ConfigMgr VPN Boundary Setup Process Explained | SCCM

ConfigMgr VPN boundary is the new functionality introduced in the ConfigMgr 2006 version. The new boundary type introduced with Configuration Manager 2006 is VPN. This helps the SCCM admin to support remote working scenarios more efficiently.

We have already learned how to create Boundaries and boundary Groups in ConfigMgr. What will happen when someone accidentally deletes all your SCCM CB boundaries and boundary groups? We have already learned to recover the boundaries as well.

Boundaries in Configuration Manager are specific network locations that contain devices you want to manage. Boundaries can be created based on criteria, such as an Active Directory site or a network IP address. The device is considered within that boundary when the Configuration Manager client identifies a matching network location.

Starting with SCCM 2111, you can have additional configurations. A new option called Start With enables more flexibility in having a unique identifier with the Connection Name or Connection Description options.

Patch My PC
Index
Prerequisites
How to Create a VPN Boundary
Configure VPN Boundary
Auto Detect VPN
Connection Name for VPN Boundaries
Connection Description
Add VPN Boundary to Boundary Groups
Result
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Table 1

Prerequisites

All the boundary details are selected based on the Windows 10 client configuration and connectivity. The VPN boundary also works with your Windows 10 device’s live connectivity. You can use the IPConfig command to learn more about this, which I have explained below.

  • Server infrastructure should be 2006 or later.
  • ConfigMgr 2006 or later Client
  • Boot Image with client binaries for OSD scenarios
  • Understanding VPN configuration in your organization

NOTE! – Although each SCCM boundary group supports site assignment and site system reference, create a separate set of boundary groups to use only for site assignment. Avoid overlapping boundaries for automatic site assignment.

Adaptiva

How to Create a VPN Boundary

Let’s learn how to create VPN boundaries in this section:

  • Launch Configuration Manager Console
  • Navigate \Administration\Overview\Hierarchy Configuration\Boundaries
  • Right-click on the Boundaries node
  • Select Create New Boundary
ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.1
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.1

Select the General tab. Configure the setting for the boundary, then Enter Description– Name of the Boundary – HTMD VPN

  • Select the type of boundary as VPN
ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.2
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.2

Configure VPN Boundary

When creating a VPN boundary, you are given three options. Understanding each option in the SCCM VPN configuration is essential. Let’s dive into it!

Auto Detect VPN

Auto Detect VPN is the default option in the VPN boundary configuration. I don’t think many SCCM admins would use it.

ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.3
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.3

Connection Name for VPN Boundaries

Now, let’s understand where you can get the VPN boundary configuration details called connection Name. You can log in to a Windows 10 device connected to a VPN network and, once logged in, try to run the command line “IPCONFIG“.

  • Connection Name – You can use the connection name option in the boundary settings to specify the name of the VPN connection on the Windows 10 device.
    • You can run the ipconfig command on the Windows 10 device to determine whether you can use this boundary configuration setting called Connection Name.
ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.4
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.4

Enter the value for VPN configuration

  • Connection Name = VPN Connection
ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.5
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.5

Connection Description

Let’s understand the Connection Description field configuration from the SCCM VPN boundary. Log in to a Windows 10 device connected to a VPN network. Once logged in, try to run the command line “IPCONFIG.”

  • Connection Description—The Connection Description option in the boundary settings allows you to specify the name of the VPN connection on the Windows 10 device.
    • You can run the ipconfig command on the Windows 10 device to identify whether you can use this boundary configuration setting called Connection Description.
ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.6
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.6

Connection Description (above screenshot) = VPN Connection

ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.7
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.7

Complete the configuration by clicking on OK.

You have a new option called Start With with SCCM 2111, which enables more flexibility in creating a unique identifier with the Connection Name or Connection Description options.

ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.8
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.8

Add VPN Boundary to Boundary Groups

The blog post below lets you learn how to create VPN boundary groups. Let’s learn how to generate boundary groups and how to configure the boundary groups.

https://www.anoopcnair.com/create-boundary-groups-in-configmgrsccm-boundar/#Create_Boundary_Groups

ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.9
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.9

Result

You can confirm the server-side configuration from the ConfigMgr console. After creating VPN boundaries, you can check results from the console (\Administration\Overview\Hierarchy Configuration\Boundaries).

  • Type – VPN
  • Boundary – Description: VPN Connection
ConfigMgr VPN Boundary Setup Process Explained | SCCM - Fig.10
ConfigMgr VPN Boundary Setup Process Explained | SCCM – Fig.10

Client-side validation can be done using locationservices.log. The main things to notice here are given below. One of the two attributes mentioned below can be used while configuring the VPN boundary.

  • Adapter Name=“Ethernet”
  • Description=“Microsoft Hyper-V Network Adapter”

NOTE! This Client (following log snippet) is disconnected from the VPN. ConfigMgr should have collected the VPN adapter and description information via location services if it was a connected VPN network.

WSUSLocationRequest : <WSUSLocationRequest SchemaVersion="1.00" BGRVersion="1"><Content ID="{1074285A-82C7-474F-B242-1EE20F8C3CE5}" Version="11"/><AssignedSite SiteCode="MEM"/><ClientLocationInfo OnInternet="0"><ADSite Name="Default-First-Site-Name"/><Forest Name="memcm.com"/><Domain Name="memcm.com"/><IPAddresses><IPAddress SubnetAddress="10.1.0.0" Address="10.1.0.9"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="reddog.microsoft.com" Description="Microsoft Hyper-V Network Adapter"/></Adapters><BoundaryGroups BoundaryGroupListRetrieveTime="2020-10-09T10:33:31.803"><BoundaryGroup GroupID="16777218" GroupGUID="b1995968-348a-4fa4-9aaf-26be9f06ff98" GroupFlag="2"/></BoundaryGroups></ClientLocationInfo></WSUSLocationRequest>

Resource

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.