SCCM: Configure Boundary and Network Firewall


Introduction

In past articles we saw how to configure discovery methods after a successful SCCM server installation.

In this article we will see how to configure the SCCM boundary and the network firewall before we start deploying the SCCM client.

 

Boundary Concept

A boundary tells the client agent which site server it should be assigned to when we have many servers.

The boundary matters more to the client [for automatic site assignment] than to the SCCM site server.

If the boundary and boundary groups are NOT configured, automatic deployment is useless, since we have to configure each client agent manually to assign it to a site server.

If we are going to install the client agent manually, then the boundary is useless.

Boundary and Discovery Methods

The site discovery method [configured in the previous article] automatically creates the [Boundary], so we only create a [Boundary group] and connect it to the automatically created boundary.

Boundary Area

We use boundaries to customize client auto-join based on specific criteria such as:

  • IP Subnet
  • AD site [part of AD_site_And_forest console]
  • IPv6
  • Range of IPs

Boundary and Distribution Point

A boundary is also useful for communicating with the [Distribution Point] (DP), which we will explore later.

  

Boundary and Fallback Point

The client falls back to the default site boundary group as a safety net for content that is not available from any other location.

You can't edit anything in it. It is used when no DP is found: the client then falls back to this boundary group.

Boundary Default Settings

By default, Configuration Manager creates a default site boundary group at each site.

You can create your own boundary groups, and each site has a default site boundary group that Configuration Manager creates. This group is named Default-Site-Boundary-Group<sitecode>.

A boundary should be connected to a [boundary group].

To increase the availability of servers to a wider range of network locations, assign the same boundary and the same server to more than one boundary group.

 

Boundary and Site Assignment 

  • A newly installed client that uses automatic site assignment joins the assigned site of a boundary group that contains the client’s current network location.

  • After assigning to a site, a client doesn’t change its site assignment when it changes its network location. For example, a client roams to a new network location. This location is a boundary in a boundary group with a different site assignment. The client’s assigned site doesn’t change.

  • When Active Directory System Discovery discovers a new resource, the site evaluates network information for the resource against the boundaries in boundary groups. This process associates the new resource with an assigned site for use by the client push installation method.

  • When a boundary is a member of more than one boundary group and those groups have different assigned sites, clients randomly select one of the sites.

  • Changes to a boundary group's assigned site only apply to new site assignment actions. Clients that were previously assigned to a site don't reevaluate their site assignment based on changes to the configuration of a boundary group (or to their own network location).

How to Create a Boundary and Boundary Group

Open the SCCM console > Administration > Overview > Hierarchy Configuration > Boundary Groups

  • open the SCCM console and create a new boundary group
  • give it a name
  • set the name
  • assign the server and site
  • create a new boundary
  • set its name and type
  • link it to the boundary group
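
The same console steps can be scripted with the ConfigurationManager PowerShell module. This is an added example, not part of the original article: the site code placeholder, the FQDN `SCCM141.pioneers.lab`, the boundary and group names, and the choice of an IP range covering the LAN clients listed further down are assumptions.

```powershell
# Added example. Run it from a PowerShell session started from the
# Configuration Manager console ("Connect via Windows PowerShell"), so the
# ConfigurationManager module is loaded and the location is the site drive.

$SiteCode      = 'XXX'                            # placeholder: your own site code
$SiteServer    = 'SCCM141.pioneers.lab'           # assumed FQDN of the site server
$GroupName     = 'LAN-Clients-BG'                 # hypothetical boundary group name
$BoundaryName  = 'LAN-Clients-Range'              # hypothetical boundary name
$BoundaryValue = '172.17.100.164-172.17.100.168'  # range covering the listed LAN clients

# 1. Create the boundary group if it does not exist yet.
if (-not (Get-CMBoundaryGroup -Name $GroupName)) {
    New-CMBoundaryGroup -Name $GroupName | Out-Null
}

# 2. Assign the site (used for automatic site assignment) and the site system server.
Set-CMBoundaryGroup -Name $GroupName -DefaultSiteCode $SiteCode -AddSiteSystemServerName $SiteServer

# 3. Create the boundary (type IPRange here; ADSite, IPSubnet and IPV6Prefix also exist).
if (-not (Get-CMBoundary -BoundaryName $BoundaryName)) {
    New-CMBoundary -Name $BoundaryName -Type IPRange -Value $BoundaryValue | Out-Null
}

# 4. Link the boundary to the boundary group.
Add-CMBoundaryToGroup -BoundaryName $BoundaryName -BoundaryGroupName $GroupName

# 5. Check: a boundary that belongs to no group gives clients nothing to
#    auto-assign to, so list every boundary with a group count of zero.
Get-CMBoundary |
    Where-Object { $_.GroupCount -eq 0 } |
    Select-Object DisplayName, Value

# 6. Check: a boundary in more than one group can lead to a random site
#    choice when those groups have different assigned sites.
Get-CMBoundary |
    Where-Object { $_.GroupCount -gt 1 } |
    Select-Object DisplayName, Value, GroupCount
```

Steps 5 and 6 should return nothing in a single-site lab where every boundary is linked to exactly one group.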

Pioneers Network Design


As you know:

In a professional network, there is a network firewall that controls traffic between the LAN [client computers] and the DMZ [server farm].

In pioneers.lab, we have a LAN that includes the client computers:

  • HR164 with IP address 172.17.100.164
  • IT165 with IP address 172.17.100.165
  • Sales166 with IP address 172.17.100.166
  • HR167 with IP address 172.17.100.167
  • Accounting168 with IP address 172.17.100.168

We also have a DMZ that includes the servers:

  • DC101 with IP address : 172.16.100.101
  • ISCSI03 with IP address : 172.16.100.103
  • Mail105 with IP address : 172.16.100.105
  • SCCM141  with IP address : 172.16.100.141

 

We also have a pfSense network firewall that controls traffic between both networks.

This firewall should be configured to pass the SCCM ports between the LAN and the DMZ server farm.

Please note that you have to configure the ports according to your firewall type, whether Cisco, Juniper or SonicWall.

Open Ports in the Network Firewall


  • open the firewall console
  • Firewall > Rules > Server farm > new rule
  • set the source and destination
  • the rule is created and the port is open

Now repeat these steps to add all the [SCCM ports in the network diagram] to the network firewall.
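
To confirm the rules from a LAN client, the following added example (not from the original article) tests the connection to SCCM141. The port list is an assumption: 80, 443 and 10123 are Configuration Manager's default client ports, so replace it with the ports from your own network diagram; the 3389 control check assumes no rule is meant to allow RDP from the LAN.

```powershell
# Added example: run on a LAN client (for example HR164) after creating the rules.
$SiteServer = '172.16.100.141'   # SCCM141 in the article's DMZ

# Assumed port list (Configuration Manager default client ports).
# Replace it with the ports shown in your own network diagram.
$Checks = @(
    @{ Port = 80;    Purpose = 'HTTP to management/distribution point';  ShouldBeOpen = $true }
    @{ Port = 443;   Purpose = 'HTTPS to management/distribution point'; ShouldBeOpen = $true }
    @{ Port = 10123; Purpose = 'Client notification';                    ShouldBeOpen = $true }
    # Control check (assumption: RDP from the LAN is not part of the plan).
    # If this port is open, the new rule is broader than the SCCM ports.
    @{ Port = 3389;  Purpose = 'RDP, should stay blocked';               ShouldBeOpen = $false }
)

$results = foreach ($c in $Checks) {
    $test = Test-NetConnection -ComputerName $SiteServer -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port     = $c.Port
        Purpose  = $c.Purpose
        Expected = if ($c.ShouldBeOpen) { 'open' } else { 'closed' }
        Actual   = if ($test.TcpTestSucceeded) { 'open' } else { 'closed' }
    }
}

$results | Format-Table -AutoSize

# "closed" can also mean the service is not listening yet, so check the
# server side before changing the firewall rule.
$mismatch = $results | Where-Object { $_.Expected -ne $_.Actual }
if ($mismatch) {
    Write-Warning ('Firewall rules do not match the plan for port(s): ' + ($mismatch.Port -join ', '))
}
```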

Conclusion

Up to this point, we have:

  • prepared the SCCM server
  • installed the prerequisites
  • installed SCCM
  • verified the installation
  • configured the post-install tasks
  • configured ALL discovery methods
  • created the boundary and boundary group
  • configured the network firewall to open the required ports

Next article: we will deploy the SCCM client to computers [either in the LAN or in the DMZ server farm].

 
