SCCM 1606 Cloud Proxy Guide

Configmgr in the cloud

UPDATE

This post is about the Cloud Proxy feature, which was included with Tech Preview 1606 of SCCM Current Branch.

While featured in the Tech Preview for 1606, Cloud Proxy was not included with the production release of SCCM 1606, which shipped on July 22, 2016.

Didnt make it.png

So, while you cannot use this SCCM 1606 today, it’s still available in the tech preview.

SCCM 1606 Tech Preview brings a cool new feature to us, allowing us to manage machines even if they aren’t in the office. We can push Windows updates, deploy software, and also configure devices using SCCM Client Settings and DCM, even if a machine is half-way across the world!

This feature is called the Cloud Proxy service ūüĒó, and in this step-by-step guide I’ll tell you why it’s cool and how to do itÔľĀ

What problems does this solve?

One of the biggest challenges to the SCCM Admin in managing machines is handling those systems which rarely are in the office.

Some types of staff– such as our sales team –might cover a region and never bring their machine to the home office. If they don’t VPN either, and you don’t have DirectAccess set up, you might only see a machine once a year. Just a couple hours a week or month to push app updates ensure Antivirus is current and get those Windows updates installed. Very challenging. ¬†You know what it’s like, for some users you just have to send an e-mail like this:

Please come to the office at some point this year, I’ll even buy donuts!

Cloud Proxy in SCCM tp1606 allows us to configure our environment to use Azure and its global footprint to extend¬†the functionality of our management point, distribution point and even software update point to the Web. It’s like a freaking aircraft carrier for ConfigMgr, it extends our sphere of influence to cover the entire globe!

To the veterans out there, this might sound similar to a current feature however…

How is this different from IBCM though?

SCCM has offered a feature called Internet based client management for a while now.  It does cover some of the same ground as Cloud Proxy, however the key difference between the two is that with IBCM, we are taking ownership of all of the work of securing access to our SCCM Infrastructure from the outside Web.

That means adding new servers into a DMZ¬†and all of that network change request and security compliance meetings (BARF) which goes with a big, scary change. ¬†In IBCM,¬†we’ll also have clients hitting our SCCM¬†Infrastructure from over the Web so we also need to worry about our upload speed and take steps to ensure that serving content out doesn’t impact the quality of service for our internal users too.

Compare this to the solution offered by Cloud Proxy, in which we allow Azure and Microsoft to shoulder the burden for some of those tasks, and only have to worry about our SCCM server having a route available to Azure instead.

Azure is not a free meal

However there are Azure costs for running this.

In my test lab with a handful of machines with Azure Proxy, it cost about $2 a day to run, purely to keep the Azure Servers online. ¬†Speaking entirely out of my butt, I wouldn’t expect the compute costs to be too high for managing machines, but I would factor in some fluff factor when presenting the costs to management, if you’re doing something vastly different than me, you might be spending more like $5 a day to keep the lights on the Azure Cloud Proxy Service.

Note: This is with two Azure hosts for redundancy, although you might decide to try to run with one host or maybe you need 10 depending on your risk tolerance.

You also will pay for data transfer out of Azure.  For the first 5 TB, the rate is $0.087 / GB, which is absurdly cheap.

To put this into perspective, let’s say you need to deploy Adobe Premier (it’s about 1 GB) to your entire remote marketing team, all 1000 of them (dear lord, can you imagine having to deal with 1,000 advertising primmadona’s? ¬†So much plaid and skinny jeans…).

If they’re all remote, that’s about a terabyte of traffic, so it’d cost about $85 to deploy that one app. ¬†That ain’t free but it’s a lot cheaper than the license for ANY app, and probably less than what the company would pay for one hour of your fully loaded cost to the employerūüĒó . ¬†Management will not care.

A more realistic scenario is Windows Updates or AV updates. ¬†The average Forefront Definitions package is 250KB. ¬†Three of those a day, 30 times a month is 24MB per system. ¬†For those same thousand computers, it’d only be ¬†24 GB, or $2 to ensure your machines always have up to date AV Definitions delivered by your company.

These are estimates for generic situations, so read up on pricing ūüĒó¬†before you decide to commit.

