

How to configure SCCM Boundaries for VPN connections

Posted on 2011-09-23
Medium Priority
Last Modified: 2012-06-21
We are a member of a large AD domain. Our corporate office has its own SCCM system which is used for clients in their country. In our region we also have an SCCM 2007 system. We have 3 sites, one Central and two Parent sites. Our AD has been configured with supernets. I understand that we cannot use supernets in SCCM. We have configured our boundaries with all of the subnets individually. Our issue is how do we configure the boundaries for our VPN clients, many of whom rarely if ever visit the office? We have Colos providing our VPN connections to our network. Our users use one Colo in most cases. We have identified the IP subnets that they are using. But anyone in the company could connect using this Colo and receive an IP address within those subnets. If we add those subnets to our boundaries, is there a risk that those computers would be added to our SCCM system and receive Microsoft updates or application install packages etc. from our SCCM system? How should we configure the boundaries for our users who connect to our network through the VPN?
Thank you. CBenson
Question by: cbensonICS
LVL 31

Accepted Solution

merowinger earned 2000 total points
ID: 36598863
There are several things that must happen for the SCCM Agent to be installed automatically on machines you're not responsible for:
1. Make sure that clients are not discovered by any SCCM discovery method (AD System Discovery, Network Discovery, etc.). If the client has no object in SCCM, there's no risk of it being managed by you.
2. Make sure that Client Push Installation is not configured, or that the Client Push Installation Account has no permissions on those machines to install the SCCM Agent.

If the above is given, the clients could be within the same boundaries as your clients without being managed by you. Logically they are assigned.

It would be best if the clients were in separate subnet ranges.
Can you define your boundaries based on specific ranges like: -

It's always best to define IP ranges, as AD sites are normally not detailed enough and using AD boundaries has known bugs.
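The address arithmetic behind the two points above (a supernet has to be entered as individual subnet or IP range boundaries, and once a colo VPN pool is a boundary, any client holding an address from it lands inside your site regardless of which country's user got the lease) is shown in the following added example. It is not code from the thread or from Microsoft; it is plain PowerShell with no SCCM cmdlets or WMI calls, so it runs offline, and every subnet, pool, client address and boundary name in it is a constructed sample value.

```powershell
# Added example, not from the original thread: plain PowerShell for the address
# arithmetic behind the boundary decisions above. It uses no SCCM cmdlets or WMI, so it
# runs offline; every subnet and pool below is a constructed sample value.

function ConvertTo-UInt32 {
    # Dotted-quad IPv4 string -> unsigned 32-bit integer.
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [uint32]([uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3])
}

function ConvertFrom-UInt32 {
    # Unsigned integer -> dotted-quad IPv4 string.
    param([uint64]$Value)
    $octets = 3..0 | ForEach-Object { [int]([math]::Floor($Value / [math]::Pow(256, $_)) % 256) }
    return ($octets -join '.')
}

function ConvertTo-Range {
    # CIDR block -> numeric Start/End plus the "first-last" text an IP range boundary takes.
    param([string]$Cidr, [string]$Name)
    $net, $prefix = $Cidr.Split('/')
    $size  = [uint64][math]::Pow(2, 32 - [int]$prefix)
    $start = [uint64](ConvertTo-UInt32 $net)
    $start = $start - ($start % $size)          # clear host bits: 10.10.1.7/24 means 10.10.1.0/24
    $end   = $start + $size - 1
    [pscustomobject]@{
        Name  = $Name
        Start = $start
        End   = $end
        Range = "$(ConvertFrom-UInt32 $start)-$(ConvertFrom-UInt32 $end)"
    }
}

function Split-Supernet {
    # A supernet cannot be one SCCM 2007 boundary; emit one boundary per subnet of the requested prefix length.
    param([string]$Cidr, [int]$SubnetPrefix, [string]$NamePrefix)
    $super = ConvertTo-Range -Cidr $Cidr -Name $NamePrefix
    $size  = [uint64][math]::Pow(2, 32 - $SubnetPrefix)
    $out   = @()
    for ($s = $super.Start; $s -le $super.End; $s += $size) {
        $id   = ConvertFrom-UInt32 $s
        $out += ConvertTo-Range -Cidr "$id/$SubnetPrefix" -Name "$NamePrefix-$id"
    }
    return $out
}

function Get-OverlappingBoundary {
    # Existing boundaries whose address range intersects the candidate one.
    param($Candidate, $Existing)
    $Existing | Where-Object { $_.Start -le $Candidate.End -and $_.End -ge $Candidate.Start }
}

function Resolve-Boundary {
    # The boundary a client with this address falls into, or $null if it is outside all of them.
    param([string]$Ip, $Boundaries)
    $n = ConvertTo-UInt32 $Ip
    $Boundaries | Where-Object { $_.Start -le $n -and $n -le $_.End } | Select-Object -First 1
}

# --- constructed sample data ---
$site = Split-Supernet -Cidr '10.10.0.0/22' -SubnetPrefix 24 -NamePrefix 'HQ'   # AD site holds a /22 supernet; SCCM needs four /24s
$colo = ConvertTo-Range -Cidr '172.16.50.0/24' -Name 'VPN-Colo1'                  # pool the colo assigns to VPN clients

"Per-subnet boundaries derived from the supernet:"
$site | Format-Table Name, Range -AutoSize | Out-String

"Number of existing boundaries the colo pool overlaps (overlapping site boundaries are unsupported):"
@(Get-OverlappingBoundary -Candidate $colo -Existing $site).Count

"Where sample clients land once the colo pool is a boundary:"
foreach ($ip in '10.10.2.40', '172.16.50.17', '192.0.2.9') {
    $hit = Resolve-Boundary -Ip $ip -Boundaries (@($site) + @($colo))
    if ($hit) { "$ip -> $($hit.Name) ($($hit.Range))" } else { "$ip -> no boundary, so not assigned to this site" }
}
```

The overlap count is the check to run before adding a colo pool: a pool that intersects an existing boundary of another site is the case the answer warns against. The last loop is the poster's worry made concrete: 172.16.50.17 resolves to VPN-Colo1 whoever dialed in, which is why the answer rests on discovery scope and client push permissions rather than on the boundary itself.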

Author Comment

ID: 36598978
Hello Merowinger,
The one thing that might save us in this situation is that the client push installation account will not have permissions on the computers from other countries. Is that enough? I do not want to turn off the Discovery Methods. Thank you, Charisse Benson
LVL 31

Assisted Solution

merowinger earned 2000 total points
ID: 36599018
Which discovery methods are enabled? Can you restrict them, e.g. AD Discovery only for specific OUs?
I think it's not nice that there could be client objects within SCCM even if you're not able to manage them.


Author Comment

ID: 36709531
Hello Merowinger, Active Directory System Group Discovery, Active Directory Security Group Discovery, Active Directory System Discovery, Active Directory User Discovery, Heartbeat Discovery.
The Active Directory discoveries are limited by OU.
Thank you, Charisse Benson
LVL 31

Assisted Solution

merowinger earned 2000 total points
ID: 36709787
The only discovery among them which can create computer objects in SCCM is "Active Directory System Discovery".
If you have limited it to OUs of which only your clients are members, you're good to go.
Also make sure Network Discovery is either not enabled or is configured correctly.
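The OU scoping that settles the thread can be checked offline before trusting it. The following added example is not code from the thread or from Microsoft; it evaluates a list of computer distinguished names against the LDAP containers an Active Directory System Discovery is limited to, with a Recursive flag standing in for the container's "search recursively" option. All container and computer names are constructed samples, and the scope logic (direct children always match, deeper objects only under recursive containers) is the assumption being demonstrated.

```powershell
# Added example, not from the original thread: an offline check of which computer objects
# an Active Directory System Discovery scope would create, given the LDAP containers the
# discovery is limited to. The Recursive flag stands for the container's "search
# recursively" option; all distinguished names below are constructed sample values.

function Test-InDiscoveryScope {
    # Returns the scoped container the computer would be discovered under, or $null.
    param([string]$ComputerDn, $Containers)
    foreach ($c in $Containers) {
        $suffix = ',' + $c.Dn
        if (-not $ComputerDn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        # Part of the DN below the container: "CN=PC01" for a direct child, "CN=PC01,OU=Sub" for deeper.
        $relative = $ComputerDn.Substring(0, $ComputerDn.Length - $suffix.Length)
        $isDirectChild = @($relative -split '(?<!\\),').Count -eq 1
        if ($isDirectChild -or $c.Recursive) { return $c.Dn }
    }
    return $null
}

# --- constructed sample data ---
$scope = @(
    @{ Dn = 'OU=Workstations,OU=EMEA,DC=corp,DC=example,DC=com'; Recursive = $true  }
    @{ Dn = 'OU=Servers,OU=EMEA,DC=corp,DC=example,DC=com';      Recursive = $false }
)
$computers = @(
    'CN=EMEA-LT01,OU=Laptops,OU=Workstations,OU=EMEA,DC=corp,DC=example,DC=com'   # nested under a recursive container
    'CN=EMEA-FS01,OU=Servers,OU=EMEA,DC=corp,DC=example,DC=com'                    # direct child of a non-recursive one
    'CN=EMEA-SQL01,OU=SQL,OU=Servers,OU=EMEA,DC=corp,DC=example,DC=com'            # nested under a non-recursive one
    'CN=US-LT07,OU=Workstations,OU=Americas,DC=corp,DC=example,DC=com'             # another region's OU
)
foreach ($dn in $computers) {
    $hit  = Test-InDiscoveryScope -ComputerDn $dn -Containers $scope
    $name = ($dn -split ',')[0]
    if ($hit) { "$name : discovered via $hit" } else { "$name : outside scope, no SCCM record created" }
}
```

EMEA-LT01 and EMEA-FS01 come out as discovered, EMEA-SQL01 and US-LT07 as outside scope. US-LT07 is the case the poster cares about: a machine from the corporate office's OU that dials into the regional colo gets an address inside a regional boundary, but with discovery scoped this way no record is created for it, so there is nothing for client push or deployments to act on.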

Author Comment

ID: 36709812
Hello Merowinger, Thank you. Network Discovery is not enabled. I think we are good and appreciate your help.
Thank you
