The CMG is a role introduced in ConfigMgr Current Branch 1610. The purpose of the Cloud Management Gateway is to simplify installation and strengthen security of managing clients over the Internet. This is achieved by hosting the necessary services in Azure. To date however many customers have been hesitant to deploy a CMG due to the perceived complexity of the certificate requirements that the solution has required. Using ConfigMgr 1804 tech preview and working along-side the Microsoft product team I have been able to reduce the certificates required down to 1 single certificate. My certificate is issued by a public certificate provider therefore I’ve also eliminated the need for any internal PKI what-so-ever. I am using a wildcard cert if you choose to use named certs you will need 2 certificates rather than 1. This is part 1 of a 2 part series. I will also be publishing a guide on deploying a Cloud Distribution Point.
1. Pre-requisites
a. You must have an
Azure subscription and users must by sync’d to Azure AD using AAD
Connect.
b. Computers must be
Azure AD joined or AAD registered.
c. Find an available
service name in Azure DO NOT CREATE THE
SERVICE just find an available name.
i. Log on to the Azure
portal at portal.azure.com.
ii. In the Azure Portal,
you will see a Cloud Services node on the left. Choose to create a new cloud
service.
iii. Note down the unique
DNS name(s) that will be used for the Cloud Management as you will add this
information to Configuration Manager.
iv. While here take note
of your Azure subscription ID.
d. Create a public
facing CNAME record that maps your service name (ex mycmg.mydomain.com) to your
service name at cloudapp.com (ex mycmg.cloudapp.net)
e. Enable the CMG under
administration>Updates and servicing>features
i. Processing of the
change is often immediate, but it can take up to 30 minutes to complete,
depending on the HMAN processing cycle. After the change is processed, you must
restart the console before you can view new UI related to that
feature.
f. A new server to act
as a ConfigMgr HTTPS management point for internet
clients.
g. If your internal
domain name doesn’t match your external domain name you must internally host a
DNS zone matching your external domain name.
2. Create a Wildcard Cert
Beginning with 1802 ConfigMgr now supports wildcard
certificates. We will be using a single wildcard certificate for the deployment
of the CMG.
Beginning with 1802 ConfigMgr an HTTPS enabled MP is
required when installing a CMG
This guide is using publicly issued certificate and public
certificate authorities will only issue certificates whose have subject names
contain an FQDN which you can prove you own. For this reason, if your internal
domain name doesn’t match a public domain name which you own you must change the
FQDN of the server to a public FQDN which you own.[G1]
We will cover how to change a server FQDN later in this
guide.
a. Use the DigiCert CSR
generator tool to generate a CSR for a wildcard SSL certificate.
(*.mydomain.com)
b. Download a cer from
Digicert, import it back into the DigiCert CSR generator and export it out with
the private key as a .pfx file.
c. Import the pfx into
the local machine store on any domain-joined computer[G2]
making sure to mark the private key as exportable.
d. Open the certificates
snap-in MMC and export the certificate out as a DER encoded binary x.509 (.CER)
file[G3] .
Save this as ‘exported digicert.cer’[G4] .[G5]
e. While in the
certificate snap-in export the certificate again but this time export the
private key as well save this as ‘exported
digicert.pfx’.
3. Prepare A New Windows
Server for HTTPS MP Installation
This is
ONLY required if your internal domain name differs from your external
domain. It is quite common for an
organizations internal domain name to not match its external facing domain
name. If this is the case for your organization you will need to change the
FQDN of the newly created server on which you will install the HTTPS enabled
MP. You will also need to create an A record for the server on your internal
DNS. If you do not internally host a zone matching your external domain name
this solution will not work for you.
a. Change the FQDN of
the server
i. On the server which
will become the new HTTPS management point open System Properties in the control
panel
ii. Select Change
Settings under the computer name, domain and workgroup
settings.
iii. On the computer name
tab click Change…
iv. On the Computer
Name/Domain Changes click More…
v. Change the Primary
DNS Suffix of this computer to your external domain name.
vi. Uncheck the box
change the Primary DNS Suffix of this computer when the domain
changes.
vii. Click OK and then
restart the server
b. A Host (A) record
should have been automatically created in the zone hosting your external DNS
namespace. Confirm this by either i or ii below.
i. Ping
yourservername.yourexternaldomainname.com from any machine inside your network
to confirm that it resolves to an IP address.
ii. Open DNS on a DNS
server and ensure the Host (A) record was created.
c. Repeat step B for the
internal dns zone and create a Host (A) record for the server on the internal
DNS namespace is it’s not present already.
