Latest SCCM CMG Implementation Guide with EHTTP Certificate

Latest SCCM CMG Setup Guide

In the previous post (part 1), we discussed the SCCM Cloud Management Gateway (CMG) architecture and its role in a co-management environment. In this post, let us look at how to configure SCCM CMG with fewer certificates (New SCCM CMG Setup Guide).


Introduction

We all know that SCCM CMG is evolving. So, if you are planning SCCM CMG in your environment, upgrade SCCM to the latest version to get the more enhanced CMG features.

You can refer to the documentation for the appropriate SCCM version (SCCM 1810, 1902 and 1906). There have been a lot of improvements to CMG (Cloud Management Gateway) with every new SCCM version.

NOTE! – Are you planning to replace SCCM IBCM servers with SCCM CMG? I would recommend reading the following post “SCCM IBCM Vs CMG Differences a Real World Comparison.”

Cloud Management gateway Architecture

Screenshot: CMG architecture
  1. An internet-connected SCCM client requests policy from the Azure CMG cloud service.
  2. The Azure CMG cloud service forwards the client communication to the on-premises CMG connection point. The CMG cloud service gets policy from the on-premises MP and SUP through the CMG connection point role.
  3. The CMG connection point role acts as a proxy and builds a two-way communication channel between the on-premises SCCM roles (MP and SUP) and the Azure CMG cloud service.
  4. Finally, SCCM clients get policy and content from the Azure CMG cloud service.

Note:  CMG supports the management point and software update point roles only. More details about SCCM CMG supported communications are available here.

CMG Prerequisites

The following is a quick list of SCCM CMG setup prerequisites:

  • Unique CMG DNS name
  • Azure subscription to host the CMG
  • Azure permissions with Global Admin and subscription owner rights
    • Subscription admin permission to deploy the CMG cloud service
    • Global/Service Admin permission to integrate the SCCM site with Azure AD using Azure Resource Manager
    • In this post, my ID already had Global Admin rights, which were used for all configurations. Hence, I did not have to worry much about these prerequisites.
  • Internet access connectivity requirements
  • Network port requirements
  • Windows 10 devices should have IPv4 enabled
  • Server authentication certificate for the CMG
  • Service connection point in online mode. The service connection point is responsible for deploying the CMG in Azure.
  • On-premises Windows server to host the CMG connection point. In this post, we host the CMG connection point role on a dedicated server together with the MP and SUP, with Enhanced HTTP enabled. If you already have an HTTPS-enabled MP and SUP, there is no need for a separate server.
  • The Microsoft.ClassicCompute and Microsoft.Storage resource providers must be registered in the Azure subscription. For more details, refer to Ronny's blog.

7 steps for SCCM CMG Configuration

Screenshot: CMG configuration steps

Infrastructure setup used for this post

  • AAD Connect enabled for hybrid Azure AD join
  • SCCM 1902
  • Internal PKI CA for certificates. In this post, we are not using a third-party certificate.
  • Dedicated site system server with MP and SUP for CMG
  • Windows 10 1903 Enterprise

Let us cover each configuration step in detail.

Verify unique CMG DNS

In this step, we need to identify a unique CMG service name that we will use later in SCCM. SCCM creates the CMG cloud service in the *.cloudapp.net domain, so the CMG service name in Azure must be unique and not already in use by anyone.

Note: we do not have to create the CMG service in the portal; SCCM takes care of deploying the CMG cloud service. We only need to ensure the CMG service name is unique.

Below are the steps to check for a unique service name:

  • Sign in to the Azure portal and search for Cloud service.
  • Select Cloud service and type the prefix in the DNS name field.
  • If the name is available, the interface shows a green check.
Screenshot: Cloud service in the Azure portal
  • If the name is unavailable, the interface shows red. Try a new name if it is red.
Screenshot: DNS name selection for CMG

The cloud management gateway can now also serve as a cloud distribution point. Below are the steps to check for a unique storage account name:

  • Sign in to the Azure portal. Search for Storage account and select Create.
  • Type the name prefix in the “Storage account name” field.
  • A green tick means the storage account name is unique and available.
Screenshot: Storage account name check

Make a note of this unique name. Later, while configuring the CMG wizard in SCCM, we will use this name.
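The two portal checks above can also be scripted before you commit to a name. The PowerShell below is an added example and not part of the original post: it takes a placeholder prefix, does a public DNS lookup for <prefix>.cloudapp.net (a heuristic only, since a name that is reserved but not yet deployed will not resolve, so the portal check remains authoritative) and asks Azure whether the storage account name is free with Get-AzStorageAccountNameAvailability from the Az.Storage module. It assumes the Az modules are installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the original post): pre-flight check that the chosen
# CMG cloud service name and storage account name are still free.
# Assumptions: Az.Accounts / Az.Storage installed and Connect-AzAccount done;
# $Prefix is the placeholder name you intend to use.
param(
    [Parameter(Mandatory)][string]$Prefix   # e.g. 'contoso-cmg' (placeholder)
)

# 1. CMG cloud service: SCCM deploys it as <prefix>.cloudapp.net.
#    A public DNS lookup is a cheap heuristic: if the name already resolves,
#    someone else owns it. (The portal check is authoritative.)
$cmgFqdn  = "$Prefix.cloudapp.net"
$resolved = Resolve-DnsName -Name $cmgFqdn -Type A -ErrorAction SilentlyContinue
if ($resolved) {
    Write-Warning "'$cmgFqdn' already resolves to $($resolved.IPAddress -join ', '); pick another prefix."
} else {
    Write-Host "'$cmgFqdn' does not resolve in public DNS (likely available; confirm in the portal)."
}

# 2. Storage account name (used when the CMG also serves as a cloud DP):
#    3-24 characters, lowercase letters and digits only, globally unique.
$storageName = ($Prefix -replace '[^a-zA-Z0-9]', '').ToLower()
if ($storageName.Length -lt 3 -or $storageName.Length -gt 24) {
    throw "Storage account name '$storageName' must be 3-24 lowercase alphanumeric characters."
}
$avail = Get-AzStorageAccountNameAvailability -Name $storageName
if ($avail.NameAvailable) {
    Write-Host "Storage account name '$storageName' is available."
} else {
    Write-Warning "Storage account name '$storageName' is taken: $($avail.Reason) - $($avail.Message)"
}
```

Run it as `.\Check-CmgNames.ps1 -Prefix contoso-cmg` (file name and prefix are placeholders). Write down both names that come back free; they are entered later in the CMG wizard.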

Step 1 completed 🙂 Let us proceed to the next step.

Certificate preparation

To configure CMG we need at least one certificate (a server authentication certificate). Depending on your scenario you may need more. In the scenario of this post, we need only one certificate (server authentication). Let us discuss the server-side and client-side certificates.

Server-side certificate

Third-party vendors like DigiCert, or Microsoft PKI, can issue the server authentication certificate; certificates from either are supported. In this post, we use Microsoft Enterprise PKI.

The server authentication certificate is mandatory when configuring CMG in any scenario. In part 1 of this series, we discussed the different CMG scenarios.

Note: Microsoft recommends using a trusted third-party certificate provider like DigiCert. Windows 10 trusts these third-party certificates without any root certificate dependency. We will discuss this more in later sections.

Let us discuss the steps to get the server authentication certificate.

Screenshot: PKI certificate steps for SCCM CMG
  • Step 1: Create the server authentication certificate template
  • Step 2: Enable the server authentication certificate template
  • Step 3: Enroll the server authentication certificate
  • Step 4: Export the certificate with its private key
  • Steps 1 and 2 are done on the CA server
  • Steps 3 and 4 are done on the SCCM server

Step 1: Create server authentication certificate template

  • Log in to the Certification Authority server and open the Certification Authority console (certsrv.msc).
  • Right-click Certificate Templates and select Manage.
  • Right-click Web Server and click Duplicate Template.
Screenshot: Certificate Templates console
  • Click the General tab and change the display name. Example: Server certificate CMG
Screenshot: Server certificate template for CMG
  • Click the Request Handling tab. Check the box “Allow private key to be exported”. Click OK.
Screenshot: Allow private key to be exported
  • Click the Security tab. Add the security group that contains the SCCM server computer accounts. Ensure the group has Read and Enroll permissions.
  • By default, the Enterprise Admins security group has Enroll permission. Remove the Enterprise Admins group from the list.
Screenshot: Read and Enroll permissions for the SCCM CMG certificate template
  • Close the Certificate Templates window.

Step 2: Enable server authentication certificate template

In the previous step, we prepared the certificate template for CMG. However, the template is not yet enabled for issuance. Let us do that now.

  • Launch the Certification Authority console. Right-click Certificate Templates and click New > Certificate Template to Issue.
Screenshot: Certificate Template to Issue
  • Select the template we created in step 1 and click OK to enable it. Done.
Screenshot: Template enabled for issuance

Step 3: Enroll the server authentication certificate in SCCM

Note: It is recommended to reboot the SCCM server before enrolling the certificate. This refreshes the SCCM computer's authentication token with the CA server. We already granted Enroll permission to the SCCM server in the certificate template.

  • Launch MMC and open Certificates > Local Computer > Personal > Certificates.
  • Right-click Certificates > All Tasks > Request New Certificate.
Screenshot: Request New Certificate
  • Click Next.
Screenshot: Certificate Enrollment
  • Select the certificate template we issued from the CA.
  • Click the “more information” link to add details.
Screenshot: Certificate Enrollment for CMG
  • In the Subject tab, under the Subject name Type drop-down, choose Common name.
  • Enter the unique name we verified in step one. The name should end with .cloudapp.net.
  • Click Add and then OK to close.
Screenshot: Common name entry for the CMG certificate

The certificate enrolled successfully. Click Finish.

Step 4: Export the private key

Finally, in this step we export the certificate together with its private key (.PFX) for the certificate we enrolled in step 3. We need this file to configure the CMG.

Let us go through the steps to export the private key.

  • Launch MMC and open Certificates > Local Computer > Personal > Certificates.
  • Right-click the XXXXX.cloudapp.net certificate > All Tasks > Export.
Screenshot: Export CMG certificate
  • In the wizard, choose “Yes, export the private key”.
  • Leave everything else at the defaults and protect the certificate with a password.
  • Save the certificate with the .PFX extension to finish the wizard.
Screenshot: Certificate export summary
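Steps 3 and 4 above can be done from an elevated PowerShell session on the SCCM server instead of the MMC wizards. The script below is an added example, not code from the original post: it enrolls from the enterprise CA with Get-Certificate, checks that the private key is present and that the chain validates for the CMG name with Test-Certificate, and then exports the PFX with Export-PfxCertificate. The template name 'ServercertificateCMG' is an assumption (Get-Certificate wants the template name from the template's General tab, not the display name), and 'contoso-cmg.cloudapp.net' and the output path are placeholders.

```powershell
# Added example (not from the original post): enroll the CMG server authentication
# certificate from the internal CA and export it with its private key (steps 3 and 4).
# Run elevated on the SCCM server; needs the PKI module (Windows Server / RSAT).
$TemplateName = 'ServercertificateCMG'          # ASSUMED template name (check the template's General tab)
$CmgFqdn      = 'contoso-cmg.cloudapp.net'      # placeholder: the unique name verified in step 1
$PfxPath      = 'C:\Temp\cmg-server-auth.pfx'   # placeholder output path

# Step 3: request the certificate with CN=<name>.cloudapp.net and a matching SAN.
$req = Get-Certificate -Template $TemplateName `
                       -SubjectName "CN=$CmgFqdn" `
                       -DnsName $CmgFqdn `
                       -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') {
    # 'Pending' usually means the template needs CA manager approval or the
    # computer account lacks Enroll permission on the template.
    throw "Enrollment did not complete: status is $($req.Status)."
}
$cert = $req.Certificate

# Sanity checks before export: private key present, chain builds to a root the
# clients will trust, and the name on the certificate matches the CMG FQDN.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $CmgFqdn)) {
    throw "Chain or name validation failed for $CmgFqdn; verify the root/intermediate CA certificates."
}

# Step 4: export to PFX protected by a password that is prompted for, never hard-coded.
$pwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pwd -ChainOption EndEntityCertOnly | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $PfxPath. Upload this PFX in the CMG wizard."
```

Treat the resulting PFX as a secret: it is the identity of the CMG endpoint. Keep it on the server only long enough to upload it in the CMG wizard, then delete the file.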

Client-side certificate

Why is a certificate required on the Windows 10 client for CMG?

The SCCM client must authenticate to confirm its identity before communicating with the CMG cloud service. There are three options for authentication. In this post we use the third option.

  1. PKI client authentication certificate, or
  2. User identity token (Azure AD user discovery), or
  3. Azure AD computer identity (using the default Azure client authentication certificate)

By default, hybrid Azure AD joined or Azure AD joined computers receive the two certificates below from Azure. These certificates serve as the authentication token for the CMG service. In this post, we use these two certificates.

Screenshot: Azure AD device certificates on the client

Note 1: If we are using Microsoft internal PKI, the root CA certificate of your internal PKI is required on the Windows 10 client.

Note 2: If you are using a third-party certificate from Entrust, UserTrust, Thawte, DigiCert, etc., the root CA is not required. Even for Azure AD connected machines, you do not need to deploy any root CA. Unlike Microsoft Enterprise PKI, Windows 10 already trusts these third-party roots, which reduces complexity and the root CA dependency on the client side. Microsoft recommends a third-party certificate for this reason.
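A quick way to confirm a Windows 10 client meets the client-side conditions described in this section (join state, Azure-issued device certificates, and the internal root CA from Note 1) is the readiness check below. It is an added example, not from the original post. The CMG FQDN and root CA thumbprint are placeholders, and the 'MS-Organization' issuer pattern used to find the Azure AD device certificates is an assumption about their issuer names.

```powershell
# Added example (not from the original post): readiness check for a Windows 10 client
# that will authenticate to the CMG with its Azure AD device identity.
# Checks: (1) hybrid/Azure AD join state via dsregcmd, (2) the Azure-issued device
# certificates, (3) the internal root CA in the machine Root store (needed only when
# the CMG server certificate comes from an internal PKI), (4) TCP reachability of the CMG.
param(
    [string]$CmgFqdn          = 'contoso-cmg.cloudapp.net',                 # placeholder
    [string]$RootCaThumbprint = 'REPLACE_WITH_INTERNAL_ROOT_CA_THUMBPRINT'  # placeholder
)

# 1. Join state. dsregcmd /status prints lines such as "AzureAdJoined : YES".
$status        = dsregcmd /status
$azureAdJoined = [bool]($status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($status | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')

# 2. Azure AD device certificates in the machine Personal store.
#    Issuer pattern is ASSUMED (device and P2P certs are issued by "MS-Organization-..." issuers).
$aadCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match 'MS-Organization' }

# 3. Internal root CA present in Trusted Root (machine). Not needed for a public CA.
$rootPresent = $null -ne (Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootCaThumbprint })

# 4. Can the client reach the CMG on 443 at all (proxy/firewall sanity check)?
$tcp = Test-NetConnection -ComputerName $CmgFqdn -Port 443 -WarningAction SilentlyContinue

[pscustomobject]@{
    AzureAdJoined      = $azureAdJoined
    DomainJoined       = $domainJoined
    HybridJoined       = ($azureAdJoined -and $domainJoined)
    AadDeviceCertCount = @($aadCerts).Count
    AadDeviceCerts     = (@($aadCerts) | ForEach-Object { "$($_.Subject) (expires $($_.NotAfter.ToShortDateString()))" }) -join '; '
    InternalRootCaOK   = $rootPresent
    CmgTcp443          = $tcp.TcpTestSucceeded
} | Format-List
```

A client that shows HybridJoined false or AadDeviceCertCount 0 will not be able to present the Azure AD device identity, and with an internal PKI server certificate a client with InternalRootCaOK false will reject the CMG's TLS certificate. Those are the first two things to check when a client never shows the CMG URL in the control panel.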

Azure Service integration with SCCM

In this step, we integrate SCCM with Azure cloud services. This integration is performed using the SCCM Azure Services Wizard. For more configuration details on the Azure Services wizard, refer here.

This wizard can configure two things:

  1. Azure AD web app registration: the SCCM client uses the Azure web app URL to authenticate with Azure.
  2. Azure AD user discovery (optional): we are not going to configure this. As discussed already, in this post the user identity token is not used for authentication.

  • Navigate to Administration > Overview > Cloud Services > Azure Services.
  • Right-click Azure Services and click Configure Azure Services.
Screenshot: Azure Services in the SCCM console
  • Select “Cloud Management”.
Screenshot: Cloud Management option in the Azure Services wizard

In the wizard below, we have to configure the web apps. Check with your Azure administrator before you decide whether you can use existing web apps or create new web apps for CMG.

You have two options. In this guide, we use the second option.
(1) Pre-create the Azure web apps manually and import them in the SCCM wizard below. For more details about the configuration, refer here.
(2) Let SCCM create the web apps automatically in Azure.

  • Sign in with a Subscription Admin account and select the default web URL.
Screenshot: Server app configuration
  • After a successful sign-in, the Server and Client web app details are populated automatically. Click Next.
Screenshot: Web app details populated
  • For more details about the web apps configuration and workflow, refer here.
  • Next, you will see the wizard page below to enable Azure AD user discovery.

In this post, we are not enabling user discovery. Let us discuss why. There are two reasons:

(1) Authentication: In this post, the SCCM client uses the computer identity (certificate) for CMG authentication. Therefore, we do not need a user token as the authentication identity.

(2) Deployment: In my scenario, SCCM deployments are device based instead of user based. However, you can consider enabling user discovery if that is not the case for you.

Screenshot: Azure Active Directory User Discovery page
  • Click Next, and Close on the Completion page.

Verify the Azure service integration

  • You will see two new app registrations in the Azure portal. These app registrations indicate a successful Azure service integration. Go to Home > App registrations and check for the client and server app names that we configured in the SCCM console.
Screenshot: App registrations in the Azure portal

CMG deployment configuration in SCCM

We have done a lot of prep work. Finally we reached the step in which we deploy the CMG service in Azure using the SCCM console. While configuring the CMG cloud service, ensure the CMG is configured at the top-tier site of the SCCM hierarchy.

  • In the ConfigMgr console, go to Administration > Cloud Services > Cloud Management Gateway.
  • Click Create Cloud Management Gateway on the ribbon.
Screenshot: Create Cloud Management Gateway
  • Sign in with the Azure Subscription Admin account. The subscription info, web app details and tenant details are populated automatically. We already created the web apps in the previous step 3 as part of the Azure service integration.
Screenshot: Azure environment (Azure Public Cloud)
  1. Browse and select the server authentication certificate that we exported in step 2.
  2. The CMG service name is populated automatically from the certificate name we provided while importing the certificate in step 2. The CMG service name is populated with the XXXX.cloudapp.net domain name. Note: a CNAME is required if you are using a custom domain name. You have to create a CNAME record in public DNS pointing to
  3. Select the Region: the Azure region where the cloud service is hosted. For the China region, I would recommend checking with Microsoft.
  4. Select the option to create a new resource group.
  5. Select the group from the drop-down menu.
  6. Choose the number of VM instances. The maximum VM instance value you can provide is 16. Each standard A2 VM hosted in Azure can support approximately 6000 clients, and in addition 2000 simultaneous connections. In production, consider multiple VMs for redundancy or availability. You can add an “instance” to the existing CMG simply by adding another VM; there is no need for an additional CMG cloud service for HA, because the Azure CMG cloud service is already highly available.
  7. Uncheck “Verify Client Certificate Revocation”. In our scenario, we are not using a PKI client authentication certificate, so this setting is not relevant for us. Clear this if you have not published the CRL on the internet. It is recommended to check with your security or PKI team.
  8. Since we are using an internal CA certificate for the CMG, upload the respective root and intermediate certificates.
  9. Enable the CMG to serve as a cloud distribution point as well.
  • Click Next to proceed and configure the CMG cloud service.
Screenshot: Configure CMG cloud service
  • On the Alerts page, keep the defaults and click Next.
  • On the Completion page, click Close.

Verify the Cloud Management Gateway deployment

There are three areas to monitor the CMG service deployment

  1. SCCM Console
  2. Logs
  3. Azure Resource

SCCM console:

  • Navigate to Administration > Cloud Services > Cloud Management Gateway. Initially the status shows as “Provisioning”.
Screenshot: CMG status Provisioning
  • After approximately 15 minutes, the status changes to Provisioning Completed -> Ready.
Screenshot: CMG status Ready

SCCM logs:

Open CloudMgr.log and CMGSetup.log to view the status. The SCCM service connection point is responsible for deploying the CMG service in Azure. We will cover more details about the logs, events and troubleshooting in the next post.

Azure Resource deployment monitoring:

  • Log in to the Azure portal and navigate to the resource group we created. You will see whether the cloud service and storage account were created.
Screenshot: Resources in the CMG resource group
  • We can monitor the CMG deployment activity from the Azure portal. Navigate to Azure > Monitor > Activity log.
Screenshot: CMG deployment activity log in Azure
  • You can also monitor the resource group activity by selecting the resource group you created from the SCCM console.
Screenshot: Resource group activity log

Install CMG connection point role

In the previous step (step 4), we deployed the CMG cloud service. In this step, we install the CMG connection point SCCM role on premises and connect it with the CMG cloud service.

The CMG connection point role can be installed on a remote site system server with or without the MP/SUP role. In this guide, I have a dedicated server for the CMG role with MP and SUP enabled for HTTPS. Ensure the internet proxy allows the CMG connection point to communicate with the CMG cloud service.

Note 1: Multiple servers with the CMG connection point role can communicate with a single CMG cloud service.
Note 2: It is also possible to create multiple CMG cloud services and connect them with multiple CMG connection point servers.

The benefit of having multiple CMG connection points is load balancing of client traffic from the CMG cloud service to the on-premises MP/SUP. For more details on planning the CMG in the SCCM hierarchy design, refer here.

Let us go through the steps to configure the CMG connection point role.
  • In the SCCM console, go to Administration > Site Configuration > Servers and Site System Roles.
  • Right-click the site server and choose Add Site System Roles.
  • In this post's scenario, the CMG connection point role is installed on a dedicated remote server.
  • Provide the remote site server name.
Screenshot: Add Site System Roles

Check the box for Cloud management gateway connection point. Click Next.

Screenshot: Cloud management gateway connection point role

In the step below, you link the on-premises CMG connection point role to its CMG cloud service. Select the cloud management service from the drop-down menu if you have multiple CMG cloud services. The CMG cloud service region is populated automatically.

Screenshot: Cloud management gateway and region

Note: The CMG connection point role from a site can only connect to one CMG cloud service, as shown above. For redundancy or scalability, it is possible to add multiple “instances” to the CMG cloud service, which means adding another VM. We discussed this in step 4. For more details, refer here.

  • Click Next and OK to complete the wizard.

How to Verify the CMG role setup

  • The CMG cloud service, its region and its associated on-premises connection point server are shown in the console.
Screenshot: Cloud management gateway connection status

Note: You will also be charged based on outbound data transfer. For more details, refer here.

Verify the CMG Role installation

After successful CMG role installation, you can see the CMG connection point start establishing a connection with the CMG cloud service (*.cloudapp.net). For more details about this component's activity, refer to the logs CMGService.log and SMS_Cloud_ProxyConnector.log.

Screenshot: SMS_Cloud_ProxyConnector.log

After a few minutes, we will see the on-premises CMG connection point connect to the CMG cloud service and start communicating. In the next post (part 3), we will go into detail about troubleshooting and events.

Screenshot: CMGService.log
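Both logs named above use the CMTrace line format, so the connection point's state can be checked from a script rather than by scrolling in CMTrace. The parser below is an added example, not code from the original post or from Configuration Manager: it converts each CMTrace line into an object and keeps only warnings and errors (type 2 and 3). The sample lines are constructed for illustration and are not copied from a real log, and the log path in the trailing comment is a placeholder for the site server's install directory.

```powershell
# Added example (not from the original post): parse CMTrace-format lines such as those in
# CMGService.log / SMS_Cloud_ProxyConnector.log and return only warnings and errors.
# The $sample lines are CONSTRUCTED for illustration, not copied from a real log.
$SeverityByType = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMTraceLine {
    # One CMTrace line -> object; lines that do not match the format are dropped.
    # Format: <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" component="X" context="" type="N" thread="N" file="f:line">
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*?\btype="(?<type>\d)"'
        if ($Line -match $pattern) {
            $sev = $SeverityByType[$Matches.type]
            if (-not $sev) { $sev = 'Unknown' }
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = $sev
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CMTraceProblems {
    # Keeps Warning/Error entries. Usage with a file: Get-Content <log path> | Get-CMTraceProblems
    param([Parameter(ValueFromPipeline)][string]$Line)
    process { $Line | ConvertFrom-CMTraceLine | Where-Object { $_.Severity -in 'Warning', 'Error' } }
}

# Constructed sample lines (message text is illustrative only).
$sample = @(
    '<![LOG[Connecting to CMG service contoso-cmg.cloudapp.net]LOG]!><time="10:01:02.123+000" date="10-25-2019" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="1" thread="4120" file="proxyconnector.cpp:100">',
    '<![LOG[Connection attempt timed out, retrying in 60 seconds]LOG]!><time="10:02:02.456+000" date="10-25-2019" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="2" thread="4120" file="proxyconnector.cpp:210">',
    '<![LOG[Server certificate chain could not be validated]LOG]!><time="10:03:02.789+000" date="10-25-2019" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="3" thread="4120" file="proxyconnector.cpp:300">'
)

# Against the sample this prints the Warning and the Error rows only.
$sample | Get-CMTraceProblems | Format-Table Date, Time, Severity, Component, Message -AutoSize

# For a real log (placeholder path; the Logs folder is under the ConfigMgr install directory):
# Get-Content "<ConfigMgr install dir>\Logs\SMS_Cloud_ProxyConnector.log" -Tail 500 | Get-CMTraceProblems
```

The same two functions work for CloudMgr.log and CMGSetup.log from the deployment step, since every Configuration Manager component log shares the format.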

SCCM CMG Site system & MP settings

In this step, let us enable the component roles (MP/SUP) and the site system to respond to CMG requests. With this configuration, SCCM clients on the internet communicate with the on-premises MP and SUP through the CMG cloud service. In this post, I dedicated a remote SCCM server with the MP and SUP roles to CMG communication only.
Note: CMG supports only two roles: SUP and MP.

Enable the MP for CMG

  • Navigate to Administration > Site Configuration > Servers and Site System Roles.
  • Select the site server holding the MP role (planned for dedicated CMG communications).
  • In the Management Point Properties, check the box “Allow Configuration Manager cloud management gateway traffic”.
  • Change the client connection type to “Allow Internet only connections”. In my setup there is a dedicated MP server for CMG, and I want to ensure only internet-connected SCCM client requests reach the dedicated MP.
Screenshot: SCCM management point settings

It is important to understand the different MP client connection modes and design accordingly. For more details, refer here.

Enable the SUP for CMG

  • Select the site server holding the SUP role (planned for dedicated CMG communications).
  • In the Software Update Point Properties, check the box “Allow Configuration Manager cloud management gateway traffic”. Click OK.
  • Change the client connection type to “Allow Internet only connections”. In my scenario there is a dedicated SUP server for CMG, and I want to ensure only internet-connected SCCM client requests reach the SUP.
Screenshot: Software update point settings for CMG

Site system settings for SCCM CMG

  • Navigate to Site Properties > Client Computer Communication tab. Check the box “Use Configuration Manager-generated certificates for HTTP site systems”.
  • The other client computer communication settings are left unchecked because we are not using PKI client authentication. Instead, the cloud-based device identity is used to authenticate with the CMG and management point.
Screenshot: SCCM site settings for Enhanced HTTP certificates

NOTE – SCCM EHTTP (Enhanced HTTP): these are SCCM self-signed certificates, which can replace some of the PKI certificate requirements. More details: https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/enhanced-http

Client Agent Setting for SCCM CMG

  • It is recommended to create a custom SCCM client agent setting to enable CMG instead of using the Default Client Settings. A custom client agent setting provides better control: you can use an SCCM collection and a custom client agent setting to restrict which clients use the CMG. For more details, refer here.
  • Go to Administration > Client Settings.
  • On the top ribbon, click Create Custom Client Device Settings and select Cloud Services.
  • In the custom client agent settings, enable the option “Enable clients to use a cloud management gateway”.
  • Enable “Allow access to cloud distribution point”.
Screenshot: Cloud Services client settings
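The custom client device setting described in this section can also be created and scoped to a pilot collection with the ConfigurationManager PowerShell module that ships with the console. This is an added example and not code from the original post: it creates the device setting if it does not exist, turns on the two Cloud Services options above, and deploys it to one collection. The site code 'P01', the setting name and the collection name are placeholders; the cmdlet and parameter names are those of the ConfigurationManager module, so confirm them against your console version.

```powershell
# Added example (not from the original post): create and deploy a custom client device
# setting that enables CMG and cloud DP access for a pilot collection.
# Run on a host with the Configuration Manager console installed.
$SiteCode       = 'P01'                    # placeholder site code
$SettingName    = 'CMG - Internet clients' # placeholder custom device setting name
$CollectionName = 'CMG Pilot Devices'      # placeholder pilot collection

# Load the console's module and switch to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# Custom device settings rather than Default Client Settings, so only the collections
# this setting is deployed to pick up the CMG.
if (-not (Get-CMClientSetting -Name $SettingName)) {
    New-CMClientSetting -Name $SettingName -Type Device | Out-Null
}

# Cloud Services section: the two boxes from the steps above.
Set-CMClientSettingCloudService -Name $SettingName `
    -AllowCloudManagementGateway $true `
    -AllowCloudDistributionPoint $true

# Deploy to the pilot collection first; widen the scope only after clients show the CMG URL.
Start-CMClientSettingDeployment -ClientSettingName $SettingName -CollectionName $CollectionName

Get-CMClientSetting -Name $SettingName | Select-Object Name, Type, Priority
```

Scoping the setting to a collection is the control the section describes: it lets you verify end-to-end behaviour on a handful of devices before every internet client starts talking to the CMG.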

End Result

  • Finally, you can monitor the overall CMG status, including the total number of CMG requests, total request size, concurrent connections, etc.
Screenshot: Monitor CMG status
  • In the SCCM client, you will see the CMG URL in the Configuration Manager control panel applet. This indicates that your SCCM client received the CMG URL details. When the computer moves to the internet, it will start getting policy from the CMG cloud service and content from the cloud DP.
Screenshot: CMG URL shown in the client control panel

In the next post, let us discuss the client-side workflow and troubleshooting.

Thank you Rajul for your inputs.

Resources

3 COMMENTS

  1. Hi, I configured the CMG on SCCM 1906 with a single public certificate and Hybrid domain join for client authentication. I want my internet clients to download updates from Microsoft. I am allowing traffic to the SUP and I don’t have the updates published to the CMG DP. Applications download fine from the cloud DP. I am allowing Microsoft as a source on the SUG deployment. The clients are trying to download from Microsoft but nothing downloads. Any ideas? Here is what I am seeing on the client logs. CCTMJob::UpdateLocations – Received empty location update for CTM Job {8BFE8993-463E-4F38-8300-B01ED4FDBE57} ContentTransferManager 10/25/2019 10:38:28 AM 3764 (0x0EB4)
    CTM job {8BFE8993-463E-4F38-8300-B01ED4FDBE57} suspended ContentTransferManager 10/25/2019 10:38:28 AM 3764 (0x0EB4)
    Persisted locations for CTM job {7F229AB1-E911-48D3-965E-53407E92FA56}:
    (WUMU) net:http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4521862-x64_87f99a7e5bde5776ab695e5432694c303385042e.cab ContentTransferManager 10/25/2019 10:38:29 AM 3764 (0x0EB4)
