ConfigMgr VPN Boundary Setup Process Explained | SCCM

ConfigMgr VPN boundary is the new functionality introduced in the ConfigMgr 2006 version. The new boundary type got introduced with Configuration Manager 2006 is VPN. This helps the SCCM admin to support remote working scenarios more efficiently.

We have already learned how to create Boundaries and boundary Groups in ConfigMgr. What will happen when someone accidentally deletes all your SCCM CB boundaries and boundary groups? We have already learned to recover the boundaries as well.

Starting with SCCM 2111, you can have additional configurations. You have a new option called Start With to enable more flexibility to have a unique identifier with the Connection Name or Connection Description options.

Prerequisites

All the boundary details are selected based on the Windows 10 client configuration and connectivity. The VPN boundary also works with the live connectivity of your Windows 10 device. You can use the IPConfig command to understand more about this and explain it below.

Patch My PC
  • Server infrastructure should be 2006 or later
  • ConfigMgr 2006 or later Client
  • Boot Image with client binaries for OSD scenarios
  • Understanding VPN configuration in your organization

NOTE! – Although each SCCM boundary group supports both site assignment and site system reference, create a separate set of boundary groups to use only for site assignment. Avoid overlapping boundaries for automatic site assignment.

How to Create VPN Boundary

Let’s learn how to create VPN boundaries in this section:

  • Launch Configuration Manager Console
  • Navigate \Administration\Overview\Hierarchy Configuration\Boundaries
  • Right-click on the Boundaries node
  • Select Create New Boundary
ConfigMgr VPN Boundary Creation Process Explained | SCCM
ConfigMgr VPN Boundary Creation Process Explained | SCCM
  • Select the General tab
  • Configure the setting for the boundary
    • Enter Description– Name of the Boundary – HTMD VPN
    • Select Type of the boundary as VPN
ConfigMgr VPN Boundary Creation Process Explained | SCCM
ConfigMgr VPN Boundary Creation Process Explained | SCCM

Configure VPN Boundary

There are three options given to you while creating a VPN boundary. It’s important to understand each option in the SCCM VPN configuration. Let’s deep dive into it!

Auto Detect VPN

  • Auto Detect VPN – This is the default option in the VPN boundary configuration. I don’t think many SCCM admins would be able to use this option.
ConfigMgr VPN Boundary Creation Process Explained | SCCM
ConfigMgr VPN Boundary Creation Process Explained | SCCM

Connection Name for VPN Boundaries

Now, let’s understand where you can get the VPN boundary configuration details called connection Name. You can log in to a Windows 10 device that is connected to a VPN network. Once logged in try to run the command line “IPCONFIG“.

Adaptiva
  • Connection Name – You can use the connection name option in the boundary settings to specify the name of the VPN connection on the Windows 10 device.
    • You can run the ipconfig command on the Windows 10 device to identify whether you can use this boundary configuration setting called Connection Name or not.
ConfigMgr VPN Boundary Creation Process Explained | SCCM
ConfigMgr VPN Boundary Creation Process Explained | SCCM
  • Enter the value for VPN configuration
    • Connection Name = VPN Connection
ConfigMgr VPN Boundary Creation Process Explained | SCCM
ConfigMgr VPN Boundary Creation Process Explained | SCCM

Connection Description

Now let’s understand the Connection Description field configuration from the SCCM VPN boundary. You can log in to a Windows 10 device that is connected to a VPN network. Once logged in try to run the command line “IPCONFIG“.

  • Connection Description – You can use the Connection Description option in the boundary settings to specify the name of the VPN connection on the Windows 10 device.
    • You can run the ipconfig command on the Windows 10 device to identify whether you can use this boundary configuration setting called Connection Description or not.
ConfigMgr VPN Boundary Setup Process Explained | SCCM 1

Connection Description (above screenshot) = VPN Connection

ConfigMgr VPN Boundary Creation Process Explained | SCCM
ConfigMgr VPN Boundary Creation Process Explained | SCCM

Complete the configuration by clicking on OK.

You have a new option called Start With to enable more flexibility to have a unique identifier with the Connection Name or Connection Description options. This is with SCCM 2111.

ConfigMgr VPN Boundary Setup Process Explained | SCCM 2

Add VPN Boundary to Boundary Groups

You can learn to create the VPN boundary groups from the below blog post. Let’s learn how to create boundary groups and how to configure the boundary groups.

https://www.anoopcnair.com/create-boundary-groups-in-configmgrsccm-boundar/#Create_Boundary_Groups

ConfigMgr VPN Boundary Creation Process Explained | SCCM
ConfigMgr VPN Boundary Creation Process Explained | SCCM

Result

You can confirm the server-side configuration from the ConfigMgr console. You can check results from the console (\Administration\Overview\Hierarchy Configuration\Boundaries) after creating VPN boundaries.

  • Type – VPN
  • Boundary – Description:VPN Connection
ConfigMgr VPN Boundary Setup Process Explained | SCCM 3

Client-side validation can be done using locationservices.log. The main things to notice here are given below. Either one of the two attributes mentioned below can be used while configuring the VPN boundary.

  • Adapter Name=”Ethernet”
  • Description=”Microsoft Hyper-V Network Adapter”

NOTE! – This client (following log snippet) is not connected to the VPN. If it was a connected VPN network, then ConfigMgr should have collected the VPN adapter and description information via location services.

WSUSLocationRequest : <WSUSLocationRequest SchemaVersion="1.00" BGRVersion="1"><Content ID="{1074285A-82C7-474F-B242-1EE20F8C3CE5}" Version="11"/><AssignedSite SiteCode="MEM"/><ClientLocationInfo OnInternet="0"><ADSite Name="Default-First-Site-Name"/><Forest Name="memcm.com"/><Domain Name="memcm.com"/><IPAddresses><IPAddress SubnetAddress="10.1.0.0" Address="10.1.0.9"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="reddog.microsoft.com" Description="Microsoft Hyper-V Network Adapter"/></Adapters><BoundaryGroups BoundaryGroupListRetrieveTime="2020-10-09T10:33:31.803"><BoundaryGroup GroupID="16777218" GroupGUID="b1995968-348a-4fa4-9aaf-26be9f06ff98" GroupFlag="2"/></BoundaryGroups></ClientLocationInfo></WSUSLocationRequest>

Resource

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.