2. Agenda
Why we need CMG
Components of CMG
Requirements, Specifications
Placement of CMG components | Hierarchy
Ports
Cost | Outbound Data Transfer
Client Setting
Certificate for CMG
ARM, Configure Azure Services, Server App and Client App
Enhanced HTTP
Azure AD Authentication Workflow
Some Key SQL Tables
Logs to troubleshoot
3. Why we need CMG
To manage Configuration Manager clients on the internet
You also don't need to expose your on-premises infrastructure to the internet.
Components of CMG (diagram labels): CMG cloud service, CMG connection point, service connection point, management point, software update point, internet-based clients, cloud distribution point.
5. Components of CMG
The CMG cloud service in Azure authenticates and forwards Configuration Manager client
requests to the CMG connection point.
The CMG connection point site system role enables a consistent and high-performance
connection from the on-premises network to the CMG service in Azure. It also publishes
settings to the CMG including connection information and security settings. The CMG
connection point forwards client requests from the CMG to on-premises roles according to
URL mappings.
The service connection point site system role runs the cloud service manager component,
which handles all CMG deployment tasks. Additionally, it monitors and reports service health
and logging information from Azure AD. Make sure your service connection point is in online
mode.
6. Components of CMG
The management point site system role services client requests as normal.
The software update point site system role services client requests as normal.
Internet-based clients connect to the CMG to access on-premises Configuration Manager
components.
The CMG uses a certificate-based HTTPS web service to help secure network communication
with clients.
Internet-based clients use PKI certificates or Azure AD for identity and authentication.
A cloud distribution point provides content to internet-based clients, as needed.
Starting in version 1806, a CMG can also serve content to clients. This functionality reduces the
required certificates and cost of Azure VMs. For more information, see Modify a CMG.
7. Requirements
An Azure subscription to host the CMG
To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin.
To deploy the CMG, you need a Subscription Admin.
Windows server to host the CMG connection point.
The service connection point must be in online mode.
A server authentication certificate for the CMG.
Other certificates may be required, depending upon your client OS version and authentication model.
Clients must use IPv4.
Specs
CMG only supports the management point and software update point roles.
CMG doesn't support clients that only communicate with IPv6 addresses
8. To make a user a Subscription Admin, assign the Owner role at the subscription scope.
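The role assignment above, done with the Az PowerShell module instead of the portal. This is an added example, not from the deck; the subscription ID and the deploying account's UPN are placeholders, and it assumes an existing Connect-AzAccount session.

```powershell
# Added example: make the CMG deployment account a "Subscription Admin" (Owner at subscription scope).
# Placeholders: replace the subscription ID and UPN with your own values.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$deployerUpn    = 'cmg-deployer@contoso.com'
$scope          = "/subscriptions/$subscriptionId"

# Owner at subscription scope is a broad privilege: see who already holds it before adding more.
# Get-AzRoleAssignment -Scope also returns inherited assignments, so filter on the exact scope.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.Scope -eq $scope } |
    Select-Object DisplayName, SignInName, ObjectType

# Grant Owner at the subscription scope (not a narrower resource-group scope, which the CMG wizard
# does not treat as Subscription Admin).
New-AzRoleAssignment -SignInName $deployerUpn -RoleDefinitionName 'Owner' -Scope $scope

# Verify the assignment landed where expected.
Get-AzRoleAssignment -SignInName $deployerUpn -Scope $scope |
    Select-Object RoleDefinitionName, Scope

# Once the CMG is deployed, the account only needs its day-to-day rights; drop Owner again:
# Remove-AzRoleAssignment -SignInName $deployerUpn -RoleDefinitionName 'Owner' -Scope $scope
```

Use a dedicated deployment account rather than a daily-use identity, and remove the Owner assignment when the deployment is finished.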
9. Hierarchy Design
Create the CMG at the top-tier site of your
hierarchy. If that's a central administration site,
then create CMG connection points at child
primary sites.
The cloud service manager component is on the
service connection point, which is also on the
central administration site.
You don't need to deploy multiple CMG
instances for the purposes of geolocation.
10. Ports
You don't need to open any inbound ports to your on-premises network.
TCP-TLS 10140-10155: preferred protocol to build the CMG channel (the SMS_Cloud_ProxyConnector.log excerpt on the Log Files slide shows the connection point reaching the service on 10140)
HTTPS 443: fallback protocol to build the CMG channel when there is only one VM instance
HTTPS 10124-10139: fallback protocol to build the CMG channel when there are two or more VM instances
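An added check, not from the deck, to run on the CMG connection point before deployment: confirm the outbound ports above are reachable for the number of VM instances you plan to run. The service name and instance count are placeholders, and the one-port-per-instance mapping (10140 plus the instance index for TCP-TLS, 10124 plus the index for the HTTPS fallback) is an assumption stated in the comments.

```powershell
# Added example: outbound connectivity check from the CMG connection point to the CMG service.
$cmgHost   = 'natlab.cloudapp.net'   # placeholder: your CMG service FQDN
$instances = 2                       # placeholder: number of VM instances you will run

# Ports the connection point must reach outbound (nothing inbound is required on-premises):
#   10140-10155  TCP-TLS, preferred channel (assumed one port per instance, starting at 10140)
#   443          HTTPS fallback, only when there is a single instance
#   10124-10139  HTTPS fallback when there are two or more instances (assumed one port per instance)
$ports = @(10140..(10140 + $instances - 1))
if ($instances -eq 1) { $ports += 443 } else { $ports += 10124..(10124 + $instances - 1) }

$results = foreach ($p in $ports) {
    $r = Test-NetConnection -ComputerName $cmgHost -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target   = "${cmgHost}:$p"
        Protocol = if ($p -ge 10140) { 'TCP-TLS (preferred)' } else { 'HTTPS (fallback)' }
        Open     = $r.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# A blocked TCP-TLS port silently degrades the channel to HTTPS fallback, so flag it loudly.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) { Write-Warning ("Blocked outbound: " + ($blocked.Target -join ', ')) }
```

Test-NetConnection only proves the TCP handshake; a TLS-intercepting proxy in the path can still break the channel, which shows up later in SMS_Cloud_ProxyConnector.log.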
11. Cost | Outbound Data Transfer
CMG uses Azure Cloud Services as platform as a service (PaaS). This service uses virtual machines (VMs)
that incur compute costs.
CMG uses a Standard A2 V2 VM.
You select how many VM instances support the CMG. One is the default, and 16 is the maximum. (Scale
the CMG to support more clients by adding more VM instances.)
Charges are based on data flowing out of Azure (egress or download). Any data flows into Azure are free
(ingress or upload).
CMG data flows out of Azure include policy to the client, client notifications, and client responses
forwarded by the CMG to the site. These responses include inventory reports, status messages, and
compliance status.
Misconfiguration of the CMG option to Verify client certificate revocation can cause additional traffic from
clients to the CMG.
13. Additional Information
Changing the VM Configuration is not supported.
You can add instances but cannot add resources to the VM
Certificate added in CMG properties can be checked in IIS Bindings.
15. Certificate for CMG
Allow the private key to be exported (the certificate must be exported as a .pfx for the CMG wizard).
Set the template's subject name to "Supply in the request", so that you can enter the subject name you want (the CMG service name). If you don't, the subject name will be the name of the machine that requests the certificate.
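The checks a practitioner would run on the enrolled certificate before exporting it for the CMG wizard, as an added example that is not part of the deck. It assumes the certificate was enrolled into the local machine store and that the CMG service FQDN is the placeholder shown.

```powershell
# Added example: validate the CMG server authentication certificate before exporting the .pfx.
$cmgFqdn = 'natlab.cloudapp.net'   # placeholder: the subject name you supplied in the request

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$cmgFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$cmgFqdn in LocalMachine\My" }

# 1. Subject (and SAN, if present) must name the CMG service, not the enrolling machine.
"Subject    : $($cert.Subject)"
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { "SAN        : $($san.Format($false))" }

# 2. Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))
"ServerAuth : $hasServerAuth"

# 3. The private key must be exportable, or the .pfx cannot be produced.
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$exportable = switch ($key) {
    { $_ -is [System.Security.Cryptography.RSACryptoServiceProvider] } { $_.CspKeyContainerInfo.Exportable }
    { $_ -is [System.Security.Cryptography.RSACng] } {
        ($_.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0 }
    default { 'unknown (non-RSA key)' }
}
"Exportable : $exportable"

# 4. The chain must build to a root that internet clients trust, with revocation checked,
#    because the CMG "verify client certificate revocation" option depends on reachable CRLs.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
"Chain OK   : $($chain.Build($cert))"
$chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status) $($_.StatusInformation)".Trim() }

"Thumbprint : $($cert.Thumbprint)  (expires $($cert.NotAfter))"
```

A chain that only builds because the enterprise root is in this machine's store will fail on internet clients that never received that root; the check above runs with the local trust store, so read the chain status together with how the root is distributed to clients.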
17. ARM: Azure Resource Manager
Create the CMG using an Azure Resource Manager deployment.
Azure Resource Manager is a modern platform for managing all solution resources as a single
entity, called a resource group.
To simplify the deployment and management of resources, the Azure Resource Manager
deployment model is recommended for all new CMG instances.
This modernized deployment doesn't require the classic Azure management certificate.
An ARM deployment uses Azure AD app registrations as credentials, so it requires the Azure Services configuration.
18. Configure Azure Services
Web app/API: also referred to as the server app in ConfigMgr. The site uses it to access Azure AD.
Native app/API: also referred to as the client app in ConfigMgr. Clients use it to request an Azure AD token.
We can either import existing apps or create the apps from the console.
If we create the apps from the console, the permissions are configured by ConfigMgr.
If we import apps, the permissions will be missing and must be granted explicitly.
https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/azure-services-wizard
** Private Cloud – Azure US Government Cloud.
19. Server APP Import
• Tenant Name: Any Name
• Tenant ID: Directory ID.
• App Name: Web App CMG
• Client ID: App ID
• Secret Key
• App ID URI: included in the access token that the Configuration Manager client uses to request access to the service. By default this value is https://ConfigMgrService.
Server App Create
21. Server App Permissions
• Application permission type means the server app has direct access to read Azure AD with its own identity.
Client App Permissions
The server app has Application permissions, so it can read Azure AD directly.
The client app has Delegated permissions, so it acts on behalf of the signed-in user and goes through the server app to read Azure AD. It is granted User.Read.
22. SQL Table to check
Select * from AAD_Application_Ex
https://techcommunity.microsoft.com/t5/Premier-Field-Engineering/Importing-Apps-to-set-up-Cloud-Management-Gateway-CMG-for/ba-p/740011
Authentication
The CMG uses a certificate-based HTTPS web service to help secure network communication with
clients.
Internet-based clients use PKI certificates or Azure AD for identity and authentication.
23. Azure AD User, User Group Discovery
Prereq:
The Cloud Management Azure service must be configured.
If the user is a federated or synchronized identity, you must use
Configuration Manager Active Directory user discovery as well as Azure
AD user discovery. For more information about hybrid identities,
see Define a hybrid identity adoption strategy.
Log File:
Actions for Azure AD user discovery are recorded in
the SMS_AZUREAD_DISCOVERY_AGENT.log file on the top-tier site server
of the hierarchy.
Importance:
Azure AD user discovery is required if you use Azure AD authentication; if you use certificates, it is not needed.
Limitations
Delta discovery for Azure AD user group discovery is currently disabled.
* Federated means up to you.
Docs:
https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/configure-discovery-methods#azureaadisc
https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/about-discovery-methods#azureaddisc
https://docs.microsoft.com/en-au/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-identity-adoption-strategy
25. Some Key Tables
select * from AAD_Tenant_Ex (To check STS Metadata)
Select * from vProxy_Roles
select * from vProxy_RoleEndpoints
26. Query to check applications
SELECT AE.ID, AE.ClientID, AE.Name [App Name], AE.IsClientApp, AE.IdentifierUri,
AER.IsTombstoned, ACS.Name [Azure Service Name]
FROM AAD_Application_Ex AE
LEFT JOIN AAD_CloudServiceApplicationRelations AER ON AER.AADApplicationID = AE.ID
LEFT JOIN Azure_CloudService ACS ON ACS.ID = AER.ID
If any app is not used by an Azure Service, the Azure Service Name column will display a value of NULL.
https://internal.support.services.microsoft.com/en-us/help/4517228
27. Enhanced HTTP
How to enable it: in the site properties, select "Use Configuration Manager-generated certificates for HTTP site systems".
Wait up to 30 minutes for the management point to receive and configure the new certificate from the site.
This enables SSL on the required virtual directories and secures the communication.
Logs: CertMgr.log, SiteComp.log
https://docs.microsoft.com/en-us/configmgr/core/plan-design/hierarchy/enhanced-http
28. Log Files
• For troubleshooting deployments, use CloudMgr.log and CMGSetup.log
• For troubleshooting service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
• For troubleshooting client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.
CMGSetup.log, CMGService.log, CMGContentService.log and CMGHttpHandler.log are on the CMG VM in Azure. CloudMgr.log is on the service connection point and SMS_Cloud_ProxyConnector.log is on the CMG connection point.
SMS_Cloud_ProxyConnector.log
Trying to build Tcp connection 0bea65f5-ac5d-467c-8171-67240cedae3e with server NATLAB.CLOUDAPP.NET:10140 SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
Starting to connect to Proxy server NATLAB.CLOUDAPP.NET:10140 with client certificate F3D5A5714F2AF28ECC06483C3E686BA95917FC98 and connection ID 0bea65f5-ac5d-467c-8171-67240cedae3e... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
Sending signIn message to Proxy server... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
Got signIn confirm message from Proxy server and processing it... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
Parking connection 0bea65f5-ac5d-467c-8171-67240cedae3e to Proxy server NATLAB.CLOUDAPP.NET:10140... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
Connection 0bea65f5-ac5d-467c-8171-67240cedae3e finished initialization and started SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
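The excerpt shows the lifecycle of one healthy channel: build the TCP connection, sign in, park it, then "finished initialization and started". When the connection point keeps retrying, the useful question is how far each connection ID got. The following is an added example, not from the deck or from Microsoft, that groups SMS_Cloud_ProxyConnector.log lines by connection ID and reports the last stage each reached. The sample lines are constructed from the excerpt above plus one made-up stalled connection; the log path is a placeholder.

```powershell
# Added example: summarise channel state per connection ID from SMS_Cloud_ProxyConnector.log.
function Get-CmgChannelState {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    $guidRx = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    # message, component, timestamp, thread; tolerant of tab- or space-separated fields
    $lineRx = '^(?<msg>.+?)\s+SMS_CLOUD_PROXYCONNECTOR\s+(?<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(?<thread>\d+)'
    # message fragment -> stage, ranked in the order a healthy connection passes through them
    $stages = @(
        @{ Text = 'Trying to build Tcp connection';      Stage = 'Connecting'; Rank = 1 },
        @{ Text = 'Starting to connect to Proxy server'; Stage = 'Connecting'; Rank = 1 },
        @{ Text = 'Sending signIn message';              Stage = 'SignInSent'; Rank = 2 },
        @{ Text = 'Got signIn confirm message';          Stage = 'SignedIn';   Rank = 3 },
        @{ Text = 'Parking connection';                  Stage = 'Parked';     Rank = 4 },
        @{ Text = 'finished initialization and started'; Stage = 'Started';    Rank = 5 }
    )
    $conns = [ordered]@{}
    # The signIn lines carry no connection ID; attribute them to the connection last seen on
    # the same thread (heuristic: one thread drives one connection at a time in the excerpt).
    $lastIdByThread = @{}

    foreach ($raw in $Lines) {
        if ($raw -notmatch $lineRx) { continue }
        $msg = $Matches['msg']; $ts = $Matches['ts']; $thread = $Matches['thread']
        $id = if ($msg -match $guidRx) { $Matches[0] } else { $lastIdByThread[$thread] }
        if (-not $id) { continue }
        $lastIdByThread[$thread] = $id
        if (-not $conns.Contains($id)) {
            $conns[$id] = [pscustomobject]@{ ConnectionId = $id; Server = $null; FirstSeen = $ts
                                             LastSeen = $ts; Stage = 'Unknown'; Rank = 0 }
        }
        $c = $conns[$id]
        $c.LastSeen = $ts
        if ($msg -match 'server ([\w.\-]+:\d+)') { $c.Server = $Matches[1] }   # host:port being used
        $hit = $stages | Where-Object { $msg -like "*$($_.Text)*" } | Select-Object -First 1
        if ($hit -and $hit.Rank -gt $c.Rank) { $c.Stage = $hit.Stage; $c.Rank = $hit.Rank }
    }
    foreach ($c in $conns.Values) {
        [pscustomobject]@{ ConnectionId = $c.ConnectionId; Server = $c.Server; FirstSeen = $c.FirstSeen
                           LastSeen = $c.LastSeen; Stage = $c.Stage; Healthy = ($c.Stage -eq 'Started') }
    }
}

# Constructed sample: the six lines from the excerpt plus a made-up connection (GUID 1111...,
# thread 6100) that sends signIn on port 10141 and never gets a confirmation.
$sample = @(
  'Trying to build Tcp connection 0bea65f5-ac5d-467c-8171-67240cedae3e with server NATLAB.CLOUDAPP.NET:10140 SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)',
  'Starting to connect to Proxy server NATLAB.CLOUDAPP.NET:10140 with client certificate F3D5A5714F2AF28ECC06483C3E686BA95917FC98 and connection ID 0bea65f5-ac5d-467c-8171-67240cedae3e... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)',
  'Sending signIn message to Proxy server... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)',
  'Got signIn confirm message from Proxy server and processing it... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)',
  'Parking connection 0bea65f5-ac5d-467c-8171-67240cedae3e to Proxy server NATLAB.CLOUDAPP.NET:10140... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)',
  'Connection 0bea65f5-ac5d-467c-8171-67240cedae3e finished initialization and started SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)',
  'Trying to build Tcp connection 11111111-2222-3333-4444-555555555555 with server NATLAB.CLOUDAPP.NET:10141 SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:05:10 PM 6100 (0x17D4)',
  'Sending signIn message to Proxy server... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:05:10 PM 6100 (0x17D4)'
)
Get-CmgChannelState -Lines $sample | Format-Table -AutoSize

# Against the real log on the CMG connection point (placeholder path):
# $logPath = 'D:\SMS\Logs\SMS_Cloud_ProxyConnector.log'
# Get-CmgChannelState -Lines (Get-Content $logPath) | Where-Object { -not $_.Healthy }
```

A connection that stops at SignInSent points at the sign-in (certificate) exchange with the CMG service; one that never leaves Connecting points at the outbound port on the Ports slide. The thread-based attribution of the ID-less signIn lines is a heuristic, so on a busy log cross-check a suspicious connection by its GUID before acting on it.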
29. Enable Verbose Logging
You can configure the logging level using the Trace level setting (Information (default), Verbose, Error)
on the Azure portal, under the cloud service's Configuration tab.