Setting up Cloud Management Gateway (CMG) in SCCM 1806 (HTTP mode without trusted root certificates)

Introduction

More Configuration Manager 1806 and more awesomeness. 1806 gives us additional improvements to the Cloud Management Gateway and removes the need for PKI in your environment. With these improvements, it has never been easier to set up the CMG. In this post I will walk you through the exact steps I went through in order to successfully deploy the CMG in an HTTP-only environment.

Configuration Manager

Most of the work happens within the Configuration Manager console.

Client Computer Communication

  • First step is to enable “Use Configuration Manager-generated certificates for HTTP site systems“. This is done in the Administration workspace, under Site Configuration, Sites, and then Properties of your primary site, as illustrated below. As you can also see, this site is running HTTP without PKI certificates.

Azure Services

  • Next is to configure the relevant Azure service, also in the Configuration Manager console: Administration workspace, Cloud Services -> Azure Services.
    • Select Cloud Management and give it a suitable name.

  • Create the two applications highlighted below. Note: If you already have the web app created, the wizard will prompt you to reuse the existing one. Chances are that you already have Microsoft Store for Business configured in Configuration Manager, in which case you will already have the web app.
    • The defaults for creating the apps can be used; only the names are required.

  • For your inspiration, my Cloud Management Azure Service looks like this:

  • Which in turn will create the same two apps in Azure with the same names:

Cloud Management Gateway

  • Next up is adding the actual CMG. Here you need to sign in to Azure as a subscription administrator. The selection here will be the Azure Resource Manager deployment.

The next step is probably the most advanced of them all (which in fact is quite simple). This is where you upload the one and only certificate used for configuring all of this, and decide on some of the settings for the CMG in Azure.

  • Certificate file: This is the server authentication certificate, and in my scenario a certificate issued by a public provider like DigiCert, Thawte or VeriSign.
  • Service FQDN: In this scenario I have selected cmconfigmgr.mydomain.com matching the domain in the certificate. This is a name that you decide for yourself and can be anything (almost).
  • Service name: The service name will be populated once the above is in place. Note that the service name has to be unique, as it becomes part of the cloudapp.net domain.
  • Resource Group: I’m creating a new resource group in Azure.
  • Allow CMG to function as a cloud distribution point: Yes please. You will want this, as it saves you the trouble and cost of running a separate cloud DP alongside the CMG.

  • For now, I just accepted the defaults on the Alerts page and finished the wizard.

  • Before I moved on to the next steps, I made sure that the CMG had a status of Provisioning complete, as shown below. It might take a few minutes to complete. Patience.
    • The log files CloudMgr.log and CMGSetup.log on the site server are of interest to monitor during this phase of the setup.

Cloud Management Connection Point

  • Add the Cloud Management Connection Point site system role. I have chosen to add this on my primary site server, but this can be any site server you like.

  • With everything else mentioned in this post completed, the cloud management gateway name will automatically be filled out as shown below.

Allow cloud management gateway traffic

  • Next, make sure that your management point has the following setting enabled, which allows the MP to accept both intranet and Internet connections.

Client Settings

Make sure to have these settings in your Client Settings set to Yes and the Client Settings deployed to your clients.

DNS CNAME

All of this awesomeness requires that you create a CNAME in your organization's public DNS.

In this scenario, that will be cmgconfigmgr.mydomain.com pointing to cmgconfigmgr.cloudapp.net. Remember that this may take a while to replicate across the globe to all DNS servers.

Note: If something in the DNS alias is not working properly, you will find entries similar to this in SMS_CLOUD_PROXYCONNECTOR.log on the site server.
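As an added check that is not part of the original post: the script below resolves the public CNAME and then inspects the certificate the CMG presents on port 443, because the alias only works if the name the clients use is covered by the certificate you uploaded in the wizard. The two host names are the post's placeholder values and are assumptions; substitute your own. Resolve-DnsName comes with the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original post. Placeholder names are assumed; replace them.
$ServiceFqdn    = 'cmgconfigmgr.mydomain.com'   # name the clients use (must be in the certificate)
$ExpectedTarget = 'cmgconfigmgr.cloudapp.net'   # CNAME target = CMG service name in Azure

# Does a certificate name cover a host name? Wildcards match a single label only.
function Test-CertNameMatch {
    param([string]$CertName, [string]$HostName)
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                        # '.mydomain.com'
        if (-not $HostName.EndsWith($suffix, 'OrdinalIgnoreCase')) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return $HostName.Equals($CertName, 'OrdinalIgnoreCase')
}

# 1. CNAME: must exist and must point at the cloudapp.net service name.
$cname = Resolve-DnsName -Name $ServiceFqdn -Type CNAME -ErrorAction Stop |
         Where-Object { $_.Type -eq 'CNAME' }
if (-not $cname) { throw "$ServiceFqdn has no CNAME record (not created, or not replicated yet)." }
if ($cname.NameHost -ne $ExpectedTarget) {
    throw "CNAME for $ServiceFqdn points at $($cname.NameHost); expected $ExpectedTarget."
}
"CNAME OK: $ServiceFqdn -> $($cname.NameHost)"

# 2. TLS: connect to the alias and examine the certificate ourselves.
#    The callback accepts any certificate so that we can report the details below instead of failing blind.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($ServiceFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($ServiceFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Names the certificate is valid for (SAN entries; PowerShell exposes them as DnsNameList).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false)) }

    # Chain: with a certificate from a public CA this should build cleanly on any client.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        DnsNames   = ($names -join ', ')
        NameMatch  = [bool]($names | Where-Object { Test-CertNameMatch $_ $ServiceFqdn })
        ChainValid = $chainOk
        ChainError = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Run it from any machine with Internet access. NameMatch being False is exactly the mismatch between the certificate and the service FQDN you chose in the wizard, and a non-empty ChainError means a client without the issuing CA in its trust store would also reject the CMG.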

Testing

You can force the client to always use the CMG regardless of whether it’s on the intranet or internet. This configuration is useful for testing purposes, or for clients at remote offices that you want to force to use the CMG. Set the following registry key on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1

Verify that the client is on Internet through the Configuration Manager applet in the control panel:


And run the following PowerShell line to verify that the CMG is available as an Internet management point:

Running the Cloud Management Gateway connection analyzer:

ENJOY 🙂

Reference:

https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway
