Just in case anybody is interested, this is how we achieved it:

  1.  Enabled the SCCM Internet DP to support Intranet and Internet clients (earlier Internet only)
  2.  Moved VPN boundaries in SCCM from other on-premises DPs to the Internet DP
  3.  Rerouted traffic from the VPN NIC to the Internet NIC (Network/VPN team does it)
  4.  Added the IBCM Internet hostname in the VPN DNS server with the Public IP address (this DNS server is used for VPN clients only)
  5.  SCCM clients were tested to confirm that they get the content from the Internet server when on VPN

Probably you can develop further based on your scenario and so on...

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Troy Martin
Sent: Monday, December 11, 2017 10:31 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

...this is what I've seen/experienced in the number of times I've implemented 
IBCM, going back to CM07.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone: +44 208 326 9141
troy.mar...@1e.com | www.1e.com

Facebook <http://www.facebook.com/1eglobal> | Twitter <https://twitter.com/1e_global/> | YouTube <http://www.youtube.com/1enews> | Blogs <http://blogs.1e.com/> | RSS <http://blogs.1e.com/index.php/feed/>

[1E Local] <http://info.1e.com/1e-regional-events>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Monday, December 11, 2017 8:21 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

I am confused. If this were true then blocking access to the intranet MP on VPN 
would make the clients switch. That was not the case in my experience.

Dewayne

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: Friday, December 8, 2017 1:47 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

What is the CCMSetup.exe command line used to install the client in your 
environment?

At a minimum, it should include the following: CCMSetup.exe /UsePKICert 
CCMHOSTNAME="SMSMP01.corp.contoso.com"

If you want to force the clients to "always" be Internet clients, then add the 
following to the command line: CCMALWAYSINF=1

In short, when clients VPN in they are connected to your intranet and will have 
access to the (intranet) MP, e.g. the default management point.  When the CM client 
detects it is connecting to a different network, it always attempts to contact 
the (intranet) MP; if it cannot, then it "switches" to IBCM mode, attempting to 
connect to the FQDN/site system defined in the CCMHOSTNAME property during the 
client install.

The CM client also checks for the default MP during service restarts, and also 
every 25 hours.

It is not based upon being able to access DC/GC.

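A check script for the behaviour Troy describes above (and for step 5 of the summary at the top of the thread): run on a VPN-connected test machine, it reports whether the ConfigMgr client currently considers itself on the Internet, which MP it is using, and whether the IBCM hostname from CCMHOSTNAME resolves and answers on 443. This is an added example, not code from the thread or from Microsoft. It relies on the root\ccm WMI classes ClientInfo (property InInternet) and SMS_Authority (property CurrentManagementPoint) that exist on a ConfigMgr client; the IBCM hostname is a placeholder to replace with your own CCMHOSTNAME value.

```powershell
# Added example: report the ConfigMgr client's current intranet/Internet mode
# and verify that the IBCM hostname is reachable from a VPN-connected client.
# 'ibcm.example.com' is a placeholder; pass your CCMHOSTNAME value instead.
param(
    [string]$InternetMP = 'ibcm.example.com'
)

# ClientInfo.InInternet is the client's own view of whether it is in IBCM mode;
# SMS_Authority.CurrentManagementPoint is the MP it is currently talking to.
$clientInfo = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo'
$authority  = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority'

$result = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    InInternetMode     = [bool]$clientInfo.InInternet
    CurrentMP          = $authority.CurrentManagementPoint
    InternetMPResolves = $false
    InternetMPAddress  = $null
    Https443Reachable  = $false
}

try {
    # Step 4 of the summary: the VPN DNS server must hand out the public
    # address for the IBCM name, so check what this client actually resolves.
    $dns = Resolve-DnsName -Name $InternetMP -Type A -ErrorAction Stop
    $record = $dns | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $result.InternetMPResolves = ($null -ne $record)
    $result.InternetMPAddress  = $record.IPAddress

    # IBCM traffic is HTTPS on 443; confirm the port answers from the VPN client.
    $tcp = Test-NetConnection -ComputerName $InternetMP -Port 443 -WarningAction SilentlyContinue
    $result.Https443Reachable = [bool]$tcp.TcpTestSucceeded
}
catch {
    Write-Warning "Could not resolve ${InternetMP}: $($_.Exception.Message)"
}

# A client that is on VPN but still shows InInternetMode = False with the
# intranet MP as CurrentMP is behaving as Troy describes: it reached the
# assigned MP first and stayed an intranet client.
$result
```

Run it before and after blocking or rerouting the intranet MP path to see whether the client's mode actually changes; CurrentMP should move to the IBCM FQDN only once the assigned MP is unreachable (or the client was installed with CCMALWAYSINF=1).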

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Miriyala, Vasu
Sent: Thursday, December 7, 2017 11:59 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

Thanks all for responses,

Yes, I tried blocking the internal MP but the client failed and went nowhere to pick 
up IBCM. A DC/Global Catalog block is an obvious rule-out.

Instead of tweaking firewall rules, is there anything we can think of to tweak on 
the clients themselves, when sensing they are on VPN, to force them to IBCM through some script 
that we can deploy beforehand to clients... just a curious thought, sure some 
IFs/BUTs will be there..

Thanks, Vasu

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Thursday, December 7, 2017 10:07 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

That is correct. If the client can talk to a global catalog then it will mark 
itself as internal. I fought this fight with Direct Access and IBCM. Creating a 
firewall rule to block access to the internal MP didn't make a difference.

Dewayne


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Thursday, December 7, 2017 11:09 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

I had some offline conversations about this.... I think that documentation may 
be wrong or outdated. You'd have to test it, but I think so long as the client 
can communicate with a domain controller the client will not be Internet-based.



Sensitivity: Confidential between partners
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Stuart Watret
Sent: Thursday, December 7, 2017 8:09 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] Redirect VPN clients traffic to IBCM servers !

What would be nice in this scenario, is the azure hosted mp/dp taking over, 
rather than the old world internet facing MP shnizzle.

Just a thought.

Stuart

On 7 Dec 2017, at 05:54, Miriyala, Vasu 
<vasu.miriy...@capgemini.com<mailto:vasu.miriy...@capgemini.com>> wrote:

Thanks John I will try this

Just want to reiterate to gain more clarity


  *   Even though the client CAN connect to CORPNet and the domain/AD servers are reachable, as long as it cannot make a successful connection to the assigned MP, will the client talk to the Internet MP as the next avenue?
  *   Once a connection with the IBCM server for MP, SUP, DP services is established... hopefully it doesn't have any chance of revisiting its decision intermittently to try the default/assigned MP, which may cause disruption of actively running services like policies, package download and so on?

--Vasu

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Wednesday, December 6, 2017 7:32 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: Redirect VPN clients traffic to IBCM servers !

According to this, if a client cannot connect to its assigned MP it assumes 
it's on the Internet. Maybe you can somehow block access to the MP from the VPN 
subnet?


When this network change is detected, the client computer will first attempt to 
communicate with its assigned management point on the intranet. If this 
succeeds, the client computer behaves as a standard intranet client. However, 
if the client computer cannot connect to its assigned management point, it then 
attempts communication with its configured Internet management point, using the 
Internet fully qualified domain name that is configured on the management point 
and registered with Internet DNS servers. When the Internet management point 
responds, the client computer then uses as required, the distribution points 
and software updates point that are also configured for Internet-based client 
management.
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Miriyala, Vasu
Sent: Tuesday, December 5, 2017 11:39 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] Redirect VPN clients traffic to IBCM servers !

Hi Champs,

Currently Internet clients, after establishing a VPN connection, start to use 
the on-premises MP, DP etc., which is good and by design; however, the Network team wants 
to avoid this and redirect that traffic from VPN bandwidth to the Internet IBCM 
servers, as the project uses this bandwidth and it is sometimes choked due to SCCM 
usage.

Is there an inbuilt or custom configuration (at the SCCM or Network front) that helps 
us tell the IBCM client not to use on-premises SCCM servers when on VPN, rather 
forcing them to use IBCM servers only?

Thanks, Vasu
This message contains information that may be privileged or confidential and is 
the property of the Capgemini Group. It is intended only for the person to whom 
it is addressed. If you are not the intended recipient, you are not authorized 
to read, print, retain, copy, disseminate, distribute, or use this message or 
any part thereof. If you receive this message in error, please notify the 
sender immediately and delete all copies of this message.
________________________________


Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.