ConfigMgr Cloud Management Gateway – a first look

Yesterday the ConfigMgr Product Group released ConfigMgr Current Branch 1610 to the fast channel. As part of this new version of ConfigMgr a new feature is available in preview.

This feature lets you do away with the fairly complex on-premises infrastructure (internet-facing site systems in a perimeter network, the classic Internet-Based Client Management setup) that was needed so far to support internet-based clients. This new feature is called the Cloud Management Gateway.

Currently the Cloud Management Gateway is a Virtual Machine running as an Azure cloud service; it publishes a Management Point and a Software Update Point to internet clients via Microsoft Azure. The only things you need are an Azure subscription and an Azure management certificate that lets ConfigMgr authenticate to the Azure service and deploy the cloud service for you.

Be sure the server authentication certificate you supply for the Cloud Management Gateway itself (the certificate for the VM, step 7 below) has a common name matching the cloud service FQDN, <service>.cloudapp.net; clients validate that name when they connect to the gateway over HTTPS. The management certificate, in contrast, only authenticates the site to Azure and can be self-signed.

The ConfigMgr Cloud Management Gateway connection point (which we install in a later step) is the on-premises site system role that sets up the connection to the VM in Microsoft Azure. Since the connection point initiates the connection outbound, no inbound firewall changes are needed on premises; only TCP 443 outgoing from the connection point to Azure has to be allowed… 😉

Setting up the Cloud Management Gateway is done as follows:

  1. Configure and export the management certificate, and export the root CA certificate of your environment
  2. Enable the preview of Cloud Management Gateway via Administration > Updates and Servicing > Features if you did not already do so.
  3. Go to Administration > Cloud Services > Cloud Management Gateway
  4. Click Create Cloud Management Gateway
  5. Supply the Subscription ID (portal.azure.com > Subscriptions)
  6. Supply the Management Certificate (.cer)
  7. Supply the certificate file for the VM that will be the Cloud Management Gateway
  8. Check that the service FQDN is something like <service>.cloudapp.net and matches the common name of that certificate
  9. Supply the Client Certificate Root cert (the root CA that issued your clients' certificates)
  10. Uncheck Verify Client Certificate Revocation only if your CA does not publish its CRL on an internet-reachable URL. With revocation checking off, a revoked client certificate, for instance from a stolen laptop, is still accepted by the gateway, so re-enable it as soon as the CRL is reachable from Azure.
  11. Finish the Create Cloud Management Gateway Wizard
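Steps 1, 6, 7, 8 and 9 as an added PowerShell example (not code from the original post): it creates and exports the self-signed Azure management certificate, verifies that the server authentication certificate you got from your CA really carries the cloud service name and the Server Authentication EKU before you upload it, and exports the root CA certificate from that certificate's chain. The service name contoso-cmg, the folder C:\CMGCerts and the already-issued contoso-cmg.pfx are hypothetical; it assumes Windows 10 / Server 2016 PowerShell (New-SelfSignedCertificate with -Subject) and that your client certificates come from the same enterprise CA as the server certificate.

```powershell
# Added example, not code from the original post. Hypothetical names: service
# 'contoso-cmg', output folder C:\CMGCerts, issued server auth cert contoso-cmg.pfx.
$ServiceName = 'contoso-cmg'
$ServiceFqdn = "$ServiceName.cloudapp.net"
$OutDir      = 'C:\CMGCerts'
$ServerPfx   = Join-Path $OutDir "$ServiceName.pfx"
$PfxPassword = Read-Host 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Azure management certificate (step 6) -------------------------------
# It only proves to Azure that this site may manage the subscription, so a
# self-signed cert is fine. Azure gets the public .cer; the .pfx stays with the
# site server.
$mgmt = New-SelfSignedCertificate -Subject 'CN=ConfigMgr CMG management' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyLength 2048 `
    -HashAlgorithm SHA256 -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(2)
Export-Certificate    -Cert $mgmt -FilePath (Join-Path $OutDir 'cmg-mgmt.cer') | Out-Null
Export-PfxCertificate -Cert $mgmt -FilePath (Join-Path $OutDir 'cmg-mgmt.pfx') `
    -Password $PfxPassword | Out-Null

# --- Server authentication certificate (steps 7 and 8) -------------------
function Test-CmgServerCertificate {
    param([string]$PfxPath, [securestring]$Password, [string]$ExpectedFqdn)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $PfxPath, $Password,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

    $problems = @()
    # Name check: CN or a SAN dNSName must be the cloud service FQDN, otherwise
    # clients fail TLS validation against <service>.cloudapp.net.
    $cn      = $cert.GetNameInfo('SimpleName', $false)
    $sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join ';'
    if ($cn -ne $ExpectedFqdn -and $sanText -notmatch [regex]::Escape($ExpectedFqdn)) {
        $problems += "Subject CN '$cn' / SAN '$sanText' does not match $ExpectedFqdn"
    }
    # Usage checks: private key present and Server Authentication EKU set.
    if (-not $cert.HasPrivateKey) { $problems += 'No private key in PFX' }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'Missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Expires $($cert.NotAfter)" }

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        Problems    = $problems
        Certificate = $cert
    }
}

$check = Test-CmgServerCertificate -PfxPath $ServerPfx -Password $PfxPassword -ExpectedFqdn $ServiceFqdn
if ($check.Problems) { $check.Problems | ForEach-Object { Write-Warning $_ } }
else { "Server auth cert OK: $($check.Subject)" }

# --- Root CA certificate (steps 1 and 9) ---------------------------------
# Walk the chain of the server auth cert and export its root. Assumption: the
# same enterprise CA issued the client certificates, so this is also the
# 'Client Certificate Root' the wizard asks for.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only want the chain here
$null = $chain.Build($check.Certificate)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $root -FilePath (Join-Path $OutDir 'enterprise-root.cer') | Out-Null
"Exported root CA: $($root.Subject)"
```

Run the name check before you start the wizard: a mismatch between the certificate and the cloudapp.net name only shows up afterwards, when clients refuse the gateway's HTTPS endpoint.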
Provisioning the Cloud Management Gateway

12. Within 15 minutes (or so) a cloud service is created in Azure with a single Standard_A2 Virtual Machine instance.

The Cloud Service in Microsoft Azure

13. Next we need to configure the Cloud Management Gateway connection point on one of the existing site servers.

14. Enable “Allow Configuration Manager cloud management gateway traffic” in the properties of the Management Point and Software Update Point roles.

Enable

Next check whether the connection point is connected to the Cloud Management Gateway and whether a client is able to connect through the Cloud Management Gateway.

General information about the Cloud Management Gateway

Is the Connection Point connected to the Cloud Management Gateway or not

The current site systems and services that are supported by the Cloud Management Gateway

To check whether a client can reach the Cloud Management Gateway, force the client into internet mode. The documented switch is a DWORD value under HKLM\SOFTWARE\Microsoft\CCM\Security:

  • ClientAlwaysOnInternet = 1 (DWORD)

Restart the SMS Agent Host (CcmExec) afterwards so the client re-evaluates its location, and set the value back to 0 when you are done testing, because a client in this mode never falls back to the on-premises Management Points.

To test whether it works, check the client's location information in WMI via PowerShell:

The ConfigMgr client is configured automatically

Get-WmiObject -Namespace root\ccm\LocationServices -Class SMS_ActiveMPCandidate

See the configuration via PowerShell

And of course ConfigMgr is famous for its log files; on the client, LocationServices.log shows which Management Point is being used and ClientLocation.log shows whether the client considers itself on the intranet or on the internet.
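The registry switch, the WMI query and the log check above, put together as one added PowerShell script (not code from the original post) to run elevated on a test client: it sets ClientAlwaysOnInternet, restarts the agent, reads ClientInfo.InInternet and SMS_ActiveMPCandidate from WMI, and pulls the matching lines from LocationServices.log and ClientLocation.log. The gateway name contoso-cmg.cloudapp.net is hypothetical and the default client log folder %WINDIR%\CCM\Logs is assumed.

```powershell
# Added example, not code from the original post. Run elevated on the client.
$CmgFqdn = 'contoso-cmg.cloudapp.net'        # hypothetical CMG service name
$LogDir  = Join-Path $env:WINDIR 'CCM\Logs'  # default client log folder

function Set-ClientAlwaysOnInternet {
    # Documented client setting: HKLM\SOFTWARE\Microsoft\CCM\Security\ClientAlwaysOnInternet
    # 1 = treat every network as the internet, 0 = normal location detection.
    param([ValidateSet(0, 1)][int]$Value)
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ClientAlwaysOnInternet' -Value $Value -Type DWord
    # The client only re-reads the value when it starts.
    Restart-Service -Name CcmExec
}

function Get-ClientLocationState {
    # ClientInfo.InInternet: does the client currently think it is on the internet?
    # SMS_ActiveMPCandidate: the Management Points it will talk to (same class the
    # post queries with Get-WmiObject; Get-CimInstance is the current cmdlet).
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo'
    $mps  = Get-CimInstance -Namespace 'root\ccm\LocationServices' -ClassName 'SMS_ActiveMPCandidate'
    [pscustomobject]@{
        InInternet = [bool]$info.InInternet
        Candidates = @($mps | Select-Object -ExpandProperty MP)
    }
}

function Get-MpFromLogs {
    # Latest log lines that mention the gateway: LocationServices.log records MP
    # selection, ClientLocation.log the intranet/internet decision.
    param([string]$Fqdn, [int]$Last = 5)
    Get-ChildItem -Path $LogDir -Include 'LocationServices*.log', 'ClientLocation*.log' -Recurse |
        Select-String -Pattern ([regex]::Escape($Fqdn)) |
        Select-Object -Last $Last |
        ForEach-Object { $_.Line }
}

function Test-CmgConnectivity {
    param([string]$Fqdn)
    $state  = Get-ClientLocationState
    $viaCmg = $state.Candidates -match [regex]::Escape($Fqdn)
    [pscustomobject]@{
        InInternet  = $state.InInternet
        Candidates  = $state.Candidates
        UsesCmg     = [bool]$viaCmg
        LogEvidence = Get-MpFromLogs -Fqdn $Fqdn
    }
}

# Usage: force internet mode, give the client time to re-evaluate, then check.
Set-ClientAlwaysOnInternet -Value 1
Start-Sleep -Seconds 90
Test-CmgConnectivity -Fqdn $CmgFqdn | Format-List

# Undo on the test machine when finished: a client left in internet-only mode
# never falls back to the on-premises Management Points.
# Set-ClientAlwaysOnInternet -Value 0
```

If UsesCmg stays false while InInternet is true, the client cannot reach or trust the gateway; the LogEvidence lines usually tell you whether it is a name/certificate problem or the connection point not being connected.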

In the ConfigMgr console you can see how much traffic has been handled by the Cloud Management Gateway.

So what about the content?

For software update deployments, Microsoft Update can serve as the download source for internet clients. To let clients fall back to it, enable the option “If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates” on the deployment when deploying the Software Update Group.

For other content like packages or applications, a cloud-based distribution point needs to be used.

A great feature if you ask me, let's test this some more 🙂