But what if I need my VPN computers to communicate through the CMG and not the local MP? That translates into, if a site system with the Distribution Point role, is referenced directly in the Boundary Group. If you’re unsure of which type of boundary to use you can read Jason Sandys’ excellent post about why you shouldn’t use IP Subnet boundaries. Assign the distribution point to the boundary group. ConfigMgr Optimization Options for Remote Workers | SCCM | VPN. I’m also allowing the devices to prefer cloud based sources over on-premises sources. The new set of management insights is only available with the SCCM production version 2006. So it’s wise to disable peer to peer content transfer in remote worker/VPN scenarios. Thanks for your great effort for ConfigMgr Optimization Options for Remote Workers | SCCM | VPN. Instead I configure a fallback relationship with my Cloud Management Gateway, enabling devices to potentially get the content via the CMG in Azure. Given my setup and configuration explained above, this deployment will not run while on VPN. This is pretty simple and easily achieved with these 2 configurations: Now, with above 2 configurations in place, the content is found both on Distribution Points as well as in Microsoft Update. Everything can be done automatically, as long as you configure it manually :-). By default, Configuration Manager excludes the default Teredo subnet (2001:0000:%). When using ‘IP Address Ranges’, irrespective of the mask the assigned IP address will be used to check if the client is within an SCCM Boundary. After having configured the SCCM Discovery Methods, it is now time to configure its Boundaries and Boundary Groups. As stated in this Technet article, in a nutshell, Boundaries represent network locations on the intranet where Configuration Manager clients are located. Introduction: Boundaries for SCCM define network locations on your intranet that can contain devices that you want to manage.
When you save the boundary, Configuration Manager only saves the Subnet ID value. When running the deployment now, you will see that the Distribution Point used, is the one referenced in your Default-Site-Boundary-Group. SCCM client logs report no errors. A common requirement with ConfigMgr deployments is to exclude clients that are connected to the corporate network via a VPN, when the total size of the content files for the deployment is too much to be throwing down a slow network link. There is more than one way to do this, but I have seen that not all are reliable and do not work in every case or for every VPN adapter out there. Note: This is something that’s used, when I deploy Software Updates (specifically Office 365 ProPlus updates) to devices on VPN. VPN Boundary Group uses the dedicated VPN DP(s): Not making any assumptions, I like to explicitly state that the VPN Boundary Group should never fallback to another boundary group’s distribution point (in case an admin screws up a check box on a deployment). I don’t distribute everything to the CMG, so when needed, I have to do this separately like shown in the following 2 illustrations: What the deployment needs to look like in this scenario – given all my configuration – is similar to below. The following configuration helps to prevent unnecessary peer-to-peer traffic via VPN channel that doesn’t benefit the remote clients to have faster downloads. When running this while on VPN, the log expectedly returns: “[KR1208FB Per-system unattended KR10091B] Content is not available on the DP for this program. Site B to Site E - Are Working as it supposed to (clients getting updates from local WSUS on sites, and WSUS on sites sync with Site A SCCM) Site A: Boundary Group BG1 BG1: Local Machines and 750+ Machines over VPN in 250 Sub-Sites (avg 3 in each) - let's call this as "VPN Machines" to refer to in scenario.
The key aspect here is, that this VPN Boundary Group(s) only contain VPN related boundaries. To leverage the split tunnel, in the Configuration Manager console you need to: Configure a boundary that encompasses your VPN clients; Create a boundary group to control your VPN clients and assign the VPN boundary(s) Associate the boundary with the Cloud Management Gateway (CMG) and / or Cloud Distribution Point (CDP) And when the updates are downloading, the Microsoft Update location is preferred due to the setting on our Boundary Group. The same details are mentioned in CAS.log once the download is allowed and begins: If you want to ease the load on your VPN, you can enable the installation to come from your Cloud Management Gateway.
I don't have boundaries setup for 192.168.1.0/24 so that client is in an unknown location, has no distribution points and gets no content. Instead this is done via the Default-Site-Boundary-Group. Find out which IP ranges cover your VPN clients. This is my long planned post on the evils of IP Subnet boundaries in ConfigMgr – this includes both 2007 and 2012 because nothing has changed between the two versions as far as boundary implementation goes. Introduction. if CMG is used, and the computer is on VPN connection, won’t the traffic still go via VPN tunnel, thus doesn’t save VPN bandwidth? The Management insights are based on analysis of data in the site database (SQL). Your management point can determine if the client is on a VPN connection based on this new information. Configure VPN connected clients to prefer cloud based content sources. When configuring a package for deployment, the Distribution Points tab of the deployment is highly relevant. If your VPN clients are sat neatly in a known IP range or ranges, then firstly you need to create boundaries in Configuration Manager to cover the VPN ranges: and then add them to a boundary group: Then you need to configure that boundary group to use cloud services. Boundaries and Boundary Groups in SCCM. + SUG deployment settings with “If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates” , would it download the security update from the Internet and will it prefer it as primary source ?
