Content Management with Always on VPN at Remote Office (DO, Peer Cache, MCC)

Hi All,

My company has about 150 users at a remote region. They are in a shared office so they use the building's network, not ours. All of the clients there are using Always On VPN. The rest of the business is either in the main office or WFH on VPN as well. Is there any way to help improve their bandwidth? Non-options I can see are:

  1. Peer Cache - but this would mean all devices everywhere would be sharing content, not just devices on VPN in that remote office so pointless with VPN.
  2. DO - Only works with Intune? Pointless with VPN anyway.
  3. Split Tunneling - This isn’t set up (security still blocking) but I assume it wouldn’t be any help anyway. It would ease the VPN traffic but still kill their shared office network
  4. DP - They would need their own network for this
  5. Microsoft Connected Cache - same as point 4, would need their own network

  1. Is the bottleneck the VPN connection to your on-prem DPs? Or is it the building's network?

  2. DO is not for Intune only. Windows is what has the DO service built into it.

I’d be going with a content-enabled CMG and split tunnelling. Let the devices get the content directly from the DP Microsoft are hosting for you over the users internet connection rather than serving it yourself over VPN. This would also have the added benefit that all of your VPN clients will get their content from Microsoft over the users own internet connection, rather than clogging up your VPN.

I’d enable Branch Cache as well, as content will dedup lowering the content required for each download.

I asked this question a little while ago. I settled on treating them as Internet clients and having them connect to the CMG for content. Just like any other VPN user.

Thanks for the reply. It’s the building network we think.

Split-tunneling isn’t an option for the moment. Been trying to push that for 3 years

Also, not sure split-tunneling would work as that just means the VPN is out, but they are all still downloading via the building network and not sharing amongst themselves, and they are all on VPN so an MCC wouldn’t help.

Cheers Gary. Do you mean enable it on the DP or on each individual machine, or both?

Thanks for the reply. We don’t have site-to-office VPN; we have all the clients running VPN.

I know how it feels. Pushing split tunneling for 4 years in my shop but no luck.

Correct, that’s why I asked that question. If the pipe is only letting you shovel X amount of shits per second and you don’t control the pipe…

In isolation (like your WFH users) split-tunneling would mainly shift the traffic route as you describe.

Split-tunneling could help at that office when combined with BranchCache and some DO tuning. If the clients at that office could share downloaded content, the load on the office’s WAN connection would be lowered - there may be plenty of bandwidth within the office but there is likely a bottleneck to get in or out of the office.

If you do not setup a CMG, LEDBAT could help ensure you are not swamping the office’s network.

DO is supposed to detect VPNs and not peer over it, but I’d try to verify that is working in your setup. It would be ugly if they were trying to peer with each other by routing the traffic over a VPN back to your central site then back through a VPN to get to a system in the next cube.

Enable BranchCache for ConfigMgr DPs so the content is BC-enabled, then also on the endpoints.

CM will natively do this for you by checking a few boxes on the DP and setting the policy in the Client Settings policy.

You can also use the 2Pint scripts to enable it while in OSD and for a CI.
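Two things in this thread are worth checking on an actual client rather than assuming: that DO is really not peering across the VPN (the hairpin case described above), and that BranchCache ended up enabled in distributed mode once the DP and client settings were switched on. The script below is an added, read-only check written for this thread, not something from the posters, ConfigMgr or 2Pint. It uses only built-in Windows cmdlets (Get-VpnConnection, Get-BCStatus, Get-DeliveryOptimizationStatus) and the documented DO policy registry values; the warning thresholds at the end are my own assumption about what "looks wrong", not a Microsoft rule. Run it in an elevated PowerShell on a Windows 10/11 client.

```powershell
# Added example, not from the thread: read-only check of how a ConfigMgr client
# on Always On VPN is sourcing content (VPN state, BranchCache mode, DO policy,
# and where recent DO jobs actually got their bytes). Changes nothing.

$report = [ordered]@{}

# 1. Is a VPN tunnel up right now? AOVPN user tunnels are per-user connections,
#    device tunnels are all-user connections, so query both.
$vpn = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
       @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
$report['VpnConnected'] = ($vpn | Where-Object ConnectionStatus -eq 'Connected' |
                           Select-Object -ExpandProperty Name) -join ', '

# 2. BranchCache: service enabled and client in DistributedCache mode
#    (peers on the same subnet share content with each other)?
$bc = Get-BCStatus
$report['BranchCacheEnabled'] = $bc.BranchCacheIsEnabled
$report['BranchCacheMode']    = $bc.ClientConfiguration.CurrentClientMode

# 3. Delivery Optimization policy as currently applied (GPO / Intune / CM client settings).
$doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$p = Get-ItemProperty -Path $doPolicy -ErrorAction SilentlyContinue
# DODownloadMode: 0 HTTP only, 1 LAN peers, 2 Group, 3 Internet peers, 99 simple, 100 bypass
$report['DODownloadMode']        = $p.DODownloadMode
$report['DOGroupId']             = $p.DOGroupId
# Unset or 0 (the default) means DO will NOT peer while the device is on VPN.
$report['DOAllowVPNPeerCaching'] = $p.DOAllowVPNPeerCaching

# 4. What recent DO jobs actually did: bytes from peers vs HTTP vs a cache server (MCC).
$jobs = @(Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue)
$report['DOJobs']               = $jobs.Count
$report['BytesFromPeers']       = [long]($jobs | Measure-Object BytesFromPeers -Sum).Sum
$report['BytesFromHttp']        = [long]($jobs | Measure-Object BytesFromHttp -Sum).Sum
$report['BytesFromCacheServer'] = [long]($jobs | Measure-Object BytesFromCacheServer -Sum).Sum

[pscustomobject]$report | Format-List

# Flag the two situations the thread warns about (thresholds are this example's assumption).
if ($report['VpnConnected'] -and $report['DOAllowVPNPeerCaching'] -eq 1) {
    Write-Warning 'DOAllowVPNPeerCaching=1: DO may peer while on VPN, so peer traffic can hairpin through the tunnel.'
}
if ($report['VpnConnected'] -and $report['BytesFromPeers'] -gt 0) {
    Write-Warning 'Peer bytes were received while a VPN was connected; confirm those peers were reached on the local network, not via the tunnel.'
}
if (-not $report['BranchCacheEnabled'] -or $report['BranchCacheMode'] -ne 'DistributedCache') {
    Write-Warning 'BranchCache is not in DistributedCache mode on this client; the CM client setting may not have applied yet.'
}
```

If you run this on a handful of machines in the shared office while a deployment is going, the BytesFromPeers vs BytesFromHttp split tells you directly whether the clients are helping each other or whether every one of them is pulling the full package over the building's uplink.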