Tuesday, September 20, 2011

SCCM 2007 Native or Mixed mode?



SCCM 2007 Native mode - don't Go there! :)

In my opinion there are too many cons versus pros with native mode. This will be solved in another manner with 2012: there is no mixed or native mode there. Instead you can set up and enable HTTPS MPs, etc.

If you do want to go native, to get the functionality, run more securely, and be able to patch your Internet clients, think through your PKI infrastructure first: do you have several forests or domains? How is your DMZ set up? Are there any other client certificates in use at the time being?
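One way to answer the client-certificate question on a representative machine is to inventory the computer store before any migration. This is an added example, not part of the original post or of Microsoft's documentation; it assumes the machine certificates live in the local computer's Personal store (`Cert:\LocalMachine\My`) and that PowerShell 2.0 or later is available.

```powershell
# Added example: list certificates in the computer's Personal store that can
# be used for client authentication, and flag machines that hold several.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

$candidates = @(foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate without an EKU extension is not restricted to any purpose,
    # so it is also usable for client authentication.
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($eku -and ($oids -notcontains $clientAuthOid)) { continue }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Unrestricted  = (-not $eku)
        Thumbprint    = $cert.Thumbprint
    }
})

# Only certificates that are in their validity period and have a private key
# can actually be presented by the client.
$valid = @($candidates | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
})

$candidates | Sort-Object NotAfter |
    Format-Table Subject, Issuer, NotAfter, HasPrivateKey, Unrestricted -AutoSize

if ($valid.Count -eq 0) {
    Write-Warning 'No valid client-authentication certificate with a private key was found.'
} elseif ($valid.Count -gt 1) {
    Write-Warning "$($valid.Count) valid client-authentication certificates found; decide which issuing CA the clients should use."
}
```

Comparing the Issuer column across forests and the DMZ shows quickly whether one PKI covers all clients or whether several CAs are already handing out client certificates.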




Choose between Native Mode and Mixed Mode
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
If you install a new Configuration Manager 2007 site, you must choose between native mode and mixed mode during Setup. If you have an existing Configuration Manager 2007 site, you can choose to migrate the site to native mode after Setup or keep the site in mixed mode.

Choose native mode if any of the following conditions apply:
  • You require the highest security controls, using industry-standard protocols.
  • You require Internet-based client management.
Choose mixed mode if any of the following conditions apply:
  • You do not have the supporting public key infrastructure (PKI).
  • You have not installed the specific certificates required by Configuration Manager 2007.
  • The site contains SMS 2003 clients.
  • The site contains clients running Windows 2000 Professional or Windows Server 2000.
  • The parent site is configured for mixed mode.
  • Site systems running Internet Information Services (IIS) are not dedicated to Configuration Manager, and you cannot configure a custom Web site.
  • You must use WINS as the means by which clients can find their default management point.
  • You do not want the site's secondary sites to be automatically migrated.

Advantages and Disadvantages of the Two Site Modes

If you cannot choose the site mode based on these conditions, you should consider the advantages and disadvantages of both site modes to best meet your business requirements.
The following table outlines the advantages and disadvantages of native-mode and mixed-mode site configuration to help you choose which site mode to configure.

Native Mode
Advantages:
  • More secure solution than mixed mode because it provides better authentication, encryption, and signing using standard industry security protocols.
  • Supports Internet-based client management.
  • Does not use WINS as the means by which clients locate their default management point.
  • Can integrate with existing PKI deployment, and the security controls can be managed independently from the product.
Disadvantages:
  • Requires a PKI deployment and specific certificates.
  • The parent site (if applicable) must be in native mode.
  • Clients that roam into this site from a mixed-mode site will not be able to download content from the site's distribution points.
  • Must configure a custom Web site if the site systems running Internet Information Services (IIS) are not dedicated to Configuration Manager.
  • Might require registering fully qualified domain names (FQDNs) in DNS (FQDNs are a requirement for Internet-based client management, and recommended for native mode on the intranet).
  • If a mixed-mode client roams into the site, it will not be able to download local content.

Mixed Mode
Advantages:
  • Does not require a PKI deployment, so it has no external dependencies.
  • Supports clients running SMS 2003.
  • Supports WINS for the means by which clients locate their default management point if Active Directory and DNS cannot be used.
Disadvantages:
  • Provides less comprehensive signing, encryption, and authentication.
  • Does not support Internet-based client management.
  • Requires approval of clients before they can receive policies that might contain sensitive data.
  • Clients that roam into this site from a native-mode site will not be able to download local content unless their site is configured with the option: Allow HTTP Communication for Roaming and Site Assignment.
