However, this setting only makes sense if the VPN client does not route all internet traffic through the VPN tunnel. Other content, such as applications, can still be loaded via the VPN connection.
3. Internet-based client management via the Microsoft Endpoint Configuration Manager
Internet-based client management takes a different approach. It requires at least one MECM server to be provided within a demilitarized zone (DMZ, between two firewalls). MECM clients connect to the DMZ system over the internet and receive their policies, applications and software updates without a VPN connection being used, or even being present. A number of requirements need to be met for internet-based client management to function properly:
- At least one MECM site server needs to be provided in the DMZ.
- A public DNS name must be provided for each MECM site server in the DMZ.
- A certificate for the public DNS names must be provided for each MECM site server in the DMZ.
- MECM clients that are to connect via the internet need to be operated in PKI mode. This means that each client requires a certificate.
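The second and third requirements above fit together: the certificate on each DMZ site server has to cover the public DNS name that clients will use, not just an internal name. The following is an added example, not code from the article or from Microsoft, that performs that name check over the DNS entries of a certificate's Subject Alternative Name extension. The SAN lists and hostnames in it are constructed; the matching rules (case-insensitive, wildcard only as the entire leftmost label and matching exactly one label) follow common TLS client behaviour.

```python
"""Added example (not from the original article): verify that the DNS names in a
server certificate's SAN extension cover the public name of a DMZ site server.
All SAN lists and hostnames below are constructed test data."""


def name_covered(san_dns_names, hostname):
    """Return True if `hostname` is matched by at least one SAN dNSName entry.

    Rules applied (the usual TLS client behaviour):
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard is honoured only as the whole leftmost label ("*.example.com")
      - a wildcard matches exactly one label, so "*.example.com" does not
        cover "a.b.example.com", and it needs at least two labels after it
    """
    host = hostname.rstrip(".").lower().split(".")
    for san in san_dns_names:
        pat = san.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue
        if pat == host:
            return True
        if pat[0] == "*" and len(pat) >= 3 and pat[1:] == host[1:]:
            return True
    return False


def check_site_server(public_name, san_dns_names):
    """Human-readable verdict for one DMZ site server (constructed data)."""
    ok = name_covered(san_dns_names, public_name)
    return f"{public_name}: {'covered' if ok else 'NOT covered'} by SAN {san_dns_names}"


if __name__ == "__main__":
    # Constructed: a certificate issued only for the internal name, a classic
    # mistake when a DMZ server is reached via a public name from the internet.
    print(check_site_server("mecm-mp.example.com", ["mecm-mp.internal.corp"]))
    print(check_site_server("mecm-mp.example.com", ["mecm-mp.example.com"]))
    print(check_site_server("mecm-mp.example.com", ["*.example.com"]))
```

The function only looks at the names in the certificate; validity period, chain and key usage still have to be checked separately by the client.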
For this method to reduce network traffic on the VPN, the VPN client must not send all internet traffic through the tunnel. There is also no improvement if the VPN traffic and the internet traffic to the DMZ systems enter via the same interface, because the load is then only shifted, not reduced.
4. Cloud Management Gateway
The Cloud Management Gateway is the most modern variant of managing MECM clients via the internet. It functions in a similar way to internet-based client management, but with the major difference that the infrastructure does not need to be manually established in the DMZ but is instead created automatically in Azure. Clients download guidelines and content from the Cloud Management Gateway or the integrated Cloud Distribution Point.
For MECM clients to communicate with the Cloud Management Gateway, they must either have a certificate or be joined to Azure Active Directory (“hybrid/pure-cloud join”).
The Cloud Management Gateway has a further major advantage. Those using Microsoft Intune or planning to do so in the future can use the Cloud Management Gateway to operate their MECM clients in co-management. Clients are managed by both MECM and Intune in this case.
A comparison between MECM and Intune can be found here.
Here too, the rule is: if the VPN client passes all network traffic through the VPN tunnel, no bandwidth whatsoever is saved.
5. Cloud Distribution Point
For the sake of completeness, the Cloud Distribution Point should also be mentioned here. This is automatically part of the Cloud Management Gateway. In addition, it can also be used in combination with internet-based client management. MECM clients communicate with the Management Point and the Software Update Point via the VPN connection and download applications, software updates or similar from the Cloud Distribution Point.
6. Conclusion regarding the Microsoft Endpoint Configuration Manager
The Microsoft Endpoint Configuration Manager offers numerous options for reducing the network load on the VPN route. Most methods require the VPN client to allow “split tunneling”, where the VPN client only passes traffic destined for the company network over the VPN and the remainder of the traffic is not sent through the tunnel. If the VPN client cannot, or is not permitted to, operate in split tunneling mode, it is at least possible to limit which content is transferred.
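Whether bandwidth is actually saved comes down to the client's routing table: which interface carries the packets to the management point, the Cloud Management Gateway and the Cloud Distribution Point. The following is an added example, not code from the article or from Microsoft, that evaluates a routing table the way a host's IP stack does (longest prefix match, metric as tie-breaker) and reports, for the split tunnel and full tunnel cases from sections 3 to 6 above, where each kind of MECM traffic would go. The route entries, interface names and endpoint addresses are constructed; the "VPN" interface name and the two /1 routes used to model a full tunnel are assumptions about how a particular client might install its routes.

```python
"""Added example (not from the original article): decide from a routing table
whether MECM policy and content traffic would traverse the VPN tunnel.
Routes, interface names and addresses are constructed test data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix, e.g. "10.0.0.0/8"
    interface: str   # adapter that carries the route, e.g. "VPN" or "Wi-Fi"
    metric: int      # lower wins among routes with the same prefix length


def select_route(routes, destination):
    """Longest-prefix match with the metric as tie-breaker (what a host does)."""
    dst = ipaddress.ip_address(destination)
    best = None  # (prefix length, Route)
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if dst not in net:
            continue
        if best is None or (net.prefixlen, -r.metric) > (best[0], -best[1].metric):
            best = (net.prefixlen, r)
    return None if best is None else best[1]


# Constructed endpoints: the management point is on the corporate LAN, the
# Cloud Management Gateway and Cloud Distribution Point are reachable only
# via the internet. "kind" says whether the endpoint serves policy or content.
ENDPOINTS = {
    "management_point": ("10.1.2.3", "policy"),
    "cloud_management_gateway": ("203.0.113.10", "policy"),
    "cloud_distribution_point": ("203.0.113.20", "content"),
}


def mecm_paths(routes):
    """Map each MECM endpoint to the interface its packets would leave on."""
    paths = {}
    for name, (ip, _kind) in ENDPOINTS.items():
        r = select_route(routes, ip)
        paths[name] = r.interface if r else "unreachable"
    return paths


def content_bypasses_vpn(routes, vpn_if="VPN"):
    """True only if every content download stays off the tunnel, which is the
    condition the article gives for actually saving VPN bandwidth."""
    paths = mecm_paths(routes)
    return all(paths[n] != vpn_if
               for n, (_ip, kind) in ENDPOINTS.items() if kind == "content")


# Split tunnel: only the corporate prefix is routed through the VPN adapter.
SPLIT_TUNNEL = [
    Route("0.0.0.0/0", "Wi-Fi", 25),
    Route("192.168.1.0/24", "Wi-Fi", 25),
    Route("10.0.0.0/8", "VPN", 5),
]
# Full tunnel, modelled (assumption) as two /1 routes that outrank the original
# default route without removing it; every destination now prefers the VPN.
FULL_TUNNEL = SPLIT_TUNNEL + [
    Route("0.0.0.0/1", "VPN", 5),
    Route("128.0.0.0/1", "VPN", 5),
]

if __name__ == "__main__":
    for label, table in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        print(label, mecm_paths(table),
              "content bypasses VPN:", content_bypasses_vpn(table))
```

In the split tunnel table the management point is reached through the VPN while the cloud endpoints leave via the local adapter, which is the situation sections 4 and 5 describe; in the full tunnel table every endpoint lands on the VPN interface and `content_bypasses_vpn` is False, matching the conclusion that no bandwidth is saved.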