AlexeySemibratov-2474 asked Jason-MSFT answered

Issue with SCCM client recognizing internet / intranet

My customer has a solution that makes domain controllers always available using a third party solution (but I also tried it in my lab with Always-on VPN), so client can authenticate from domain-joined (Hybrid AAD) machine from the logon screen while connecting from the open internet.

It breaks the ability for SCCM client to correctly detect the Internet mode and switch to CMG. Client still keeps trying to reach out to internal Management Points, and never considers the CMG.

We are investing in Azure consumption, and want to switch from IBCM to CMG. We don't want clients to come back on-prem using the always-on VPN solution mentioned above.

Is there any chance that Microsoft would look into it and change the algorithm in Location Manager to fail over to CMG when MPs are not available and switch to Internet mode?

Thank you.

mem-cm-site-deployment

Jason-MSFT answered

We are investigating adding an ability to address this gap. Today, the best you can do is map these clients to the CMG using boundary groups. This does involve making some assumptions about client IP addresses that may not be perfect. Alternatively, depending on the solution you are using, you may be able to use AD sites for the boundaries for the boundary groups.
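The boundary-group mapping suggested above, as an added example that is not part of this thread and not Microsoft's own script. It assumes the ConfigurationManager PowerShell module is installed with the console, and the site code (`P01`), the VPN address pool, the boundary names and the CMG site system name are all placeholders to replace with the real values. The idea is to give the VPN client pool its own boundary group that references only the CMG, so a client that lands in that range is handed the CMG even though the always-on VPN still lets it reach the intranet MP.

```powershell
# Added example (not from the thread): put the VPN client address pool into its own
# boundary group whose only site system is the CMG.
# Site code, IP range, boundary names and the CMG site system name are placeholders.

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location 'P01:'   # placeholder site code

$rangeName     = 'VPN client pool (placeholder)'
$groupName     = 'Always-on VPN clients - CMG only (placeholder)'
$vpnPool       = '10.250.0.1-10.250.255.254'   # placeholder: the pool the VPN hands out
$cmgSiteSystem = 'CMG-PLACEHOLDER'              # name the CMG shows under Site System Servers

# 1. Boundary covering the address pool the VPN solution assigns to remote clients.
if (-not (Get-CMBoundary -BoundaryName $rangeName)) {
    New-CMBoundary -DisplayName $rangeName -BoundaryType IPRange -Value $vpnPool | Out-Null
}

# 2. Boundary group that will reference only the CMG (no on-premises MP or DP).
if (-not (Get-CMBoundaryGroup -Name $groupName)) {
    New-CMBoundaryGroup -Name $groupName -Description 'Always-on VPN clients: prefer CMG' | Out-Null
}
Add-CMBoundaryToGroup -BoundaryName $rangeName -BoundaryGroupName $groupName

# 3. Attach the CMG as the group's site system. Assumption: the CMG is selectable as a
#    site system server for boundary groups, as it is in the console.
Set-CMBoundaryGroup -Name $groupName -AddSiteSystemServerName $cmgSiteSystem

# 4. Show the resulting group so the change can be reviewed before clients pick it up.
Get-CMBoundaryGroup -Name $groupName
```

Two checks worth making before relying on this: the VPN pool must not overlap an existing on-premises boundary, otherwise the client is a member of both groups and the answer's caveat about IP-address assumptions applies in full; and the pool has to be stable, because a VPN that hands out addresses from a shared DHCP scope gives the client nothing to distinguish it from an office machine.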


HanyunZhu-MSFT answered

Hi AlexeySemibratov-2474,

Thank you for posting in Microsoft Q&A forum.

Due to our limited experimental environment, I cannot reproduce your SCCM environment to conduct experiments, so I did some searches and got some conclusions.

If we have both IBCM and CMG and both work normally, clients will receive policy for both services and they randomly select and use one of these internet-based services. We can check the LocationService.log on the client to confirm that.
And if the client has connected to internal-based Management Points, then it will not be easily changed.
But after the internal-based Management Points shut down and the client policy is refreshed, the client will switch from IBCM to CMG.
Here is a link that can be used as a reference; someone has done the related lab test:
https://www.reddit.com/r/SCCM/comments/6r7h97/ibcm_migration_to_cloud_management_gateway/
Note: This is not from MS, just for your reference.

Hope the information is helpful to you.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
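A way to check the client-side log mentioned in this answer, added here as an example that is not from the thread or from Microsoft. Client logs are written in CMTrace format, one XML-like record per line; the function below turns such lines into objects and keeps the ones about network location, MP selection or the CMG. The log path is the default client location and is an assumption, and the sample log lines are constructed for illustration, not real client output.

```powershell
# Added example (not from the thread): parse a CMTrace-format client log such as
# LocationServices.log and surface the entries that show which network mode and
# management point the client settled on. Sample lines are constructed.

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Line)
    # CMTrace record layout: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = ($Matches.time -split '[+-]')[0]   # drop the UTC offset suffix
                Component = $Matches.comp
                Severity  = switch ($Matches.type) { '2' { 'Warning' } '3' { 'Error' } default { 'Info' } }
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CMClientLocationEvents {
    param(
        [string]$Path = "$env:windir\CCM\Logs\LocationServices.log",   # assumed default client path
        [string[]]$Keyword = @('intranet', 'internet', 'CMG', 'MP')
    )
    ConvertFrom-CMTraceLog -Line (Get-Content -Path $Path) | Where-Object {
        $msg = $_.Message
        @($Keyword | Where-Object { $msg -match [regex]::Escape($_) }).Count -gt 0
    }
}

# --- demo on constructed lines (message text is illustrative, not the real client strings) ---
$sample = @(
    '<![LOG[Current AD site of machine is Default-First-Site-Name]LOG]!><time="08:01:10.100+000" date="03-01-2022" component="LocationServices" context="" type="1" thread="4120" file="lsad.cpp:400">',
    '<![LOG[Client is on intranet, using MP MP01.corp.example]LOG]!><time="08:01:11.200+000" date="03-01-2022" component="LocationServices" context="" type="1" thread="4120" file="lsad.cpp:600">',
    '<![LOG[Failed to contact MP01.corp.example]LOG]!><time="08:03:40.000+000" date="03-01-2022" component="LocationServices" context="" type="3" thread="4120" file="lsad.cpp:700">',
    '<![LOG[Policy refresh completed]LOG]!><time="08:03:40.500+000" date="03-01-2022" component="PolicyAgent" context="" type="1" thread="4120" file="policy.cpp:100">',
    '<![LOG[Internet MP CMG-PLACEHOLDER.CLOUDAPP.NET selected via CMG]LOG]!><time="08:03:41.000+000" date="03-01-2022" component="LocationServices" context="" type="1" thread="4120" file="lsad.cpp:720">'
)
$tmp = Join-Path $env:TEMP 'LocationServices.sample.log'
$sample | Set-Content -Path $tmp

Get-CMClientLocationEvents -Path $tmp | Format-Table Time, Severity, Component, Message -AutoSize
```

On a real client, run `Get-CMClientLocationEvents` with no arguments; the entries with a `Warning` or `Error` severity around the time the VPN comes up are the ones that show whether the client ever gave up on the intranet MP, and a run with only `Info` lines naming the on-premises MP confirms the behaviour described in the question.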

