Step-By-Step: Cloud Management Gateway

Introduction

ConfigMgr 1610 introduced the Cloud Management Gateway, an Azure-based solution to manage clients on the internet. The benefit is that you don't expose your own infrastructure to the internet: the Azure VM(s) running behind the Cloud Management Gateway (an Azure web service) are managed by Microsoft.

At a high level, the clients communicate with an Azure web service which acts as a proxy, forwarding ConfigMgr client traffic to the on-premises MP/SUP via a new site system role called Cloud Management Gateway Connection Point. For content distribution, you can leverage a Cloud Distribution Point. Software update content is downloaded directly from Windows Update.

Let's start the journey to manage clients over the internet.


Important Note: These procedures use an enterprise root certification authority (CA) and certificate templates appropriate for a test environment (a proof of concept). Ensure that your existing CA infrastructure is deployed according to Microsoft and industry recommendations. For further assistance with CA/PKI infrastructure, consult your PKI deployment documentation for the required procedures, or engage Microsoft, so that the certificates required for a production environment are deployed following best practices.

Environment

For a better understanding, here's a snapshot of the environment I am using to demonstrate the feature. A remote site system server will be configured to host the HTTPS roles along with the Cloud Management Gateway Connection Point.

Role | Server Name | Operating System
Domain Controller (Certificate Services – Enterprise Root CA) | DC1.contoso.com | Windows Server 2016 Datacenter
ConfigMgr Primary Site (HTTP): MP, DP, SUP | Primary1.contoso.com | Windows Server 2016 Datacenter
ConfigMgr Remote Site System (HTTP to HTTPS): MP, SUP, Cloud Management Gateway Connection Point | Remote1.contoso.com | Windows Server 2016 Datacenter
Windows Clients | Win101.contoso.com | Windows 10 Enterprise x64 v1511
Windows Clients | Win7.contoso.com | Windows 7 Enterprise x64 SP1
Azure Subscription | N/A | N/A

1 Certificate Requirements

Note: Although it is possible to use an HTTP MP/SUP for CMG functionality, this blog post follows the recommendation of HTTPS over HTTP. HTTPS is also a requirement for the modern management scenario.

The clients and the MP/SUP site system servers still require certificates to authenticate and encrypt their communication. Here's the list of certificates you need –

  • Azure Management Certificate
  • Client Authentication Certificate
  • Server Authentication Certificate
  • Cloud Management Gateway Certificate
  • Client Root Certificate

1.1    Azure Management Certificate

An Azure management certificate is required to deploy Azure services by authenticating with Service Management APIs.

Here's a screenshot of the 2 certificates I created following the instructions above -

1.2    Client Authentication Certificate

The following systems require a Client Authentication Certificate –

  • Management Point
  • Windows Clients

Follow the instructions in the TechNet link to –

  • Create and Issue the Workstation Authentication Certificate Template on the Certification Authority
  • Configuring Autoenrollment of the Workstation Authentication Template by Using Group Policy
  • Automatically Enroll the Workstation Authentication Certificate and Verifying Its Installation on Computers

1.3    Server Authentication Certificate

The following systems require a Server Authentication Certificate –

  • Management Point
  • Software Update Point

Follow the instructions in the TechNet link to –

  • Create and Issue the Web Server Certificate Template on the Certification Authority
  • Request the Web Server Certificate. [For each server hosting the MP & SUP role in HTTPS mode.]
  • Configure IIS to Use the Web Server Certificate. [On each server hosting the MP & SUP role in HTTPS mode.]
  • Additional configuration for WSUS Website - https://technet.microsoft.com/en-us/library/bb633246.aspx

Once you have completed the steps in section 1.2 and 1.3 the remote site system server Remote1.contoso.com will have 2 certificates as below -

1.4    Cloud Management Gateway Certificate

We need an additional certificate for the Cloud Management Gateway to secure the client requests sent via the Azure web service.

First we need a template to issue this certificate. Since the requirements are the same as for the Server Authentication Certificate we created in section 1.3, we will duplicate its template.

  • Connect to the CA server and launch MMC > Certification Authority > Certificate Template > Right click and Manage.
  • Select ConfigMgr Web Server Certificate > Right click and Duplicate Template
  • Click on General tab and change the display name to ConfigMgr Cloud Certificate
  • Click on Request Handling Tab > Check the box Allow private key to be exported. Click OK
  • Close Certificate Template window to go back to Certification Authority
  • Right click Certificate Template and click New > Certificate Template to Issue
  • Select ConfigMgr Cloud Certificate and click OK

Now we are ready to request the new certificate from Remote1.contoso.com

  • Launch MMC and Certificates > Local Computer > Personal > Certificates

  • Right click Certificates > All Task > Request New Certificate

  • Start the wizard and choose ConfigMgr Cloud Certificate. Click the More information link to add details

  • In the Subject tab under Subject Name Type drop-down choose Common Name.

  • Enter a name that ends with .cloudapp.net

    Note – This name should be unique in your Azure subscription. A storage account is also created with the same name. Launch the storage quick create feature to confirm the name is not taken already.

    I used configmgrgw.cloudapp.net in my lab.

  • Click Add and OK to finish the wizard.

Once you have completed the steps in section 1.4 the remote site system server Remote1.contoso.com will have 3 certificates as below –

Next we need to export the recently created certificate together with its private key (.PFX)

  • Right click on configmgrgw.cloudapp.net certificate > All Tasks > Export
  • In the wizard choose the option Yes, export the private key.
  • Proceed to secure the certificate with a password and save the file with the .PFX extension to finish the wizard.

Now I have 3 exported certificates: the 2 Azure Management Certificates and the Cloud Management Gateway Certificate.

1.5    Client Root Certificate

Next we need the Client Root Certificate. We can leverage the Client Authentication Certificate we generated in section 1.2.

  • Launch MMC and Certificates > Local Computer > Personal > Certificates
  • Select the Client Authentication Certificate (sort by certificate template to identify).
  • Right click and Open > Certification Path tab.
  • Select the root certificate [Contoso Enterprise CA in my case] Click View Certificate
  • This will open the Client Root Certificate. We need a copy of this certificate.
  • Click Details tab and click the button Copy to File…
  • Save the certificate with default settings.

Finally, we end up with 4 exported certificates: 2 Azure Management Certificates, 1 Cloud Management Gateway Certificate and 1 Client Root Certificate.
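The exports in sections 1.4 and 1.5 can also be scripted and checked from the site system. The following PowerShell is an added example and is not part of the original post; it assumes the CMG certificate subject CN=configmgrgw.cloudapp.net from the lab above, and the output folder is a placeholder.

```powershell
# Added example (not from the original post): export the CMG certificate with its
# private key and the root of the client authentication certificate's chain from the
# Local Computer store on Remote1. Assumptions: the CMG certificate subject is
# CN=configmgrgw.cloudapp.net (from the post); $OutDir is a placeholder to change.
$CmgSubject = 'CN=configmgrgw.cloudapp.net'
$OutDir     = 'C:\CMGCerts'          # placeholder output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Locate the CMG certificate issued in section 1.4. Fail early if there is not exactly one.
$cmg = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CmgSubject -and $_.HasPrivateKey })
if ($cmg.Count -ne 1) {
    throw "Expected one certificate with subject $CmgSubject and a private key, found $($cmg.Count)."
}
$cmg = $cmg[0]

# Checks worth doing before the PFX is uploaded to Azure: Server Authentication EKU
# (1.3.6.1.5.5.7.3.1) and a validity window that is not about to close.
if ($cmg.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'CMG certificate lacks the Server Authentication EKU; re-check the duplicated template.'
}
if ($cmg.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "CMG certificate expires on $($cmg.NotAfter); plan the renewal in the CMG properties."
}

# Export the private key (.PFX). This fails unless 'Allow private key to be exported'
# was set on the template (section 1.4), which doubles as a check of that step.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxPath = Join-Path $OutDir 'configmgrgw.cloudapp.net.pfx'
$cmg | Export-PfxCertificate -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Walk the chain of the client authentication certificate (section 1.2, EKU
# 1.3.6.1.5.5.7.3.2) to its root and export that root as the Client Root Certificate.
$clientCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate found; complete section 1.2 first.' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the CRL may not be published on the internet yet
if (-not $chain.Build($clientCert)) { throw 'Could not build the chain for the client certificate.' }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootPath = Join-Path $OutDir 'ClientRoot.cer'
$root | Export-Certificate -FilePath $rootPath -Type CERT | Out-Null

"CMG PFX  : $pfxPath"
"Root CER : $rootPath ($($root.Subject))"
```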

2 HTTPS Configuration and Validation

Next we need to configure the Primary site for certificate authentication and validate the HTTPS site systems are responding to clients.

  • Go to Administration > Site Configuration > Sites
  • Properties of primary site > Client Computer Communication Tab
  • Check the box – Use PKI client certificate (client authentication capability) when available.
  • Clear the box – Clients check the certificate revocation list (CRL) for site systems. [Clear this only if you haven't published the CRL on internet.]
  • Click OK to commit the changes.

2.1 HTTPS MP [Skip this section if you already have an HTTPS MP]

The management point needs to be configured to accept HTTPS connections

  • Go to Administration > Site Configuration > Servers and Site System Roles
  • Select the Site Server holding the MP role which you plan to change to HTTPS. [Remote1.contoso.com in my lab]
  • Under Site System Roles, select Management point and go to its properties
  • Change the Client connections to HTTPS and click OK

To validate the health of the MP, refer to the following logs –

  • MPSetup.log – Confirm a successful installation

    Installing E:\SMS\bin\x64\mp.msi REINSTALL=ALL REINSTALLMODE=vmaus CCMINSTALLDIR="E:\SMS_CCM" CCMSERVERDATAROOT="E:\SMS" USESMSPORTS=TRUE SMSPORTS=80 USESMSSSLPORTS=TRUE SMSSSLPORTS=443 USESMSSSL=TRUE SMSSSLSTATE=31 CCMENABLELOGGING=TRUE CCMLOGLEVEL=1 CCMLOGMAXSIZE=1000000 CCMLOGMAXHISTORY=1

    mp.msi exited with return code: 0

    Installation was successful.

  • MPControl.log – Confirm the status 200 OK

    Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK    SMS_MP_CONTROL_MANAGER

You can also validate the MP Status from Console.

  • Monitoring > System Status > Site Status [The MP in question should be green and Status OK]
  • Monitoring > System Status > Component Status [The MP in question should be green and Status OK]

To validate the client HTTPS mode -

  • You can check the Control Panel applet. The Client certificate value should show PKI

2.2 HTTPS SUP [Skip this section if you already have an HTTPS SUP]

The software update point needs to be configured to accept HTTPS connections

  • Go to Administration > Site Configuration > Servers and Site System Roles
  • Select the Site Server holding the SUP role which you plan to change to HTTPS. [Remote1.contoso.com in my lab]
  • Under Site System Roles, select Software update point and go to its properties
  • Check the box Require SSL communication to the WSUS server and click OK.

To validate the changes –

  • Check the site database by running the query Select * from WSUSServerLocations and confirm that ISSSL = 1

  • On server side, check WCM.log

    Attempting connection to WSUS server: REMOTE1.contoso.com, port: 8531, useSSL: True    SMS_WSUS_CONFIGURATION_MANAGER

    Successfully connected to server: REMOTE1.contoso.com, port: 8531, useSSL: True    SMS_WSUS_CONFIGURATION_MANAGER

  • On the client side, refer to WUAHandler.log -

    Enabling WUA Managed server policy to use server: https://REMOTE1.contoso.com:8531    WUAHandler

  • The local policy Specify intranet Microsoft update service location should show the HTTPS address
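Besides reading the logs, the HTTPS endpoints from sections 2.1 and 2.2 can be probed directly from a domain client. This PowerShell is an added example, not from the original post; it assumes the host name and ports used above (443 for the MP, 8531 for WSUS) and uses the standard MPLIST availability request.

```powershell
# Added example (not from the original post): confirm the HTTPS MP and SUP on
# Remote1.contoso.com answer on their SSL ports with a certificate this machine trusts.
# Assumptions: host name and ports from the post; the MPLIST URL is the standard
# management point availability request, client.asmx the WSUS client web service.
$SiteSystem = 'REMOTE1.contoso.com'
$Endpoints = @(
    @{ Role = 'MP';  Url = "https://$SiteSystem/sms_mp/.sms_aut?mplist" }
    @{ Role = 'SUP'; Url = "https://${SiteSystem}:8531/ClientWebService/client.asmx" }
)

foreach ($ep in $Endpoints) {
    $uri = [Uri]$ep.Url
    # TCP reachability first, so a firewall problem is reported separately from a TLS one.
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$($ep.Role): TCP port $($uri.Port) on $($uri.Host) is closed or filtered."
        continue
    }
    try {
        # Invoke-WebRequest validates the server certificate chain, so an untrusted
        # or mismatched certificate surfaces here as an exception.
        $resp = Invoke-WebRequest -Uri $ep.Url -UseBasicParsing -TimeoutSec 30
        "$($ep.Role): HTTP $($resp.StatusCode) from $($ep.Url)"
    } catch {
        Write-Warning "$($ep.Role): request to $($ep.Url) failed: $($_.Exception.Message)"
    }
}

# Inspect the certificate presented on the MP port: subject, issuer, EKU and expiry.
$client = New-Object System.Net.Sockets.TcpClient($SiteSystem, 443)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($SiteSystem)   # throws if the chain is not trusted
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "MP certificate: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter)"
    $ekus = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |     # Enhanced Key Usage extension
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') {
        Write-Warning 'MP certificate does not carry the Server Authentication EKU.'
    }
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```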

3 Enable and Configure Cloud Management Gateway

After completing sections 1 and 2, we are now ready to set up the Cloud Management Gateway.

3.1 Enable Feature

As of 1610 the Cloud Management Gateway is a pre-release feature which isn't enabled by default. Follow the steps below to enable it –

  • From the ConfigMgr console, go to Administration > Site Configuration > Sites
  • Select Primary Site and click on Hierarchy Settings from ribbon
  • In the General tab check the box Consent to use Pre-Release features. Click OK
  • Navigate to Updates and Servicing in the Administration page.
  • Click on Features
  • Select Pre-release – Cloud Management Gateway and click Turn on from ribbon menu.
  • Close and re-open the console.

3.2 Create Cloud Management Gateway

Now as we have enabled the feature, let's create the gateway –

  • In the ConfigMgr console navigate to Administration > Cloud Services > Cloud Management Gateway

  • From the ribbon menu click Create Cloud Management Gateway

  • Enter the Subscription ID

  • Click Browse to choose the Management Certificate. This is the certificate exported in section 1.1

  • Click Next

    Now we need to provide details for the Azure Cloud Service which will be created in our subscription.

  • The Service name will be automatically populated once you provide the certificate information.

  • Select Region – The Azure region where the cloud service will be hosted.

  • Choose the number of VM instances. A standard A2 VM will be hosted in Azure. Each VM can support approximately 2000 simultaneous connections.

    You can go up to 16 VMs. For each additional VM you need to increase the number of ports on the proxy by the number of virtual machines you use, starting at port 10124.

  • For Certificate File click Browse to choose the certificate created and exported in section 1.4

    This will auto populate the Service FQDN and Service Name.

  • For Client certificate root click Browse to choose the certificate exported in section 1.5

  • Uncheck Verify Client Certificate Revocation. [Clear this only if you haven't published the CRL on internet.]

  • Click Next

  • Configure threshold settings as desired.

  • Click Next to finish the wizard.

To view the status, open CloudMgr.log. You will see that the Azure cloud service is created and the CloudProxyService.cspkg file is deployed. You can also view the Azure console to see the storage account and cloud service.

    Uploading file C:\Program Files\Microsoft Configuration Manager\inboxes\cloudmgr.box\CloudProxyService.cspkg to container deploymentcontainer with blob name configmgrgw.cspkg in storage account configmgrgw    SMS_CLOUD_SERVICES_MANAGER

    Deployment package is uploaded to https://configmgrgw.blob.core.windows.net/deploymentcontainer/configmgrgw.cspkg for service configmgrgw    SMS_CLOUD_SERVICES_MANAGER

Once the provisioning is complete, the Status of Cloud Management Gateway in ConfigMgr console will change to Ready.

3.3 Add Site System Role - Cloud Management Gateway Connection Point

This is a new site system role required for communicating with the Azure gateway created in section 3.2. I will use remote1.contoso.com to add this site system role.

  • Go to Administration > Site Configuration > Servers and Site System Roles

  • Select the Site Server where you plan to install this role. [remote1.contoso.com]

  • Add site system role and select Cloud management gateway connection point

  • The Gateway name and Region will be auto-populated and requires no further action. Finish the wizard.

    A new log file is created SMS_CLOUD_PROXYCONNECTOR.log to monitor the activities.

    TCP CONNECTION: Established TCP connection with Proxy server CONFIGMGRGW.CLOUDAPP.NET:10140    SMS_CLOUD_PROXYCONNECTOR

3.4 Configure Roles to accept Cloud Gateway traffic

The last step is to configure the site system roles [MP & SUP] to listen and respond to Cloud Management Gateway traffic from internet clients.

  • Go to Administration > Site Configuration > Servers and Site System Roles

  • Select the Site System Server hosting the MP/SUP which you want to respond to the internet clients via Cloud Management Gateway.

  • Go to Management Point Properties and check the box Allow Configuration Manager cloud management gateway traffic.

  • Go to SUP Properties and check the box Allow Configuration Manager cloud management gateway traffic.

    The connection automatically switches to Allow intranet and Internet connections.

  • Click OK to complete.

    You can view the SMS_CLOUD_PROXYCONNECTOR.log to see the connection with Cloud Management Gateway.

    ReportOnlineConnections - state message to send: <Connections ServerName="REMOTE1.CONTOSO.COM"><Connection ID="00f9a999-958a-4a30-b50d-2a35b7742bae" ConnectedInstances="1"/></Connections>    SMS_CLOUD_PROXYCONNECTOR

    The connection points and connection status can also be viewed in the console under the Cloud Management Gateway Node.

4 Validate Internet Clients Management

4.1 Client Gateway Policies

The clients on the corporate network will receive the location of the cloud management gateway service which prepares them for internet management.

You can verify the information in the ConfigMgr control panel applet in the Network Tab.

The information is also published under the following registry key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Internet Facing

4.2 Management Point – Internet Connections

Now that the clients have the gateway policies, it's time to test internet client management. Switch one of the test clients from the domain network to the public internet.

  • Open the ConfigMgr control panel applet to validate the Connection Type: Currently Internet. You will also notice the Assigned Management Point name is missing.

  • Make a configuration change from the primary site and initiate a machine policy refresh on the internet client. View PolicyAgent.log and LocationServices.log:

    Initializing download of policy 'CCM_Policy_Policy5.PolicyID="PS120001-PS10000C-BB8CD055",PolicySource="SMS:PS1",PolicyVersion="1.00"' from 'https://CONFIGMGRGW.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594…./SMS_MP/.sms_pol?PS120001-PS10000C-BB8CD055.1_00'    PolicyAgent_ReplyAssignmentsLSUpdateInternetManagementPoints:

    Successfully refreshed internet MPs from MP CONFIGMGRGW.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057…...    LocationServices

I created a test package and deployed it to the internet client; it is now available in Software Center.

If you have a Cloud Distribution point, the client will be able to download the content.

4.3 Software Update Point – Internet Connections

The SUP proxy information is also sent to the client machines. Refer to the registry key below for the information -

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

When a new scan request is sent, location services report the new WSUS location.

    WSUS Path='https://CONFIGMGRGW.CLOUDAPP.NET/CCM_Proxy_ServerAuth/720575……', Server='REMOTE1.CONTOSO.COM', Version='3'    LocationServices

    Initializing download of policy 'CCM_Policy_Policy5.PolicyID="{442ECAD6-ABFA-4579-934F-9F71E21A72F3}",PolicySource="SMS:PS1",PolicyVersion="2.00"' from     'https://CONFIGMGRGW.CLOUDAPP.NET/CCM_Proxy_MutualAuth/7205…/SMS_MP/.sms_pol?{442ECAD6-ABFA-4579-934F

You can also check the status of the SUP proxy state by browsing the web service url below. Change the number 7205…. to the number for your cloud service.

https://configmgrgw.cloudapp.net/CCM_Proxy_ServerAuth/7205........../CLIENTWEBSERVICE/client.asmx

On my Windows 7 machine I deployed an update and configured the deployment to download content from Microsoft Update (MU) instead of the DP.

Update (Site_D7D3DEFB-42AE-468E-AAB1-5ED2D51F28AC/SUM_81d78420-defd-4425-81c1-cad24afaa647) Progress: Status = ciStateDownloading, PercentComplete = 0, Result = 0x0    UpdatesDeploymentAgent

Download started for content 41844b78-fe16-4f15-b9a9-4bf44b09fc51.1    ContentAccess

Distribution Point='net: https://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/secu/2016/04/windows6.1-kb3155178-x64_8d5c4b10ce6a99858877fb3fe85d98fae6acc8ca.cab',     Locality='WUMU'    ContentAccess
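The client-side state described in sections 4.1 and 4.3 can be read from one place. This PowerShell is an added example, not from the original post; it assumes the two registry keys quoted above, the standard WUServer policy value name, and derives the gateway FQDN from that value when it already points at the CMG.

```powershell
# Added example (not from the original post): on a managed client, show the Cloud
# Management Gateway locations (section 4.1) and the WSUS policy that points at the CMG
# SUP proxy (section 4.3), then check that the gateway FQDN answers on port 443.
# Assumptions: registry paths from the post; WUServer is the standard WindowsUpdate policy
# value; the CMG host is taken from WUServer when it is a cloudapp.net URL.
$InternetFacingKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Internet Facing'
$WuPolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Show-RegistryValues([string]$Path) {
    if (-not (Test-Path $Path)) {
        Write-Warning "$Path is missing; the client has not received this policy yet."
        return
    }
    # Drop the PS* provider properties so only the policy values are listed.
    $props = (Get-ItemProperty -Path $Path).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) { '  {0,-28} {1}' -f $p.Name, $p.Value }
}

"Cloud management gateway locations ($InternetFacingKey):"
Show-RegistryValues $InternetFacingKey
"WSUS policy ($WuPolicyKey):"
Show-RegistryValues $WuPolicyKey

# The WSUS path on an internet client looks like
# https://CONFIGMGRGW.CLOUDAPP.NET/CCM_Proxy_ServerAuth/<id> (see LocationServices.log).
$wuServer = (Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue).WUServer
if ($wuServer -and $wuServer -like 'https://*.cloudapp.net/*') {
    $cmgHost = ([Uri]$wuServer).Host
    $tcp = Test-NetConnection -ComputerName $cmgHost -Port 443 -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) {
        "Gateway $cmgHost is reachable on 443 from this client."
    } else {
        Write-Warning "Gateway $cmgHost is not reachable on 443; check the client's internet path."
    }
} elseif ($wuServer) {
    "WUServer still points at the on-premises SUP ($wuServer); the client is on the intranet or has not refreshed policy."
}

# Recent CMG- and WSUS-related lines from the client logs named in sections 4.2 and 4.3.
$ccmLogs = Join-Path $env:windir 'CCM\Logs'
foreach ($log in 'LocationServices.log', 'WUAHandler.log') {
    $path = Join-Path $ccmLogs $log
    if (Test-Path $path) {
        "--- $log ---"
        Select-String -Path $path -Pattern 'CCM_Proxy_|WSUS Path|Managed server' |
            Select-Object -Last 5 | ForEach-Object { $_.Line }
    }
}
```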

4.4 Monitoring Cloud Management Gateway

You can monitor the status of the Gateway and the traffic from the ConfigMgr console. The Connection Points and Role Endpoints tab has this information.


Thanks,

Arnab Mitra