HH06 - Configure Cloud Management Gateway - ConfigMgr (SCCM/MECM) Lab Tutorial

Reddit Comments

Thank you very much, embarking on this journey shortly myself.

u/redvelvet92, May 21 2021 (2 points)
Captions
So here's the scenario: you've got your on-premise device management sorted. When your computer's in the office or on the VPN, Configuration Manager can look after its configuration and compliance. But what about computers that only live on the internet, or connect via a VPN, or even worse, connect via a VPN that isn't really that stable? The Cloud Management Gateway is an Azure service that lives on the internet. It allows your computers to connect directly to the internet-based server to receive configuration, updates and all that kind of stuff. It means that your computers don't need access to the on-premise network to receive their configuration, applications and updates.

In this first episode on the CMG we're going to look at configuring certificate templates and enrolling those certificates on our CMG servers. We also need each computer to have a certificate to allow communication, at least we do in this episode. In a future episode we're going to look at Enhanced HTTP, which will mean computers don't need a certificate; instead they can rely on the Azure identity of the user to secure that communication. For now let's jump into Active Directory Certificate Services and create that template.

So the first thing we need to do is create and issue the CMG server authentication certificate. We want to be able to specify exactly which server is going to be receiving this certificate, so we're going to go ahead and create a new group called Config Manager Servers, and in here we're going to add our server. So we have a security group called Config Manager Servers, and that contains our ConfigMgr server. The next step is to open the Certification Authority console, right-click on Certificate Templates and choose Manage. We need to create the template that the server can use to issue its own certificate from. I'm going to start with our Web Server certificate; we're going to duplicate this template and leave this stuff as default. Heading over to the General tab, we're going to call it the CMG Server Authentication Certificate, and then we're going to head over into Security, Add, and then add in our Config Manager Servers group that we just created and give that Enroll permissions. Heading back into that cert, in the Request Handling tab we need to check that Allow private key to be exported is ticked. We'll tick that and choose OK. So we'll close this Certificate Templates console down, right-click, New, Certificate Template to Issue, choose our CMG Server Authentication Certificate and choose OK. And so now we've made it possible for our Config Manager server to request that new CMG server certificate.

Now that we have our certificate template in place we need to generate a certificate that we can use on our CMG. Now remember, the CMG is a cloud service: it won't be a computer on our domain, it won't be a server that we can log into. We'll upload our certificate using the Config Manager console, but we still need to generate it somehow. One way to do that is to enroll our certificate on the Config Manager server and then export the certificate with the private key and import that onto our CMG server. Heading over to our Config Manager computer, we will go to Start and launch the Certificates snap-in for Local Computer. We want to choose Personal, right-click, All Tasks and Request New Certificate. We choose Next, Next, and you can see the first one is the CMG Server Authentication Certificate. It's available, but we need more information to enroll this cert, so we'll click on this and we need to give it a full distinguished name or something else in order to enroll. So in this field we need to choose the globally unique name that we've chosen for our CMG. In my case I'm going to go ahead and choose Common name, and then the globally unique name is gmcmg, and we add cloudapp.net to the end of that. Go ahead and choose Add, then we tick the box to request this certificate and choose Enroll. OK, so we've enrolled this certificate so that our Config Manager server identifies itself as gmcmg.cloudapp.net.

In order for us to be able to use that certificate we need to export it, so I'm going to go ahead into Personal, Certificates and find gmcmg.cloudapp.net, right-click, All Tasks, Export. Choose Next, and we want to export the private key, so choose Next and then Next again. We need to give it a password and choose Next. I want to put it somewhere really simple for me to find, so I'm going to put it on the C drive and grab it from there.

With the service certificate exported and ready to go, we're on to the next step. We need each client computer to have a certificate to enable secure communication with the CMG. In a moment we're going to create a template for the client authentication certificate that we'll use to allow automatic enrollment for our Windows clients. Over in our Group Policy Management console we need to create a GPO in this domain and link it here. We're going to call the GPO Client Authentication Certificate Auto Enrollment and choose OK. We'll just expand this tree and find our Client Authentication Certificate Auto Enrollment, and choose Edit. We're going into Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies. We're going to right-click on Certificate Services Client - Auto-Enrollment and choose Enabled. We want to renew expired certificates and we want to update certificates that use templates, and we're going to choose OK and close this down.

So, just heading into one of our clients, I'm going to go to an admin PowerShell prompt and open certlm.msc, and we're going to do a gpupdate /force. From here we're just going to check if our certificate has enrolled, and it looks like it has. Going into the Details tab on this cert, you can see that it was issued today, about 10 minutes ago, and the template name is the Config Manager Client Authentication.

So next, the CMG must trust the authentication certificates that clients present. We need to give the CMG what's called a client trusted root certificate so that it can verify these machines. The next thing we need to do is to find the trusted root certificate. So we go into Certification Path, choose the trusted root and double-click the certificate. In this window we choose Details and then Copy to File. Here we choose Next; we want to use the DER encoded binary, choose Next, give it a file name, OK.

So we're almost there. Next we're going to set up the Azure services in Config Manager and then set up the Cloud Management Gateway with a cloud distribution point. So heading back into the Config Manager console, into Administration, we need to right-click on Azure Services and choose Configure Azure Services. We're going to call this service the CMG and choose Next. We're going to use the Azure public cloud and we need to create a new web app. We're going to choose Create and then call it CMG, and then call this the CMG Config Manager Service. We'll choose a secret key that never expires and we'll sign in. We've signed in successfully, so we just need to press OK and then OK. Let's create a native client application, so we'll choose Browse, we'll click Create and give it an application name. I'm going to call it CMG Client and then sign in, choose OK and then OK. I'm going to choose Next, go and choose Enable, and Enable for the two settings, choose Next and then Next again.

In the Administration console we're going to go to Cloud Services, Cloud Management Gateway, and Create Cloud Management Gateway. We'll use the Azure public cloud and then sign in. We're signing into the subscription that we're going to use for the billing of this Cloud Management Gateway. It's pre-filled our app names too. We choose Next. Here we need to use the CMG certificate file that we exported from our server earlier on, so choose Browse, and for me I put it on the C drive, so I'll grab my get modern cmg and type the password. I'm going to change the region to Central US, and then I want to change my resource group and create a new one: Create New, call it CMG. In the next field we get to specify exactly how many virtual machines we will be creating here. The default is one. I think I'll only need one, as I've only got a few clients here, so I'm going to go ahead and choose one. And then we'll just go into the Certificates tab here, and this is where we need to specify the trusted root certificates that we exported earlier. Browse for my trusted root, choose OK. I don't have certificate revocation configured in this environment, so I'm going to untick that, but I do want my CMG to function as a cloud distribution point and serve content from Azure storage. I'll choose Next. I'm going to keep this 14-day threshold on for outbound data transfer, and I'd like to stop the service when the critical threshold is exceeded. In my environment, if I serve more than 100 gigabytes I'm going to be worried, because I've only got a few clients, so I'm going to leave that as 100, but in live environments it could be much higher. Similarly with the storage threshold I'm going to keep that at about 200, and then choose Next. So that's the process complete for creating the Cloud Management Gateway.

OK, so we're making progress. Next we need to create a boundary group and distribution point group that will help us manage our infrastructure. As you can see, our CMG is provisioning at the moment. I'm going to add it into a boundary group for now. Into Hierarchy Configuration and then Boundary Groups, right-click on the Corporate boundary group and choose Properties. In the References tab we're going to add our site system server here. I'm going to add in this CMG server that we've just created and choose OK and then OK.

At this stage we have the choice of either enabling Enhanced HTTP, so that computers don't need to rely on computer certs, or enabling enforcement of HTTPS across our site. For now we're going to enforce HTTPS, and then later on we'll use Enhanced HTTP. Now we're going to set our Config Manager site to be HTTPS only, so browsing down to the site node, right-click on the site, choose Properties, and in the Communication Security tab choose HTTPS only. And for me I'm going to turn off this CRL checking because I don't have that in place. Next we'll set our trusted root certification authority, and we'll use that trusted root that we picked up earlier on from that client. We just choose OK.

We also need to create a web server certificate for our Config Manager server. So in Certificate Templates on the domain controller I'm going to right-click and choose Manage, find the Web Server cert, right-click and Duplicate. Leave this as default, change the name to Config Manager Web Server, and change the security to allow Config Manager Servers to enroll. I'm just checking the Subject Name tab: we've got Supply in the request set, because the Web Server cert defaults to that. Choose OK and then we'll issue that template. Heading over to our Config Manager server, we can request that certificate by opening up the Certificates snap-in for Computer, and we'll right-click on Personal, All Tasks, Request New. We'll choose Next, Next, and the certificate I want is just the bottom one there, Config Manager Web Server, more information required. That's good, so we'll choose Common name and CM1, and its alternative name is cm1.cool.contoso.com. Give it a friendly name so I can find it, choose Enroll. OK, now that's done, we'll open up IIS and find the Default Web Site, right-click and Edit Bindings, find the https binding, choose Edit, and then change whatever's set to our Config Manager web server certificate and choose OK, and then Close, and restart IIS.

OK, now that's done, we need to create the Config Manager CMG connection point. So to add the CMG connection point, go to Servers and Site System Roles, find our primary site server here, expand that. I'm going to right-click and Add Site System Roles. I'll accept the defaults, and on the Site System Role page I want to choose Cloud management gateway connection point. This is my Cloud Management Gateway; through to the summary and complete that. So we'll just close this down and then head over to the Cloud Services section, Cloud Management Gateway. You can see our CMG is ready, and we'll go to our Connection Points, and this connection point server hasn't quite finished setting itself up yet. Give that a few more minutes and we'll take a look. In the meantime we're going to go into our management point and check that we have it set up to accept Cloud Management Gateway traffic. So I'll right-click the management point and choose Properties, and then we have an option here of Allow Configuration Manager cloud management gateway traffic, so let's choose Allow on this, and you can see that instantly changes to Allow intranet and internet connections. And we'll do the same on our software update point: right-click, Properties, and then we'll choose Allow Configuration Manager cloud management gateway traffic, and you can see it changes down at the bottom there to Allow intranet and internet client connections, so choose OK.

Just going to quickly head back into our Cloud Management Gateway node here and choose the CMG and then Connection Points, and hopefully our connection point server is now connected, which is great. And finally we need to go into our client settings and enable clients to use the CMG and the cloud distribution point. OK, over into Client Settings. For me, I want to modify the Default Client Settings, and in the Cloud Services section I have this set to Yes; I'm going to set this to Yes as well, and then choose OK.

OK, the moment of truth. Now we get to test whether this has all worked. So we're going to force a client to be always on the internet. I'm going to connect it to the internet rather than my lab, and then we're going to deploy an application to it and see what happens. So to verify whether this has worked we're going to just check a few things on our client. Firstly, let's take a look at the Configuration Manager properties. You can see it's currently assigned a management point of cm1.cool.contoso.com and it's using the PKI client certificate. I prepared an application that I can use. This VLC application is currently not installed; it's available to install, and if I choose to go into the CCM cache you can see I've got no cache of this application at all. So when it does download and install, then it'll be coming from the distribution point. Just heading over to our Config Manager server, here's the app I'm referring to. I'm going to just check where the content for this application is: go into Properties on the app and then choose Content Locations, and you can see it's up in the cloud distribution point at the moment, so it's not available on my on-premise distribution point, so hopefully it will be able to download it from there.

OK, so for this test to work I need to make sure I can switch from the internal management point to the external management point. I'm just going to change my network adapter from the internal network adapter to my home Wi-Fi. I'm just going to head over into the Control Panel and grab the Configuration Manager applet. OK, so we can see it says Connection type: Currently Internet. The management point is this cm1.cool.contoso.com, and if we check in the Network tab we see it's got this internet-based management point here. OK, well, let's see what happens when I try and download this app. So it says downloading, zero percent complete. Just looking into this cache directory, it has created some work folders here for the download, created that temp file, and this download is going up. Let's see if it manages to install it. It seems to have downloaded, which is probably the test, so that's probably good enough, but let's just see it install. VLC is quite quick to install, so I hope it would be finished fairly soon. There we go, now VLC is installed, which is great news. OK, wait for this to catch up and do the detection method and just make sure that's all there, so we can uninstall it and do a re-test later on. OK, that's moved over to Installed, and that content genuinely did come from the CMG; it isn't available on my LAN, so that's really good news.

So we've done it. We've deployed applications to clients on the internet using the Cloud Management Gateway to send policy and the cloud distribution point to host content. I've really enjoyed working through this with you, and I hope you've enjoyed it too. In our next episode we're going to look at some of the logs that are generated when using the Cloud Management Gateway, both server and client side, and also we're going to look at the Azure side: what are the cost implications of using the Cloud Management Gateway for an update, for a large application, that kind of thing. For now, thank you for watching. If you've liked this, please like and subscribe, and I'll see you next time.
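The certificate steps in the episode (enrolling the CMG server authentication certificate, exporting it with its private key, exporting the trusted root as DER, and confirming that the client authentication certificate auto-enrolled) are all done by hand in the video. The following PowerShell is an added verification script, not code from the video or from the CloudManagement.Community channel. It assumes the CMG service name gmcmg.cloudapp.net used in the video, a client template display name of 'ConfigMgr Client Authentication' (the video refers to it as "Config Manager Client Authentication"; change it to match your template), and C:\ as the output folder. It must be run from an elevated PowerShell session because it reads the Local Computer certificate store.

```powershell
# Added example, not from the video. Assumed values: the CMG service name gmcmg.cloudapp.net
# (as used in the video), the client template display name 'ConfigMgr Client Authentication'
# (adjust to your template's display name), and C:\ as the output folder. Run elevated.

$CmgServiceName     = 'gmcmg.cloudapp.net'
$ClientTemplateName = 'ConfigMgr Client Authentication'
$OutputFolder       = 'C:\'

# --- On the ConfigMgr site server --------------------------------------------------------

# Find the CMG server authentication certificate in Local Computer > Personal. The subject
# must be exactly the CMG's globally unique name and a private key must be present.
$cmgCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CmgServiceName" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cmgCert) {
    Write-Warning "No certificate with subject CN=$CmgServiceName and a private key was found."
} else {
    # The CMG presents this cert to clients, so it needs the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $ekus = @($cmgCert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') {
        Write-Warning 'Certificate does not carry the Server Authentication EKU.'
    }

    # Export the PFX. This fails if "Allow private key to be exported" was not ticked on the
    # template, which is the check the video performs by hand in the Request Handling tab.
    $pfxPassword = Read-Host -Prompt 'Password to protect the exported PFX' -AsSecureString
    $pfxPath = Join-Path -Path $OutputFolder -ChildPath 'cmg-server-auth.pfx'
    Export-PfxCertificate -Cert $cmgCert -FilePath $pfxPath -Password $pfxPassword | Out-Null
    Write-Host "CMG server certificate exported to $pfxPath"

    # Walk the chain to the issuing CA's root and save it DER-encoded (.cer, -Type CERT).
    # This is the "client trusted root" uploaded on the CMG's Certificates tab.
    # Revocation checking is disabled because, as the video says, the lab has no CRL in place.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cmgCert)
    $rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootPath = Join-Path -Path $OutputFolder -ChildPath 'trusted-root.cer'
    Export-Certificate -Cert $rootCert -FilePath $rootPath -Type CERT | Out-Null
    Write-Host "Trusted root ($($rootCert.Subject)) exported DER-encoded to $rootPath"
}

# --- On a domain-joined client, after gpupdate /force ------------------------------------

# Auto-enrolled certificates record their template in the Certificate Template Information
# extension (OID 1.3.6.1.4.1.311.21.7); its formatted text begins "Template=<display name>".
$clientCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $ext -and ($ext.Format($false) -like "Template=$ClientTemplateName*")
} | Sort-Object -Property NotBefore -Descending | Select-Object -First 1

if ($clientCert) {
    # The management point expects a Client Authentication EKU (1.3.6.1.5.5.7.3.2) on this cert.
    $clientEkus = @($clientCert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $status = if ($clientEkus -contains '1.3.6.1.5.5.7.3.2') { 'OK' } else { 'missing Client Authentication EKU' }
    Write-Host ("Client certificate {0} issued {1} by {2}: {3}" -f `
        $clientCert.Thumbprint, $clientCert.NotBefore, $clientCert.Issuer, $status)
} else {
    Write-Warning "No certificate from template '$ClientTemplateName' found; re-run gpupdate /force and check the CA's Issued Certificates."
}
```

The two halves run on different machines: the first block on the site server where the CMG certificate was enrolled, the second on a client after the auto-enrollment GPO has applied. Export-PfxCertificate refusing to export is the quickest way to catch a template that was duplicated without the exportable-private-key setting, and the DER export of the chain root avoids copying the wrong certificate out of the Certification Path dialog.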
Info
Channel: CloudManagement.Community
Views: 2,197
Keywords: Configuration Manager, MEM, MECM, MEMCM, Training, Hybrid, Intune, Lab, Intune lab, sccm, system center configuration manager, osd, MSIntune, Endpoint Manager, Endpoint, beginer, handbook, starting, learning, train, endpoint, config mgr, system center, microsoft intune, hybrid, on-premise, lab, hyper-v, microsoft intune tutorial, sccm training, sccm tutorial, mecm training, mecm tutorial, memcm training, cloud management gateway, cloud gateway, cloud distribution point, dp, distribution point
Id: 9uvF0c_7Jy8
Length: 18min 53sec (1133 seconds)
Published: Thu May 20 2021