Tuesday 18 August 2020

CMG and VPN split tunnelling

Let's first consider some CMG scenarios. First and foremost, we deploy a CMG to manage internet-based clients. However, once the CMG is in place it can also be used to take traffic off the VPN, subject to the VPN's split tunnelling configuration. It is important to note the distinction between internet-based clients and those using the VPN. Both are remote clients, but ConfigMgr handles them differently. Clients connected over the VPN are deemed to be on the intranet because they can communicate with a domain controller and a management point; otherwise they are deemed to be on the internet.

Scenario 1: 

No additional boundary or boundary group configuration. The CMG manages devices that are truly on the internet and not connected via VPN. Policy and content requests go directly to the internet, with no chance of using the corporate network.


Scenario 2: 

Configure a boundary group for the VPN subnets and associate it with the CMG for policy and content. VPN devices will then connect to the CMG for policy and to the cloud distribution point (the CMG's storage account) for content. Unless that traffic is routed directly to the internet, the requests still traverse the VPN and the corporate network, so split tunnelling configuration is required to get the benefit.


So what do we need to add to the split tunnelling configuration? It's very straightforward if your VPN client supports URL (FQDN) based exclusions: you need entries for the CMG service and for its storage account. The URLs are easy to find.



You'll find the service name in the properties of the CMG in the ConfigMgr console. In the example from my lab it is https://gerryhcmg.emslab.ie



What about the storage account? You'll find that in the Azure portal. The example from my lab is https://gerryhcmg.blob.core.windows.net/


You can also see this information in the log files on a ConfigMgr client. I have a test client installing software over the CMG.



You can see the CMG URL in the CAS.log file.



Have a look in the DataTransferService.log file for the URL of the storage account. You'll see a line like the following, which shows the download source being switched from the CMG service to the storage account:


Modifying download source from https://gerryhcmg.emslab.ie:443/downloadrestservice.svc/getcontentxmlsecure?pid=GH100009&cid=CONTENT_4E6083C7-411E-4CAD-AF2C-2633F6A4DCAA.1&tid=GUID:6B6A5684-4D64-44D8-ACD7-1CB28AB77307&iss=MEM.HAMPSON.LOCAL&alg=1.2.840.113549.1.1.11&st=2020-08-18T08:32:19&et=2020-08-18T16:32:19 to https://gerryhcmg.blob.core.windows.net/content-gh100009/Content_4e6083c7-411e-4cad-af2c-2633f6a4dcaa.1 (pre download)
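As an added example (this is not code from the original post), here is a small PowerShell snippet that pulls those two hostnames out of DataTransferService.log on a client, so they can be pasted straight into a URL/FQDN based split-tunnel exclusion list rather than transcribed by hand. The log path is the default client log folder and is an assumption; the sample log lines are constructed, modelled on the line quoted above, and are only used when the real log is not present.

```powershell
# Added example, not code from the original post. It pulls the two hostnames a
# client actually used (CMG service and storage account) out of
# DataTransferService.log, so they can go into a URL-based split-tunnel
# exclusion list. Assumptions: the default client log path below, and the
# constructed sample lines (modelled on the line quoted in the post) as fallback.

$LogPath = 'C:\Windows\CCM\Logs\DataTransferService.log'   # assumed default location

# Constructed stand-in for real log content (CMTrace's XML wrapper is omitted).
$SampleLines = @(
    'Modifying download source from https://gerryhcmg.emslab.ie:443/downloadrestservice.svc/getcontentxmlsecure?pid=GH100009&cid=CONTENT_4E6083C7-411E-4CAD-AF2C-2633F6A4DCAA.1 to https://gerryhcmg.blob.core.windows.net/content-gh100009/Content_4e6083c7-411e-4cad-af2c-2633f6a4dcaa.1 (pre download)',
    'Modifying download source from https://gerryhcmg.emslab.ie:443/downloadrestservice.svc/getcontentxmlsecure?pid=GH10000A to https://gerryhcmg.blob.core.windows.net/content-gh10000a/Content_1111.1 (pre download)',
    'DTS job {0B1C2D3E} has completed successfully.'
)

function Get-SplitTunnelHostsFromLog {
    <# Returns the distinct hostnames seen in "Modifying download source from X to Y" lines. #>
    param([string[]]$Lines)

    # Named groups: cmg = CMG service URL (may carry an explicit :443), blob = storage account URL.
    $pattern = 'Modifying download source from (?<cmg>https://[^/\s]+)\S* to (?<blob>https://[^/\s]+)'
    $hosts = New-Object 'System.Collections.Generic.HashSet[string]'

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # [Uri]::Host drops the port, which is what a URL/FQDN exclusion rule wants.
            [void]$hosts.Add(([Uri]$Matches['cmg']).Host)
            [void]$hosts.Add(([Uri]$Matches['blob']).Host)
        }
    }
    return @($hosts | Sort-Object)
}

$lines = if (Test-Path -Path $LogPath) { Get-Content -Path $LogPath } else { $SampleLines }

$found = Get-SplitTunnelHostsFromLog -Lines $lines
if ($found.Count -eq 0) {
    Write-Warning 'No download-source switch found yet; trigger a content download over the CMG and re-run.'
}
foreach ($h in $found) {
    # Each of these becomes an "exclude from tunnel" entry in the VPN client profile.
    "Split-tunnel exclusion: $h"
}
```

With the constructed lines the output is the two hosts from the lab, gerryhcmg.blob.core.windows.net and gerryhcmg.emslab.ie. On a real client the line only appears once a content download has actually gone through the CMG, hence the warning when nothing matches.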


What do you do if your VPN does not support split tunnel configuration by URL? Then you will need to use IP addresses and ranges instead.

The IP address of the CMG will not be known until it is deployed.


Once it is deployed you'll find it in the Azure portal. It's 52.174.178.234 in my lab. If you later redeploy the CMG, check the address again before trusting the split tunnel rule.

The IP ranges for Azure Storage are published by Microsoft in a JSON file (the "Azure IP Ranges and Service Tags" download). However, it can be challenging to extract the information needed for your region. A Microsoft PFE, Ken Wygant, has published a community script to extract this information.


https://pfe.tips/get-azure-ip-ranges-your-cloud-management-gateway/


It gives you a list of IP ranges like this (this example is for the EastUS2 region).
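As an added example, and not Ken Wygant's script nor code from the original post, the following PowerShell shows the essence of that extraction: select the Storage.<Region> service tag from the JSON, keep its IPv4 prefixes, and then sanity check that an address a client actually talked to falls inside them before the ranges go into the VPN profile. The JSON here is a constructed, truncated stand-in with the same shape as Microsoft's ServiceTags_Public file (its prefixes are documentation ranges, not real Azure addresses), and the observed address is made up; both are assumptions for the example.

```powershell
# Added example, not Ken Wygant's script and not code from the original post.
# Extracts the Azure Storage address prefixes for one region from a Service Tags
# JSON file and checks whether an observed address falls inside them.
# Assumptions: the JSON below is a constructed, truncated stand-in with the same
# shape as ServiceTags_Public_*.json (documentation prefixes, not real Azure
# ranges), and $Observed is a made-up address standing in for a real client hit.

$Region   = 'EastUS2'
$Observed = '192.0.2.45'   # constructed; in practice resolve the storage account host seen in the logs

$ServiceTagJson = @'
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    { "name": "Storage.EastUS2",
      "properties": { "region": "eastus2", "systemService": "AzureStorage",
                      "addressPrefixes": [ "192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48" ] } },
    { "name": "Storage.WestEurope",
      "properties": { "region": "westeurope", "systemService": "AzureStorage",
                      "addressPrefixes": [ "203.0.113.0/24" ] } },
    { "name": "AzureCloud.EastUS2",
      "properties": { "region": "eastus2", "systemService": "",
                      "addressPrefixes": [ "198.51.100.0/24" ] } }
  ]
}
'@

function Get-StorageRangesForRegion {
    <# Returns the addressPrefixes of the Storage.<Region> tag, IPv4 only unless -IncludeIPv6. #>
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][string]$Region,
        [switch]$IncludeIPv6
    )
    $tag = ($Json | ConvertFrom-Json).values | Where-Object { $_.name -eq "Storage.$Region" }
    if (-not $tag) { throw "No 'Storage.$Region' tag in the file; check the region spelling (e.g. EastUS2, WestEurope)." }
    $prefixes = @($tag.properties.addressPrefixes)
    if (-not $IncludeIPv6) { $prefixes = @($prefixes | Where-Object { $_ -notlike '*:*' }) }
    return $prefixes
}

function Test-IPv4InPrefix {
    <# True if $Ip is inside the IPv4 CIDR $Prefix; a bare address is treated as /32. #>
    param([string]$Ip, [string]$Prefix)
    $network, $bits = $Prefix -split '/'
    if (-not $bits) { $bits = 32 }
    # GetAddressBytes is big-endian; reverse so ToUInt32 yields the natural integer value.
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes();      [Array]::Reverse($ipBytes)
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes(); [Array]::Reverse($netBytes)
    $shift = 32 - [int]$bits
    # Shift the host bits away and compare what is left (cast to long so a 32-bit shift is safe).
    return (([long][BitConverter]::ToUInt32($ipBytes, 0) -shr $shift) -eq
            ([long][BitConverter]::ToUInt32($netBytes, 0) -shr $shift))
}

$ranges = Get-StorageRangesForRegion -Json $ServiceTagJson -Region $Region
"Storage ranges for ${Region}:"
$ranges | ForEach-Object { "  $_" }

# Sanity check before committing to the rule set: is the address the client really
# talked to covered by the published ranges for this region?
$hit = $ranges | Where-Object { Test-IPv4InPrefix -Ip $Observed -Prefix $_ }
if ($hit) { "$Observed is covered by $hit" }
else      { Write-Warning "$Observed is not in the $Region Storage ranges; the account may live in another region." }
```

For the real file, read it with Get-Content -Raw and pass the string in; the download is refreshed regularly, so the extraction needs to be repeated whenever the VPN rule set is reviewed. Note that this file covers the storage account only: the CMG service's own address is the one you read from the Azure portal, and it has to be added separately.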



Then you can configure your split tunnel with those ranges.


Thanks to Bryan Dam and Sandy Zeng for helping me to figure this out on the MVP distribution list.


I hope this helps. Until next time.....


2 comments:

  1. It really was a big help. Thanks a lot :)

  2. Hi,
    great article, but there is one thing: is it not possible to still work with dynamic split tunnel to bypass the VPN?
    To work with a script and export this one is an old school / classic way.

    So with the pandemic it is possible to get Microsoft updates and upgrades downloaded directly from them.