Configuring MP, DP and SUP to use SSL

Now that all the certificate prerequisites are complete, we are ready to configure the ConfigMgr components to use SSL.

Configuring Management Point to use SSL

Go to the Management Point properties (open the ConfigMgr console > Administration workspace > Site Configuration > Servers and Site System Roles > select your server, right-click the Management Point role and click Properties).

Select HTTPS under Client connections. This kicks off a reinstallation of the Management Point and reconfigures its virtual directories to accept HTTPS communication only.

You can see the MP reinstallation happening in MPSetup.log.

Configuring Distribution Point Role to use SSL

Go to the Distribution Point properties (open the ConfigMgr console > Administration workspace > Site Configuration > Servers and Site System Roles > select your server, right-click the Distribution Point role and click Properties).

Select HTTPS under Specify how client computers communicate with this distribution point.

If you would like clients to communicate back to the DP over HTTPS even during a task sequence, then you also need to select Import certificate under Create a self-signed certificate or import a PKI client certificate.

Click Apply. This reconfigures the distribution point's virtual directories to accept HTTPS communication only.

Configuring WSUS/SUP to use HTTPS

Open a command prompt as administrator on the WSUS server, change the working directory to the Tools directory under the WSUS installation path, and run the following command:

WSUSUtil.exe configuressl <Intranet FQDN of WSUS Server>

Go to the Software Update Point properties (open the ConfigMgr console > Administration workspace > Site Configuration > Servers and Site System Roles > select your server, right-click the Software Update Point role and click Properties).

Check the box Require SSL communication to the WSUS server and click Apply.

This will also reinstall the Software Update Point role with the new settings.
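The three console changes above (MP, DP and SUP) all come down to IIS requiring SSL on the role's virtual directories, and for WSUS additionally to the state that WSUSUtil.exe configuressl writes. The following PowerShell script is an added verification example, not code from the original post; it runs on the site system server and reports any role directory that is present but still reachable over plain HTTP. It assumes the IIS WebAdministration module is installed, that the ConfigMgr roles sit under "Default Web Site" and WSUS under "WSUS Administration" (the defaults), and uses the default virtual-directory names; adjust the names if your installation differs.

```powershell
# Added example, not part of the original post. Run on the site system server
# after applying the console changes: reports whether the IIS virtual
# directories behind the MP, DP and WSUS roles now require SSL, and shows the
# SSL state WSUS recorded after "WSUSUtil.exe configuressl".
# Assumptions: WebAdministration module (IIS) available; ConfigMgr roles under
# "Default Web Site", WSUS under "WSUS Administration"; default vdir names.
Import-Module WebAdministration

function Get-VDirSslState {
    param([string]$SiteName, [string]$VDir)
    $path = "IIS:\Sites\$SiteName\$VDir"
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Path = $path; Present = $false; RequireSsl = $false; SslFlags = $null }
    }
    $raw = Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' -Name sslFlags
    # Depending on the PowerShell/IIS version the value comes back as a string or as an object with .Value
    $flags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    [pscustomobject]@{
        Path       = $path
        Present    = $true
        RequireSsl = (($flags -split ',\s*') -contains 'Ssl')
        SslFlags   = $flags
    }
}

# Virtual directories created by each role (default names; roles absent from this server simply show Present = False)
$checks = @(
    @{ Site = 'Default Web Site';    VDirs = 'SMS_MP', 'CCM_Incoming', 'CCM_System', 'CCM_System_WindowsAuth' }  # MP
    @{ Site = 'Default Web Site';    VDirs = 'SMS_DP_SMSPKG$', 'SMS_DP_SMSSIG$' }                                # DP
    @{ Site = 'WSUS Administration'; VDirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
                                             'ServerSyncWebService', 'SimpleAuthWebService' }                    # WSUS
)

$results = foreach ($c in $checks) {
    foreach ($v in $c.VDirs) { Get-VDirSslState -SiteName $c.Site -VDir $v }
}
$results | Format-Table -AutoSize

# WSUS records its own SSL state here once configuressl has run
$wsusSetup = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
if (Test-Path $wsusSetup) {
    Get-ItemProperty -Path $wsusSetup | Select-Object UsingSSL, PortNumber, ServerCertificateName
}

# Anything present but not requiring SSL is a gap: clients can still reach that path over HTTP
$results | Where-Object { $_.Present -and -not $_.RequireSsl }
```

Run it once before the console changes and once after; the "after" run should list no rows in the final gap query, and the WSUS key should show UsingSSL = 1 with PortNumber = 8531.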

Site Server Settings

Change your ConfigMgr site setting so that clients communicate with an HTTPS-enabled MP whenever a client authentication certificate is present. Launch the ConfigMgr console > Administration workspace > Site Configuration > Sites > right-click your primary site > Properties and go to the Client Computer Communication tab. Check the box “Use PKI client certificate (client authentication capability) when available”.

Review clients that have a client authentication certificate to make sure they are communicating with the MP over HTTPS.

A client that has the ConfigMgr client certificate installed will see the changes made on the ConfigMgr server via the information published in Active Directory, and will switch to HTTPS once it detects a valid client certificate in the computer’s Personal store.
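To review a client as described above, two things need checking: that a currently valid client-authentication certificate with a private key exists in the computer's Personal store (the condition the client evaluates before switching), and that the HTTPS MP actually answers over TLS. The following PowerShell script is an added example, not code from the original post; it runs on a managed client and uses the MP's .sms_aut?mplist location request, which any management point serves. The $MpFqdn value is a placeholder for your MP's intranet FQDN.

```powershell
# Added example, not part of the original post. Run on a managed client to
# confirm (a) a valid PKI client authentication certificate exists in the
# computer's Personal store and (b) the HTTPS MP answers over TLS using it.
# $MpFqdn is a placeholder; replace it with your MP's intranet FQDN.
param([string]$MpFqdn = 'mp.corp.example')   # placeholder value

function Get-ClientAuthCertificate {
    # EKU 1.3.6.1.5.5.7.3.2 = Client Authentication. Only certificates that
    # carry a private key and are within their validity period qualify.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    }
}

function Test-MpHttps {
    param(
        [string]$Fqdn,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # .sms_aut?mplist is the MP's own location request; it is answered by any MP.
    # Invoke-WebRequest validates the MP's server certificate against the
    # machine's trusted roots, so a failure here also surfaces a broken chain.
    $uri = "https://$Fqdn/sms_mp/.sms_aut?mplist"
    try {
        $resp = Invoke-WebRequest -Uri $uri -Certificate $Certificate -UseBasicParsing
        [pscustomobject]@{ Uri = $uri; StatusCode = $resp.StatusCode; Ok = ($resp.StatusCode -eq 200); Error = $null }
    } catch {
        [pscustomobject]@{ Uri = $uri; StatusCode = $null; Ok = $false; Error = $_.Exception.Message }
    }
}

$certs = @(Get-ClientAuthCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No valid client authentication certificate with a private key in LocalMachine\My; this client will stay on HTTP.'
} else {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
    Test-MpHttps -Fqdn $MpFqdn -Certificate $certs[0]
}
```

A client that lists a certificate here but fails Test-MpHttps usually has a trust problem (the MP's server certificate chain is not trusted by the client) rather than a site configuration problem, so check the trusted root store before revisiting the console settings.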