Cloud Management Gateway enables SCCM clients to connect to the site server management point through the public internet. Devices can be online from the public internet. The SCCM site server can deploy and sync software updates, applications, compliance, hardware-software inventory, and other configuration manager features without requiring users to connect to the corporate network.
From my previous article of “SCCM Cloud Management Gateway with Token-based Authentication,” I have discussed the new improvement with SCCM 2002, the Token-based Authentication. It helps users to connect to CMG without a client authentication certificate. With the previous article (here), I have covered what is Token-based authentication, how it is simplifying the CMG implementation and sample costing and sizing estimation, which is relevant when calculating Azure costs. Also, I have covered general prerequisites that require when deploying CMG with Token-based authentication. From this post, I am going to cover everything which is related to implement a new Cloud Management Gateway with token-based authentication.
My solution consists of a Standalone Primary site server with SCCM 2002 version; all clients are upgraded to the latest. Single Cloud Management Gateway instance will be deployed in Azure. Cloud management gateway connection point co-exists with the primary site server along with the Management point and Software update point.
Confirming a Unique DNS name for CMG
As the first step of implementing CMG, you should pick a unique DNS name for your hosted CMG Service. SCCM uses *.cloudapp.net domain for CMG naming. To identify a unique “Cmgname.cloudapp.net” DNS name, you can use the first step of creating a classic cloud service. This will verify the uniqueness of the DNS Name.
If your tenant is not already registered for classic computing, go to the Subscriptions, Select - Subscription – Resource Providers, Type Microsoft.ClassicComputer and click Register.
Next type of Cloud service (Classic) in search and Open Cloud Service
Click Add to get the Create Cloud Service window. From the DNS Name field, try to find your unique DNS name. This DNS name is required when creating the CMG and Server authentication certificate.
Fulfilling Certificate Requirement
With this scenario, we only need a Server authentication certificate. Client authentication with the CMG will be done with a self-sign certificate along with the token authentication. A server authentication certificate required when configuring CMG from the configuration manager site server. It will enable secure communication with the Configuration manager and Azure-hosted CMG through Internet. Also, CMG connecting clients should trust this Certificate to allow communication. Server Authentication certificate can be issued from
- Public provider – Public Certificate
- internal Public Key Infrastructure (PKI)
from this post, I am configuring internal Microsoft Enterprise PKI to issue the Certificate.
Creating Server Authentication Certificate Template
- Login to the Certificate Authority server and right-click Certificate Templates, click Manage.
- Right-click on the Web Server template and select Duplicate Template
- In the New template, ensure compatibility is selected as windows server 2003. Add a new name to the template. Also, in the Request Handling tab, tick Allow Private Key to be Exported.
- In the Security tab, add the security group containing all the SCCM site server computer accounts. Ensure the group or computer account has Read and Enroll.
- By default, Domain admin groups and Enterprise admin group have enrolled permissions in the template; make sure to remove the Enroll permissions.
- Click apply to close the new template window.
- Next, you need to enable the Server Authentication certificate template we already created. Right-click on Certificate Templates – New – Certificate Template to issue and select the SCCM Certificate template and click OK.