ConfigMgr and Azure – A Compelling Partnership – Part I


1 ConfigMgr and Azure – A Compelling Partnership – Part I
Steven Rachui, Principal Premier Field Engineer, Microsoft Corporation
This is part 1 of 2 sessions that focus on the management capabilities of ConfigMgr in Azure. This session will focus on those specific features of ConfigMgr that require the use of Azure, including Cloud DPs, the Cloud Proxy, Upgrade Analytics, Client Health Attestation and more.

2 Agenda
- Introduction
- The Microsoft Cloud
- Why ConfigMgr & Microsoft Cloud?
- ConfigMgr and the Microsoft Cloud – Secure Access
- ConfigMgr and Microsoft Cloud – Options
- ConfigMgr/Cloud Services in Focus
- Questions?

3 The Microsoft Cloud
Azure, EMS, Intune, O365

4 Why ConfigMgr and the Microsoft Cloud
- Services
- Options
- Innovation
- Scale
Services
- Suite of available services
- Cloud capabilities extend, enhance and enable additional ConfigMgr functionality
- No/Minimal Configuration Required: OMS, Device Health Attestation, Upgrade Analytics, More…
- No/Minimal/Reduced administration
  - Depends on service
  - SaaS infrastructure managed by Microsoft: OMS, Device Health Attestation, Upgrade Analytics, etc.
  - IaaS infrastructure managed by customer: Cloud resources (VMs) need to be managed too!
- Cloud based ConfigMgr managing in the cloud
- Cloud based ConfigMgr managing on premise
- On premise ConfigMgr managing in the cloud
Options
- Cloud Only
- On Premise
- Hybrid
Innovation
- Cloud first direction
- Most frequent updates
- New functionality
- ConfigMgr Current Branch release cadence aligns well with pace of cloud development
- Ultimate flexibility
- Rapid response to customer feedback
Scale
- Global
- Dynamic
- Proven

5 ConfigMgr and the Microsoft Cloud: Secure Access
Azure Azure Azure Resource Group Azure Active Directory Operations Management Suite (OMS) Web App for OMS/Upgrade Analytics Management Certificate Operations Management Suite Upgrade Readiness Windows Store for Business AAD Integration Cloud Distribution Point Cloud Management Gateway Site Server Site Server

6 ConfigMgr and the Microsoft Cloud: Options
- EMS/Intune
- Device Health Attestation
- Operations Management Suite (OMS)
- Upgrade Analytics
- Cloud Distribution Points
- Cloud Management Gateway
- Windows Store for Business
- Conditional Access

7 ConfigMgr and Cloud Services in Focus
- EMS/Intune
- Device Health Attestation
- Operations Management Suite (OMS)
- Upgrade Analytics
- Cloud Distribution Points
- Cloud Management Gateway
- Windows Store for Business
- Conditional Access

8 ConfigMgr and Cloud Services in Focus
- Device Health Attestation
- Upgrade Analytics
- Cloud Distribution Points
- Cloud Management Gateway

9 ConfigMgr and Cloud Services in Focus: Cloud Distribution Point
- What is the Cloud Distribution Point?
- Why Cloud Distribution Points?
- Configuring
- Cloud Distribution Point in Action
- Scenarios and Tips

10 ConfigMgr and Cloud Services in Focus: What is a Cloud Distribution Point?
- What is the Cloud Distribution Point?
- Why Cloud Distribution Points?
- Configuring
- Cloud Distribution Point in Action
- Scenarios and Tips
Notes
- Cloud distribution point uses classic Azure storage
- Azure Resource Manager support is often requested
- No details or commitment around any change to support Azure Resource Manager at time of PPT preparation

11 ConfigMgr and Cloud Services in Focus: Why Cloud Distribution Points?
- Flexibility/Scale
- Granular Controls: Client Settings, Thresholds, Boundary Groups
- Additional Benefits: Encrypted Content, Scale, Multiple as needed

12 ConfigMgr and Cloud Services in Focus: Configuring – Certificates
- Azure Management Certificate
- Cloud Distribution Point Service Certificate

13 ConfigMgr and Cloud Services in Focus: Configuring – Certificates – Demo
- Azure Management Certificate
- Cloud Distribution Point Service Certificate
DEMO
Azure Management Certificate
- Options
  - MakeCert.exe
      makecert -sky exchange -r -n "CN=ConfigMgr Azure Management Certificate" -pe -a sha1 -len 2048 -ss My "Windows Azure Management Certificate"
  - PowerShell
      $cert = New-SelfSignedCertificate -DnsName yourdomain.cloudapp.net -CertStoreLocation "cert:\LocalMachine\My"
      $password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText
      Export-PfxCertificate -Cert $cert -FilePath ".\my-cert-file.pfx" -Password $password
- Export Management Cert
  - To CER
  - To PFX
- Upload Management Certificate
  - Classic Azure Portal
    - Services Management certificate
    - Upload CER
  - New Azure Portal
Cloud Distribution Point Certificate
- Create and issue a custom web server certificate template on certification authority
  - Create AD Security Group
    - Name: ConfigMgr Site Servers
    - Membership: Primary site server(s)
  - On Certificate Authority
    - Comment on CRL checking and potential errors if needed and not available
    - Reference will discuss in Tips section
    - Certificate Templates > Manage
    - Duplicate Web Server template
    - Ensure Windows 2003 Server, Enterprise Edition is selected
    - General tab: Template Name: ConfigMgr Cloud Distribution Point
    - Request handling: Allow private key to be exported
    - Security
      - Enterprise Admins: Remove enroll permission
      - Add ConfigMgr site servers: Select Enroll and Read permission
    - Certificate Templates > New > Certificate Template to Issue
    - Issue ConfigMgr Cloud Distribution Point cert
- Request the custom web server certificate
  - Restart ConfigMgr site server
  - Launch MMC and add Certificates snap-in
  - Select options for computer account and local computer
  - Personal certificate store
  - All Tasks > Request New Certificate
  - Request ConfigMgr Cloud Distribution Point Certificate
  - Before requesting, select the "More information is required to enroll for this certificate" option
  - Specify Subject Name
    - Set to Common Name
    - Set Value to clouddp1.tailspintoys.com
- Export the custom web server certificate for cloud distribution points
  - Export enrolled certificate as PFX
  - Select to export private key (this is what causes the cert to be exported as PFX)
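A pre-flight check for the exported service certificate, as an added example that is not part of the original presentation: it confirms the PFX carries a private key, the subject common name requested above and the Server Authentication usage inherited from the Web Server template, and it lists the CRL distribution points so you can see whether revocation checking has any chance of working for internet clients. The function name, its parameters and the sample file name are assumptions.

```powershell
# Added example, not from the presentation. Function name, parameters and the
# sample file name are assumptions; the OIDs are the standard X.509 values.
function Test-CloudServiceCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ExpectedCN
    )
    $path = (Resolve-Path $PfxPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path, $Password)

    # Subject common name, as typed into the enrollment request.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)

    # Enhanced Key Usage extension (2.5.29.37) must list Server Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # CRL Distribution Points extension (2.5.29.31). On Windows, Format() renders
    # the entries as "URL=..." text, which is what the regex below relies on.
    $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($cdp) {
        $urls = @([regex]::Matches($cdp.Format($true), '(?i)(?:https?|ldap)://\S+') |
                  ForEach-Object { $_.Value })
    }
    # An http(s) CDP is the kind that can be published to the internet; whether it
    # is actually reachable from outside still has to be tested from outside.
    $httpCdp = @($urls | Where-Object { $_ -match '^https?://' })

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    [pscustomobject]@{
        SubjectCN       = $cn
        CNMatches       = ($cn -eq $ExpectedCN)
        HasPrivateKey   = $cert.HasPrivateKey      # false means it was not exported as a usable PFX
        ServerAuthEku   = $serverAuth
        RsaKeyBits      = if ($rsa) { $rsa.KeySize } else { $null }
        DaysUntilExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
        CrlUrls         = $urls
        HasHttpCdp      = ($httpCdp.Count -gt 0)
    }
}

# Usage (file name is a constructed sample; the CN is the one used on the slide):
# Test-CloudServiceCertificate -PfxPath .\clouddp1.pfx -ExpectedCN 'clouddp1.tailspintoys.com' `
#     -Password (Read-Host -AsSecureString 'PFX password')
```

If `HasHttpCdp` is false, the certificate only advertises CRL locations that internet clients cannot query, which is the situation the CRL comments in this deck refer to.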

14 ConfigMgr and Cloud Services in Focus: Configuring – Components
- ConfigMgr Cloud Distribution Point Connector
- Azure/Cloud Services & Storage
- DNS
- Clients

15 ConfigMgr and Cloud Services in Focus: Configuring – Components – Demo
- ConfigMgr Cloud Distribution Point Connector
- Azure/Cloud Services & Storage
- DNS
- Clients
ConfigMgr Cloud Distribution Point Connector
- Connector
  - Subscription ID
  - Services Management certificate (PFX)
  - Service certificate (PFX)
  - Threshold settings
- Monitor/Troubleshoot
  - CloudMgr.log
  - CloudDP-<GUID>.log
  - May take up to 30 minutes
  - Configuration status also reflected in console
Azure/Cloud Services & Storage
- No configuration to do here – the cloud distribution point install takes care of all of this
- Access Azure, demonstrate cloud service and <GUID>.cloudapp.net
- Access Azure, demonstrate storage and content already deployed
DNS
- Configure CNAME record
  - Access Azure cloud service and save off <GUID>.cloudapp.net FQDN
  - Configure CNAME record to map cloud DP name to Azure cloud service FQDN
Clients
- Client Settings
- MP access required
- Internet access required

16 ConfigMgr and Cloud Services in Focus: Cloud Distribution Point in Action
DEMO
- Boundary Groups
- Distribute content
- Deploy
Boundary Groups
Distribute
- Packages
- Applications
- Software Updates
- Task Sequences
Deploy
- Enable/demonstrate appropriate content options
Monitor/Troubleshoot
- Distmgr.log
- PkgXferMgr.log
- LocationServices.log
- CAS.log
- DataTransferService.log
  - Logs HTTPS communication attempts
  - A couple of WEBDAV errors may be normal
  - Note the IDs in the log refer to ID of cloud service
- ContentTransferManager.log
  - Content location type is Azure. Need to get the signed source url.]

17 ConfigMgr and Cloud Services in Focus: Cloud Distribution Point – Scenarios and Tips
- Non-internet distribution point preferred if available
- If internet based distribution point selected, no fallback to cloud distribution point

18 ConfigMgr and Cloud Services in Focus: Cloud Management Gateway
- What is a Cloud Management Gateway?
- Why a Cloud Management Gateway?
- Configuring
- Cloud Management Gateway in Action
- Scenarios and Tips

19 ConfigMgr and Cloud Services in Focus: What is a Cloud Management Gateway?
- Proxy
- Azure Cloud Service
- Virtual Machine(s)
- Currently Pre-release Status
Proxy
- For ConfigMgr site/client communication
Azure Cloud Service
Virtual Machine(s)
- Currently A2 class VMs
- Support up to 6,000 clients per VM
- Multiple (up to 16) VMs possible per CMG
Currently Pre-release Status
- Typically try to avoid discussing pre-release features
- Components in pre-release status more likely to be tweaked
- Some tweaks are pending
- Basic functionality shouldn’t change

20 ConfigMgr and Cloud Services in Focus: Why a Cloud Management Gateway?
- Manage Internet Clients
- On-Prem or Internet
- Innovation
- Cloud Management Gateway or IBCM?
Manage Internet Clients
- Internet management simplified!
- Increase value of ConfigMgr investment
On-Prem or Internet
- Automatically detect whether client is located on-prem or on the internet
- Determined by client direct access to Domain Controller or on-prem management point
- Clients must be connected to internal network to receive initial CMG configuration policy
Innovation
- Current approach innovative
- Changes pending to add more flexibility and features
- Automatic client install via CMG already in technical preview
Cloud Management Gateway or IBCM?
CMG Advantages
- No additional infrastructure investment required
- Does not expose on-premises infrastructure to internet
- Easily set up and configured in ConfigMgr console
- Cloud virtual machines that run the service are fully managed by Azure and require no maintenance
IBCM Advantages
- No cloud service dependency
- No additional cost associated with a cloud subscription
- Full control over servers and roles providing service
CMG Disadvantages
- Cloud subscription cost
- Management data sent through cloud service
IBCM Disadvantages
- Requires additional infrastructure investment
- Overhead and operational cost of additional infrastructure

21 ConfigMgr and Cloud Services in Focus: Configuring – Certificates
Azure Management Certificate Client Authentication Certificate (Optional) Server Authentication Certificate CMG Certificate Client Root Certificate

22 ConfigMgr and Cloud Services in Focus: Configuring – Components
- Primary Site
- Management Point/Software Update Point
- Cloud Management Gateway
- Cloud Management Gateway Connection Point
- Azure
- Client

23 ConfigMgr and Cloud Services in Focus: Configuring – Components – Demo
- Primary Site
- Management Point/Software Update Point
- Cloud Management Gateway
- Cloud Management Gateway Connection Point
- Azure
- Client
Primary Site
- Set Primary Site to Support Certificate Authentication
- ConfigMgr will communicate with CMG using certificate authentication
DEMO
- Site Configuration > Sites > <site code> Properties
- Client Computer Communications
- Select ‘Use PKI client certificate (client authentication capability) when available’
- If not publishing CRL on internet, clear ‘Clients check the certificate revocation list (CRL) for site systems’
Management Point/Software Update Point
- The management points and software update points that will be used with CMG must be configured to support CMG traffic
- Configure to accept cloud management gateway traffic
  - Site Configuration > Server and Site System Roles
  - Select Role (MP or SUP) properties
  - Change Client Connections to HTTPS (optional but recommended)
  - Check the box to ‘Allow Configuration Manager cloud management gateway traffic’
Cloud Management Gateway
- CMG is currently pre-release
  - Ensure pre-release features are enabled
  - Enable CMG in updates and servicing
  - Future releases of ConfigMgr may make some slight changes to configuration options
  - Ability to deploy client automatically through CMG already in Technical Preview
- Administration > Cloud Services > Cloud Management Gateway > Create Cloud Management Gateway
  - Possible to create multiple per primary site
  - Supply required information
  - Import Client Management Gateway cert first
  - Service name field will be autocompleted
  - Import Client Certificate Root Cert
  - Disable Client Revocation Checking (unless CRL is published to internet)
  - Setup process takes 15 or so minutes to show Ready status
  - Review CloudMgr.log
CMG Connection Point
- The CMG Connection Point facilitates communication with CMG
- Create CMG Connection Point
  - If required, add new site system server
  - Administration > Site Configuration > Servers and Site System Roles > Cloud Management Gateway Connection Point
  - Supply required detail
  - Monitor SMS_CLOUD_PROXYCONNECTOR.log for progress
- Validate MP and SUP for CMG
  - In properties of MP and SUP enable ‘Allow Configuration Manager cloud management gateway traffic’
  - Ensure ‘Allow internet and intranet connections’ is selected
- Review status information
  - Show Ready and Connect status for Cloud Management Gateway
Azure
- Installing a CMG will create a cloud service, cloud storage and between 1-16 VM(s) (depending on selection) to support configuration.
- Show CMG created cloud service, cloud storage and VMs
  - Open Azure portal
  - Show Azure components created
  - Show Azure VM created
  - Show how to configure RDP capability for this VM
  - Connect to VM and explore
  - Show IIS
  - Confirm CRL configuration
      netsh http show sslcert
Client
- When a CMG is introduced to the environment clients will learn about it during their next location refresh cycle
  - Cycle will occur every 24 hours
  - Can be forced by restarting CCMExec service
- CMG configuration will show up in Network Configuration tab of client control panel applet
  - Show Network Configuration tab of client control panel applet

24 ConfigMgr and Cloud Services in Focus: Cloud Management Gateway – In Action
Client
DEMO: CMG In Action
Start with client on internal network
- Show client configuration
  - Open ConfigMgr client applet
  - General tab – client set for PKI and connected to PKI enabled management point
- Client Status
  - Show in device list that test client is presenting with a green check mark indicating proper communication
- Policy Request Cycle
  - Initiate a policy request cycle
  - Show in CCMMessaging log that the request is being sent to on-premises management point
- Software Install
  - Show RichCopy configured in the console and show the content tab and the distribution points where it is deployed
  - Note that the cloud DP has the content but is not a preferred DP in the boundary group in which the client resides
  - Install RichCopy (ensure RichCopy is not in CCMCache first)
  - Show in ContentTransferManager log that RichCopy was downloaded from on-premises distribution point
  - Uninstall RichCopy
  - Remove RichCopy content from CCMCache
Switch client to only communicate on the internet
- Set registry value ClientAlwaysOnInternet to 1 under HKLM\Software\Microsoft\CCM\Security
- Restart CCMExec service
- Show client configuration
  - General tab – client set for PKI but no management point listed
- Policy Request Cycle
  - Show in CCMMessaging log that the request is being sent to CMG
- Software Install
  - Show in ContentTransferManager log that RichCopy was downloaded from cloud distribution point

25 ConfigMgr and Cloud Services in Focus: Cloud Management Gateway – Scenarios and Tips

26 ConfigMgr and Cloud Services in Focus: Scenarios and Tips
- Performance
- Cost
Performance
- Configure CMG, CMG connection point and ConfigMgr site server in same network region to reduce latency
- Connection between ConfigMgr and CMG currently not region aware
- Higher availability with at least 2 virtual instances of CMG and 2 CMG connection points per site
- Scale CMG to support more clients. Automatically load balanced by Azure AD load balancer
- Create more CMG connection points to distribute load
- Supported number of clients per CMG VM is 6,000 as of 1702 release
Cost
- CMG uses VMs - there is a cost associated with running the VM
- VM costs vary by region
- Use Azure pricing calculator
- Costs incurred for data flowing out of the service
- For estimating purposes expect approximately 100 MB per client per month for internet based clients doing policy refreshes every hour
- Other actions, such as deploying software, will increase the cost since the amount of outbound data will increase
- Clients managed by CMG will get software update content from Windows Update at no charge

27 ConfigMgr and Cloud Services in Focus
- Device Health Attestation
- Upgrade Analytics/Readiness

28 Questions?

