CMG – VM Scale set
Customers whose Azure subscription comes through a CSP (Cloud Solution Provider) can run into many problems when setting up the CMG. Since Configuration Manager version 2010, the Cloud management gateway can be deployed with an Azure VM scale set instead.
Enable feature
The feature must first be enabled. From the console, go to the Administration tab and expand Updates and Servicing. Select Cloud management gateway with Azure VM scale set and click Turn on.
A confirmation message appears; click Yes. The feature is now enabled.
Issue of certificate
From your Certification Authority server, right click Certificate Templates and select Manage.
The Certificate Templates Console appears. Right click the Web Server template and click Duplicate.
Configure the Compatibility tab, then click General.
Enter the desired template name.
From the Request Handling tab, tick Allow private key to be exported.
I created a security group in my Active Directory that contains my SCCM primary site server. On the Security tab, click the Add button and select the group. Tick the Enroll permission.
Click OK and close the Certificate Templates Console. Right click Certificate Templates and click New / Certificate Template to Issue.
Add the template created above and click OK.
The template has been added.
Configure Azure AD
You can now integrate your Configuration Manager site with your Azure Active Directory tenant. This step allows authentication with Azure AD.
From the Configuration Manager console, click the Administration tab and expand Cloud Services. Select Azure Services, then click Configure Azure Services.
A new wizard appears. Enter the desired name and select Cloud Management. Click Next.
Click Browse to create the Web app.
A new window appears; click Create.
Enter the application name, then click Sign In.
Sign-in is successful. Click OK twice.
Click Browse to create the Native Client app.
A new window appears; click Create.
Enter the desired name and click Sign In. Click OK to create the application.
Click OK twice. Tick Disable Azure Active Directory authentication for this tenant and click Next.
Click Next on the remaining pages and leave the default values. The Azure service has been created.
Verify Cloud Services name
This step checks whether the Azure Cloud Services name you want is available. From the Azure portal, search for Cloud Services.
Click Create cloud service.
Enter the desired name to check its availability. Do not create the service.
You can now issue the certificate.
Issued required certificate
Before configuring Configuration Manager, you need to issue the certificate. From the Configuration Manager server, open an mmc console, click File, then Add/Remove Snap-in.
Select Computer account, then click Next. Click Finish.
Right click Personal, then click Request New Certificate.
Select the template created above and click More information is required to enroll for this certificate.
Select Common name as the Subject name and enter the following value:
Name.NameOfAzureRegion.CloudApp.Azure.com
For me : InYourCloud.FranceCentral.CloudApp.Azure.com
Click Add, then OK. Click Enroll to enroll the new certificate.
Right click the certificate and select All Tasks / Export.
Tick Yes, export the private key and click Next.
Leave the default format (Personal Information Exchange) and click Next. Enter the desired password and click Next.
With the Browse button, select the directory and file name.
Click Next, then Finish. The certificate has been exported and will be used later.
The root CA certificate must also be exported. Open the properties of the certificate exported above and click the Certification Path tab. Select the Root CA certificate and click View Certificate.
Open the Details tab and click Copy to File.
Export the certificate.
You can now configure HTTPS for the whole SCCM hierarchy. You can use my previous post (Create Client Certificate, Configure AutoEnrollment, Configure the Primary Site and Migrate HTTP to HTTPS steps).
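The same request and export steps, done from PowerShell instead of the mmc snap-in. This is an added example, not part of the original post; the template name and output paths are assumptions, and the CN reuses the post's example value.

```powershell
# Added example (not from the original post): request the CMG server certificate
# from the duplicated Web Server template, then export the PFX (with private key)
# and the root CA certificate as a .cer file for the CMG wizard.
# Assumed values: template name and output paths.
$TemplateName = 'CMG-WebServer'                                   # assumed: name given to the duplicated template
$CmgFqdn      = 'InYourCloud.FranceCentral.CloudApp.Azure.com'    # Name.NameOfAzureRegion.CloudApp.Azure.com
$PfxPath      = 'C:\Certs\cmg.pfx'                                # assumed output paths
$RootCerPath  = 'C:\Certs\cmg-root.cer'
$PfxPassword  = Read-Host -AsSecureString -Prompt 'PFX password'

# Enroll against the AD CS template (the computer needs Enroll permission on it)
$enroll = Get-Certificate -Template $TemplateName -SubjectName "CN=$CmgFqdn" `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') { throw "Enrollment failed with status $($enroll.Status)" }
$cert = $enroll.Certificate

# Sanity checks before exporting: private key present and the chain validates
if (-not $cert.HasPrivateKey) { throw 'Issued certificate has no private key' }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) { throw 'Certificate chain does not validate' }

# Export the PFX (Personal Information Exchange) that the CMG wizard uploads
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# The last element of the built chain is the root CA; export it DER-encoded (.cer)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $root -FilePath $RootCerPath -Type CERT | Out-Null

"Server certificate thumbprint : $($cert.Thumbprint)"
"Root CA subject               : $($root.Subject)"
```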
Create the CMG
From the Configuration Manager console, click Cloud Management Gateway, then click Create Cloud Management Gateway.
Select Virtual machine scale set and click Sign In.
Select an administrator account in Azure AD; the Azure subscription and application appear.
Click the Browse button and select the certificate file exported above. The service name and deployment name appear. Select the Azure region (France Central for me).
Select the desired resource group and enter the number of VM instances. Click Certificates to upload the root certificate.
With the Add button, select the root certificate exported above.
Configure the Alerts window. You can now launch the creation of the CMG.
You can check CloudMgr.log for errors.
After a few long minutes, the Cloud Management Gateway is Ready.
Cloud management gateway connection point
When the CMG is ready, you need to install the Cloud management gateway connection point. From the Configuration Manager console, click Administration, then Sites. Click the site, then Add Site System Roles.
Tick Cloud management gateway connection point and click Next.
The Cloud management gateway name and the Region are configured. Click Next.
Click Next; the Cloud management gateway connection point has been configured.
Create client policy
The client policy can now be created. From the SCCM console, click Administration, then Client Settings. On the ribbon, click Create Custom Client Device Settings.
Enter the desired name and tick Client Policy and Cloud Services.
Select Yes from the Enable User Policy Requests from Internet clients drop-down list.
Select Cloud Services and set Yes for Allow Access to cloud distribution point and Enable clients to use Cloud management Gateway. Click OK to create the policy. You can then deploy it to the desired collection.
Test CMG
If you want to test your CMG, configure the following DWORD on a Windows 10 computer. The computer will then behave as if it were outside the local network. Be careful: the computer must first have received the client policy created above, otherwise it will have no CMG to fall back to.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security
DWORD : ClientAlwaysOnInternet (set to 1)
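The test step from PowerShell, as an added example that is not part of the original post: set the DWORD, restart the agent and confirm the client now reports itself as an Internet client. The ClientInfo WMI class and the log file names are assumptions about the agent, not taken from the post.

```powershell
# Added example (not from the original post): force a Windows 10 test client into
# "always on Internet" mode, restart the SCCM agent and check how it sees itself.
$Key = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'

# Prerequisite from the post: the client must already hold the custom client settings
# that enable CMG use, otherwise it has no Internet-facing management point to use.
New-Item -Path $Key -Force | Out-Null
Set-ItemProperty -Path $Key -Name 'ClientAlwaysOnInternet' -Value 1 -Type DWord

# The agent reads the value at start-up, so restart it and give it time to re-evaluate
Restart-Service -Name CcmExec -Force
Start-Sleep -Seconds 60

# Assumption: root\ccm:ClientInfo exposes InInternet, True when the agent treats
# itself as an Internet client (i.e. it should now talk through the CMG).
$info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo'
"InInternet : $($info.InInternet)"

# Assumption: the agent logs location decisions in LocationServices.log under CCM\Logs
$LogPath = Join-Path $env:windir 'CCM\Logs\LocationServices.log'
if (Test-Path $LogPath) {
    Get-Content $LogPath -Tail 30 | Select-String -Pattern 'CMG|Internet'
}

# To revert the test client:
#   Remove-ItemProperty -Path $Key -Name 'ClientAlwaysOnInternet'
#   Restart-Service -Name CcmExec -Force
```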