There’s no hard and fast rule about which needs to be set up first, but it usually helps to have the PKI set up with the servers being built and the certs issued after the servers are up.

Rich

On Feb 7, 2014, at 9:17 AM, "Brian McDonald" <[email protected]> wrote:

Thanks Troy - yup this is the plan.

Question - should I implement PKI before building out the two servers in the DMZ? Does it matter?

Thanks,
Brian

________________________________
From: [email protected]
To: [email protected]
Subject: RE: [mssms] DMZ CM servers
Date: Thu, 6 Feb 2014 18:03:04 +0000

For security reasons, I would strongly consider splitting the site roles across multiple servers…based upon the type of protocol used to communicate with IIS:

- All HTTP-enabled roles on Server A
  - FSP
  - PKI CRL-DP (Note: this is not a ConfigMgr site role. However, it is required if the site is configured with CRL Checking enabled (and you absolutely should if you want the best security scenario ☺))
- All HTTPS-enabled roles on Server B
  - DP
  - MP
  - SUP

Troy L. Martin | Principal Consultant
1E

From: [email protected] On Behalf Of Brian McDonald
Sent: Thursday, February 6, 2014 3:27 PM
To: [email protected]
Subject: [mssms] DMZ CM servers

I'm going to be building two servers in the DMZ to support IBCM. One server will host FSP and the CRL website. I'm going to have another server that will have Software Update Point, Management Point and Distribution Point roles. Would these servers be best served with Client or Server OS?

I don't have a need for PXE booting to these servers, so not sure why I wouldn't just throw Windows 7 or Windows 8.1 on these two machines. Unless there are other requirements I am overlooking.

Thanks everyone,
Brian

