How to configure SCCM Boundaries for VPN connections

Posted on 2011-09-23
Last Modified: 2012-06-21
We are a member of a large AD Domain. Our Corporate office has its own SCCM system which is used for clients in their country. In our region we also have an SCCM 2007 system. We have 3 sites, one Central and two Parent sites. Our AD has been configured with Supernets. I understand that we cannot use Supernets in SCCM. We have configured our boundaries with all of the subnets individually. Our issue is how do we configure the Boundaries for our VPN clients, many who rarely if ever visit the office? We have Colos providing our VPN connections to our Network. Our users use one Colo in most cases. We have identified the IP subnets that they are using. But anyone in the company could connect using this colo and receive an ip address within those subnets. If we add those subnets to our Boundaries, is there a risk that those computers would be added to our SCCM system and receive microsoft updates or application install packages etc from our SCCM system? How should we configure the Boundaries for our users who connect to our network through the VPN?
Thank you. CBenson
Question by:cbensonICS
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 31

Accepted Solution

merowinger earned 500 total points
ID: 36598863
- There are several things that must happen that the SCCM Agent is installed on machines automatically which your not responsible for
1. Make sure that Clients are not discoverd by any SCCM discovery method like AD System Discovery, Network discovery, etc. If the Client has no object in SCCM, there's no risk that it is getting managed by you
2. Make sure the Client Push Installation is not configured or the Client Push Installation Account has no permissons on that machines to install the SCCM Agent

If the above is given, the Clients could be within the same Boundaries like your Clients without being managed by you. Logically they are assigned.

Best would be if the Clients would be in seperate Subnet ranges.
Can you define your Boundaries based on specific ranges like: -

It's always the best to define IP Ranges as AD Sites are normally not detailed enought and using AD Boundaries has known bugs

Author Comment

ID: 36598978
Hello Merowinger,
The one thing that might save us in this situation is that the client push installation account will not have permissions on the computers from other countries. Is that enough? I do not want to turn off the Discovery Methods. Thank you, Charisse Benson
LVL 31

Assisted Solution

merowinger earned 500 total points
ID: 36599018
Which discovery methods are enabled? Can you restrict them e.g. AD Discovery only for specific OU's.
I think it's not nice that there could be Client Objects within SCCM even if your not able to manage them
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now


Author Comment

ID: 36709531
Hello Merowinger, Active Directory System Group Discovery, Active Directory Security Group Discovery, Active Directory System Discovery, Active Directory User Discovery, Heartbeat Discovery.
The Active Directory Discovery are limited by OU.
Thank you, Charisse Benson
LVL 31

Assisted Solution

merowinger earned 500 total points
ID: 36709787
The only Discovery from them which can create Computer Objects in SCCM is "Active Directory System Discovery".
If you have limited to OU's where only your clients are member of, your good to go.
Also make sure Network Discovery is not enabled or configured correctly

Author Comment

ID: 36709812
Hello Merowinger, Thank you. Network Discovery is not enabled. I think we are good and appreciate your help.
Thank you

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question