BLOG Published on 2020/09/06 by Asitha De Silva in Tech-Tips

Implementing SCCM Cloud Management Gateway with Token based Authentication – Part 02 | Configurations and troubleshooting

In Part 01 of Implementing SCCM Cloud Management Gateway with Token-based Authentication, I walked through, step by step, everything involved in deploying a new Cloud Management Gateway with token-based authentication. In this post, I continue where I left off: configuring the management point and software update point for CMG traffic, and getting clients to connect successfully.

Configuring Management Point

After implementing the CMG with token-based authentication, you need to configure the management point to allow CMG traffic. Before you can do that, enable enhanced HTTP on the site by ticking the following setting:

SCCM Console – Administration – Site Configuration – Sites – open the site properties and tick Use Configuration Manager-generated certificates for HTTP site systems

Next, open the management point properties by right-clicking the Management point role; you can now tick Allow Configuration Manager cloud management gateway traffic, as shown below.



Configuring Software update point to deploy through CMG

After you enable the management point to accept CMG traffic over enhanced HTTP, configure the software update point the same way: tick Allow Configuration Manager cloud management gateway traffic. Since I have a single software update point serving both internet and intranet clients, I selected the option to allow both intranet and internet client connections.


Configuring Boundary groups and Client settings

After configuring the CMG and the management point, you need to specify which devices will connect through the CMG. This is done in Client settings (the Cloud Services section) and deployed to whichever device collection suits you. In my scenario, every device should connect to the Configuration Manager site regardless of the network it is on, so I enabled Enable clients to use a cloud management gateway in the Default Client Settings.

I also control access to the cloud distribution point through boundary groups, so I enabled Allow access to cloud distribution point for all clients, as below.



When you create a new boundary group, you can add the cloud management gateway as a site system server on the boundary group's References tab. This lets clients in the associated boundaries use the CMG and its cloud distribution point to get content.




Configuring clients and troubleshooting

When you have configured everything from Part 1 of this article and switched the management point to enhanced HTTP as described above, your clients should pick up the CMG automatically without any further configuration. When you open the Configuration Manager client from the device's Control Panel, the internet-based management point appears on the Network tab, as follows.



The connection type also changes according to the network the client is on: it shows intranet or internet, depending on the connection.



Still, this does not confirm that the client can talk to the CMG without issues; to confirm that, check ClientLocation.log in the client's CCM\Logs folder.

If you look closely, you can see that when the client moves from the intranet to the internet, the CCM client contacts the CMG, obtains a token to register, and only then starts communicating with the management point. The log then shows that the client is on the internet and that its current management point is the CMG. Those records confirm a successful connection.
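The same evidence can be pulled from the client without opening the logs in CMTrace. The following PowerShell is an added example, not code from the original post: it parses the CMTrace-format entries in ClientLocation.log and LocationServices.log and reads the client's current network state and management point from WMI. Assumptions: the logs live in C:\Windows\CCM\Logs, the root\ccm classes ClientInfo (InInternet) and SMS_Authority (CurrentManagementPoint) are present on the client, a CMG-connected client reports a management point containing CCM_Proxy, and the sample log line is constructed for illustration (the CONTOSO.CLOUDAPP.NET host is the post's hypothetical value).

```powershell
# Added example (not from the original post). Assumes the CCM log folder and the
# root\ccm WMI classes named in the lead-in; the sample log line is constructed.

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory)][string]$Line, [string]$Log = '')
    # CMTrace format: <![LOG[message]LOG]!><time="HH:mm:ss.fff+off" date="MM-dd-yyyy" component="..." ...>
    if ($Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]+)"') {
        [pscustomobject]@{
            Log       = $Log
            Date      = $Matches.date
            Time      = $Matches.time
            Component = $Matches.comp
            Message   = $Matches.msg
        }
    }
}

function Get-CmgLogEvidence {
    # Returns the last $Last entries that talk about the CMG, tokens, or the
    # intranet/internet transition, from the two logs the post points at.
    param([string]$LogFolder = 'C:\Windows\CCM\Logs', [int]$Last = 20)
    $pattern = 'CMG|[Tt]oken|Internet|Intranet|[Mm]anagement [Pp]oint'
    foreach ($name in 'ClientLocation.log', 'LocationServices.log') {
        $path = Join-Path $LogFolder $name
        if (-not (Test-Path $path)) { continue }
        Get-Content -Path $path |
            ForEach-Object { ConvertFrom-CMTraceLine -Line $_ -Log $name } |
            Where-Object { $_ -and $_.Message -match $pattern } |
            Select-Object -Last $Last
    }
}

function Get-CmgClientState {
    # What the Control Panel applet shows, read from WMI: connection type and current MP.
    $info = Get-CimInstance -Namespace root\ccm -ClassName ClientInfo
    $auth = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority
    [pscustomobject]@{
        InInternet             = [bool]$info.InInternet
        CurrentManagementPoint = $auth.CurrentManagementPoint
        # Assumption: a client talking through the CMG reports the CMG service
        # path here, e.g. CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/<id>
        UsingCmg               = [bool]($auth.CurrentManagementPoint -match 'CCM_Proxy')
    }
}

# Constructed sample line (not a real log excerpt) showing the parser's output shape.
$sample = '<![LOG[Client is on the Internet. Current Management Point is CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500]LOG]!><time="10:15:02.123+000" date="09-06-2020" component="ClientLocation" context="" type="1" thread="1234" file="">'
ConvertFrom-CMTraceLine -Line $sample -Log 'sample' | Format-List

# On a real client:
Get-CmgClientState
Get-CmgLogEvidence | Format-Table Log, Date, Time, Message -AutoSize -Wrap
```

A client that has switched to the internet correctly shows InInternet = True, a CurrentManagementPoint on the CMG, and log entries about obtaining a token before the first management point communication; a client that shows InInternet = True but an on-premises MP, or token errors in the log, has not completed the CMG registration and is a candidate for the troubleshooting steps in the next section.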



Troubleshooting

There is some troubleshooting to do if clients have trouble connecting to the CMG. The best sources for errors are ClientLocation.log and LocationServices.log. The following points cover most of the errors you will run into (in my experience, around 80%).

  • If the error indicates a PKI problem or a failure to get an access token:
    • Check that the client trusts the CMG's server authentication certificate. The root certificate that issued it must be in the client's Trusted Root Certification Authorities store.
    • In the CMG properties, check that you have added all the trusted root certificates.



  • Make sure the client version is 2002 or later. If not, update the client.
  • If the CCM client was already installed when you implemented the CMG (that is, without the bulk registration method), then:
    • Clients need to be restarted, and the restart should happen while they are connected to the intranet or a VPN (this is from my findings). The restart restarts the CCM services, and token registration then happens by communicating with the primary site server.
    • Restarting the client's SMS Agent Host service also initiates token registration. This, too, should be done while the device is connected to the VPN or the on-premises network.
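The three checks above can be scripted so they are run the same way on every stuck client. This PowerShell is an added example, not code from the original post. Assumptions: $CmgHost is the CMG service name (CONTOSO.CLOUDAPP.NET, the post's hypothetical value, is used in the usage line); the 2002 client corresponds to version 5.00.8968 (my assumption for the baseline, adjust if your site's 2002 client build differs); the client exposes SMS_Client.ClientVersion and ClientInfo.InInternet in root\ccm; and the service to restart is CcmExec (SMS Agent Host). The certificate check does the trust evaluation itself rather than relying on the handshake, so it can report which root the chain ends in even when that root is not trusted.

```powershell
# Added example (not from the original post). Assumes the names and version
# baseline stated in the lead-in.

function Test-CmgServerCertTrust {
    # Check 1: does this machine trust the CMG's server authentication certificate?
    param([Parameter(Mandatory)][string]$CmgHost, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($CmgHost, $Port)
    $ssl = $null
    try {
        # Accept any certificate during the handshake ONLY so we can retrieve it;
        # the trust verdict is made explicitly with X509Chain below, never here.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($CmgHost)   # sends SNI = $CmgHost
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)         # evaluated against this machine's root stores
        $root = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        } else { '(no chain built)' }
        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            ChainRoot   = $root                # the root that must be in Cert:\LocalMachine\Root
            NotAfter    = $cert.NotAfter
            Trusted     = $trusted
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function Test-CmgClientVersion {
    # Check 2: is the client at least the 2002 build? (baseline is an assumption)
    param([version]$Minimum = '5.00.8968.1000')
    $v = [version](Get-CimInstance -Namespace root\ccm -ClassName SMS_Client).ClientVersion
    [pscustomobject]@{ ClientVersion = $v; Minimum = $Minimum; Supported = ($v -ge $Minimum) }
}

function Restart-CmgTokenRegistration {
    # Check 3: the post's finding is that restarting SMS Agent Host triggers token
    # registration, but only while the device is on the intranet or VPN.
    $info = Get-CimInstance -Namespace root\ccm -ClassName ClientInfo
    if ($info.InInternet) {
        Write-Warning 'Client reports it is on the Internet; connect to the intranet or VPN first, then rerun.'
        return $false
    }
    Restart-Service -Name CcmExec -Force
    return $true
}

# Usage on an affected client (CMG host is the post's hypothetical name):
Test-CmgServerCertTrust -CmgHost 'CONTOSO.CLOUDAPP.NET' | Format-List
Test-CmgClientVersion
Restart-CmgTokenRegistration
```

If Trusted comes back False, ChainRoot tells you which root certificate the client is missing, which is usually faster than reading the PKI error out of LocationServices.log. Compare that root against the trusted root certificates listed in the CMG properties as well, since the same mismatch shows up on both sides.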

Client Installation – Bulk Registration

Bulk registration installs the SCCM client over the public internet. You generate a bulk registration token on the site server, copy it to the internet-facing client device, and pass it to the CCM setup files. With this token, the client contacts the CMG and registers itself with the management point. A bulk registration token has a short validity period, and anyone who holds a valid one can register a device with your site, so treat it as a secret: transfer it over a protected channel and only generate it when you are about to use it.

Open a command prompt as an administrator, navigate to the Configuration Manager installation folder \bin\X64, and run BulkRegistrationTokenTool.exe /new to generate a new token.



Copy the CCM client installation files to the internet-based device and run the setup with the bulk registration token you generated. Use the following command line when installing. Note the space before /regtoken: it is a separate ccmsetup switch and must not be joined onto the SMSSiteCode value.

Example -

ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0NNIiwiTGljZW5zZSI6IlNDQ00iLCJUeXBlIjoiQnVsa1JlZ2lzdHJhdGlvbiIsIlRlbmFudElkIjoiQ0RDQzVFOTEtMEFERi00QTI0LTgyRDAtMTk2NjY3RjFDMDgxIiwiVW5pcXVlSWQiOiJkYjU5MWUzMy1wNmZkLTRjNWItODJmMy1iZjY3M2U1YmQwYTIiLCJpc3MiOiJ1cm46c2NjbTpvYXV0aDI6Y2RjYzVlOTEtMGFkZi00YTI0LTgyZDAtMTk2NjY3ZjFjMDgxIiwiYXVkIjoidXJuOnNjY206c2VydmljZSIsImV4cCI6MTU4MDQxNbUwNSwibmJmIjoxNTgwMTU2MzA1fQ.ZUJkxCX6lxHUZhMH_WhYXFm_tbXenEdpgnbIqI1h8hYIJw7xDk3wv625SCfNfsqxhAwRwJByfkXdVGgIpAcFshzArXUVPPvmiUGaxlbB83etUTQjrLIkgvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZPJUu4-mQFIgrMmKCYbFk3AaEvvrJienfWSvFYLpIYA7lg6EVYRcCAA
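Because the token is short-lived, it is worth checking its expiry before you carry it to a device, and building the ccmsetup line from the parts rather than hand-editing it. The following PowerShell is an added example, not code from the original post or the tool. Assumptions: the bulk registration token is a JWT of the shape the sample above shows (base64url header.payload.signature, with Type, exp and nbf claims); the CMG host, service ID and site code in the usage lines are the post's hypothetical CONTOSO.CLOUDAPP.NET / 72186325152220500 / ABC values; and the token is pasted in from the output of BulkRegistrationTokenTool.exe /new. The script only reads the claims; it cannot verify the signature, since the signing key lives on the site.

```powershell
# Added example (not from the original post). Decodes the claims of a bulk
# registration token and builds the ccmsetup command line. Assumes the token
# shape and the hypothetical CMG values named in the lead-in.

function ConvertFrom-Base64Url {
    # JWT segments are base64url without padding; restore standard base64 first.
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-RegTokenInfo {
    # Returns the claims that matter before using the token: type and validity window.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow
    $nbf = [DateTimeOffset]::FromUnixTimeSeconds([long]$payload.nbf)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([long]$payload.exp)
    [pscustomobject]@{
        Algorithm = $header.alg
        Type      = $payload.Type           # expected: BulkRegistration
        Issuer    = $payload.iss
        NotBefore = $nbf.UtcDateTime
        Expires   = $exp.UtcDateTime
        Usable    = ($payload.Type -eq 'BulkRegistration' -and $now -ge $nbf -and $now -lt $exp)
    }
}

function New-CmgClientInstallCommand {
    # Builds the exact command line shown in the post, refusing an unusable token.
    param(
        [Parameter(Mandatory)][string]$CmgHost,   # e.g. CONTOSO.CLOUDAPP.NET (hypothetical)
        [Parameter(Mandatory)][string]$CmgId,     # the number after CCM_Proxy_MutualAuth/
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$Token
    )
    $info = Get-RegTokenInfo -Token $Token
    if (-not $info.Usable) {
        throw "Token is not usable (Type=$($info.Type), valid $($info.NotBefore) to $($info.Expires) UTC)"
    }
    $mp = "$CmgHost/CCM_Proxy_MutualAuth/$CmgId"
    # The space before /regtoken matters: it is a ccmsetup switch, not part of SMSSiteCode.
    "ccmsetup.exe /mp:https://$mp CCMHOSTNAME=$mp SMSSiteCode=$SiteCode /regtoken:$Token"
}

# Usage (paste the token printed by BulkRegistrationTokenTool.exe /new on the site server):
# $token = '<paste token here>'
# Get-RegTokenInfo -Token $token
# New-CmgClientInstallCommand -CmgHost 'CONTOSO.CLOUDAPP.NET' -CmgId '72186325152220500' `
#     -SiteCode 'ABC' -Token $token | Set-Content -Path .\install-cmg.cmd
```

Run Get-RegTokenInfo on the site server right after generating the token and again on the target device before installing; if Expires has passed in between, generate a fresh token rather than retrying the install, and delete the .cmd file (it contains the token) once ccmsetup has been launched.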

Conclusion

Once everything is configured correctly, you should have a CMG up and running, with all devices connecting to the Configuration Manager site regardless of the network they are on. You can monitor connectivity through the SCCM console (Administration – Cloud Services – Cloud Management Gateway) and the Azure portal.




Hope this post is useful

Cheers

Asitha De Silva

Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.


Copyright © 2024 Terminalworks. All Rights Reserved