Jump to content


anyweb

Cloud attach - Endpoint Managers silver lining – part 3 Creating a Cloud Management Gateway

Recommended Posts

Introduction

This is part 3 in a series of guides about cloud attach in Microsoft Endpoint Manager, with the aim of getting you up and running with all things cloud attach. This part will focus on creating a Cloud Management Gateway (CMG). This series is co-written by Niall & Paul, both of whom are Enterprise Mobility MVP’s with broad experience in the area of modern management. Paul is 4 times Enterprise Mobility MVP based in the UK and Niall is 10 times Enterprise Mobility MVP based in Sweden.

In part 1 we configured Azure AD connect to sync accounts from the on premise infrastructure to the cloud. In part 2, we prepared Azure resources for the Cloud Management Gateway, in this part we'll create the cloud management gateway and verify everything is running smoothly. A Cloud Management Gateway gives you a whole bunch of new abilities for managing, imaging computers, escrowing BitLocker keys and delivering software, updates and policy to remote based internet enabled clients.

Below you can find all parts in this series.

 

  • Cloud attach - Endpoint Managers silver lining - part 1 Configuring Azure AD connect
  • Cloud attach - Endpoint Managers silver lining - part 2 Prepare for a Cloud Management Gateway
  • Cloud attach - Endpoint Managers silver lining - part 3 Creating a Cloud Management Gateway <- you are here
  • Cloud attach - Endpoint Managers silver lining - part 4 Enabling co-management
  • Cloud attach - Endpoint Managers silver lining - part 5 Enabling compliance policies workload
  • Cloud attach - Endpoint Managers silver lining - part 6 Enabling conditional access
  • Cloud attach - Endpoint Managers silver lining - part 7 Co-managing Azure AD devices
  • Cloud attach - Endpoint Managers silver lining - part 8 Enabling tenant attach
  • Cloud attach - Endpoint Managers silver lining - part 9 Renewing expiring certificates
  • Cloud attach - Endpoint Managers silver lining - part 10 Using apps with tenant attach

Step 1. Create Cloud Management Gateway

Note: The screenshots here were taken in Configuration Manager version 2010 so some features such as Virtual Machine Scale Set available in later releases may not be visible.

Quote

Deploying a CMG with a virtual machine scale set in Azure was first introduced in version 2010 as a pre-release feature. Beginning with version 2107, it's no longer a pre-release feature.

In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select Cloud Management Gateway. Right click and choose Create Cloud Management Gateway.

Create Cloud Management Gateway.png

Click on Sign in and when prompted, use the credentials of an Azure subscription administrator account. The wizard will auto-populate the remaining fields from the information stored during the Azure AD integration prerequisite. If you own more than one subscription, select the Subscription ID of the desired subscription using the drop down menu.

Specify the Azure environment for this CMG. The options in the drop-down list may vary depending upon the deployment method. The screenshot below was taken from ConfigMgr version 2010 which we used at the time of writing this lab.

sign in to azure.png

And the screenshot below shows the new option to decide how you want to deploy your cloud services. Virtual Machine Scale Set which is available as a production feature in ConfigMgr version 2107 and later versions, prior to that verion is was available as a pre-release feature. For details of the difference in choosing Virtual Machine Scale Set versus Cloud service (classic) see Paul's post here. To change the size of your Virtual Machine Scale Set see this post.

2107 and later VMSS.png

On the Settings page of the wizard, click Browse and choose the .pfx file you created in step 5 of this blog post for the Cloud Management Gateway server authentication certificate. The name from this certificate populates the required Service FQDN and Service name fields.

pfx file.png

Enter the password when prompted

enter password.png

Next, click the Region drop-down menu to choose the Azure region for your Cloud Management Gateway.

region.png

For the Resource Group, if you choose Use existing, then select an existing resource group from the drop-down list. The selected resource group must already exist in the region you selected above. If you choose Create new, then enter the new resource group name. In the VM Instance field, enter the number of VMs for this service. The default is one, but you can scale up to 16 VMs per CMG.

Note: If you select an existing resource group and it is in a different region than the previously selected region, the Cloud Management Gateway will fail to provision.

resource group and other settings.png

Click on Certificates to add client trusted root certificates. Add all of the certificates in the trust chain, so for example if you have certificates from an Issuing CA (Intermediate CA) and Offline Root CA (Trusted Root CA) then include both certificates. An example of that PKI setup is here. Here were the certificates we used (Trusted Root and Issuing). Start with the Trusted Root first.

certs used in the cmg wizard.png

If you need to use an Intermediate certificate from an Issuing CA then you will get a popup stating that it's not a valid root, it is safe to ignore that popup as long as you do include the trusted root. Here are our certs listed after adding them, you may have more (or less) depending on your PKI setup.

certificates in the chain.png

Note: By default, the wizard enables the option to Verify Client Certificate Revocation. A certificate revocation list (CRL) must be publicly published for this verification to work. That would be handled by the webserver in my PKI guide.

