ConfigMgr and the Cloud Proxy Point

 

Technical Preview 5 using Build 1606 or 1607 let's you play around with the new Cloud Proxy feature, and I thought I’d run up a guide on this awesome feature to help others reach out to play with it a bit more easily, as it is a very enabling architectural element for us to have in the design toolkit and worth checking out.

I found the release notes to be a little short on a few details when I got this guide underway, I had to come back to it for several attempts, Torsten Meringer another Enterprise Mobility MVP helped me out understanding what the Service Domain Name should be, CLOUDAPP.NET, and explained how he setup his Cloud Proxy Point certificate using PKI instead of a self-signed certificate, from there everything else just falls into place as documented.

After you’ve done this a few times it takes mere minutes to sail through, but for the first time it’s going to most likely take well over an hour to complete.

A key thing to note in the steps for enabling the Cloud Proxy Point is that your roles have to switch into HTTPS mode after you’ve added the Cloud Proxy Point role, I found that if you do not do this, the ConfigMgr Clients never see the Cloud Proxy Point. An example of how to manifest this unknowingly is if you remove the Cloud Proxy service and Cloud Proxy Point role, then try to put them back on without first switching your MP\DP\SUP roles to HTTP.

To get to the point where you can test out this Cloud Proxy point feature, you will need to have PKI setup already for your ConfigMgr environment.

For a lab you can simply switch your existing MP, DP and SUP if testing with, into HTTPS mode, but for a lab that is servicing non-HTTPS clients, you will need to setup a new Site system with which to host your new HTTPS based MP, DP and SUP roles.

Before you begin working through this guide, your MP\DP and SUP roles must be fully functional in HTTPS mode. Once you’ve tested them, and before you begin the guide, switch them to HTTP mode. I found if you don't, you’re clients will not get a Cloud Proxy Point given to them when they do a Location Request while on the Intranet.

 

From your Active Directory Domain Controller, or a system running the RSAT tool, create a new Active Directory Security Group called ConfigMgr Cloud Proxy PKI Template

image

We’ll use this Security Group for two purposes, to generate the Cloud Proxy Point certificate and the Azure Management Certificate.

Now that the Security Group has been created, we next need to add the Site servers computer account to it, please go ahead and do that now.

Once done reboot the Site server so that its computer account token is updated with this new security group membership.

To proceed, we’ll concentrate on creating the Cloud Proxy certificate, this is created in the same way that you’d create a Cloud Distribution Point certificate as shown here for reference, we’ll set this certificate up below so no need to transition to the steps in that link.

Switch to your Certificate Authority server.

Open the Certificate Authority MMC snap-in, navigate down to Certificate Temples, from there right-click and Select Manage.

image

We’ll need to do the below steps twice, but hold off doing so for now, until I tell you later in the guide to return to this point.

The Certificate Templates console will appear (or switch to it if returning here), from there navigate to the Web Server template, right click and select Duplicate Template.

image

On the General tab, enter the new Template Name as ConfigMgr Cloud Proxy Point Certificate

image

Select the Request Handling tab, tick Allow private key to be exported

image

Select the Security tab and then Enterprise Admins, remove Enroll permissions for Enterprise Admins.

image

Add the new Security Group name ConfigMgr Cloud Proxy PKI Template

image

Tick Read (should already be ticked) and Enroll

Select OK

Right click Certificate Templates, select New, then select Certificate Template to Issue

image

Locate and select the ConfigMgr Cloud Proxy Point Certificate entry in the Enable Certificates Templates dialog

image

Select OK

That’s the Cloud Proxy Point PKI Certificate setup, we now need to setup the Azure Management certificate.

I’ve separated these two certificates out, as it is a more secure way of dealing with your Azure subscription, I could have opted to reuse the Cloud Proxy Point Certificate as the Azure Management Certificate, but I prefer the degree of separation.

So now return above where I told you earlier you’d be returning too, and use the following details to change the steps:

Call the template name the following: ConfigMgr Azure Management Certificate

In the Enable Certificate Templates dialog: Select the ConfigMgr Azure Management Certificate

When you are done, we’ll continue from here.

We’re going to request the Cloud Proxy Point and Azure Management Certificates from the Certificate Authority now, so that we can export them, and while we’re in the Certificates snap-in we’re going to fetch the Trusted Root Certificate.

Before we do this we’re going to have to think of a unique Azure Service name for our Cloud Proxy Point. This will be appended to a Domain Name called CLOUDAPP.NET, it must be unique, if you don’t get this right you’ll have to recreate the below Certificates once you find the problem and generate a unique service name.

An easy way to find out if a service name is taken is to ping it, if there is no DNS match you can try that as a service name. Later in this guide you’ll be asked to provide the Service Name and the Service Name FQDN, the latter just being your service name with .CLOUDAPP.NET appended.