Overview of the steps

We’ll go through the following steps in this order. ¬†This diverges slightly from Microsoft’s documentation¬†ūüĒó¬†but I have found that the order presented here prevents some irritating rework which will VERY likely come up if you follow MS’s guide.

  • Come up with a name for our¬†SCCM Cloud Proxy Service
  • Make a new cert template to use with the Cloud Proxy Service
  • Request the cert from the CAS /primary
  • Export the certificatie twice, once as a pfx and once as a. Cer
  • Upload the cer as an authorized management cert in Azure
  • Setup the proxy service in SCCM
  • Configure roles to use the service
    • Optional : configure a DNS Record for the service
  • Begin managing clients wherever they are

Prerequisites

To get started, we’ll need a few things setup or readily available.

  • Know our Azure subscription ID
  • Have the ability to create new Certificate Templates (Enterprise Admin is the easiest way to get this, or request delegation otherwise)
  • Already have SCCM operating in HTTPS mode. ¬†Follow this guide if you’ve not done that yet. ¬† MicrosoftūüĒó
  • Have SCCM 1606
Finding our Azure Subscription ID

To find your Azure Subscription ID, sign in to Azure, go to the Classic portal and then down to settings. ¬†You’ll see your ID listed here as shown below.

16 subscription ID
The Subscription ID of ham ham ham probably won’t work for you.

 

Name our SCCM Cloud Proxy Service

While we’re still in Azure, we should come up with a good name for our Cloud Proxy Service.

Here’s why the name matters: the way this whole thing works is that–once configured–the next time a client requests an update for policy, they’ll receive settings for using the Cloud Proxy Service as an IBCM Point (effectively), and will try to access the client at <servicename>.domain.com.

This needs to route to <serviceName>.cloudapp.net, which is Microsoft Azure’s root domain used for almost all Azure accessible machines and services. ¬†This is true not just of ours, but for every one in the world who uses Azure for websites, services and things like SCCM Cloud Proxy.

This means that our ConfigMgr Cloud Proxy Service MUST be unique in the world.
If you fail to do this, you’ll get errors like this one later on in the process.

Unable to create service, the name already exists
Unable to create service, the name already exists

To avoid this, let’s find a good name for our service using a built-in feature for Azure that will only show us valid addresses. ¬† Still in the Azure Portal, click New, Compute \ Cloud Service \ Quick Create and then use the box which appears here to test out the name for your Cloud Service.

test the cloud service name
Every permutation of ‘cloud’, ‘SCCM’ and ‘Slow Moving Software’ I could think of was already taken

As we can see, SCCMCloud was already taken, but after enough permutation, I found a good one.

test the cloud service name 1
Rolls right off the tongue

Don’t create the service! ¬†We just did this to make sure our name wasn’t taken yet!

Write this stuff down, you’ve got both the name of the service, and our Azure Subscription. We’re ready to move on.

Make a new cert template to use with the Cloud Proxy Service

Since we’re opening this stuff up to the whole web using Azure, we are going to need some security and that means PKI certificates. ¬†We’ll make a new Certificate Template, configure it just so and allow our SCCM Server which will host the Cloud Proxy Connector role to enroll in this cert. ¬†Don’t worry, I’ll walk you through the whole process.

First, connect to a machine which has Certificate Authority with an account that has appropriate permissions.  Domain or Enterprise Admin will cut it. Launch the CA Console. Go down to Certificate Templates and choose Manage.

00Make a new cert

Scroll down to Web Server and choose duplicate.

01 Duplicate WebServer

If you’re prompted for Compatibility, always choose the oldest one. ¬†Go with Server 2003 if it doesn’t default to that already.

On the General¬†tab, it will default to the name of ‘Duplicate of WebServer’ which is garbage, so change the Template Display Name¬†¬†to something like ‘SCCM Cloud Certificate‘.02 new cert

Next on the Request Handling tab,¬†make sure to check the box for ‘Allow private key to be exported’¬†. ¬†If you miss this one, you have to start over.

03 cert

Next, on the Security Tab, remove the check for Enroll for Enterprise Admins. ¬†You can probably skip this step, but I’d do it anyway.

04 remove ent admins enroll perm cert

Next, click Add and specify a security group which contains your SCCM servers, and make sure they have at a minimum the Read and Enroll Permission.

05 add new group

That’s all the changes we have to make so hit¬†OK¬†and then close the¬†Certificate Templates window.

