Configure CMG

Configure Cloud Management Gateway

This feature was introduced in SCCM to manage SCCM clients over the Internet. Note that it requires an Azure subscription. Once it is in place, clients can reach the SCCM site systems wherever they are. Client certificates and SSL certificates are required. This article walks through configuring the Cloud Management Gateway.

Prerequisites

  • SCCM site system running the cloud management gateway connection point for Internet clients
  • Custom SSL certificate from an internal certificate authority: used to encrypt communication from client computers and to authenticate the identity of the cloud management gateway service
  • Azure subscription for cloud services
  • Azure management certificate: used to authenticate Configuration Manager with Azure

Specifications

  • Each instance of the cloud management gateway supports 4,000 clients.
  • The cloud management gateway enables support for management point and software update point roles.

SCCM logs

You can use the following SCCM logs to validate the creation of the Cloud Management Gateway.

  • Deployment problems: CloudMgr.log and CMGSetup.log
  • Service health: CMGService.log and SMS_CLOUD_PROXYCONNECTOR.log
  • Traffic problems: CMGHttpHandler.log, CMGService.log and SMS_CLOUD_PROXYCONNECTOR.log

Verify the domain name

From the Azure portal, click Create a resource and then Cloud Service. Enter the desired domain name and check that it does not already exist. Be careful not to create it at this stage.

Configure CMG Create Cloud Services

You can close the window without creating the cloud service; it will be created later.

Create Web Certificate

A web server certificate is required. To obtain it, first create a certificate template by duplicating the built-in Web Server template. From the Certificate Authority console, open the Certificate Templates console (right-click Certificate Templates, then Manage). Right-click the Web Server template and click Duplicate Template in the context menu.

Configure CMG Create Template certificate

Click on the General tab and enter the name SCCM – CMG. Then select the Publish to Active Directory check box.

Configure CMG Create Template certificate

In the Request Handling tab, select Allow private key to be exported.

Configure CMG Allow private key to be exported

In the Security tab, grant the Enroll permission to the administrators group and to the SCCM server (or to a group containing the SCCM server account).

Configure CMG Gateway Add Security group

Validate the changes, then use the Certificate Authority console to add the newly created template: right-click Certificate Templates and select Certificate Template to Issue from the context menu. Select the template and click OK.

Configure CMG publish template

The certificate template is now available.

Request Certificate

The certificate must now be generated and installed on the primary site SCCM server. On the server, open the MMC console and add the Certificates snap-in for the computer account. Expand the Personal / Certificates nodes.

Configure CMG Access to certificate templates

Right-click Certificates and select All Tasks / Request New Certificate. On the Select Certificate Enrollment Policy page, click Next. On the Request Certificates page, select the SCCM – CMG template from the list of available templates, then click More information is required to enroll for this certificate.

Configure CMG select template

From the Subject Name drop-down list, select Subject Name and enter the domain name of the cloud service. Click Add.

Configure CMG Enter configuration

From the Alternative Name drop-down list, select DNS and enter the cloud service domain name. Click OK, then Enroll.

Configure CMG Enter name

The certificate is now present in the console.

Configure CMG Certificate has been issued

Export certificate

The certificate can now be exported. From the MMC Certificates console, right-click the certificate generated above and select Export from the context menu (All Tasks / Export). The certificate must be exported twice: in .cer format (without the private key) for the Azure management certificate, and in .pfx format (with the private key) for the Cloud Management Gateway.

For the .cer export, choose: No, do not export the private key.

Configure CMG export certificate

For the .pfx export, choose: Yes, export the private key.

The certificate has now been exported in .pfx and .cer formats. The client certificate must be generated next.
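The same double export, done from PowerShell so the two files are unambiguous. This is an added example, not code from the original article: it assumes the certificate was enrolled into the local machine Personal store with the cloud service name as its subject CN, and the service name, output folder and password prompt are placeholders. The .cer is re-read afterwards to confirm it carries no private key, since that is the file that leaves the server for Azure.

```powershell
# Added example (not from the original article): export the CMG web server certificate
# as .cer (public key only, for the Azure management certificate) and as .pfx (with the
# private key, for the Create CMG wizard).
$CloudServiceName = 'cmg-example.cloudapp.net'   # placeholder: the name verified in Azure
$OutDir           = 'C:\Temp\CMG'                # placeholder output folder

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Newest certificate issued for the cloud service name that still has its private key
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CloudServiceName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with a private key found for CN=$CloudServiceName" }

# Public part only: this is the file uploaded to the Azure subscription
$cerPath = Join-Path $OutDir 'cmg-management.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Private key included: this is the file the Create CMG wizard asks for. Protect it and its password.
$pfxPath     = Join-Path $OutDir 'cmg-server.pfx'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Sanity check: the .cer must not contain a private key
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($check.HasPrivateKey) { throw "$cerPath unexpectedly contains a private key" }

# Thumbprint lets you recognise the same certificate later in Azure and in the CMG wizard
"Exported thumbprint: $($cert.Thumbprint)"
```

Keep the .pfx on the site server only; the .cer is the one file that needs to travel to the Azure portal.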

Create Client Certificate

A client certificate is required on every computer managed through the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point. You can deploy this certificate by GPO (auto-enrollment).
From the Certificate Authority console, open the Certificate Templates console (right-click Certificate Templates, then Manage). Right-click the Workstation Authentication template and click Duplicate Template in the context menu.

Configure CMG Template certificate

Click the General tab and enter the name SCCM Computer Certificate. Then select the Publish to Active Directory check box and set the validity period to 5 years.

Configure CMG New template

In the Security tab, grant the Enroll and Autoenroll permissions to the Domain Computers and Domain Controllers groups.

Configure CMG Configure security

Validate the changes, then use the Certificate Authority console to add the newly created template: right-click Certificate Templates and select Certificate Template to Issue from the context menu. Select the template and click OK.

Configure AutoEnrollment

The certificates must now be deployed to the workstations managed by the Cloud Management Gateway. They will be deployed through a group policy. On the domain controller, open the Group Policy Management console and create a new GPO under Group Policy Objects: right-click Group Policy Objects and choose New. Enter a name and click OK.

Configure CMG Create group policy

Right-click the group policy and click Edit. The Group Policy Editor console appears. Go to Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies.

Configure CMG configure GPO

Right-click Certificate Services Client – Auto-Enrollment and select Properties from the context menu. Enable the setting by selecting Enabled, then check both boxes:

  • Renew expired certificates, update pending certificates, and remove revoked certificates
  • Update certificates that use certificate templates
Configure Cloud Management Gateway

Link the group policy to the desired organizational unit, then run gpupdate /force on the workstation. It is also possible to wait for the next refresh cycle (90 to 120 minutes). Restart the computer afterwards.

Double-click the certificate and select Certification Path. Double-click the root certificate; its properties appear.

Properties of the certificate

Select the Details tab and click Copy to File. Export the root certificate.
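A scripted version of this check and export, as an added example that is not part of the original article: after gpupdate /force it looks for a certificate issued from the SCCM Computer Certificate template in the machine store, confirms it carries the Client Authentication EKU the management point expects, builds the chain (the Certification Path tab) and writes the root CA to a .cer file. The template display name is assumed to match the one created above, the output path is a placeholder, and certutil -pulse is used only to trigger auto-enrollment early if nothing has arrived yet.

```powershell
# Added example (not from the original article): verify the auto-enrolled client
# certificate and export the root CA of its chain for use in the CMG wizard.
$TemplateName = 'SCCM Computer Certificate'   # display name of the duplicated template
$RootOut      = 'C:\Temp\CMG\root-ca.cer'     # placeholder output path

# The Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) names the template
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $ext -and $ext.Format($false) -like "*$TemplateName*"
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $clientCert) {
    # Auto-enrollment has not run yet: trigger it instead of waiting for the policy cycle
    certutil -pulse | Out-Null
    throw "No certificate from template '$TemplateName' yet; re-run after auto-enrollment completes"
}

# Client Authentication EKU (1.3.6.1.5.5.7.3.2) is what PKI client authentication relies on
$hasClientAuth = $clientCert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' }
if (-not $hasClientAuth) { throw 'Certificate lacks the Client Authentication EKU' }

# Build the chain; the last element is the root CA (the top of the Certification Path tab)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only want the path here, not a CRL lookup
if (-not $chain.Build($clientCert)) { throw 'Chain could not be built; is the root CA trusted on this machine?' }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

New-Item -ItemType Directory -Path (Split-Path $RootOut) -Force | Out-Null
Export-Certificate -Cert $root -FilePath $RootOut -Type CERT | Out-Null
"Client certificate: $($clientCert.Thumbprint)  Root CA: $($root.Subject) -> $RootOut"
```

The exported root is the file selected later with the Certificates button in the CMG wizard and with the Set button in the site properties.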

Configure CMG Properties of certificates

Upload certificate into Azure Subscription

In the Azure portal, click Subscriptions and select the desired subscription.

Select subscription

Click Management Certificates, then Upload. Select the .cer file exported earlier (the one issued from the SCCM – CMG template).

Configure CMG Properties of subscription

Configure Azure Services

From the SCCM console, go to the Administration workspace and expand the Cloud Services node. Click Azure Services and select Configure Azure Services.

Configure AzureServices

A wizard appears; enter the desired name and select Cloud Management. Click Next.

Select Cloud Management Gateway

Click the Browse button.

Select Cloud Management Gateway

A new window appears; click Create.

Create Azure AD application

Enter the application name and select the secret key validity period. Click Sign in and sign in to your Azure AD tenant with your admin credentials.

Create Azure AD Application

Click OK to validate the changes.

Create APP

Repeat the same operation for the second application, then click Next.

Create the second APP

Click Next in the Configure Discovery Settings window.

Configure Discovery Settings

Click Next in the following windows. A new entry appears in the SCCM console. On the ribbon, click Run Full Discovery Now.

Configure Discovery Settings

Open SMS_AZUREAD_DISCOVERY_AGENT.log. If it shows errors, carry out the following operations.

Configure Discovery logs

In the SCCM console, delete the entries created above (in the Azure Services node and in Azure Active Directory Tenants).

Delete configuration

From the SCCM console, click Azure Services and then Configure Azure Services.

Delete configuration

Enter the name and select Cloud Management. Click Browse in the next window.

Create application

A new window appears; click Import.

Open the Azure Active Directory portal and copy the Azure AD tenant name and Azure AD tenant ID.

Configure application

Paste the ID into the SCCM application dialog.

Configure application

Open the Azure Active Directory portal and click App registrations.

App Registration in Azure AD

Browse to the ConfigMgr Server Application and copy the Application ID value. Paste this ID and the application name into the SCCM application dialog.

Copy Application ID
Configure Application ID

Open the Certificates & secrets tab and delete the existing secrets.

Configure Application ID

Click New client secret. Select two years and click Add.

Configure Application ID

Copy the value of the new secret and paste it into the SCCM application dialog. Configure the secret key expiry and click Verify. If the configuration is verified successfully, click OK.

Copy secret value

Browse to the ConfigMgr Client Application and open the Authentication tab. Delete the existing value.

Configure Application ID

Select Public client/native and paste the following redirect URI:

ms-appx-web://Microsoft.AAD.BrokerPlugin/<ConfigMgr Server Application ID>
Configure Application ID

Click Save. Open API permissions and click Grant admin consent.

Save permission on Azure AD API

Grant admin consent for the ConfigMgr Server application as well.

grant admin consent

Back in the SCCM console, click Browse to create the native client app.

Create Native Application

A new window appears; click Import. Enter the name of the second application present in Azure AD and its client ID.

Create Native Application

Click OK, then Next in the following windows. The log should now show no error message.

Create Native Application

Create the SCCM Cloud Management Gateway

From the SCCM console, go to the Administration workspace and expand the Cloud Services node. Click Cloud Management Gateway, then Create Cloud Management Gateway.

Configure Cloud Management Gateway

A wizard appears; click Sign In and enter the username and password of the Azure admin account. The subscription ID, Azure AD app name and Azure AD tenant name are filled in automatically.

Configure Cloud Management Gateway

Use the Browse button to select the management certificate (.pfx file). Enter the password and click OK. Select the desired region and resource group, then configure the VM instances.

Configure Azure Cloud Management Gateway

Uncheck Verify Client Certificate Revocation (leave it unchecked only if your CRL is not published on the Internet, since Internet clients cannot reach an internal CRL) and select the root CA using the Certificates button. Click the Certificates button, then Add.

Configure Cloud Management Gateway

Click Add and add the root certificate. Click OK, then Next.

Configure Cloud Management Gateway

Configure the alerts as desired and click Next in the remaining windows.

Now wait for the provisioning operation to complete.

View log Configure Cloud Management Gateway
Cloud Management Gateway is now present

Cloud Management Gateway Connector Point

From the SCCM console, go to the Administration workspace and expand Site Configuration. Select Servers and Site System Roles. Select the server and click Add Site System Roles.

Add site system role

A wizard appears; click Next in the Select a server to use as a site system window. Select Cloud management gateway connection point and click Next.

Specify the role that you want to install

You can accept the defaults in the other windows.

Configure the Primary Site

The client computer communication settings must now be configured. From the SCCM console, go to the Administration workspace and expand Site Configuration. Select Sites, then your primary site.

Open the site properties, then in the Client Computer Communication tab, check Use PKI client certificate (client authentication) when available.

Enable https on SCCM

Clear Clients check the certificate revocation list (CRL) for site systems and click OK. At the time of writing, only the SUP (Software Update Point) and MP (Management Point) roles are supported by the Cloud Management Gateway. Using the Set button, select the root CA certificate.

Use PKI for CMG

The purpose of this step is to allow the site system roles to accept traffic from the Cloud Management Gateway.
From the SCCM console, go to the Administration workspace and expand Site Configuration. Click Servers and Site System Roles. Right-click the site system role that needs to accept Cloud Management Gateway traffic (for example, Management Point) and click Properties. Select HTTPS and Allow Configuration Manager cloud management gateway traffic. Click OK to confirm.

Allow HTTPS

Migrate HTTP to HTTPS

You need to deploy the computer certificate (SCCM – Computer in my case) on all servers and computers. It is then possible to enable HTTPS for all communication. On the SCCM server, open the MMC console and add the Certificates snap-in. A wizard appears; select Computer account and then Local computer. The certificates console is displayed.

Certificate

Expand the Personal node, then Certificates. A new certificate must now be requested. Select the template created earlier (SCCM – CMG in my case). The request needs the following information:

  • Subject Name – Type Common Name – Value FQDN of the server (example: srv-sccm.formation.local)
  • Subject Name – Type Common Name – Value NetBIOS name of the server (example: srv-sccm)
  • Alternative Name – Type DNS – Value FQDN of the server (example: srv-sccm.formation.local)
  • Alternative Name – Type DNS – Value NetBIOS name of the server (example: srv-sccm)

Enroll the new certificate. Note its thumbprint; it will let us verify that the correct certificate is selected when configuring the IIS server.

Thumbprint

On the SCCM server, open the IIS console and select the default site (the site used by SCCM). In the Actions pane, click Bindings.

Configure bindings

Select the https line and click Edit.

Configure IIS binding

From the drop-down list, select the SSL certificate, then use the View button to display it and check its Thumbprint property. The value must match the one recorded earlier. Click OK and run iisreset from a command prompt.
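The enrollment and the binding check, scripted so the thumbprint comparison is done by the machine rather than by eye. This is an added example, not code from the original article. It assumes the template name (as opposed to its display name) is SCCMCMG, which is what AD CS derives from the display name SCCM – CMG by default; the server names are the article's own example values; and the WebAdministration module that ships with IIS is installed. Both the FQDN and the NetBIOS name are placed in the Subject Alternative Name extension, which is the field TLS clients actually validate.

```powershell
# Added example (not from the original article): request the site server's HTTPS
# certificate with FQDN and NetBIOS SANs, bind it to the Default Web Site and
# verify the bound thumbprint, then restart IIS.
Import-Module WebAdministration

$TemplateName = 'SCCMCMG'                   # assumption: template *name* of "SCCM - CMG"
$Fqdn         = 'srv-sccm.formation.local'  # article example values
$NetBios      = 'srv-sccm'
$SiteName     = 'Default Web Site'

# Get-Certificate submits the request through the AD CS enrollment policy;
# -DnsName fills the Subject Alternative Name extension.
$req = Get-Certificate -Template $TemplateName `
    -SubjectName "CN=$Fqdn" `
    -DnsName $Fqdn, $NetBios `
    -CertStoreLocation Cert:\LocalMachine\My

if ($req.Status -ne 'Issued') { throw "Enrollment did not complete, status: $($req.Status)" }
$cert = $req.Certificate
"Issued thumbprint: $($cert.Thumbprint)"

# Make sure the certificate is usable for server authentication before binding it
if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Certificate lacks the Server Authentication EKU'
}

# Create the HTTPS binding if the site has none, then attach the certificate
$binding = Get-WebBinding -Name $SiteName -Protocol https
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
    $binding = Get-WebBinding -Name $SiteName -Protocol https
}
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Re-read the binding and compare: the scripted equivalent of the View button check
$bound = (Get-WebBinding -Name $SiteName -Protocol https).certificateHash
if ($bound -ne $cert.Thumbprint) { throw "IIS is bound to $bound, expected $($cert.Thumbprint)" }

"Binding verified, restarting IIS"
iisreset | Out-Null
```

If the enrollment status comes back as Pending, the template requires CA manager approval; issue it from the Certification Authority console and re-run Get-Certificate with the request object to retrieve it.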

Select certificate

From the SCCM console, go to the Administration workspace and expand Site Configuration. Select Sites, then your primary site.
Open the site properties, then in the Client Computer Communication tab, check HTTPS Only.

Activate HTTPS

Configure Client policy

The SCCM client must now be configured. From the SCCM console, create new Client Settings (device settings). Enter the desired name and check Client Policy and Cloud Services.

Create new policy

Select Yes from the Enable User Policy Requests from Internet clients drop-down list.

Configure client policy

Set Allow access to cloud distribution point and Enable clients to use a cloud management gateway to Yes. Click OK to create the policy and deploy it to the desired collection.

Configure Cloud Services

Clients can now be configured to use the Cloud Management Gateway. Install the client, or wait for the existing SCCM client to retrieve the new settings.

Client has been configured

Configuration test

Force the application of the policies (device policy and user policy) on the workstation. Open the registry on the workstation and set the DWORD below. This change forces the client to use the Cloud Management Gateway.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security

DWORD : ClientAlwaysOnInternet  (set to 1)
Configure registry key

On the workstation, restart the SMS Agent Host service. You can use the following logs to verify that the configuration is correct:

  • LocationServices.log on the workstation
  • SMS_CLOUD_PROXYCONNECTOR.log on the server
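The same test, scripted for the workstation side. This is an added example, not code from the original article: it sets the ClientAlwaysOnInternet value, restarts the SMS Agent Host (service name CcmExec), then filters the tail of LocationServices.log. The log folder is assumed to be the default %WINDIR%\CCM\Logs, and the keyword pattern is an assumption to be adjusted after reading the log once; Configuration Manager logs are one <![LOG[...]LOG]!> record per line, so the message text is pulled out of that wrapper before printing.

```powershell
# Added example (not from the original article): force Internet-client mode on a
# workstation, restart the client and read the location log for CMG activity.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
$LogPath = Join-Path $env:WINDIR 'CCM\Logs\LocationServices.log'   # assumption: default log folder

# 1 = always treat the client as being on the Internet (forces the CMG path), 0 = normal detection
Set-ItemProperty -Path $RegPath -Name ClientAlwaysOnInternet -Value 1 -Type DWord
$current = (Get-ItemProperty -Path $RegPath -Name ClientAlwaysOnInternet).ClientAlwaysOnInternet
"ClientAlwaysOnInternet is now $current"

# Restart the SMS Agent Host so the client re-evaluates its location
Restart-Service -Name CcmExec -Force
Start-Sleep -Seconds 60   # give the client time to contact a management point

if (-not (Test-Path $LogPath)) { throw "Log not found: $LogPath" }

# Keep only recent records that mention the gateway; the pattern is a starting guess
Get-Content -Path $LogPath -Tail 200 |
    Select-String -Pattern 'CMG|Internet|cloudapp' |
    ForEach-Object { $_.Line -replace '^<!\[LOG\[(.*?)\]LOG\]!>.*$', '$1' }

# When the test is over, return the client to normal intranet/Internet detection:
# Set-ItemProperty -Path $RegPath -Name ClientAlwaysOnInternet -Value 0 -Type DWord
```

A client that has switched over should report the CMG management point in these lines; if it keeps listing only the on-premises management point, check the client settings deployment and the client certificate before looking at the gateway itself.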
View Log
