For ease of management, updates, and security, I'd like functionality within BNR similar to Protection Groups that would allow me to manage and remotely update Veeam Console endpoints.
Create a group called "Internal IT computers"
Add endpoints by DNS or IP
Console gets deployed and a public/private key exchange takes place between BNR and endpoints
Now these users are allowed to even attempt port connection; BNR filters all other requests
Users must still authenticate as another layer of protection
When I upgrade BNR, automatically consoles get updated as well