Back in the Certificate Authority console, click Certificate Templates \ New \ Certificate Template to Issue.

06 issue this cert

Choose the cert template we just created, SCCM Cloud Certificate.  (or whatever you called it)

07 enableit

Request the cert from the CAS /primary

Now we’ve created a whole new type of Certificate and allowed our SCCM Servers to request it. ¬†At this point, either GPupdate or reboot your SCCM Server which will host the Cloud Proxy Connector Role so it will update Workstation Group Policy.

On the SCCM Server to host the Cloud Proxy Connector Role, launch the MMC and add the Certificates Snap-in, for the Computer.

08 request cert

Now go to Personal \ Certificates \ All Tasks \ Request New Certificate

09 request cert

In this next window, you should see a fancy new cert available with the name we chose earlier, but it will say More information is required to enorll for this certificate.  Click that text.

10 almost there

In the Certificate Properties wizard which appears, on the General tab, enter the name of our SCCM Cloud Service.  Mine was FoxDeploySCCMProxy.foxdeploy.com, but yours is whatever you came up with in Azure.

correct cert name req

Once you’ve put your name in, hit OK and then Enroll.12 yay

And now we should see our brand new certificate in the console here, issued to our cloud service.  confirm our cert

Export the certificate twice, once as a pfx and once as a .cer

One of the core tenants of PKI is validating who you’re talking to and only trusting those who are vetted by someone you trust. ¬†We created this cert so that our machines will trust the Cloud Proxy service when they interact with it later in lieu of our SCCM Servers. ¬†So now that we’ve requested this cert, we need to export it in two different formats and put those files in the right place.

On the SCCM Server, select the certificate for our Cloud Proxy Service and choose All Tasks \ Export.  

13 export the cert

On the first run through, choose Yes, Export the private key.

14 yep

When you export the certificate with the private key, you must secure it with a password so pick something good. Don’t forget this as you’ll be prompted for it in about five minutes!

15 best password

Put the certificate somewhere safe and then run through the wizard again. ¬†This time choose ‘No, do not export the private key’ and choose the .cer file format (the default works fine).

two certs
Don’t lose the files. Make sure you have one in both .cer and .pfx

Now you should have two separate cert files, one with a .pfx and one in the .cer format.

Upload the cer as an authorized management cert in Azure

If you don’t want to constantly enter credentials for Azure, you can use management certificates instead, and that’s just what we’re going to do with the .cer file we just created. ¬†Later on in this process the SCCM Wizard will use this same certificate file to authenticate itself against Azure, and them make all the changes we need for Cloud Proxy to Work.

Log back into Azure \ Settings \ Management Certificates \ Upload

16 upload a cert

In the next page, browse out to the .cer file you created and plop her in there. ¬†Then hit¬†OK¬†and you’re done.

upload

Setup the proxy service in SCCM

It only took 1700 words before we are ready to open the SCCM Console. ¬†We’re here! ¬†Fire up the SCCM console and oh yeah, be sure you’re running 1606 tech preview. ¬†Browse over to¬†Administration \ Cloud Services \ ¬†Cloud Proxy Service and choose ‘Create Cloud Proxy Service.’

17 admin cloud services cloud prox serivce

On the next page, paste in your Azure Subscription ID, and browse to the .pfx certificate we exported.18 Setting up cloud proxy

Now, the most important page:

  • Service Name – the Service Name we tested earlier in Azure (so if you tested SCCMisCool.cloudapp.net, enter only SCCMisCool).
  • Description – will end up in Azure as the flavor text for this new Azure Cloud Service.
  • Region – Pick a geographical region which makes sense for your company
  • Instance Number – How many instance you want to run. ¬†At this time there is no guidance on how many you should have but two is the default
  • Certificate File – Select the .pfx file one more time
  • Root Certificate File – this should probably say management certificate instead, it’s the .cer file.
  • Verify Client Certificate Revocation – you would know if you needed to do this based on your organizational standards

1 actually signing up for the cloud service!

Alright you made it! Now verify everything looks cool in the summary page and hit Next.

