.
Hi George, I am not sure if you want to take this on, but I have been trying to install the SCCM client on a DMZ server. Our network guy even temporarily opened up all of the ports for me, but I continue to fall down and nothing ever shows up in my C:WindowsccmsetupLogs directory, except for the failing log. Here are some tail end messages at the end of the log, I have tried many different permutations of the ccmsetup command, this is my latest attempt: ccmsetup.exe /Source:C:TEMPClient SMSSITECODE=MEL SMSMP=aumelsc00.corp.iplgroup.net DNSSUFFIX=corp.iplgroup.net Let me know if you are interested in… Read more »
Eunice, we’ll email privately about this. Thank you for posting.
thank you for the post. it works.. really helped me out.
Thanks for your comments Sean. So glad some of these old posts are still helping folks out there!