In the previous post, Implementing SCCM Cloud Management Gateway with Token-based Authentication – Part 01, I discussed step by step everything related to implementing a new Cloud Management Gateway with token-based authentication. In this post, I continue where I left off: configuring the CMG management point and software update point, and connecting clients successfully.
Configuring Management Point
After implementing the CMG with token-based authentication, you need to configure the management point to allow CMG traffic; before doing that, you need to tick the following setting.
In the SCCM console, go to Administration – Site configuration – Sites, open the site properties, and tick Use Configuration Manager-generated certificates for HTTP site systems.
Next, open the Management point properties by right-clicking the Management point role; you can now tick Allow Configuration Manager cloud management gateway traffic.
Configuring Software update point to deploy through CMG
After you have enabled the management point to send traffic through CMG as enhanced HTTP, you can configure the Software update point to Allow Configuration Manager cloud management gateway traffic. Since I have a single software update point for both the internet and intranet, I have used the option to allow internet and intranet client connections.
Configuring Boundary groups and Client settings
After configuring the CMG and the Management point, you need to specify which devices will connect using CMG. This is configured in Client settings, and you deploy the setting to the device collection of your choice. In my scenario, I need all the devices to connect to the Configuration Manager site regardless of the network, so I have enabled clients to use the Cloud management gateway using Default client settings.
Also, I'm controlling cloud distribution through boundary groups, so I have enabled all clients to access the cloud distribution point.
When you create a new boundary group, you can assign the Cloud management gateway site into the reference site. This will enable relevant boundaries to communicate with the CMG Cloud DP to get the content.
Configuring clients and troubleshooting
Once you have configured everything as in Part 1 of this article and set the Management point to Enhanced HTTP as discussed above, your clients should pick up the CMG automatically without any further configuration. When you open the Configuration Manager client from the Control Panel of the device, you can see the internet-based management point in the network settings.
Also, the connection type will change according to the network where the client resides. It should turn to an intranet or the internet, depending on the connection.
Still, this does not confirm that your client can connect to the CMG without any issues; to confirm, you need to check ClientLocation.log.
If you look closely, you can see when the client changes the network from the intranet to the internet, the CCM client talks to the CMG and gets the token to register, then it can start the communication with the Management Point. Then the log will show the client is on the internet and its current management point as the CMG. With these records, you can confirm the successful connection.
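The same check can be scripted on the client. The function below is an added example, not part of the original post: it reads the connection type, the current management point and the internet-facing MP candidates from the client's WMI data, then pulls the recent ClientLocation.log messages that mention the internet or a management point. The function name is hypothetical, and it assumes a standard client install (the root\ccm WMI namespaces and the default log path C:\Windows\CCM\Logs).

```powershell
# Added example: summarize how the local ConfigMgr client sees its management point.
# Run in an elevated PowerShell session on the client.
# Assumptions: standard client WMI namespaces (root\ccm) and the default log path.
function Get-CmgClientState {
    [CmdletBinding()]
    param(
        [string]$LogPath = "$env:WinDir\CCM\Logs\ClientLocation.log",
        [int]$Tail = 15
    )

    # Connection type as the client itself reports it (intranet vs. internet).
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' -ErrorAction Stop

    # Management point the client is currently using.
    $authority = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction Stop |
        Select-Object -First 1

    # Internet-facing MP candidates; the CMG should be listed here once the
    # client has received its location information.
    $internetMps = Get-CimInstance -Namespace 'root\ccm\LocationServices' `
            -ClassName 'SMS_ActiveMPCandidate' -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'Internet' } |
        Select-Object -ExpandProperty MP

    # ClientLocation.log is in CMTrace format: <![LOG[message]LOG]!><time=... >
    # Keep only the message text of recent lines about the internet or an MP.
    $messages = @()
    if (Test-Path -LiteralPath $LogPath) {
        $messages = Get-Content -LiteralPath $LogPath |
            ForEach-Object {
                if ($_ -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!>') { $Matches['msg'] }
            } |
            Where-Object { $_ -match 'internet|management point' } |
            Select-Object -Last $Tail
    }

    [pscustomobject]@{
        OnInternet             = [bool]$info.InInternet
        CurrentManagementPoint = $authority.CurrentManagementPoint
        InternetMPCandidates   = @($internetMps)
        RecentLogMessages      = @($messages)
    }
}

Get-CmgClientState | Format-List
```

On a client that is off the corporate network, OnInternet should be True and CurrentManagementPoint should show the CMG host name rather than the on-premises management point.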