Boundary Groups and VPN Client

Hi, we have a “Cloud-VPN-Service”. The client is always running, and if the device is outside of the office network, it connects via VPN.

Problem is that devices inside the office get the office boundary group AND the VPN boundary group. But at the office, we want clients only to connect to the local distribution point, to reduce internet traffic.

Only in case of failure should they connect to the DP in Azure. The DP in Azure is an MP too (a second one is MP only). So we can’t just block traffic to the servers in Azure.

Is there any way to prioritize one boundary group?

br Dirm

Just set up internal routing so the machines can’t reach the VPN DP, and the clients will fall back to the in-office DP.

Does the VPN have a specific range of IPs allocated for it? If so you could use IP ranges instead of subnets for your boundaries.

Edit: grammar

This VPN adapter is always connected. ipconfig always lists it with a valid IP.

> devices inside the office get the office boundary group AND the VPN-Boundary group
Why is that? If the devices only connect if it’s outside the office network then how is a device on your network also in the VPN boundary group?

Also, what do you mean by ‘VPN boundary group’ exactly? Do you mean a range of IPs/Subnets/AD sites you’ve created or an actual ‘VPN Boundary’ type (docs)?

Sorry, I meant IP ranges. We use only IP ranges.

Clients always report their VPN IP and Ethernet/Wifi IP to SCCM.

Outside the office, the Ethernet/Wifi IP doesn’t match any boundary → VPN boundary only. At the office, both match.

It’s CATO VPN.

‘VPN boundary group’ is a subnet boundary group.

The VPN client always assigns an IP, so SCCM gets both IPs reported.

I had a look at the actual ‘VPN Boundary’ type; how does it determine if VPN is on? Traffic going over the interface, or an enabled adapter?

I guess I’m confused. Are your devices connecting to VPN while at the office? They shouldn’t be, and without an active VPN connection they shouldn’t be using your VPN boundary. Unless there is crossover in your IP ranges between the VPN and Office boundaries.

> how does it determine if VPN is on
I’m nearly certain that it’s based on the network adapter’s connection status. So if you have a network adapter that ConfigMgr recognizes as a VPN client and it reports as connected, then it’s going to be in the proverbial mix.

I’ve never seen that scenario; every AoVPN solution I’ve seen has an option to not connect when it’s on the network it’s trying to connect to. I’m fairly certain you could create your VPN boundaries only as fallback boundaries (docs) so that they’re only used when the non-VPN adapters aren’t connected.

It’s a “Cloud Magic VPN solution” and yes, the adapter is always connected in Control Panel. But it has an office mode, so it does not always route all traffic through VPN.

Thanks, the fallback idea sounds nice. I will try this: adding no DP to the VPN boundary and only a fallback. If it’s in the Office and VPN boundaries, it should get the DP from Office. If a device is in the VPN boundary only, it will fall back to the Azure DPs.
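The layout described in the post above, written out as an added example in ConfigMgr PowerShell; this is not code from the thread or from any of the posters. It assumes a site code of PS1, placeholder server names, constructed IP ranges, and the standard ConfigurationManager module cmdlets; adjust all of them to the real site. MPs are left where the existing site already has them, so only DP placement is shown.

```powershell
# Added example, not from the thread. Assumed site code, server names and IP ranges
# are placeholders. Run in a ConfigMgr console PowerShell session:
#   Import-Module ConfigurationManager; Set-Location PS1:

$SiteCode = 'PS1'                       # assumed site code
$LocalDp  = 'dp-office.corp.example'    # assumed on-prem DP
$AzureDp  = 'dp-azure.corp.example'     # assumed Azure DP (also an MP, as in the thread)

# 1. Boundaries as IP ranges (the thread uses IP-range boundaries only). Constructed ranges.
New-CMBoundary -Name 'Office LAN' -Type IPRange -Value '10.10.0.1-10.10.255.254'
New-CMBoundary -Name 'VPN pool'   -Type IPRange -Value '172.16.0.1-172.16.255.254'

# 2. Office boundary group: holds the local DP, so office clients get it as a "current" DP.
New-CMBoundaryGroup -Name 'BG-Office' -DefaultSiteCode $SiteCode
Add-CMBoundaryToGroup -BoundaryName 'Office LAN' -BoundaryGroupName 'BG-Office'
Set-CMBoundaryGroup -Name 'BG-Office' -AddSiteSystemServerName $LocalDp

# 3. VPN boundary group: deliberately has NO site systems. A client that is in both
#    BG-Office and BG-VPN therefore only sees $LocalDp in its current groups.
New-CMBoundaryGroup -Name 'BG-VPN' -DefaultSiteCode $SiteCode
Add-CMBoundaryToGroup -BoundaryName 'VPN pool' -BoundaryGroupName 'BG-VPN'

# 4. Azure group: reachable only through fallback relationships, never as a current group.
New-CMBoundaryGroup -Name 'BG-Azure' -DefaultSiteCode $SiteCode
Set-CMBoundaryGroup -Name 'BG-Azure' -AddSiteSystemServerName $AzureDp

# 5. VPN-only clients (outside the office) fall back to Azure immediately (0 minutes).
New-CMBoundaryGroupRelationship -SourceGroupName 'BG-VPN' -DestinationGroupName 'BG-Azure' `
    -DistributionPointFallbackTime 0

# 6. Office clients reach Azure only after the local DP has failed to serve the content
#    for the fallback time (120 minutes here, chosen for the example).
New-CMBoundaryGroupRelationship -SourceGroupName 'BG-Office' -DestinationGroupName 'BG-Azure' `
    -DistributionPointFallbackTime 120

# Review the relationships that were created.
Get-CMBoundaryGroupRelationship | Format-List
```

The key property of this arrangement is that BG-VPN contributes no DP of its own, so being a member of it in the office changes nothing about which DP is preferred; the Azure DP only enters the client's candidate list through a fallback relationship, and for office clients only after the configured fallback time has expired. Check a client's LocationServices.log after the change to confirm the local DP is listed as the current source and the Azure DP as fallback.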

We use GlobalProtect which is always running, but it can detect when it’s internal to your network and foregoes connecting the VPN tunnel. It works great with the VPN boundary type, too.