In previous post part 1, we discussed SCCM Cloud Management Gateway (CMG) architecture, and it’s a role in co-management environment. In this post, let us consider how to configure SCCM CMG with fewer certificates (New SCCM CMG Setup Guide).
Subscribe to this Blog via eMail?
Introduction – New SCCM CMG Setup Guide
We all know that SCCM CMG is evolving. So, if you are planning SCCM CMG in your environment, Upgrade SCCM to the latest version to have more enhanced features of SCCM CMG.
NOTE! – Are you planning to replace SCCM IBCM servers with SCCM CMG? I would recommend reading the following post “SCCM IBCM Vs CMG Differences a Real World Comparison.”
Cloud Management gateway Architecture
- Internet-connected SCCM client request for policy from Azure CMG cloud service
- Azure CMG cloud service forwards the client communication to the on-premises CMG connection point. CMG cloud service gets the policy from On-premise MP and SUP through CMG connection point role.
- CMG connection point role acts as a proxy and builds a 2-way communication channel between on-premise SCCM (MP & SUP) and Azure CMG cloud service
- Finally, SCCM clients get policy and content from Azure CMG cloud service.
Note: CMG supports the management point and software update point roles only. More details about SCCM CMG supported communications are available here.
The following are the quick list of SCCM CMG setup pre-requisites
- Unique CMG DNS name
- Azure subscription to host CMG
- Azure permission with Global Admin and subscription owner rights.
- Subscription admin permission to deploy CMG cloud service
- Global /Service Admin permission to integrate SCCM site with Azure AD using Azure Resource Manager
- In this post, My ID already had higher privilege with Global admin rights assigned which used for all configurations. Hence, I did not have to worry much about this pre-requisites.
- Internet access connectivity requirements
- Network ports requirements
- Windows 10 device should have IPv4 enabled
- A server authentication certificate for the CMG
- Service connection point in online mode. The service connection point is responsible for deploying the CMG in Azure
- On-premises Windows server to host the CMG connection point.
In this post, we are hosting CMG connection point role on a dedicated server along MP, and SUP with enhanced HTTPS enabled. If you already have, HTTPS-enabled MP and SUP then no need for a separate server.
- Microsoft.ClassicCompute & Microsoft. Storage resource providers must be registered within the Azure subscription. For more details refer Ronny blog.
7 steps for SCCM CMG Configuration
Infrastructure setup used for this post
- AADconnect enabled hybrid Azure AD join.
- SCCM 1902
- Internal PKI CA for certificates.
In this post, we are not using a third-party certificate.
- Dedicated site server with MP and SUP for CMG
- Windows 10 1903 Enterprise
- Let us cover each configuration steps in detail
Verify unique CMG DNS
In this step, we need to identify the unique CMG service name that we are going to use later in SCCM. SCCM configures the CMG cloud service in *.cloudapp.net domain. Hence, the CMG service in azure must be unique and not used by anyone.
Note: we do not have to create the CMG service in the portal. SCCM will take care of deploying the CMG cloud service. We need to ensure the CMG service name is unique.
Below are the steps to Check Unique service name
- Sign in to the Azure portal. Search for Cloud service.
- Select Cloud service and type the prefix in the DNS name field.
- If the domain name is available, the interface reflects green color.
- If Name is unavailable, the interface reflects red color. Try new name if red.
Cloud management gateway can now serve Cloud distribution point as well. Below are the steps to Check a unique service name for the storage
- Sign in to the Azure portal. Search for Storage account. Select Create.
- Type the name prefix in the “Storage account name” field.
- Green tic state storage name is unique and available.
Make a note of this unique name. Later while configuring CMG wizard in SCCM, we will use this name.
Step 1 completed 🙂 Let us proceed to next step .
To configure CMG we need at least One certificate (Server authentication certificate). Based on need or scenario you may need more certificates. In this post or scenario, we need One certificate only (Server Authentication). Let us discuss server-side and client-side certificates
Server Side certificate
Third-party vendors like DigiCert or Microsoft PKI can issue a Server authentication certificate. Certificate issued by both supported. In this post, we will use Microsoft Enterprise PKI.
The server authentication certificate is mandatory while configuring CMG for any scenario. In part 1 of this post, we discussed different CMG scenarios.
