How to configure SCCM Boundaries for VPN connections

We are a member of a large AD Domain. Our Corporate office has its own SCCM system which is used for clients in their country. In our region we also have an SCCM 2007 system. We have 3 sites, one Central and two Parent sites. Our AD has been configured with Supernets. I understand that we cannot use Supernets in SCCM. We have configured our boundaries with all of the subnets individually. Our issue is how do we configure the Boundaries for our VPN clients, many who rarely if ever visit the office? We have Colos providing our VPN connections to our Network. Our users use one Colo in most cases. We have identified the IP subnets that they are using. But anyone in the company could connect using this colo and receive an ip address within those subnets. If we add those subnets to our Boundaries, is there a risk that those computers would be added to our SCCM system and receive microsoft updates or application install packages etc from our SCCM system? How should we configure the Boundaries for our users who connect to our network through the VPN?
Thank you. CBenson
Who is Participating?
merowingerConnect With a Mentor Commented:
- There are several things that must happen that the SCCM Agent is installed on machines automatically which your not responsible for
1. Make sure that Clients are not discoverd by any SCCM discovery method like AD System Discovery, Network discovery, etc. If the Client has no object in SCCM, there's no risk that it is getting managed by you
2. Make sure the Client Push Installation is not configured or the Client Push Installation Account has no permissons on that machines to install the SCCM Agent

If the above is given, the Clients could be within the same Boundaries like your Clients without being managed by you. Logically they are assigned.

Best would be if the Clients would be in seperate Subnet ranges.
Can you define your Boundaries based on specific ranges like: -

It's always the best to define IP Ranges as AD Sites are normally not detailed enought and using AD Boundaries has known bugs
cbensonICSAuthor Commented:
Hello Merowinger,
The one thing that might save us in this situation is that the client push installation account will not have permissions on the computers from other countries. Is that enough? I do not want to turn off the Discovery Methods. Thank you, Charisse Benson
merowingerConnect With a Mentor Commented:
Which discovery methods are enabled? Can you restrict them e.g. AD Discovery only for specific OU's.
I think it's not nice that there could be Client Objects within SCCM even if your not able to manage them
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

cbensonICSAuthor Commented:
Hello Merowinger, Active Directory System Group Discovery, Active Directory Security Group Discovery, Active Directory System Discovery, Active Directory User Discovery, Heartbeat Discovery.
The Active Directory Discovery are limited by OU.
Thank you, Charisse Benson
merowingerConnect With a Mentor Commented:
The only Discovery from them which can create Computer Objects in SCCM is "Active Directory System Discovery".
If you have limited to OU's where only your clients are member of, your good to go.
Also make sure Network Discovery is not enabled or configured correctly
cbensonICSAuthor Commented:
Hello Merowinger, Thank you. Network Discovery is not enabled. I think we are good and appreciate your help.
Thank you
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.