Solved

How to configure SCCM Boundaries for VPN connections

Posted on 2011-09-23
Last Modified: 2012-06-21
Hello,
We are a member of a large AD Domain. Our Corporate office has its own SCCM system which is used for clients in their country. In our region we also have an SCCM 2007 system. We have 3 sites, one Central and two Parent sites. Our AD has been configured with Supernets. I understand that we cannot use Supernets in SCCM. We have configured our boundaries with all of the subnets individually. Our issue is how do we configure the Boundaries for our VPN clients, many of whom rarely if ever visit the office? We have Colos providing our VPN connections to our Network. Our users use one Colo in most cases. We have identified the IP subnets that they are using. But anyone in the company could connect using this colo and receive an IP address within those subnets. If we add those subnets to our Boundaries, is there a risk that those computers would be added to our SCCM system and receive Microsoft updates or application install packages etc. from our SCCM system? How should we configure the Boundaries for our users who connect to our network through the VPN?
Thank you. CBenson
Question by:cbensonICS

Accepted Solution

by:
merowinger earned 500 total points
ID: 36598863
- There are several things that must happen for the SCCM Agent to be installed automatically on machines which you're not responsible for
1. Make sure that Clients are not discovered by any SCCM discovery method like AD System Discovery, Network Discovery, etc. If the Client has no object in SCCM, there's no risk that it is getting managed by you.
2. Make sure the Client Push Installation is not configured or the Client Push Installation Account has no permissions on those machines to install the SCCM Agent.

If the above is given, the Clients could be within the same Boundaries as your Clients without being managed by you. Logically they are assigned.

Best would be if the Clients would be in separate Subnet ranges.
Can you define your Boundaries based on specific ranges like:
192.168.0.1 - 192.168.0.50?

It's always best to define IP Ranges, as AD Sites are normally not detailed enough and using AD Boundaries has known bugs.
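
The IP-range suggestion in the accepted answer can be checked before the VPN subnets are added as boundaries. The PowerShell below is an added example, not part of the thread; the boundary names, ranges and VPN pools are constructed sample values and the function names are hypothetical. It reports which address spans of a shared VPN pool fall inside an IP range boundary.

```powershell
# Constructed sample data: replace with your own IP range boundaries and colo VPN pools.
$Boundaries = @(
    @{ Name = 'Office LAN (constructed)'; First = '192.168.0.1'; Last = '192.168.0.50' },
    @{ Name = 'VPN users (constructed)';  First = '10.20.30.1';  Last = '10.20.30.254' }
)
$VpnPools = @('10.20.30.0/24', '10.20.40.0/24')

# Dotted-quad IPv4 address -> 64-bit integer (signed long avoids mixed-sign arithmetic).
function ConvertTo-IPNumber ([string]$Ip) {
    $n = [long]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) {
        $n = $n * 256 + $octet
    }
    $n
}

# 64-bit integer -> dotted-quad IPv4 address.
function ConvertFrom-IPNumber ([long]$N) {
    (24, 16, 8, 0 | ForEach-Object { ($N -shr $_) -band 255 }) -join '.'
}

# CIDR block -> first and last address as integers (host bits are cleared).
function Get-CidrRange ([string]$Cidr) {
    $addr, $prefix = $Cidr -split '/'
    $size  = [long][math]::Pow(2, 32 - [int]$prefix)
    $base  = ConvertTo-IPNumber $addr
    $first = $base - ($base % $size)
    @{ First = $first; Last = $first + $size - 1 }
}

# Emit one row per (VPN pool, boundary) pair that shares at least one address.
function Find-BoundaryOverlap ($Boundaries, $VpnPools) {
    foreach ($pool in $VpnPools) {
        $p = Get-CidrRange $pool
        foreach ($b in $Boundaries) {
            $lo = [math]::Max((ConvertTo-IPNumber $b.First), $p.First)
            $hi = [math]::Min((ConvertTo-IPNumber $b.Last),  $p.Last)
            if ($lo -le $hi) {
                [pscustomobject]@{
                    VpnPool = $pool; Boundary = $b.Name
                    From = ConvertFrom-IPNumber $lo; To = ConvertFrom-IPNumber $hi
                    Addresses = $hi - $lo + 1
                }
            }
        }
    }
}

Find-BoundaryOverlap $Boundaries $VpnPools | Format-Table -AutoSize
```

Any span it lists is address space that a machine from another region can occupy while connected through the colo, so those are the boundaries where the discovery scope and client push permissions discussed in this thread matter.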

Author Comment

by:cbensonICS
ID: 36598978
Hello Merowinger,
The one thing that might save us in this situation is that the client push installation account will not have permissions on the computers from other countries. Is that enough? I do not want to turn off the Discovery Methods. Thank you, Charisse Benson

Assisted Solution

by:merowinger
merowinger earned 500 total points
ID: 36599018
Which discovery methods are enabled? Can you restrict them, e.g. AD Discovery only for specific OUs?
I think it's not nice that there could be Client Objects within SCCM even if you're not able to manage them.

Author Comment

by:cbensonICS
ID: 36709531
Hello Merowinger, Active Directory System Group Discovery, Active Directory Security Group Discovery, Active Directory System Discovery, Active Directory User Discovery, Heartbeat Discovery.
The Active Directory Discovery methods are limited by OU.
Thank you, Charisse Benson

Assisted Solution

by:merowinger
merowinger earned 500 total points
ID: 36709787
The only Discovery from them which can create Computer Objects in SCCM is "Active Directory System Discovery".
If you have limited it to OUs where only your clients are members, you're good to go.
Also make sure Network Discovery is not enabled or configured correctly.

Author Comment

by:cbensonICS
ID: 36709812
Hello Merowinger, Thank you. Network Discovery is not enabled. I think we are good and appreciate your help.
Thank you
CBenson