Configure your desired Alerts

Alerts.png

Review the summary and if you need to make changes click Previous, otherwise it's time to start monitoring logs.

summary.png

Complete the wizard, close it and you should see the CMG is in a state of Provisioning.

cmg provisioning.png

And open the CloudMgr.log, below you can see it's starting the task of creating the CMG.

cloudmgr log file showing starting the creation of the cmg.png

After a while the status changes to Upgrading (click Refresh to see the change).

cmg upgrading status.png

And when the log file reads RanToCompletion, you can assume it's ready.

RanToCompletion.png

As reflected in the console.

cmg is ready.png

Step 2. Add the CMG connection point role

The CMG connection point is the site system role for communicating with the CMG. In Servers and Site System Roles, right click on your on-premise site server and choose Add Site System Roles.

add cmg connection point role.png

Add Site System Roles Wizard.png

If you need to use a Proxy to communicate with the CMG then configure it here.

proxy.png

On the System Role Selection page of the Add Site System Roles Wizard, select Cloud management gateway connection point.

system role selection.png

Then select the Cloud management gateway name to which this server connects. The wizard shows the region for the selected CMG.

cloud management gateway name.png

Continue through the wizard until completion, and then close the wizard. Next, open the SMS_Cloud_ProxyConnector.log to review things. You might see some connection issues listed, fear not, it will retry in 60 seconds.

SMS cloud proxy connector  log.png

If the lines in red don't go away you might want to take a glance at the required ports for the CMG connection point.

Note: For the service connection point the Server: Azure entry relates to management.azure.com. The CMG connection point ports 10140-10155 and 10124-10139 are incremental per VM that you assign when creating the CMG. So, if you build 2 VM instances, you will use ports 10140, 10141 and 10124, 10125. You need to assign the rule to name of the CMG to which your clients resolve, so we would enter cloudattachcmg.azurenoob.com in our rule. For the blob storage rule, you need to enter the prefix of the CMG name plus .blob.core.windows.net in your rule. So we would enter cloudattachcmg.blob.core.windows.net in our firewall rule.

required ports.png

Once the connection is made you'll see the following in the log file "Starting to connect to Proxy server cloudattachcmg..."

starting to connect to Proxy server cloudattachcmg.png

And when the connection is complete you can see it reflected in the console in the Connection Points tab of the CMG, it should have a Connection status of Connected.

connection points connected.png

 

Step 3. Configure client-facing roles for CMG traffic

Next we need to configure the management point and software update point site systems to accept CMG traffic. You should perform this procedure on the primary site, for all management points and software update points that service internet-based clients.

In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Servers and Site System Roles node. Select Management point from the list.

management point.png

In the Management point properties sheet under Client Connections, check the box next to Allow Configuration Manager cloud management gateway traffic.

allow configuration manager cloud gateway traffic.png

Apply the changes and close the Management Point properties.

Next, open the Software Update Point role properties. Check the box next to Allow Configuration Manager cloud management gateway traffic in WSUS Configuration.

software update point properties.png

 

Step 4. Configure client settings

In the Administration node of the console, select Client Settings, select Default client settings, and configure the Cloud settings. Verify that Enable clients to use a cloud management gateway is set to Yes. If you don't want this to apply to all of your clients in the hierarchy, create a custom client device settings instead and deploy it to a device collection containing the clients you want enabled.

cloud services settings.png

Step 5. Verify by running the connection analyzer

Now that you've configured the cloud management gateway, it's time to verify that everything is OK. In the Administration node of ConfigMgr, select Cloud Services, then select Cloud Management Gateway. Click on Connection Analyzer in the ribbon.

connection analyzer.png

At the Cloud management gateway connection analyzer screen, click Sign in and use the azure credentials you used to set this up.

cloud management gateway connection analyzer sign in.png

Once done, click on Start. If everything went according to plan it should look like this.

connection analyzer results.png

If you had a problem, it might look like this...If it does, highlight the red x to see more details of the issue.

cmg connection analyzer issues.png

and in this particular case we had to upgrade the cmg (timing issue perhaps ?) by clicking on Synchronize configuration in the ribbon. Notice how it says Upgrading.

Create Cloud Management Gateway.png

You can also refer to the CloudMgr.log to see it upgrading the configuration in such a scenario.

updating information.png

That's it for this part, you now have a CMG in place and are ready for our next part of our cloud attach series.

