Apr 04

Configure Cloud Management Gateway

This feature was introduced in SCCM to manage SCCM clients over the Internet. Note that it requires an Azure subscription. Once it is in place, clients can reach the SCCM site systems from wherever they are. Client certificates and SSL certificates are required. This article walks through configuring the Cloud Management Gateway.

Prerequisites

  • An SCCM site system running the cloud management gateway connection point, the connector that relays Internet client traffic to the on-premises roles
  • A custom SSL certificate from the internal certificate authority: used to encrypt communication from client computers and to authenticate the identity of the cloud management gateway service
  • An Azure subscription for cloud services
  • An Azure management certificate: used to authenticate Configuration Manager to Azure

Specifications

  • Each instance of the cloud management gateway supports 4,000 clients.
  • The cloud management gateway supports the management point and software update point roles.

Logs to use

  • Deployment problems: CloudMgr.log and CMGSetup.log
  • Service health: CMGService.log and SMS_CLOUD_PROXYCONNECTOR.log
  • Traffic problems: CMGHttpHandler.log, CMGService.log and SMS_CLOUD_PROXYCONNECTOR.log

Verify the domain name

In the Azure portal, click Create a resource and then Cloud Service. Enter the desired DNS name and check that it is not already taken. Be careful not to actually create the cloud service here: only the name is being checked, and SCCM will create the service itself later.

The DNS name for the cloud management gateway has now been validated.

Create the web server certificate

A certificate is required. To create it, first build a certificate template by duplicating the Web Server template. In the Certification Authority console, open the Certificate Templates console (right-click Certificate Templates, then Manage). Right-click the Web Server template and, in the context menu, click Duplicate Template.

On the General tab, enter the name CMG SCCM, then select the Publish certificate in Active Directory check box.

On the Request Handling tab, select Allow private key to be exported. The key has to be exportable because the same certificate is later uploaded to Azure as a PFX for the cloud service.

On the Security tab, grant the Enroll permission to the administrators group and to the SCCM site server computer account (or a group containing it).

Validate the changes, then publish the template from the Certification Authority console: right-click Certificate Templates and select New / Certificate Template to Issue from the context menu. Select the template created above and click OK.

The certificate template is now available.

Request the certificate

The certificate must now be requested and installed on the SCCM server of the primary site. On that server, open an MMC console and add the Certificates snap-in for the computer account. Expand the Personal / Certificates node.

Right-click Certificates and select All Tasks / Request New Certificate. On the Select Certificate Enrollment Policy page, click Next. On the Request Certificates page, locate CMG SCCM in the list of available templates, then click More information is required to enroll for this certificate.

In the Subject name section, choose Common name from the Type drop-down list and enter the DNS name of the cloud service (the name verified in the Azure portal, in the form name.cloudapp.net). Click Add.

In the Alternative name section, choose DNS from the Type drop-down list and enter the same cloud service DNS name. Click OK, then Enroll.

The certificate now appears in the console.

Export certificate

It is now possible to export the certificate. In the MMC Certificates console, right-click the newly issued certificate and select All Tasks / Export from the context menu. Two exports are needed: one in .cer format (without the private key) to use as the Azure management certificate, and one in .pfx format (with the private key) for the cloud management gateway itself.

For the .cer export, choose: No, do not export the private key.

For the .pfx export, choose: Yes, export the private key. Protect the file with a strong password and keep it off shared locations; whoever holds this PFX can impersonate the cloud management gateway to every Internet client.

The certificate has now been exported in both .pfx and .cer formats. The client certificate is generated next.
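As an added example (not code from the original article), the certificate request and both exports above can be done from PowerShell on the primary site server, with a few checks the MMC wizard does not show. The template name CMGSCCM (the Active Directory name of the CMG SCCM template, which drops the space), the cloud service name contoso-cmg.cloudapp.net and the folder C:\CMG are placeholders to adjust.

```powershell
# Added example, not from the original article. Placeholders: adjust all three.
$Template = 'CMGSCCM'                   # AD name of the "CMG SCCM" template (spaces dropped)
$CmgFqdn  = 'contoso-cmg.cloudapp.net'  # cloud service DNS name verified in the Azure portal
$OutDir   = 'C:\CMG'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Enroll through the enterprise CA; the FQDN must be both the CN and a DNS SAN,
# exactly what the MMC wizard steps above enter by hand.
$request = Get-Certificate -Template $Template -SubjectName "CN=$CmgFqdn" -DnsName $CmgFqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($request.Status -ne 'Issued') { throw "Enrollment did not complete: $($request.Status)" }
$cert = $request.Certificate

# Checks before the certificate is uploaded anywhere:
# Server Authentication EKU, SAN covering the cloud service name, private key present.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') { throw 'Missing Server Authentication EKU' }
if ($cert.DnsNameList.Unicode -notcontains $CmgFqdn) { throw "SAN does not list $CmgFqdn" }
if (-not $cert.HasPrivateKey) { throw 'No private key bound to the certificate' }

# .cer (public part only) becomes the Azure management certificate;
# .pfx (with the key) is what the CMG wizard uploads to the cloud service.
Export-Certificate -Cert $cert -FilePath (Join-Path $OutDir 'cmg-management.cer') -Type CERT | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX (it holds the CMG private key)'
# Fails if the template did not allow the key to be exported
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir 'cmg-server.pfx') -Password $pfxPassword | Out-Null

'Issued by {0}, thumbprint {1}, valid until {2:u}' -f $cert.Issuer, $cert.Thumbprint, $cert.NotAfter
Get-ChildItem -Path $OutDir | Select-Object Name, Length
```

The EKU and SAN checks catch the two mistakes that only surface later as a CMG that clients refuse to trust: a template duplicated from the wrong parent, or a subject entered without the matching DNS alternative name.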

Create the client certificate

A client certificate is required on every computer managed through the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point. This certificate can be deployed by GPO (auto-enrollment).
In the Certification Authority console, open the Certificate Templates console (right-click Certificate Templates, then Manage). Right-click the Workstation Authentication template and, in the context menu, click Duplicate Template.

On the General tab, enter the name SCCM Computer Certificate, select the Publish certificate in Active Directory check box and set the validity period to 5 years.

On the Security tab, grant the Enroll and Autoenroll permissions to the Domain Computers group.

Validate the changes, then publish the template from the Certification Authority console: right-click Certificate Templates and select New / Certificate Template to Issue from the context menu. Select the template created above and click OK.

Configure auto-enrollment

The certificates must now be deployed to the workstations that will be managed through the cloud management gateway. They are deployed through a group policy. On the domain controller, open the Group Policy Management console and create a new GPO under Group Policy Objects: right-click Group Policy Objects and choose New, enter a name and click OK.

Right-click the group policy and click Edit. In the Group Policy Management Editor, go to Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies.

Right-click Certificate Services Client - Auto-Enrollment and select Properties from the context menu. Set the Configuration Model to Enabled, then check both boxes:

  • Renew expired certificates, update pending certificates, and remove revoked certificates
  • Update certificates that use certificate templates

Link the group policy to the desired organizational unit. On a workstation, run gpupdate /force, or wait for the next refresh cycle (90 to 120 minutes). Restart the computer afterwards.
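As an added example (not from the original article), the same GPO can be created and linked with the GroupPolicy module. The GPO name, the OU distinguished name and the three registry values are assumptions: the values are what the Group Policy editor writes when Auto-Enrollment is set to Enabled with both boxes checked, so compare them with Get-GPRegistryValue against a GPO configured by hand before relying on the script.

```powershell
# Added example, not from the original article. Placeholders: GPO name and OU.
Import-Module GroupPolicy

$GpoName  = 'CMG Client Certificate Autoenrollment'
$TargetOu = 'OU=Workstations,DC=corp,DC=example'
$Key      = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Computer certificate auto-enrollment for the CMG'
}

# Assumed registry equivalents of the editor settings (verify with Get-GPRegistryValue
# on a hand-made GPO): AEPolicy 7 = Enabled with both boxes checked, 0x8000 = Disabled.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
# Renew when 10 % of the lifetime remains, watching the computer's Personal (MY) store
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'OfflineExpirationPercent' -Type DWord -Value 10 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'OfflineExpirationStoreNames' -Type String -Value 'MY' | Out-Null

# Link once to the OU holding the workstations managed through the CMG
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what the GPO will push; workstations pick it up at the next refresh or gpupdate /force
Get-GPRegistryValue -Name $GpoName -Key $Key | Format-Table ValueName, Type, Value -AutoSize
```

Scoping the link to the OU that actually holds the managed workstations, rather than the domain root, keeps servers and other machines from silently enrolling for a certificate they do not need.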

Export the root CA of the client certificate

On the workstation, open an MMC console and add the Certificates snap-in. In the wizard, choose Computer account. Then open the Personal store and its Certificates node.

Double-click the client certificate and select the Certification Path tab. Double-click the root certificate; its details open.

Select the Details tab and click Copy to File to export the root CA certificate as a .cer file. No private key is involved here: the CMG only needs the public root certificate to validate client certificates.
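As an added example (not from the original article), this PowerShell script performs the workstation-side steps above: it confirms the auto-enrollment policy applied, forces an enrollment pass, finds the certificate issued from the SCCM Computer Certificate template, builds its chain and exports the root CA as a .cer file. The output folder C:\CMG is a placeholder.

```powershell
# Added example, not from the original article. Run elevated on a workstation in the OU.
$TemplateName = 'SCCM Computer Certificate'   # display name given to the duplicated template
$OutDir       = 'C:\CMG'                      # placeholder output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Policy check: the auto-enrollment GPO writes AEPolicy under this key (0x8000 = Disabled)
$ae = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if (-not $ae -or $ae.AEPolicy -eq 0x8000) { throw 'Auto-enrollment policy has not applied to this computer' }

# Trigger an enrollment pass now instead of waiting for the 90-120 minute cycle
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 15

# Locate the client certificate: Client Authentication EKU plus the certificate template
# extension naming our template (display name or AD name, whichever the OID resolves to)
$pattern = '({0}|{1})' -f [regex]::Escape($TemplateName), ($TemplateName -replace ' ', '')
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' -and $tpl -and $tpl.Format($false) -match $pattern
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate from template '$TemplateName' in the computer store yet" }

# Build the chain (the internal CRL is not reachable from the Internet, so skip revocation here)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    throw ('Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '))
}

# The last element of the chain is the root CA; export it without any private key
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $root -FilePath (Join-Path $OutDir 'root-ca.cer') -Type CERT | Out-Null

[pscustomobject]@{
    ClientSubject = $cert.Subject
    ClientExpires = $cert.NotAfter
    Issuer        = $cert.Issuer
    RootCA        = $root.Subject
    RootFile      = Join-Path $OutDir 'root-ca.cer'
}
```

Building the chain on the workstation before exporting the root is the cheap way to confirm that the CMG will receive the CA that actually issued the client certificates, not a stale root left in the store from an earlier PKI.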

Upload the certificate to the Azure subscription

In the Azure portal, click Subscriptions and select the desired subscription.

Click Management certificates, then Upload. Select the .cer file exported earlier from the CMG SCCM template.

Still under Subscriptions in the Azure portal, note the Subscription ID; the SCCM wizard asks for it.

Create the SCCM Cloud Management Gateway

In the SCCM console, go to the Administration workspace and expand the Cloud Services node. Click Cloud Management Gateway, then Create Cloud Management Gateway.

A wizard appears. Enter the subscription ID in the Subscription ID field. Use the Browse button to select the management certificate (the .pfx file), enter its password and click OK.

Use the Browse button to select the server certificate in PFX format, then choose the desired Azure region.

Clear the Verify Client Certificate Revocation check box and, using the Certificates button, select the root CA exported from the workstation. Click Next to validate. Revocation checking is disabled here because the internal CA's CRL is not reachable from the Internet; if the CRL is published at an Internet-accessible location, leave the box checked so that the CMG rejects revoked client certificates.

Configure the alerts as desired and click Next on the remaining pages.

Wait for the provisioning operation to complete.
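As an added example (not from the original article), the following PowerShell check, run from the server that will host the connection point, opens a TLS session to the cloud service and compares the certificate it serves with the one enrolled earlier, then shows the deployment logs if the chain fails. The cloud service name contoso-cmg.cloudapp.net is a placeholder; the log folder is taken from the SMS_LOG_PATH environment variable, which is assumed to be set on the site server.

```powershell
# Added example, not from the original article. Placeholder: the cloud service name.
$CmgFqdn = 'contoso-cmg.cloudapp.net'

# The CMG server certificate enrolled earlier, looked up by its DNS SAN
$expected = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $CmgFqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# The CMG may request a client certificate in the handshake: offer this host's
# client-authentication certificate (the one the connection point role needs anyway)
$clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    ForEach-Object { [void]$clientCerts.Add($_) }

$tcp = New-Object System.Net.Sockets.TcpClient($CmgFqdn, 443)
# Accept any chain at handshake time so that a mismatch is reported below instead of as an exception
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($CmgFqdn, $clientCerts, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Close()
    $tcp.Close()
}

# Validate the served certificate ourselves (internal CRL is not Internet-reachable: no revocation check)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($served)

[pscustomobject]@{
    Host             = $CmgFqdn
    ServedSubject    = $served.Subject
    ServedThumbprint = $served.Thumbprint
    SanCoversHost    = [bool]($served.DnsNameList.Unicode -contains $CmgFqdn)
    MatchesEnrolled  = [bool]($expected -and $served.Thumbprint -eq $expected.Thumbprint)
    ChainBuilds      = $chainOk
}

# If the check fails, the deployment logs (see "Logs to use") are the next stop
if (-not $chainOk -and $env:SMS_LOG_PATH) {
    foreach ($log in 'CloudMgr.log', 'CMGSetup.log') {
        $path = Join-Path $env:SMS_LOG_PATH $log
        if (Test-Path $path) { Select-String -Path $path -Pattern 'error|fail' | Select-Object -Last 5 }
    }
}
```

A served thumbprint that differs from the enrolled one means the wrong PFX was uploaded in the wizard; a chain that fails to build on this server while the thumbprint matches points at a missing intermediate or root in the local store rather than at the CMG.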

Cloud Management Gateway connection point

In the SCCM console, go to the Administration workspace and expand Site Configuration. Select Servers and Site System Roles, select the server and click Add Site System Role.

A wizard appears; click Next on the Select a server to use as a site system page. Select Cloud management gateway connection point and click Next.

Accept the defaults on the remaining pages.

Configure the primary site

It is now necessary to configure how clients communicate with the management point.

In the SCCM console, go to the Administration workspace and expand Site Configuration. Select Sites, then your primary site.

Open the site properties and, on the Client Computer Communication tab, check Use PKI client certificate (client authentication) when available.

Clear Clients check the certificate revocation list (CRL) for site systems and click OK. At the time of writing, only the software update point (SUP) and management point (MP) roles are supported by the Cloud Management Gateway.

The purpose of this step is to allow the site system roles to accept traffic from the Cloud Management Gateway.
In the SCCM console, go to the Administration workspace and expand Site Configuration. Click Servers and Site System Roles. Right-click the site system role that must accept Cloud Management Gateway traffic (for example the Management Point) and click Properties. Select the Allow Configuration Manager cloud management gateway traffic check box and click OK to confirm.

Client configuration

Clients can now be configured to use the cloud management gateway. Install the client, or wait for the existing SCCM client to retrieve the updated policy.
