LeonTaljaard-1502 asked | 0 votes

SCCM Cloud Management Gateway VPN

Hi,

I would like to know, or at least get some confirmation. We are setting up a Cloud Management Gateway so that we can deploy software updates as well as manage the devices that are internet-based if needed. Now my question is this: do clients always have to be connected to the VPN to receive policy or the monthly updates, or, once they receive policy the first time (initially making them aware of the CMG), will they just be able to install the deployed updates from SCCM because they will receive policy from the CMG MP/SUP and just download from the internet?

Would we still need to set the following option in the update deployment for them as well?

[attached screenshot: tempsnip.png]

Appreciate any info

Thanks

Leon


Tags: mem-cm-co-management

Jason-MSFT answered | 0 votes

The download settings for Internet-connected clients are irrelevant. However, clients connected to the VPN are not Internet clients, as they communicate as if they were on your intranet -- that's the entire point of a VPN.

For a fairly comprehensive discussion on this topic, see https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895


Hi @Jason-MSFT

Thank you for the response. I know what the point of VPN is; my question was not about the function of VPN but whether it is a requirement for my clients to be connected to the VPN to receive policy telling them which updates need to be downloaded.

I am, however, aware that when a CMG is in place your internet clients get content from internet sources and relieve the VPN, and thus you set your deployments to allow download from Microsoft.

My question, as above, is: does the client need to be connected to the VPN to receive this instruction, or would they just get the policy or update deployments from the CMG/SUP and then install the "deployed" updates?

So, for example, if the client knows that it has a CMG but it NEVER connects to the VPN, would it know which updates we deploy each month from within SCCM?

[0 votes]

> I am however aware that when a CMG is in place then you have your internet clients get content from internet sources and alleviate the VPN and thus you set your deployments to allow download from Microsoft.

No, this is incorrect. Internet clients always get update content from Windows Update regardless of the download settings for the deployment, which is why I said the settings were irrelevant for Internet clients.

> My question as above is, does the client need to be connected to the VPN to receive this instruction or would they just get the policy or update deployments from the CMG/SUP and then they would install the "deployed" updates.

This is the entire point of the CMG. It would be more or less worthless if it required a VPN for anything.

[0 votes]

@Jason-MSFT thank you very much for the information. This is exactly what I wanted confirmation on, because a lot of the guides out there talk about configuring VPN and none of them really mention that you don't need a VPN connection/boundary in place if you don't want one or don't have one.

[0 votes]

AllenLiu-MSFT answered | 0 votes

Hi, @LeonTaljaard-1502
Thank you for posting in Microsoft Q&A forum.

> Now my question is this, do clients have to always be connected to VPN to receive policy or the monthly updates or once they receive policy the first time initially making them aware of the CMG then they will just be able to install the deployed updates from SCCM because they will receive policy from the CMG MP/SUP and they will just download from the internet?

It's recommended to use VPN split tunneling with boundary groups to download updates from Microsoft Update sites, so clients have to always be connected to the VPN. VPN split tunneling needs to be configured so that all the Microsoft Update URLs connect directly to the internet without coming to the on-premises datacenter. Clients get management policies and agent communication over the VPN connection, and for software updates they connect to the Internet.

You may refer to the detailed guidance:
https://www.terminalworks.com/blog/post/2020/05/17/deploy-windows-updates-through-internet-using-sccm-work-from-home-scenario
(Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


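As an added example (not code from the thread, from Microsoft, or from the linked guides) that serves both Jason-MSFT's point (an Internet client talks to the CMG and pulls content from Microsoft Update, no VPN needed) and AllenLiu-MSFT's split-tunnel recommendation: a PowerShell check run on a managed client that reports whether the ConfigMgr agent currently considers itself an Internet client, which management point it is using, and whether a Windows Update content host would be reached through the VPN adapter. The WMI class and property names, the VPN adapter name pattern and the sample update host are assumptions.

```powershell
# Added example, not from the thread. Checks two things on a ConfigMgr client:
# (1) does the agent consider itself an Internet client (talking to the CMG, not an on-prem MP)?
# (2) would traffic to a Windows Update content host leave via the VPN adapter or directly?
# Assumptions: root\ccm:ClientInfo exposes InInternet and root\ccm:SMS_Authority exposes
# CurrentManagementPoint; the VPN adapter's alias matches $VpnAdapterPattern (edit for your
# VPN client); download.windowsupdate.com stands in for any Microsoft Update content host.
# Run elevated on Windows 8 / Server 2012 or later (needs the NetTCPIP and DnsClient modules).
param(
    [string] $VpnAdapterPattern = 'VPN|AnyConnect|Pulse|GlobalProtect',
    [string] $UpdateHost        = 'download.windowsupdate.com'
)

function Get-CmClientConnectivity {
    $clientInfo = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo'    -ErrorAction Stop
    $authority  = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction Stop
    $inInternet = [bool] $clientInfo.InInternet
    [pscustomobject]@{
        InInternet     = $inInternet
        CurrentMP      = $authority.CurrentManagementPoint
        Interpretation = if ($inInternet) {
            'Internet mode: policy and SUP scan go via the CMG, update content comes from Microsoft Update'
        } else {
            'Intranet mode: client believes it is on-prem (office or VPN); on-prem MP/SUP/DP rules apply'
        }
    }
}

function Test-UpdateHostEgress {
    param([string] $HostName, [string] $VpnPattern)
    # Resolve one A record, then ask the routing table which interface would carry that traffic.
    $a = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
         Where-Object Type -eq 'A' | Select-Object -First 1
    $ifIndex = (Find-NetRoute -RemoteIPAddress $a.IPAddress -ErrorAction Stop)[0].InterfaceIndex
    $alias   = (Get-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4).InterfaceAlias
    [pscustomobject]@{
        UpdateHost    = $HostName
        ResolvedIP    = $a.IPAddress
        EgressAdapter = $alias
        ViaVpn        = [bool] ($alias -match $VpnPattern)
    }
}

$conn   = Get-CmClientConnectivity
$egress = Test-UpdateHostEgress -HostName $UpdateHost -VpnPattern $VpnAdapterPattern
$conn, $egress | Format-List

if (-not $conn.InInternet -and $egress.ViaVpn) {
    Write-Warning "Client is in intranet mode and $UpdateHost routes through '$($egress.EgressAdapter)': update downloads will traverse the VPN, so split tunneling is not in effect for this host."
}
```

Run it once on a client that is off the VPN and once on the same client while connected; the first run should report InInternet = True with a CMG management point, and the second should show the on-prem MP with the update host leaving through the physical adapter if split tunneling is configured as AllenLiu-MSFT describes.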