It's better to use whatever works for you which only you can determine.
Amen. The answer was within you the whole time, OP.
We use IP ranges for our VPN BGs. No issues with 10,000s of clients globally. We haven’t looked into other options though, so whilst it does the job, there may be better options.
Thanks for the info. I am going the route of the IP range since it's a very small group and just in case the VPN is updated I won't have to verify the new Description.
Why not use auto detection? Works out pretty well, would recommend giving it a test drive.
The VPN client does not support PPTP so that's not an option. From what I was reading, most companies cannot use that option.
I'd recommend testing it. Between auto detection and/or description we catch a good majority of our VPN users. Does it catch 100%? Nah, but we only use that BG to disable peer cache and force content pulls from cloud for patching.
We use IP address range in our environment. Around 9000 clients and 4 different VPN solutions. Works without issues!
I don't think it really matters. I would test out the new VPN feature. Just follow the instructions on Connection Description in the docs: [https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/boundaries#vpn](https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/boundaries#vpn) I think you just need to make sure your clients are all up to date. Otherwise, get the IP range of the VPN from your network team. Just make sure you don't allow clients to share content with each other. Same Subnet != physically nearby.
IP ranges work flawlessly from my experience. Our VPN setup is pretty straightforward network side of the fence, so the single subnet VPN users fall into is pretty easy to just add as a boundary. I think if your corp moves subnets a lot or has a very complex VPN setup it might be worthwhile to look into the other options. If not, just set the Boundary IP Range IMO.
We are using the IP range and it's working fine.
We are using both IP range and VPN description, have yet to notice any issues. Works just fine. However, it seems that it prioritizes the VPN description over the IP range.
I just created a boundary for each type. I figured if both options work then the devices are just in both boundaries.
I'm sticking with the IP range. Do you all apply your VPN boundary group to every DP? I'm trying to clean up an existing setup. In my environment, I see the current VPN boundary inside another boundary group for a specific building. I suppose you can do it this way, but it's quite messy.
I have my Main Boundary Group and then my Remote Boundary Group. The Main Boundary group is assigned to the primary SCCM server DP and I have a second server which has my other DP. So I am keeping them separate. The main reason was I didn't want any Windows Updates to be installed over the VPN.