From the Primary Site server, open the Certificates MMC snap-in for the Local Computer

Expand Personal and right click Certificates, select All Tasks and then Request New Certificate

image

The Certificate Enrollment dialog will now appear, from which you’ll need to tick both the ConfigMgr Cloud Proxy Point and ConfigMgr Azure Management Certificate entries

image

Both certificates need a Common Name configured, we’ll do the ConfigMgr Azure Management certificate entry first, so select the “More information …” link underneath it

From the Subject Name panel, and from the Type drop-down box, select Common Name

For Value enter your service FQDN.

Select Add

image

Select OK

Select the ConfigMgr Cloud Proxy Point certificate entry, and select the “More information …” link underneath it

From the Subject Name panel, and from the Type drop-down box, select Common Name

For Value enter your service FQDN.

Select Add

image

Select OK

Now select Enroll and Finish once done, while noting whether it is successful or not

image

You should end up with your two certificates back in the Certificate snap-in

image

Let’s export them, we need to do this twice for each certificate, starting with the ConfigMgr Azure Management certificate

Select the ConfigMgr Azure Management certificate, right click it, select All Tasks then Export

image

Select Next then Yes, export the private key

Select Next

image

Select Next

image

Tick the Password check box and give this certificate a strong password, note it as you’ll need this password

Select Next

image

Now to save the certificate by selecting Browse, give it a suitable name, this one will be saved in PFX file format, drop it into a common folder that you’ll return to again a few more times.

image

Repeat the export of the ConfigMgr Azure Management Certificate, but this time do not export the Private key, this will cause you to be prompted just for the filename, give it the same name as your previous certificate, this one will be saved in CER file format

image

Now do the same again for your ConfigMgr Cloud Proxy Point certificate, repeating the steps above to export it as a CER file.

Once you’re done exporting, go back to the Certificates snap-in, navigate to the Trusted Root Certification Authorities node, expand Certificates and select the root certificate for your domain. I’ve selected and highlighted mine here:

image

Right click it, select All Tasks then Export, accept the default format type, give it a name and store it along with the other certificates you’ve already exported naming it appropriately (YOURDOMAINRootCA.CER for example)

Now you need an Azure Trial, or a functioning Azure subscription, I’ll assume you will create a test subscription from new to check the Cloud Proxy feature out.

To setup a new Azure subscription you’re going to need a Microsoft account, if you don’t have one of those to hand, or spare, create a new one here

Go visit the Azure Trial and set yourself up a subscription, you’ll need an MS account (Live, Hotmail et al), a credit card (not-charged unless you upgrade to a paid subscription yourself) and your phone details. This will give you a 30 day or so trial to mess around with, and enough resources to run up a demo of the Cloud Proxy point.

image

Once you’ve subscribed and logged in, you will need to connect to the Azure Classic Portal, instead of the new Portal that you’ve most likely logged in with.

This is a requirement for a configuration element of the Cloud Proxy, Azure Management Certificates, a feature which I believe is deprecated but used by the Cloud Proxy feature today.

Visit MANAGE.WINDOWSAZURE.COM and login if necessary.

Once logged in, we’ll now upload our ConfigMgr Azure Management certificate to Azure itself, so as to gain access to the Azure Service Management API for the Cloud Proxy Point.

More can be read on Azure API Management Certificates here.

In the Azure Classic Portal, select Settings, then select Management Certificates

image

image

The Upload a Management certificate window will pop up in the browser, click the Folder icon and navigate to your ConfigMgr Azure Management certificate

image

Enter the strong password that you set when exporting this certificate

Note that it is uploaded to your Azure subscription.

image

Anyone flashing this Certificate around can completely control your Azure subscription, so tuck it away somewhere safe when done.

image

Note the Subscription ID, it’ll be in dashed notation like XXXX-XXXX-XXX-XXXX-XXXXX, store this away as you’ll need it in a moment and we’ll refer to it as your Subscription ID.

 

Now we’ll add the Cloud Proxy Service to the ConfigMgr Site server. To do this we visit the Administration workspace, and expand Cloud Services and select Cloud Proxy Service.

Select Create Cloud Proxy Service on the Ribbon, or via a Right click on Cloud Proxy Service

image

You’ll be greeted by the Create Cloud Proxy Service Wizard.

Enter your Subscription ID.

Select Browse and select your ConfigMgr Azure Management certificate

image

It’ll prompt you for the Certificates strong password, tap it in, then select Next

image

Now enter your Service Name, this is not your Service FQDN.

Select the Region you are testing in.

For Certificate File select Browse and navigate to the ConfigMgr Cloud Proxy Point certificate

The Service FQDN will automatically be populated from the certificates Common Name.

For Root certificate file select Browse and navigate to the Root Certificate that you exported earlier

Make sure Verify Client Certificate Revocation is not ticked, unless you are setup for it, if in doubt, untick.

