Yesterday the ConfigMgr Product Group released ConfigMgr Current Branch 1610 to the fast channel. As part of this new version of ConfigMgr a new feature is released in preview.
This feature lets you eliminate the fairly complex infrastructure that is otherwise needed to support Internet-based clients. The new feature is called the Cloud Management Gateway.
Currently the Cloud Management Gateway is a Virtual Machine that allows you to provide a Management Point and Software Update point via Microsoft Azure. The only thing you need is an Azure Subscription and an Azure Management Certificate to let ConfigMgr authenticate to the Microsoft Azure service.
Be sure to create a management cert that has a common name with the cloudapp.net domain.
The ConfigMgr Cloud Management Gateway connection point (which we install in a later step) is used to set up the connection to the VM that runs in Microsoft Azure. Since the Cloud Management Gateway connection point initiates the connection, no firewall changes are needed, apart from allowing outgoing 443… 😉
Setting up the Cloud Management Gateway is done as follows:
1. Configure and export the management certificate and export the CA cert of your environment
2. Enable the preview of Cloud Management Gateway via Administration > Cloud Services > Updates and Servicing > Features if you did not already do so.
3. Add the Cloud Management Gateway via Administration > Cloud Services > Cloud Management Gateway
4. Click Create Cloud Management Gateway
5. Supply the Subscription ID (portal.azure.com > Subscriptions)
6. Supply the Management Certificate (.cer)
7. Supply the certificate file for the VM that will be the Cloud Management Gateway
8. Check that the service FQDN is something like <service>.cloudapp.net
9. Supply the Client Certificate Root cert
10. Uncheck Verify Client Certificate Revocation
11. Finish the Create Cloud Management Gateway Wizard
12. Within 15 minutes (or so) a cloud service will be created with a Virtual Machine (Standard_A2) instance.
13. Next we need to configure the Cloud Management Gateway connection point on one of the existing site servers.
14. Enable "Allow Configuration Manager cloud management gateway traffic" on the Management Point and Software Update Point.
Next, check that the connection point is connected to the Cloud Management Gateway and that the client is able to connect to the Cloud Management Gateway.
To test this, the client can be forced to use the Cloud Management Gateway, for instance by setting the following registry values under HKLM\Software\CCM:
- ClientAlwaysOnInternet = 1 (DWORD)
- Security = 1 (DWORD)
To test whether it works, check the client or query WMI via PowerShell:
get-wmiobject -namespace root\ccm\locationservices -class SMS_ActiveMPCandidate
And of course, ConfigMgr is famous for its log files; in the log files you can also monitor which Management Point is being used.
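As an added example (not part of the original post), the following PowerShell reads the two registry values mentioned above and lists the management point candidates from WMI, flagging any whose FQDN ends in cloudapp.net as the Cloud Management Gateway. It assumes the registry path from the post and that SMS_ActiveMPCandidate exposes the MP FQDN in an MP property.

```powershell
# Added example: report whether this ConfigMgr client is pointed at, and sees,
# the Cloud Management Gateway. Read-only: it changes nothing on the client.
# Assumptions: registry path/value names as given in the post above;
# SMS_ActiveMPCandidate is assumed to carry the MP FQDN in its "MP" property.

function Get-CmgClientState {
    param(
        [string]$CcmRegPath = 'HKLM:\Software\CCM',   # path as used in the post
        [string]$CmgSuffix  = '.cloudapp.net'          # CMG service FQDN suffix
    )

    # Registry values the post uses to force the client onto the CMG
    $reg = Get-ItemProperty -Path $CcmRegPath -ErrorAction SilentlyContinue
    $alwaysInternet = [int]($reg.ClientAlwaysOnInternet)   # $null becomes 0
    $security       = [int]($reg.Security)

    # Management point candidates known to the client's location services
    $candidates = Get-WmiObject -Namespace 'root\ccm\locationservices' `
                                -Class 'SMS_ActiveMPCandidate' `
                                -ErrorAction SilentlyContinue

    $mps = foreach ($c in $candidates) {
        [pscustomobject]@{
            MP    = $c.MP
            IsCmg = ($c.MP -like "*$CmgSuffix")
        }
    }

    [pscustomobject]@{
        ClientAlwaysOnInternet = $alwaysInternet
        Security               = $security
        ForcedToCmg            = ($alwaysInternet -eq 1)
        Candidates             = @($mps)
        SeesCmg                = (@($mps | Where-Object IsCmg).Count -gt 0)
    }
}

$state = Get-CmgClientState
$state | Format-List ClientAlwaysOnInternet, Security, ForcedToCmg, SeesCmg
$state.Candidates | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the client; a client that is forced to the CMG but does not list a cloudapp.net candidate points you back at the connection point or the MP setting from step 14.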
In the ConfigMgr console you can see how much traffic has been handled by the Cloud Management Gateway.
So what about the content?
For Software Updates deployment, Microsoft Updates can be used as the place to get the updates from. To force the clients to use Microsoft Updates, you need to enable the option “If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates” while deploying Software Update Groups.
For other content like packages or applications, the cloud-based distribution point needs to be used.
A great feature if you ask me, let's test this some more 🙂
February 14, 2017 @ 18:39
I’m working on this cloud management gateway as well and when I reach step 7 (just next to Azure sub validation):
- I’ve got the parameters tab with service name, region and stuff to fill in.
Service name is gray and it’s impossible to write anything in it. As well, some words are cut off (virtual machine); the words hide the number of VMs we have to choose, for example.
I’m running Windows 2012 R2 and everything in French.
As my SQL is working in French, I can’t just switch to English, right?
PS. I’m doing this exercise as a lab (Hyper-V VM running all my roles)