4. Install
Management Point Role on Newly Created Server
Beginning with 1802 ConfigMgr an HTTPS enabled MP is
required when installing a CMG. Unless you already use HTTPS on your site roles
we will be installing a separate management point to act as the HTTPS MP for CMG
traffic. Obviously, you could achieve this in other ways, I just chose this
method because it’s the least impact on my existing environment.
a. Ensure the flowing
prerequisites are installed:
i. Windows Server roles and features:
1. .NET Framework 4.5.2
(or later)
2. BITS Server
Extensions (and automatically selected options) or Background Intelligent
Transfer Services (BITS) (and automatically selected options)
ii. IIS configuration:
1. Application
Development:
a. ISAPI Extensions
2. Security:
a. Windows
Authentication
3. IIS 6 Management
Compatibility:
a. IIS 6 Metabase
Compatibility
b. IIS 6 WMI
Compatibility
b. In the Configuration
Manager console of the primary site server, navigate to System Center
Configuration Manager / Site Database / Site Management /< site code> –
<site name> / Site Settings / Site Systems / <site system
name>.
c. Right-click< site
system name> and click New Roles to start the New Site Systems Role
Wizard.
d. On the General tab,
you have the options to do the following:
i. Specify the new (the
external domain) FQDN as the Name.
ii. Specify the external
FQDN for Internet-based clients to communicate with this site system.
iii. Click
Next
e. On the Proxy page
configure it if required and click Next
f. On the System Role
Selection page, select Management point and click
Next.
g. On the Management
Point page do the following:
i. Select
HTTPS
ii. Select Allow
Configuration Manager cloud management gateway
traffic
iii. Select Allow
Internet-only connections
iv. Click
Next
h. On the Management
Point Database page click Next.
i. On the Summary page
click Next.
j. The Progress page
displays the progress of saving the site system settings to the site
server.
k. The Completion page
displays whether or not the site system settings were successfully saved in the
site database. Click Close.
5. Install Certificate
for HTTPS MP
a. Install the wildcard
certificate to the local machine certificate store.
i. Copy the wildcard
certificate .pfx to the new MP.
ii. Double click the
certificate to start the certificate import wizard.
iii. Select local machine
and then click Next.
iv. On the file to import
page click Next.
v. On the private key
protection page:
1. Enter the password of
the certificate.
2. Do not check the box
to mark the key as exportable.
3. Click
Next
vi. On the certificate
store page click Next
vii. On the complete the
certificate import wizard page click Finish
b. Bind the certificate
to the default web site
i. On the new MP open
Internet Information Services (IIS) Manager.
ii. Expand Sites,
right-click Default Web Site, and then choose Edit Bindings.
iii. Choose the https
entry, and then choose Edit.
iv. In the Edit Site
Binding dialog box, select the wildcard certificate that you imported in to the
certificates store and then choose OK.
v. Choose OK in the Edit
Site Binding dialog box, and then choose Close.
vi. Close Internet
Information Services (IIS) Manager.
6. Configure Azure
Services
a. In the Configuration
Manager console, go to the Administration workspace, expand Cloud
Services
b. Right Click Azure
Services and select Configure Azure Services.
i. Give the service a
name, I’m using OrgName Cloud Management Service
ii. Select Cloud
Service
iii. Click
Next
c. On the App Page do
the following:
i. Select Azure Public
Cloud
ii. On the Web App click
Browse
1. Click
Create
a. Give the application
a name, it can be anything you’d like. I used OrgName
Application
c. Change the secret key
validity to 2 years.
d. Sign in with an Azure
global admin account
e. Click
OK.
