Tag Archives: Cloud Management Gateway

SCCM TP 1805 – CMG Connection Analyzer

One of the nice new features in the SCCM Technical Preview 1805 is the CMG Connection analyzer to help you determine issues with your Cloud Management Gateway. At the moment it allows you to troubleshoot as a user authenticating through Azure AD, and a user authenticating with a client authentication certificate.

This post will show the different checks that the Connection analyzer performs, and the types of errors it displays when something has gone wrong. I will include a few scenario’s of me breaking my CMG and what the Connetion analyzer shows.

You will notice in the CMG section there is a new button called Connection analyzer.

CA01

You can see the different authentication options you get. First I will test logging in as an Azure AD user. You can see that the first two steps involve checking that the service is running and testing connecting to it.

CA02

Next we can see that its checking the configuration versions to make sure it matches between on-prem and Azure.

CA03

Here in my lab you can see that the next step checks the CMG connection point and confirms that it is connected.

CA04

I have set my management point to allow CMG traffic, the test confirms this.

CA05

The Azure AD user can authenticate against my management point without any issues.

CA06

Now if I was to break the certificate on my management point IIS bindings and run the test again, you can see that the test fails and reports some 500 status code errors and gives possible reasons.

CA07

Next up is testing using a client certificate. You have two options to load the certificate. You can either export the client authentication certificate from a machine with the private key, or you can connect to the Certificate Store.

CA072

In this Tech Preview when you try to connect to the Certificate Store, it will try to connect to the User Store and then report that there are no certificates available. So for this post I have chosen to export the client authentication certificate to run through the tests.

CA08

You can see below that it has the same steps as testing authenticating as an Azure AD user.

CA09

I have broken my Cloud Management Gateway Point role in my lab and run through the tests again to see what it fails on. You can see that it fails as it can’t connect to the CMG Service.

CA010_2

The same as below.

CA11

Another interesting scenario is if I use an incorrect Client trusted root certificate that is uploaded to the CMG service. You can see that it fails below with the 403 forbidden status code.

CA10

And again, you can see that it says that the certificate is not trusted by the CMG.

CA12

That is all the tests I have run so far. So far it is a good start. It seems quite a few customers have issues getting their CMG up and running, I think it is mostly to do with certificates. Hopefully in the future the descriptions can be improved with more details as to what could be wrong in the Connection analyzer to help customers troubleshoot more. The Cloud Management Gateway is an awesome feature.

Advertisements

ConfigMgr CB 1610 -Cloud Management Gateway

One of the features in the newly released 1610 update for ConfigMgr Current Branch is the pre-release Cloud Management Gateway. This is similar to the Azure Cloud Proxy feature released in the Technical Preview 1606. I wrote a post on this here.

One thing to note that seems to be different from the TP, is that the on-prem distribution point isn’t supported for cloud management gateway traffic. You will need to set up an Azure cloud based distribution point for clients to download content (applications etc). However, you can enable the Management Point and Software Update Point to receive cloud management gateway traffic.

You can see the limitations of the Cloud Management Gateway here

This post will show you how I set up the Cloud Management Gateway in a lab. I won’t dive into the certificates part but information can be found at Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 Certification Authority and

A bit of info about my setup:

  • Azure subscription (you can get a trial here)
  • ConfigMgr Current Branch 1610 environment
  • Azure Management certificate uploaded to manage.windowsazure.com
  • Cloud management gateway certificate for <name>.cloudapp.net. Info for that can be found here Note: this name needs to be unique and cannot exist in Azure
  • Workstation certificate installed on clients and exported as the root certificate
  • Management Point and SUP configured for HTTPS
  • Windows 10 client with Workstation Certificate enrolled to test 

As this is a pre-release feature, I enabled it when installing the 1610 update

clouggw01

Now you will see the Cloud Management Gateway under the Cloud Services section. Click Create.

clouggw02

Enter in your Azure Subscription ID which can be found from portal.azure.com or manage.windowsazure.com and select the Management Certificate (which needs to already be uploaded to Azure)

clouggw04

When the cloud service PKI certificate is selected from the Browse button, the service name and FQDN will automatically be filled in (this is the common name from when the certificate was requested). Make sure a unique name was chosen earlier for the certificate as it will create a cloud service in Azure with <name>.cloudapp.net

Also specify the client certificate root. You can see instructions here. Make sure this is done properly as the client will get certificate issues when trying to connect to the Management Point.

clouggw05

You have the ability to set thresholds to create alerts regarding the outbound traffic as Azure charges you based on the Outbound traffic.

clouggw06

clouggw07

You can watch the provisioning status. Or even better, examine the  CloudMgr.log so you can see exactly what is going on and look out for any issues or errors.

clouggw08

Enable the site to use PKI certificate. The workstations that communicate with the Cloud Management Gateway need a Workstation certificate enrolled. Workstation Certificates are covered here.

clouggw09

Next the Cloud Management Gateway connection point role will be added.

clouggw10

The information is filled in automatically

clouggw11

Once the role has been added, the Management Point and Software Update Point need to allow Cloud Management Gateway traffic. Make sure the Web Server certificate for the MP/WSUS is configured in IIS. There is a guide on that here 

clouggw11_2clouggw11_3

On the client, while it has a connection to the Internal network, you can restart SMS Agent Host service so it picks up the new Internet management point.

Once that is done on my client, I have given the machine only Internet access and no internal network access. I have restarted SMS Agent Host and you can see in LocationServices.log it is using the Cloud Management Gateway and the ConfigMgr client connection type is set to Internet.

clouggw12

If you’re curious about what it looks like in Azure, if you go to portal.azure.com and go to Cloud Services (classic), you can see it created a ProxyService role which is meant to be running on an A2 VM.

clouggw13