Luckily Mike Terrill just described already in detail how to create these VPN related boundaries and boundary groups in his post about “Forcing Configuration Manager VPN Clients to get patches from Microsoft Update”. Select Distribution point and complete the wizard to create the DP; Next, go to Boundaries – Create Boundary and create according to your VPN IP ranges. After some research it started to dawn on me that this would not be an easy task. This translates into any device being online coming from our VPN, which again means they now are within a known location to Configuration Manager. So I figured it would make a relevant and helpful blog post, to share the details on how I have configured boundaries, boundary groups and everything related to deploying software and software updates in the different #WorkingFromHome situations with VPN and the Cloud Management Gateway. Let’s learn more about ConfigMgr Optimization Options for Remote Workers.
We are using Always On VPN, and the configuration is something I have explained here as well: https://www.imab.dk/my-always-on-vpn-configuration-with-microsoft-intune-and-configuration-manager-explained/. Also, this is not a typical A-Z guide, but rather some insights to, how I have done some of the configurations in order to cater for remote work. To use a boundary, you must add the boundary to one or more boundary groups. Because this is a regular package, the first place to look will be execmgr.log. If you provide the Network (default gateway) and Subnet mask values, Configuration Manager automatically calculates the Subnet ID. cbensonICS asked on 2011-09-23. In this scenario, the binaries will be downloaded from your on-premises Distribution Point. Boundary group option – Prefer cloud based sources over on-prem sources is another useful option that you can think about. Here I’m enabling the deployment to grab content from a neighbor boundary group, but not the Default-Site-Boundary-Group. All of this was written while #WorkingFromHome and having the entire family around. Hello, we are a member of a large AD Domain. In my scenario (as you can see in the above screenshot), I already created a VPN boundary group hence have a green tick mark with the Define VPN boundary rule. ConfigMgr Management Insights helps to gain valuable insights into the current state of ConfigMgr environment. Auto detect VPN: Configuration Manager detects any VPN solution that uses the point-to-point tunneling protocol (PPTP). Move to the cloud model for SCCM with AD boundaries defined. Above range of IP addresses are exclusively added to the Boundary Group: BG – AlwaysOn VPN. Let’s deep dive into it!
The SCCM VPN Boundary type helps to manage your remote clients. Move to the cloud model for SCCM, using the Microsoft Lightweight Filter (LWF) driver within Z App. For example, you want to include a boundary but exclude a specific VPN subnet. Intranet/Internet confusion: Even though the Clients are on VPN with CMG configured in Boundary Groups, they are still considered as Intranet Clients since VPN is part of the Corporate Network. The configuration shown below will only run, if the content is found on a distribution point within the current boundary group (BG – Always On VPN). This all started with a simple boundary review when I figured it might be handy to have a boundary report. 1. First option is to allow the download to happen over VPN. Download Settings – SCCM Config to Help to reduce VPN Bandwidth Boundary Group Options. This is achieved by configuring the deployment of the package as shown below: In above situation, you allow the deployment, not only to reach out to a neighbor boundary group (if a fallback relationship is configured), but you also allow the deployment to use the Default-Site-Boundary-Group. The program cannot be run now.”. This means that ConfigMgr Clients while on VPN continue to avoid using CMG for MP/SUP related Communications. The boundary value in the console list will be Auto:On. Where boundaries based on Active Directory sites are not an option, then use IP subnet or IPv6 b… Define VPN boundary groups. The first thing I do in this scenario, is to distribute the content to the CMG. As of such, the locality in LocationServices.log is SITE (this would otherwise have been BOUNDARYGROUP or NEIGHBORBOUNDARYGROUP).
Let’s start off by taking a closer look at my boundaries, and specifically the boundary for my devices on VPN. The SCCM management insights rule “Disable peer to peer content sharing for VPN connected clients” checks and confirms whether you have optimized the remote worker solution or not. This is currently a very hot topic, all given the sad circumstances regarding the COVID-19 outbreak all over the world. The primary reason for the “evilness” of IP Subnet boundaries is that they do not represent or define IP Subnets at all: They actually define Subnet IDs. We have VPN boundary group that is assigned to a CMG DP so we can offload bandwidth for patches, software center installs, etc. Connection name: Specify the name of the VPN connection on the device. For example, 169.254.0.0. The management insights rule checks and confirms whether you have created any VPN boundary or not. For more information about boundary groups in build 2002 and later, please read here. Microsoft recommends the following: 1. The IP ranges cannot be part of any other boundary groups. He is Blogger, Speaker and Local User Group Community leader. To ease the burden on my VPN even further, this is something I want to be serviced from the cloud, but only if and when devices are online via VPN.