2. On the Native Client
app click Browse
3. Click
Create
a. Give the application
a name, it can be anything you’d like. I used OrgName Native
Application
b. The Reply URL is not
used for anything therefore put anything you’d like here.
c. Sign in with an Azure
global admin account
d. Click
OK.
4. Highlight the client
app you’ve just created and Click OK
5. Click
Next
iii. On the discover page
you can take the defaults, the settings on this page have no effect on the CMG
so do whatever you’d like.
iv. On the Summary page
click Next and
v. On the Completion
page click Close
7. Install the
CMG
a. Install the
CMG
i. Go to
administration>cloud service>cloud management gateway, right click and
select create new cloud management gateway.
ii. On the general pane
of the install CMG wizard:
1. Select
AzurePublicCloud
2. Select Azure Resource
Manager Deployment
3. Click Sign in… and
sign in to Azure as a global Admin
4. Verify
the correct subscription ID is selected
5. Click
Next
iii. On
the Setting pane of the create cloud management
gateway;
1. select
your exported wildcard pfx as the server PKI certificate for the cloud server
and then enter a unique service FQDN
2. select
the exported cer file as the certificate for authenticating client
connections
3. Enter
your unique service FQDN which you found in the pre-requisites step of this
guide.
4. Uncheck
Verify client certificate
revocation
5. Click
Next
iv. Accept the default
thresholds and click next
v. On the summary page
click next
vi. On the completion
page click close.
b. Monitor the CMG in
the Cloud Management Gateway node of the console. You should see the status
“ready” within 15 minutes. If you do not check the CloudMgr.log in the SCCM Logs
folder of the site server for error (note: If your CM server time is incorrect
CMG install will fail on 1803)
8. Add the CMG Connection
Point
The CMG role can be installed on any site system. Since
we built a new server to host the HTTPS enabled MP that is likely as good a
place as any to install the role.
a. In the Configuration
Manager console, click Administration.
b. In the Administration
workspace, expand Site Configuration, and click Servers and Site System Roles.
Then select the server that you want to use for the CMG connection
point.
c. On the Home tab, in
the Server group, click Add Site System Roles.
d. On the General page,
review the settings, and then click Next.
e. On the Proxy page,
specify settings for a proxy server, if site system roles that run on this site
system server require a proxy server to connect to locations on the Internet.
Then click Next.
f. On the System Role
Selection page, select the cloud management gateway connection point role then
click Next.
g. On the specify the
cloud management gateway connection point settings page you should see the CMG
installed in the previous steps of this guide. Click
Next
h. On the summary page
click next
i. On the completion
page click close.
9. Create CMG
CNAME
a. In both internal and
external DNS you should create a CNAME entry for your unique service FQND to
yourservicename.cloudapp.net. For example I selected SCACMG as my service name
therefore my CNAME is scamcmg.systemcenteradmin.com and
scacmg.cloudapp.net
10. Configure Client Agent
Settings
For authentication to
your internal HTTPS management point, which you will create during this guide,
certificate authentication is not being used. For this reason, users must be
sync’d with Azure Active Directory and computers either registered or joined to
Azure Active Directory.
a. Configure the
following client agent settings in the Cloud Service node of client agent
settings:
i. Automatically
register new Windows 10 domain joined devices with Azure Active Directory:
Yes
ii. Enable clients to use
a cloud management gateway: Yes
iii. Allow access to a
cloud distribution point: Yes
11. Prepare Internal
ConfigMgr Roles for CMG Traffic
Perform the following steps on the HTTPS management
point as well as your SUP
a. In the Configuration
Manager console, go to the Administration workspace, expand Site Configuration,
right-click Servers and Site System Roles, and select Management point from the
list.
b. Select the new site
system server where you installed the HTTPS MP.
c. Select the Management
point role in the details pane, and then click Properties in the
ribbon.
d. In the Management
point properties sheet under Client Connections, check the box next to Allow
Configuration Manager cloud management gateway
traffic.
e. Click
OK.
f. Repeat these steps
for any software update points.
