Using System Center to Reduce VPN Congestion from Remote Workstation Updates

Written by Rory McCaw on Tuesday, April 28th 2020 — Categories: Azure, Patching, SCCM, Enterprise Applications, IT Operations

During this challenging time, we need to make sure our infrastructure is available for our quickly evolving remote workforce while ensuring security and compliance.

Many organizations have sent devices home with employees so they can work remotely. Your standard monthly Windows and security updates, typically distributed across a high-speed corporate network, can now create bandwidth and user performance issues if received over the corporate VPN. It’s critical to maintain patching and compliance schedules while minimizing traffic spikes over your VPN that can cause connectivity and performance issues.

In the charts below, you can see a real-world example of how a customer’s traffic quintupled in the last few weeks as all employees began working remotely and connecting via the corporate VPN.

The graphic below shows the customer’s devices connecting as VPN clients or as internet-based clients. To reduce load on the VPN, the goal is to shift clients from the intranet MP (orange) to either the Internet MP (green) or the Cloud Management Gateway (blue).

Figure: VPN traffic spikes from remote work devices

Using System Center to Minimize the Impact of Updates on the VPN

When you are sending updates to these remote clients, the network undergoes further strain. For example, I recently spoke with one of my coworkers, whose wife works for a state government agency. Their remote system access was completely choked last Friday as the VPN could not handle the simultaneous influx of traffic. While she was happy enough to call it a weekend early, that kind of disruption should not become the norm for remote work.

There are two System Center tools that help offload on-premises software distribution to Azure cloud resources, reducing the load on your corporate VPN.

A combination of the Cloud Management Gateway and Cloud Distribution Points allows you to manage SCCM clients on the internet and push software content to internet-based clients using a Platform as a Service portal.

This has two benefits: it cloud-enables your content distribution, which reduces the need for traditional on-prem distribution points, and it avoids exposing your on-prem infrastructure to the public internet.

The 280 clients in the above charts are internet-based and get their content from the Cloud Distribution Point or Microsoft Update. The benefit of this strategy is that the VPN load will be reduced, providing better performance to all remote workers. The VPN clients cause the intranet-connected client numbers to peak by around 1,000 each day. Using traditional patching approaches will result in updates being pushed to these intranet-managed remote workers via the VPN. This will likely put significant load on the VPN and reduce performance, potentially impacting remote employees’ access to critical business platforms.

Ultimately, Azure and System Center offer several ways to minimize disruption to your network and compute resources as your distributed workforce and corporate-owned computing resources require patches and updates. If you need guidance on how best to accomplish VPN optimization or patching and compliance in this new paradigm, Green House Data is ready to help.