VPN Under Full Load? How to Reduce Network Traffic with Microsoft's Endpoint Configuration Manager

  • 08 July 2020

Is Your VPN Under Full Load?

As a consequence of the current health situation worldwide many people are working from home. Some of these use modern online services or dial into the company network using a VPN. At many companies the VPN infrastructure is not designed for such a large volume of users. Infrastructure is put under further stress if companies wish to provide software or patches that also need to be transferred via VPN. 

The Microsoft Endpoint Configuration Manager (MECM, formerly System Center Configuration Manager, SCCM) offers various methods of using a smart configuration to save bandwidth and increase user productivity. 


1. Boundary Groups

The classic way to limit bandwidth is through the configuration of boundary groups. Boundary groups define which distribution points are responsible for which systems. They are configured for IP subnets or Active Directory sites, for example.

Screenshot 1: Creating Boundary Groups (source: SoftwareONE)

If a boundary group is created for the VPN area and then linked to an existing boundary group, each application or software update deployment can define precisely whether the content may be drawn only from the local distribution point or also from a neighboring distribution point. This makes it possible to configure, for example, that software updates may be downloaded via the VPN but larger applications only via the LAN.

This also illustrates the major weakness of this method: each individual deployment needs to be configured precisely to these requirements.

If a specific user is to receive a larger application even though he is dialed in via VPN, a second deployment that permits the download needs to be created for him. However, this deployment can only be assigned to this user. This considerably increases the complexity of the SCCM environment, especially if a helpdesk is to carry out such assignments.

Screenshot 2: Planning deployment in Boundary Groups (source: SoftwareONE)

2. Download content from Microsoft Update

A further method for reducing network traffic is to let VPN clients download software updates from Microsoft Update rather than over the VPN connection. This also requires a boundary group for the VPN area. The software update deployment can then be configured so that the client downloads the updates from Microsoft Update if they are not available on its assigned distribution point.

Screenshot 3: Benefits of Microsoft Update (source: SoftwareONE)

However, this setting only makes sense if the VPN client does not pass the entire internet traffic through the VPN tunnel. Other content, such as applications, can still be loaded via the VPN connection. 
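The two configurations described in sections 1 and 2, as an added example using the ConfigurationManager PowerShell module that ships with the MECM console (this is not the article's own code; the site code PS1, the address range, the server, collection and update group names are placeholders, and the parameter names are the documented ones for the module and should be checked against the console version in use):

```powershell
# Added example (not from the article): create a boundary group for the VPN address pool,
# relate it to the existing LAN boundary group, and deploy a software update group so that
# a VPN client without content on its own DP goes to Microsoft Update instead of the tunnel.
# Site code 'PS1', the IP range, server, collection and update group names are placeholders.

# Load the module from the console installation and switch to the site drive
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# 1. Boundary covering the address pool the VPN concentrator hands out (placeholder range)
New-CMBoundary -Name 'VPN address pool' -Type IPRange -Value '10.200.0.1-10.200.255.254'

# 2. Boundary group for the VPN area, served by the DP that is reachable through the tunnel
New-CMBoundaryGroup -Name 'BG-VPN' -DefaultSiteCode 'PS1'
Add-CMBoundaryToGroup -BoundaryName 'VPN address pool' -BoundaryGroupName 'BG-VPN'
Set-CMBoundaryGroup -Name 'BG-VPN' -AddSiteSystemServerName 'dp-vpn01.corp.example'

# 3. Relationship to the existing LAN group: its DPs become "neighbor" DPs that VPN clients
#    may only use after 120 minutes without content from a DP in their own group. Whether a
#    deployment is allowed to use neighbor DPs at all is decided per deployment (section 1).
New-CMBoundaryGroupRelationship -SourceGroupName 'BG-VPN' -DestinationGroupName 'BG-HQ-LAN' -FallbackDPMinutes 120

# 4. Software update deployment (section 2): when no DP in the current boundary group has the
#    content, do not pull it over the tunnel from the site default group; allow Microsoft Update.
$deployment = @{
    SoftwareUpdateGroupName     = '2020-07 Workstation Updates'
    CollectionName              = 'All Workstations'
    DeploymentName              = '2020-07 Workstation Updates - VPN aware'
    DeploymentType              = 'Required'
    ProtectedType               = 'RemoteDistributionPoint'  # slow/unreliable boundary: still use a remote DP
    UnprotectedType             = 'NoInstall'                # no DP in the default site boundary group: do not install
    DownloadFromMicrosoftUpdate = $true                      # ...but allow the client to fetch from Microsoft Update
}
New-CMSoftwareUpdateDeployment @deployment
```

The deployment options in step 4 only take effect for clients that resolve to BG-VPN; clients on the LAN keep downloading from their local distribution point, which is what makes the boundary group the precondition for both techniques.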


3. Internet-based client management via the Microsoft Endpoint Configuration Manager

Internet-based client management takes a different approach. This requires the provision of at least one MECM server within a demilitarized zone (DMZ, between two firewalls). MECM clients can connect via the internet to the DMZ system. They receive their policies, applications and software updates without using a VPN connection or one even needing to be present. A number of requirements need to be met to ensure that internet-based client management functions properly:

  • At least one MECM site server needs to be provided in the DMZ.
  • One public name must be provided in the DNS for each MECM site server in the DMZ.
  • A certificate for the public DNS name must be provided for each MECM site server in the DMZ.
  • MECM clients that are to connect via the internet need to be operated in PKI mode. This means that each client requires a certificate.

For this method to reduce network traffic on the VPN, the VPN client must not send the entire internet traffic through the VPN. In addition, there is no improvement if the VPN traffic and the internet traffic of the DMZ systems enter the company network via the same interface.
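A check of the public-facing prerequisites listed above (public DNS name, reachability of HTTPS through the outer firewall, and a certificate that matches the name and chains to a trusted root), as an added example that is not part of the article; the hostname is a placeholder, and the name match deliberately does not handle wildcard certificates:

```powershell
# Added example (not from the article): verify the internet-facing prerequisites of a
# DMZ site system from a machine outside the company network. The hostname is a placeholder.
function Test-InternetSiteSystem {
    param(
        [Parameter(Mandatory)][string]$PublicName,
        [int]$Port = 443
    )
    $result = [ordered]@{
        Name = $PublicName; Resolves = $false; PortOpen = $false
        CertSubject = $null; CertExpires = $null; NameMatches = $false; ChainValid = $false
    }

    # 1. Public DNS name (second requirement in the list above)
    try {
        $ips = (Resolve-DnsName -Name $PublicName -Type A -ErrorAction Stop).IPAddress
        $result.Resolves = @($ips).Count -gt 0
    } catch { return [pscustomobject]$result }

    # 2. TCP reachability of the HTTPS port through the outer firewall
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($PublicName, $Port)
        $result.PortOpen = $true
    } catch { return [pscustomobject]$result }

    # 3. TLS handshake; accept any certificate here so we can inspect it, then judge it ourselves
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($PublicName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject = $cert.Subject
        $result.CertExpires = $cert.NotAfter

        # Third requirement: the certificate must carry the public name (SAN list; no wildcard handling)
        $result.NameMatches = @($cert.DnsNameList.Unicode) -contains $PublicName

        # ...and chain to a root the client trusts (revocation checked online where possible)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.ChainValid = $chain.Build($cert)
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
    [pscustomobject]$result
}

# Usage (placeholder name):
Test-InternetSiteSystem -PublicName 'mecm-ibcm.example.com' | Format-List
```

Run it from a host that is not connected to the VPN; if NameMatches or ChainValid is false, internet clients will refuse the connection even though the site system is otherwise reachable.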


4. Cloud Management Gateway

The Cloud Management Gateway is the most modern variant of managing MECM clients via the internet. It functions in a similar way to internet-based client management, with the major difference that the infrastructure does not need to be built manually in the DMZ but is instead created automatically in Azure. Clients download policies and content from the Cloud Management Gateway or the integrated Cloud Distribution Point.

To enable MECM clients to communicate with the Cloud Management Gateway they must either have a certificate or be part of the Azure Active Directory via “hybrid/pure-cloud join”.

The Cloud Management Gateway has a further major advantage. Those using Microsoft Intune or planning to do so in the future can use the Cloud Management Gateway to operate their MECM clients in co-management. Clients are managed by both MECM and Intune in this case. 

A comparison between MECM and Intune can be found here.

Here too, the rule is: If the VPN client makes the complete network traffic pass through the VPN tunnel, no bandwidth whatsoever is saved.


5. Cloud Distribution Point

For the sake of completeness, the Cloud Distribution Point should also be mentioned here. This is automatically part of the Cloud Management Gateway. In addition, it can also be used in combination with internet-based client management. MECM clients communicate with the Management Point and the Software Update Point via the VPN connection and download applications, software updates or similar from the Cloud Distribution Point.


6. Conclusion regarding the Microsoft Endpoint Configuration Manager

The Microsoft Endpoint Configuration Manager offers numerous options for reducing the network load on the VPN route. Most methods require the VPN client to allow “split tunneling”. This involves the VPN client only passing traffic over the VPN that is destined for the company network. The remainder of the traffic is not sent through the tunnel. If the VPN client is unable or not allowed to be operated in split tunneling mode, it is at least possible to limit what content can be transferred.
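The split-tunneling condition that every section above depends on can be checked on a managed Windows client; the following is an added example, not code from the article. It determines whether the lowest-metric default route leaves through a VPN adapter (full tunnel) or through the physical NIC (split tunnel) and reports which boundary groups the ConfigMgr client last resolved to. The adapter name pattern is an assumption and must be adjusted to the VPN product in use.

```powershell
# Added example (not from the article): detect full vs. split tunneling on a Windows client
# and show the ConfigMgr client's current boundary group assignment and internet state.
function Get-TunnelMode {
    param(
        # Assumption: VPN adapters can be recognised by name/description; adjust per VPN product
        [string]$VpnAdapterPattern = 'VPN|WAN Miniport|AnyConnect|GlobalProtect|Pulse'
    )

    # Windows picks the default route with the lowest route metric + interface metric
    $defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $if = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
            [pscustomobject]@{
                InterfaceIndex = $_.InterfaceIndex
                InterfaceAlias = $_.InterfaceAlias
                NextHop        = $_.NextHop
                Effective      = $_.RouteMetric + $if.InterfaceMetric
            }
        } | Sort-Object Effective

    if (-not $defaults) { return 'NoDefaultRoute' }
    $best    = @($defaults)[0]
    $adapter = Get-NetAdapter -InterfaceIndex $best.InterfaceIndex -ErrorAction SilentlyContinue
    $label   = "$($adapter.Name) $($adapter.InterfaceDescription)"

    # Default route through the VPN adapter means all internet traffic goes through the tunnel
    if ($label -match $VpnAdapterPattern) { 'FullTunnel' } else { 'SplitTunnel' }
}

function Get-CcmLocationState {
    # Boundary group IDs the client resolved at its last location request
    $cache = Get-CimInstance -Namespace 'root\ccm\LocationServices' -ClassName 'BoundaryGroupCache' -ErrorAction SilentlyContinue
    # Whether the client currently considers itself on the internet (CMG / IBCM path)
    $info  = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BoundaryGroupIDs = if ($cache) { ($cache.BoundaryGroupIDs -join ',') } else { '(not cached)' }
        InInternet       = if ($info)  { $info.InInternet } else { $null }
    }
}

$location = Get-CcmLocationState
[pscustomobject]@{
    TunnelMode       = Get-TunnelMode
    BoundaryGroupIDs = $location.BoundaryGroupIDs
    InInternet       = $location.InInternet
} | Format-List
```

A client that reports FullTunnel together with a VPN boundary group will download every update and application over the VPN no matter which of the methods above has been configured, which is the point the article makes in each section.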

Your journey to digital transformation

Network traffic in VPN routes is one aspect of the digital transformation. This should already be considered in the planning stage of workplace modernization. If you have any questions regarding productivity solutions such as Office 365 and Teams, please contact our modern workplace experts or find out about our UCSimple and 365Simple services.

  • User Productivity, Future Workplace, Digital Transformation
  • VPN, SCCM, Unified Endpoint Management, UCSimple, 365Simple
