IBCM Design configuration

Hi, I've got some design questions around IBCM. We're planning to set up IBCM for a customer in 2 DMZ locations (Americas / Europe). Current thinking would be to have 1 MP and 2x DP's in each of the DMZs. Our existing configuration consists of 1 CAS and 3x Primary sites (120,000 endpoints) (SCCM 2010 SP1 CU2); we will be upgrading to R2 next month.

Here are some questions I have:

- I know that the MP needs to have a public DNS name; I guess this is also needed for the DP's in the DMZ, otherwise the clients will not be able to connect to them?

- Do I need to create a new SCCM site for each DMZ, or can the DMZ MP's be joined to the existing site for that region?

- DP: when installing the DP role, I guess no boundaries can be assigned. When Internet clients request content, the clients will get a list of DP's and will first select the HTTPS-enabled DP's over the HTTP DP's; is that correct?

- SUP: do I need to install full WSUS, or is the WSUS console sufficient for installing the SUP role? Is there any issue/problem with adding the SUP role alongside the MP or DP? Current thinking is that we will have max. 10,000 clients globally configured for IBCM, so I don't think there should be any issue from a performance point of view.

- Clients: currently all our clients are installed as "Intranet" clients. To make them IBCM-aware, is it necessary to do a full re-install of the SCCM client and then pass along the MP and cert info, or can this be done with a registry tweak? The client certs will be deployed using AD.

January 13th, 2014 8:40am

- Public name for DP: yes.

- DMZ Site: No. Internet facing systems are generally part of an existing internal site.

- IBCM DP and boundaries: Correct, boundaries (and boundary groups) are meaningless for Internet clients.

- SUP: A SUP requires a full instance of WSUS -- the console is not an instance of WSUS, it's just the console (and SDK), which don't do anything. A single WSUS instance and SUP will support 10,000 clients fine.

- Clients: No, you only need to reinstall them if you want to configure them as "Internet only". Other clients will pick up the necessary info from AD and ConfigMgr policy allowing them to switch between Intranet and Internet modes.

One side note here also:

- Why two DPs in the DMZ? Clients don't know how to pick between them; code-wise they actually order them alphabetically and so in reality will only ever pick one.

January 13th, 2014 10:03am

Jason,

Thx for the quick reply on this.

For the SUP, thx for clarifying. If I install the role on my MP, is it then correct to say that I cannot use the same port:

DP ==>  https (443)

SUP ==> https (8531)?

Your comment on 2 DP's in the DMZ: I guess I'm being paranoid; in case 1 DP is not available, the client can switch over to the other DP.

For the Management Point is the following assumption correct, if I have the following:

MP1 - DMZ1 - Site1 | MP2 - DMZ2 - Site2

My client is configured for Site1 (Internet & Intranet), so when on the Internet he will get the policies from MP1. In the likelihood that MP1 is down or not available, will he be redirected to MP2 automatically? For my Intranet clients we have foreseen 2 MP's per site; when the client queries AD, he gets a list of the 2 MP's for that site, so if 1 is down or not available the client will be redirected to the other MP. Will that also be the case on the Internet?

Thx for your help, I might come back with some other questions.

January 13th, 2014 11:38am

Clients communicate with the various roles based on the URLs; thus there are different sub-directories for each of the roles within IIS, and thus they can all use the same port on the same system. There's actually no other way to do it, as you can't change the port for roles individually except for WSUS (note that clients don't actually communicate with the SUP but with the WSUS instance that the SUP is installed on top of), and in Server 2012/2012 R2 it defaults to 8530/8531 and a custom website automatically (although it can be changed, it's not exactly straightforward to do so).

Availability is certainly a good reason for two DPs.

Sites do not provide any availability whatsoever, thus no to your multiple questions about clients "switching" between sites and MPs whether internal or on the Internet. Availability for MPs, DPs, and SUPs is achieved by having multiple of those roles within the same primary site. Primary sites are about scalability and not availability (in any way).

January 13th, 2014 1:58pm
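The points made in this thread (public DNS name for the MP and DP, all roles sharing 443 under different IIS paths, WSUS on 8531, and a server certificate the client will accept) can be checked from outside the corporate network before cutting clients over. The script below is an added example, not code from the thread or from ConfigMgr itself; the host names are placeholders, and which ports and certificate properties matter are assumptions based on the answers above.

```powershell
# Added example: probe Internet-facing ConfigMgr roles the way an IBCM client reaches them.
# Run from a machine OUTSIDE the corporate network. Host names below are placeholders.
param(
    [string[]]$Hosts    = @('mp-dmz1.example.com', 'dp-dmz1.example.com'),
    [int]     $HttpsPort = 443,   # MP and DP share 443; roles live under different IIS paths
    [int]     $WsusPort  = 8531   # WSUS SSL default on Server 2012/2012 R2 (SUP sits on top of it)
)

foreach ($h in $Hosts) {
    # 1. Public DNS: the name the client is given must resolve on the Internet.
    try {
        $addr = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                 Where-Object { $_.IPAddress }).IPAddress -join ','
        Write-Host "[$h] resolves to $addr"
    } catch {
        Write-Warning "[$h] does not resolve in public DNS: $($_.Exception.Message)"
        continue
    }

    # 2. TCP reachability on the shared HTTPS port and on the WSUS SSL port.
    foreach ($p in @($HttpsPort, $WsusPort)) {
        $ok = (Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("[{0}] TCP {1}: {2}" -f $h, $p, $(if ($ok) { 'open' } else { 'CLOSED' }))
    }

    # 3. Server certificate: subject or SAN must carry the public name the client uses,
    #    otherwise the client rejects the MP/DP even though the port is open.
    try {
        $tcp = New-Object Net.Sockets.TcpClient($h, $HttpsPort)
        # Validation callback returns $true only so we can inspect the cert; trust is checked by hand below.
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($h)
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "[$h] cert subject: $($cert.Subject); expires $($cert.NotAfter.ToShortDateString())"
        $san = ($cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }).Format($false)
        if ($cert.Subject -notmatch [regex]::Escape($h) -and $san -notmatch [regex]::Escape($h)) {
            Write-Warning "[$h] certificate does not contain the public name '$h'"
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "[$h] certificate expires within 30 days"
        }
        $ssl.Dispose(); $tcp.Dispose()
    } catch {
        Write-Warning "[$h] TLS handshake on port $HttpsPort failed: $($_.Exception.Message)"
    }
}
```

A name that resolves internally but not here, or a certificate issued to the internal FQDN only, is the usual reason Internet clients fail against an otherwise healthy MP or DP.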
