The Cloud Management Gateway (CMG) provides a simple way to manage SCCM clients on the internet. The CMG is a PaaS (Platform As A Service) solution in Azure. So, we don’t need to maintain the servers in the Azure platform, unlike Azure IaaS (Infrastructure As A Service) solution.
We need to set up and configure Azure Cloud Services within SCCM before implementing Co-Management CMG.
Co-Management Related Posts
All Co Management Video Tutorial in one post here.
Overview Windows 10 Co-Management with Intune and SCCM Custom Report to Identify Machines Connected via SCCM CMG How to Setup Co-Management - Introduction - Prerequisites Part 1 How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 Setup Co-Management - AAD Connect UPN Suffix Part 3 Setup Co-Management - CA PKI & Certificates Part 4 Setup Co-Management Cloud DP Azure Blob Storage Part 5 Setup Co-Management Azure Cloud Services CMG Part 6 (This Post) SCCM Configure Settings for Client PKI certificates Part 7 How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8 How to Deploy SCCM Client from Intune - Co-Management - Part 9 End User Experience of Windows 10 Co-Management - Part 10
Co-Management CMG Requirements
Co-Management CMG is not a prerequisite for all the SCCM Co-Management scenarios. However, CMG is required for the scenario where you want to install SCCM client from the internet. SCCM Cloud Management Gateway (CMG) & CDP are required for the situation mentioned above.
- Azure subscription with Azure Admin access to host the CMG
- Azure Cloud Services Configured within SCCM (Azure AD User Discovery – for some authentication scenarios)
- Azure Web and Client applications (Part of Azure Cloud Services)
- Azure Resource Manager (ARM) SCCM 1802 or later to avoid Azure Management certificates
- Client Authentication Certificate – Root Cert and Intermediate/Issuing certificates (PKI or Public Certificates)
- Server Authentication Certificate (Web Server Template & Custom web server certificate with CMG/CDP CNAME)
- The service connection point must be in online mode
Video Step by Step Guide to Setup Cloud Management Gateway
Setup Azure Services – Cloud Management
I would recommend going through and configure Azure services cloud management before proceeding with CMG configuration. Use the Azure Services Wizard to simplify the process of setting up the Azure cloud services you use with SCCM. I have also explained this in the video tutorial.
Azure Services configuration wizard provides a standard configuration experience by using Azure Active Directory (Azure AD) web app registrations. This wizard creates Web and Client (native) applications to subscription & configuration details, & authenticate communications with Azure AD.
Cloud Management: This service enables the SCCM site and clients to authenticate by using Azure AD. This authentication allows for other scenarios, such as:
Install and assign SCCM Windows 10 clients using Azure AD for authentication
Configure Azure AD User Discovery
Support specific Cloud Management Gateway scenarios
Configure Azure Services
This wizard helps you deploy and configure Azure services through SCCM. I have explained the same in the Video Tutorial as well.
Navigate via \Administration\Overview\Cloud Services\Azure Services – Click on Configure Azure Services button from the ribbon menu.
1. Select an Azure service and specify the name, description:-
Name:- ACN Azure Cloud Services Description:- Any meaning full description
2. Select Cloud Management and click on NEXT button to proceed further
Note - Deploying the Azure service for Cloud Management enables SCCM clients to authenticate with the site using Azure AD. You can also enable discovery for Azure AD resources for this tenant.
3. Select AzurePublicCloud as Azure Environment from App properties page
4. Create a new WEB APP in Azure for Authentication (Server App for SCCM). Add an application that represents a web application, a web API, or both.
Server App – Select a from the list of available server apps to configure Azure services. You can also import or create a server app. In this scenario, I opted to create new Server Application.
Specify an application details and sign in with AAD admin credentials to create application in the Azure Active Directory
Application Name: ACNCloudServiceAnoopC HomePage URL: https://ConfigMgrService1 App ID URI: https://ConfigMgrService1 Secret Key Validity Period: 1 Year Azure AD Admin Account: Sign in - Signed in successfully! Azure AD Tenant Name: ANOOPC
5. Create NATIVE Client APP. A native client is an application that can be installed on a user’s device or computer. To Create Client Application Specify application details and sign in with AAD admin credentials to create an application in the Azure Active Directory.
Application Name: ACN CloudService AnoopC Reply URL: https://ConfigMgrClient1 Azure AD Admin Account: Sign in - Signed in successfully!
Tenant Friendly Name: ANOOPC App Friendly Name: ACN CloudService AnoopC Service Type: Blank
6. Enable Azure AD Discovery on Configure Discovery Settings page. Click on settings button to check and configure advanced options of AAD Discovery.
Azure AD User Discovery – Configure the settings to discover resources in the Azure AD. When resources are discovered, SCCM creates records in the SCCM DB for the resources and their associated information.
We need to enable Azure AD discovery to enable AAD authentication scenario in SCCM. If you want SCCM to authenticate the AAD user, you need have the user discovered first.
You need to provide/grand appropriate permissions for WEB (Server) application on Azure as I showed in the video tutorial.
Setup Co-Management CMG (Cloud Management Gateway)
Before the start of Co-management CMG setup, make sure that all the prerequisites and certs are readily available with you. I have also explained this in video tutorial.
