Hi All, Our users have laptops that they use in the office and remotely, the problem we have is when the users are working from home they connect via VPN into our network – the clients are assigned an IP address which is on a different subnet i.e. (10.1.210.0). The problem we are having is that when the user connects via VPN the address is registered in DNS and because of this SCCM is not working correctly i.e. cannot push out client because the address that has been updated in SCCM is the VPN IP address and because this changes quite often it causes issues. I have setup scavenging on our DNS server but this has not made a difference, I have also turned off DDNS updates on our DHCP server for the VPN DHCP scope but this is still not fool proof unless you turn off the option “register this connection in DNS” on the VPN adaptor settings and i know this can be done in Group policy but because these are domain machines im not sure what impact this will have. What I wanted to know is if there was a way in SCCM to exclude specific subnets from being discovered, we are using AD system discovery. Thanks Craig

There's basically no problem if those clients are discovered. Disocvery just adds information to the database. So the problem is that you cannot push the client, because the IP changes too often? Use a GPO or WSUS instead to install the client.

Is the VPN subnet in the boundaries of your site? John Marcum | http://myitforum.com/cs2/blogs/jmarcum |

Hi John, Yes our VPN subnet is included in the Boundaries because we are using AD sites and services, i'm guessing that if i created a boundarie of all our subnets and not include the VPN subnet would probably resolve the issue. We are using the push and GPO to install the client. The issue i have is that we have multiple sites and subnets, therefore this would be an administration nightmare. Thanks

Have the AD guys break the VPN subnet out into it's own AD site not the same site as the local subnet. John Marcum | http://myitforum.com/cs2/blogs/jmarcum |

Hi John, Our current AD Sites and services is using 10.240.0.0 as the subnet for the site, our VPN subnet is using 10.240.210.0 - in order for this to work we would have to break up all the subnets (LAN DATA, LAN Voice, VPn etc) and create a AD site subnet for each range and then create the boundaries in SCCM without including the VPN subnet. Do you think that is the best option. Thanks

There's basically no problem if those clients are discovered. Disocvery just adds information to the database. So the problem is that you cannot push the client, because the IP changes too often? Use a GPO or WSUS instead to install the client. My bigger concern was that his VPN subnet is inside of his fast boundaries as if it's a local subnet therefore clients are going to want to pull packages over the VPN. Personally I would get that subnet taken out of the AD Site. John Marcum | http://myitforum.com/cs2/blogs/jmarcum |