In the previous post, Implementing SCCM Cloud Management Gateway with Token-based Authentication – Part 01, I discussed step by step everything related to implementing a new Cloud Management Gateway with token-based authentication. In this post, I continue where I left off: configuring the CMG management point and software update point, and connecting clients successfully.
After implementing the CMG with token-based authentication, you need to configure the management point to allow CMG traffic; before doing that, you need to enable the following setting.
In the SCCM console, go to Administration – Site Configuration – Sites, open the site properties and tick Use Configuration Manager-generated certificates for HTTP site systems.
Next, open the management point properties by right-clicking the Management point role, and tick Allow Configuration Manager cloud management gateway traffic as shown below.
After you have enabled the management point to accept CMG traffic over enhanced HTTP, configure the software update point to Allow Configuration Manager cloud management gateway traffic as well. Since I have a single software update point serving both the internet and the intranet, I selected the option to allow both internet and intranet client connections.
After configuring the CMG and the management point, you need to specify which devices will connect using the CMG. This is configured through client settings, deployed to the device collections of your choice. In my scenario, I need all devices to connect to the Configuration Manager site regardless of the network, so I have enabled clients to use a cloud management gateway in the Default Client Settings.
Also, I'm controlling cloud distribution through boundary groups, so I have enabled all clients to access the cloud distribution point, as shown below.
When you create a new boundary group, you can add the cloud management gateway as one of the boundary group's site system references. This allows the boundaries in that group to communicate with the CMG cloud DP to get content.
Once you have configured everything as described in Part 1 of this article and set the management point to enhanced HTTP as discussed above, your clients should pick up the CMG automatically without any further configuration. When you open the Configuration Manager client from the device's Control Panel, you can see the internet-based management point in the network settings as follows.
Also, the connection type changes according to the network where the client resides: it shows Intranet or Internet depending on the connection.
Still, this does not confirm that your client can connect to the CMG without any issues; to confirm that, you need to check ClientLocation.log.
If you look closely, you can see that when the client moves from the intranet to the internet, the CCM client talks to the CMG and obtains the token to register, and only then starts communicating with the management point. The log then shows that the client is on the internet and that its current management point is the CMG. With these records, you can confirm the connection succeeded.
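To turn that manual log reading into a repeatable check, here is an added example (my own Python, not code from the original post or from the Configuration Manager product) that replays ClientLocation.log entries and reports the client's last known location and management point. It assumes the CMTrace entry layout that Configuration Manager logs use and recognises a CMG management point by the CCM_Proxy_ path segment seen in the post's URL; the log lines inside it are constructed to approximate the messages described above, not captured from a real client.

```python
import re
from datetime import datetime

# One CMTrace entry: <![LOG[message]LOG]!><time="HH:MM:SS.mmm+off" date="MM-DD-YYYY" component="..." ...>
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"\s+component="(?P<component>[^"]*)"',
    re.DOTALL,
)

# CMG management point URLs carry a CCM_Proxy_... path segment (the post's uses CCM_Proxy_MutualAuth).
CMG_MARKER = "/CCM_Proxy_"

# Constructed sample of a ClientLocation.log in CMTrace format. The wording approximates what the
# post describes (a client that moves from the intranet to the internet and picks the CMG as its
# management point); it is not a capture from a real client.
SAMPLE_LOG = '''\
<![LOG[Client is on Intranet.]LOG]!><time="09:15:02.117+000" date="02-03-2020" component="ClientLocation" context="" type="1" thread="4120" file="ccmutillib.cpp:100">
<![LOG[Current Management Point is MP01.CONTOSO.LOCAL with capabilities: <Capabilities SchemaVersion="1.0"/>]LOG]!><time="09:15:02.131+000" date="02-03-2020" component="ClientLocation" context="" type="1" thread="4120" file="ccmutillib.cpp:120">
<![LOG[Client is on Internet.]LOG]!><time="12:40:51.502+000" date="02-03-2020" component="ClientLocation" context="" type="1" thread="5096" file="ccmutillib.cpp:100">
<![LOG[Current Management Point is CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 with capabilities: <Capabilities SchemaVersion="1.0"/>]LOG]!><time="12:40:51.620+000" date="02-03-2020" component="ClientLocation" context="" type="1" thread="5096" file="ccmutillib.cpp:120">
'''


def parse_cmtrace(text):
    """Yield (timestamp, component, message) for each CMTrace entry, in logged order."""
    for m in CMTRACE_RE.finditer(text):
        # Drop the UTC-offset suffix ("+000" / "-300") and parse the millisecond stamp.
        stamp = f'{m["date"]} {m["time"][:12]}'
        yield datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S.%f"), m["component"], m["msg"]


def locate_client(log_text):
    """Replay ClientLocation.log and return the client's last known location and MP.
    `changed_at` is the time of the most recent intranet/internet transition."""
    state = {"location": None, "management_point": None, "via_cmg": False, "changed_at": None}
    for ts, _component, msg in parse_cmtrace(log_text):
        if msg.startswith("Client is on "):
            location = msg[len("Client is on "):].rstrip(".")
            if location != state["location"]:
                state["location"], state["changed_at"] = location, ts
        elif msg.startswith("Current Management Point is "):
            mp = msg[len("Current Management Point is "):].split(" with capabilities", 1)[0]
            state["management_point"] = mp
            state["via_cmg"] = CMG_MARKER in mp
    return state


def cmg_connection_confirmed(state):
    """The check the post describes: on the internet AND the current MP is the CMG proxy."""
    return state["location"] == "Internet" and state["via_cmg"]


if __name__ == "__main__":
    state = locate_client(SAMPLE_LOG)
    print(state)
    print("CMG connection confirmed:", cmg_connection_confirmed(state))
```

Point `locate_client` at the contents of C:\Windows\CCM\Logs\ClientLocation.log on a client to get the same verdict the screenshots show; a client that reports Internet but whose management point carries no CCM_Proxy_ segment is the case worth investigating in LocationServices.log.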
Troubleshooting
If you have issues connecting clients to the CMG, some troubleshooting is needed, and the best sources for finding errors are ClientLocation.log and LocationServices.log. You can troubleshoot 80% of errors through the following points.
Bulk registration is used to install the SCCM client over the public internet. You generate a bulk registration token on the site server, copy it to the internet-facing client device, and run ccmsetup with it. With this token, the client contacts the CMG and registers itself with the management point. A bulk registration token has a short validity period.
Open a command prompt as an administrator, navigate to the Configuration Manager installation folder \bin\X64 and run BulkRegistrationTokenTool.exe /new to generate a new token.
Copy the CCM client installation files to the internet-based device and run the setup with the generated bulk registration token. Use the following command line when installing.
Example:
ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0NNIiwiTGljZW5zZSI6IlNDQ00iLCJUeXBlIjoiQnVsa1JlZ2lzdHJhdGlvbiIsIlRlbmFudElkIjoiQ0RDQzVFOTEtMEFERi00QTI0LTgyRDAtMTk2NjY3RjFDMDgxIiwiVW5pcXVlSWQiOiJkYjU5MWUzMy1wNmZkLTRjNWItODJmMy1iZjY3M2U1YmQwYTIiLCJpc3MiOiJ1cm46c2NjbTpvYXV0aDI6Y2RjYzVlOTEtMGFkZi00YTI0LTgyZDAtMTk2NjY3ZjFjMDgxIiwiYXVkIjoidXJuOnNjY206c2VydmljZSIsImV4cCI6MTU4MDQxNbUwNSwibmJmIjoxNTgwMTU2MzA1fQ.ZUJkxCX6lxHUZhMH_WhYXFm_tbXenEdpgnbIqI1h8hYIJw7xDk3wv625SCfNfsqxhAwRwJByfkXdVGgIpAcFshzArXUVPPvmiUGaxlbB83etUTQjrLIkgvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZPJUu4-mQFIgrMmKCYbFk3AaEvvrJienfWSvFYLpIYA7lg6EVYRcCAA
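Because the token is short-lived and the long command line is easy to mangle when pasting (the space before /regtoken matters), the following added example (Python written for this post, not part of the original article or of ccmsetup) parses the command line and decodes the token's JWT payload to show its Type, issuer and nbf/exp window before you hand it to a client. The claim names mirror those visible in the post's example token; the GUIDs, timestamps and signature in the sample token are constructed placeholders, and the code does not verify the RS256 signature (only the site can), so treat it as a sanity check, not as proof the token will be accepted.

```python
import base64
import json
import time


def b64url_encode(data: bytes) -> str:
    """base64url without the '=' padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(nbf: int, exp: int) -> str:
    """CONSTRUCTED token using the claim names visible in the post's example token.
    GUIDs are placeholders and the signature is junk; a real token is signed by the site."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": "PLACEHOLDER-CERT-THUMBPRINT"}
    claims = {
        "SCCMTokenCategory": "SCCMPreAuthToken", "Authority": "SCCM", "License": "SCCM",
        "Type": "BulkRegistration",
        "TenantId": "00000000-0000-0000-0000-000000000000",
        "UniqueId": "11111111-1111-1111-1111-111111111111",
        "iss": "urn:sccm:oauth2:00000000-0000-0000-0000-000000000000",
        "aud": "urn:sccm:service",
        "exp": exp, "nbf": nbf,
    }
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode(),
             b"not-a-real-signature"]
    return ".".join(b64url_encode(p) for p in parts)


def parse_ccmsetup_cmdline(cmdline: str) -> dict:
    """Split a ccmsetup.exe command line into its /switch:value and NAME=value arguments."""
    args = {}
    for tok in cmdline.split()[1:]:                  # skip "ccmsetup.exe"
        if tok.startswith("/") and ":" in tok:
            key, value = tok[1:].split(":", 1)       # /mp:https://...   /regtoken:eyJ...
        elif "=" in tok:
            key, value = tok.split("=", 1)           # CCMHOSTNAME=...   SMSSiteCode=ABC
        else:
            key, value = tok.lstrip("/"), "true"     # bare switches without a value
        args[key] = value
    return args


def inspect_regtoken(token: str, now_epoch=None) -> dict:
    """Decode the JWT payload and say whether the token is usable at now_epoch (Unix seconds).
    The RS256 signature is NOT checked here; only the site can verify it."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    now_epoch = int(time.time()) if now_epoch is None else now_epoch
    nbf, exp = claims["nbf"], claims["exp"]
    return {
        "alg": header.get("alg"),
        "type": claims.get("Type"),
        "issuer": claims.get("iss"),
        "audience": claims.get("aud"),
        "not_before": time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(nbf)),
        "expires": time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(exp)),
        "lifetime_hours": (exp - nbf) / 3600,
        "usable": claims.get("Type") == "BulkRegistration" and nbf <= now_epoch < exp,
    }


def check_install_command(cmdline: str, now_epoch=None) -> dict:
    """Sanity-check the whole command line: /mp and CCMHOSTNAME must agree, token must be live."""
    args = parse_ccmsetup_cmdline(cmdline)
    report = inspect_regtoken(args["regtoken"], now_epoch)
    mp_host = args["mp"].split("://", 1)[-1]          # strip the https:// scheme
    report["mp_matches_hostname"] = mp_host.lower() == args["CCMHOSTNAME"].lower()
    report["site_code"] = args.get("SMSSiteCode")
    return report


# Constructed example: CMG URL, CCMHOSTNAME and site code are the post's placeholders; the
# token is generated above with sample nbf/exp values spanning 72 hours (long expired by now).
SAMPLE_TOKEN = make_sample_token(nbf=1580156305, exp=1580415505)
SAMPLE_CMDLINE = (
    "ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 "
    "CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 "
    f"SMSSiteCode=ABC /regtoken:{SAMPLE_TOKEN}"
)

if __name__ == "__main__":
    for key, value in check_install_command(SAMPLE_CMDLINE).items():
        print(f"{key:>20}: {value}")
```

Run `check_install_command` on the real command line you are about to paste into the client before copying it across: a missing space, a CCMHOSTNAME that does not match /mp, or a token already past its exp claim are all caught here rather than in a failed ccmsetup run.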
Conclusion
Once everything is configured correctly, you should have an up-and-running CMG, with all devices connecting to the Configuration Manager site regardless of the network they are on. You can monitor connectivity through the SCCM console and the Azure portal.
Hope this post is useful
Cheers