Deploy SCCM Cloud Management Gateway Step by Step
by Ginu
About
Cloud Management Gateway (CMG) is an Azure-based service that lets you manage internet-based clients. It runs as a virtual machine in Azure that routes internet-based clients’ traffic to the on-premises site system server hosting the “Cloud Management Gateway Connection Point” role, and from there to the Management Point and Software Update Point.
This article walks through setting up and configuring the Cloud Management Gateway, and configuring client settings so that clients are managed while they are on the internet.
Article Covers:
- Cloud Management Gateway Setup Prerequisites
- Certificates for Cloud Management Gateway
- Configure Azure Services in SCCM
- Deploy Cloud Management Gateway
- Cloud Management Gateway Status/Log validation
- Install Cloud Management Gateway Connection Point
- Configure client-facing roles for CMG traffic
- Configure Client Settings for Cloud Management Gateway
- Configure boundary groups for CMG
Cloud Management Gateway Setup Prerequisites
- An Azure subscription for hosting CMG services.
- An Azure administrator account with the following permissions:
- Global Admin: to integrate the site with Azure AD for deploying the CMG using Azure Resource Manager
- Subscription Admin: to deploy the CMG
Note: The Azure admin account doesn’t need any permissions in SCCM. It can be a completely different account and can be deleted afterwards if it was created only for deploying the Cloud Management Gateway.
- Integration with Azure AD for deploying the service with Azure Resource Manager.
- The Microsoft.ClassicCompute and Microsoft.Storage resource providers must be registered in the Azure subscription, otherwise the CMG deployment will fail. Refer to the article below on registering resource providers in Azure.
- At least one on-premises Windows server to host the CMG Connection Point.
- The service connection point must be in online mode.
- A server authentication certificate for CMG deployment. Other certificates may be required which
- Clients must use IPv4.
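The resource-provider prerequisite above is the one most often missed, and it can be checked and fixed from PowerShell before the wizard is run. The snippet below is an added example, not from the article; it assumes the Az PowerShell module is installed and that Connect-AzAccount has already been run against the subscription that will host the CMG.

```powershell
# Added example (not from the original article): verify, and if needed register,
# the two resource providers the article lists as CMG prerequisites.
# Assumes: Az module installed and Connect-AzAccount already run for the
# subscription that will host the CMG.
function Confirm-CmgResourceProviders {
    param(
        [string[]] $Namespace = @('Microsoft.ClassicCompute', 'Microsoft.Storage')
    )
    foreach ($ns in $Namespace) {
        # Get-AzResourceProvider returns one object per resource type in the
        # namespace; RegistrationState is identical across them, so take the first.
        $state = (Get-AzResourceProvider -ProviderNamespace $ns |
                  Select-Object -First 1).RegistrationState

        if ($state -ne 'Registered') {
            # Registration needs the */register/action right on the subscription
            # (Owner or Contributor), which the admin account from the
            # prerequisites already has.
            Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
            $state = 'Registering (re-run until it reports Registered)'
        }

        [pscustomobject]@{ Provider = $ns; State = $state }
    }
}

Confirm-CmgResourceProviders
```

Registration is asynchronous on the Azure side; run the function again a minute later and do not start the CMG wizard until both providers report Registered.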
Certificates for Cloud Management Gateway
The certificate requirements vary by scenario and environment. My environment has the following setup:
My Management Point is already configured for HTTPS and the client machines have a client authentication certificate. So I only need the “CMG Server Authentication Certificate” and the “Client Trusted Root Certificate for CMG”, which I have already created and exported on my primary site server.
Refer to the articles below for all CMG-related certificates and for setting up the site on PKI.
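Before uploading the two exported files in the CMG wizard it is worth confirming that the server authentication certificate actually has what the CMG needs (a private key, the Server Authentication EKU, a chain that ends at the trusted root you will upload) and finding out whether the CRL distribution points in that chain are reachable from the internet, since that decides whether the “Verify Client Certificate Revocation” option in the wizard can be turned on. The function below is an added example, not part of the article; the file paths are assumptions, and it relies on Windows PowerShell because the extension formatting uses CryptoAPI.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not part of the original article. Checks the CMG server
# authentication certificate (.pfx) and the trusted root / chain certificates
# (.cer) before they are uploaded in the wizard, and tests the HTTP CRL
# distribution points (CDPs) found in the chain. File paths are assumptions.
function Test-CmgCertificates {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,       # CMG server auth cert
        [Parameter(Mandatory)] [SecureString] $PfxPassword,
        [Parameter(Mandatory)] [string[]]     $ChainCerPath   # root (and intermediates)
    )
    $cert    = [X509Certificate2]::new($PfxPath, $PfxPassword, [X509KeyStorageFlags]::DefaultKeySet)
    $anchors = foreach ($p in $ChainCerPath) { [X509Certificate2]::new($p) }

    # 1. The CMG needs the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) and a private key.
    $eku        = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # 2. The DNS name in the certificate is what the wizard turns into the service name.
    $dnsName = $cert.GetNameInfo([X509NameType]::DnsName, $false)

    # 3. Build the chain with the supplied .cer files as extra trust anchors and
    #    confirm it really terminates at one of them (revocation is tested in step 4).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    foreach ($a in $anchors) { [void]$chain.ChainPolicy.ExtraStore.Add($a) }
    $built      = $chain.Build($cert)
    $chainTop   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $endsAtRoot = $built -and ($anchors.Thumbprint -contains $chainTop.Thumbprint)

    # 4. Collect HTTP CDPs (extension OID 2.5.29.31) from every chain element and
    #    fetch them. Enable "Verify Client Certificate Revocation" only when the
    #    CRLs are reachable from the internet (run this from outside the LAN).
    $cdp = foreach ($el in $chain.ChainElements) {
        $ext = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($ext) {
            [regex]::Matches($ext.Format($true), 'URL=(http\S+)') | ForEach-Object { $_.Groups[1].Value }
        }
    }
    $crlStatus = foreach ($url in ($cdp | Select-Object -Unique)) {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            "$url -> HTTP $($r.StatusCode)"
        } catch {
            "$url -> NOT reachable ($($_.Exception.Message))"
        }
    }

    [pscustomobject]@{
        DnsName         = $dnsName
        HasPrivateKey   = $cert.HasPrivateKey
        ServerAuthEku   = $serverAuth
        NotAfter        = $cert.NotAfter
        Thumbprint      = $cert.Thumbprint
        ChainBuilds     = $built
        ChainEndsAtRoot = $endsAtRoot
        CrlDistribution = $crlStatus
    }
}

# Usage (paths are assumptions for this example).
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
Test-CmgCertificates -PfxPath 'C:\Certs\CMGServerAuth.pfx' -PfxPassword $pfxPwd `
                     -ChainCerPath 'C:\Certs\TrustedRoot.cer' | Format-List
```

ChainBuilds false with the root supplied usually means an intermediate is missing; pass every certificate in the trust chain in ChainCerPath, which is also what the wizard asks for. Because the clients’ PKI certificates normally come from the same internal CA, the same CDP reachability result tells you whether the CRL the CMG would consult for client certificates is public.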
Configure Azure Services in SCCM
We will configure Azure Services in SCCM using a Web App and a Native Client App. These apps provide the subscription and configuration details and authenticate communications with Azure AD, so you don't have to enter the same information each time you set up a new Configuration Manager component or service with Azure.
- Navigate to Administration -> Overview -> Cloud Services -> Azure Services. Right-click Azure Services and click Configure Azure Services.
- On Configure Azure Services, select Cloud Management and enter a Name and Description. Click Next.
- On App Properties, click Browse for the Web App.
- In the Server App dialog box, click Create.
Note: If you have already created a web server app in Azure, you can import it into SCCM using the Import option; otherwise create it directly with the steps below.
- Enter the following details in the Create Server Application box:
- Application Name: enter any name.
- Home Page URL & App ID URI: I kept the default value, https://ConfigMgrService. You can change it, but make sure the value is unique in Azure.
- Secret Key Validity Period: a maximum of 2 years is allowed at present.
- Sign In: click this button and you will be prompted for your Azure admin credentials.
- After a successful sign-in, the Azure AD Tenant name is populated automatically. Click OK to close the dialog box.
- Select the app we just created and click OK.
- Now we will create the Native Client App. Click Browse.
- In the Client App dialog box, click Create.
- Enter the Client App name and click Sign in. Click OK after signing in successfully.
- Select the Client App and click OK.
- Both the Web and Client apps are created. Click Next.
- On Configure Discovery Settings, we can leave both Azure AD User and Group Discovery unchecked, as they are not required for setting up the Cloud Management Gateway.
- Click Next on the Summary page.
- Click Close on the Completion page.
- Under Azure Services, you will find the Azure service configured for Cloud Management Gateway.
- Under Azure Active Directory Tenants, you will find your Azure tenant name and ID along with both the Web and Native Client apps.
- You can find the same apps configured in Azure.
Deploy Cloud Management Gateway
Finally, we can start deploying the Cloud Management Gateway.
- Navigate to Administration -> Cloud Services -> Cloud Management Gateway. Right-click Cloud Management Gateway and click Create Cloud Management Gateway.
- Click the Sign In… button and enter your Azure admin credentials.
After a successful sign-in, the Subscription ID, Azure AD App and Tenant name are populated automatically. Click Next.
- On the Settings page, provide the following details. The certificates we exported above for the CMG console are used here.
- Certificate File: click Browse and choose the .PFX file for the “CMG Server Authentication Certificate”. It will prompt for the password; enter the certificate password and click OK.
- Service & Deployment Name: populated automatically once you provide the certificate file in the step above.
- Description: you can leave this blank or provide any description.
- Region: select the Azure region from the drop-down list.
- Resource Group:
- If you choose Use existing, select an existing resource group from the drop-down list. The selected resource group must already exist in the region you selected in the step above. If you select an existing resource group that is in a different region than the one previously selected, the CMG will fail to provision.
- If you choose Create new, enter the new resource group name.
- VM Instance: I’m going with one instance, which is the default; 16 is the maximum. You can change this afterwards to scale the service as needed.
- Certificates…: click the Certificates button. In the dialog box that opens, click Add and select the client trusted root certificates. Add all of the certificates in the trust chain. In my case there is only one trusted root certificate, so I add it and click OK.
Note: This certificate isn’t required when using Azure Active Directory (Azure AD) for client authentication. However, I’m using PKI client authentication certificates, so a trusted root certificate has to be added to the CMG console.
- Verify Client Certificate Revocation: check this option only if the certificate revocation list (CRL) is publicly published; otherwise verification cannot work.
- Enforce TLS 1.2: starting with version 1906, you can enforce TLS 1.2. This setting applies only to the Azure VM. It doesn’t apply to any on-premises Configuration Manager site servers or clients.
- Allow CMG to function as a cloud distribution point and serve content from Azure storage: check this option to deploy a cloud distribution point along with the CMG. This feature was integrated into CMG in version 1806. It reduces the number of required certificates and the Azure VM cost for a cloud DP.
Click Next.
- On Alerts, configure alerts for the Cloud Management Gateway. I’m keeping the default alert configuration. Click Next.
- On the Summary page, review your configuration. Click Next.
- Click Close on the Completion page.
Cloud Management Gateway Status/Log validation
Use the following steps to validate that the Cloud Management Gateway set up successfully, using the SCCM console and logs.
- After deploying the Cloud Management Gateway, the CMG service status shows Provisioning.
It takes between five and 15 minutes to provision the service completely in Azure.
- You can monitor the status in detail in CloudMgr.log under %ProgramFiles%\Configuration Manager\Logs\CloudMgr.log
CloudMgr.log
Starting to deploy service ginucmg. SMS_CLOUD_SERVICES_MANAGER Resource Manager – Initializing… Acquiring access token to resource manager and accessing the subscription SMS_CLOUD_SERVICES_MANAGER
Resource Manager – Resource group ginucmg created SMS_CLOUD_SERVICES_MANAGER
Resource Manager – Created deployment CreateCloudService55759355-7b6f-4664-b139-0db5b0903b4f SMS_CLOUD_SERVICES_MANAGER
Resource Manager – cloud service ginucmg created. Resource properties: {~~ “provisioningState”: “Succeeded”,~~ “status”: “Created”,~~ “label”: “ginucmg”,~~ “hostName”: “ginucmg.cloudapp.net”~~} SMS_CLOUD_SERVICES_MANAGER
Resource Manager – Cloud service certificate 423C5D70A0F558AF1514CBD71FC290825AA28BA0 added to cloud service ginucmg SMS_CLOUD_SERVICES_MANAGER
Resource Manager – Created deployment CreateStorageService2da74c62-6f09-424d-bfc6-40b77ad9cc9e SMS_CLOUD_SERVICES_MANAGER
Deployment ginucmg instance status is ReadyRole. SMS_CLOUD_SERVICES_MANAGER
Finished deploying service ginucmg. SMS_CLOUD_SERVICES_MANAGER
Upload mp certs starting for service ginucmg… SMS_CLOUD_SERVICES_MANAGER
Starting to monitor service ginucmg. SMS_CLOUD_SERVICES_MANAGER
Deployment is in running state for service ginucmg SMS_CLOUD_SERVICES_MANAGER
- Once provisioning completes, the Cloud Management Gateway status shows Ready.
- Navigate to Administration -> Overview -> Site Configuration -> Servers and Site System Roles. You will find a new site system added there for the cloud distribution point.
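Once the status is Ready, the console only tells you that Azure finished provisioning; it does not show what an internet client will actually get from the public endpoint. The function below is an added example, not from the article: it opens a TLS 1.2-only connection to the CMG host name the way a client would and reports the negotiated protocol, cipher and the server certificate, so you can confirm the “Enforce TLS 1.2” setting and that the CMG presents the certificate you uploaded. The host name and thumbprint in the usage line are taken from the article's own log excerpt for illustration; substitute your own.

```powershell
# Added example, not part of the original article. Connects to the CMG's public
# HTTPS endpoint with TLS 1.2 only and reports what the server negotiated and
# which certificate it presented. Host name / thumbprint are assumptions taken
# from the article's log excerpt.
function Test-CmgTlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int]    $Port = 443,
        [string] $ExpectedThumbprint
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # Default validation callback: the handshake throws if the server chain is
    # not trusted by this machine, which is exactly what a client would see.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    try {
        # Offer TLS 1.2 only; with "Enforce TLS 1.2" set this is the only
        # protocol the Azure VM accepts, so an older client would fail here.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint        = "$HostName`:$Port"
            Protocol        = $ssl.SslProtocol
            Cipher          = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            ThumbprintMatch = $(if ($ExpectedThumbprint) { $cert.Thumbprint -eq $ExpectedThumbprint } else { 'not checked' })
        }
    } catch {
        [pscustomobject]@{ Endpoint = "$HostName`:$Port"; Error = $_.Exception.GetBaseException().Message }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

# Values from the article's CloudMgr.log excerpt, used here only as an illustration.
Test-CmgTlsEndpoint -HostName 'ginucmg.cloudapp.net' `
                    -ExpectedThumbprint '423C5D70A0F558AF1514CBD71FC290825AA28BA0' | Format-List
```

Run it from a machine outside the corporate network that has the trusted root installed, since that is the position an internet client is in. A ThumbprintMatch of False after a certificate renewal means the new .PFX has not been uploaded to the CMG yet.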
Install Cloud Management Gateway Connection Point
Let’s add the Cloud Management Gateway Connection Point role so that clients can communicate with the CMG.
- Navigate to Administration -> Site Configuration -> Servers and Site System Roles.
- Right-click the site server and click Add Site System Roles. Click Next.
- On Proxy, click Next.
- On System Role Selection, select the “Cloud Management Gateway Connection Point” role. Click Next.
- Select the Cloud Management Gateway name from the drop-down and click Next.
- On Summary, review the settings. Click Next.
- Click Close on the Completion page.
- You can monitor the role installation status in SMS_Cloud_ProxyConnector.log
SMS_Cloud_ProxyConnector.log
Component SMS_CLOUD_PROXYCONNECTOR started successfully. SMS_CLOUD_PROXYCONNECTOR
Starting to connect to Proxy server GINUCMG.CLOUDAPP.NET:10140 with client certificate 11234DDA3C163CE4C86845830F0A9CBDC5B7AD3E and connection ID ca933476-88ce-4469-8d8e-236b29b932ea… SMS_CLOUD_PROXYCONNECTOR
Sending signIn message to Proxy server… SMS_CLOUD_PROXYCONNECTOR
Got signIn confirm message from Proxy server and processing it… SMS_CLOUD_PROXYCONNECTOR
Parking connection 09b0f538-860c-4628-8841-438469030dbe to Proxy server GINUCMG.CLOUDAPP.NET:10140… SMS_CLOUD_PROXYCONNECTOR
Connection 09b0f538-860c-4628-8841-438469030dbe finished initialization and started SMS_CLOUD_PROXYCONNECTOR
Trying to build Tcp connection 4aff5b90-6fda-4a62-a535-475dc82b2dfd with server GINUCMG.CLOUDAPP.NET:10140 SMS_CLOUD_PROXYCONNECTOR
ReportOnlineConnections – state message to send: <Connections ServerName=”PROD-VM02.GINU.COM” Time=”05/03/2020 17:53:57.263</Connections> SMS_CLOUD_PROXYCONNECTOR
There are 10 Tcp connections established with proxy server GINUCMG.CLOUDAPP.NET:10140 SMS_CLOUD_PROXYCONNECTOR
- Once it completes successfully, you will find the connection status under Cloud Management Gateway.
Note: If you use PKI client authentication certificates for client communication, the CMG connection point server must also have a client authentication certificate.
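Both log excerpts above (CloudMgr.log for provisioning and SMS_Cloud_ProxyConnector.log for the connection point) are written on disk in CMTrace format, and reading them by eye on every deployment gets old. The following is an added example, not from the article: a small CMTrace parser plus a summary function that pulls out the service name, whether the ReadyRole / finished / running milestones were logged, the number of TCP connections the connection point established, and any error-severity entries. The sample entries are constructed from the messages shown in the article; their timestamps, thread ids and file fields are made up.

```powershell
# Added example, not part of the original article. Parses CMTrace-format entries
# (the on-disk format of CloudMgr.log and SMS_Cloud_ProxyConnector.log) and
# summarises CMG provisioning and connection point state. Handles one entry per
# line; multi-line CMTrace messages are skipped.
$script:CmTracePattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'

function ConvertFrom-CmTraceLog {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        if ($line -match $script:CmTracePattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CmgDeploymentSummary {
    param([string[]] $CloudMgrLines, [string[]] $ConnectorLines)
    $cm = @(ConvertFrom-CmTraceLog $CloudMgrLines  | Where-Object Component -eq 'SMS_CLOUD_SERVICES_MANAGER')
    $pc = @(ConvertFrom-CmTraceLog $ConnectorLines | Where-Object Component -eq 'SMS_CLOUD_PROXYCONNECTOR')

    $service = $null; $tcpConnections = $null; $proxy = $null
    foreach ($e in $cm) {
        if ($e.Message -match '^Starting to deploy service (\S+)\.') { $service = $Matches[1] }
    }
    foreach ($e in $pc) {
        # Last such line wins: it is the most recent connection count.
        if ($e.Message -match '^There are (\d+) Tcp connections established with proxy server (\S+)') {
            $tcpConnections = [int]$Matches[1]; $proxy = $Matches[2]
        }
    }
    [pscustomobject]@{
        Service        = $service
        ReadyRoleSeen  = [bool]($cm | Where-Object Message -match 'instance status is ReadyRole')
        FinishedDeploy = [bool]($cm | Where-Object Message -match '^Finished deploying service')
        RunningState   = [bool]($cm | Where-Object Message -match 'Deployment is in running state')
        ProxyEndpoint  = $proxy
        TcpConnections = $tcpConnections
        Errors         = @($cm + $pc | Where-Object Severity -eq 'Error' | ForEach-Object Message)
    }
}

# Constructed sample entries: messages from the article, other fields made up.
$sampleCloudMgr = @(
  '<![LOG[Starting to deploy service ginucmg.]LOG]!><time="17:40:01.000+000" date="05-03-2020" component="SMS_CLOUD_SERVICES_MANAGER" context="" type="1" thread="1" file="">'
  '<![LOG[Resource Manager - Resource group ginucmg created]LOG]!><time="17:41:10.000+000" date="05-03-2020" component="SMS_CLOUD_SERVICES_MANAGER" context="" type="1" thread="1" file="">'
  '<![LOG[Deployment ginucmg instance status is ReadyRole.]LOG]!><time="17:49:30.000+000" date="05-03-2020" component="SMS_CLOUD_SERVICES_MANAGER" context="" type="1" thread="1" file="">'
  '<![LOG[Finished deploying service ginucmg.]LOG]!><time="17:49:31.000+000" date="05-03-2020" component="SMS_CLOUD_SERVICES_MANAGER" context="" type="1" thread="1" file="">'
  '<![LOG[Deployment is in running state for service ginucmg]LOG]!><time="17:52:00.000+000" date="05-03-2020" component="SMS_CLOUD_SERVICES_MANAGER" context="" type="1" thread="1" file="">'
)
$sampleConnector = @(
  '<![LOG[Component SMS_CLOUD_PROXYCONNECTOR started successfully.]LOG]!><time="17:53:50.000+000" date="05-03-2020" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="1" thread="2" file="">'
  '<![LOG[There are 10 Tcp connections established with proxy server GINUCMG.CLOUDAPP.NET:10140]LOG]!><time="17:53:57.000+000" date="05-03-2020" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="1" thread="2" file="">'
)
Get-CmgDeploymentSummary -CloudMgrLines $sampleCloudMgr -ConnectorLines $sampleConnector | Format-List
```

Against the sample it reports Service ginucmg, all three milestones True, 10 TCP connections to GINUCMG.CLOUDAPP.NET:10140 and no errors. For a real site, pass Get-Content of the two log paths named above as CloudMgrLines and ConnectorLines; a missing FinishedDeploy with entries under Errors is the quickest way to spot a failed provisioning, and a TcpConnections of $null after role installation means the connection point never reached the Azure VM.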
Configure client-facing roles for CMG traffic
Now we will configure the Management Point and Software Update Point to accept CMG traffic. Perform the following steps on the primary site for all management points and software update points that serve internet-based clients.
- Open the Management Point properties and check the box “Allow Configuration Manager cloud management gateway traffic”. Click OK.
- Open the Software Update Point properties and check the box “Allow Configuration Manager cloud management gateway traffic”. Click OK.
- After enabling the options above, the endpoints for handling client traffic appear under Cloud Management Gateway.
- If you’re using client authentication certificates for clients to authenticate with the CMG, make sure the “Use PKI client certificate (client authentication) when available” option is enabled on the primary site.
- Open the Primary Site Server Properties, switch to the Client Computer Communication / Communication Security tab, and check “Use PKI client certificate (client authentication) when available”.
If you don’t publish a CRL, deselect the client option “Check the certificate revocation list (CRL) for site systems”.
Configure Client Settings for Cloud Management Gateway
- You can edit the Default Client Settings or create new custom device client settings for managing internet clients.
- Under the client settings, click Client Policy. Set “Enable user policy requests from internet clients” to Yes.
- Now click Cloud Services and set “Allow access to cloud distribution point” to Yes.
By default, “Enable clients to use a cloud management gateway” is set to Yes.
- You can also set Metered Internet Connections. By default it is Block; you can set it to “Allow” or “Limit”.
Configure boundary groups for CMG
Starting with version 1902, you can associate a CMG with SCCM boundary groups.
You can also associate the CMG with the “Default-Site-Boundary-Group”. If VPN clients do not fall into a known boundary group, they fall back to the site systems referenced from the default site boundary group.
That’s all; the CMG setup and configuration is complete.