ConfigMgr Cloud Management Gateway – a first look

cloudgateway-01Yesterday the ConfigMgr Product Group released ConfigMgr Current Branch 1610 to the fast channel. As part of this new version of ConfigMgr a new feature is released in preview.

This feature allows you to eliminate the fairly complex infrastructure that allows you to support the Internet based clients. This new feature is called the Cloud Management Gateway.

Currently the Cloud Management Gateway is a Virtual Machine that allows you to provide a Management Point and Software Update point via Microsoft Azure. The only thing you need is an Azure Subscription and an Azure Management Certificate to let ConfigMgr authenticate to the Microsoft Azure service.

Be sure to create a management cert that has a common name with the cloudapp.net domain.

The ConfigMgr Cloud Management Gateway connection point (which we install in a later step) is used to setup the connection to the VM that is used in Microsoft Azure. Since the Cloud Management Gateway connection point initiates the connection, no firewalls changes are needed, okay we need except for 443 outgoing… 😉

Setting up the Cloud Management Gateway is done as follows:

  1. Configure and export the management certificates and export the CA cert of your environment
  2. Enable the preview of Cloud Management Gateway via Administration > Cloud Services > Updates and Servicing > Features if you did not already do so.
  3. Add the Cloud Management Gateway via Administration > Cloud Services > Cloud Management Gateway
  4. Click Create Cloud Management Gateway
  5. Supply the Subscription ID (portal.azure.com > Subscriptions)
  6. Supply the Management Certificate (.cer)
  7. Supply the certificate file for the VM that will be the Cloud Management Gateway
  8. Check if the service FQDN is something like <service>.cloudapp.net
  9. Supply the Client Certificate Root cert
  10. Uncheck the Verify Client Certificate Revocation
  11. Finish the Create Cloud Management Gateway Wizard
Provisioning the Cloud Management Gateway
Provisioning the Cloud Management Gateway

12. Within 15 minutes (or so) a cloud service will be created with a Virtual Machine (Standard_A2) instance.

The Cloud Service in Microsoft Azure
The Cloud Service in Microsoft Azure

13. Next we need to configure the Cloud Management Gateway connection point on one of the existing site servers.

cloudgateway-03

14. Enable Allow Configuration Manager cloud management gateway traffic on the Management Point and Software Update Point.

Enable
Enable

Next check if the Connection point is connected to the Cloud Management Gateway and check if the client is able to connect to the Cloud Management Point.

cloudgateway-05
General information about the Cloud Management Gateway
cloudgateway-06
Is the Connection Point connected to the Cloud Management Gateway or not
cloudgateway-07
The current Site Systems and services that are supported by the Cloud Management Proxy

To be able to check if the client is able to connect to the Cloud Management Gateway.

The client can be forced to use the Cloud Management Gateway by for instance setting the registry as follows, configure in HKLM\Software\CCM:

  • –          ClientAlwaysOnInternet = 1 (DWORD)
  • –          Security = 1 (DWORD)

To test it if it works check the client or WMI via PowerShell;

cloudgateway-08
The ConfigMgr Client is configure automatically

get-wmiobject  -namespace root\ccm\locationservices -class SMS_ActiveMPCandidate

See the configuration via PowerShell
See the configuration via PowerShell

And of course, ConfigMgr is famous about the logfiles, also in the logfiles you can monitor what Management Point is used.

cloudgateway-10

In the ConfigMgr console you can see how much traffic has been handled by the Cloud Management Gateway.

cloudgateway-11

So what about the content?

For Software Updates deployment, Microsoft Updates can be used as the place to get the updates from. To force the clients to use Microsoft Updates, you need to enable the option “If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates” while deploying Software Update Groups.cloudgateway-12

For other content like packages or applications the cloud-based distribution point need to be used.

A great feature if you ask me, lets test this some more 🙂

 

 

Comments

Total
0
Shares
3 comments
  1. Hello,

    I’m working on this cloud management gateway as well and when I reach step 7 (just next to Azure sub validation) :
    – I’ve got the parameters tab with service name, region and stuff to fill in.
    service name is gray and it’s impossible to write down anything in it. As well, some words are cut (virtual machine) words hide the number of VM we have to choose for example.
    I’m running Windows 2012 R2 and everything in french.
    As my SQL is working in french, I cant just switch to english, right?
    PS. Im doing this exercise as a lab (HyperV VM running all my role)

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Action required: Check your Conditional Access policies!

Next Post

Intune and Lookout: the end user experience

Related Posts
Total
0
Share