Summary
In this tutorial, we dive into configuring the Cloud Management Gateway (CMG) in ConfigMgr (SCCM/MEMCM), a crucial component for managing devices over the internet. The video covers creating and issuing the certificates necessary for secure communication between on-premises servers, clients and the CMG. From configuring server and client certificates to setting up the cloud management gateway and integrating it with Azure services, this guide provides a comprehensive walkthrough. Key steps include setting up certificate templates, enabling auto-enrollment for client certificates, setting up Azure services, and testing application deployment via the CMG.
Highlights
The CMG provides a seamless way to manage internet-based devices, bypassing the need for on-premise network connections 🖥️.
Certificates are created and issued to secure communication between devices and the CMG 🔏.
Azure services integration aids in managing and securing the CMG setup efficiently ☁️.
Thorough testing is done by deploying applications via the CMG to ensure smooth operations 📁.
The tutorial promises insights into cost implications for using CMG in later episodes 📊.
Key Takeaways
The CMG allows devices to be managed over the internet without needing a stable VPN connection 🌐.
Certificates are crucial for securing communication between devices and the CMG 🔐.
Azure integration simplifies certificate management and enhances security 🚀.
Configuring the CMG involves multiple steps including setting up certificates, Azure services, and testing through application deployment 📦.
Enforcing HTTPS ensures secure communication, while Azure handles identity management for devices 🌍.
Overview
The tutorial focuses on setting up the Cloud Management Gateway (CMG) for ConfigMgr to manage devices primarily connected to the internet. This setup significantly simplifies device management by eliminating the need for reliable VPN connections and leveraging Azure's cloud capabilities.
A significant portion of the video concentrates on certificate templates and issuance, which are crucial for secure communications. The process involves setting up Active Directory Certificate Services, creating CMG server authentication certificates, and configuring client certificates for automatic enrollment via Group Policy.
The latter part of the tutorial involves integrating Azure services to manage the CMG's cloud aspects. Detailed walkthroughs on configuring the Azure public cloud, creating service and client applications, and setting up the CMG itself highlight the intricate steps necessary for a seamless integration. The tutorial ends with live testing of application deployment, showcasing the CMG's effective functionality.
Chapters
00:00 - 00:30: Introduction and Scenario The chapter "Introduction and Scenario" discusses challenges related to managing computers that are either constantly online or connect through unstable VPNs. It presents the solution of using a cloud management gateway, an Azure service, to facilitate configuration and updates for these computers via an internet-based server.
00:30 - 06:00: Configuration and Certificate Setup In this chapter titled 'Configuration and Certificate Setup', the focus is on configuring certificate templates and enrolling these certificates on CMG servers. It highlights the necessity of each computer having a certificate to enable communication. However, it also mentions that future advancements, such as utilizing enhanced HTTP, will allow computers to communicate relying on the Azure identity of the user, negating the need for individual certificates.
06:00 - 10:00: Azure Services Setup The chapter discusses the process of setting up Azure services, particularly focusing on security measures. It begins with securing communication channels, leading into the use of Active Directory Certificate Services. The goal is to create a template to issue a CMG server authentication certificate. This requires specifying the server that will receive the certificate, which involves creating a new group called 'Config Manager Servers' and adding the server in question to this group.
10:00 - 15:30: Deployment and Testing The chapter titled 'Deployment and Testing' begins with setting up a security group named 'Config Manager Servers', which includes the ConfigMgr site server. The next step involves accessing the Certificate Authority console to manage certificate templates. A new template is created for server certificates by duplicating the existing Web Server certificate template. Changes are mostly kept as default, and the new template is named 'CMG Server Authentication' under the General tab.
15:30 - 19:00: Conclusion and Next Steps The chapter explains the process of setting up server authentication and security configurations. It guides through the steps of adding a config manager server group and granting it enroll permissions. The chapter also covers the importance of enabling the option to export a private key in the certificate request handling tab. The chapter concludes with closing the certificate templates console after ensuring all settings are confirmed.
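As an added example (not from the video or from Microsoft's ConfigMgr tooling), the PowerShell below performs the certificate checks the tutorial does by hand in the Certificates MMC: it confirms the enrolled CMG server authentication certificate carries the CMG name as CN, has a private key and the Server Authentication EKU and is not expired, exports it as a .pfx (which fails if the template did not allow the private key to be exported), and writes the chain's root CA certificate in DER format as the client trusted root file. It assumes the CMG name gmcmg.cloudapp.net from the video, that client and server certificates come from the same CA, and a constructed output folder C:\CMG; run it in an elevated session on the site server.

```powershell
# Added example, not part of the video or of ConfigMgr. Verifies the CMG server
# authentication certificate and exports the .pfx plus the DER trusted root.
# gmcmg.cloudapp.net is the CMG name used in the video; C:\CMG is a constructed
# placeholder for the export folder.
param(
    [string]$CmgFqdn   = 'gmcmg.cloudapp.net',
    [string]$OutFolder = 'C:\CMG'
)

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-CmgServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$ExpectedCn)

    $problems = @()
    $cnPattern = 'CN=' + [regex]::Escape($ExpectedCn) + '(,|$)'
    if ($Cert.Subject -notmatch $cnPattern) {
        $problems += "subject '$($Cert.Subject)' does not carry CN=$ExpectedCn"
    }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (enrolled, not imported from a .cer)' }
    # PowerShell adds EnhancedKeyUsageList to X509Certificate2; an empty list fails this check.
    if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains $ServerAuthEku) {
        $problems += 'missing Server Authentication EKU'
    }
    if ($Cert.NotAfter -le (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }
    return $problems   # empty array means every check passed
}

function Export-CmgTrustedRoot {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Path)

    # Build the chain the way the MMC "Certification Path" tab shows it; the last element is the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        throw "Chain for $($Cert.Thumbprint) did not build: $($chain.ChainStatus.StatusInformation -join '; ')"
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # -Type CERT writes DER encoded binary X.509, the format chosen in the export wizard.
    Export-Certificate -Cert $root -FilePath $Path -Type CERT | Out-Null
    return $root
}

# --- main ---------------------------------------------------------------
New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

# Newest certificate in LocalMachine\My whose subject names the CMG.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$CmgFqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $CmgFqdn in LocalMachine\My; enroll the CMG template first." }

$issues = Test-CmgServerCertificate -Cert $cert -ExpectedCn $CmgFqdn
if ($issues) { throw "Certificate $($cert.Thumbprint) is not usable for the CMG: $($issues -join '; ')" }

# Export with the private key for the CMG wizard upload. This throws if the
# template was issued without "Allow private key to be exported".
$pfxPassword = Read-Host -Prompt 'Password for the exported .pfx' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutFolder 'cmg.pfx') -Password $pfxPassword | Out-Null

$root = Export-CmgTrustedRoot -Cert $cert -Path (Join-Path $OutFolder 'ClientTrustedRoot.cer')
Write-Host "CMG server cert OK ($($cert.Thumbprint)); trusted root '$($root.Subject)' written to $OutFolder"
```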
00:00 - 00:30 So here's the scenario: you've got your on-premises device management sorted. When your computer's in the office or on the VPN, Config Manager can look after its configuration and compliance. But what about computers that only live on the internet, or connect via a VPN, or even worse, connect via a VPN that isn't really that stable? The Cloud Management Gateway is an Azure service that lives on the internet. It allows your computers to connect directly to that internet-based server to receive configuration, updates and all
00:30 - 01:00 that kind of stuff. It means that your computers don't need access to the on-premises network to receive their configuration, applications and updates. In this first episode on the CMG we're going to look at configuring certificate templates and enrolling those certificates on our CMG servers. We also need each computer to have a certificate to allow communication, at least we do in this episode. In a future episode we're going to look at Enhanced HTTP, which will mean computers don't need a certificate; instead they can rely on the Azure identity of the user
01:00 - 01:30 to secure that communication. For now, let's jump into Active Directory Certificate Services and create that template. So the first thing we need to do is create and issue the CMG server authentication certificate. We want to be able to specify exactly which server is going to be receiving this certificate, so we're going to go ahead and create a new group called Config Manager Servers, and in here we're going to add our server.
01:30 - 02:00 So we have a security group called Config Manager Servers, and that contains our ConfigMgr server. The next step is to open the Certificate Authority console, right-click on Certificate Templates and choose Manage. We need to create the template that the server can use to issue its own certificate from. I'm going to start with our Web Server certificate, and we're going to duplicate this template and leave this stuff as default. Heading over to the General tab, we're going to call it the CMG
02:00 - 02:30 Server Authentication certificate, and then we're going to head over into Security, click Add and then add in our Config Manager Servers group that we just created, and give that Enroll permissions. Heading back into that cert, in the Request Handling tab we need to check that Allow private key to be exported is ticked. We'll tick that and choose OK, and then we'll close this Certificate Templates console down,
02:30 - 03:00 right-click, New, Certificate Template to Issue, choose our CMG Server Authentication certificate and choose OK. So now we've made it possible for our Config Manager server to request that new CMG server certificate. Now that we have our certificate template in place, we need to generate a certificate that we can use on our CMG. Now remember, the CMG is a cloud service: it won't be a computer on our domain, it
03:00 - 03:30 won't be a server that we can log into. We'll upload our certificate using the Config Manager console, but we still need to generate it somehow. One way to do that is to enroll our certificate on the Config Manager server, then export the certificate with the private key and import that onto our CMG server. Heading over to our Config Manager computer, we'll go to Start and launch the Certificates snap-in. In Local Computer we want to choose Personal, right-click, All Tasks and Request New Certificate. We choose
03:30 - 04:00 Next, Next, and you can see the first one is the CMG Server Authentication certificate. It's available, but we need more information to enroll this cert, so we'll click on this and we need to give it a full distinguished name or something else in order to enroll. So in this field we need to choose the globally unique name that we've chosen for our CMG. In my case I'm going to go ahead and choose Common Name, and then the globally unique name is gmcmg, and we add cloudapp.net
04:00 - 04:30 to the end of that. Go ahead and choose Add, then we tick the box to request this certificate and choose Enroll. OK, so we've enrolled this certificate so that our Config Manager server identifies itself as gmcmg.cloudapp.net. In order for us to be able to use that certificate we need to export it, so I'm going to go ahead into Personal, Certificates and find gmcmg.cloudapp.net, right-click, All Tasks, Export. Choose Next, and we want to export the private key, so
04:30 - 05:00 choose Next and then Next again. We need to give it a password and choose Next. I want to put it somewhere really simple for me to find, so I'm going to put it on the C drive and grab it from there. With the server certificate exported and ready to go, we're on to the next step. We need each client computer to have a certificate to enable secure communication with the CMG. In a moment we're going to create a template for the client authentication certificate that we'll use, to allow automatic enrollment for our Windows clients. Over in our Group Policy Management console we need to create a GPO in this
05:00 - 05:30 domain and link it here. We're going to call the GPO Client Authentication Certificate Auto Enrollment and choose OK. We'll just expand this tree and find our Client Authentication Certificate Auto Enrollment GPO, choose Edit, and we're going into Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies. We're going to right-click on
05:30 - 06:00 Certificate Services Client - Auto-Enrollment and choose Enabled. We want to renew expired certificates, and we want to update certificates that use certificate templates, and we're going to choose OK and close this down. So, just heading into one of our clients, I'm going to go to an admin PowerShell prompt and open certlm, and we're going to do a gpupdate /force. From here we're just going
06:00 - 06:30 to check if our certificate has enrolled, and it looks like it has. Going into the Details tab on this cert, you can see that it was issued today, about 10 minutes ago, and the template name is the Config Manager Client Authentication. So next, the CMG must trust the authentication certificates that clients present. We need to give the
06:30 - 07:00 CMG what's called a client trusted root certificate so that it can verify these machines. The next thing we need to do is to find the trusted root certificate. So we go into Certification Path, choose the trusted root and view the certificate. In this window we choose Details and then Copy to File. Here we choose Next; we want to use DER encoded binary, choose Next, give it a file name, OK. So we're almost there. Next we're going to set up the Azure services in Config Manager
07:00 - 07:30 and then set up the Cloud Management Gateway with a cloud distribution point. So heading back into the Config Manager console, into Administration, we need to right-click on Azure Services and choose Configure Azure Services. We're going to call this service the CMG and choose Next. We're going to use the Azure public cloud and we need to create a new web app. We're going to choose Create, call it CMG, and then call this the CMG Config Manager Service. We'll choose a secret key that never expires and we'll sign
07:30 - 08:00 in. We've signed in successfully, so we just need to press OK and then OK. Let's create a native client application: so we'll choose Browse, we'll click Create and give it an application name. I'm going to call it CMG Client and then sign in, choose OK and then OK. I'm going to choose Next, go and choose Enable, and enable the two settings, choose Next and then Next again. In the
08:00 - 08:30 Administration console we're going to go to Cloud Services, Cloud Management Gateway and Create Cloud Management Gateway. We'll use the Azure public cloud and then sign in. We're signing into the subscription that we're going to use for the billing of this Cloud Management Gateway. It's pre-filled our app names too. We choose Next. Here we need to use the CMG certificate file that we exported from our server earlier on, so choose Browse, and for me I put it on the C drive, so
08:30 - 09:00 I'll grab my Get Modern CMG certificate and type the password. I'm going to change the region to Central US, and then I want to change my resource group and create a new one: Create New, and call it CMG. In the next field we get to specify exactly how many virtual machines we will be creating here. The default is one. I think I'll only need one; I've only got a few clients here, so I'm going to go ahead and choose one. Then we'll just go into the Certificates tab here, and this is where we need to
09:00 - 09:30 specify the trusted root certificates that we exported earlier. I'll add my trusted root and choose OK. I don't have certificate revocation configured in this environment, so I'm going to untick that, but I do want my CMG to function as a cloud distribution point and serve content from Azure storage. I'll choose Next. I'm going to keep this 14-day threshold on for outbound data transfer, and I'd like to stop the service when
09:30 - 10:00 the critical threshold is exceeded. In my environment, if I serve more than 100 gigabytes I'm going to be worried, because I've only got a few clients, so I'm going to leave that as 100, but in live environments it could be much higher. Similarly with the storage threshold, I'm going to keep that at about 200 and then choose Next. So that's the process complete for creating the Cloud Management Gateway. OK, so we're making progress. Next we need to create a boundary group and distribution point group that will help us manage our
10:00 - 10:30 infrastructure. As you can see, our CMG is provisioning at the moment. I'm going to add it into a boundary group for now. Into Hierarchy Configuration and then Boundary Groups, right-click on the corporate boundary group and choose Properties. In the References tab we're going to add our site system server; here I'm going to add in this CMG server that we've just created, and choose OK and then OK. At this stage we have the choice of either enabling Enhanced HTTP, so that computers don't
10:30 - 11:00 need to rely on computer certs, or enabling enforcement of HTTPS across our site. For now we're going to enforce HTTPS, and later on we'll use Enhanced HTTP. Now we're going to set our Config Manager site to be HTTPS only. So, browsing down to the site node, right-click on the site, choose Properties, and in the Communication Security tab choose HTTPS only. For me, I'm going to turn off
11:00 - 11:30 this CRL checking, because I don't have that in place. Next we'll set our trusted root certification authorities, and we'll use that trusted root that we picked up earlier on from that client, and just choose OK. We also need to create a web server certificate for our Config Manager server. So in Certificate Templates on the domain controller, I'm going to right-click and choose Manage, find the Web Server cert, right-click and Duplicate. Leave this as
11:30 - 12:00 default, change the name to Config Manager Web Server, and change the Security to allow Config Manager Servers to enroll. I'm just checking the Subject Name tab: we've got Supply in the request set, because the Web Server cert defaults to that. Choose OK and then we'll issue that template. Heading over to our Config Manager server, we can request
12:00 - 12:30 that certificate by opening up the Certificates snap-in for the computer. We'll right-click on Personal, All Tasks, Request New Certificate. We'll choose Next, Next, and the certificate I want is just the bottom one there, Config Manager Web Server: more information required, that's good. So we'll choose Common Name and cm1, and its alternative name is
12:30 - 13:00 cm1.cool.contoso.com. Give it a friendly name so I can find it, and choose Enroll. OK, now that's done. We'll open up IIS and find the Default Web Site, right-click and Edit Bindings, find the HTTPS binding, choose Edit and then change whatever's set to our Config Manager web server certificate, choose OK and then Close, and restart
13:00 - 13:30 IIS. OK, now that's done, we need to create the Config Manager CMG service point. So to add the CMG connection point, go to Servers and Site System Roles, find our primary site server here, expand that, and I'm going to right-click and Add Site System Role. I'll accept the defaults, and on the Site System Role page I want to choose Cloud Management Gateway Connection Point. This is my Cloud Management Gateway; through to the Summary and complete that,
13:30 - 14:00 so we'll just close this down and then head over to the Cloud Services section, Cloud Management Gateway. You can see our CMG is ready, and we'll go to our Connection Points, and this connection point server hasn't quite finished setting itself up yet. Give that a few more minutes and we'll take a look. In the meantime we're going
14:00 - 14:30 to go into our management point and check that we have it set up to accept Cloud Management Gateway traffic. So I'll right-click the management point and choose Properties, and then we have an option here of Allow Configuration Manager cloud management gateway traffic. So let's choose Allow on this, and you can see that instantly changes to Allow intranet and Internet connections. We'll do the same on our software update point: right-click, Properties, and then we'll choose Allow Configuration Manager cloud management
14:30 - 15:00 gateway traffic, and you can see it changes down at the bottom there to Allow intranet and Internet client connections. So choose OK. Just going to quickly head back into our Cloud Management Gateway node here, choose the CMG and then Connection Points, and hopefully our connection point server is now connected, which is great. And finally we need to go into our client settings and enable clients to use the CMG and the cloud distribution point. OK, over into Client
15:00 - 15:30 Settings, and then we're going to create... for me, I want to modify the Default Client Settings, and in the Cloud Services section I have this set to Yes; I'm going to set this to Yes as well and then choose OK. OK, the moment of truth: now we get to test whether this has all worked. So we're going to force a client to be always on the internet. I'm going to connect it to the internet rather than my lab, and then we're going to deploy an application to it and see what happens. So to verify whether this has worked we're going to just check a few things
15:30 - 16:00 on our client. Firstly, let's take a look at the Configuration Manager properties. You can see it's currently assigned a management point of cm1.com.cop.contoso.com and it's using the PKI client certificate. I prepared an application that I can use: this VLC application is currently not installed, it's available to install, and if I go into the CCM cache you can see I've got no cache of this application at all,
16:00 - 16:30 so when it does download and install, it'll be coming from the distribution point. Just heading over to our Config Manager server, here's the app I'm referring to. I'm going to just check where the content for this application is: go into Properties on the app and then choose Content Locations, and you can see it's up in the cloud distribution point at the moment. It's not available on my on-premises distribution point, so hopefully it will be able to download it from there.
16:30 - 17:00 OK, so for this test to work I need to make sure I can switch from the internal management point to the external management point, so I'm just going to change my network adapter from the internal network adapter to my home Wi-Fi. I'm just going to head over into the Control Panel and grab the Configuration Manager applet. OK, so we can see it says
17:00 - 17:30 connection type: currently Internet. The management point is cm1.cool.contoso.com, and if we check in the Network tab we can see it's got this internet-based management point here. OK, well, let's see what happens when I try and download this app. So it says downloading, zero percent complete. Just looking into this cache directory, it has created some work folders here for
17:30 - 18:00 the download, created that temp file, and this download is going up. Let's see if it manages to install it. It seems to have downloaded, which is probably the real test, so that's probably good enough, but let's just see. Install: VLC is quite quick to install, so I hope it will be finished fairly soon. There we go, now VLC is installed. That's great news. OK,
18:00 - 18:30 wait for this to catch up and do the detection method, and just make sure that's all there so we can uninstall it and do a re-test later on. OK, that's moved over to Installed, and that content genuinely did come from the CMG; it isn't available on my LAN, so that's really good news. So we've done it: we've deployed applications to clients on the internet, using the Cloud Management Gateway to send policy and the cloud distribution point to host content. I've really
18:30 - 19:00 enjoyed working through this with you, I hope you've enjoyed it too. In our next episode we're going to look at some of the logs that are generated when using the Cloud Management Gateway, both server and client side, and also we're going to look at the Azure side: what are the cost implications of using the Cloud Management Gateway for an update, for a large application, that kind of thing. For now, thank you for watching. If you've liked this, please like and subscribe, and I'll see you next time.