I know that this has been discussed before, but I want to raise the
question of whether the possibilities have changed with CU3 for 2012 R2.

With CU3 we get the option to limit a client to one or more specific MPs.



*This cumulative update introduces a new registry entry for clients. This
entry will restrict which management point (MP) a client can communicate
with. This can be useful in environments that have multiple MPs in
different forests, and the clients can only communicate with a subset of
them. Setting the registry value to only those MPs that can be reached by
the client can improve overall efficiency. The new registry value is
AllowedMPs, a REG_MULTI_SZ (multi-string) type that is under the following
subkey:*
*HKEY_LOCAL_MACHINE\Software\Microsoft\CCM*

Does this mean that we now have a viable option for setting up an MP/DP/SUP
in a DMZ?

If this is not an option, what is the recommended/supported way of managing
servers/clients in a DMZ? What we want to do is basically patch and
inventory servers (workgroup) in the DMZ. We have PKI and certificates on all
servers already.


Regards
Mattias Benninge
http://myitforum.com/myitforumwp/author/matbe/
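
The registry entry quoted in the post above, as an added example that is not part of the original post or of Microsoft's update text: a PowerShell function that checks the AllowedMPs value under the subkey named there and writes it as REG_MULTI_SZ only when it differs. The function name Set-AllowedMPs and the host name mp-dmz01.example.com are hypothetical.

```powershell
# Added example. Key path, value name and type come from the quoted update
# text; the MP host name used in the call is a constructed placeholder.
function Set-AllowedMPs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ManagementPoint,
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\CCM'
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key '$KeyPath' not found."
    }

    # Normalise the requested list: trim, drop blanks and exact duplicates.
    $desired = @($ManagementPoint | ForEach-Object { $_.Trim() } |
        Where-Object { $_ } | Select-Object -Unique)
    if ($desired.Count -eq 0) { throw 'No management point names supplied.' }

    # Read the existing value and its registry type, if present.
    $key = Get-Item -LiteralPath $KeyPath
    $kind = $null
    $current = @()
    if ($key.GetValueNames() -contains 'AllowedMPs') {
        $kind = $key.GetValueKind('AllowedMPs')
        $current = @($key.GetValue('AllowedMPs'))
    }

    # Compliant only if the type is REG_MULTI_SZ and the entries match
    # (-eq on strings is case-insensitive, which suits host names).
    $ok = ($kind -eq [Microsoft.Win32.RegistryValueKind]::MultiString) -and
          (($current -join "`n") -eq ($desired -join "`n"))

    $changed = $false
    if (-not $ok -and $PSCmdlet.ShouldProcess("$KeyPath\AllowedMPs", 'Set REG_MULTI_SZ')) {
        # -Force overwrites an existing value, including one of the wrong type.
        New-ItemProperty -LiteralPath $KeyPath -Name 'AllowedMPs' `
            -PropertyType MultiString -Value $desired -Force | Out-Null
        $changed = $true
    }

    [pscustomobject]@{ Previous = $current; Desired = $desired; Changed = $changed }
}

# Preview the change first; drop -WhatIf to apply it.
Set-AllowedMPs -ManagementPoint 'mp-dmz01.example.com' -WhatIf
```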

