Client Management Suite

We are looking to impliment the CEM for our environment.

In reading through the prepare your environment steps I have some questions if anyone can answer them.

First I have to install certs and set my NS servers to use https, this is not a problem

The steps indicate to set "require SSL" as a step before it tells you to redirect.  I am thinking once I require SSL no clients will be able to commuinicate to get the update to redirect?  Is this correct?  If so it sounds more like I would install the cert but not require ssl until I am sure my clients switched over to using SSL.

Then with site servers that I have to set as internet it states "Running a Task Server on a Cloud-enabled, Internet-managed client computer is not supported and can lead to undesirable behavior".  Does this mean that my site server that I choose can not have Task Server installed?  Its not really a client computer its a site server, or is it?

Until you remove the HTTP port from IIS, the clients can still talk to the SMP via HTTP, allowing you to use the Advanced option of the client configuration policy to redirect them to the HTTPS URL

Yes, with the initial 7.5 release, Task Server is not supported by CEM.

for the task server I don't want to install it on the CEM, but I was hoping to utilize internal servers that I had already set up as package servers as the designated package servers for CEM to access.  These servers already have task on them and would prefer not to have to set up new servers specifically for this.  We purchased new servers for the CEM servers themselves but dont want to have to purchase additional package servers if possible

I suppose that would work as long as assigning those site servers to CEM does not prevent them from still servicing internal clients.

Ok I 'm going to go down this path as we impliment I'll reply here how it works once we get it up and running in a month or so.

Another note, if you are using aliasing, make sure that the certificate name matches the servers fqdn.  ie. your server fqdn is smp.domain.com and the certificate used the alias that hid the servername.  For example, ds uses the basic inventory fqdn instead of the alias for it's communication so it can fail if they don't match.  I can find the kbs for this if you need.

yeah our NS servers do use an alias.  We do already have certs for the main NS servers and got certs with both the true name and alias as part of the cert I forget what they call it in the cert something like an alternate name.  So hoping we are good to go there.  

I'll still have to have our root cert issue me a couple certs for the site servers we will be using and the cem's themselves, but those aren't going to have aliases that we have planned right now.