2 summary

And we’re off. ¬†You can monitor the install status by refreshing the SCCM ¬†Console under¬†Administration \ Cloud Services \ Cloud Proxy Service, or if you’re a real man, open up CloudMgr.logs. ¬†You should see nothing for a bit and then ‘Starting to Deploy Service’

3 seven seconds in heaven

After a few minutes you will see ‘Deployment instance status for service <ServiceName> is ReadyRole.’

You can also monitor this installation within Azure by clicking to Cloud Services and watching your new Cloud Proxy Service appear here.  6 building instances

 

6.1 Service is running 2
Elapsed time between pictures is roughly ten minutes

With this completed, we now have our Proxy SCCM roles running in Azure.  The final step is to install the connector locally and then configure which roles we want to use the service.

Install the connector and configure roles to use the service

Back in the SCCM Console, go to Administration \ Sites and Roles and choose to add a role to whichever SCCM Server you want to talk to clients on the internet via Azure.

3.1 install the cloud proxy connector point role

In the next page, choose your Cloud Proxy Service from the drop down box. You can ignore the text about Manually installing the client cert, as we’ve already done so.

3.2 install the cloud proxy connector point role 2

Now, open up SMS_CLOUD_PROXYCONNECTOR.log, and chances are you’ll see this:

4 add a dns alias

Text:ERROR: Failed to build Http connection f201bcf3-6fee-48d2-af38-0e7311588f23 with server FOXDEPLOYSCCMPROXY.FOXDEPLOY.COM:10125. Exception: System.Net.WebException: The remote name could not be resolved: 'foxdeploysccmproxy.foxdeploy.com'

If you see this error, this means that you need to add a CNAME record in DNS. ¬†If you’re using Windows DNS, the record should be setup like the following:

DNS Record

Once this is done, do an ipconfig /flushdns on your SCCM Server and you should see the log files clear up.

5 service gets created

Now that SCCM can talk to Azure, we’re in the money. ¬†All that remains is to configure the roles we want to use the Cloud Proxy Service.

Browse to Administration \ Site Configuration \ Servers and Site Systems and choose the server with the Cloud Proxy Role.  Go to Management Point \ General and make sure that HTTPS and Allow Configuration Manager Cloud Proxy Traffic are selected.

6.2 configure MP for cloud proxy

Once you do this, it will trigger a reinstall of the Management Point if needed, to configure HTTPs.  Be sure to monitor the install from MPSetup and MPMsi.log for a healthy install.

Begin managing clients wherever they are

And we’re finished! ¬†The final step is to refresh policy on some SCCM Clients and take them outside the boundaries of the network. ¬†You’ll know that the client is talking to Azure when you by monitoring ClientLocation.log and you should see the new Cloud Proxy Management Point appear as an Internet Management Point.

Client get's new MP

Additionally, from the Configuration Manager Control Panel, you’ll see values filled out now under the Network tab for Internet Based Management Points.

Client WORKS
You’ll also see the site listed as ‘Currently Internet’ on the General tab as well

What’s next

Now you’re free to manage this client mostly the same as if it were in the office, with Software Updates, Software Installation, new Client Settings and Antivirus Definitions as well! ¬†You’ll enjoy up to date Hardware and Software inventory as well!

Be sure to configure each one of these additional roles from the SCCM Console as well.

Did I miss something?  Leave me a comment or shoot me an e-mail / tweet.  stephen [at] foxdeploy dot com.  Twitter: @FoxDeploy

Source

New Capabilities in SCCM tp 1606ūüĒó

Configuring SCCM 2012 R2 in HTTPS¬†ūüĒó

Configuring a cloud DP¬†ūüĒó

Advertisements

48 thoughts on “SCCM 1606 Cloud Proxy Guide

  1. Lionel Oh June 28, 2016 / 11:16 pm

    Great write up! Would it work with machines that are not part of the SCCM Primary server domain? I.e. Managing other Azure based VMs in another domain/forest.

    • FoxDeploy June 29, 2016 / 9:06 am

      The machines will need certs to be able to communicate with the Azure Proxy, so if you have a mechanism to do that (manual enrollment or creating and approving a certificate request for those machines outside of the domain), then I don’t see why it wouldn’t work.

  2. JamieT June 29, 2016 / 7:47 am

    How does this tie into SCCM/Intune Hybrid model? Right now I have been installing SCCM client on all end-points but these rare mobile devices that never come into the office. I install the Intune client on them. This would pretty much eliminate that and let me stick with just SCCM client right? Will Activity info but known through the Cloud Proxy?

