One of the features in the newly released 1610 update for ConfigMgr Current Branch is the pre-release Cloud Management Gateway. This is similar to the Azure Cloud Proxy feature released in the Technical Preview 1606. I wrote a post on this here.
One thing to note that seems to be different from the TP, is that the on-prem distribution point isn’t supported for cloud management gateway traffic. You will need to set up an Azure cloud based distribution point for clients to download content (applications etc). However, you can enable the Management Point and Software Update Point to receive cloud management gateway traffic.
You can see the limitations of the Cloud Management Gateway here
This post will show you how I set up the Cloud Management Gateway in a lab. I won’t dive into the certificates part but information can be found at Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 Certification Authority and
A bit of info about my setup:
- Azure subscription (you can get a trial here)
- ConfigMgr Current Branch 1610 environment
- Azure Management certificate uploaded to manage.windowsazure.com
- Cloud management gateway certificate for <name>.cloudapp.net. Info for that can be found here Note: this name needs to be unique and cannot exist in Azure
- Workstation certificate installed on clients and exported as the root certificate
- Management Point and SUP configured for HTTPS
- Windows 10 client with Workstation Certificate enrolled to test
As this is a pre-release feature, I enabled it when installing the 1610 update
Now you will see the Cloud Management Gateway under the Cloud Services section. Click Create.
Enter in your Azure Subscription ID which can be found from portal.azure.com or manage.windowsazure.com and select the Management Certificate (which needs to already be uploaded to Azure)
When the cloud service PKI certificate is selected from the Browse button, the service name and FQDN will automatically be filled in (this is the common name from when the certificate was requested). Make sure a unique name was chosen earlier for the certificate as it will create a cloud service in Azure with <name>.cloudapp.net
Also specify the client certificate root. You can see instructions here. Make sure this is done properly as the client will get certificate issues when trying to connect to the Management Point.
You have the ability to set thresholds to create alerts regarding the outbound traffic as Azure charges you based on the Outbound traffic.
You can watch the provisioning status. Or even better, examine the CloudMgr.log so you can see exactly what is going on and look out for any issues or errors.
Enable the site to use PKI certificate. The workstations that communicate with the Cloud Management Gateway need a Workstation certificate enrolled. Workstation Certificates are covered here.
Next the Cloud Management Gateway connection point role will be added.
The information is filled in automatically
Once the role has been added, the Management Point and Software Update Point need to allow Cloud Management Gateway traffic. Make sure the Web Server certificate for the MP/WSUS is configured in IIS. There is a guide on that here
On the client, while it has a connection to the Internal network, you can restart SMS Agent Host service so it picks up the new Internet management point.
Once that is done on my client, I have given the machine only Internet access and no internal network access. I have restarted SMS Agent Host and you can see in LocationServices.log it is using the Cloud Management Gateway and the ConfigMgr client connection type is set to Internet.
If you’re curious about what it looks like in Azure, if you go to portal.azure.com and go to Cloud Services (classic), you can see it created a ProxyService role which is meant to be running on an A2 VM.