How To Setup Cloud Management Gateway (CMG) in Microsoft SCCM to Manage Internet Clients

Captions
Hi, my name is Justin Chalfant and I'm the engineering lead at Patch My PC. We develop a third-party patch management solution that integrates into Configuration Manager. Prior to my current role, I was also a Premier Field Engineer at Microsoft supporting Config Manager. In this video I'm going to show you how you can install the cloud management gateway within SCCM 1806. Now, I'm also working with Niall Brady over at windows-noob.com and he's going to be doing a blog version, so be sure to check out that link in the video description below. So with that said, let's go ahead and jump right into the content.

So the first thing I want to talk about within cloud management gateway is to give you a little overview of how it differs from internet-based client management. So if you've been following my guide, you might have noticed that I did an internet-based client management video a couple months ago. The key difference here between CMG and IBCM is mainly going to be, I would say, the complexity. So with cloud management gateway, I've done plenty of internet-based client management setups when I was a PFE, and I have to say I'm quite impressed with the simplicity of setting up the cloud management gateway. So the key differences are: with internet-based client management you would have to set up a site system that's gonna host your MP, DP and SUP roles to host your internet clients that they need to talk to. This would generally involve placing that site system in a DMZ, and that would often cause issues with ports being open from that site system to your internal site database as well as your site server. It could always be complex trying to get that set up. So although IBCM is free in the fact that you don't have any subscription cost, the complexity involved of getting the ports open and the appropriate connections for firewalls and things like that could always be quite complex. Cloud management gateway takes quite a bit of that complexity out of the picture because the server
that's going to be initiating the connections for your internet clients is going to be in Microsoft Azure. So it's actually a connection initiated from the cloud management connection point out to that CMG server in Microsoft Azure, and it's done over 443. So it's an outbound connection and then it initiates that channel, so you don't have to worry about things like opening up ports to your DMZ and the complexity involved there. So that's kind of the key difference between the two. Obviously it is a subscription cost, so you will pay for content. It's relatively cheap. I'll be sure to include a link to the calculator that you can use to help estimate what kind of cost you might incur with content going out to CMG.

So coming into some of the prerequisites of cloud management gateway: it's quite similar with regards to certificates as the IBCM video that we did. So you are gonna need a server certificate or a web certificate that's going to be used on the cloud management gateway to initiate the HTTP traffic for your clients. So that's the first thing: just like you need a web server cert for your IBCM MP, DP and SUP, for CMG you also need to have a web server certificate that's used to authenticate and secure that traffic from your internet clients. The next certificate that we need is the client certificate. So if you have clients that are domain joined and you want to be able to manage them on the internet when they go out and don't have access to your network, they do need to have a client authentication certificate. Now, I already did a video, and I'll include a link in the top right of the video at this point where you can go and watch my video about configuring PKI within Active Directory and how we can switch our site over to HTTPS. So if you don't have your clients with certificates and your servers with certificates, you're probably gonna want to start off with that PKI video that I mentioned here. Now, if your clients are Azure AD joined, they would not need
a client authentication certificate. It would be able to use that connection and trust from Azure AD to communicate with the cloud management gateway. So I think that's good to kind of cover some of the things that we need to have in place.

So we're gonna go ahead and jump over to our domain controller and we're gonna open up our certificate authority. So if you haven't watched that video, be sure to check out the PKI video that's going to cover some of the things that we've been doing here. So the first thing that I'm going to do: if you remember, we created a web server certificate that was going to be used for our MP, DP and SUP when we configured our site to use HTTPS. Now what we need to do is duplicate that template, so we're gonna go ahead and rename this to be Config Manager IIS certificate - CMG. Everything else is going to be the same as the template that we created in our previous video. The only difference is we're gonna allow the private key to be exported. The reason for that is when we configure our CMG server, we need to give it the web server certificate with the private key, and that's going to be uploaded to our CMG server in Azure, and that's gonna be what binds to IIS. If we verify the security in the enrollment, we can see that my Config Manager IIS group that we created in our PKI video, we can see that they do have the rights to enroll this certificate like we created in the original video. So that looks good. What we're gonna do now is right-click our templates and go ahead and issue that template so that it's being deployed to our environment.

Now if you wanted to, it's actually recommended, you could use a third-party certificate authority to create your web server certificate as well. So if you wanted, you could use something like a DigiCert or really any third-party CA to issue your web server certificate, but in my video I wanted to show you the template, how you would create that if you did want to use your internal CA for the web server certificate for CMG. So
jumping over to our Config Manager environment, we do have our site set up so that the clients can use HTTPS. So this is just coming over from our HTTPS video. So under our client computer communication we have it set to HTTPS, and we also have it set so clients can use PKI certificates, and I do have the certificate revocation list enabled for clients to check the certificate, the revocation, on our site systems, so like your MPs, DPs and SUPs, so that they could check that CRL to verify that it's not revoked. So that's how we're kind of set up in our lab.

So if you were going to use an internal certificate authority, what we're gonna do here is go and request a new certificate. So I'm gonna go ahead and do a request. We're gonna walk through our wizard and we should see that new certificate that is targeting us. So here we go, here's our SCCM, actually we want the CMG version here. So what we're gonna do now is go ahead and enter in our DNS name. So this is gonna be the public DNS name that you want to use with CMG, so you do need to have a publicly verifiable domain name that you're gonna use. So in my case it's setupconfigmgr.com; that's gonna be what I initiate my instance with. So in order to do this I'm actually going to use a wildcard, so we could potentially make our CMG server any subdomain that we want when we actually set that up. Now, if you knew what subdomain you wanted to create, you could certainly enter that here if you didn't want to make it a wildcard. So it looks good. For the friendly name we're gonna go ahead and call this CMG server certificate, and then OK, and then enroll.

All right, so if we do a refresh here, we can see here's the certificate that we just requested, so that looks good. It looks like I might have a few old ones here; let me just get rid of some of those. OK, so here's the cert that we just requested. What we want to do now is export that, and we need to export it with the private key, because when we set up our server we need to make
sure that we can give it the private key so it can actually make use of this certificate. We'll leave all the defaults here. I'm going to give it a password, OK, do next here, and I'm gonna save it to a folder on my desktop and I'm just gonna call it Contoso Config Manager - HTTP certificate. Then we'll go ahead and do finish and then OK.

Now the next thing that you would want to do is make sure that you have your root certificate authority exported. So for example, we can see internally I'm issuing my client certificates and any other certificate from my certificate authority. Now what you would want to do here is just go ahead and export that so we can import that into CMG so it trusts it. So you can just go through the default wizard here. We're gonna go ahead and export that to the same folder on the desktop and then finish. OK, that looks good.

All right, so if we go over to our client settings, the next thing that we want to verify is that we enable the setting for our clients to talk to cloud distribution points. So under your client settings there's going to be a cloud services option here, and then there's going to be a setting to allow access to cloud distribution point. You want to make sure you set that to yes, otherwise clients will be unable to download content from your cloud DP, so they won't be able to actually download things from the internet. So make sure that's yes, and we'll do OK on that.

All right, at this point I think we're good to go ahead and configure our Azure subscription within the console. So under our cloud services we want to go to Azure services and we want to configure a subscription. So I'm just gonna give it a friendly name; I'm gonna call it Config Manager - Azure subscription. OK, we want to make sure that it's cloud management, so that's what we need for CMG. We're gonna do next here. Now we need to create what's called a web app and a client app. So these are gonna be APIs that get created within Azure that are going to have all the authentication
that we need for our on-prem component to talk to that service in Azure. So we're gonna go ahead and choose create, and we're just gonna give this a name called Config Manager - server app. I'm going to set the secret key to be valid for two years, and then I'm gonna sign in with a global admin account. But one thing that you notice here, we're gonna get some certificate errors. So if IE is enabled with Enhanced Security, what we need to do is go add the trusted sites, and we need to add Microsoft, or login.microsoftonline.com. I'm gonna go ahead and copy and paste that, and then we need to add microsoftonline-p.com. OK, looks good. We do close and then OK, close IE, and if we come back in here and click sign in, now we can see that it looks good. So I'm gonna sign in with a global admin account for my Azure subscription. OK, there we go.

All right, OK, so now we're going to choose that server app that we just made and click OK. We're gonna basically repeat this process for our client app API, so I'm gonna choose create, we'll call it Config Manager - client app, I'm gonna go ahead and sign in and then OK, and then we'll go ahead and select that and then choose OK. So we do next here. Optionally, if you want to allow your Config Manager site to discover cloud identities, you can do that here. That's fine, I'll just leave that default and then choose next here.

All right, so while that's configuring, if we jump over to Azure and if we go to our dashboard, under the app registrations (now if you don't see this, you might have to go into all services, and then you can come in here and search app registrations, and then I went ahead and added it to my favorites over here), so if you open up that and click view all applications, you should see those two applications that we just created. So we're going to go ahead and click the client app. We want to click on the Settings tab here, we want to go to the permissions, required permissions, and then we need to grant it permission so it can communicate with our site. So
that looks successful. We're going to close that, close that, close that, and then we need to repeat that process for our server app. So we're gonna go to settings, permissions, grant permissions, and then yes. So that's going to make sure that we have the appropriate permissions to do our discoveries and talk to these applications in Azure. So that looks good.

So if we come back over and we go to our cloud management gateway, we're going to go ahead and right-click and choose to create. So there's a new feature that came out in 1802, also of course it's available in 1806, which is what we're running. It makes it quite a bit easier because you don't have to upload a management subscription or management cert; you can just use this Azure Resource Manager. So in order to do that, all we have to really do is just sign in to our account and it can configure all it needs to set up the cloud management gateway instance within Azure. I'm gonna go ahead and log in.

Now one thing to note is that I was having an issue where my subscription ID would not populate here. It would bring in the Azure app but it wouldn't bring in the subscription, and in my case I actually want to choose this second subscription, which is what's active. But the reason why the subscription ID might show blank is because even though your account is a global admin, what you have to do is make sure that within these subscriptions in Azure the account also has access to the subscription. So in order to do that, if you click on your subscriptions and then go to account control over here, you just need to make sure that your account is a co-administrator and an owner. So I just added my account in here by clicking add, and I made sure that it was a co-admin as well as an owner. Once you make that change, if you come back in here and run this again, you should have your subscription auto-populate. Right, so we'll do next here, and now this is where we actually configure our cloud management gateway settings. So the first thing that
I'm going to do is I want my instance to be set up in West US in Azure. The next thing that we can do here is choose whether we want to use an existing resource group within your Azure subscription, or what we can do is create a new resource group. In my case I'm going to create a new one and I'm just going to call it CMG setup config manager for the name. OK, now we do need to add some certificates, so this is where we would add the server or web server certificate for our instance of CMG. So in my case, here's our certificate that we issued from our internal PKI, but what I'm actually gonna do is, I have a DigiCert certificate that is also a wildcard for setupconfigmgr.com, so I'm actually going to choose that public one. That way my clients can perform a certificate revocation check that we saw in the properties of our site. If you use an internal one, you will need to make sure that your CRL is using an HTTP path that is accessible from the internet, so just keep that in mind.

All right, so since this is a wildcard certificate, we need to essentially tell CMG what we want our subdomain to be. So we need to go ahead and delete that wildcard, and in my case I'm gonna go ahead and call it the same thing as my resource name, so CMG setup config manager dot setupconfigmgr.com is essentially going to be the public DNS name that we're gonna redirect to our Azure domain. So that looks good. Now if we go over and just click out of that, it should pre-fill in our service name as well.

Now what we also need to do is specify, if you're using an internal PKI for your clients instead of Azure AD for joining, we need to tell CMG what certificates we need to trust. So when we exported that root certificate from our root CA internally, this is where we can put that certificate within CMG. Now, if you have intermediate issuing CAs, you could also add those here and define that they're a sub CA of your root. So you just want to make sure you add any certificate authorities that are issuing your
client certificates within your environment.

All right, so now that we have that public DNS name that we actually want to use, we need to make sure that that's actually resolvable. So what I'm using for my setupconfigmgr.com domain is, I'm actually using Cloudflare for DNS. So in order to make sure that this works correctly, what we're gonna do is create a CNAME. So we're gonna go add a new record. This should be pretty similar if you're using other DNS providers like GoDaddy or really whoever you're hosting your domain DNS with; it should be a similar process. So what we want to do is create a new CNAME, and we can see that we are, what we want to do is copy that subdomain and we want to make that our CNAME. So we're gonna basically be pointing CMG setup config manager dot setupconfigmgr.com to CMG setup config manager dot cloudapp.net. We don't want to add any type of proxy or CDN that Cloudflare offers, and we want to go ahead and add that record. So that looks good. So we've got that redirecting, so we have that set and ready to go.

Now one thing to note is that this name here, the service name, it does have to be unique. So if you chose something generic and you get a little exclamation here, you're going to have to go ahead and rename it to something more generic that somebody else isn't using, because you can see you get your own subdomain on the cloudapp.net that resources are going to be essentially talking to. So it looks good. We'll leave the defaults for the alerts, I'm not too worried about that, and then we'll go ahead and choose next here, and what that's going to do, that's going to start initiating our instance in Azure and get our CMG server set up and going.

Now if we want to monitor the process of this, if we go to our site server logs, we're gonna have a new log file here called CloudMgr. So this can take maybe 10 to 15 minutes, I would say, on average from what I've been running. So I'll just kind of monitor this log and we'll come back once it's complete and
it's provisioned.

All right, so it looks like the setup was complete. So if you go back to your console and go ahead and refresh the cloud management gateway, you should see something like the status is ready and provisioning has been completed. Now once this is set up, in 1806 we do want to change a few options that are new to 1806. So if we go to properties of our CMG, then under settings there's this new option here to allow the CMG to also function as a cloud distribution point. So we want to make sure we go ahead and enable this option. This is actually quite convenient because you don't have to go in and create an additional resource group in Azure and create an additional cloud distribution point; you can just use your CMG and have it also host your cloud content as well. So this was an improvement in 1806. If you're using 1802 or before, you would actually have to set up a cloud distribution point in order to stage content.

Now one setting that I am going to also disable is verify client certificate revocation. So within my Active Directory certificate services in a way on my client that they can be publicly verified using an HTTP CRL. So if you remember, in our site we did enable the clients to check the CRL of our site systems. So since our CMG server's using a DigiCert certificate, the client shouldn't have any issue with that CRL that we have enabled in our site. And just to kind of show you what that looks like, if we look at our DigiCert certificate that I use for my web server and CMG certificate, if we look at the certificate details and look at the certificate CRL distribution point, what you can see is that it's a public path and it will have no access for the clients on the internet to gain access to that. So if you are using an internal PKI, in order to enable the CRL checking of client certificates, if we come back to our cloud distribution point, you would need to verify that the client certificates that you're issuing have a public CRL HTTP path that
the CMG server out in Azure would be able to verify. In my case, in my lab, that's not set up, so I want to make sure that I uncheck that, otherwise when clients try to talk to your CMG the client would get a transient error and IIS would deny the traffic because it wouldn't be able to check if that certificate's been revoked for that client. Now obviously this can be a bit more complex because it really kind of goes outside the scope of Config Manager and is more on PKI, which would most likely be handled by a different team, but I will include a link to my PKI video as well as Niall Brady's PKI setup as well. I know that he does cover doing things like setting up an HTTP certificate revocation list in case you did want to make sure your client certificates could have their CRL checked by that CMG server in Azure.

So I think that looks good, so we'll go ahead and wait a couple minutes. It should auto-detect that you changed the setting and then you should see that it's going to go ahead and update the CMG configuration. All right, so it looks like the configuration is now synced, so our CMG server should have those new settings where we enabled it to, actually it looks like I might have unchecked that, let me go ahead and check that again and we'll wait for that to complete. OK, so that update is complete.

One thing I do want to show you, though, is that what I did is I increased the resolution, that's why you might see that things are being a little bit cut off right now, but I knew the wizard looked a little bit different. It looks like since I was recording with low resolution it actually cut off a few of the options that would otherwise be available during the initial setup. So those options for allow the CMG to be a cloud DP and verify CRLs, they're actually generally going to be available directly in the setup when you go to set up CMG. It looks like in the current technical preview, this is 1806.2, it doesn't look like it scales or adds a scrollbar here, so just keep
that in mind. Generally you could configure this when you set up CMG, but in my case it looks like the resolution was a bit too low for my console and it didn't display those options during that initial setup. All right, so that looks good. I've just scaled back to what we were at before. Now, I am pretty certain that I am using a resolution that's actually high enough to be supported, so it wouldn't surprise me if that just might be an issue in the technical preview, because I did want to make sure that I show you this new option where you can make CMG also be your cloud DP, so that's why I'm running the 1806.2, but it's currently July 17th so 1806 will probably go live any time now.

So now that we have our cloud management gateway set up in Azure, the next thing that we want to make sure we set up is our connection point. So if we go to our servers and site system roles, in my lab it's quite simple, I'm basically running all my site system roles on my site server. So we're going to go ahead and add the connection point here. So if we go ahead and walk through our wizard, we're gonna install the cloud management gateway connection point. So that's gonna be what proxies the traffic, if you will, from your CMG server in Azure to things like your MP and your software update point, so clients can kind of come through that channel to do things like scanning and getting policy. So it looks good. We can see that it automatically detected the CMG instance that we set up here. We're going to go ahead and next, and then next here. All right, so that looks good, close out of that.

Now what we need to do is set what management points and software update points you want to allow to be used within CMG, so what MPs and DPs is our CMG in Azure going to use when it's proxying that internet traffic from our clients into our on-prem site for getting policy and doing software update scans. So I'm gonna go ahead and do properties of my management point. Now one thing that you notice: in order for the
management point to be used with a cloud management gateway, it does have to be in HTTPS mode. So in my case it's already set to HTTPS. So like I've already mentioned, if you don't have that set up, I've got a whole guide and I'll be sure to include the link in the description as well as a little note within the video here that you can go check that out. So as long as your MP is set to HTTPS, we have this new option that says allow Config Manager cloud management gateway traffic. So that looks good, we'll do OK on that.

Now same thing with your software update point: we want to make sure we enable it. Now for the software update point, it can work over HTTP, so we could just be running our software update point on 8530 or port 80. It doesn't necessarily have to be configured to require SSL; we can still enable that traffic for the cloud management gateway even if your software update point is running in HTTP mode. So we do OK on that and we'll go ahead and just wait a few minutes to make sure all that policy kicks in.

All right, so what we're gonna do is go ahead and distribute an application. So we have a 7-Zip application. We're going to go ahead and right-click and choose to distribute content. We're going to go ahead and choose next here, and we're gonna go ahead and add that cloud distribution point that was configured for CMG for us. So we're gonna go ahead and add that, choose next here, and get that distributed, because that can take a couple minutes.

Now what I'm also gonna show you is third-party updates. So what I've got here is I've got a software deployment package that's hosting all my third-party update content. Now one thing to note is that since third-party updates are going to be unique per your environment, so they're gonna be using your code signing certificate, if you had those and if you are publishing updates, for example from our Patch My PC catalog, you would need to make sure that you also distribute that type of content to your cloud DP because it wouldn't be
available from Microsoft Update. So if I go and look at this update package, we can see that I've got all my third-party updates but I don't have any Microsoft updates. Now for example, for my Microsoft update packages, you would not have to distribute these because your clients that are out on the internet can actually use Windows Update to get the binaries for updates that you deploy through Config Manager. So I probably wouldn't ever worry about distributing your deployment packages for Microsoft updates because it would just be consuming data and content that you don't need, because those clients can just go out to the internet since they're already out there. So what we'll do, we'll just kind of wait for that content to distribute, and then once that's done we'll jump over to our client and I'll kind of show you the process of how the client would switch over to the internet and how we can verify that it's talking.

But actually, before we jump over to a client, what I'm going to do is go back into Microsoft Azure, refresh my portal, and we can see that we have this new resource for our subscription that we created. So I'm going to go ahead and go into this cloud service, and what I'm going to do is enable remote desktop. So because I generally like to go a bit more in detail of what's happening on the back end, we're gonna go ahead and enable RDP and we're gonna remote desktop into our CMG server out in Azure. So we're gonna just go ahead and give it a password here, and I'm gonna choose one of the default certificates that are going to be loaded here for RDP, and optionally you can configure when you want your account to expire. I'll just leave the default of a month and choose save. Now this can take a few minutes, so we'll go ahead and pause the video.

All right, so it looks like RDP was configured successfully enough, but one thing I did notice, this has happened multiple times. So if you try to RDP in directly, so if you come to the overview of your instance and then click
on the RDP session here, that's gonna go ahead and download you an RDP file if you click connect here. But one thing I did notice: it will time out. It seems like there needs to be a restart in order for it to start working right away. I'm sure if I just let the VM sit and fully configure this it would most likely work within a little bit of time, but I'm noticing that if you just try to remote in directly after it says it configured it, it seems to time out and say that it's not available. But what we can do here to kind of work around that is if you reboot your server. So if we click on this instance and click restart, I'll go ahead and pause it, but after that restart I've noticed that it will go ahead and allow the RDP to work right away.

All right, so our server restarted. So what we can do here is, if we go and open that RDP file that we downloaded, we should go ahead and click connect, and now you can see that RDP is up and listening on that Azure system. So I'm going to go ahead and log in with the password that I created with that local account, and what we can see, we're actually RDP'd now into the CMG server that's hosting that connection. Like any good SCCM admin, of course the first thing that we do is get CMTrace copied over and set that for our default log viewer.

Now what you'll notice is that this kind of configured some different disks on your CMG server. So the first thing you might want to look at is go ahead and open regedit, and then what we could do is kind of go into our software key under HKEY_LOCAL_MACHINE, Microsoft, and then SMS, and then you could just get an idea of where your CMG components are installed. So if you look at the tracing key and you look at your setup, we can see that it's in the E: approot logs, CMG setup. So if you want to actually just verify that the CMG components are running, if you go to the E: approot and then logs, here's our CMG service log and we can also see our CMG setup log. So this will just kind of let you know, hey, things are running,
it's connected to your connection point and things look good, as long as everything's looking like it's online here. So that looks good.

The next thing that might be of interest is if you want to open up IIS. We could go ahead and open that up, and here's essentially our components that are running our CMG service. So if we go ahead and open that up and look at the logging, you can just get an idea of where your IIS server is logging out. So we'll go ahead and copy this directory, open that up, and this is basically our IIS log. So this will show you any type of traffic coming in from your internet clients, so if you're trying to troubleshoot any type of connection errors you get on your internet clients, this could be a helpful place to look. Now instead of rolling over hourly, I'm going to make this weekly just so we can kind of view the log by week so it doesn't roll over quite so much. But that all looks good, so it looks like we're up and running.

If we come back to our SCCM console, so minimize this RDP, we can see on our content, so under our distribution status, if we go and look at our cloud DP that was configured with CMG, we can see that all the package has successfully been distributed and we've got all our content ready to go for our clients.

So if we jump over to a client, what I can see here is I've got a client that at this point is just running internally. It is using a certificate, because that would be required if you're domain joined and not using Azure AD, but we can see that it's using PKI. So what we're going to do is go ahead and start the agent. If we look at the network tab, we can see that we currently don't have any internet-based client management points configured, so this would also include CMG. So by default, every 24 hours the client is going to do what's called a content locator or a location request. So the location request is going to be when it would pick up any new available management points. So if we look at ClientLocation.log, what we can see here
is that it picked up that new cloud management gateway server, so that looks good. Now this would also automatically do a location request if you were to connect to a new Wi-Fi network or if the service was to be restarted. So if you were playing around with this and you didn't want to wait the default up to 24 hours, you could just restart the SMS Agent Host service and that would initiate it. So if I close my Config Manager applet and reopen it and we look at that network tab, now we can see that it's now populated with the CMG server.

So if you remember from our video where we created that subdomain, let me actually go back to my server for this. If we actually do an nslookup on this, so nslookup, and then we've got CMD you set up can setup config manager comm, so that's the subdomain or CNAME that we created, we can see that that's now pointing to our Azure IP. So that's why we had to create that CNAME to point our certificate to, basically redirect that to the cloud app, which is where our Azure CMG is running. So that's going to be how our clients can actually connect and detect that. All right, so that looks good. I think at this point we're pretty much up and running.

So if we jump back over to that client, it's currently on the internal network. So we can verify that if we go look at our CcmMessaging.log: we can see that it's currently going to be talking to our internal management point. It doesn't look like I've got any traffic going on recently, but what we're gonna do in order to switch that to the Internet is I'm gonna switch my VM from my internal Ethernet that's connected locally to a guest network over Wi-Fi. So I'm just gonna go ahead and initiate that. We'll go ahead and make this full screen again, and I'm going to go ahead and restart the agent host so that it detects it's on the internet now. So one thing to note is that if you're using Hyper-V and you just switch the network, it's not going to detect the actual adapter change like if you were to reconnect to
Wi-Fi. So in that case we're gonna just go ahead and restart the agent host, and we'll go ahead and monitor ClientLocation, and now we can see that it says the client is domain joined but it's on the internet. So once it detects it switches to the Internet, if we go and look at LocationServices.log, what we should essentially see is the client will then start switching to use our CMG management point.

So if we take a look now that we're on the Internet, if we go back to our console here and if we do a refresh, we can still see that the client is showing that it's online. So even though clients are online, it can still use the fast channel to get notifications. So what we can do here, let's give this a quick test to see if this is fully functioning yet. We're going to go ahead and choose to go to our device collections, devices, and then we're going to right-click our client and choose to do a software update scan cycle, so evaluate software update deployments. Now before I click OK, what we'll do, we'll jump over to the client and we're going to open up UpdatesDeployment.log, but also we're gonna open up ScanAgent and then UpdatesDeployment and merge those two logs, and then we'll jump back and go ahead and say let's perform that scan. So we'll see if that kicks in here in a few seconds. There we go, we can see it just got that notification that was triggered from our on-prem environment even though this connection is out over the internet.

So the fast channel will still work. Of course, most of your components, so doing things like hardware inventory, application deployment, software updates. I'll include a link in the description of what's supported over CMG. I know obviously there's a few things that aren't supported, so you couldn't do things like PXE booting, for sure you couldn't do remote tools because it would be out on a public IP address, so there's a few features you can't do, but for the most part you would manage this just like any other client. So what we can do
to just test to verify that we can get things like applications and updates is we'll go ahead and try to install an application. So you can see that we don't have 7-Zip installed currently, but I've got this targeted. Now this is an application that we made sure that we distributed to our cloud, or let me make that our CMG server, now that they're kind of integrated into our cloud DP and CMG server. So if I go in and click install, what should happen, if we come back to our logs and look at the content access log, we should see that we're downloading our content from our CMG server. So if I zoom in on that, we can see that we detected that content is on our cloud server, so that's going to go ahead and download that content. In our case it was just 7-Zip, so if we go and look at our cache, we can verify that 7-Zip got downloaded and it should have been installed. So now if we go back and refresh, we can see that our software distribution works just fine for those clients over the internet through CMG.

Another thing that I thought would be interesting is looking at Windows updates. So what I'm gonna do is go ahead and click on this Microsoft Update for Flash Player. Now this is one that we don't have out on our CMG server; this is one that would go out and get it from Microsoft Update. So for example, we can see that when it does our content location to get that update, we can see that it's actually downloading that binary from Windows updates, because obviously you wouldn't need to host that because it's already out on the Internet and available. So we can see that it's been downloaded, so if we go and look at our cache, we can see we now have this new folder for that Flash update. So that's going to be coming through Microsoft updates.

The next scenario that I wanted to test is third-party updates. So what we've got here, we've got an outdated version of Java, so we'll go ahead and choose the 32-bit version for this example and then we'll choose to install. Now this is one that's
hosted out on our cloud DP or our CMG server, so we'll go ahead and wait for this to finish and I'll show you how that gets accessed. All right, so that update also installed. So if we go and look at our CAS log, we can see that we got the content from our CMG server as well, since that was a third-party update; it was distributed from our cloud service. If we go and look at our cache, we can verify that the third-party update was in fact downloaded. We can see we've got our Java update here. If we do a quick refresh, we should see that we went from Java 8 161 to Java 8 181 for the 32-bit version, is what we installed. We can see we got 7-Zip installed, and if we look at our updates, we've also got that Flash update that installed as well. So it looks like our client is functioning just fine out on the internet through CMG.

The only other thing that I'll go ahead and kind of show you is let's go ahead and do one more client notification. So jumping back to our console, let's right-click the device and do a hardware inventory. There we go, collect hardware inventory. So before we initiate that, let's look at the inventory agent. I did clear the log files before I started this service, so let's go ahead and initiate that and let's see if that inventory agent gets created here once that gets the policies telling it to do a scan. There we go, so we can see that real-time action got sent to our client through the fast channel. Even though it's on the internet, CMG was able to broker that connection and say, hey, go ahead and submit hardware inventory for me. So at this point we can see that it's submitting the inventory. If we get back over to our site server fast enough, we can look at the data loader log and we can actually see this inventory file that gets sent through our connection point from our CMG server. It should basically flow into our site server through the internet. So we'll wait for that client to send it up. We can see that the file just got sent up to our management point, so the client
would send that up to our CMG server out on the internet, that would then proxy the connection through the connection point, and basically that MIF file for the hardware inventory should flow over to our data loader and it should get processed here in a few seconds, hopefully. There we go, so we can see that it just processed that inventory file. We can see that the hardware inventory was in fact for our device called Skype client, so that is the machine that's out there on the Internet.

One other thing that I thought might be interesting is if we look over at our IIS logs. What I've done is I've opened up my software update point scan log for IIS. So what we can see is that when the client was scanning for updates over the internet, we can see all these updates are coming over and it's scanning. We can see it's using the internet IPv6 address of our proxy connection through CMG and our client, but this is in fact the client out on the Internet, and we can see that it's out there scanning, and this would be kind of what's brokering that connection through that connection point.

So I think that's all I had to cover. Now if you have any questions, I know that we didn't go too deep in on the PKI aspect of it because I already have a video on that, so if you do have any questions around CRL checking or certificates that maybe I didn't go deep enough, that you have a question about, feel free to leave a comment in the video, blog post, Twitter, wherever you're reading, you know, this video. Thank you for watching and I hope this was helpful for you.
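The log merge used in the video (ScanAgent and UpdatesDeployment viewed together in CMTrace) can be reproduced outside the viewer when logs are collected from a client for troubleshooting. The following is an added example, not part of the video or of any Patch My PC or Microsoft tooling; the sample log lines are constructed, and the number after the time is assumed to be a bias in minutes that is added to local time to get UTC.

```python
import re
from datetime import datetime, timedelta

# CMTrace-style entry:
# <![LOG[message]LOG]!><time="HH:MM:SS.fff+bias" date="MM-DD-YYYY" component="..." ...>
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+)(?P<bias>[+-]\d+)" '
    r'date="(?P<date>\d{1,2}-\d{1,2}-\d{4})" component="(?P<comp>[^"]*)"',
    re.DOTALL,  # a message may span several physical lines
)
ATTRS = 'context="" type="1" thread="4120" file="constructed:1">\n'

# Constructed sample content; the message text is illustrative, not real client output.
SCAN_AGENT = (
    '<![LOG[Constructed: scan request received]LOG]!><time="14:02:10.250+240" '
    'date="07-19-2018" component="ScanAgent" ' + ATTRS +
    '<![LOG[Constructed: scan completed]LOG]!><time="14:02:31.900+240" '
    'date="07-19-2018" component="ScanAgent" ' + ATTRS
)
UPDATES_DEPLOYMENT = (
    '<![LOG[Constructed: evaluation triggered by notification]LOG]!><time="14:02:09.800+240" '
    'date="07-19-2018" component="UpdatesDeploymentAgent" ' + ATTRS +
    '<![LOG[Constructed: evaluation finished]LOG]!><time="14:02:33.100+240" '
    'date="07-19-2018" component="UpdatesDeploymentAgent" ' + ATTRS
)

def parse_log(text, source):
    """Return one dict per entry, with the timestamp normalised to UTC."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        local = datetime.strptime(m["date"] + " " + m["time"], "%m-%d-%Y %H:%M:%S")
        local += timedelta(seconds=float("0." + m["frac"]))
        utc = local + timedelta(minutes=int(m["bias"]))  # assumed: UTC = local + bias
        entries.append({"utc": utc, "source": source,
                        "component": m["comp"], "message": m["msg"]})
    return entries

def merge_logs(logs):
    """Merge {file name: file text} into one chronologically ordered list."""
    merged = []
    for source, text in logs.items():
        merged.extend(parse_log(text, source))
    return sorted(merged, key=lambda e: e["utc"])

if __name__ == "__main__":
    for e in merge_logs({"ScanAgent.log": SCAN_AGENT,
                         "UpdatesDeployment.log": UPDATES_DEPLOYMENT}):
        print(e["utc"].isoformat(), e["source"], e["message"], sep="  ")
```

Normalising to UTC also lets entries from the client be lined up with logs taken from the site server or the CMG instance when those machines are in different time zones.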
Info
Channel: Patch My PC
Views: 66,489
Keywords: Cloud Management Gateway, CMG, ConfigMgr CMG, SCCM CMG, Configuration Manager Cloud Management Gatway, ConfigMgr 1806, SCCM 1806, Configuration Mangaer 1806
Id: kTOPhVHyZtE
Length: 47min 5sec (2825 seconds)
Published: Thu Jul 19 2018