Hey,

Had a few questions lately about iPXE’s HTTP(S) support and what’s supported and not. First off, I saw a customer who had set up a new HTTP-only DP and distributed ALL his packages to it in order to use our 2PXE Server. As I pointed out to him, that isn’t needed: only the boot images need to be on the HTTP DP. All the rest of the packages can stay on an HTTPS-mode DP, as they will be accessed from WinPE over HTTPS.

Ok, so some people have thought that it is a bit of a pain in the ass to set this up just to get booting. So what are we doing about this?

iPXE and HTTPS work today; just use a generic server certificate that iPXE trusts. The real problem is with ConfigMgr, which requires not only HTTPS but also a client certificate to be presented so the DP can authenticate the client. Not a technical limitation as such, but currently it requires you to create and build your own iPXE binary per client certificate being used.

Now it goes without saying that this is not very scalable for us or our customers, so we have ordered a bit of work to be able to inject client certs on the fly, which arrives at the end of June. You can do this today actually, just not as elegantly as we would like.

When all of this is in place the process will then be:

1. TFTP/HTTP from the 2PXE server as initial boot.
2. HTTPS back to the 2PXE server to get the right client cert.
3. HTTPS back to the DP to get the boot image.
4. Sit back and be more secure than ever. Maybe a good time to start looking at our 802.1x stuff for PXE booting? Give us a shout!
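To make the three steps concrete, here is an added example of what the iPXE side of that flow could look like once the client cert is fetched at boot time rather than compiled in. This is an illustration written for this post, not 2Pint's own 2PXE script or ConfigMgr's code: the hostnames, paths, file names and the use of the MAC address to pick the right cert are all assumptions. It relies on iPXE's own certstore and privkey commands to load a client certificate and key into the running binary, which is the alternative to rebuilding iPXE with CERT= and PRIVKEY= for every certificate.

```ipxe
#!ipxe
# Added example, not 2Pint's script. All URLs, paths and file names are assumed.
#
# Step 1 has already happened by the time this runs: this script itself was
# fetched from the 2PXE server over TFTP/HTTP. Everything below is HTTPS, so the
# 2PXE server's and the DP's server certificates must chain to a CA this iPXE
# binary trusts (its built-in root list, or a CA passed with TRUST= at build
# time); otherwise iPXE refuses the connection before any authentication happens.
dhcp || goto failed

# Step 2: fetch the client certificate and its private key over HTTPS from the
# 2PXE server and load them into iPXE's certificate and key stores. iPXE
# presents them when a server requests client authentication in the TLS
# handshake. Selecting the file by MAC address is an assumption for this
# example; the real 2PXE lookup may be keyed differently.
certstore https://2pxe.example.com/client/${mac:hexhyp}.crt || goto failed
privkey   https://2pxe.example.com/client/${mac:hexhyp}.key || goto failed

# Step 3: the DP now accepts the mutually authenticated session, so the boot
# image can be fetched straight from the HTTPS-mode DP. The path on the DP is
# a placeholder.
kernel https://dp.example.com/boot/wimboot || goto failed
initrd https://dp.example.com/boot/boot.wim boot.wim || goto failed
boot || goto failed

:failed
echo Boot failed: check that the HTTPS server certs are trusted by this iPXE build
echo and that the fetched client cert matches what the ConfigMgr DP expects
shell
```

Two practical notes. The certstore and privkey commands are not enabled in every prebuilt iPXE binary, so a build with those commands compiled in is still needed once, but it is the same binary for every client cert, which is the point of step 2. And because the private key is delivered over the network, the 2PXE server should only hand it out over the HTTPS session shown here and only to the machine it belongs to; the script above trusts the server cert for that, so a stray CA in the TRUST= list would undermine the whole chain.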


//2Pint Software in Italia, working off a laptop as all HW is unplugged due to severe T-storms.