Create a Cloud Management Gateway (VMSS) with a Custom Domain in ConfigMgr

Captions
watched any of my other videos, you'll know this channel is all about learning. And I don't mean it's about you learning from me. No, I mean it's all about you watching me learn and get stuff wrong and fix it and moan about how it doesn't work. Hopefully you're okay with that. Anyway, the reason I mention it is because once again I set up the cloud management gateway wrong last time I tried. So, the CMG: well, if you want to know what it is, check out my other video after this one so you get the lowdown.

So what did I do wrong? Well, nothing, if you read the documentation back when I did that video. But as always, the documentation changes and it's updated, and now they warn against what I did. So I set up the CMG using the default service name rather than the name that you would use for a custom domain. For example, I should have used getmodern.co.uk, but I used cloudapp.net or eastus.azure.com or whatever it is. So as Jason Sandys and Paul Winstanley pointed out on Twitter, creating a certificate so that your computers trust a site that you don't own is generally a bad idea. It also means that I wasn't able to convert the CMG when it came to swapping from the classic to the VM scale set.

So in this video I want to show you how to create a VM scale set CMG the correct way, with a custom domain. There are two elements to this: I need to do stuff in the Config Manager portal, and I also need to create a CNAME in DNS. So we'll do the Config Manager portal first and then we'll jump over to the DNS. As you can see, I've got a few cloud management gateways already. For the purposes of this video, imagine they're not there. I'm going to create all of this stuff from scratch so that you can see how it works and see how it happens and why I do it.

There is one thing that I will not do again, though. I've already created a certificate template that I want to use for creating these certificates, so I'm not going to do that from scratch, but I will show you what it looks like right now so that you can copy it. So head over to my domain controller, which happens to be my certificate authority, and then we've got this CA here. Now I'm going to go into templates and I'm going to go into Manage and just show you the templates that I've got and what they look like so that you can create them. I just don't want to do it again.

So we have this template here called CMG Server Authentication Certificate, and it's a copy of... what is it a copy of? I'm not sure, I think it might have been the Web Server cert. So yeah, I've created this name here, it's valid for two years and the renewal period is six weeks. So it's Server 2003, and this is what the request handling looks like. This is cryptography. Not doing key attestation. These two are empty. Subject name is supply in the request, and we'll show you why later on. Issuance is just default, but in security we are allowing our Config Manager server to do Read and Enroll. That's important because I want to be able to enroll it from my Config Manager server.

So that's all you need to do. You create this certificate template by duplicating an existing template, and then you close the certificate templates console and right-click, New, Certificate Template to Issue, and issue the template that you want to issue, and it just appears in this certificate template list here. It's this one here, there it is. And that's all you need to do.

So then you go over to the server that you want to create that certificate on, and that would be my Config Manager server, which is this one here. From here you go into the cert snap-in here and then you would request that cert. Now obviously this computer isn't the one I want to be using the cert on, but it's the one that I'm using to generate that cert. So there it is, CMG Server Authentication Certificate, and it says more information is required to enroll this cert, because that's what we said: we said supply in request. So this is where we would choose the common name and potentially the DNS name for this certificate.

Now the issue is, I know it's going to be something like gmcmg003, but I don't know what the remainder of that name will be yet, because I haven't started creating that in the CMG snap-in. So let's take a look at how we do that. Let's assume, for example, it's going to be uksouth.cloudapp.azure.com. Yeah, but how do we find that out? I'm going to create a cloud management gateway and we're going to use the VM scale set because it's default. I'll just quickly sign in; this is my global admin. And the Next button is just hidden under there, and we'll just tab down to it and press Enter.

And you can see we've got this deployment name. So I want to change the region to, let's go with UK West, just so it looks a little bit different. So it's ukwest.cloudapp.azure.com. Now what I would normally do in my previous video is use this as the deployment name, because it's there by default, right? Well, that is always going to be the deployment name. I would use this as the service name, so I would use that up here in the service name. And you choose the service name by specifying the name in the certificate. So this is where I've always gone wrong in the past.

So I know that this subject name, the common name for this certificate and the service that's going to be using it, is actually gmcmg003.getmodern.co.uk, if I can type, and the DNS is going to be the same. And now at this stage I can create that without knowing anything about the server that I'm going to create this on, so that makes it a lot easier. So I'm going to do same request insert and enroll, and there it is, enrolling, and it succeeded.

So all we need to do now is find the 0003. There he is. So we'll right-click, All Tasks and Export, and we'll export the private key as well and give it a little password so we can import that later on. And I must export it to the C drive for this. Okay, so it's exported. Now all we need to do is just import it. So we're back into this cloud management gateway wizard. Browse for it and scroll down to 03 and open, and type in the password.

Okay, so you can see what it's done is it's chosen the service name based on that certificate that I used, and the deployment name is gmcmg0003.ukwest.cloudapp.azure.com, and so that is essentially what I need to know for the next step. But for now I'm going to make a note of that, so it's gmcmg003.ukwest.cloud.azure.com.

Okay, so we're going to keep this as UK West, I've just chosen it, and I'm going to use an existing resource group. No, you know what, I'll change the resource group because I'm doing this from scratch, so this is UK West CMG. I'm going to go with the lab version of this so I don't cost myself too much money for this demo. I'm going to turn off certification for this because I want it to actually work and I haven't set up certs yet. And then certificates: I need to choose the root cert for my domain so they trust it, because I'm not using an external third party, so it's not globally trusted. So I just need to export, import my root certificate.

