How to configure SCCM 1806 Cloud Management Gateway

Jonathan LefebvreSCCM14 Comments

The ConfigMgr team is working really hard to make SCCM admins job easier for some of the key components of Modern Management. Starting with SCCM 1806 release, they ease a bit the setup of the Cloud Management Gateway.

If you are new to the concept of Cloud Management Gateway, the main advantage is that it doesn’t expose your SCCM servers to the internet. The downside is that it requires an Azure subscription which brings recurring monthly costs. If you’re still unsure which method to use, you can read the Microsoft documentation and see our blog post about internet client management. Make sure that you understand the limitation of using internet clients.

We strongly encourage to use the Cloud Management Gateway if you’ll be managing client on the internet since this feature will evolve with time and the traditional way support should go away.

If you are not yet running SCCM 1806, but still would like to use Cloud Management Gateway, see our previous post

Here the available features supported through the Cloud Management Gateway:

In this post, we will configure the Cloud Management Gateway by using the Azure Resource Manager.

Some sections from our previous post are brought back here to ease reading.

High-level steps

All steps are done directly in the SCCM console. We will describe each step:

  • Verify a unique Azure cloud service URL
  • Configure Azure Service – Cloud management
  • Configure Cloud Management Gateway server authentication Certificate
  • Configure Client Authentication Certificate
  • Configure Cloud Management gateway
  • Configure SCCM-generated certificates
  • Add the Cloud Management Gateway Connector Point
  • Configure system roles to communicate with the Cloud Management Gateway
  • Configure client settings

SCCM 1806 Cloud Management Gateway Prerequisites

Note
 Configuring the Cloud Management gateway with SCCM 1806 remove the requirement of an Azure Management certificate

Verify a unique Azure cloud service URL

We don’t need to create the cloud service in Azure, the Cloud Management Gateway setup will create the service. We just need to verify that the Azure cloud service URL is valid and unique.

  • Log in the Azure portal
  • In the Azure Portal, select Cloud Services on the left, click Add
  • Enter the desired DNS name
  • Validate that there’s a green check mark on the right. If your name is not valid, a red X will display, choose a different name if it’s the case
  • Once your name is valid, take note of the name as it will be needed later. We will use SCDCMG as DNS Name for our example
  • Close the window, do not create the service now

SCCM Cloud Management Gateway

Configure the Azure Service – Cloud Management

  • Go to Administration/Cloud Services/Azure Services and select Configure Azure Services

  • Specify a name and select Cloud Management, click Next

  • In this step, the Azure Administrator will be required to create the web app and native client app. Click on Browse for the Web app

  • Click on Create

  • Click the Sign in and provide Azure administrator credentials. Default names do just fine. Click OK when login completed

Important Info
The secret key will need to be renewed before the expiration period.

To do so, go to Administration/Cloud Services/Azure Active Directory Tenants,  at the bottom, it will be possible the Renew Secret key

  • Select the App that was just created and click OK

  • Click Browse for the  Native client app.  Click Create

  • Click the Sign in and provide Azure administrator credentials. Default names do just fine. Click OK when login completed

  • Select the App that was just created and click OK

  • Click Next

  • Chose to Enable Azure Active Directory User Discovery or not.

Note
The Azure AD Discovery is not a requirement for Cloud Management gateway to work
  • Click Next

  • The Azure service is completed. If enabled, the AAD user discovery can be modified

  • the Azure AD Tenant is now configured

Cloud Management Gateway server authentication Certificate requirements

The certificate requirements are the most complex part of configuring the Cloud Management Gateway.

A certificate is needed between the SCCM server and the Cloud Management Gateway.

The following choices are available :

  • Use a certificate from a public trusted provider
    • This option requires a CNAME to be created in the DNS for CMGSCD.SystemCenterDudes.com to the real hostname CMGSCD.CloudApp.Net
  • Use a certificate from an enterprise CA
    • This certificate must be trusted by all computers that will connect with the Cloud Management Gateway
    • Use format <CMG name>.CloudApp.Net
Important Info
In all cases this certificate will determine the name of the Cloud Management Gateway.

Only letters and numbers are allowed in the name.

A valid example is CMGSCD.cloudapp.net

An invalid example is CMG-SCD.cloudApp.Net

See our post for the complete How-to about the certificate from an Enterprise CA

Follow section Create and issue a custom SSL certificate for the Cloud Management Gateway up to Export the custom Web Certificate

More detail can also be found on Docs.Microsoft.com

Client authentication certificate requirements

If you are using a certificate from a Public trusted provider for the CMG server authentication, this part can be skipped.

This can also be skipped if you only have client computers that are either Hybrid-domain joined or Azure AD joined.

Otherwise, using an Enterprise CA require this step.