Note: Microsoft recommends using a trusted third party certificate provider like DigiCert, etc. Windows 10 trusts these third party certificates without any Root certificate dependency. We will discuss more in later sections.
Let us discuss the steps to get the server authentication certificate.
- Step 1: Create server authentication certificate template
- Step 2: Enable server authentication certificate template
- Step 3: Enroll the server authentication certificate
- Step 4: Export the certificate private key
- Step 1 & Step 2 – Configuration done from CA server
- Step 3 & Step 4 – Configuration done from SCCM server
Step 1: Create server authentication certificate template
- Login to the Certification Authority server. Open the Certification Authority console (certsrv.msc).
- Right-click Certificate Templates and select Manage.
- Right click Web Server and click Duplicate Template.
- Click on General tab and modify the display name. Example: Server certificate CMG
- Click on Request Handling Tab. Check the box “Allow private key to be exported”. Click OK
- Click on Security tab. Add the security group that contains SCCM server computer accounts. Please ensure the group have read and enroll permission.
- By default, Enterprise admin security group have enroll permission. Please remove the enterprise admin group from the list
- Close Certificate Template window
Step 2: Enable server authentication certificate template
In previous step, we prepared certificate template for CMG . However, certificate template is not enabled. Let us do that now.
- Launch Certification Authority console. Right click Certificate Template and click New > Certificate Template to Issue
- Select the template we created in step one and click OK to enable. Done.
Step Three: Enroll the server authentication certificate in SCCM
Note: Its recommended rebooting SCCM server before enrolling the certificate. This will allow refreshing the SCCM computer authentication token with CA server. We already provided enroll permission provided for SCCM server in Certificate template.
- Launch MMC and Certificates > Local Computer > Personal > Certificates
- Right click Certificates > All Task > Request New Certificate
- Click next
- Select the certificate template we issued from CA.
- Click more information to add details
- In the Subject tab under Subject Name Type drop-down choose Common Name.
- Enter unique name, which we already verified in step one. The name should end with *.cloudapp.net.
- Click Add and OK to close.
The certificate enrolled successfully. Click Finish.
Step four: Export the private key
Finally, in this step we are going to export the private key (.PFX) for the certificate, which we created in previous step three. We need this certificate to configure CMG.
Let us go through the steps to export the private key.
- Launch MMC and Certificates > Local Computer > Personal > Certificates
- Right click on XXXXX.cloudapp.net certificate > All Tasks > Export
- In the wizard, choose the option “Yes” and export the private key.
- Leave everything as default and secure the certificate with a password
- Save the certificate with .PFX extension to finish the wizard.
Client Side certificate
Why certificate required on the Windows 10 client for CMG?
SCCM client must authenticate to confirm its identity before communication with CMG cloud. There are three options for authentication. In this post we will use 3rd option.
- PKI client authentication certificate or
- User identity token (Azure AD user discovery) or
- Azure AD computer identity (Using Default Azure client Auth certificate)
By default, Hybrid or Azure only joined computer will receive below two certificate from Azure. These certificates can serve as authentication token for CMG service. In this post, we are using these two certificates.
Note 1: if we are using Microsoft internal PKI then Root CA of your internal PKI CA required on Windows 10 client.
Note 2: if you are using third party certificate like Entrust, usertrust, thwate,digicert, etc then Root CA is not required. Even for Azure AD connected machines, you do not need any root CA. Unlike Microsoft enterprise PKI, Windows 10 trusts third party certificates without any need of root CA. This reduces the complexity and root CA dependency on client side. Microsoft recommend third party certificate because of this rationale.
Azure Service integration with SCCM
In this step, we are going to integrate SCCM with Azure cloud services. This integration performed using the SCCM Azure Services Wizard. For more configuration details on Azure Services wizard, refer here
This wizard can configure two things.
- Azure AD web app registration: SCCM client use Azure web app URL to authenticate with Azure.
- Azure AD user discover (optional): We are not going to configure. We discussed already that in this post User identity token not used for authentication
- Navigate to Administration > Overview > Cloud Services > Azure Services.
- Right click Azure Services and click Configure Azure Services.
- Select “Cloud Management”
In below wizard, we have to configure Webapps. Check with your azure administrator before you decide whether you can use existing webapps or new webapps for CMG.
