As a consequence of the current health situation worldwide many people are working from home. Some of these use modern online services or dial into the company network using a VPN. At many companies the VPN infrastructure is not designed for such a large volume of users. Infrastructure is put under further stress if companies wish to provide software or patches that also need to be transferred via VPN.
The Microsoft Configuration Manager (MEM, formerly Microsoft Endpoint Configuration Manager, MECM, and System Center Configuration Manager, SCCM) offers various methods of using a smart configuration to save bandwidth and increase user productivity. .
The classic way to limit bandwidth is via the configuration of boundary groups. Boundary groups are used to define which distribution points are responsible for which systems. These are configured for IP subnetworks or active directory sites, for example.
If a boundary group is created for the VPN area and subsequently linked to an existing area, when providing applications or software updates it is possible to precisely define whether the content can be drawn from just one local distribution point or also from an neighbor distribution point. This makes it possible to configure, for example, that software updates can be downloaded via the VPN but larger applications only via the LAN.
This also illustrates the major weakness of this method: The individual provisions need to be configured precisely to the requirements.
If a specific user is to receive a larger application, although he is dialed in via VPN, a second provision needs to be created for him enabling the download. However, this can only be assigned to this user. This considerably increases the complexity within the SCCM environment, especially if a helpdesk is to undertake this assignment.
A further method for reducing network traffic is the option of VPN clients downloading the software updates from Microsoft Update rather than via the VPN connection. This also requires establishing a boundary group for the VPN area. For the provision of software updates, it is now possible to choose that the client should download the updates from Microsoft if they are not available at his allocated distribution point.
Internet-based client management takes a different approach. This requires the provision of at least one MEM server within a demilitarized zone (DMZ, between two firewalls). MEM clients can connect via the internet to the DMZ system. They receive their policies, applications and software updates without using a VPN connection or one even needing to be present. A number of requirements need to be met to ensure that internet-based client management functions properly:
To enable this method to reduce network traffic on the VPN, the VPN client may not send the entire internet traffic through the VPN. In addition, there is also no improvement if the VPN traffic and the internet traffic of the DMZ systems enter via the same interface.
The Cloud Management Gateway is the most modern variant of managing MEM clients via the internet. It functions in a similar way to internet-based client management, but with the major difference that the infrastructure does not need to be manually established in the DMZ but is instead created automatically in Azure. Clients download guidelines and content from the Cloud Management Gateway or the integrated Cloud Distribution Point.
To enable MEM clients to communicate with the Cloud Management Gateway they must either have a certificate or be part of the Azure Active Directory via “hybrid/pure-cloud join”.
The Cloud Management Gateway has a further major advantage. Those using Microsoft Intune or planning to do so in the future can use the Cloud Management Gateway to operate their MEM clients in co-management. Clients are managed by both MEM and Intune in this case.
A comparison between MEM and Intune can be found here.
Here too, the rule is: If the VPN client makes the complete network traffic pass through the VPN tunnel, no bandwidth whatsoever is saved.
The Microsoft Configuration Manager offers numerous options for reducing the network load on the VPN route. Most methods require the VPN client to allow “split tunneling”. This involves the VPN client only passing traffic over the VPN that is destined for the company network. The remainder of the traffic is not sent through the tunnel. If the VPN client is unable or not allowed to be operated in split tunneling mode, it is at least possible to limit what content can be transferred.
However, this setting only makes sense if the VPN client does not pass the entire internet traffic through the VPN tunnel. Other content, such as applications, can still be loaded via the VPN connection.
Our Adoption Change Management team can help your remote workers learn to love new technology.
Our Adoption Change Management team can help your remote workers learn to love new technology.
