SCCM Cloud Management gateway VPN

Leon Taljaard 61 Reputation points
2021-06-17T07:21:21.193+00:00

Hi,

I would like to know or at least get some confirmation. We are setting up a Cloud Management Gateway so that we can deploy software updates to, and manage if needed, devices that are internet-based. Now my question is this: do clients have to always be connected to the VPN to receive policy or the monthly updates, or, once they receive policy the first time (initially making them aware of the CMG), will they just be able to install the deployed updates from SCCM because they receive policy from the CMG MP/SUP and download from the internet?

Would we still also need to set the following option in the update deployment for them as well?

106532-tempsnip.png

Appreciate any info

Thanks

Leon

Microsoft Configuration Manager

Accepted answer
  1. Jason Sandys 31,286 Reputation points Microsoft Employee
    2021-06-18T00:18:34.42+00:00

    The download settings for Internet-connected clients are irrelevant. However, clients connected to the VPN are not Internet clients, as they communicate as if they were on your intranet -- that's the entire point of a VPN.

    For a fairly comprehensive discussion on this topic, see https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895


1 additional answer

  1. AllenLiu-MSFT 44,111 Reputation points Microsoft Vendor
    2021-06-18T07:47:02.91+00:00

    Hi, @Leon Taljaard
    Thank you for posting in Microsoft Q&A forum.

    > Now my question is this: do clients have to always be connected to the VPN to receive policy or the monthly updates, or, once they receive policy the first time (initially making them aware of the CMG), will they just be able to install the deployed updates from SCCM because they receive policy from the CMG MP/SUP and download from the internet?

    It's recommended to use VPN split tunneling with boundary groups to download updates from Microsoft Update sites, so clients have to always be connected to the VPN. VPN split tunneling needs to be configured so that all the Microsoft Update URLs connect directly to the internet without coming into the on-premises datacenter. Clients get management policies and agent communication over the VPN connection, and for software updates they connect to the Internet.

    You may refer to the detailed guidance:
    https://www.terminalworks.com/blog/post/2020/05/17/deploy-windows-updates-through-internet-using-sccm-work-from-home-scenario
    (Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.)


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

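A way to verify on a VPN-connected client what both answers describe: that the ConfigMgr client is in intranet mode while on the VPN, and that the Microsoft Update endpoints are reached directly rather than through the tunnel. This is an added example, not code from the thread; it assumes the `root\ccm` `ClientInfo` class exposes `InInternet`, that `SMS_Authority` exposes `CurrentManagementPoint`, and that the VPN adapter alias and the update hostnames are placeholders you replace with your own values and Microsoft's published endpoint list.

```powershell
# Added example (not from the thread). Run on a client while connected to the VPN.
# Assumptions: root\ccm ClientInfo.InInternet and SMS_Authority.CurrentManagementPoint
# exist; $vpnInterface and $updateHosts are placeholders to adjust for your environment.

# 1. Client mode: on a VPN the ConfigMgr client should report InInternet = False
#    (intranet mode, talking to the on-premises MP rather than the CMG).
$clientInfo = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' -ErrorAction Stop
$authority  = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction Stop
[PSCustomObject]@{
    InInternet             = [bool]$clientInfo.InInternet
    CurrentManagementPoint = $authority.CurrentManagementPoint
}

# 2. Split tunnel check: the update endpoints should be reachable on 443 and the
#    chosen interface should NOT be the VPN adapter if split tunneling is in place.
$vpnInterface = 'VPN'   # placeholder: alias of your VPN adapter (Get-NetAdapter)
$updateHosts  = @(      # placeholders: verify against Microsoft's published Windows Update endpoint list
    'update.microsoft.com',
    'download.windowsupdate.com',
    'dl.delivery.mp.microsoft.com'
)
foreach ($h in $updateHosts) {
    $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    [PSCustomObject]@{
        Host       = $h
        TcpTestOk  = $tnc.TcpTestSucceeded
        Interface  = $tnc.InterfaceAlias
        ViaVpn     = ($tnc.InterfaceAlias -eq $vpnInterface)
    }
}
```

If every row shows `ViaVpn = True`, update traffic is hairpinning through the datacenter and the split-tunnel exclusions from the second answer are not in effect.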