Monday, June 20, 2016

Disallow SCCM during the day

We kept having issues with Forefront updates being pushed out to clients during the day. The updates would get pushed immediately to all workstations (before the site distribution points got the update). Unfortunately, 10-20 clients pulling even a modest update at the same time can still crush a T1 or other small WAN circuit.

The solution / workaround for us was to completely block communication to our SCCM system during normal production hours (e.g. 7:00 AM - 6:00 PM) at the sites.

The rule looks slightly different depending on the type of hardware and circuit. For example, on a Cisco router with a T1 it would look similar to this:

time-range WorkWeek
 periodic weekdays 7:00 to 18:00
exit
!
ip access-list extended DenySCCM
 remark Drop traffic from the SCCM server (1.1.1.1 is a placeholder) while WorkWeek is active
 deny   ip host 1.1.1.1 any time-range WorkWeek
 permit ip any any
exit
!
interface serial0/0/0
 ip access-group DenySCCM in
exit

While a Cisco ASA might look more like this:

time-range WorkWeek
 periodic weekdays 7:00 to 18:00
exit
!
access-list DenySCCM remark Drop traffic from the SCCM server (1.1.1.1 is a placeholder) while WorkWeek is active
access-list DenySCCM extended deny ip 1.1.1.1 255.255.255.255 any time-range WorkWeek
access-list DenySCCM extended permit ip any any
!
interface Vlan2
 nameif inside
exit
!
access-group DenySCCM in interface inside
!
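To check what these rules actually do at a given moment, here is an added Python example (not from the post): a small evaluator that parses the router form of the time-range and extended ACL exactly as written above (the ASA form has the same matching semantics) and reports the device's decision for a source IP at a timestamp. It assumes the device clock is correct, which is all the time-range keys on.

```python
from datetime import datetime
# Constructed sample: the post's router rule, as written in the running config.
CONFIG = """\
time-range WorkWeek
periodic weekdays 7:00 to 18:00
exit
ip access-list extended DenySCCM
deny   ip host 1.1.1.1 any time-range WorkWeek
permit ip any any
exit
"""
# IOS periodic-day keywords mapped to Python weekday numbers (Monday is 0).
DAYS = {"daily": range(7), "weekdays": range(5), "weekend": (5, 6),
        "monday": (0,), "tuesday": (1,), "wednesday": (2,), "thursday": (3,),
        "friday": (4,), "saturday": (5,), "sunday": (6,)}

def parse(config):
    """Return (ranges, acls); source None means 'any', range None means always."""
    ranges, acls, cur_range, cur_acl = {}, {}, None, None
    for tok in (line.split() for line in config.splitlines()):
        if not tok:
            continue
        if tok[0] == "time-range":
            cur_range, cur_acl = tok[1], None
            ranges[cur_range] = []
        elif tok[0] == "periodic" and cur_range:  # periodic <days> H:MM to H:MM
            start, end = (datetime.strptime(t, "%H:%M").time() for t in (tok[2], tok[4]))
            ranges[cur_range].append((DAYS[tok[1]], start, end))
        elif tok[:3] == ["ip", "access-list", "extended"]:
            cur_acl, cur_range = tok[3], None
            acls[cur_acl] = []
        elif tok[0] in ("permit", "deny") and cur_acl:  # only the "host X any" / "any any" forms
            src = tok[3] if tok[2] == "host" else None
            rng = tok[tok.index("time-range") + 1] if "time-range" in tok else None
            acls[cur_acl].append((tok[0], src, rng))
    return ranges, acls

def range_active(ranges, name, when):
    return any(when.weekday() in days and start <= when.time() <= end
               for days, start, end in ranges[name])

def evaluate(config, acl_name, src_ip, iso_time):
    """Device decision for a packet from src_ip seen at iso_time ('2016-06-20T10:30'). First
    match wins; an entry whose time-range is inactive is skipped as if absent; implicit deny last."""
    ranges, acls = parse(config)
    when = datetime.fromisoformat(iso_time)
    for action, src, rng in acls[acl_name]:
        if src in (None, src_ip) and (rng is None or range_active(ranges, rng, when)):
            return action
    return "deny"
```

Because the whole mechanism hangs on the device clock, keep the router or ASA synchronised with NTP and use `show time-range WorkWeek` to confirm the range reports active during the hours you expect.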