You have two options. In this guide, we use second option.
(1) Pre-create the Azure webapps manually and import in the below SCCM wizard. For more details about the configuration, refer here
(2) SCCM create the Web app automatically in Azure.
- Signed in with a Subscription Admin and select default web URL.
- After Successful sign in, Server and Client web app details get populated automatically.Click Next.
- For more details about the web apps configuration and workflow refer here
- Next, you will see below wizard to enable Azure user discovery.
In this post, we are not enabling user discovery. Let us discuss why we are not enabling. There are two reasons
(1) Authentication: In this post, SCCM client uses computer identity (using certificate) for CMG authentication Therefore, we do not need user token for authentication identity.
2) Deployment: In my scenario SCCM deployments will be device-based instead of user-based. However, you can consider enabling user discovery, if that is not the case for you.
- Click next and Close on Completion page.
Verify the Azure service integration
- You will see two new web app registrations in the Azure console. These web apps registrations indicate successful Azure service integration. Go to Home > App registrations. Check for the client and server apps name which we configured in SCCM console
CMG deployment configuration in SCCM
We have done lot of prep work. Finally, we reached the step in which we are going to deploy CMG service in Azure using the SCCM console. While configuring CMG cloud service, please ensure CMG configured at the top-tier site of the SCCM hierarchy.
- On the ConfigMgr Console, go to Administration > Cloud Services > Cloud Management Gateway
- Click Create Cloud Management Gateway on the ribbon menu.
- Sign In with Azure Subscription Admin account The subscription info, the Web App details and tenant details will auto populate. We already created the webapps in the previous step 3 as part of Azure service integration.
- Browse and select the Server authentication certificate that we exported in step two.
- CMG service name will auto populate from the certificate name we provided while importing the certificate in Step 2. The CMG Service name will populate with XXXX.cloudapp.net domain name. Note: CNAME is required, if you are using custom domain name. You have to create a CNAME record in public DNS pointing to
- Select the Region – The Azure region where the cloud service to host.For China region i would recommend to check with Microsoft.
- Select the option new resource group
- Select the group from drop down menu
- Choose the number of VM Instances. The maximum VM instance value you can provide is 16. Each standard VM A2 hosted in Azure can support approx 6000 clients. In addition, 2000 simultaneous connections. In production, consider multiple VM for redundancy or availability. You can add “instance” to the existing CMG, which can be done simply by adding another VM. There is no need to have additional CMG cloud service for HA. Because Azure CMG cloud service is already on HA.
- Un-check “Verify Client Certificate Revocation”. In our scenario, we are not using PKI client authentication certificate so this setting is not relevant for us. Clear this if you have not published the CRL on internet. Recommended to check with your security or PKI team.
- Since we are using Internal CA Cert for CMG, upload respective Root and Intermediate certificates.
- Enable the CMG to serve as cloud distribution point as well.
- Click Next to proceed and configure CMG cloud service.
- On the Alerts page, select default and click next.
- On the completion page, click Close.
Verify the CLOUD MANAGEMENT GATEWAY deployment
There are three areas to monitor the CMG service deployment
- SCCM Console
- Azure Resource
- Navigate to Administration->cloud services->cloud management gateway . Initially the status will show as “Provisioning”.
- After approx. 15 minutes, the status changed to Provisioning Completed – > Ready.
Open CloudMgr.log and CMGSetup.log to view the status. SCCM service connection point is responsible to deploy the CMG service in Azure. Let us cover more details about the logs, events and troubleshooting in next post.
Azure Resource deployment monitoring:
- Log in to the Azure Console and navigate to resource group we created. You will see whether cloud service and storage account created.
- We can monitor the CMG deployment activity from Azure console. Navigate to Azure->monitor–>Activity log
- You can also monitor the resource group activity by selecting resource group you created from SCCM console.
Install CMG connection point role
In previous step four, we deployed CMG cloud service. In this step, we will install CMG connection point SCCM role on premise and then connect with CMG cloud service.
CMG connection point role can be installed on the remote Site System server with or without MP/SUP role. In this guide, I have a dedicated server for CMG role with MP and SUP enabled for HTTPS. Ensure internet proxy allows CMG connection point communication with CMG cloud service.
Note 1: multiple CMG connection point role installed servers can communicate with single CMG cloud service.
