CMG – VM Scale set

Customers with an Azure subscription through a CSP (Cloud Solution Provider) can run into many problems when setting up the CMG. Since Configuration Manager version 2010, the Cloud management gateway can be set up with an Azure VM scale set.

Enable feature

You first need to enable the feature. From the console, go to the Administration tab and expand Updates and Servicing. Select Cloud management gateway with Azure VM scale set and click Turn on.

Enable CMG VM scale set

A message appears; click Yes. The feature is now enabled.

Enable CMG VM scale set

Issue the certificate

From your Certification Authority server, right-click Certificate Templates and select Manage.

Create certificate template

The Certificate Templates Console appears. Right-click the Web Server template and click Duplicate.

Duplicate Web Server certificate

Configure the Compatibility tab, then click General.

Configure compatibility tab

Enter the desired name.

Enter the name of the template

From the Request Handling tab, tick Allow private key to be exported.

Allow private key to be exported

I have created a security group in my Active Directory; it contains my SCCM Primary Site Server. On the Security tab, click the Add button and select the group. Tick the Enroll permission.

Assign Enroll permission

Click OK and close the Certificate Templates Console. Right-click Certificate Templates and click New / Certificate Template to Issue.

Add the certificate template to issue

Add the template created previously and click OK.

Add certificate on Certificate template node

The template has been added.

Configure Azure AD

You can now integrate your Configuration Manager site with your Azure Active Directory tenant. This step enables authentication with Azure AD.

From the Configuration Manager console, click the Administration tab and expand Cloud Services. Select Azure Services, then click Configure Azure Services.

Create Cloud Services

A new wizard appears; enter the desired name and select Cloud Management. Click Next.

Configure Azure Services

Click Browse to create the Web app.

Create Web App for Azure AD SCCM

A new window appears; click Create.

Create application

Enter the name of the application, then click Sign In.

Create new application

Sign-in is successful. Click OK twice.

Sign in works perfectly

Click Browse to create the Native Client app.

Create Native Client app

A new window appears; click Create.

Create application

Enter the desired name and click Sign In. Click OK to create the application.

Create native application

Click OK twice. Tick Disable Azure Active Directory authentication for this tenant and click Next.

Disable Azure AD authentication

Click Next on the remaining windows, leaving the default values. The Azure service has been created.

Verify Cloud Services name

This step checks whether the name you want for the Azure cloud service is available. From the Azure portal, search for Cloud Services.

Verify Cloud Services name

Click Create cloud service.

Create Cloud Services

Enter the desired name to check its availability. Do not create it.

Check availability for the name

You can now issue the certificate.

Issue the required certificate

Before configuring Configuration Manager, you need to issue the certificate. From the Configuration Manager server, open an mmc console and click File, then Add/Remove Snap-in.

Add Certificate Snap-in

Add the Certificates snap-in, select Computer account, then click Next. Click Finish.

Right-click Personal, then click Request New Certificate.

Request new certificate

Select the template created previously and click More information is required to enroll for this certificate.

Request new certificate

Select Common name under Subject name and enter the following value:

Name.NameOfAzureRegion.CloudApp.Azure.com
For me: InYourCloud.FranceCentral.CloudApp.Azure.com

Click Add, then OK. Click Enroll to enroll the new certificate.

Issued certificate

Right-click the certificate and select All Tasks / Export.

Export certificate

Tick Yes, export the private key and click Next.

Export private key

Leave the default format (Personal Information Exchange) and click Next. Enter the desired password and click Next.

Configure password

Using the Browse button, select the directory and file name.

Select directory and configure file name

Click Next, then Finish. The certificate has been exported and will be used later.
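Before feeding the name and the exported .pfx to the CMG wizard, it is worth checking them from a script. The following is an added example, not code from the original post: it checks the DNS label in the region (what the portal availability check does), then opens the exported file and confirms the subject CN is Name.Region.cloudapp.azure.com, that the private key was exported, and that the Server Authentication EKU inherited from the Web Server template is present. It assumes the Az.Network module is installed, Connect-AzAccount has already been run, and the path and password below are placeholders for your own file.

```powershell
# Added example (not from the original post): sanity-check the CMG name and the
# exported .pfx before the CMG wizard. $PfxPath / $PfxPassword are placeholders.
param(
    [string]$CmgName     = 'InYourCloud',      # service name checked in the portal
    [string]$Region      = 'francecentral',    # Azure region short name
    [string]$PfxPath     = 'C:\Temp\cmg.pfx',  # placeholder path to the exported file
    [string]$PfxPassword = 'ChangeMe'          # placeholder export password
)

$expectedCn = "$CmgName.$Region.cloudapp.azure.com"

# 1. Is the DNS label still free in that region? (requires Az.Network + Connect-AzAccount)
$free = Test-AzDnsAvailability -DomainNameLabel $CmgName.ToLower() -Location $Region
if (-not $free) { Write-Warning "DNS label '$CmgName' is already taken in $Region" }

# 2. Load the exported certificate together with its private key
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $PfxPath, $PfxPassword, $flags)

# 3. Subject CN must match the CMG FQDN (compared case-insensitively)
$cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ine $expectedCn) {
    throw "Certificate CN '$cn' does not match expected '$expectedCn'"
}

# 4. The private key must be inside the PFX ('Yes, export the private key')
if (-not $cert.HasPrivateKey) { throw "PFX contains no private key" }

# 5. Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$serverAuth = $eku -and ($eku.EnhancedKeyUsages |
                         Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
if (-not $serverAuth) { throw "Certificate lacks the Server Authentication EKU" }

# 6. Walk the chain so you know which root CA to upload in the wizard
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
[void]$chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"CMG FQDN : $expectedCn"
"Root CA  : $($root.Subject) (thumbprint $($root.Thumbprint))"
```

Run it on the site server where the certificate was enrolled; any throw means the wizard would fail later with a less helpful message.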

The root CA certificate must also be exported. Open the properties of the certificate exported previously and click the Certification Path tab. Select the Root CA certificate and click View Certificate.

Copy to file root CA

Open the Details tab and click Copy to File.

Copy to file to export the certificate

Export the certificate.

You can now configure HTTPS for the whole SCCM hierarchy. You can use my previous post, click here (Create Client Certificate, Configure AutoEnrollment, Configure the Primary Site and Migrate HTTP to HTTPS steps).

Create the CMG

From the Configuration Manager console, click Cloud Management Gateway, then click Create Cloud Management Gateway.

Create CMG

Select Virtual machine scale set and click Sign In.

Configure CMG

Select the administrator account in Azure AD; the Azure subscription and application appear.

Sign in and subscription appear

Click the Browse button and select the certificate file exported previously. The service name and deployment name appear. Select the Azure region (France Central for me).

Select certificate to configure the CMG

Select the desired resource group and enter the number of VM instances. Click Certificates to upload the root certificate.

Configure certificate

With the Add button, select the root certificate exported previously.

Add root certificate

Configure the Alerts window. You can now launch creation of the CMG.

Configure CMG

You can use CloudMgr.log to check whether any error is present.

Log used for CMG creation

After a few long minutes, the Cloud Management Gateway is Ready.

CMG is ready

Cloud management gateway connection point

When the CMG is ready, you need to install the Cloud management gateway connection point. From the Configuration Manager console, click Administration, then Sites. Click the site, then Add Site System Roles.

Add Site System Role

Tick Cloud management gateway connection point and click Next.

Add Cloud Management gateway connection point

The Cloud Management gateway name and the Region are filled in automatically. Click Next.

Configure Cloud Management gateway

Click Next; the Cloud management gateway connection point has been configured.

CMG connection point has been configured

Create client policy

The client policy can now be created. From the SCCM console, click Administration, then Client Settings. On the ribbon, click Create Custom Client Device Settings.

Create client settings

Enter the desired name and tick Client Policy and Cloud Services.

Configure Client policy

Select Yes from the Enable User Policy Requests from Internet clients drop-down list.

Enable User Policy Requests from Internet clients

Select Cloud Services and set Allow Access to cloud distribution point and Enable clients to use Cloud management Gateway to Yes. Click OK to create the policy. You can then deploy it to the desired collection.

Allow Access to cloud distribution point and Enable clients to use Cloud management Gateway

Test CMG

If you want to test your CMG, configure the following DWORD on a Windows 10 computer. The computer will then act as if it were connected outside the local network. Be careful: the computer must first have received the client policy created previously.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security

DWORD: ClientAlwaysOnInternet (set to 1)
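The same test from an elevated PowerShell prompt, as an added example that is not part of the original post: it records the current value so the change can be reverted, sets the DWORD, restarts the client service (the client only re-evaluates its location on restart), and then reads back what the client believes. It assumes the client settings above have already been received, that the InInternet property of the root\ccm ClientInfo class exists on this client build, and that the standard ClientLocation.log path is in use.

```powershell
# Added example (not from the original post): force a Windows 10 client into
# "always on Internet" mode for a CMG test, then read back where it thinks it is.
# Assumption: run elevated on a client that already received the client settings.
$key  = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
$name = 'ClientAlwaysOnInternet'

# Record the current value so the change can be reverted after the test
$before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"Previous $name : $(if ($null -eq $before) { '<not set>' } else { $before })"

# Create or overwrite the DWORD with value 1 (force Internet mode)
New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null

# The client re-evaluates its network location on service restart
Restart-Service -Name CcmExec -Force
Start-Sleep -Seconds 60

# Assumed property: ClientInfo.InInternet in root\ccm reports the client's own view
$info = Get-CimInstance -Namespace 'root\ccm' -ClassName ClientInfo
"Client reports InInternet = $($info.InInternet)"

# ClientLocation.log shows which management point / CMG the client selected
Get-Content "$env:windir\CCM\Logs\ClientLocation.log" -Tail 10

# To revert after the test:
#   Set-ItemProperty -Path $key -Name $name -Value 0; Restart-Service CcmExec -Force
```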
