Organizations use Microsoft System Center Configuration Manager (SCCM) to install updates to devices. SCCM is a client-to-server application that works on a user’s local area network (LAN) or wide area network (WAN) by gathering system configuration and update details from the SCCM server. If there is an update, the SCCM server will direct the client to a distribution point to gather the update information and install the update.
Clients use boundary groups to identify the assigned distribution point where the client can install software. A boundary group is a group of network locations on the intranet. When a client needs to download software based on the boundary group, it contacts a server configured as a distribution point.
Distribution points deliver content to the clients and are used to reduce the WAN traffic, similarly to a content delivery network (CDN). For example, in a location with 100 devices, rather than pulling updates across the WAN, the devices have a distribution point where they receive their updates.
When users are remote, the distribution server is identified as the closest to the point where the client's traffic enters the network. With a traditional VPN, the distribution point is selected based on the client IP address assigned by the VPN gateway. For ZPA, the client is never placed on the network, which means the client never gets an IP address for the data center network. However, it is possible to support SCCM deployments over ZPA.
Use one of the following methods for configuring SCCM boundaries:
Boundaries based on Active Directory site names
Active Directory sites are detected by a domain-joined device by using DNS SRV record requests. Once the device receives the domain controller IP address, it sends a Lightweight Directory Access Protocol (LDAP) ping to make sure that the domain controller belongs to the same Active Directory site as the device. The LDAP ping does not send the IP address in its header. Hence, the domain controller relies on the source IP address of the packet. For ZPA, the IP address seen by the domain controller is the App Connector's source IP address, which needs to be added to the Active Directory site.
To configure Microsoft SCCM in ZPA for Active Directory Site Names:
Create an application segment that contains a wildcard to enable the SRV resolution in ZPA.
Add the App Connector’s interface IP address to the correct Active Directory site.
Complete this for all App Connectors that require SCCM updates.Confirm that the SCCM boundary has the type set to Active Directory site.
Boundaries based on IP subnets and IP ranges
In order for ZPA to function correctly with SCCM, you must configure the IP addresses that users will realistically come from when ZPA is enabled. The user’s device will have a private IP address based on RFC1918 address space since ZPA does not assign an IP address to the client. The SCCM client will report this private IP address as part of the communication to discover the closest distribution point. This means you must create boundaries that cover all RFC1918 addresses (e.g. 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8).
If it is not possible to add the RFC1918 address space as a SCCM boundary, another option is to configure Zscaler Client Connector with the Tunnel Driver Type as Route Based. If Zscaler Client Connector is configured this way, it will install a virtual network adapter with an IP address in the CGNAT address space. This means adding a SCCM boundary group for RFC6598-100.64.0.0/24.
To configure Microsoft SCCM in ZPA for IP Subnets and IP Ranges:
Create boundaries for RFC1918 ranges and RFC6598.
Use "IP Range" as the condition and configure as below:
10.0.0.0 - 10.255.255.255 (10/8 prefix)172.16.0.0 - 172.31.255.255 (172.16/12 prefix)192.168.0.0 - 192.168.255.255 (192.168/16 prefix)100.64.0.0 - 100.64.255.255 (100.64/24 prefix)Add the boundaries to a boundary group.
Assign the boundary group to a distribution point close to your App Connectors.
Create an application segment that includes the FQDNs of all the SCCM distribution points.
Assign the application segment to a server group configured for Dynamic Server Discovery.
"Ensure that the assigned server groups are only associated with App Connector groups close to the SCCM distribution points."
