Hi,
I’m looking at ways to manage the bandwidth across our always-on VPN better. Generally we’ll have 20% of people in the office and 80% working from home on any given day, but everyone will come into the office at some point. Security are a blocker for split-tunnelling at the moment, which will hopefully get resolved.
We have:
- A head office with one ConfigMgr Server which has all of the roles except SQL. Most people based in this office will wfh the majority of the time
- There are 1500 users
- ConfigMgr on HTTPS
- Co-mgmt but only for Device Compliance, no CMG as everyone is on VPN
- All devices are laptops
- One new branch with 50 users who are in the office 90% of the time (the network is not controlled by the business but by the building, and they just use VPN)
- One very new branch office with 100 users from a merger who are in the office 30% of the time. Plans for a DP to be placed in this office
- The VPN is generally slow and can be impacted by update deployments
The areas of consideration are:
BITS
- Enable BITS to limit background traffic. Done via a GPO setting or SCCM. A bit old-fashioned now to use this, I guess, and better to go with LEDBAT, I would assume?
- It affects all traffic, not just ConfigMgr traffic. It can still overload your VPN solutions and is not recommended.
LEDBAT
- Is this a bit of a no-brainer? Does it work the same across VPN and local networks? Assuming it does
- My thinking is that it would help to rule out ConfigMgr as the cause of slow network speeds
BranchCache
- Again, is this worth it if the majority of devices are on the VPN? Is there a way to turn BranchCache off for the VPN subnet?
- Or maybe it is if you use it in local caching mode, which basically dedupes data but without P2P
ConfigMgr PeerCache
- Seems pointless to enable this when the majority of users are remote, using laptops and on VPN. It would make the traffic worse
- Might be worth enabling for the remote branches and not placing a DP there if they were desktops, but they are all laptops
Delivery Optimisation / Microsoft Connected Cache
- The use case for this seems to be if you are using WUfB and the majority of your users are in the office. Then you would enable DO and install MCC. Maybe if you are using SCCM for updates but have allowed Edge and Defender updates via the Internet this could be worth considering?
- Assume we just don’t implement this until the switch to WUfB is made?
- Should this be used if the majority of people are wfh and on vpn?
- Read that this needs Express updates to be enabled for it to work with ConfigMgr, which I remember being flaky?
Useful Research Links
- https://damgoodadmin.com/2020/05/19/all-my-devices-left-me-im-scared-what-do-i-do-now/
- https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/mastering-configuration-manager-bandwidth-limitations-for-vpn/ba-p/1280002
- https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895
- https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444
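Added example, not part of the original post: a PowerShell check to see what is actually in force on a DP and on a client before choosing between the options above. It assumes the DP runs Windows Server 2016 or later and that ConfigMgr's LEDBAT option uses the `InternetCustom` TCP template (an assumption to verify on your own DP), and it reads the policy keys written by the BITS bandwidth GPO and the Delivery Optimization download-mode policy.

```powershell
# Added check script; assumes Windows Server 2016+ on the DP and that ConfigMgr's
# LEDBAT feature is bound to the 'InternetCustom' TCP template (verify locally).

function Get-DpLedbatStatus {
    # Run on the distribution point. Returns one object per ConfigMgr content port
    # (80 for HTTP, 443 for HTTPS) stating whether a LEDBAT-backed filter covers it.
    $template = 'InternetCustom'
    $tcp     = Get-NetTCPSetting     -SettingName $template -ErrorAction SilentlyContinue
    $filters = Get-NetTransportFilter -SettingName $template -ErrorAction SilentlyContinue
    foreach ($port in 80, 443) {
        $covered = @($filters | Where-Object {
            [int]$_.LocalPortStart -le $port -and [int]$_.LocalPortEnd -ge $port
        })
        $provider = if ($tcp) { $tcp.CongestionProvider } else { 'n/a' }
        [pscustomobject]@{
            Port               = $port
            FilterPresent      = ($covered.Count -gt 0)
            CongestionProvider = $provider
            # LEDBAT only yields to other traffic if both the filter and the provider are set
            LedbatActive       = ($covered.Count -gt 0) -and ($provider -eq 'LEDBAT')
        }
    }
}

function Get-ClientBandwidthPolicy {
    # Run on a client. Reads what the BITS throttle GPO and the DO policy actually wrote,
    # so you know which limits are in force on the VPN before blaming ConfigMgr.
    $bits = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS' -ErrorAction SilentlyContinue
    $do   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' -ErrorAction SilentlyContinue
    $schedule = if ($bits.MaxBandwidthValidFrom -ne $null) {
        "$($bits.MaxBandwidthValidFrom):00-$($bits.MaxBandwidthValidTo):00"
    } else { 'not set' }
    [pscustomobject]@{
        BitsThrottleEnabled = [bool]$bits.EnableBITSMaxBandwidth   # GPO "Limit the maximum network bandwidth..."
        BitsKbpsOnSchedule  = $bits.MaxTransferRateOnSchedule      # Kbps during the schedule window
        BitsKbpsOffSchedule = $bits.MaxTransferRateOffSchedule     # Kbps outside it (ignored if UseSystemMaximum=1)
        BitsScheduleHours   = $schedule
        # DODownloadMode: 0 HTTP only, 1 LAN, 2 group, 3 internet, 99 simple, 100 bypass
        DoDownloadMode      = $do.DODownloadMode
    }
}

Get-DpLedbatStatus | Format-Table -AutoSize
Get-ClientBandwidthPolicy | Format-List
```

On a DP that is not Windows Server 2016 or later the cmdlets return nothing and every row reports `LedbatActive = False`, which is the expected result rather than an error.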