- Navigate via SCCM CB console – \Administration\Overview\Cloud Services\Cloud Management Gateway
- Click on Create Cloud Management Gateway icon in the ribbon menu
- Select Azure Environment as AzurePublicCloud on Specify details of this cloud service page
NOTE - Specify the Azure environment and the deployment method for the cloud service. Provide Azure subscription ID, the management certificate or Azure AD administrator credentials to proceed.
4. Choose how you want to deploy your cloud Service – Azure Resource Manager (ARM) deployment
Note:- Please sign in as administrator account to access your Azure subscription. SCCM will obtain the subscription information, and contribute permission that are required for deploying the service.
Subscription Admin Account: Sign In Subscription ID: Automatically get populated once you logged in with Azure admin account Azure AD App Name: ACNCloudServiceAnoopC (WEB/Server Application which we created (above) will automatically get populated) Azure AD Tenant: ANOOPC (Automatically get populated once you logged in with Azure admin account)
5. Specify Additional Details for the cloud Service (CMG) page
Service Name: ACMCMG01 Automatically get populated based on the CName mentioned in the certificate. You won’t be able to change it. To change the service name, you need to create a new WEB certificate as explained in the previous blog.
Description: Useful information to identify the CMG instance if you have more than one CMGRegion: South Central US
Resource Group: ACNCMGCDP. Click on Create New radio button above and give it a meaningful name
VM Instance: 1 (depending on your requirement)
Select the CMG PFX file created for CMG in the previous post about creating certs. We need to specify a server PKI certificate for this cloud service.
Certificate File: Select the PFX file created for CMG in the previous post. Enter the password for PFX certificate. Service Name, Service FQDN will automatically get populated once you have uploaded the PFX cert successfully.
Service FQDN: ACMCMG01.Cloudapp.net This details will get populated automatically as I mentioned above.
Specify security settings for authenticating client connections through CMG (Cloud Management Gateway).
Certificates uploaded to the cloud services: Click on Certificates button to upload Root CA and Intermediate/Issuing CA certs. I have only root CA in the chain of certs. Click on Add to upload certificates to the cloud service.
Remove “Verify Client Certificate Revocation” check box when you have not published CRL to internet. I would recommend to publish CRL to internet to have more secure PKI. However I don’t use this for my lab environment.
Sample Configuration Details of SCCM Cloud Management Gateway (CMG) Wizard
General • Subscription ID: dda75f69a-5a3b-4ecd-b385-db1223e9549873 • Azure AD application: ACNCloudServiceAnoopc Settings • Service Name: ACMCMG01 • Description: • Primary Site: Primary CB 2 (PR3) • Region: South Central US • Resource group: ACNCMGCDP • Service Certificate:\\dc1\Sources\Certs\ACNCMG01.pfx • CName:ACMCMG01.cloudapp.net • Number of Instances: 1 • Root Certificate: 681B323ghdAC90E2523489898HUD7C0E4015E812; • Verify client certificate revocation enabled:True Alerts • Outbound Data Transfer Threshold:Enabled • Outbound Data Transfer Threshold:10000 GB • Outbound data transfer Warning alert level: 50% • Outbound data transfer Critical alert level: 90%
Setup Co-Management – Cloud Management Gateway Connector
The CMG connection point is the SCCM site system role for communicating with the CMG and on-prem components like MP/SUP. I have also explained this in video tutorial.
Add new Site System Role – Select a server to use as a site system. When you have only one site system – Click NEXT
System Role Selection – Specify roles for this server – Select Cloud Management Gateway Connection Point
Specify the Cloud Management Gateway Connection Point settings. When you have more than one CMG in your SCCM environment, you can select relevant one from the drop down option. For me, it’s only one CMG.
Cloud Management Gateway Name: ACMCMG01.CLOUDAPP.NET
Region: South Central US
Install client authentication purpose certificate manually for CMG connection point to communicate with client facing site roles in HTTPS mode.
Azure Portal experience Co-Management CMG
Login to Azure Portal and click on Subscriptions – Resource Groups – ACMCMG01
There will be 2 (two) services associated with Resource Group which we create from SCCM console. More details available in the video tutorial.
1. ACMCMG01 PaaS server for CMG service
2. acmcmg01 storage account for CMG
Click on PaaS server ACMCMG01 to check the details and you can also login to the server and check (there is no need to login and check in normal scenarios).
SCCM Cloud Management Gateway CMG Log Files
The following table lists the log files that contain information related to the cloud management gateway.
|Log name||Description||Computer with log file|
|CloudMgr.log||Records details about deploying the cloud management gateway service, ongoing service status, and use data associated with the service. You can configure the logging level be editing the Logging level value in the registry key HKLM\SOFTWARE\ Microsoft\SMS\COMPONENTS\ SMS_CLOUD_ SERVICES_MANAGER||The installdir folder on the primary site server or CAS.|
|CMGSetup.log1||Records details about the second phase of the cloud management gateway deployment (local deployment in Azure) You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.||The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server|
|CMGHttpHandler.log1||Records details about the cloud management gateway http handler binding with Internet Information Services in Azure You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.||The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server|
|CMGService.log1||Records details about the cloud management gateway service core component in Azure You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.||The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server|
|SMS_Cloud_ ProxyConnector.log||Records details about setting up connections between the cloud management gateway service and the cloud management gateway connection point.||Site system server|