Configure Cloud Management Gateway

This feature was introduced in SCCM to manage SCCM clients over the Internet. Note that it requires an Azure subscription. With it, clients can reach the SCCM site systems wherever they are. Client certificates and SSL certificates are required. This article walks through configuring the Cloud Management Gateway.

Prerequisites

  • An SCCM site system running the cloud management gateway connection point for Internet clients
  • Custom SSL certificates from an internal certificate authority, used to encrypt communication with client computers and to authenticate the identity of the cloud management gateway service
  • An Azure subscription for cloud services
  • An Azure management certificate, used to authenticate Configuration Manager to Azure

Specifications

  • Each instance of the cloud management gateway supports 4,000 clients.
  • The cloud management gateway supports the management point and software update point roles.

SCCM logs

You can use these SCCM logs to validate the creation of the Cloud Management Gateway:

  • Deployment problems: CloudMgr.log and CMGSetup.log
  • Service health: CMGService.log and SMS_CLOUD_PROXYCONNECTOR.log
  • Traffic problems: CMGHttpHandler.log, CMGService.log and SMS_CLOUD_PROXYCONNECTOR.log

Verify the domain name

From the Azure portal, click Create a resource and then Cloud Service. Enter the desired domain name and check that it does not already exist. Be careful not to create it.

You can close the window without creating the cloud service; it will be created later.

Create Web Certificate

It is necessary to create a certificate. To do this, we first create a certificate template from the Web Server template. From the Certificate Authority console, open the Certificate Templates console (right-click Certificate Templates, then Manage). Right-click the Web Server template and, in the context menu, click Duplicate Template.

Click on the General tab and enter the name CMG SCCM. Then select the Publish to Active Directory check box.

In the Request Handling tab, select Allow private key to be exported.

In the Security tab, grant the Enroll permission to the administrators group and to the SCCM server (or to a group containing the SCCM server account).

Validate the changes, then use the Certificate Authority console to publish the newly created template. Right-click Certificate Templates and select Certificate Template to Issue from the context menu. Select the newly created template and click OK.

The certificate template is now available.

Request Certificate

The certificate must now be generated and installed on the primary site's SCCM server. On the server, open the MMC console and add the Certificates snap-in. Choose computer certificates and expand the Personal / Certificates nodes.

Right-click Certificates and select All Tasks / Request New Certificate. On the Select Certificate Enrollment Policy page, click Next. On the Request Certificates page, find the CMG SCCM template in the list of available certificates, then click More information is required to enroll for this certificate.

From the Subject name drop-down list, select the subject name type and enter the domain name of the cloud service. Click Add.

From the Alternative name drop-down list, select DNS and enter the cloud service domain name. Click OK, then Enroll.

The certificate is now present in the console.

Export certificate

It is now possible to export the certificate. From the MMC Certificates console, right-click the previously generated certificate and select All Tasks / Export from the context menu. The certificate must be exported in .cer format (without the private key) for the Azure management certificate and in .pfx format (with the private key) for the Cloud Management Gateway.

For the .cer export, choose: No, do not export the private key.

For the .pfx export, choose: Yes, export the private key.

The certificate has now been exported in .pfx and .cer format. It is now necessary to generate the client certificate.
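The same two exports, done from PowerShell on the primary site server, as an added example that is not part of the original article. It assumes the certificate was issued with the subject CN=cmgexample.cloudapp.net (a placeholder for your cloud service domain name) and writes the files to C:\CMG (also a placeholder); the PFX password is prompted rather than stored in the script.

```powershell
# Added example (not from the original article): export the CMG web server certificate
# from the machine Personal store, once as .cer (public key only, for the Azure
# management certificate) and once as .pfx (with private key, for the CMG wizard).
$CmgDnsName = 'cmgexample.cloudapp.net'   # placeholder: your cloud service domain name
$OutDir     = 'C:\CMG'                    # placeholder output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Newest certificate for that name that still carries its private key
# (the CMG SCCM template allowed the key to be exported).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CmgDnsName*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $CmgDnsName." }

# Public part only (.cer): the file uploaded under Subscription > Management certificates.
$cerPath = Join-Path $OutDir 'CMG-management.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# With private key (.pfx): the file the Create Cloud Management Gateway wizard asks for.
$pfxPath     = Join-Path $OutDir 'CMG-service.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# The PFX holds the private key: restrict the file to Administrators and SYSTEM.
icacls $pfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null

# Keep the thumbprint handy; it is how the certificate is matched later in IIS.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    Cer        = $cerPath
    Pfx        = $pfxPath
}
```

Delete the .pfx file once it has been imported into the CMG wizard; the .cer can be kept, since it carries no secret.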

Create Client Certificate

A client certificate is required on every computer managed through the Cloud Management Gateway. It is also required on the server that hosts the Cloud Management Gateway connection point. You can deploy this certificate by GPO (autoenrollment).
From the Certificate Authority console, open the Certificate Templates console (right-click Certificate Templates, then Manage). Right-click the Workstation Authentication template and, in the context menu, click Duplicate Template.

Click on the General tab and enter the name SCCM Computer Certificate. Then select the Publish to Active Directory check box and set the Validity Period to 5 years.

In the Security tab, grant the Enroll and Autoenroll permissions to the Domain Computers group.

Validate the changes, then use the Certificate Authority console to publish the newly created template. Right-click Certificate Templates and select Certificate Template to Issue from the context menu. Select the newly created template and click OK.

Configure AutoEnrollment

It is now necessary to deploy certificates to the workstations managed by the Cloud Management Gateway. These certificates are deployed through a group policy. On the domain controller, open the Group Policy Management console and create a new GPO under Group Policy Objects: right-click Group Policy Objects and choose New. Enter a name and click OK.

Right-click the group policy and click Edit. The Group Policy Editor console appears. Go to Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies.

Right-click Certificate Services Client – Auto-Enrollment and select Properties from the context menu. Enable the setting by selecting Enabled, then check the boxes:

  • Renew expired certificates, update pending certificates, and remove revoked certificates
  • Update certificates that use certificate templates

Link the group policy to the desired organizational unit, then on the workstation run the command gpupdate /force. It is also possible to wait for the next refresh cycle (90 to 120 minutes). Restart the computer afterwards.

Export the client certificate’s root

On the workstation, open the MMC console and add the Certificates snap-in. In the wizard, choose Computer account. Then go to the Personal store, then Certificates.

Double-click the certificate and select Certification Path. Double-click the root certificate; the certificate appears.

Select the Details tab and click Copy to File.
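The same check and export from PowerShell on an enrolled workstation, as an added example that is not part of the original article: it locates the certificate issued from the SCCM Computer Certificate template created above (confirming autoenrollment worked), walks its chain the way the Certification Path tab does, and writes the root CA certificate to C:\CMG\RootCA.cer (a placeholder path).

```powershell
# Added example (not from the original article): find the auto-enrolled client
# certificate, build its chain and export the root CA as a .cer file.
$TemplateName = 'SCCM Computer Certificate'   # template created earlier in the article
$OutFile      = 'C:\CMG\RootCA.cer'           # placeholder output path

# Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7); for version 2
# templates its text form contains "Template=<template display name>".
$templateOid = '1.3.6.1.4.1.311.21.7'
$clientCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
        $ext -and ($ext.Format($false) -like "*$TemplateName*")
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $clientCert) {
    throw "No certificate from template '$TemplateName' found; run 'certutil -pulse' or check the GPO link."
}

# Build the chain as the Certification Path tab does. Revocation is not evaluated here
# because only the chain's shape is needed, not a revocation verdict.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($clientCert)) {
    Write-Warning ('Chain did not fully validate: ' + (($chain.ChainStatus | ForEach-Object Status) -join ', '))
}

# The last element is the top of the chain; a root CA is self-signed (subject equals issuer).
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) { throw "Top of chain '$($root.Subject)' is not self-signed." }

New-Item -ItemType Directory -Path (Split-Path -Path $OutFile) -Force | Out-Null
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

[pscustomobject]@{
    ClientCert     = $clientCert.Subject
    RootCA         = $root.Subject
    RootThumbprint = $root.Thumbprint
    Exported       = $OutFile
}
```

Compare RootThumbprint with the thumbprint shown in the CA console before uploading the file in the CMG wizard, so the gateway trusts the CA that really issued the client certificates.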

Upload certificate into Azure Subscription

In the Azure portal, click Subscriptions and select the desired subscription.

Click Management certificates, then Upload. Select the previously exported .cer file (from the CMG SCCM template).

On the Azure portal, retrieve the Subscription ID in Subscriptions.

Create the SCCM Cloud Management Gateway

From the SCCM console, go to the Administration tab and expand the Cloud Services node. Click Cloud Management Gateway and then click Create Cloud Management Gateway.

A wizard appears. Enter the subscription ID in the Subscription ID field. Using the Browse button, select the management certificate (.pfx file). Enter the password and click OK.

Using the Browse button, select the certificate in .pfx format, then select the desired Azure region.

Uncheck Verify Client Certificate Revocation and select the root CA using the Certificates button. Click Next to validate the changes.

Configure the alerts as desired and click Next on the remaining pages.

Now wait for the provisioning operation to complete.

Cloud Management Gateway Connection Point

From the SCCM console, go to the Administration tab and expand Site Configuration. Select Servers and Site System Roles. Select the server and click Add Site System Roles.

A wizard appears; click Next on the Select a server to use as a site system page. Select Cloud management gateway connection point and click Next.

You can confirm the remaining pages as they are.

Configure the Primary Site

It is now necessary to configure how clients communicate with the management point.

From the SCCM console, go to the Administration tab and expand Site Configuration. Select Sites and then your primary site.

Go to the site properties then in the Client Computer Communications tab, check Use PKI client certificate (client authentication) when available.

Clear Clients check the certificate revocation list (CRL) for site systems and click OK. At the time of writing, only the SUP (Software Update Point) and MP (Management Point) roles are supported by the Cloud Management Gateway. Using the Set button, select the root CA certificate.

The purpose of this step is to allow the site system role to accept traffic from the Cloud Management Gateway.
From the SCCM console, go to the Administration tab and expand Site Configuration. Click Servers and Site System Roles. Right-click the site system role that needs to be configured for Cloud Management Gateway traffic (for example, Management Point) and click Properties. Select the Allow Configuration Manager cloud management gateway traffic check box and click OK to confirm.

Migrate HTTP to HTTPS

Clients can now be configured to use the Cloud Management Gateway. Install the client, or wait for the SCCM client to retrieve the information.

You need to deploy the certificate to all servers and computers. After that, it is possible to enable HTTPS for all communication. On the SCCM server, open the MMC console and add the Certificates snap-in. In the wizard, choose Computer account. The certificates console is displayed.

Expand the Personal node, then Certificates. It is now necessary to identify the certificate issued from the Web Server template; this is the certificate generated at the beginning of this article. In the certificate properties, click Details and then Enhanced Key Usage.

Note the Thumbprint; it will let us verify that the correct certificate is selected when we configure the IIS server.

On the SCCM server, open the IIS console and select the default web site (the site used by SCCM). In the Actions pane, click Bindings.

Select the https line and click Edit.

From the drop-down list, select the SSL certificate and use the View button to display the certificate and check its Thumbprint. The value must match the one recorded earlier. Click OK and run iisreset from a command prompt.
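The thumbprint comparison can also be scripted, which avoids reading a 40-character hex string by eye. This is an added example, not part of the original article: it reads the certificate bound to the HTTPS binding of the site, checks that it is in the machine store, carries the Server Authentication EKU and has not expired, compares it with the thumbprint noted earlier, and only then restarts IIS. It assumes the site is named Default Web Site; the expected thumbprint is a placeholder to replace with the value read from the Details tab.

```powershell
# Added example (not from the original article): verify the IIS HTTPS binding uses the
# Web Server certificate whose thumbprint was noted, then restart IIS if it matches.
Import-Module WebAdministration

$SiteName           = 'Default Web Site'            # site used by SCCM
$ExpectedThumbprint = 'PASTE_THUMBPRINT_HERE'       # placeholder: value from the Details tab
# The Details tab shows the thumbprint with spaces and lowercase; normalise it.
$ExpectedThumbprint = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

$binding = Get-WebBinding -Name $SiteName -Protocol https
if (-not $binding) { throw "No HTTPS binding on '$SiteName'." }

# The binding records the thumbprint of the certificate it serves.
$boundThumbprint = ([string]($binding.certificateHash | Select-Object -First 1)).ToUpperInvariant()
$cert = Get-Item -Path "Cert:\LocalMachine\My\$boundThumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Bound certificate $boundThumbprint is not in the machine Personal store." }

# Server Authentication (1.3.6.1.5.5.7.3.1) is the EKU a Web Server template issues.
$serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }

$report = [pscustomobject]@{
    Site            = $SiteName
    BoundThumbprint = $boundThumbprint
    Subject         = $cert.Subject
    ServerAuthEKU   = [bool]$serverAuth
    ExpiresOn       = $cert.NotAfter
    MatchesExpected = ($boundThumbprint -eq $ExpectedThumbprint)
}
$report | Format-List

if ($report.MatchesExpected -and $report.ServerAuthEKU -and ($cert.NotAfter -gt (Get-Date))) {
    iisreset /noforce
} else {
    Write-Warning 'Binding does not match the expected certificate; fix it in IIS before running iisreset.'
}
```

Running it again after the change is a cheap regression check: if someone later rebinds the site to an expired or self-signed certificate, MatchesExpected turns false.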

Configure Client policy

From the SCCM console, go to the Administration tab and expand Site Configuration. Select Sites and then your primary site.
Go to the site properties, then in the Client Computer Communications tab check HTTPS only.

It is now necessary to configure the SCCM client. From the SCCM console, create a new Client Settings object (device settings). Enter the desired name and check Client Policy and Cloud Services.

Select Yes from the Enable User Policy Requests from Internet clients drop-down list.

Set Allow access to cloud distribution point and Enable clients to use a cloud management gateway to Yes. Click OK to create the policy and deploy it to the desired collection. For my part, I used the collection used for co-management.

Configuration test

Force the application of the policies (device policy and user policy) on the workstation. Open the registry on the workstation and set the DWORD ClientAlwaysOnInternet (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security) to 1. This change forces the use of the cloud management gateway.

On the workstation, restart the SMS Agent Host service. You can use the logs to verify that the configuration is correct:

  • LocationServices.log on the workstation
  • SMS_CLOUD_PROXYCONNECTOR.log on the server
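The test above, scripted for a lab workstation, as an added example that is not part of the original article. It sets ClientAlwaysOnInternet, restarts the SMS Agent Host service (CcmExec), then parses LocationServices.log, which uses the CMTrace line layout, and returns only the entries matching a search pattern. The pattern and the log path are assumptions to adapt; the function takes an -Enable switch so the registry value can be set back to 0 once the test is over.

```powershell
# Added example (not from the original article): force a test workstation onto the CMG,
# restart the agent, and extract the relevant LocationServices.log entries.
function Set-CmgInternetTest {
    param([bool]$Enable = $true)
    $regPath = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
    $value   = if ($Enable) { 1 } else { 0 }
    # Set-ItemProperty creates the DWORD if it is missing and updates it otherwise.
    Set-ItemProperty -Path $regPath -Name 'ClientAlwaysOnInternet' -Value $value -Type DWord
    Restart-Service -Name CcmExec -Force       # SMS Agent Host
}

function Get-CcmLogMessages {
    param(
        [string]$Path    = 'C:\Windows\CCM\Logs\LocationServices.log',   # default CCM log location
        [string]$Pattern = 'CMG|cloudapp|Internet',                       # placeholder: add your CMG hostname
        [int]$Tail       = 300
    )
    # CCM logs use the CMTrace layout:
    # <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." ...>
    # Single-line entries are parsed; multi-line messages are skipped by this simple regex.
    $lineRegex = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    Get-Content -Path $Path -Tail $Tail | ForEach-Object {
        if ($_ -match $lineRegex -and $Matches.msg -match $Pattern) {
            [pscustomobject]@{
                Date    = $Matches.date
                Time    = $Matches.time
                Message = $Matches.msg
            }
        }
    }
}

Set-CmgInternetTest -Enable $true
Start-Sleep -Seconds 120        # give location services a cycle to re-evaluate
Get-CcmLogMessages | Format-Table -AutoSize
# When finished: Set-CmgInternetTest -Enable $false
```

Keeping ClientAlwaysOnInternet at 1 on a machine that is really on the intranet sends all of its traffic through the gateway, so revert it after the test.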