    • FoxDeploy June 29, 2016 / 9:07 am

      Intune is all about stripped down management options. You can natively manage machines pretty well even if they’re not in the domain, but you can’t do Task Sequences, OSD, USMT etc on them. You’re just pushing apps, configuring conditional access and mail profiles and ensuring AV is working, basically.

      In your use case, you could use SCCM Proxy instead. Those machines out in the field forever would effectively look like machines within the home office. Now, some things like USMT might not work though (not sure if SMP knows how to handle the proxied clients)

      • JamieT June 29, 2016 / 9:34 am

        Awesome thanks for the info. can’t wait till this rolls out for all.

  3. Anil KP June 29, 2016 / 8:10 am

    You mentioned to enable on MP properties for cloud proxy traffic in the end. How about enabling the clients for DP & SUP.

    • FoxDeploy June 29, 2016 / 9:08 am

      Sorry didn’t take screen shots of that but I will!

  4. J.R. Esposito (@JoseEsposito_IT) July 5, 2016 / 4:32 pm

    Hey Stephen!

    Would this possibly result in computers not being assigned to CM boundaries (but inside your network / joined to domain) going through Azure? Great write up, just thinking outloud.

    • FoxDeploy July 5, 2016 / 4:56 pm

      Exactly. If there is a defined boundary, the pc talks to those MP, dp and SUPs. If a machine is outside of these days it talks to Cloud proxy, which is really just ICBM

      • Oliver July 7, 2016 / 4:24 am

        Hi, does this not depend on if the client is Internet or Intranet and does a client not consider to be Intranet as Long he can reach a Domain Controller and in that case would contact the internal MP instead going to the cloud Proxy ?

        • FoxDeploy July 7, 2016 / 7:26 am

          Domain controllers don’t factor into this at all, from what I can tell. If a client is within predefined boundaries (the boundary groups you create in SCCM) then it is viewed as intranet. Not in a boundary? Then it’s uses Cloud proxy to go through Azure instead.

  5. Dave July 13, 2016 / 8:49 am

    Great write up on this. I’m in the process of designing an IBCM infrastructure for my current company for the obvious reasons. This may give me reason to hold. What I have been told for ICBM is that due to me having a CAS and 2 primary infra, I need 2 IBCM points since they hang off the primaries. I see you say you can link this to the CAS. I also am running an intune hybrid so the cloud service point hangs off one of the primaries as required by MS. So my overall question is does this truly hang off the CAS and I would only need one instance (which I would like ideally) and would be different from the 2 instance IBCM (one off each primary, according to MS, which duplicates all certs and infra)? That would be a HUGE advantage to me to only have one set of certs.

    • FoxDeploy July 13, 2016 / 10:51 am

      Interesting question: you CAN have multiple Cloud Proxies in your environment, but I’m not certain if you would need two in your environment. Make a thread on reddit/r/sccm and post the link here. I’ll raise it to the attention of the folks at MS.

  6. Oscar July 20, 2016 / 10:17 am

    Nice Post!!

    What about the remote control to an internet client connected via cloud proxy?? Till now the only way to use remote control it’s under VPN connection or Direct Access, but this needs windows 7 enterprise or ultimate.

    Thanks

    • FoxDeploy July 21, 2016 / 5:57 pm

      No remote control… Yet. But if you really had to you could push an application like VNC to a machine and remote through that.

      If you want Cloud proxy remoting, I suggest you make a ticket on uservoice ConfigMgr.

  7. Mark July 22, 2016 / 11:45 am

    Very good write up. Everything was smooth until I installed the site role. I’m getting an error in SMS_CLOUD_PROXYCONNECTOR.log:

    ERROR: Failed to create com TaskExecution with error = 0X80040154
    End main SMS_CLOUD_PROXYCONNECTOR thread

    The log just loops this over and over. That error code equates to “Class not registered”

    Any ideas what this could be?

    Thanks!

  8. mteegarden July 23, 2016 / 1:19 pm

    Great post. I just upgraded my site to 1606 and I do not see the “Cloud Proxy Service” under “Cloud Services”. Any idea as to why?

