(13) Setup CMG with eHTTP
- Mr B SOE way
- Jun 29, 2022
- 6 min read
I recently finished a project with a customer with setting up Cloud Management Gateway (CMG) using Azure Resource Manager and enhanced HTTP (eHTTP) along with Co-Management and Windows Autopilot Hybrid Azure AD Join which I cover in another post. This post will be mainly on creating the CMG with eHTTP. Starting in Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of CMG.
Prerequisites
1. Hybrid Azure AD Join
2. Ports and data flow
3. Azure Subscription to host the CMG
4. Global Administrator: to integrate MECM with Azure by creating the Azure services (web and client applications)
5. Azure Subscription Owner Rights: required to create the CMG cloud service (VMs in Azure)
6. Unique CMG DNS Name
7. Server Authentication Certificate
The following will be covered here:
1. Check if the CMG Service Name is available
2. Create the Server Authentication Certificate
3. Create the Azure Service - Cloud Management
4. Enable Enhanced HTTP
5. Update Internal CNAME and External CNAME to align with the CMG DNS
6. Update MECM Feature: Cloud Management Gateway with Azure VM Scale Set
7. Create the CMG Service in Azure
8. Create the CMG Connection Point
9. Update Boundaries and Boundary Groups
10. Enable CMG on MP, SUP and Client
Check if the CMG Service Name is available
1. Log into https://portal.azure.com, search for Cloud Services (Classic)

2. Select Create

3. Enter the desired DNS name. For this blog I have chosen mrbsoeway.cloudapp.net; this is to verify that this DNS name is valid.

Create the Server Authentication Certificate
1. Navigate to the server that has the CA installed and open the Certification Authority console. Right click on Certificate Templates, then select Manage. Navigate to Web Server, then select Duplicate Template.

2. When prompted, select "Windows Server 2003 Enterprise"

3. Under General, enter the Template display name and change or accept the validity period

4. Under Request Handling, ensure that "Allow private key to be exported" is selected.

5. Under Subject Name, ensure "Supply in the request" is selected

6. Under Security, add the MECM (SCCM) server that the certificate will be issued to. Allow Read and Enroll permissions. Click OK to close the properties.

7. Now we have the CMG Service Certificate template.

8. Go back to the main Certification Authority console.
Right click on Certificate Templates, then select New, then select Certificate Template to Issue.

9. Select the CMG Service Certificate that was created then select OK.

10. On the MECM server (stand-alone primary site server), run Certlm.msc to open the Certificates console. Navigate to Personal, right click Certificates, then select All Tasks > Request New Certificate.

11. On the Before You Begin page, select Next, then select Next again on the Select Certificate Enrollment Policy page. On the Request Certificates page, select the CMG Service Certificate, then click "More information is required to enroll for this certificate. Click here to configure settings".

12. Under Subject, select Common Name with the Value set to the unique CMG DNS name that was verified earlier, mrbsoeway.cloudapp.net (this works for a classic cloud setup).
For an Azure Virtual Machine deployment, ensure the CN is servicename.australiaeast.cloudapp.azure.com.

13. Click Enroll to add the CMG Service Certificate.

14. Once enrolled, the certificate should be listed under Personal > Certificates.

15. Right click the CMG Service Certificate then select Export.

16. Select Yes, export the private key. On the next page, select Personal Information Exchange - PKCS #12 (.PFX), then select Next.


17. Enter the password twice, then enter the path and name of the file. Then click OK.
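Steps 10 to 17 can also be done from PowerShell on the site server. The script below is an added example, not part of the original post: it enrolls from the duplicated template, checks the certificate before the private key leaves the server, and exports the PFX. The template name CMGServiceCertificate and the export path are assumptions; the DNS name is the one used in this post.

```powershell
# Added example, not from the original post: request the CMG server
# authentication certificate from the duplicated template, sanity-check it,
# and export it as a password-protected PFX for the CMG wizard.
# Assumptions: the template's Template name (not display name) is
# 'CMGServiceCertificate'; the CMG DNS name is mrbsoeway.cloudapp.net as in
# the post. Run in an elevated session on the site server.
$TemplateName = 'CMGServiceCertificate'
$CmgDnsName   = 'mrbsoeway.cloudapp.net'
$PfxPath      = 'C:\Certs\CMGServiceCert.pfx'

# Steps 10-13 equivalent: enrol into the machine Personal store with the
# subject supplied in the request (the template uses "Supply in the request").
$enroll = Get-Certificate -Template $TemplateName `
                          -SubjectName "CN=$CmgDnsName" `
                          -DnsName $CmgDnsName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($enroll.Status)); check Read/Enroll permissions on the template."
}
$cert = $enroll.Certificate

# Checks before the key leaves the box: subject must match the CMG DNS name,
# the private key must be present, and the EKU must include Server Authentication.
$ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
if ($cert.Subject -ne "CN=$CmgDnsName") { throw "Subject '$($cert.Subject)' does not match CN=$CmgDnsName" }
if (-not $cert.HasPrivateKey)           { throw 'Certificate has no associated private key' }
if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') { throw 'Certificate lacks the Server Authentication EKU' }

# Steps 15-17 equivalent: export as PKCS #12 with the private key, then lock
# the file down to the current user only (it contains the CMG's private key).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
icacls $PfxPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):R" | Out-Null
Write-Host "Exported $($cert.Thumbprint) (expires $($cert.NotAfter)) to $PfxPath"
```

Delete the PFX once the CMG wizard has consumed it; the private key stays in the machine store on the site server.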

Create the Azure Service - Cloud Management
1. Navigate to your MECM Console, then select Administration > Cloud Services > right click on Azure Services > Configure Azure Services > Select Cloud Management then select Next

2. On the App Properties page, click Browse for Web App

3. On the Server App, select Create

On the Create Server Application, enter the following:
Application Name: Enter any name, for example “CMG Web Application” or "CMG Azure App"
Secret key validity period: Change to 2 years
Azure admin account: Sign into Azure with the account that has global administrator rights
Azure AD tenant name: Once signed in, this field will display the name of your tenant.

4. On the App Properties page, click Browse for Native Client App.

5. On the Create Client Application, enter the following:
Application Name: Enter any name, for example CMG Client App
Azure admin account: Sign into Azure with the account that has global administrator rights
Azure AD tenant name: Once signed in, this field will display the name of your tenant.
Select OK, then select OK again.

6. Under the App Properties, select Next.

7. Under Configure Discovery Settings, tick both "Enable Azure Active Directory User Discovery" and "Enable Azure Active Directory Group Discovery". Adjust the discovery settings as needed. Then select Next

8. Then select Next then Finish

9. Navigate back to Azure Services to ensure the wizard was successful.

10. Navigate to https://portal.azure.com/ then search for App Registrations. Both the Server app and the Client Native app should be set up.

11. Navigate to API permissions for both the server and client app, click "Grant Admin Consent", then select Yes to confirm.

12. Navigate back to the MECM console and run Full Discovery Now.

Enable Enhanced HTTP
This step is necessary if MECM is not configured for HTTPS.
1. In the MECM console, navigate to Administration > Overview > Site Configuration > Sites. Right click the site, select Properties, then select Communication Security.
Select HTTPS or HTTP.
Tick "Use Configuration Manager-generated certificates for HTTP site systems"

Wait for about 30 minutes to ensure the MP and DP have applied the self-signed certificate.
2. On the MP or DP, run Certlm.msc. In the Certificates console, select Personal > Certificates; you should see the certificate generated by the site server.
3. Open IIS on the Distribution Point (the bindings will exist on the MP as well). Under Default Web Site you should find the new endpoint named CCMTokenAuth_SMS_DP_SMSPKG$.

4. Right click Default Web Site > Edit Bindings > select https > Edit, and the Edit Site Binding page will open. On the bottom left you should see the certificate (SMS Role SSL Certificate) that was generated by the site server, as shown in the image below.
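The checks in steps 2 to 4 can be scripted on each MP and DP. This is an added example, not from the original post; it assumes the roles are hosted on Default Web Site and that the site-generated certificate carries the friendly name SMS Role SSL Certificate as shown in the console.

```powershell
# Added example, not from the original post: on an MP or DP, confirm that the
# site-generated 'SMS Role SSL Certificate' is in the machine store, that it is
# the certificate behind the HTTPS binding of Default Web Site, and that the
# token-auth DP endpoint exists. Assumption: roles are hosted on 'Default Web Site'.
Import-Module WebAdministration

$roleCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'SMS Role SSL Certificate' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $roleCert) {
    throw "No 'SMS Role SSL Certificate' in the machine store yet; the site server has not pushed it (allow about 30 minutes)."
}
if ($roleCert.NotAfter -lt (Get-Date)) { throw "SMS Role SSL Certificate expired on $($roleCert.NotAfter)" }

$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) { throw 'Default Web Site has no HTTPS binding; eHTTP has not been applied here' }

# certificateHash on the binding is the thumbprint of the bound certificate.
if ($binding.certificateHash -ne $roleCert.Thumbprint) {
    throw "HTTPS binding uses $($binding.certificateHash), expected $($roleCert.Thumbprint) (SMS Role SSL Certificate)"
}

# Only a DP has the token-auth content endpoint; an MP-only server will warn here.
$tokenAuthPath = 'IIS:\Sites\Default Web Site\CCMTokenAuth_SMS_DP_SMSPKG$'
if (Test-Path $tokenAuthPath) { Write-Host 'Token-auth DP endpoint CCMTokenAuth_SMS_DP_SMSPKG$ is present' }
else { Write-Warning 'CCMTokenAuth_SMS_DP_SMSPKG$ not found (expected on a DP, not on an MP-only server)' }

Write-Host "OK: HTTPS binding uses SMS Role SSL Certificate $($roleCert.Thumbprint), issued by '$($roleCert.Issuer)'"
```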


Update Internal CNAME and External CNAME to align with the CMG DNS
Note: if you are using an internal CA, make sure to update both the internal CNAME and the external CNAME. In most cases, a wildcard certificate would be a better choice.
For the internal CNAME, ensure the following are entered:
Alias name = ServiceNameCMG
Fully Qualified Domain Name = ServiceNameCMG.<external CNAME domain>
Fully Qualified Domain Name (FQDN) = ServiceNameCMG.australiaeast.cloudapp.azure.com
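Before pointing clients at the CMG, it is worth confirming that both CNAMEs actually resolve to the Azure FQDN. This is an added example, not part of the original post; the zone names corp.example.com and example.com are assumptions, and the alias and Azure FQDN follow the pattern above.

```powershell
# Added example, not from the original post: verify that the internal and
# external CNAME records for the CMG resolve to the Azure service FQDN.
# Assumptions: the alias is 'ServiceNameCMG', the internal zone is
# corp.example.com, the public zone is example.com, and the Azure FQDN
# follows the australiaeast pattern used in the post.
$AzureFqdn = 'ServiceNameCMG.australiaeast.cloudapp.azure.com'
$Aliases   = @('ServiceNameCMG.corp.example.com', 'ServiceNameCMG.example.com')

$failed = $false
foreach ($alias in $Aliases) {
    try {
        # Ask only for the CNAME so we compare the alias target, not the final A record.
        $cname = Resolve-DnsName -Name $alias -Type CNAME -ErrorAction Stop |
                 Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    } catch {
        Write-Warning "$alias does not resolve: $($_.Exception.Message)"
        $failed = $true
        continue
    }
    $target = $cname.NameHost
    if ($target -and ($target.TrimEnd('.') -ieq $AzureFqdn)) {
        Write-Host "OK       $alias -> $target"
    } else {
        Write-Warning "MISMATCH $alias -> '$target' (expected $AzureFqdn)"
        $failed = $true
    }
}
if ($failed) { exit 1 }
```

Run it once from an internal client and once from a host that uses public DNS, since the internal and external zones are resolved by different servers.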

Update MECM Feature: Cloud Management Gateway with Azure VM Scale Set
Note: Azure VMs (classic) are being deprecated, read more here: https://docs.microsoft.com/en-us/azure/virtual-machines/classic-vm-deprecation
To ensure there are no issues with setting up CMG with an Azure VM scale set, navigate to MECM Console > Administration > expand Updates and Servicing > Features > turn on "Cloud Management Gateway with Azure VM scale set".

Create the CMG Service in Azure
1. Navigate to the MECM Console, select Administration then Overview then right click on Cloud Management Gateway then select Create Cloud Management Gateway.

2. Ensure that the account you sign in with has Subscription Owner rights. If the sign-in is successful, the Subscription ID, Azure AD App Name and Azure AD Tenant Name will populate.

Select Next.

On the Specify additional details for this cloud service page, click Browse next to Certificate file. Browse to the .pfx file and enter the password when prompted (the one set when exporting the certificate earlier in this post).
Service Name – will auto populate
Deployment name – will auto populate
Description – enter desired description
Region – select your region
Resource Group – select the resource group that was created earlier or use an existing one.
VM Instance – Each VM will support 6,000 clients. Increase the VM count depending on the number of clients. One CMG can support 16 VMs. If needed, increase the VM count from the SCCM console and not from the Azure portal.
Clients will use Azure AD for authentication when they are Hybrid Azure AD joined, so there is no need for a client certificate if CM is configured for eHTTP. When Hybrid Azure AD joined, the clients get a workplace joined (WPJ) certificate which is used to establish trust.
Check "Allow CMG to function as a cloud distribution point and serve content from Azure storage" to eliminate the need to deploy a cloud DP.

3. Configure the desired alerts, then click to confirm the summary and start the installation process.

4. In the console, the status will initially show Provisioning. After a successful installation, the status changes to Ready. Open CloudMgr.log on the site server to monitor the progress.

Create the CMG Connection Point
As "Allow CMG to function as a cloud distribution point and serve content from Azure storage to eliminate the need to deploy a cloud DP" was checked earlier when setting up the CMG, the cloud distribution point is provisioned automatically as part of the setup.

Update Boundaries and Boundary Groups
Update the boundaries and boundary groups so that their references associate with the cloud DP.

Enable CMG on MP, SUP and Client
1. Navigate to the console, open the MP properties and ensure "Allow Configuration Manager Cloud Management Gateway Traffic" is ticked. The same setting is required on the SUP.

Open the SUP properties and tick "Allow Configuration Manager Cloud Management Gateway Traffic".

Navigate to Client Settings, create a custom setting and open its properties. On the properties page select Cloud Services, then select Yes for "Enable clients to use a cloud management gateway".
