You have a System Center 2012 R2 Configuration Manager Service Pack 1 (SP1) stand-alone primary
site. Configuration Manager has Network Access Protection (NAP) configured. All Configuration
Manager servers reside on the internal network.
You use Configuration Manager to deploy applications and software updates to intranet clients.
Corporate security policies prevent the use of reverse proxies.
You need to configure Configuration Manager to manage Internet-based clients.
Which three additional Configuration Manager roles should you deploy? Each correct answer
presents part of the solution.

A.
secondary site server

B.
Management point

C.
Software update point

D.
Distribution point

E.
System Health Validator point

F.
Endpoint Protection point

Explanation:
B: In the Internet MP properties, make sure that HTTPS is enabled (checked), and depending upon
your requirement, that either “Allow Internet-only connections” or “Allow Internet and Intranet
connections” is checked.
BCD: Because of the higher security requirements of managing client computers on a public
network, Internet Based Client Management requires that the site is using certificates. This ensures
that connections to the management point, software update point and distribution points are
authenticated by an independent authority, and that data to and from these site systems is
encrypted using Secure Sockets Layer (SSL).

A closer look at Internet Based Client Management in ConfigMgr 2012
http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-basedclient-management-in-configmgr-2012.aspx