    • FoxDeploy July 23, 2016 / 2:23 pm

      Try to relaunch the sccm console and see if it updates. You should see the option appear once the console updates

      • mteegarden July 23, 2016 / 5:37 pm

        Nope. I even ran a site restore from cd.latest. Uninstalled the console. Reinstalled. Still nothing. This is my lab environment. I’ll see what happens when I upgrade production next week. Weird.

        • Oliver July 24, 2016 / 3:35 am

          same here … updated but no Cloud proxy option

        • FoxDeploy July 24, 2016 / 4:40 pm

          Did you give consent for prerelease features? This is a new thing for 1606 and beyond, you have to do an extra eula to expose the hidden goodness.

  9. Oliver July 25, 2016 / 9:32 am

    on my site it is checked but still no cloud proxy ūüė¶

  10. Dave July 25, 2016 / 9:58 am

    Yep, it does not look like its apart of this release and may only be apart of TP5 at this point. I would guess it was to close to the release of the official 1606 to send it out.

    • Oliver July 25, 2016 / 1:57 pm

      yep, …offical blog post states it is not in the 1606 production release ūüė¶

  11. Justin Rassi August 9, 2016 / 7:24 pm

    hello, I was not able to find a technical preview forum. I have successfully provisioned the cloud proxy service in azure but these are the errors I am getting in the proxy connector log file. local cname is created, I added a local hosts file entry resolving the cloud ip and service fqdn, as I thought that might be the issue; but no change. verify certificate is unchecked, use pki when available is checked….I don’t get it?

    everything is set correctly per the article

    ERROR: Failed to build Tcp connection blank with server blank.blankme.com:10140. Exception: System.Net.WebException: TCP CONNECTION: Failed to connect TCP socket with proxy server —> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it CloudIP:10140~~ at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.TcpConnection.Connect()~~ — End of inner exception stack trace —~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.TcpConnection.Connect()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionBase.Start()~~ at Microsoft.ConfigurationManager.CloudConnection.ProxyConnector.ConnectionManager.MaintainConnections()

    • FoxDeploy August 9, 2016 / 7:31 pm

      Hi! Recommend you post this on TechNet and give me the link. I’ll make sure the ConfigMgr devs see it. There were a lot of issues with Cloud proxy so it’s been delayed until a later release

  12. Taylor Artunian August 17, 2016 / 7:26 pm

    Do all config manager servers and clients have to be in the same domain/forest? And if not can one cloud proxy service clients from different domains/forests?

    • FoxDeploy August 17, 2016 / 9:06 pm

      I’m not sure. Can one MP service clients in many domains? I’ve never tried that configuration before.

      My gut feeling is no, as the policy for a cloud proxy comes down from a MP. Communication to the proxy is over certs so there isn’t a domain req there…

      I dunno!

      • Dave August 18, 2016 / 5:47 am

        I’m in a 25+ trusted domains (25 untrusted)situation and when using IBCM you need to just distribute the certs with the root ca’s certificate. When using in untrusted or dmz you would manually install the cert and that would allow connection to whatever point is in that cert. I would assume it would be the same.

        • Taylor Artunian August 18, 2016 / 7:39 pm

          If I may ask, are all of these domains on the same WAN/connected by VPN or are they unrelated/not connected to eachother. I am trying to find out if I can run SCCM over the internet as an MSP platform.

        • Dave August 19, 2016 / 8:19 am

          Trusted and several untrusted are connected via wan/vpn. With a service account we can discover ad and install clients. Outside that the other machines are IBCM. IBCM in these environments severely limits what SCCM can actually do. You loose the ability to deploy software based on user, imagining is hosed, forget any integration with intune or exchange. You basically do machine based deployments, software updates, and inventory. We run ours as a service for the entities under our parent company’s EA, but if you truely wanted to do MSP, you need to become an MS partner and be a tenant admin and peddle intune as the platform. The site license/EA would not cover you for multiple individual company’s with SCCM.

  13. Artyom August 24, 2016 / 3:25 am

    Hello Stephen. Thanks for sharing your experience! Much appreciated.
    I’m wondering about where software update content would come to clients connected to the Cloud Proxy. Do I have to make it available on an internal DP or clients can pull it directly from Microsoft Update?