I must also show you how I get that root certificate, actually at superior a common thing that you might need to do. You can see in the local computer certificate store there's a Trusted Root Certification Authorities store, and then here I can choose Certificates and there will be one that references my domain. So this is DC1, so this is my domain name and this is the computer name hosting this CA. So you would just right-click and export this by just using Next and then giving it a file name. We're not exporting the private key there, it's just the public key, so we don't need to choose a cert, a significant password. So anyway, you get to the point where you're able to import it just there without using a password. Nice and simple.

So at the bottom there we've got "Allow CMG to function as a cloud DP and serve content". You know, that's fairly, very useful, so we'll go with that. I'll just press Next. Thresholds are all about protecting the amount of data that you're sending, and so it's a cost management thing really. So it'll turn off if you've exceeded the amount of data, because it does cost for egress within Azure. I'll just choose Next and it'll go away and do this here. So what I want to do is just grab this name, and it's in UK West, so we'll just choose Next and get that creating for us. Looks like it's asking me to sign in again. All done, so we'll just choose Close.

Okay, so while that's provisioning, the next step is to create the CNAME in DNS, so that when my computers reach out to gmcmg03.getmodern.co.uk they know where to go, because getmodern.co.uk doesn't host anything related to this CMG. It's all on the Azure platform, so we need to just send them off there to get that data and to start that communication. So that's what we're going to do now. I'm going to head over to my domain provider and we'll take a look. In my case it's one on one, which is this, and you can see I'm just on the DNS page right now. So it's just a case of choosing Add Record, and we're going to choose the CNAME, and the host name is going to be gmcmg0003. That points to the equivalent in Azure, which is gmcmg0003.ukwest.cloudapp.azure.com. I'm going to give this a short time to live, but in production you want this to be a bit higher, 60 minutes perhaps. But I'm just testing, so we'll give it five and we'll click Save. It won't take long for that to happen, so we'll give that just a few minutes while the service provisions.

Back over to my Config Manager server, you can see this VM scale set in UK West is provisioning. So we'll give this a little while to provision and for the DNS to replicate and all that kind of stuff, and we'll come back to it in a few minutes' time.

All right, so I've given that about 25 to 30 minutes now, and it used to say provisioning, now it says ready. So we are good to go, or at least we almost were. So if we just take a look at this, we've got this CMG service name here, which is good. We've got the cloud service name, that's good. It's in the VM scale set. We've got the region. We're going to jump down to Connection Points, click on that, and you can see we've got no connection points. So every CMG requires a management point in order to do, you know, proxy between the site database and the CMG server itself. So we need to do that.

We go into Servers and Site System Roles, choose our management point. This is my internal management point here. Forget about all these additional CMGs that we've got; apart from the one I've just created, pretend they don't exist. So we've got this management point. This is the cloud management gateway connection point. I'm going to right-click on that and choose Properties, and I need to change this CMG because this is the old one. I want to change that to the new one, which is cmg03. You can see it's in the region UK West, and we will choose OK and give that a few minutes. We do need to kick that off in the cloud management gateway though, to change that up. So just out of the connection point there, as you can see, it says connected.

Well, you know, I was going to say we need to synchronize configuration and wait a few minutes, but just for the purposes of testing and being transparent, let's just choose Connection Analyzer. I'm going to sign in as Lucy Tester. And just to be clear, the reason I'm signing in as Lucy Tester rather than Dean here is because Dean is an on-prem account that is not synchronized to Azure. It's my domain admin. So the reason I'm signing in as Dean here rather than Lucy is because Dean is my admin account. I don't have Intune licenses on this. I've got global admin, it's got 2FA, it's not used for anything else other than admining stuff. And Lucy is a user, and obviously users are going to be the people that are going to be using this, not my admin account. So we want to test the user, because you need an Intune license, you need to be in the right OU and all that kind of stuff to get this working. So we're going to choose Lucy here as a test.

So, signed in successfully, that's good. We're going to choose Start and see all the green ticks appear one by one. Not quite gone as well as it could have. "Check connection status of CMG connection points", and it's saying that it might not be functional. Okay, yeah, let's close that, and I want to synchronize that configuration like I thought I would need to. So we're just going to choose Synchronize. It disconnects that and hopefully will reattach it for us in a few moments.

Okay, so it's switched to ready and you can see the connection point is connected. Let's just try that Connection Analyzer again. Sign in as Lucy Tester, just choose Start. Straight through, all the greens there, and then at the end, testing the CMG channel for management points, this one here that I've just added. Yep, that's it. That's pretty much all we needed.

Okay, so that is working now. We've tested it with the Connection Analyzer and I'm comfortable that that's working. Now hopefully this will be the last video that I create about the CMG, or at least about setting up the CMG with a VM scale set, because it's been three or four so far. Hopefully it's helped. I've tried to be really clear with this one, with how you do it. Give me some feedback, hit the like button. See you next time.
Info
Channel: CloudManagement.Community
Views: 1,108
Keywords: Cloud Management Gateway, CMG, Configuring CMG, Configuring Cloud Management Gateway, Configure CMG, Configure Cloud Management Gateway, ConfigMgr, Configuration Manager, Configuration Manager Cloud Management Gateway, ConfigMgr CMG, Could not connect, Config Mgr, MECM, MEMCM, SCCM, configuration manager, azure, cloud management gateway
Id: aodHACZH80E
Length: 15min 53sec (953 seconds)
Published: Thu Sep 30 2021