See our post for the complete How-to about the certificate for Client Authentication

Follow section Create a client authentication certificate up to Export the client certificate’s root

Configure SCCM 1806 Cloud Management Gateway

  • Go to Administration/Cloud Services/Cloud Management Gateway, select Create cloud management gateway

  • Sign-in with Azure Administrator rights. The Azure AD App name should be auto-populated, click Next

  • Select :
    • Service name: provided automatically if the certificate is using .cloudapp.net. If using a public certificate or an internal certificate, the name will need to be entered manually.
      • Remember, only letter and number for the name.
    • Region: should be the same as the on-prem Management point
    • Resource group: select an existing or create a new one
    • VM instance: 1
    • Cloud service certificate: select the CMG server authentication certificate or the Public certificate
    • Client authentication certificate: Provide the client authentication certificate when using an Enterprise CA
    • Choose to Verify client certificate revocation or not
    • Choose if you want to enable the Cloud DP

   

Note
 Depending on the certificate used, the following message will display. This will happen when the certificate is not pointing to .cloudapp.net.

This is a reminder about the CNAME requirements.

  • Set the threshold as needed

    

  • Summary, click Next

  • Click Close

  • The Cloud Management Gateway will show as Provisioning for about 10 minutes

  • The Cloud Management Gateway is ready for next steps

 

  • The cloud management gateway resources are also visible in the Azure portal.

Configure SCCM-generated certificates

This is a new feature from SCCM 1806, but still in Pre-Release. This means that this feature is still in development but is fully supported.

The goal of this feature is to enable an HTTP Management point and Software Update to support CMG traffic using HTTPS. Prior to SCCM 1806, it was needed to provide an HTTPS MP and SUP in order to connect those services to the Cloud Management Gateway.

  • Go to Administration/Updates and Servicing/Features
  • Turn on the feature Enhanced HTTP site system

  • Go to Administration/Site Configuration/Sites and select properties on your site

  • Under the Client computer communication tab, check to box for Use Configuration Manager-generated certificates for HTTP Systems

 

For more detail on the SCCM-Generated certificate, see Docs.Microsoft.com

The cloud management gateway connector point is a new site system role for communicating with cloud management gateway. Let’s add this role to our management point machine.

  • In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles
  • Select your server which will serve as your cloud management gateway connection point and select Add Site System Role
  • On the System Role Selection pane, select Cloud management gateway connection point

SCCM Cloud Management Gateway

  • Your Cloud Management Gateway name and region will be auto-populated

SCCM Cloud Management Gateway

  • Review your settings and complete the wizard

SCCM Cloud Management Gateway

SCCM Cloud Management Gateway

You can follow the installation progress in SMS_Cloud_ProxyConnector.log.

Configure System roles to communicate with the Cloud Management Gateway

Prior to SCCM 1806, it was not possible for the current Management Point and Software Update Point to remain in HTTP mode and support the Cloud Management Gateway.

Admins were in need of a new Management Point and Software Update Point configured in HTTPS mode or to switch current ones.

Now with the SCCM-generated certificate, a current HTTP MP and SUP can support the Cloud Management Gateway.

  • Under Administration/Site Configuration/Servers and site System roles, select the Management Point properties
  • Check the box Allow Configuration Manager cloud management gateway traffic. Notice that the Client Connections remain in HTTP

  • Under Administration/Site Configuration/Servers and site System roles, select the Software Update Point properties
  • Check the box Allow Configuration Manager cloud management gateway traffic. Notice that the Require SSL communication to the WSUS remains unchecked

Configure Client settings

Under Administrations/Client Settings, under Cloud Services make sure Enable clients to use a cloud management gateway is set to yes.

Once configure, deploy your client settings to the desired clients.

If you plan to use Cloud Distribution Point, it is also configured here.

Configure clients for cloud management gateway

We will now verify if clients are able to successfully communicate with our server via the SCCM Cloud Management Gateway.

On a client connected to the intranet, do a machine policy retrieval and restart the SMS Agent host.

On the Network tab of the Configuration Manager agent, the *.CloudAPP.net should be visible.

Additional information is available in the ClientLocation.log

SCCM Cloud Management Gateway

Testing client connection to Cloud Management gateway

To test the cloud management gateway, get your machine on the internet … or force the SCCM client to be configured as Always Internet.

In the registry editor, set HKLM/Software/Microsoft/CCM/Security/ClientAlwaysOnInternet to 1 and restart the SMS Agent host service.

After the SMS Agent host service, the client will display connection type Always internet

From this point, you can try any of the supported features for the Cloud Management Gateway!

Warning

Make sure to whitelist the address XXXX.cloudapp.net in your Enterprise Firewall. We’ve seen an issue with Cisco Umbrella blocking traffic thus preventing the Cloud connector point to keep the connection to the cloud management gateway.

The following error found in the SMS_CLOUD_PROXYCONNECTOR.log was showing Failed to build HTTP connection with XXXXX.CloudApp.Net. The cloud management gateway check the connection every 60 seconds

 

This was a big one, hope it helped! Are you using the nre Cloud Management Gateway ? Tell us your experience in the comment section.

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
Loading...

Share this Post

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

14 Comments on “How to configure SCCM 1806 Cloud Management Gateway”

  1. We have successfully implemented CMG. However, a few weeks later when adding another site / connector it is now stuck at “updating configuration”

    start / stop / synchronise is greyed out.