    • FoxDeploy August 24, 2016 / 5:51 am

      You have the option of either, actually. You either user Cloud DP for your remote clients, or allow them to download content from WSUS, using Custom Client Policy settings

  14. Peter Clark September 30, 2016 / 3:55 am

    Hi Steve, great write up. Have you looked into hosting the entire ConfigMgr environment in Azure?

    • FoxDeploy October 3, 2016 / 11:19 am

      You could… But I would be cautious to ensure that my first primary is able to take ownership of the Systems Management container. It’s possible that network routing could affect this, so I would probably stand up a dc in Azure to make sure it works as expected.

      There’s no reason you couldn’t do it though! It would be cool to have an Azure Resource Manager template to deploy everything needed for a sccm deployment in Azure, then setup the prerequisites with DSC.

      I might blog on that!

  15. Dave October 3, 2016 / 11:14 am

    FYI – I just got back from Ignite and the product manger confirmed cloud proxy will be in GA for 1610 and the tentative release will be the end of November. Its hung off primaries so if you have a CAS and multiple primaries, you would need a CPP for each primary.

    • FoxDeploy October 3, 2016 / 11:16 am

      Cool! Thanks for validating!

  16. Marcel January 5, 2017 / 4:21 am

    Hi, thank you for this really helpful post. One question you mal have an answer to:
    As a service provider we are running several windows server on customer sites which can’t be managed via SCCM yet (NAT, no direct network connection…). We don’t want to give all this server public internet access just to connect the Azure SCCM Proxy. So our idea is, to create a VPN connection from the customer site to our azure cloud. So data goes:
    Windows Server -> Default GW -> VPN Tunnel -> Azure SCCM Proxy -> VPN -> Our Datacenter.
    Will this work?

    • FoxDeploy January 5, 2017 / 10:06 am

      Interesting question. If the servers you want to manage can route to .domain.com, and .cloudapp.net over 443 and 80, you’ll be fine.

    • Oliver January 5, 2017 / 10:19 am

      first why you will setup a VPN between your Datacenter and Azure ? Azure Proxy is desiged to not need such complexity. In Addition Keep in mind that you have limited functionality at the Moment so you can¬īt install third Party patches using Software update Point as you cannot push Software update packages to a cloud dp which is the only supported DP at the moment. for your scenario you should consider to place sccm infrastructure directly into azure and not use the cloud gateway.

  17. Matthew January 20, 2017 / 5:09 pm

    Hello,

    This is a great step by step. Better than the one on TechNet! https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

    Hopefully you are OK with suggestions:

    1. You may want to rename your post to ‘SCCM Cloud Management Gateway’ so that is comes up in searches for the topic.

    2. The SCCM Cloud Cert that you request on the SCCM server needs the Common Name of [whatever].cloudapp.net In your blogs example it would be FoxDeploySCCMProxy.Cloudapp.net

    Matthew

  18. Ioan Popovici January 26, 2017 / 1:00 pm

    I would be nice if someone would post something about installing internet workgroup clients (from Azure for example) manually. I’ve installed the required certificates but clients can’t communicate for some reason with the Cloud Management Gateway. It’s really frustrating and I found almost zero documentation on this…

    • FoxDeploy January 28, 2017 / 9:32 am

      Do your clients trust the root and have the full cert chain from the CA? I believe there is a trusted host concept too for non domain communication

      • Ioan Popovici January 29, 2017 / 6:02 am

        Yes they do. I think the problem is that our CA does not publish the CRL anywhere. I will fix that on Monday and get back to you. There is no other explanation everything else seems ok. There where some problems with our MP but I fixed those by issuing a client certificate for the MP (forgot about that).
        I verified everything, IIS bindings WSUS+MP, Root certificates are automatically installed via GPO but I verified those anyway, Root certificates added to Client Communication, Allow CMG traffic, etc.
        It’s not a prod env yet but we are migrating soon. I would be nice if this proves reliable despite it being in pre-relase now, we could ditch DMZ site systems.

        • FoxDeploy January 29, 2017 / 9:17 am

          You can disable crl checking if needed, but that’s not a good solution

      • Ioan Popovici February 2, 2017 / 4:59 am

        OK, so yeah that was the problem, once the CRL was configured on the CA everything started working!
        Thanks ūüôā

Have a code issue? Share your code by going to Gist.github.com and pasting your code there, then post the link here!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s