ryancl02, posted June 28, 2012

I am completely new to Configuration Manager. Currently I am planning the infrastructure for our brand new implementation of Configuration Manager 2012. I am looking for recommendations on how to set up the infrastructure components to support about 150 permanently remote users who only connect via a Cisco VPN. We will have both a CAS and a single Primary site.

1. One option would be to just treat these users like any other group. They would report to our primary site like all the rest, and when they connect over VPN things would work. With this scenario I'm a little unsure of how boundary groups should be configured, though. I would like to keep the 150 special users managed separately from the rest of our normal laptop users, but when they connect they would all get the same VLAN from our VPN. I think that I could get a separate VPN range for them, though, so maybe that is easiest?

2. I'm not totally sure what other good options might be. Make another Primary or Secondary site just for these 150 remote users? Put the potential new site out in a DMZ and leverage our corporate PKI? Any advice for the PKI infrastructure and site configuration would be very helpful. The documentation for this option, both online and in my book, is very sparse.

Thank you in advance.
-Ryan
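Option 1 above hinges on giving the 150 remote users their own VPN address pool and mapping it to its own boundary group. The following script is an added example, not from the thread or from Microsoft's documentation; it uses the Configuration Manager console's PowerShell module (cmdlets `New-CMBoundary`, `New-CMBoundaryGroup`, `Add-CMBoundaryToGroup`, `Set-CMBoundaryGroup`) and assumes a placeholder site code `P01` and a dedicated VPN pool `10.200.50.1-10.200.50.254`, neither of which appears in the post.

```powershell
# Added example (not from the thread): carve out a dedicated boundary and boundary
# group for a separate VPN address pool, so the remote clients can be located and
# site-assigned independently of the rest of the laptop fleet.
# Assumptions (placeholders, not values from the thread):
#   - site code 'P01' for the single primary site
#   - the VPN concentrator hands the special users the pool 10.200.50.1-10.200.50.254
# Requires the Configuration Manager console (and its PowerShell module) on this machine.

$SiteCode   = 'P01'
$VpnRange   = '10.200.50.1-10.200.50.254'
$BoundaryNm = 'VPN - Remote Field Users'
$GroupNm    = 'BG - Remote Field Users'

# Load the ConfigMgr module from the console install path and switch to the site drive.
$modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
Import-Module $modulePath -ErrorAction Stop
Set-Location "$($SiteCode):"

# 1. An IP-range boundary that matches only the dedicated VPN pool.
if (-not (Get-CMBoundary -BoundaryName $BoundaryNm)) {
    New-CMBoundary -Name $BoundaryNm -Type IPRange -Value $VpnRange | Out-Null
}

# 2. A boundary group of its own, so site assignment and content location for
#    these clients can be tuned without touching the office boundaries.
if (-not (Get-CMBoundaryGroup -Name $GroupNm)) {
    New-CMBoundaryGroup -Name $GroupNm -Description 'Permanently remote users over Cisco VPN' | Out-Null
}
Add-CMBoundaryToGroup -BoundaryName $BoundaryNm -BoundaryGroupName $GroupNm

# 3. Let clients that show up inside the VPN range auto-assign to the primary site.
Set-CMBoundaryGroup -Name $GroupNm -DefaultSiteCode $SiteCode

# Quick check: list the boundaries now attached to the group.
Get-CMBoundary -BoundaryGroupName $GroupNm | Select-Object DisplayName, Value, BoundaryType
```

Two things worth keeping in mind. Boundaries and boundary groups only decide site assignment and where a client looks for content; they do not separate how two populations are managed, so if both groups end up sharing one VPN pool, the split still has to be made with collections (for example by AD group or OU membership) rather than by boundary. And a boundary that describes a VPN pool only helps if the management point and distribution points are actually reachable through the tunnel, so verify that traffic path before relying on the assignment.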
Peter van der Woude, posted June 29, 2012

Did you look at DirectAccess instead of VPN? Also, why a CAS and a Primary? Do you have that many clients?
ryancl02, posted June 29, 2012

Hello Peter,

Thank you very much for the reply.

1. I have not looked at DirectAccess before. Although we use mostly Windows desktops, we are not primarily a Microsoft shop. Our remote access is currently 100% Cisco. I took a quick look at this after your post, and it sounds like the new version of DirectAccess with Server 2012 could meet our needs. The current version with Server 2008 sounded like it requires a UAG, which we don't have and would need to implement as well. I would probably wait for this piece until Server 2012 comes out if we end up going that route. We might implement DirectAccess for only the special 150 users and use it in conjunction with the Cisco client. I have some reading to do to see how this might work, and thank you for the suggestion.

2. We don't have that many clients (about 5000), and as I am looking over the decision to use a CAS I realize that I misread something. I thought that an Endpoint Protection Point could only reside on the CAS and not the Primary Site. Based on your comment I gave it another look, though, and realized my error. I am still considering topics such as redundancy and disaster recovery, but yes, I think that we will probably nix the CAS for our design. (I hear that if we needed a CAS later, ConfigMan SP1 will let us add one at that time.)

I guess what I am most looking for is a solution that would not require me to make too many other additions of infrastructure. However, since I'm not giving you a complete description of my network infrastructure, this would be difficult for you to do. Let me still try to summarize, though. If you knew that I had a Cisco VPN that supplied all remote access, a ConfigMan 2012 single Primary Site, two groups of remote people who use the same VPN VLAN who would be managed separately, no RemoteAccess server, and I didn't have the budget to implement more servers, then do you have any opinions on a good way to accomplish that setup?

Thank you again! (I am leaning toward waiting for Server 2012 and RemoteAccess for my special 150 users. But if I could bring them into the fray sooner, that would be good.)
-Ryan
Peter van der Woude, posted June 30, 2012

So if I understand it correctly, the VPN users connect directly to your network. Right? If so, then there would be no need for an extra site server in a DMZ. Also, everything depends on what you want to manage for the VPN users.