Internet Client Communication with Cloud Management Gateway (SCCM)
by Ginu
About
After the Cloud Management Gateway is deployed successfully and the required changes are made on the SCCM side, we need to validate whether clients are successfully communicating with the CMG.
In this article, we will validate client communication with CMG.
Article Covers:
- CMG value addition in registry
- SCCM Client side log validation
- Monitor Client Side Traffic in SCCM Console.
CMG value addition in registry
The registry changes below happen automatically on the client side when the SCCM agent performs its periodic policy check, when the SMS Agent Host service is restarted, or when a network change is detected.
- You can force the client to always use the CMG, regardless of whether it is on the intranet or the internet, by setting the ClientAlwaysOnInternet registry value to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1
Restart the SMS Agent Host service to see the change immediately.
- If the SCCM client doesn't have a CMG value set in the registry, it automatically checks the CMGFQDNs registry value. This check occurs every 25 hours, when the SMS Agent Host service starts, or when it detects a network change. When the client connects to the site and learns of a CMG, it automatically updates this value.
- After learning about the CMG, the Internet Management Point value is updated.
SCCM Client side log validation
LocationServices.log -> Check whether the client sees the CMG.
Internet Management Points from assigned MP: LocationServices 7/1/2019 10:50:58 PM 4168 (0x1048)
Name: ‘SECONDCMG.LABCMG.COM/CCM_Proxy_MutualAuth/216172782113783842’ HTTPS: ‘Y’ ForestTrust: ‘N’, Locality: ‘0’, MPBGRFallbackType: ‘None’, MPFallbackTime: ‘0’ LocationServices
ClientLocation.log -> The connection change from Intranet to Internet must happen for the client to start communicating with the CMG.
Client is in Internet ClientLocation 7/2/2019 9:30:41 AM 4160 (0x1040)
Current internet management point is SECONDCMG.LABCMG.COM/CCM_Proxy_MutualAuth/216172782113783842 ClientLocation 7/2/2019 9:30:41 AM 4160 (0x1040)
ADALOperationProvider.log -> A good log to confirm whether AAD user token acquisition worked. Not seeing an error after the "Getting AAD (user) token" entry indicates that it was successful.
Once the CMG policies are updated, you will find the Connection Type set to Internet and the Internet Management Point value set to the CMG.
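The registry and log checks from the two sections above can be scripted so the validation is repeatable across clients. The PowerShell below is an added example written for this article, not code from the article or from Microsoft; it reads the ClientAlwaysOnInternet and CMGFQDNs values, parses the CMTrace-format entries the article quotes from LocationServices.log, ClientLocation.log and ADALOperationProvider.log, and reports whether the client's current internet management point is the CMG you expect. It assumes the default client log folder %windir%\CCM\Logs, that CMGFQDNs sits in the same Security key as ClientAlwaysOnInternet, and uses the article's SECONDCMG.LABCMG.COM name as a placeholder for the expected CMG; the function and parameter names are the example's own.

```powershell
# Added example, not part of the original article. Validates CMG client state on a
# ConfigMgr client: registry values under HKLM\SOFTWARE\Microsoft\CCM\Security and
# CMTrace-format entries in LocationServices.log, ClientLocation.log and
# ADALOperationProvider.log. Assumes the default log folder %windir%\CCM\Logs and
# that CMGFQDNs lives in the same Security key as ClientAlwaysOnInternet.
[CmdletBinding()]
param(
    [string]$LogPath = (Join-Path $env:windir 'CCM\Logs'),
    # Placeholder taken from the article's log sample; replace with your CMG service name.
    [string]$ExpectedCmgFqdn = 'SECONDCMG.LABCMG.COM'
)

$securityKey = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'

function Get-CmgRegistryState {
    $props = Get-ItemProperty -Path $securityKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ClientAlwaysOnInternet = [int]$props.ClientAlwaysOnInternet   # 1 = client forced to the CMG
        CMGFQDNs               = $props.CMGFQDNs                      # CMG learned from the site (assumed location)
    }
}

# Force (1) or release (0) ClientAlwaysOnInternet, then restart SMS Agent Host (CcmExec)
# so the new location decision shows up in ClientLocation.log right away.
function Set-CmgAlwaysOnInternet {
    param([ValidateSet(0, 1)][int]$Value)
    Set-ItemProperty -Path $securityKey -Name ClientAlwaysOnInternet -Value $Value -Type DWord
    Restart-Service -Name CcmExec
}

# CMTrace log entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
$cmTracePattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<component>[^"]+)"'

function Get-CmTraceEntries {
    param([string]$File, [string]$Filter)
    if (-not (Test-Path -Path $File)) { return @() }
    $text = [string](Get-Content -Path $File -Raw)
    foreach ($m in [regex]::Matches($text, $cmTracePattern)) {
        if ($m.Groups['msg'].Value -match $Filter) {
            [pscustomobject]@{
                Date      = $m.Groups['date'].Value
                Time      = $m.Groups['time'].Value
                Component = $m.Groups['component'].Value
                Message   = $m.Groups['msg'].Value
            }
        }
    }
}

function Test-CmgClientState {
    $reg        = Get-CmgRegistryState
    $cmgSeen    = @(Get-CmTraceEntries -File (Join-Path $LogPath 'LocationServices.log') -Filter 'CCM_Proxy_MutualAuth')
    $onInternet = @(Get-CmTraceEntries -File (Join-Path $LogPath 'ClientLocation.log')   -Filter '^Client is in Internet')
    $currentMp  = @(Get-CmTraceEntries -File (Join-Path $LogPath 'ClientLocation.log')   -Filter '^Current internet management point is') | Select-Object -Last 1
    $tokenLines = @(Get-CmTraceEntries -File (Join-Path $LogPath 'ADALOperationProvider.log') -Filter 'Getting AAD \(user\) token|error')

    # Article's success criterion for the token log: no error after the last "Getting AAD (user) token" entry.
    $seenGet = $false; $errorsAfterToken = 0
    foreach ($e in $tokenLines) {
        if ($e.Message -match 'Getting AAD \(user\) token') { $seenGet = $true; $errorsAfterToken = 0 }
        elseif ($seenGet -and $e.Message -match 'error')    { $errorsAfterToken++ }
    }

    # Strip the prefix so only "<CMG FQDN>/CCM_Proxy_MutualAuth/<id>" remains.
    $currentMpFqdn = $null
    if ($currentMp) {
        $currentMpFqdn = ($currentMp.Message -replace '^Current internet management point is\s*', '').Trim()
    }

    [pscustomobject]@{
        ClientAlwaysOnInternet      = $reg.ClientAlwaysOnInternet
        CMGFQDNs                    = $reg.CMGFQDNs
        CmgLearnedFromAssignedMp    = $cmgSeen.Count -gt 0
        ClientReportsInternet       = $onInternet.Count -gt 0
        CurrentInternetMp           = $currentMpFqdn
        # False here means the client is using an internet MP other than the CMG you deployed.
        InternetMpIsExpectedCmg     = [bool]($currentMpFqdn -and $currentMpFqdn -like "$ExpectedCmgFqdn/*")
        AadTokenAcquisitionLogged   = $seenGet
        AadErrorsAfterLastTokenCall = $errorsAfterToken
    }
}

Test-CmgClientState | Format-List
```

Run it in an elevated PowerShell session on the client (the Security key and CCM\Logs are not readable by standard users). Calling Set-CmgAlwaysOnInternet 1 reproduces the forcing step from the registry section and should, after the CcmExec restart, turn ClientReportsInternet and InternetMpIsExpectedCmg to True on the next run; a client that reports Internet but whose CurrentInternetMp does not match the expected CMG is the case worth investigating before trusting the console's Connection Points view.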
Monitor Client Side Traffic in SCCM Console
You can also monitor client traffic in the SCCM console under Cloud Management Gateway -> Connection Points.
Similarly, under CMG Role Endpoints, you will see traffic coming in under different Endpoints.
To troubleshoot CMG client traffic, you can further refer to CMGHttpHandler.log, CMGService.log and SMS_Cloud_ProxyConnector.log.