12. Test the
CMG
In order to simulate a client being outside of your
internal network set the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security,
ClientAlwaysOnInternet = 1
Be sure to
remove this key once testing has been
completed
i. In
the Configuration Manager console, click Software
Library.
ii. In
the Software Library workspace, expand Application Management, and then click
Packages.
iii. In
the Home tab, in the Create group, click Create
Package.
iv. On
the Package page of the Create Package and Program Wizard, specify the following
information:
1. Name:
Specify a name for the package for example Test
CMG.
2. This
package contains source files: Do not check this
box
3. Source
folder: Leave this empty
v. On the Program Type
page of the Create Package and Program Wizard, select Standard Package and then
click Next.
vi. On the Standard
Program page of the Create Package and Program Wizard, specify the
following:
1. Name: CMG Test
Program
2. Command Line:
ipconfig.exe
3. Run:
Normal
4. Program can run: Only
when a user is logged on
5. Run mode: Run with
administrative rights
6. Allow users to view
and interact with the program installation: Do not check this
box
7. Dive mode: run with
UNC name
vii. Click next through
all remaining screens to complete the wizard
b. Deploy the test
package
i. On a test PC set the
following registry value
1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security,
ClientAlwaysOnInternet = 1
ii. Create a new
collection and add a test PC to the new
collection.
iii. Deploy the test
package as required to the collection containing the test
PC
1. It is not necessary
to select a distribution point during the
deployment.
2. Be sure to make the
package required
3. Set the assignment
schedule to As soon as possible
4. On the User
Experience page be sure to select “Allow users to run the program independently
of advertisements.
c. On the test client
open the configuration manager control panel applet, go to the actions tab and
run a machine policy retrieval & Evaluation Cycle.
d. Monitor the
execmgr.log on the client to verify the test program
runs
e. Open software center
to ensure the test package is display
Hey John, do you always go for the wildcard cert? Is it a better option then then internal cert CA?
We have it deployed with internal certs and are having some 403 issues.
I think what you really wanted to ask me is if I always recommend using a publicly issued cert.The blog was intended for those who have no internal PKI or who wish to not use an internal PKI. I have many customers who have no PKI what-so-ever. The public cert is natively trusted by Windows which is a bonus IMHO.
I only used the wildcard because I see many companies who have purchased a wildcard and they use it for everything. I’m no certificate expert so I am not going to give any advice on the security implications of doing what those customers do. 🙂
Having said that…. if you have an internal PKI it’s more than likely the best method for you to use. You can still use AAD Auth if you’d like to eliminate the client certs. In the near future MS will eliminate the need for any PKI what-so-ever. I can likely help you with your errors, feel free to shoot me an email. pjm at ctglobalservices dot com
Great overview. Is there a specific reason you went with 1804? Do you expect this solution would work with 1802?
cloud server is very faster than shared hosting service, besides the bandwidth cost is also cheaper than normal hosting , so if someone can deploy their network application, or web application with cloud server then it will going to be very cost effective and technical solution for them , so this post is very helpful for people who are interested in using cloud service.
I used 1804 because it was the newest version available when I wrote the blog. I was hoping 1806 would be similar but 1806 removed the requirment for HTTPS MP. I’ll get an `1806 blog up within a couple days.
nice shots!!! I was having fun looking at it..perfect!
https://skrotpriser.com
nice shots!!! I was having fun looking at it..perfect!
https://skrotpriser.com
skrotbil
Why do you need to change FQDN of the management point when using a different internal / external DNS? I haven’t seen this noted as a requirement.
Brett, I emailed you directly. Let me know if you did not get that.
Hi John,
Currently we are configuring CMG for our client. As brett said, why do need to change FQDN for MP as we have already have internal domain (ex:xyz.com). Do we need to joing it to cloudapp.net ? bit confused. Could you elaborate on that please ?
did you get any reply for above mentioned
“but 1806 removed the requirment for HTTPS MP” – Is this still true?
Is there a specific reason you went with 1804? Do you expect this solution would work with 1802?
societe depennage plombier a votre disposition
Hey ,
you said newly configured MP with HTTP . do you mean there should be a separate MP not the primary site server ?
Hey ,
is there any way i can generate client certificate from the public CA provided SSL certificate
you said newly configured MP with HTTP . do you mean there should be a separate MP not the primary site server ?