Boundary groups are logical groups of boundaries that provide clients access to resources. The deployment will then see, that “BG – Cloud Management Gateway” is a neighbor boundary group, where fallback is allowed on the Distribution Point. And again, taking a peek in LocationServices.log while the deployment is initiated, you will now see that the distribution points offered in the current location, is the CMG in Azure (Locality=’AZURE’). Our Corporate office has its own SCCM system which is used for clients in their country. Microsoft introduced a new set of ConfigMgr Management Insights called Optimize for Remote Workers. Details regarding F5 VPN can be found here. That depends on the configuration of the deployment. Then create a Boundary Group to include all the VPN boundaries. The management insights rule checks and confirms whether you have optimized the remote worker solution or not. (The rest are obfuscated because irrelevant and sensitive.) If you have a branch office with a faster internet link, you can now prioritize cloud content. Create a distribution point that contains everything except software updates. Looking for any ideas on what would drive this behavior. An interesting question here (similar to boundaries that define VPN connections) is whether to configure these boundaries as fast or slow. Also elaborated later. Great article! If it doesn’t detect your VPN, use one of the other options. This is being managed by Intune. This also helps to reduce the VPN bandwidth issues. VPN: ipconfig /all; Boundary types IP subnet.
Disable peer to peer content sharing for VPN connected clients. He is a Solution Architect on enterprise client management with more than 17 years of experience (calculation done on the year 2018) in IT. Successful Customer: Simple. See the highlights below. As per the explanation given about my boundaries and boundary groups above, I don’t allow fallback to another distribution point in another custom boundary group. Without CMG and VPN clients are forced to take content & assigned with a dedicated dp’s on premise & no prefer cloud based resources over on premise enabled in Boundary group (Assume CMG ?) The IP subnet boundary type requires a Subnet ID. In a split tunneling VPN? He writes about the technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V etc... Boundaries can be either an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range. ConfigMgr VPN Boundary Creation Process Explained | SCCM Configure VPN Boundary. No. Note: This configuration will only have effect, if I allow it in the deployment of packages or applications. When a client is remote using split-tunnel VPN, the CCM agent is reporting as "Currently intranet" instead of "Currently internet". In the SCCM DB there is no correlation between boundaries and IPs so there goes the easy way. It’s important to understand each option in the SCCM VPN configuration. Please excuse me if anything is unclear. Software Updates for Office 365 ProPlus (soon to be renamed into Microsoft 365 Apps for enterprise), is something I still manage with Configuration Manager. VPN in Sub-Sites are always ON. Let’s take an example of deploying 7-Zip as a package. Create a boundary group in SCCM for the IP ranges. If force tunnel, sure, but considering the circumstances these days, I don’t hope many use force tunnel anymore.
Taking a look at the References tab, you will see that I don’t reference or associate any site systems directly with this boundary group. You can run the following management insights rule to confirm whether the boundary group configurations are optimized for VPN/remote work scenarios. Management insights to optimize for remote workers – When you install SCCM tech preview 2006, you will find 3 new management insights for remote workers. As per Microsoft, a boundary is a network location on the intranet that can contain one or more devices that you want to manage. So what happens when I deploy software to devices on VPN? Auto Detect VPN. More on that later. When designing your boundary strategy, we recommend you use boundaries that are based on Active Directory sites before using other boundary types. Most F5 VPN Edge clients receive an IP address with a mask “255.255.255.255”. This makes for the second option, continuing on above scenario. As always, don’t hesitate to reach out to me in the comments section down below or on Twitter. At osd365 we always use ‘IP Address Ranges’ for VPN boundaries. Starting in version 2002, depending on the configuration of your network, you can exclude certain subnets for matching. When you have a remote branch office with a faster internet link, the following option “Prefer cloud based sources over on-premise sources” is for you. Before designing your strategy choose wisely on which boundary type to use. Let’s start off by digging into some of the log files.
Log in to the SCCM Console – Administration – Site configurations – Create a new site system. Last Modified: 2012-06-21. Anoop is Microsoft MVP and Veeam Vanguard! - Simplified VPN boundary type (Auto detect VPN, based on Connection name, based on connection description) - Improved support for Windows Virtual Desktop - CMG software Update Point for intranet clients when "Allow Configuration Manager cloud management gateway traffic" option is enabled on the software update point. His main focus is on Device Management technologies like SCCM 2012, Current Branch, Intune. So for example 10.10.30.x is a VPN IP, the Software Center client reports only the 192.168.1.x IP from the user's gear and not our VPN. More details about the VPN boundary creation are explained in the following post – ConfigMgr VPN Boundary Setup Process Explained | SCCM. How to configure SCCM Boundaries for VPN connections. An upgraded SCCM client now sends a location request which includes information about its network configuration. An IP range (not subnet) boundary is set up and is assigned to the proper site for the VPN IP address range and the client is registering its VPN address with our DNS servers without issue. The Microsoft Endpoint Configuration Manager (MECM, formerly System Center Configuration Manager, SCCM) offers various methods of using a smart configuration to save bandwidth and increase user productivity. Boundary groups are logical groups of boundaries that you … I’m using Windows Update for Business for the regular Windows 10 updates. There are three options given to you while creating a VPN boundary. This should help you to prioritize cloud content.
I do this, because I don’t want software deployments, whether it’s regular packages/applications or software updates, to apply to devices being online via VPN by default.