System Center Configuration Manager Cloud Services – Cloud Distribution Point Presented By: Ginu Tausif

Cloud Distribution Point A cloud distribution point is a Configuration Manager distribution point that is hosted as Platform-as-a-Service (PaaS) in Microsoft Azure. CDP service supports the following scenarios: Provide software content to internet-based clients without additional on-premises infrastructure Cloud-enable your content distribution system Reduce the need for traditional distribution points

CDP over local DPs ? The cloud distribution point has following additional benefits: The site encrypts the content before sending it to the cloud distribution point in Azure. To meet changing demands for content requests by clients, manually scale the cloud service in Azure. This action doesn't require that you install and provision additional distribution points in Configuration Manager. Supports content download from clients configured for other content technologies, such as Windows BranchCache and alternate content providers. Reduce the overhead of managing Content Library and local drive space as Blob Storage is used with CDP

New Features Add-On Starting in version 1806, use cloud distribution points as source locations for pull-distribution points Cloud distribution point support for Azure Resource Manager beginning with 1806. Cloud distribution point site affinity from version 1802. Prefer cloud distribution points over distribution points beginning with 1810

CDP Requirements You need an Azure subscription to host the service along with Global Administrator rights in Azure Note: This persona doesn't require permissions in Configuration Manager. The site server requires internet access to deploy and manage the cloud service. Set the client setting, “Allow access to cloud distribution points” to Yes in the Cloud Services group. By default, this value is set to No. Client devices require internet connectivity, and must use IPv4.

CDP Certificate Requirements Depending upon your cloud distribution point design, you need one or more digital certificates. Certificates for cloud distribution points support the following configurations: 4096 bit key length Starting in version 1710, support for Version 3 certificates. Starting in version 1802, when you configure Windows with the following policy: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Starting in version 1802, support for TLS 1.2.

Contd… 1) Azure management certificate If using the Azure classic deployment method, you need an Azure management certificate. The Configuration Manager site server uses this certificate to authenticate with Azure to create and manage the classic deployment. The classic deployment method is deprecated as of version 1810. To reduce complexity, use the same Azure management certificate for all classic deployments of cloud distribution points and cloud management gateways, across all Azure subscriptions and all Configuration Manager sites.

Contd… 2) Server authentication certificate This certificate is required for all cloud distribution point deployments. CMG trusted root certificate to clients Server authentication certificate issued by a) Public provider b) Enterprise PKI The cloud distribution point uses this type of certificate in the same way as the cloud management gateway. Clients also need to trust this certificate. To reduce complexity, Microsoft recommends using a certificate issued by a public provider. Note: When doing so, you also need a DNS CNAME alias for clients to resolve the name of the cloud service. Unless you use a wildcard certificate, don't reuse the same certificate. Each instance of the cloud distribution point and cloud management gateway requires a unique server authentication certificate.

Specifications The cloud distribution point supports all Windows versions listed in below article: https://docs.microsoft.com/en-us/sccm/core/plan-design/configs/supported-operating-systems-for-clients- and-devices An administrator distributes the following types of supported software content: a) Applications b) Packages c) OS upgrade packages d) Third-party software updates Important Tip: While the Configuration Manager console doesn't block the distribution of Microsoft software updates to a cloud distribution point, you're paying Azure costs to store content that clients don't use. Internet-based clients always get Microsoft software update content from the Microsoft Update cloud service. Don't distribute Microsoft software updates to a cloud distribution point.

Verifying Cloud Distribution Point Installation In the background the Cloud DP manager component will connect to Azure and start creating the service. It can take up to 30 minutes to provision a new distribution point in Azure. Till then Cloud Distribution Point will be in provisioning status Cloud Distribution Point state can be monitored using CloudMgr.log Once the Cloud Distribution Point is ready, Configuration Manager displays a status message ID 9409 for the SMS_CLOUD_SERVICES_MANAGER component. We’ll also see that a Site System Server is created for Cloud Distribution Point under Servers and Site Systems Role. In Windows Azure Portal, we’ll see two cloud services created with running and online status. a) Storage Account Service b) Cloud Service

Client to cloud distribution point The management point gives the client an access token along with the list of content sources. This token is valid for 24 hours, and gives the client access to the cloud distribution point. The management point responds to the client's location request with the Service FQDN of the cloud distribution point. This property is the same as the common name of the server authentication certificate. If you're using your domain name, for example, domain.contoso.com, then the client first tries to resolve this FQDN. You need a CNAME alias in your domain's internet-facing DNS for clients to resolve the Azure service name, for example: domain.cloudapp.net. The client next resolves the Azure service name, for example, domain.cloudapp.net, to a valid IP address. This response should be handled by Azure's DNS. The client connects to the cloud distribution point. Azure load balances the connection to one of the VM instances. The client authenticates itself using the access token. The cloud distribution point authenticates the client's access token, and then gives the client the exact content location in Azure storage. If the client trusts the cloud distribution point's server authentication certificate, it connects to Azure storage to download the content.

Limitations You can't use a cloud distribution point for PXE or multicast-enabled deployments. A cloud distribution point doesn't support App-V streaming applications. You can't prestage content on a cloud distribution point. The distribution manager of the primary site that manages the cloud distribution point transfers all content. A cloud distribution point doesn't support package deployments with the option to Run program from distribution point. Use the deployment option to Download content from distribution point and run locally

Logs for CDP Server Side: CloudMgr.log: Records details about content provisioning, collecting storage and bandwidth statistics, and administrator-initiated actions to stop or start the cloud service that runs a cloud-based distribution point CloudDP-<guid>.log: Records details for a specific cloud-based distribution point, including information about storage and content access. CMGContentService.log: Starting in version 1806, when you enable a CMG to also serve content from Azure storage, this log records the details of that service.

Content Distribution and Download logs Logs to check while distributing content to CDP: Distmgr.log PkgXferMgr.log  On client side: CAS.log ContentTransferManager.log & DataTransferService.log