Select Next

image

Select Next and then Finish

Now go monitor the CLOUDMGR log to see it provisioning the service into Azure, eventually you’ll also see the SMS_CLOUD_PROXYCONNECTOR log.

Once everything has settled down, from the ConfigMgr Console you should be able to see that the service has been setup correctly

image

image

In the above shots I’ve already had some traffic pass through, for a brand new setup the metrics should be white space.

I heard that if it shows Partially connected for an extended period of time, mine showed for a minute or two, then there was a problem provisioning the service. Try again, if it doesn’t work it is most likely a glitch.

Now that’s the Certificates and on-boarding of the services in Azure done, next we set up the Site server to use the Cloud Service, by installing a Cloud Proxy Point, and then we’ll do a quick run through with a Client test, run from a client on the Internet.

From the ConfigMgr Console, go to the Administration workspace, select Site Configuration and then Sites.

Assuming this is a Stand-alone Primary site server, select it and then select Properties, otherwise select the Primary you want to run the test on

From the Client Computer Communications tab, tick the box next to Use PKI client certificates (client authentication) when available text, and make sure to untick Clients check the certificate revocation list (CRL) for site systems.

Now add the Cloud Proxy Connector role to your Site server. No instructions needed for bedding this role in, just select and install it.

And to complete the server configuration switch your MP, DP and SUP to HTTPS mode, while making sure to tick the Allow Configuration Manager Cloud Proxy Traffic while switching to HTTPS in each of those roles properties dialogs. Make sure the roles are functioning, check the MPCONTROL log to make sure the MP is working fine.

That should be it.

You can go back if you like and look at the steps in the Technical Preview notes, to double check we’ve not missed anything, especially if you are buzzing up and down the guide trying to figure out why it isn’t working.

Now, to kick the wheels of this feature you’re going to need to have a ConfigMgr Client installed. Take care of that on a device that can be set to visit the Internet.

Once all of the above changes have been implemented, while on the Intranet recycle the CCMEXEC service on the ConfigMgr Client so that it gets a Location Services update, these occur every 24 hours if left alone, so recycling the service will speed this part of the testing up somewhat.

Once Policy has arrived and been processed by the ConfigMgr Client (go look at the messages and date stamps in the POLICYEVALUATOR log) open WBEMTEST and connect to ROOT\CCM\LOCATIONSERVICES, select Enum Classes… and select OK, navigate until you find the SMS_ActiveMPCandidate class, double click it, and then select the Instances button.

Here you can quite clearly see that the ConfigMgr Client knows all about our Cloud Proxy Management Point and will switch to it if it senses we’re on the Internet (out of any defined boundaries)

image

Now that we know that the ConfigMgr Client is ready to begin using the Cloud Proxy Point, let’s trigger it to do so.

I used a mobile hotspot to get a WIFI connection for my laptop to use, which was routing onto the internet.

Once I got the laptop on to the Internet, I checked the ClientLocation log, so as to see if the ConfigMgr Client was registering as being on the Intranet or Unknown (Internet in this case). Sure enough after a few moments it fired into life the Connection Type value changed to show as Unknown, which means Internet in our case, as can be seen below:

2016-08-08 (2)

Now switch back to the ClientLocation log, after a few moments if not already done, there should be activity, and a switch taking place to the Cloud Proxy service instead of continuing to try the on-premise Management Point.

2016-08-08 (3)

In the above shot you can see we’ve rotated over to using a new URL for the Management Point as:

CP1EMMVPTEST04.CLOUDAPP.NET/CCM_Proxy_MutualAuth.

Now you just need to open the PolicyEvaluator log, then trigger a Machine Policy Retrieval, watch from the log, confirm that Policy was retrieved, if it has it’s been retrieved from the Cloud Proxy service!

I also sent down a test Package\Program combination, one package with real content, another to just launch Notepad, all arrived as you’d expect when Machine Policy was triggered.

I didn’t test out the SUP as I didn’t have it configured in the lab, but am sure it’ll function just as fine as the Management Point and Distribution Point did, I’ll be sure to test that another time to make sure.

Enjoy the feature, I really rate this, I can see it becoming a major element in the architectural design process, one companies will use to extend their systems management ‘reach’ to their most difficult to manage, remote and not-well-connected to the core network end-points (with the condition that they at least have internet access), as well as to atypical remote office devices that have good internet access (serviced today by IBCM for example), with the added advantage of removing the need to host your on-premise ConfigMgr roles in public facing DMZs (so that IBCM can function), instead, Azure is used to route the traffic between the ConfigMgr Clients and your on-premise roles in a secure fashion.

A great feature. Cannot wait to see it develop further.

Tweet me on @RobMVP if you want to chat about the guide, any deviations you had to make, or if you just plain are stuck, will try to help.