1
Cloud Management Gateway Deep Dive
Aaron Czechowski, Senior Program Manager, Microsoft
Dune Desormeaux, Program Manager II, Microsoft
Speakers: both
2
Aaron Czechowski (@AaronCzechowski)
- Senior Program Manager, Configuration Manager product team
- 5 years on product team, 10 years at Microsoft
Dune Desormeaux (@DuneConfigured)
- Program Manager II, Configuration Manager product team
- 2 years on the product team (almost), more text so that I look cool & savvy next to Aaron
Both
- years working with Configuration Manager
- Chipotle for lunch most days
- Poutine, Guacamole
3
Scenario (presented 9/28/2017)
[Diagram: Corporate Network (AD, CA, Site, MP, DP, SUP) behind a firewall; DMZ; Internet; Windows Update; Azure]
Speaker: Aaron
- Traditional management with SCCM (not ready for modern management via Intune)
- Clients roam onto the Internet (home, travel, remote office)
- Still need to be managed, especially software updates
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
4
Internet-based Client Management
[Diagram: Corporate Network (AD, CA, Site, MP, DP, SUP) behind a firewall; a second set of AD, CA, MP, DP and SUP roles exposed in the DMZ for Internet clients; Windows Update; Azure]
Speaker: Aaron
This method relies on Internet-facing site system servers to which clients communicate for management purposes. It requires both clients and site system servers to be configured for Internet-based management.
Advantages:
- No cloud service dependency.
- No additional cost associated with a cloud subscription.
- Full control of servers and roles providing the service.
Disadvantages:
- Requires additional infrastructure investment.
- Overhead and operational cost of additional infrastructure.
- Infrastructure must be exposed to the Internet.
5
Plan to simplify: manage traditional clients that roam on the Internet
- Without additional infrastructure
- Without exposing infrastructure to the Internet
- Easily configured through the Configuration Manager console
Key features continue to work on the device when not on the corporate network:
- Software updates
- Hardware and software inventory
- Endpoint protection
- Client notification
- Settings
- Applications
Speaker: Aaron
6
Cloud Management Gateway
[Diagram (logical data flow): Corporate Network (AD, CA, Site, MP, DP, SUP, CMG Connection Point) behind a firewall; outbound port 443 only to the CMG in Azure; a cloud distribution point (CDP) in Azure serving applications, packages and third-party updates; Internet clients talk to the CMG; Windows Update]
Speaker: Aaron
Advantages:
- No additional infrastructure investment required.
- Does not expose on-premises infrastructure to the Internet.
- Cloud virtual machines that run the service are fully managed by Azure and require no maintenance.
- Easily set up and configured in the Configuration Manager console.
Disadvantages:
- Cloud subscription cost.
- Management data sent through the cloud service.
7
Creating CMG (demo)
Speaker: Dune
8
Network Ports
NO INBOUND PORTS REQUIRED!
Source                   | Port | Destination | Use
Service Connection Point | 443  | Azure       | Deploy CMG
CMG Connection Point     |      | CMG         | CMG channel for first VM
CMG Connection Point     |      | CMG         | CMG channel for additional VM instances
Client                   |      | CMG         | Client channel
Speaker: Aaron
9
Scaling CMG
[Diagram: Corporate Network with an NA Site and an APAC Site, each with its own CMG Connection Point; Azure with an East US CMG and an East Asia CMG, each running two Standard A2 VM instances; each CMG and each CMG Connection Point is labelled ~6,000]
Speaker: Aaron
10
Performance Considerations
- Any Internet-roaming client in the site will use the CMG
- Reduce network latency by locating CMG, CMG Connection Point and Site Server in the same geographic region
- Client to CMG in Azure is not region-aware
- For high availability, at least two VM instances and two CMG Connection Points per site
- Scale out by increasing VM instances, which leverages the Azure load balancer in front of CMG
- CMG does round-robin communication with multiple CMG Connection Points; creating more on-premises roles will distribute load
Speaker: Dune
11
Best Practices and FAQs
- Publish the Certificate Revocation List (CRL) to the Internet
- HTTPS is optional on-prem
- Supports Azure US Government (Fairfax)
Unsupported features (as of 1702):
- Azure Resource Manager
- Client deployment using client push
- Automatic site assignment
- User policies
- Application catalog
- Full operating system deployment (OSD)
- Configuration Manager console
- Remote tools
- Reporting website
- Wake on LAN
- Peer cache
- On-premises Mobile Device Management
- Mac, Linux, and UNIX clients
Speaker: Dune
12
Certificates
Management certificate
- "Credentials" between site and Azure (thus classic portal, not Azure Resource Manager)
- Any certificate, including self-signed
- Public cert uploaded to Azure; .pfx with private key imported into the site
Web service (server authentication) certificate
- Use a public certificate provider (Symantec, Thawte)
- Wildcard certificate is not supported
Root/subordinate certificate authority
- Used by CMG for full chain validation on client PKI certificates
Client certificate
Speaker: Dune
13
Using a public server auth certificate
1. Create a DNS CNAME. Example: GraniteFalls.Contoso.Com = GraniteFalls.CloudApp.Net
2. Obtain a server authentication cert from a public and globally trusted certificate provider (like Symantec or Thawte). Example: CN = GraniteFalls.Contoso.com
3. Create the CMG service. Example: Configuration Manager creates the Azure service as GraniteFalls.CloudApp.net
Speaker: Dune
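The three steps above leave several things to verify before clients roam: that the CNAME really points at the CloudApp.net name, that the certificate name matches the name clients use, that it is not a wildcard, that it carries the Server Authentication EKU, and that its chain builds with online revocation checking (which is why the CRL must be published to the Internet). The following PowerShell is an added example, not code from the session or from the Configuration Manager product; it fetches the certificate the service presents on port 443 and runs those checks. GraniteFalls.Contoso.com and GraniteFalls.CloudApp.Net are the session's example names, and Resolve-DnsName assumes the DnsClient module present on Windows 8 / Server 2012 and later.

```powershell
# Added example, not code from the session or from the Configuration Manager product.
# Pre-flight checks for a CMG public server authentication certificate.
# GraniteFalls.Contoso.com / GraniteFalls.CloudApp.Net are the session's example names.

function Get-RemoteServerCertificate {
    # Fetch the certificate the service presents on the outbound-only port 443.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any certificate here on purpose: validation is done
        # explicitly, check by check, in Test-CMGCertificateSetup below.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Test-CMGCertificateSetup {
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # name clients use, e.g. GraniteFalls.Contoso.com
        [Parameter(Mandatory)][string]$CloudAppName,  # name the CNAME must target, e.g. GraniteFalls.CloudApp.Net
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Step 1: the CNAME must resolve to the CloudApp.net name Configuration Manager created.
    $cname = Resolve-DnsName -Name $ServiceName -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    Add-Result 'DNS CNAME' ($cname -and $cname.NameHost -ieq $CloudAppName) ("{0} -> {1}" -f $ServiceName, $cname.NameHost)

    # Step 2: the certificate name must match the service name clients connect to.
    $dnsName = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    Add-Result 'Name matches' ($dnsName -ieq $ServiceName) "certificate name: $dnsName"

    # Wildcard certificates are not supported for CMG: reject '*' in the CN or the SAN.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $isWildcard = ($Certificate.Subject -match 'CN=\*') -or ($sanText -match '\*')
    Add-Result 'Not a wildcard' (-not $isWildcard) "subject: $($Certificate.Subject)"

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present.
    $eku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    Add-Result 'Server Authentication EKU' $hasServerAuth ''

    # The chain must build to a trusted root with online revocation checking, which is
    # what a roaming client does; this is why the CRL has to be published to the Internet.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Add-Result 'Chain builds (online CRL)' $built $status

    # Each CRL distribution point should be reachable from the Internet side.
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    $urls = if ($cdp) { [regex]::Matches($cdp.Format($false), 'https?://[^\s,)]+') | ForEach-Object { $_.Value } } else { @() }
    foreach ($url in $urls) {
        try {
            $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            Add-Result 'CRL reachable' $true $url
        }
        catch {
            Add-Result 'CRL reachable' $false "$url : $($_.Exception.Message)"
        }
    }
    return $results
}

# Usage (assumes the CMG service already exists and answers on port 443):
# $cert = Get-RemoteServerCertificate -HostName 'GraniteFalls.Contoso.com'
# Test-CMGCertificateSetup -ServiceName 'GraniteFalls.Contoso.com' -CloudAppName 'GraniteFalls.CloudApp.Net' -Certificate $cert |
#     Format-Table -AutoSize
```

Run the usage lines from a machine outside the corporate network, since the point is to see what a roaming client sees: a CRL that is only reachable on-prem shows up here as a chain failure with a revocation status, not as a certificate problem.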
14
Logs
.\SMS\Logs on Service Connection Point
- CloudMgr.log: first phase deployment of the CMG package to Azure as a cloud service. Verbose: HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER\Logging level
.\SMS\Logs on Service Connection Point (synced from %approot%\logs on the Azure VM instance)
- Verbose: Azure portal, Cloud Services Configuration tab, Trace level: Information (default), Verbose, Error
- CMG components push logs to Azure storage every five minutes. Cloud Service Manager syncs from Azure storage every five minutes.
- CMGSetup.log (or CMG-<RoleInstanceID>-CMGSetup.log): second phase deployment of CMG on the VM instance
- CMGHttpHandler.log (or CMG-<RoleInstanceID>-CMGHttpHandler.log): CMG HTTP handler binding with IIS on the VM instance
- CMGService.log (or CMG-<RoleInstanceID>-CMGService.log): CMG service core component on the VM instance
.\SMS\Logs on CMG Connection Point
- SMS_CLOUD_PROXYCONNECTOR.log: CMG Connection Point site role. Verbose: HKLM\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR\VerboseLogging
Speaker: Dune
15
Troubleshooting
- Deployment: CloudMgr.log, CMGSetup.log
- Service health: CMGService.log, SMS_CLOUD_PROXYCONNECTOR.log
- Client traffic: CMGHttpHandler.log -> CMGService.log -> SMS_CLOUD_PROXYCONNECTOR.log
Speaker: Dune
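Following one client request through the chain above means reading three logs that land on two different servers and merging them by time. The PowerShell below is an added example, not code from the session or from the product: it parses Configuration Manager's CMTrace line format, merges the three logs in chain order, reports the first error on the path, and reads the two verbose-logging registry values named on the Logs slide (their numeric meaning is not stated in the session, so they are reported as-is). The sample log lines are constructed for this example and are not real CMG output.

```powershell
# Added example, not code from the session or from the Configuration Manager product.
# Walks the client-traffic chain CMGHttpHandler.log -> CMGService.log ->
# SMS_CLOUD_PROXYCONNECTOR.log. Sample lines are constructed, not real CMG output.

function ConvertFrom-CMTraceLine {
    # Parse one CMTrace-format line into an object; lines that do not match are skipped.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Line,
        [Parameter(Mandatory)][string]$LogName
    )
    begin { $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' } }  # CMTrace type codes
    process {
        $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
        if ($Line -notmatch $pattern) { return }
        # time looks like 10:15:30.123+420 (milliseconds and UTC offset); keep HH:mm:ss for sorting
        $clock = ($Matches['time'] -split '[.+-]')[0]
        $stamp = [datetime]::ParseExact(("{0} {1}" -f $Matches['date'], $clock), 'MM-dd-yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
        $sev = $severity[$Matches['type']]
        if (-not $sev) { $sev = 'Unknown' }
        [pscustomobject]@{
            Log       = $LogName
            Timestamp = $stamp
            Component = $Matches['comp']
            Severity  = $sev
            Message   = $Matches['msg']
        }
    }
}

function Get-CMGClientTraffic {
    # $Logs: ordered hashtable of log name -> string[] of lines, in chain order.
    param([Parameter(Mandatory)][System.Collections.Specialized.OrderedDictionary]$Logs)
    $entries = foreach ($name in $Logs.Keys) {
        $Logs[$name] | ConvertFrom-CMTraceLine -LogName $name
    }
    $entries | Sort-Object Timestamp, Log
}

function Find-CMGFirstError {
    # First Error entry along the chain, or nothing if the traffic looks healthy.
    param([Parameter(Mandatory)][System.Collections.Specialized.OrderedDictionary]$Logs)
    Get-CMGClientTraffic -Logs $Logs | Where-Object { $_.Severity -eq 'Error' } | Select-Object -First 1
}

function Get-CMGVerboseSetting {
    # Reads the verbose-logging values named on the Logs slide; values are reported as-is.
    $targets = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER'; Name = 'Logging level' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\SMS\SMS_CLOUD_PROXYCONNECTOR';            Name = 'VerboseLogging' }
    )
    foreach ($t in $targets) {
        $value = (Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        [pscustomobject]@{ Key = $t.Path; Name = $t.Name; Value = $value }
    }
}

# Constructed sample lines for one client request, in the order the slide names the logs.
$sampleLogs = [ordered]@{
    'CMGHttpHandler.log' = @(
        '<![LOG[Received client request]LOG]!><time="10:15:30.101+420" date="09-28-2017" component="CMGHttpHandler" context="" type="1" thread="12" file="handler.cs:10">'
    )
    'CMGService.log' = @(
        '<![LOG[Forwarding request to connection point]LOG]!><time="10:15:30.205+420" date="09-28-2017" component="CMGService" context="" type="1" thread="14" file="service.cs:42">'
        '<![LOG[No connection point available to forward request]LOG]!><time="10:15:35.300+420" date="09-28-2017" component="CMGService" context="" type="3" thread="14" file="service.cs:58">'
    )
    'SMS_CLOUD_PROXYCONNECTOR.log' = @(
        '<![LOG[Connection to CMG channel closed]LOG]!><time="10:15:34.900+420" date="09-28-2017" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="2" thread="20" file="connector.cpp:77">'
    )
}

Get-CMGClientTraffic -Logs $sampleLogs | Format-Table Timestamp, Log, Severity, Message -AutoSize
$first = Find-CMGFirstError -Logs $sampleLogs
if ($first) { "First error at {0} in {1}: {2}" -f $first.Timestamp, $first.Log, $first.Message }
```

On a real site, build the ordered hashtable with Get-Content against the three files under .\SMS\Logs on the Service Connection Point (the two CMG-side logs, synced every five minutes) and on the CMG Connection Point; the merged, time-sorted view makes it obvious whether a client failure surfaced first at the CMG or at the connection point, which is the question the chain on the slide is meant to answer.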
16
Client CMG (demo)
Speaker: Aaron
17
Roadmap
- Use Azure Active Directory for client authentication (no client certificate!)
- User-targeted apps in Software Center
- Install/register client on the Internet
- Client setting to enable use of CMG
Speaker: Aaron
18
References
- CMG Setup video
- Product documentation
- Cost estimates: gateway#cost-of-cloud-management-gateway
Speaker: Aaron
19
Real-world Scenario
Speaker: John Marcum, MVP