Cloud Based Management Gateway Overview
by David Maiolo 2018-03-16
Cloud-Based Management Service Overview
Internet-based client management has been available in Configuration Manager for years, but it has never been easy to set up: by one estimate, only about 10% of Microsoft's Configuration Manager install base has actually used it.
Starting with the Configuration Manager 1610 release, management of internet-based clients is also available through an Azure-hosted service called the Cloud Management Gateway (CMG). On the on-premises side this is supported by a new site system role, the cloud management gateway connection point. The connection point opens an outbound connection to the CMG service in Azure; internet-based clients talk only to the CMG, and the connection point relays that traffic to your on-premises (or Azure-hosted) Configuration Manager site systems.
The strategic goal in adding the Cloud Management Gateway to your environment is to provide an intermediary cloud solution on your roadmap to full cloud management of your Windows 10 devices through Microsoft Intune. In this intermediary stage you still have access to traditional agent-based management from Configuration Manager while extending the perimeter to clients that roam on the internet. The Cloud Management Gateway does this without adding on-premises infrastructure and without exposing any of your infrastructure to inbound connections from the internet; only outbound connections from the connection point are needed.
The one drawback compared with traditional internet-based client management is that it requires a Microsoft Azure subscription, billed monthly, for the cloud service.
Deployment and Configuration of the Cloud Management Gateway
Configuration Manager 1610 introduced the cloud management gateway to offer a simpler way to manage your internet-based clients. The cloud management gateway service is deployed to Azure and requires an Azure subscription.
The high-level certificate steps are:
- Create and issue a custom Web Service Certificate (SSL Cert)
- Request the Web Service Certificate (SSL Cert) from your CA
- Export the custom Web Service Certificate (SSL Cert)
- Create a Client Authentication Certificate
- Create an Auto-Enroll Group Policy for the Client Authentication Certificate
- Export the Client Root Certificate (CA / PKI Cert)
- Upload the Management Cert to Azure
The high-level SCCM console management steps are:
- Create the Cloud Management Gateway in SCCM
- Add the Cloud Management Gateway Connection Point role
- Configure the Management Point for the Cloud Management Gateway
- Verify the Client is communicating with the Cloud Management Gateway
Requirements
- Cloud Management Gateway Connection Point role added to Site Server
- Azure subscription
- Management Certificate (Management Cert; the public-key export of the Web Certificate, uploaded to Azure)
- Web Certificate (SSL Cert)
- Root Certificate (CA / PKI Cert)
Limitations
- Each CMG supports up to 4,000 clients
- CMG only supports the management point (MP) and software update point (SUP) roles
- No client push installation
- No OSD or task sequences
- No Wake on LAN
- No peer cache
Understanding the Required Certificates
Web Service Certificate (SSL Cert)
The Web Service Certificate is the server authentication (TLS) certificate the Cloud Management Gateway presents to clients, so every internet client must trust the CA that issued it. It is recommended that this certificate come from a public CA and that its subject name match the public DNS name, under your company's domain, that clients will use to reach the CMG. The public part of this certificate, exported to a .cer file without the private key, is what this guide uses as the Management Cert; the .pfx export with the private key is uploaded only in the Create Cloud Management Gateway wizard.
Management Cert
The Management Certificate is used to authenticate SCCM to Azure so that it can create and configure the Cloud Management Gateway instances. After the certificate is created, upload the .cer file to the Azure portal as a management certificate on the subscription you will use for the CMG.
Client Cert
A client authentication certificate must be present on every computer that will be managed through the Cloud Management Gateway. It must also be on the site system hosting the cloud management gateway connection point. You can deploy the client certificate to your SCCM clients with an auto-enrollment GPO. Once a client certificate is on a machine, export the root CA certificate of the PKI that issued it; this becomes the Client Root Certificate (CA / PKI Cert).
Client Root Certificate (CA / PKI Cert)
The root certificate of the PKI that issued the clients' certificates. Internet-based clients still require PKI certificates to authenticate to Configuration Manager; this is the root of that chain, and it is uploaded so the CMG can validate the client certificates presented to it.
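The exports described in the certificate steps and the four sections above, as an added PowerShell example that is not part of the original post: it writes the .pfx and .cer of the web service certificate, then walks the chain of an enrolled client certificate to export its root CA. The CMG name cmg.contoso.com, the root CA name "Contoso Root CA" and the output folder C:\CMGCerts are assumptions for illustration.

```powershell
# Added example, not from the original post: produce the certificate files the
# CMG setup needs. Run elevated on a machine that holds the web service
# certificate with its private key and has a client authentication certificate.
# Assumptions (not in the original): web cert subject CN=cmg.contoso.com,
# internal root CA named "Contoso Root CA", output folder C:\CMGCerts.

$CmgFqdn    = 'cmg.contoso.com'    # assumed public DNS name of the CMG
$RootCaName = 'Contoso Root CA'    # assumed CN of the internal root CA
$OutDir     = 'C:\CMGCerts'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Web Service Certificate (SSL cert) --------------------------------------
# Newest cert for the CMG name that has a private key and the Server
# Authentication EKU (1.3.6.1.5.5.7.3.1).
$WebCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$CmgFqdn*" -and $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $WebCert) { throw "No server authentication certificate for $CmgFqdn with a private key in LocalMachine\My" }

# The .pfx (private key included) goes only into the Create Cloud Management
# Gateway wizard. The .cer (public key only) is the Management Cert uploaded to
# the Azure portal; the .cer is safe to hand around, the .pfx is not.
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX export'
Export-PfxCertificate -Cert $WebCert -FilePath "$OutDir\CMG-WebService.pfx" -Password $PfxPassword | Out-Null
Export-Certificate    -Cert $WebCert -FilePath "$OutDir\CMG-Management.cer" -Type CERT | Out-Null

# --- Client Root Certificate (CA / PKI cert) ---------------------------------
# Find an enrolled client authentication certificate (EKU 1.3.6.1.5.5.7.3.2),
# build its chain and export the top of the chain (the root CA).
$ClientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' -and
        $_.HasPrivateKey -and $_.Subject -notlike "CN=$CmgFqdn*"
    } | Select-Object -First 1
if (-not $ClientCert) { throw 'No client authentication certificate found; check the auto-enrollment GPO' }

$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the chain shape matters here
if (-not $Chain.Build($ClientCert)) {
    Write-Warning 'Client certificate chain did not validate; intermediate CA certificates may be missing'
}
$Root = $Chain.ChainElements[$Chain.ChainElements.Count - 1].Certificate
if ($Root.Subject -ne $Root.Issuer) { throw 'Top of chain is not self-signed; the chain is incomplete' }
if ($Root.Subject -notlike "CN=$RootCaName*") { Write-Warning "Root CA is $($Root.Subject), not $RootCaName" }
Export-Certificate -Cert $Root -FilePath "$OutDir\ClientRootCA.cer" -Type CERT | Out-Null

# Thumbprints let you confirm in the console and the portal that the files you
# uploaded are the ones you meant to.
[pscustomobject]@{
    WebServiceCert = $WebCert.Thumbprint
    WebServiceSAN  = ($WebCert.DnsNameList.Unicode -join ',')
    ClientCert     = $ClientCert.Thumbprint
    ClientRootCA   = $Root.Thumbprint
    OutputFolder   = $OutDir
}
```

Keep the .pfx off shared drives: it carries the private key the CMG will use to terminate TLS for every roaming client, and anyone holding it can impersonate the gateway.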
Create the Cloud Management Gateway in SCCM
Now that you have your certificates, enable the Cloud Management Gateway feature in the console: go to Administration -> Overview -> Updates and Servicing -> Features, right-click Cloud Management Gateway and turn the feature on.
Next, go to Administration -> Overview -> Site Configuration -> Sites, open the site properties, and on the Client Computer Communication tab select HTTPS or HTTP and check Use PKI client certificate (client authentication capability) when available.
Now, we will create the Cloud Management Gateway. Go to Administration -> Overview -> Cloud Services -> Cloud Management Gateway. Click Create Cloud Management Gateway.
Next, add your Azure Subscription ID and upload the Management Cert (the wizard asks for the .pfx so the site can authenticate to Azure with the private key; the .cer you uploaded to the portal is its public half).
On the next page, upload the Web Service Certificate (SSL Cert) .pfx and the Client Root Certificate (CA / PKI Cert) .cer. The subject name of the web service certificate is the name clients will use to reach the CMG, so make sure your public DNS has a CNAME for that name pointing at the Azure cloud service once it is provisioned.
Once the wizard finishes, the Cloud Management Gateway shows a provisioning status while Azure deploys the service and then reports that provisioning is complete.
Add the Cloud Management Gateway Connection Point role
Now we need to add the Cloud Management Gateway Connection Point role. Go to Administration -> Overview -> Site Configuration -> Servers and Site System Roles, select the site system, and add the role.
Go through the wizard with the default settings and make sure the Cloud Management Gateway you created earlier is selected.
Configure the Management Point for the Cloud Management Gateway
Now we have to tell the Management Point that it is OK to accept Cloud Management Gateway traffic. Go to Administration -> Overview -> Site Configuration -> Servers and Site System Roles and open your Management Point properties.
Select the option Allow Configuration Manager cloud management gateway traffic.
Verify the Client is communicating with the Cloud Management Gateway
Finally, we need to verify everything is working. Connect one of your clients to an external internet connection, such as a home Wi-Fi network.
Run a Machine Policy Retrieval & Evaluation Cycle from the Configuration Manager control panel applet.
Then verify on the Network tab that Connection Type shows Currently internet and that the internet-based management point listed is the FQDN of your Cloud Management Gateway.
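The same verification scripted from the roaming client, as an added PowerShell example that is not part of the original post: it triggers the machine policy cycle, reads the client's internet/intranet state, searches the location logs for the gateway name, and checks the TLS certificate the CMG actually presents. The CMG name cmg.contoso.com and the default log path C:\Windows\CCM\Logs are assumptions; the log search is a heuristic, not a documented log format.

```powershell
# Added example, not from the original post: confirm from a client on an
# external network that it is in internet mode and reaches the CMG. Run elevated.
# Assumptions (not in the original): CMG public name cmg.contoso.com, client
# logs in the default C:\Windows\CCM\Logs folder.

$CmgFqdn = 'cmg.contoso.com'
$LogDir  = 'C:\Windows\CCM\Logs'

# 1. Same action as "Machine Policy Retrieval & Evaluation Cycle" in the
#    Configuration Manager control panel: schedule ...021 requests machine
#    policy assignments from the management point.
Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
    -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null
Start-Sleep -Seconds 30   # give the client time to re-evaluate its location

# 2. The client's own view: ClientInfo.InInternet is what the Network tab
#    shows as Connection Type "Currently internet".
$OnInternet = [bool](Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo').InInternet

# 3. Evidence in the location logs that the CMG name was used (heuristic
#    text search over the last few matching lines).
$LogHits = Get-ChildItem "$LogDir\LocationServices*.log", "$LogDir\ClientLocation*.log" -ErrorAction SilentlyContinue |
    Select-String -Pattern ([regex]::Escape($CmgFqdn)) | Select-Object -Last 5

# 4. TLS check from the outside: connect to the CMG on 443 and inspect the
#    certificate it presents. AuthenticateAsClient validates the chain against
#    the machine's trust store, so a certificate the client does not trust
#    fails here just as it would for the ConfigMgr client itself.
$ServerCert = $null
$Tcp = New-Object System.Net.Sockets.TcpClient($CmgFqdn, 443)
try {
    $Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false)
    $Ssl.AuthenticateAsClient($CmgFqdn)
    $ServerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
    $Ssl.Dispose()
} finally {
    $Tcp.Dispose()
}

# The name in the certificate must be the public name clients connect to.
$NameMatches = ($ServerCert.DnsNameList.Unicode -contains $CmgFqdn) -or
               ($ServerCert.Subject -like "CN=$CmgFqdn*")

[pscustomobject]@{
    ClientOnInternet   = $OnInternet
    CmgCertSubject     = $ServerCert.Subject
    CmgCertIssuer      = $ServerCert.Issuer
    CmgCertNameMatches = $NameMatches
    CmgCertExpires     = $ServerCert.NotAfter
    RecentCmgLogLines  = @($LogHits | ForEach-Object { $_.Line })
}
```

If ClientOnInternet is false while the machine is clearly off the corporate network, check that the client was assigned the CMG as its internet-based management point; if the TLS step throws, the client does not trust the CA that issued the web service certificate, which is the most common reason roaming clients silently fail to register.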
If you need more help creating certificates, or have custom settings you would like to apply to your Cloud Management Gateway, consult the latest Microsoft documentation for setting up a Cloud Management Gateway.