Solved

How to configure SCCM Boundaries for VPN connections

Posted on 2011-09-23
6
2,493 Views
Last Modified: 2012-06-21
Hello,
We are a member of a large AD Domain. Our Corporate office has its own SCCM system which is used for clients in their country. In our region we also have an SCCM 2007 system. We have 3 sites, one Central and two Parent sites. Our AD has been configured with Supernets. I understand that we cannot use Supernets in SCCM. We have configured our boundaries with all of the subnets individually. Our issue is how do we configure the Boundaries for our VPN clients, many who rarely if ever visit the office? We have Colos providing our VPN connections to our Network. Our users use one Colo in most cases. We have identified the IP subnets that they are using. But anyone in the company could connect using this colo and receive an ip address within those subnets. If we add those subnets to our Boundaries, is there a risk that those computers would be added to our SCCM system and receive microsoft updates or application install packages etc from our SCCM system? How should we configure the Boundaries for our users who connect to our network through the VPN?
Thank you. CBenson
0
Comment
Question by:cbensonICS
  • 3
  • 3
6 Comments
 
LVL 31

Accepted Solution

by:
merowinger earned 500 total points
ID: 36598863
- There are several things that must happen that the SCCM Agent is installed on machines automatically which your not responsible for
1. Make sure that Clients are not discoverd by any SCCM discovery method like AD System Discovery, Network discovery, etc. If the Client has no object in SCCM, there's no risk that it is getting managed by you
2. Make sure the Client Push Installation is not configured or the Client Push Installation Account has no permissons on that machines to install the SCCM Agent

If the above is given, the Clients could be within the same Boundaries like your Clients without being managed by you. Logically they are assigned.

Best would be if the Clients would be in seperate Subnet ranges.
Can you define your Boundaries based on specific ranges like:
192.168.0.1 - 192.168.0.50?

It's always the best to define IP Ranges as AD Sites are normally not detailed enought and using AD Boundaries has known bugs
0
 

Author Comment

by:cbensonICS
ID: 36598978
Hello Merowinger,
The one thing that might save us in this situation is that the client push installation account will not have permissions on the computers from other countries. Is that enough? I do not want to turn off the Discovery Methods. Thank you, Charisse Benson
0
 
LVL 31

Assisted Solution

by:merowinger
merowinger earned 500 total points
ID: 36599018
Which discovery methods are enabled? Can you restrict them e.g. AD Discovery only for specific OU's.
I think it's not nice that there could be Client Objects within SCCM even if your not able to manage them
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 

Author Comment

by:cbensonICS
ID: 36709531
Hello Merowinger, Active Directory System Group Discovery, Active Directory Security Group Discovery, Active Directory System Discovery, Active Directory User Discovery, Heartbeat Discovery.
The Active Directory Discovery are limited by OU.
Thank you, Charisse Benson
0
 
LVL 31

Assisted Solution

by:merowinger
merowinger earned 500 total points
ID: 36709787
The only Discovery from them which can create Computer Objects in SCCM is "Active Directory System Discovery".
If you have limited to OU's where only your clients are member of, your good to go.
Also make sure Network Discovery is not enabled or configured correctly
0
 

Author Comment

by:cbensonICS
ID: 36709812
Hello Merowinger, Thank you. Network Discovery is not enabled. I think we are good and appreciate your help.
Thank you
CBenson
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question