A best practice in ConfigMgr 2007 was to have remote distribution points “protected” so that clients in other subnets would not inadvertently download content from them. This was particularly important for DPs that were on slow WAN links. In ConfigMgr 2012, however, having a protected DP looks different. Instead of the old checkbox on the DP settings, you now add the Boundary (IP address range/subnets or AD Sites) into its own Boundary Group. In this way, only clients in that subnet will pull from that DP.