Related reading

CMG FAQ - https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/cloud-management-gateway-faq

Data flow for CMG - https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/data-flow

Managing remote clients with a CMG - https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-remote-machines-with-cloud-management-gateway-in/ba-p/1233895

  • Like 1

Share this post


Link to post
Share on other sites

I could really use some help with the Add the CMG connection point role part. I have added the role and I get the following error.  Unfortunately opening the ports on my windows firewall does not resolve the problem. My entire site (including the domain controller) is built in azure VM's and I also tried opening the ports for my NSG for the configuration manager VM but that that did not work.

When I do the cname lookup on https://dnschecker.org/  I can see that server.domain.com resolves correctly to server.cloudapp.net

No other problems setting the azure services or the CMG installed.   Just getting stuck with Add the CMG connection point role part

CM Version 2107. 

 

ERROR: Failed to build HttpV2 connection 9a65d55a-0940-4e05-9eb4-22f0ada02013 with server server.domain.COM:443. Exception: System.Net.WebException: The remote name could not be resolved: 'server.domain.com'~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnectionV2.SendInternal(HttpMethod method, String path, String payload, Int32& statusCode, Byte[]& responsePayload)~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnectionV2.SendInternal(HttpMethod method, String path, Byte[] payload)~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnectionV2.Online()~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.Start()~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionManager.MaintainConnections()

 

Share this post


Link to post
Share on other sites

are you absolutely sure you've configured it as we've explained ? to find out if the firewall is causing you issues, as a test, temporarily disable it, try adding the CMG connection point role again, any difference ? don't forget to re-enable the firewall after the test. If there's no change, then it's not your firewall or blocked ports but more than likely a mis-configuration or certifcate issue

Share this post


Link to post
Share on other sites

On 8/14/2021 at 3:04 AM, crashrebootrepeat said:

I could really use some help with the Add the CMG connection point role part. I have added the role and I get the following error.  Unfortunately opening the ports on my windows firewall does not resolve the problem. My entire site (including the domain controller) is built in azure VM's and I also tried opening the ports for my NSG for the configuration manager VM but that that did not work.

When I do the cname lookup on https://dnschecker.org/  I can see that server.domain.com resolves correctly to server.cloudapp.net

No other problems setting the azure services or the CMG installed.   Just getting stuck with Add the CMG connection point role part

CM Version 2107. 

 

ERROR: Failed to build HttpV2 connection 9a65d55a-0940-4e05-9eb4-22f0ada02013 with server server.domain.COM:443. Exception: System.Net.WebException: The remote name could not be resolved: 'server.domain.com'~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnectionV2.SendInternal(HttpMethod method, String path, String payload, Int32& statusCode, Byte[]& responsePayload)~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnectionV2.SendInternal(HttpMethod method, String path, Byte[] payload)~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnectionV2.Online()~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.Start()~~   at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionManager.MaintainConnections()

 

I was stuck here for days working this problem out.  In the Administrator | Cloud connection gateway | Service name when highlighted would say 'status' ready.  On the tab 'Connection Points' at the bottom would say 'Connection Status' disconnected.  The SMS_CLOUD_POXYCONNECTOR.log just kept polling every 60 seconds giving the same error message: ERROR: Failed to build Tcp connection b4022caa-886f-4d7e-8bda-09d950c321a2 with server MyUniqueCMGname.MyPublicFQDN:10140. Exception: System.Net.WebException: TCP CONNECTION: Failed to connect TCP socket with proxy server.

I also checked my unique CNAME that I added to the site hosting my public web site that pointed to MyUniqueCMGname.cloudapp.net
I used a wildcard SSL certificate which I purchased for my domain
All of the certificates in this guide were added.  Something to note with a wildcard SSL you need to overwrite the *.MyPublicFQDN to say under field 'service name': MyUniqueCMGname.MyPublicFQDN
I checked the CNAME propagated to al the DNS names using the dnschecker.org tool using this format: MyUniqueCMGname.MyPublicFQDN. This resolved successfully to: MyUniqueCMGname.cloudapp.net
Everything lined up perfectly so I was completely stumped.  Now I created a local CNAME on my local DNS server using a Forward Lookup Zone of MyPublicFQDN that CNAME pointed to MyUniqueCMGname.cloudapp.net which is the same as what was done on the DNS of my public web site.

The resolution in my instance was really simple the problem was in my local lab environment you need to go to the DNS  and check the SOA and NS records are configured correctly for your Forward Lookup Zone some entries default to your local FQDN when you create a new one.  Once I changed those the Cloud connection gateway comes into life now on the tab 'Connection Points' at the bottom would say 'Connection Status' Connected almost immediately after tweaking the local DNS forward lookup zone  

 

 

   

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.