Cloud Management Gateway Deep Dive

Presentation transcript:

Cloud Management Gateway Deep Dive
Aaron Czechowski, Senior Program Manager, Microsoft
Dune Desormeaux, Program Manager II, Microsoft
(Speaker: Both)

Aaron Czechowski (@AaronCzechowski)
- Senior Program Manager, Configuration Manager product team
- 5 years on product team, 10 years at Microsoft
- 19 years working with Configuration Manager

Dune Desormeaux (@DuneConfigured)
- Program Manager II, Configuration Manager product team
- 2 years on the product team (almost), more text so that I look cool & savvy next to Aaron

Chipotle for lunch most days; Poutine, Guacamole
(Speaker: Both)

Scenario (9/28/2017)
[Diagram: Corporate Network (AD, CA, Site, MP, DP, SUP) | Firewall | DMZ | Internet (Windows Update, Azure)]
- Traditional management with SCCM (not ready for modern management via Intune)
- Clients roam onto the Internet (home, travel, remote office)
- Still need to be managed, especially for software updates
(Speaker: Aaron)
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Internet-based Client Management (9/28/2017)
[Diagram: Corporate Network (AD, CA, Site, MP, DP, SUP) | Firewall | DMZ with Internet-facing MP, DP and SUP | Internet (Windows Update, Azure)]
This method relies on Internet-facing site system servers to which clients communicate for management purposes. It requires both the clients and the site system servers to be configured for Internet-based management.
Advantages:
- No cloud service dependency.
- No additional cost associated with a cloud subscription.
- Full control of the servers and roles providing the service.
Disadvantages:
- Requires additional infrastructure investment.
- Overhead and operational cost of the additional infrastructure.
- Infrastructure must be exposed to the Internet.
(Speaker: Aaron)

Plan to simplify
Manage traditional clients that roam on the Internet:
- Without additional infrastructure
- Without exposing infrastructure to the Internet
- Easily configured through the Configuration Manager console
Key features continue to work on the device when it is not on the corporate network:
- Software updates
- Hardware and software inventory
- Endpoint protection
- Client notification
- Settings
- Applications
(Speaker: Aaron)

Cloud Management Gateway (9/28/2017)
[Diagram, logical data flow: Corporate Network (AD, CA, Site, MP, DP, SUP, CMG Connection Point) | Firewall | DMZ | Internet: roaming clients talk to the CMG in Azure, with a CDP serving applications, packages and 3P updates; the on-premises CMG Connection Point connects outbound on port 443 to the CMG]
Advantages:
- No additional infrastructure investment required.
- Does not expose on-premises infrastructure to the Internet.
- Cloud virtual machines that run the service are fully managed by Azure and require no maintenance.
- Easily set up and configured in the Configuration Manager console.
Disadvantages:
- Cloud subscription cost.
- Management data is sent through the cloud service.
(Speaker: Aaron)

Creating CMG (Demo)
(Speaker: Dune)

Network Ports
NO INBOUND PORTS REQUIRED!

Source                    Port         Destination  Use
Service Connection Point  443          Azure        Deploy CMG
CMG Connection Point      443          CMG          CMG channel for first VM
CMG Connection Point      10124-10140  CMG          CMG channel for additional VM instances
Client                    443          CMG          Client channel
(Speaker: Aaron)

Scaling CMG
[Diagram: Corporate Network with an NA Site and an APAC Site, each with its own CMG Connection Point; Azure East US CMG and East Asia CMG, each running two Standard A2 VM instances, each instance serving ~6,000 clients]
(Speaker: Aaron)

Performance Considerations
- Any Internet-roaming client in the site will use the CMG
- Reduce network latency by locating the CMG, the CMG Connection Point and the site server in the same geographic region
- Client to CMG in Azure is not region aware
- For high availability, at least two VM instances and two CMG Connection Points per site
- Scale out by increasing VM instances, which leverages the Azure load balancer in front of the CMG
- The CMG does round-robin communication with multiple CMG Connection Points; creating more on-premises roles will distribute load
(Speaker: Dune)

Best Practices and FAQs
- Publish the Certificate Revocation List (CRL) to the Internet
- HTTPS is optional on-prem
- Supports Azure US Government (Fairfax)
Unsupported features (as of 1702):
- Azure Resource Manager
- Client deployment using client push
- Automatic site assignment
- User policies
- Application Catalog
- Full operating system deployment (OSD)
- Configuration Manager console
- Remote tools
- Reporting website
- Wake on LAN
- Peer cache
- On-premises Mobile Device Management
- Mac, Linux, and UNIX clients
(Speaker: Dune)

Certificates
Management certificate
- "Credentials" between the site and Azure (thus the classic portal, not Azure Resource Manager)
- Any certificate, including self-signed
- Public cert uploaded to Azure; .pfx with private key imported into the site
Web service (server authentication) certificate
- Use a public certificate provider (Symantec, Thawte)
- Wildcard certificates are not supported
Root/subordinate certificate authority
- Used by the CMG for full chain validation of client PKI certificates
Client certificate
(Speaker: Dune)

Using a public server auth certificate
1. Create a DNS CNAME. Example: GraniteFalls.Contoso.Com = GraniteFalls.CloudApp.Net
2. Obtain a server authentication cert from a public and globally trusted certificate provider (like Symantec or Thawte). Example: CN = GraniteFalls.Contoso.com
3. Create the CMG service. Example: Configuration Manager creates the Azure service as GraniteFalls.CloudApp.net
(Speaker: Dune)
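The naming and certificate rules from the two certificate slides above, encoded as a preflight check you can run before creating the CMG. This is an added example, not code from the talk or from the product; the ServerAuthCert model, the DNS table and the CA URLs are constructed stand-ins for what you would read from the real certificate and resolver.

```python
from dataclasses import dataclass

@dataclass
class ServerAuthCert:
    """Fields of a server authentication certificate that matter for the CMG (constructed model)."""
    subject_cn: str
    san_dns: tuple = ()
    public_ca: bool = True   # issued by a public, globally trusted provider (Symantec, Thawte, ...)
    crl_urls: tuple = ()     # CRL distribution points carried in the certificate

# Constructed DNS zone: name -> (record type, target), standing in for a real resolver.
DNS = {"granitefalls.contoso.com": ("CNAME", "granitefalls.cloudapp.net")}

def _norm(name):
    return name.lower().rstrip(".")

def check_cmg_naming(public_name, azure_service_name, cert, dns=DNS):
    """Return the list of findings for a CMG name/certificate pairing; an empty list means it passes."""
    findings = []
    public, service = _norm(public_name), _norm(azure_service_name)
    rec = dns.get(public)
    if rec is None or rec[0] != "CNAME" or _norm(rec[1]) != service:
        findings.append(f"{public} must be a DNS CNAME for {service}")
    if not service.endswith(".cloudapp.net"):
        findings.append(f"{service} is not a cloudapp.net name; the CMG is created as a classic cloud service")
    names = [_norm(n) for n in (cert.subject_cn, *cert.san_dns)]
    if any(n.startswith("*.") for n in names):
        findings.append("wildcard certificates are not supported for the CMG server auth cert")
    if public not in names:
        findings.append(f"certificate does not name {public} in its CN or SAN")
    if not cert.public_ca:
        findings.append("use a server auth cert from a public, globally trusted provider")
    if not any(u.lower().startswith("http://") for u in cert.crl_urls):
        findings.append("no HTTP CRL distribution point: Internet clients cannot fetch the CRL")
    return findings

# Constructed certificates: one that follows the slides, one wildcard, one with an AD-only CRL location.
GOOD_CERT = ServerAuthCert("GraniteFalls.Contoso.com", crl_urls=("http://crl.example-ca.test/ca.crl",))
WILDCARD_CERT = ServerAuthCert("*.Contoso.com", crl_urls=("http://crl.example-ca.test/ca.crl",))
INTERNAL_CRL_CERT = ServerAuthCert("GraniteFalls.Contoso.com",
                                   crl_urls=("ldap:///CN=ContosoCA,CN=CDP,DC=contoso,DC=com?certificateRevocationList",))
```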

Logs
.\SMS\Logs on the Service Connection Point
- CloudMgr.log: first phase deployment of the CMG package to Azure as a cloud service
  Verbose: HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER\Logging level
.\SMS\Logs on the Service Connection Point (from %approot%\logs on the Azure VM instance)
- Verbose: Azure portal, Cloud Services Configuration tab, Trace level: Information (default), Verbose, Error
- CMG components push logs to Azure storage every five minutes. Cloud Service Manager syncs from Azure storage every five minutes.
- CMGSetup.log (or CMG-<RoleInstanceID>-CMGSetup.log): second phase deployment of the CMG on the VM instance
- CMGHttpHandler.log (or CMG-<RoleInstanceID>-CMGHttpHandler.log): CMG HTTP handler binding with IIS on the VM instance
- CMGService.log (or CMG-<RoleInstanceID>-CMGService.log): CMG service core component on the VM instance
.\SMS\Logs on the CMG Connection Point
- SMS_CLOUD_PROXYCONNECTOR.log: CMG Connection Point site role
  Verbose: HKLM\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR\VerboseLogging
(Speaker: Dune)

Troubleshooting
- Deployment: CloudMgr.log, CMGSetup.log
- Service health: CMGService.log, SMS_CLOUD_PROXYCONNECTOR.log
- Client traffic: CMGHttpHandler.log -> CMGService.log -> SMS_CLOUD_PROXYCONNECTOR.log
(Speaker: Dune)
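A small parser for the CMTrace-format entries these CMG logs use, applied to constructed sample lines in the slide's client-traffic order. This is an added example, not code from the talk or the product: the log lines, components and messages are made up, while the entry layout and type codes (1 info, 2 warning, 3 error) are the standard Configuration Manager log format.

```python
import re

# Constructed sample entries in the Configuration Manager (CMTrace) log format, one list per log named on the slide. Not real CMG output.
SAMPLE_LOGS = {
    "CMGHttpHandler.log": [
        '<![LOG[Forwarding client request to CMG service]LOG]!><time="09:40:01.100+000" date="09-28-2017" component="CMGHttpHandler" context="" type="1" thread="2104" file="handler.cs:88">',
    ],
    "CMGService.log": [
        '<![LOG[Queued request for a CMG Connection Point]LOG]!><time="09:40:01.250+000" date="09-28-2017" component="CMGService" context="" type="1" thread="3300" file="service.cs:210">',
        '<![LOG[No CMG Connection Point connected, dropping request]LOG]!><time="09:40:11.300+000" date="09-28-2017" component="CMGService" context="" type="3" thread="3300" file="service.cs:245">',
    ],
    "SMS_CLOUD_PROXYCONNECTOR.log": [
        '<![LOG[Failed to open CMG channel on port 10140]LOG]!><time="09:40:05.000+000" date="09-28-2017" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="3" thread="5120" file="proxyconnector.cpp:412">',
    ],
}
# The slide's client-traffic trace order: HTTP handler -> CMG service -> connection point.
CLIENT_TRAFFIC_ORDER = ("CMGHttpHandler.log", "CMGService.log", "SMS_CLOUD_PROXYCONNECTOR.log")
# CMTrace entry layout: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
LOG_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
                    r'component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d)"', re.DOTALL)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}  # CMTrace type codes

def parse_line(line):
    """Return the fields of one CMTrace entry, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"msg": m.group("msg"), "time": m.group("time"), "date": m.group("date"),
            "component": m.group("component"), "severity": SEVERITY.get(m.group("type"), "unknown")}

def _chrono_key(entry):
    # date is MM-DD-YYYY; time is HH:MM:SS.mmm plus a UTC offset, dropped here (same-zone logs assumed)
    month, day, year = entry["date"].split("-")
    return (year, month, day, entry["time"][:12])

def trace_failures(logs, order=CLIENT_TRAFFIC_ORDER):
    """Walk the logs in the slide's order, keep warnings and errors, and sort them by time."""
    found = []
    for name in order:
        for line in logs.get(name, []):
            entry = parse_line(line)
            if entry and entry["severity"] in ("warning", "error"):
                entry["log"] = name
                found.append(entry)
    return sorted(found, key=_chrono_key)

def earliest_failure(logs):
    """Name the log holding the first failure in time, which is where root-cause analysis should start."""
    failures = trace_failures(logs)
    return failures[0]["log"] if failures else None
```

Walking the three logs in the slide's order shows where a request stalls; sorting the failures by timestamp then puts the connection point's channel failure ahead of the later drop in CMGService.log, which is the dependency the service-health row of the slide points at.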

Client CMG (Demo)
(Speaker: Aaron)

Roadmap
- Use Azure Active Directory for client authentication (no client certificate!)
- User-targeted apps in Software Center
- Install/register the client on the Internet
- Client setting to enable use of the CMG
(Speaker: Aaron)

References
- CMG setup video: https://youtu.be/-awTBMdMHFE
- Product documentation: https://docs.microsoft.com/en-us/sccm/core/clients/manage/manage-clients-internet
- Cost estimates: https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-cloud-management-gateway#cost-of-cloud-management-gateway
(Speaker: Aaron)

Real-world Scenario
(Speaker: John Marcum, MVP)