Note 2: it is also possible to create multiple CMG cloud service and connect with multiple CMG connection point role servers.
The benefit of having multiple CMG connection point role is load balancing of client traffic from the CMG cloud service to the on premise MP/SUP. For more details on planning the CMG in SCCM hierarchy design, refer here
- Let us go through the steps to configure CMG role.In SCCM console, go to Administration > Site Configuration > Servers and Site System Roles.
- Right click the site server to Add Site System Roles.
- In this post scenario, CMG connection role is installed on a dedicated remote server.
- Provide the remote site server name .
Check the box for Cloud Management gateway connection point. Click Next.
In below step, you are linking on premise CMG site server role to its appropriate CMG cloud service. Select the Cloud management service from the drop down menu if you have multiple CMG cloud service. CMG cloud service region populates automatically.
Note: The CMG connection point role from a site can only connect to one CMG cloud service as shown above. For redundancy or scalability, it is possible to add a multiple “instance” to the CMG cloud server, which is adding another VM. We discussed this in step 4. For more details, refer here.
- Click next and ok to complete the wizard.
How to Verify the CMG role setup
- The CMG cloud service, region and its associated on premise Connection Point server will show in the console
Note:You will also be charged based on outbound data transfer. For more details refer here
Verify the CMG Role installation
After successful CMG role installation you can see the CMG role start establishing connection with CMG cloud service (*.cloudapp.net). For more details about this component activity, refer log – CMGService.log and SMS_Cloud_ProxyConnector.log.
After few min, we will see CMG on premise role connects with CMG cloud service and start communication. In the next post part 3, we will go in detail about troubleshooting and events.
SCCM CMG Site system & MP settings
In this step, let us enable component roles (MP/SUP) and site system to respond CMG requests. With this configuration, SCCM client from internet communicate with on premise MP and SUP through CMG cloud service. In this post, I dedicated a remote SCCM server with MP and SUP role enabled for CMG communication only.
Note: CMG supports only two roles: SUP and MP
Enable the MP for CMG
- Navigate to Administration > Site Configuration > Servers and Site System Roles.
- Select the Site Server holding the MP role (planned for dedicated CMG communications)
- On the Management Point Properties, Check the box “Allow Configuration Manager cloud management gateway traffic”
- Change the connection to “Allow Internet only connections”. Because in my setup, there is a dedicated MP server for CMG. Also, want to ensure only internet connected SCCM client requests communicate to the dedicated MP.
It is important to understand different MP client connection modes and design accordingly. For more details, refer here
Enable the SUP for CMG
- Select the Site Server holding the SUP role (planned for dedicated CMG communications)
- Under Software update point properties, check the box “Allow Configuration Manager cloud management gateway traffic”. Click OK.
- Change the client connection type to “allow internet only connections”. Because in my scenario, there is a dedicated SUP server for CMG. Also, want to ensure only internet connected SCCM client requests communicate to the SUP.
Site system settings for SCCM CMG
- Navigate to Site Properties > Client Computer Communication tab. Check the box “Use Configuration Manager-generated certificates for HTTP site systems”.
- The other client computer settings left unchecked because we are not using PKI client authentication. Instead, cloud-based device identity used to authenticate with the CMG and management point.
NOTE – SCCM EHTTP = Certificates are SCCM Self signed certificates which can replace some of the PKI certificate requirements. More details https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/enhanced-http
Client Agent Setting for SCCM CMG
- It is recommended to create a custom SCCM client agent setting to enable CMG instead of Default client settings. Custom client agent setting provide better control. You can use SCCM collection and custom SCCM client agent setting to restrict the number of clients to use the CMG. For more details, refer here.
- Go to Administration / Client Settings.
- On the top ribbon, click Create Custom Client Device Settings and select cloud services
- In the custom client agent settings, enable the option “enable clients to use a cloud management gateway”
- Enable “Allow access to cloud distribution point”
- Finally, you can monitor CMG overall status including total no of cmg requests, total request size, concurrent connections, etc.
- In the SCCM client, you will see URL in the control panel. This indicate your SCCM client received CMG URL details. When your computer move to internet it will start getting policy from CMG cloud service and content from cloud DP.
In the next post, let us discuss the workflow in client side and troubleshooting.
Thank you Rajul for your inputs.