| I have a network segment with workstations that I want the SMS client on, but NetBIOS is blocked outbound from the segment. How do I install the client? Can I use it after I do?

SMS expects a fully working NetBIOS layer. However, for security reasons, no one on the network segment in question can access any outside machine (they're in their own workgroup, and NetBIOS is blocked on the router, but established TCP sessions are not). We still want to Remote Control without disabling the NetBIOS filter, so this is what you need to do:
- First, since this segment is not in our site boundaries, we needed to force the client to join our site. To do this, place the following registry key on the client before you run SMSMAN:
"HKLM\Software\Microsoft\SMS\Client\Sites\Forced Sites = <your three-letter site code>"
- On an unprotected network segment, install your client using "SMSMAN" (or, if you have Discovery turned on, you can let it install the client). Make sure the client is in the same workgroup that it will be in on the locked-down segment.
- Wait until all the components you need are installed on the client. Hit "Update Configuration" within the "SMS" Control Panel applet to resync your computer one last time on the NetBIOS-enabled network.
- Move your client to the locked-down segment and change its IP address (or have DHCP do it for you).
- Go to the "SMS" Control Panel applet and press the "Update Configuration" button again. Nothing will appear to happen, the time won't change, and you won't sync the client with the site server... YET!
- Now go to your Site Server. Click on your client's record in the Admin console, and start a Remote Tools session. This will take some time, since it will try NetBIOS and the last-known IP address before actually finding the client on its new address.
- Open "File Transfer". On the remote client, go to "%SYSTEMROOT%\MS\SMS\CORE\DATA" and select the "SMSDISC.DDR" file. Transfer the file to the "<SMS_dir>\inboxes\ddm.box" folder. The Discovery Data Manager processes the file and updates the record in the database.
- Update the Collections to see the results. Essentially, what just happened is a forced client update cycle. Since the client can't send NetBIOS data, the DDR in the client's data outbox never gets transferred to the CAP. Here, *you* manually perform that step.
Note: In this situation, about the only thing you can do is Remote Tools (just as well they changed SMS 2.0 Remote Control to use TCP!!). Software Distribution won't work, because the client won't be able to check the CAP for new advertisements. Inventory can't send DDR files either. However, this method provides you with at least a record of the IP address of the machine, and the ability to Remote Control it from an admin console on the other side of the barrier. It isn't pretty, but hopefully most people don't have this situation.
|