Your priority rules are only half of the equation. Your internal Agent Handler also needs to have the IP ranges for your internal subnets defined so that only internal systems use it. Everything else will fail over to the agent handler next in the list.
I have one Agent Handler in the DMZ, so I use "Handler Priority" (found under "Agent Handler Assignment") to create a custom handler list. The local ePO server is listed first and the AH in the DMZ is listed second. When the nodes come back in, it does take a couple of agent cycles before they drop the AH in the DMZ and pick up the local ePO.
Thanks for your input so far.
To give you a further idea, internally our machines are denied access to the internet by a hardware firewall, which is why we need the laptops to look internally first. At the moment some laptops seem to want to check the public agent handler first every time, then fail over to internal. However, the laptops are often taken out of the organisation, hence the need for them to continue contacting ePO when they are at home on their wifi connections etc. So they should never use one agent handler exclusively; they need both sites as options, I just want them to use the internal one first.
Currently (using the default assignment rule), when I look in 'About' on the client I can see the two agent handlers (or published addresses, in any case). On some machines the public agent handler is first on the list and the internal is second, and on others vice versa (I'm not sure if this is significant).
When trying to troubleshoot, I set up priority rules and I did specify our IP ranges, so anything on the local subnet would use the internal agent handler, with the public agent handler second in the priority list. However, when I did this, the public agent handler disappeared from the sitelist on the client and from 'About'. So when taken off the local subnet it had nowhere else to look.
I'm going to continue to play about with this today, but any guidance would be great. I'm pretty sure I'm missing something obvious, and what you've posted above makes sense, but when I set up the internal agent handler to deal with all clients matching the IP range criteria I set, the public address disappears from the client.
Not to start up an old thread, but I am having the same issue. I have an AH in the DMZ that I do not want internal people to use. I have set up AH priority so internal people should not use the DMZ AH, but it appears a number of machines insist on going out to the DMZ AH when on the internal network. I plan to learn more about how this really functions, but any tips on a similar setup? I'm considering putting in a firewall rule so internal clients can't get to the DMZ AH via 443.
I ended up having to define internal IP ranges to only use the internal AH (ePO server), and everything else will fail over to the AH in the DMZ. If you have laptops, though, they will hit the AH in the DMZ when they are off your network.