Several sites/distribution points but only one centralized connection gateway (for external devices

[ak01]

We have several sites, divided into subgroups and for each subgroup a distribution point. We have one centralized KSC. All the laptops are divided into their site group so that they get updates locally.

Now, we want to also manage the laptops when they are at home (home office and so on), therefore we would like to set up a connection gateway within the DMZ.
According to https://support.kaspersky.com/13756#block3 a connection gateway also needs to be bound to a subgroup or a network location (“set of devices associated with this update agent”). However, do we need the same amount of connection gateways than distribution points (one for each site) or can we use one centralized CG for all of them?
Is it possible to leave that CG subgroup binding blank and to create a new network connection profile in network agent policy to point external devices (when they are external) to that one new CG?

Is this possible and how would this be possible?

[ak01]

The solution is to do it according to the manual. The laptops (wherever they are, they do not have to be member of the specific subgroup) should get a new agent policy. Within the agent policy, there must be a new network profile which points to the connection gateway (in the appropriate filed) and a rule which only switches to the CG e.g. when the Windows domain is not reachable anymore (otherwise, the default KSC is used -> I have not touched that).

Therefore, I created a subgroup “Notebooks” in every site subgroup and put a specific agent policy in every “Notebooks” subgroup (see above). However, the CG is only bound to a specific subgroup (e.g. “external devices”) and the laptops are not member of that subgroup (and it works as well).