Thanks all for the responses. Yes, I tried blocking the internal MP, but the client failed and went nowhere to pick IBCM. DC/Global Catalog block is an obvious rule out.

Instead of tweaking firewall rules, is there anything we can think of to tweak on the clients themselves when sensing it is on VPN, to force it to IBCM through some script or something that we can deploy beforehand to clients... just a curious thought, sure some IFs/BUTs will be there..

Thanks,
Vasu

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Thursday, December 7, 2017 10:07 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

That is correct. If the client can talk to a global catalog then it will mark itself as internal. I fought this fight with Direct Access and IBCM. Creating a firewall rule to block access to the internal MP didn't make a difference.

Dewayne

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Thursday, December 7, 2017 11:09 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

I had some offline conversations about this.... I think that documentation may be wrong or outdated. You'd have to test it, but I think so long as the client can communicate with a domain controller the client will not be internet based.

Sensitivity: Confidential between partners

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Stuart Watret
Sent: Thursday, December 7, 2017 8:09 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Redirect VPN clients traffic to IBCM servers !

What would be nice in this scenario is the Azure hosted MP/DP taking over, rather than the old world internet facing MP shnizzle. Just a thought.
Stuart

On 7 Dec 2017, at 05:54, Miriyala, Vasu <vasu.miriy...@capgemini.com> wrote:

Thanks John, I will try this.

Just want to reiterate to gain more clarity:

* Even though the client CAN connect to CORPNet, and the Domain and AD servers are reachable, as long as it cannot make a successful connection to the assigned MP, the client will talk to the Internet MP as the next avenue?
* Once after establishing a connection with the IBCM server for MP, SUP, DP services... hope it doesn't have any chance of revisiting its decision intermittently to try for the default/assigned MP, which may cause disruption of actively going services like policies, package download and so on...?

--Vasu

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Wednesday, December 6, 2017 7:32 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Redirect VPN clients traffic to IBCM servers !

According to this, if a client cannot connect to its assigned MP it assumes it's on the Internet. Maybe you can somehow block access to the MP from the VPN subnet?

When this network change is detected, the client computer will first attempt to communicate with its assigned management point on the intranet. If this succeeds, the client computer behaves as a standard intranet client. However, if the client computer cannot connect to its assigned management point, it then attempts communication with its configured Internet management point, using the Internet fully qualified domain name that is configured on the management point and registered with Internet DNS servers. When the Internet management point responds, the client computer then uses as required, the distribution points and software updates point that are also configured for Internet-based client management.
Sensitivity: Confidential between partners

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Miriyala, Vasu
Sent: Tuesday, December 5, 2017 11:39 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Redirect VPN clients traffic to IBCM servers !

Hi Champs,

Currently internet clients, after establishing a VPN connection, start to use the on-premises MP, DP etc., which is good and by design. However, the Network team wants to avoid this and redirect that traffic from VPN bandwidth to the Internet IBCM servers, as the project uses this bandwidth and it is sometimes choked due to SCCM usage.

Is there an inbuilt or custom configuration (@ SCCM or Network front) that helps us tell the IBCM client not to use on-premises SCCM servers when on VPN, rather forcing them to use IBCM servers only?

Thanks,
Vasu

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
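
Added example (not part of the thread and not code from any poster): a read-only PowerShell check for a VPN-connected client that compares the two signals debated above, global catalog reachability and assigned-MP reachability, with the location state the ConfigMgr client itself reports. Assumptions: the WMI names `root\ccm`, `ClientInfo.InInternet` and `SMS_Authority.CurrentManagementPoint` should be confirmed on your client version, and the MP port (443) is a guess to adjust for your site.

```powershell
# Added diagnostic sketch: run elevated on a domain-joined client while on VPN.
# Read-only: it changes no client or firewall setting.
param([int]$MpPort = 443)   # assumed MP port; use 80 for an HTTP intranet MP

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $tcp.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $tcp.EndConnect($pending)
        return $true
    } catch { return $false }
    finally { $tcp.Close() }
}

# Global catalog discovery through AD; throws when no DC/GC can be located.
$gcName = $null
try {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcName = $forest.FindGlobalCatalog().Name
} catch { }

# State reported by the ConfigMgr client (WMI names assumed, see lead-in).
$info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' `
            -ErrorAction SilentlyContinue
$auth = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' `
            -ErrorAction SilentlyContinue | Select-Object -First 1
$currentMp = if ($auth) { $auth.CurrentManagementPoint } else { $null }

[pscustomobject]@{
    GlobalCatalog          = $gcName
    GcReachable3268        = if ($gcName) { Test-TcpPort $gcName 3268 } else { $false }
    CurrentManagementPoint = $currentMp
    MpReachable            = if ($currentMp) { Test-TcpPort $currentMp $MpPort } else { $false }
    ClientReportsInternet  = if ($info) { [bool]$info.InInternet } else { $null }
}
```

Running it before and after a firewall change on the VPN subnet shows whether the client's reported state follows MP reachability, as the quoted documentation says, or global catalog reachability, as the replies report.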