Use Existing SCCM Config to Help to Reduce VPN Bandwidth | ConfigMgr

SCCM Config to Help to reduce VPN Bandwidth

Let’s look at how to use existing SCCM configuration to support remote work scenarios. This post covers the options for improving the end-user experience in work-from-home scenarios.

I hope this post helps you learn and use existing SCCM configuration to reduce VPN bandwidth usage.

Related posts: BITS Throttling Options for SCCM Distribution Point and SCCM Clients; SCCM IBCM vs CMG Differences: A Real-World Comparison

Updated on April 4th, 2020 – You can refer to the posts from Rob York: 1. “Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager” 2. “Managing Patch Tuesday with Configuration Manager in a remote work world”.

Updated on April 5th, 2020 – Post from Jonas, Roland and Stefan: “Mastering Configuration Manager Bandwidth limitations for VPN connected Clients”.

Introduction

We have modern options like the cloud management gateway (CMG) and cloud distribution points (CDP) to keep traffic out of the on-prem data center, as well as Windows Update for Business (WUfB) policies controlled by Microsoft Intune.

But the main question is: “Do these options help reduce VPN bandwidth usage without split tunneling and appropriate proxy configurations?”

Yes. If your Configuration Manager infrastructure is cloud-enabled or cloud-attached with all the modern features, then you are already in good shape.

Existing Path – Credit to Microsoft – TechCommunity Post

NOTE! – CMG & CDP might not be efficient if you don’t have split tunneling enabled for those kinds of traffic.

Many organizations are not using the cloud management gateway or cloud distribution points. In this scenario, what are the best options to keep SCCM from using all the VPN bandwidth to patch Windows devices?

Let’s see whether we can use existing SCCM configuration to reduce VPN bandwidth usage, mainly for critical scenarios like software updates (patching).

NOTE! – This is critical if your entire workforce is forced to work from home for several months in a scenario like COVID-19.

Split Tunneling & Proxy

Split tunneling and proxy configurations are critical in these scenarios, even if you configure everything correctly in SCCM and Intune.

NOTE – Without appropriate split tunneling and proxy configurations, the SCCM|Intune configuration changes might not help at all.

More details are available in the following Microsoft documentation on building exceptions for Microsoft-related services.

SCCM CMG – Firewall Ports Proxy Requirements – SCCM Config to Help to reduce VPN Bandwidth

Office 365 Communications

Split tunneling and proxy configuration changes apply to Office 365 traffic as well. If your VPN and proxy are configured to route all traffic through the VPN tunnel, this is going to impact the entire VPN tunnel.

More Details – Microsoft Office 365 Network Team’s Take on Split Tunnelling – TechCommunity Post

This will in turn impact your entire business application ecosystem. Users connecting through the VPN in a work-from-home scenario won’t be able to perform any work at all.

Credit to Microsoft Details about Split Tunnelling – TechCommunity Post

Network & Proxy Team

In this scenario, we should get in touch with our network team members to understand the possibility of enabling split tunneling for these kinds of cloud services. Probably, they can help us to implement split tunneling for the following Microsoft services which impact the workplace.

Network Proxy Team to help Workplace – SCCM Config to Help to reduce VPN Bandwidth
  • Office 365
  • Software updates (Patching)
  • CMG or CDP connectivity

NOTE! – This will help reduce VPN bandwidth usage, so the critical business applications that need connectivity to on-prem servers can work seamlessly in a remote working scenario like this.
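
To confirm from a VPN-connected client whether traffic to those services actually leaves outside the tunnel, the following PowerShell check resolves each endpoint and reports the interface Windows would route it through. It is an added example, not part of the original post; the function name `Test-SplitTunnelRoute`, the sample hostnames and the `VpnAdapterPattern` default are assumptions to replace with your own values.

```powershell
# Added example, not from the original post. Hostnames and the adapter pattern are
# assumptions: replace them with your own endpoints and VPN client adapter name.
function Test-SplitTunnelRoute {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        # Regex for a third-party VPN client's adapter alias/description (assumption).
        [string]$VpnAdapterPattern = 'VPN'
    )

    # Connected built-in Windows VPN profiles (per-user and all-user).
    $vpnNames = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue) |
        Where-Object { $_.ConnectionStatus -eq 'Connected' } |
        Select-Object -ExpandProperty Name

    foreach ($name in $HostName) {
        $ips = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
        if (-not $ips) {
            [pscustomobject]@{ Host = $name; IPAddress = $null; Interface = $null
                               NextHop = $null; ViaVpn = $null; Note = 'DNS resolution failed' }
            continue
        }
        foreach ($ip in $ips) {
            # Find-NetRoute emits the source address and the route the stack would pick;
            # keep the route object (the one with a DestinationPrefix).
            $route = Find-NetRoute -RemoteIPAddress $ip |
                Where-Object { $_.DestinationPrefix } | Select-Object -First 1
            $desc = (Get-NetAdapter -InterfaceIndex $route.InterfaceIndex `
                        -ErrorAction SilentlyContinue).InterfaceDescription
            $viaVpn = ($vpnNames -contains $route.InterfaceAlias) -or
                      ("$($route.InterfaceAlias) $desc" -match $VpnAdapterPattern)
            [pscustomobject]@{ Host = $name; IPAddress = $ip; Interface = $route.InterfaceAlias
                               NextHop = $route.NextHop; ViaVpn = $viaVpn; Note = $null }
        }
    }
}

# Sample hostnames: a Microsoft Update download host and a placeholder CMG name.
Test-SplitTunnelRoute -HostName 'download.windowsupdate.com', 'cmg.example.com' |
    Format-Table -AutoSize
```

A `ViaVpn` value of `True` for an update or CMG endpoint means that traffic is still being carried by the tunnel. The check covers routing only; an explicit proxy or PAC file can still send the traffic back on-prem and has to be reviewed separately.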

SCCM Config to Help to Reduce VPN Bandwidth

Even if you don’t have CMG or CDP enabled for your SCCM|ConfigMgr infrastructure, you can use the following option to keep your Windows 10 or Windows 7 devices secured.

Software update or patch deployment is a critical activity for all device management admins. SCCM can perform this activity without impacting critical business deliverables.

Let’s check the following option and test whether it is useful for you. As per Microsoft documentation, this configuration helps to reduce VPN traffic.

Starting in SCCM version 1806, you can deploy software updates to devices without first downloading and distributing content to distribution points. This setting is beneficial when dealing with extremely large update content. More details – here.

Patch Windows 10 from Internet – SCCM Config to Help to reduce VPN Bandwidth

No deployment package – Clients download contents from peers or the Microsoft cloud

Clients download contents from peers or the Microsoft cloud – SCCM Config to Help to reduce VPN Bandwidth

When creating software update packages in SCCM, there is a default option to download the content from the Internet instead of from your on-prem distribution points. This SCCM configuration helps to reduce VPN bandwidth usage.

TRY the following option – If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates.

Select the following setting to have clients download software updates from Microsoft Update. Internet-based clients always go to Microsoft Update for software update content (if you have appropriate VPN split tunneling and proxy configurations).

Download content from Microsoft Updates – SCCM Config to Help to reduce VPN Bandwidth

Hopefully, this setting along with split tunneling helps you reduce VPN bandwidth usage from an SCCM perspective.

Download Settings – SCCM Config to Help to reduce VPN Bandwidth

Boundary Group Options

Boundary group option – Prefer cloud based sources over on-prem sources is another useful option that you can think about.

If you have a branch office with a faster internet link, you can now prioritize cloud content. In ConfigMgr 1902, this setting is now titled Prefer cloud based sources over on-premise sources. Cloud based sources include the following – More details here.

Boundary Options – SCCM Config to Help to reduce VPN Bandwidth
  • Cloud distribution points
  • Microsoft Update (added in version 1902)
Prefer cloud based sources over on-prem sources – SCCM Config to Help to reduce VPN Bandwidth

BITS Throttling Options for SCCM DP MP SUP

I have posted about the BITS throttling options for SCCM DP, MP, and SUP at https://anoopcnair.com/vpn-bandwidth-control-via-bits-throttling-for-sccm-dp-client

Results

Let me know what you think, and how many of you are planning to implement this kind of option.


11 thoughts on “Use Existing SCCM Config to Help to Reduce VPN Bandwidth | ConfigMgr”

  1. Yeah. This is very good information. Never knew this can be controlled using bandwidth utilization split and proxy. Soon after our BITPRO event I implemented CMG but now I know that I was not utilizing properly. Thank you for this post.

    1. For most of the companies, split tunnelling is required. You can check this easily (I feel). Check whether your work laptop’s internet access is available only when VPN is connected or not? If it’s only available when you are connected to VPN, that means you might need to implement split tunnelling for CMG or CDP to work. If internet is available without any VPN, then you don’t need any split VPN (in 90% of cases). This means all internet communications are going directly out to internet without going back to on prem data center via VPN tunnel. Does this make sense?

  2. Anoop – I do not see No deployment package (Clients download contents from peers or the Microsoft cloud) in my SCCM 1906 environment. Do we need to enable any features?

  3. Hi Ninoop,

    Nice information. Just like we discussed yesterday, are these settings applicable when 1E Nomad is in picture?
