In a sense, it is the clients that need configured, less so the VPN relay itself.
If you create relays that accept clients connect to the VPN networks, then you in effect have VPN relays. Another option is to have relays that only accept clients connected to the VPN networks so that they don’t end up handling too much traffic from both internal and VPN clients. This also has the benefit that if a client is talking to a designated VPN relay, then you know it is a device on the VPN.
There is some discussion here:
Generally you have 3 different kinds of client to relay connections:
In this specific case, you are talking about only have 2 of the 3.
Many devices never leave the building, so they are always “Internal”… Servers and Desktops for example.
Other devices can switch between any of the 3 possible modes.
For those devices, it is key to enable
_BESClient_RelaySelect_AlwaysOnIPListChange so that changes to network connection will cause the relay to select a new relay automatically. BigFix will do this by default, but ONLY if the network connection currently being used goes away, while in the case of VPN, you are adding a new connection in addition to the existing one. This actually matters most to have clients go from DMZ relay to VPN relay, less so if the only options are internal or VPN relay.
Is relay auto-selection currently in use?
Does ICMP work over the VPN?
If ICMP (ping) doesn’t work for the clients to the VPN relays, then automatic relay selection will not work, in which case you should use the failover relay list settings for VPN or DMZ relays… otherwise should allow ICMP on the VPN to the VPN relays.
If ICMP (ping) does work for the clients to the VPN relays, then automatic relay selection should just work, but you can use relay affiliation groups to augment how it works. Generally you want a client to prefer connecting to an internal relay, then if that fails, try a VPN relay, then if that fails, try DMZ relays.
You should generally have at least 1 relay configured as a failover relay in case automatic relay selection does not work. This might just be a typical VPN or DMZ relay, but if you have a large number of clients, you might actually want a specific failover relay that is only for clients using the failover mechanism so that you know that clients currently talking to it are having an issue. Also, in this case, you probably want the failover relay to accept any client, internal, external, or VPN, so that it can be used as the failover for all cases, or using a failover list, this could actually be 3 different relays in an ordered list: internal;VPN;DMZ