1E at MMS: What you need to know for System Center 2012 success #5: Managing clients over the Internet

The complexities of Native Mode in ConfigMgr 2007 no longer exist in ConfigMgr 2012 as the Mixed and Native Site modes are no more. Instead, the various Site system roles within the Site are configured to support HTTP or HTTPS connections (or both).
Within a Site, multiple Site systems (e.g. Management Points) can be deployed, allowing one or more servers situated in a DMZ to host internet-facing roles using HTTPS, with the same roles hosted on an internal server using HTTP. Use of HTTPS still requires a PKI to enroll Client and Server certificates (mutual authentication is still required), however the Site Server Document Signing Certificate is now created by the site as a self-signed certificate.
By default, if a client has a client authentication certificate issued by a trusted Certificate Authority (CA) it will use HTTPS and will be able to communicate with all Site systems that are configured to support HTTPS. If no such client authentication certificate exists, the client will use a self-signed certificate and use HTTP to communicate only with Site systems that are configured to support HTTP.
New to ConfigMgr 2012 is the possibility for Internet-based clients to evaluate user-based policy (such as Application Deployments). In order for this to occur, either the Management Point (MP) and user account must be in the same forest, or a trust must exist between the forests in which the MP and the user account reside. In either case, any perimeter firewall must allow AD authentication traffic between the MP and a Domain Controller in the user account’s forest.