This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 55.00000000000001%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
Hi, Can anyone advice on this. I have SCCM CMG + VPN setup, how to setup the Windows update to install on Devices without spiking Firewall and my proxy will not allow the windows update url *.windowsupdate.com.
What you should consider is configuring vpn split tunnelling to allow Microsoft urls to directly go over internet and intranet traffic to go via vpn. Make sure to include the cmg and blog storage urls in the split tunnelling configuration. Obviously your VPN needs to support this. Preferably URLs over IPs. See if you can find the list or else let me know and I can share it over here.
Once done, adjust or create boundary group in ConfigMgr for VPN subnets and add CMG as the resource.
Hi Rahul, Thank you for the reply. Unfortunately the VPN doesn't support the spilt tunneling. Can I use CMG as Software update DP?
Yes you can, but be prepared to incur huge egress and storage cost. If you can't use split tunneling then you have the option of allowing downloading of the content from the Microsoft CDN severs over VPN using your corporate bandwidth. However, this can increase VPN traffic and possibly overwhelming it. Which is why it is suggested to use split tunneling.
Which VPN solution do you have?
Reverse Split Tunnel with Citrix netscaler, which will not support allowing wild cards urls. Microsoft doesn't provided IP for the windows update URLs