Does BatchPatch Work Over a VPN Connection?

One of the most common questions we receive is whether BatchPatch will work over a VPN. BatchPatch *can* work over a VPN connection, but the real question is whether BatchPatch will work over *your* VPN connection. It really depends on how your VPN and VPN firewall are configured, not on how BatchPatch is configured.

In corporate environments we usually see two ways that VPNs are deployed. In the first, a site-to-site VPN connects a remote office to the corporate headquarters so that users in the remote office can reach all the resources in headquarters just as if they were connected directly to the headquarters LAN. Typically in this kind of site-to-site VPN configuration there is little to no firewalling between the two offices, because the goal is for the remote office users to have an identical experience to the users who are directly connected to the main LAN back at headquarters. When a firewall is used to block ports or services between sites, the experience for remote users is quickly degraded because they don’t get the same unfettered access to resources that users in headquarters get. This diminished experience in turn sometimes makes it harder for remote users to complete their duties. Similarly, if there is significant firewalling of ports or services between the two offices, IT administrators who work in the main office might not be able to perform all of the duties that they need to perform on remote office computers. Furthermore, in the typical site-to-site VPN setup, users do not have to run special VPN client software on their computers. In fact, when they are plugged into the LAN in the remote office, they should have a seamless experience in which they cannot even tell any difference from being connected directly to the main office. Plugging a computer into either the home office or the remote office should yield the same experience for the end user.

In the second type of configuration, instead of setting up a complete site-to-site VPN with little to no restrictions between the two sites, remote users might install VPN client software on their computers. Whenever they want or need to connect to services in the main corporate headquarters they simply launch the VPN client software, click the ‘connect’ button, and then the VPN software establishes a tunnel to the corporate LAN. Once connected, the users are able to access various services that have been pre-configured by the IT department. Where VPN client software is used, it seems to be much more common in corporate environments for firewall configurations to be tightly locked down such that only designated sites and services are made available to the end users who connect through the VPN. Frequently in this type of VPN configuration, if an application has not been pre-approved and pre-configured to work across the tunnel, it won’t. And similarly, IT staff frequently are not able to connect from the main office to the VPN-connected client computers in order to manage them in the same way that they would be able to manage the computers that are directly connected to the corporate LAN. But again, it all depends on how the firewalls are configured.

So, when it comes to BatchPatch, if you’re not sure if it will work over your VPN, here is what I would suggest:

1. Download the free evaluation version of BatchPatch from

2. Test BatchPatch on your main LAN without involving any VPNs. After all, if you can’t get BatchPatch working without using the VPN, then you’re certainly not going to get it working over the VPN. Please carefully review the ‘Getting Started’ page to learn how to configure your environment to work with BatchPatch.

3. Once you have BatchPatch working on your main LAN, then go ahead and test it over the VPN. If it doesn’t work, visit the administrator or engineer who controls the VPN and firewall devices in your environment, and work with him or her to get everything configured for BatchPatch to function properly. In some cases, if corporate policy prevents them from modifying the existing VPN to allow BatchPatch to function, they might still be willing or able to configure a specially permissioned VPN that is strictly for IT staff and that has fewer restrictions in place so that software like BatchPatch can be allowed to work over it.
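
To make the conversation in step 3 concrete, the following added example (not BatchPatch code and not from the original post) probes the same TCP ports on a LAN target and a VPN target and reports which ones differ. The port list, host names and function names are assumptions; the page names no ports, so substitute the ones your configuration actually requires.

```python
import socket

# Assumption: the page names no ports. 135 (RPC endpoint mapper) and 445 (SMB)
# are common for remote Windows management; use the ports your setup requires.
ASSUMED_PORTS = (135, 445)

# What to do next for each VPN-side result, once the LAN baseline is "open".
NEXT_STEP = {
    "open": "ok",
    "filtered": "ask the VPN/firewall admin to allow this port",
    "closed": "packets arrive; check the service and host firewall on the target",
    "unresolved": "check DNS over the VPN",
    "unreachable": "check routing over the VPN",
}

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"       # RST came back: nothing listening, or a rejecting firewall
    except (socket.timeout, TimeoutError):
        return "filtered"     # no reply at all: typical of a firewall silently dropping
    except socket.gaierror:
        return "unresolved"   # name did not resolve (DNS often differs across a VPN)
    except OSError:
        return "unreachable"  # no route, network down, and similar errors

def verdict(lan, vpn):
    """Combine the LAN baseline (step 2) with the VPN result (step 3)."""
    return NEXT_STEP[vpn] if lan == "open" else "fix on the LAN first"

def compare(lan_host, vpn_host, ports=ASSUMED_PORTS, timeout=3.0):
    """Return (port, lan_state, vpn_state, next_step) for every port."""
    rows = []
    for port in ports:
        lan = probe(lan_host, port, timeout)
        vpn = probe(vpn_host, port, timeout)
        rows.append((port, lan, vpn, verdict(lan, vpn)))
    return rows

if __name__ == "__main__":
    # Constructed placeholder names; substitute one LAN target and one VPN target.
    for row in compare("lan-pc.example", "vpn-pc.example"):
        print(*row, sep="\t")
```

A port that is "open" on the LAN but "filtered" over the VPN is the specific item to bring to the firewall administrator.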