    Any ideas ? thanks in advance

  2. Hi,
    Recently we configured the CMG with HTTP Option and everything seems to OK when we test CMG Connection Analayzer
    when we configure client computer with external network we getting the following errors

    Raising pending event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = “GUID:D4F03A98-74DE-4FB1-A4C6-93D3AE29F83C”;
    DateTime = “20181029111338.135000+000”;
    HostName = “XXXCMG.CLOUDAPP.NET”;
    HRESULT = “0x80072f78”;
    ProcessID = 32648;
    StatusCode = 600;
    ThreadID = 21268;
    };

    [CCMHTTP] ERROR: URL=https://XXXCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?MPLIST2&AV1, Port=443, Options=1472, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE

    Any suggestions?
    Thanks.

  3. Is it possible to have SCCM and Intune on a AAD joined machine only, without a CMG. We really on want SCCM to install software when the devices are on the Intranet only. Then we let Intune manage everything else.

    1. Hi Ronald,

      Yes you can use Co-Management (SCCM + Intune standalone) without the Cloud Management gateway.
      They are not related at all.

      Jonathan

  4. We already have two separate environments with On Premise SCCM and Intune Managed Windows 10 devices. We are looking at setting up CoMgmt and have some control over the Intune managed devices for ex. Remote Control, Reporting features of SCCM. May I know what design changes would be required in our case from the above illustrated steps?

    1. Hi Mark,
      the way documented in this post is without AAD.

      AAD can be used if you only have Windows 10 devices in Hybrid domain joined or Azure AD joined.
      hope this clear things

      thanks
      Jonathan

  5. In this setup what if an azure ad joined machine comes onto the local network. Will it be able to communicate with a http management point?

    1. Hi Annabel,

      I believe it should as the SCCM agent will have connection type of Intranet at that point.
      The AAD joined machine as a more simple setup to authenticate against the CMG when outside of the reach of the on-prem Management Point

      Jonathan

  6. Thank you for this. I ran through this for our lab environment and I’m getting some errors. I apologize in advance for any formatting issues.

    SMS_CLOUD_PROXYCONNECTOR.LOG:

    ERROR: Failed to build Http connection 8adcf040-5723-4055-8597-0e17d43e21fd with server CMG.CLOUDAPP.NET:443. Exception: System.Net.WebException: The remote server returned an error: (990) BGB Session Ended.~~ at System.Net.HttpWebRequest.GetResponse()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.HttpConnection.Send(Boolean isProxyData, Byte[] data, Int32& statusCode, Byte[]& payload)~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.Start()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionManager.MaintainConnections()

    The error that follows is repeated with a bunch of different MessageIDs.

    SMS_CLOUD_PROXYCONNECTOR.LOG:

    “MessageID: e7f96f39-1090-4290-8356-53f3dce8294f RequestURI: http://CMG.CLOUDAPP.NET/SMS_MP/.sms_aut?SITESIGNCERT EndpointName: SMS_MP ResponseHeader: HTTP/1.1 404 CMGConnector_NotFound~~ ResponseBodySize: 4880 ElapsedTime: 1 ms

    On the client side I get a number of errors

    LocationServices.log:

    [CCMHTTP] ERROR: URL=https://CMG.CLOUDAPP.NET/CCM_PROXY_MUTUALAUTH/72057594037927999/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=1472, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE

    [CCMHTTP] ERROR INFO: StatusCode=404 StatusText=CMGConnector_NotFound

    Raising event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = “GUID:b190c666-e77f-43d1-a77b-4480b599397c”;
    DateTime = “20180920163242.595000+000”;
    HostName = “CMG.CLOUDAPP.NET”;
    HRESULT = “0x87d0027e”;
    ProcessID = 4440;
    StatusCode = 404;
    ThreadID = 1892;
    };

    If I run the connection analyzer from the console I get the following message at the “testing the CMG channel for management point” step.

    Failed to get ConfigMgr token with Azure AD token. Status code is ‘500’ and status description is ‘CMGConnector_InternalServerError’.

    After getting those errors I figured I must have done something wrong so I blew it all out and started over. I made sure that I had the right certs loaded and exported but I’m getting the same errors. I can successfully distribute content to the cloud dp. The error that you mentioned relating to establishing the HTTP connection is different in my case so I’m not entirely sure where to go from here.

    1. Hey Mikes,
      did you modify the log you copied here? if not, CMG.Cloudapp.net is for sure not a valid entry.
      Go back to step one VERIFY A UNIQUE AZURE CLOUD SERVICE URL and validate the name you want to .cloudapp.net

      Jonathan

      1. Yes, I modified it. The actual name of that service is validated in azure, I just didn’t want to post it here.

        In any event, I think I’ve got it working. I had set the connection point up on a new mp and after digging through more logs I found that bgbisapi.msi couldn’t get installed because BITS was not installed when the mp was installed (I thought that was automatic but I guess it isn’t). I enabled BITS then restarted the site component manger and after that the missing components were installed. From there the bad responses in CMG_CLOUD_PROXYCONNECTOR.log cleared up and were replaced with “ResponseHeader: HTTP/1.1 200 OK” and “ResponseHeader: HTTP/1.1 280 BGB Session Continued”. The connection analyzer also reports success so I think I’m good.

        Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *