Cloud Management Gateway
Satyam Shivam
MS Competency Team
Agenda
• Why we need CMG
• Components of CMG
• Requirements, Specifications
• Placement of CMG components / Hierarchy
• Ports
• Cost | Outbound Data Transfer
• Client Setting
• Certificate for CMG
• ARM, Configure Azure Services, Server App and Client App
• Enhanced HTTP
• Azure AD Authentication Workflow
• Some Key SQL Tables
• Logs to troubleshoot
Why we need CMG
• To manage Configuration Manager clients on the internet.
• You also don't need to expose your on-premises infrastructure to the internet.
Components of CMG (diagram)
• CMG Cloud Service
• CMG Connection Point
• Service Connection Point
• Management Point
• Software Update Point
• Internet-Based Clients
• Cloud Distribution Point
Cloud Service Models
Components of CMG
• The CMG cloud service in Azure authenticates and forwards Configuration Manager client requests to the CMG connection point.
• The CMG connection point site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG, including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.
• The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure AD. Make sure your service connection point is in online mode.
Components of CMG
• The management point site system role services client requests as normal.
• The software update point site system role services client requests as normal.
• Internet-based clients connect to the CMG to access on-premises Configuration Manager components.
• The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.
• Internet-based clients use PKI certificates or Azure AD for identity and authentication.
• A cloud distribution point provides content to internet-based clients, as needed.
• Starting in version 1806, a CMG can also serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs. For more information, see Modify a CMG.
Requirements
• An Azure subscription to host the CMG.
• To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin.
• To deploy the CMG, you need a Subscription Admin.
• A Windows server to host the CMG connection point.
• The service connection point must be in online mode.
• A server authentication certificate for the CMG.
• Other certificates may be required, depending upon your client OS version and authentication model.
• Clients must use IPv4.
Specs
• CMG only supports the management point and software update point roles.
• CMG doesn't support clients that only communicate with IPv6 addresses.
To make a user a Subscription Admin, assign the Owner role at the subscription scope.
Hierarchy Design
• Create the CMG at the top-tier site of your hierarchy. If that's a central administration site, then create CMG connection points at child primary sites.
• The cloud service manager component is on the service connection point, which is also on the central administration site.
• You don't need to deploy multiple CMG instances for the purposes of geolocation.
Ports
• You don't need to open any inbound ports to your on-premises network.
• TCP-TLS: preferred protocol to build the CMG channel.
• HTTPS 443: fallback protocol to build the CMG channel when there is only one VM instance.
• HTTPS 10124 – 10139: fallback protocol to build the CMG channel when there are two or more VM instances.
Cost | Outbound Data Transfer
• CMG uses Azure Cloud Services as platform as a service (PaaS). This service uses virtual machines (VMs) that incur compute costs.
• CMG uses a Standard A2 V2 VM.
• You select how many VM instances support the CMG. One is the default, and 16 is the maximum. (Scale the CMG to support more clients by adding more VM instances.)
• Charges are based on data flowing out of Azure (egress or download). Any data flows into Azure are free (ingress or upload).
• CMG data flows out of Azure include policy to the client, client notifications, and client responses forwarded by the CMG to the site. These responses include inventory reports, status messages, and compliance status.
• Misconfiguration of the CMG option to Verify client certificate revocation can cause additional traffic from clients to the CMG.
Additional Information
• Changing the VM configuration is not supported.
• You can add instances but cannot add resources to the VM.
• The certificate added in the CMG properties can be checked in the IIS bindings.
Client Setting
• Enable clients to use a cloud management gateway.
Certificate for CMG
• Allow the private key to be exported.
• Supply the subject name, so that we can set the custom subject name we want; if we don't choose this, the subject name will be the name of the client machine.
ARM: Azure Resource Manager
• Create the CMG using an Azure Resource Manager deployment.
• Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group.
• To simplify the deployment and management of resources, the Azure Resource Manager deployment model is recommended for all new CMG instances.
• This modernized deployment doesn't require the classic Azure management certificate.
• ARM deployment uses apps as credentials and needs Azure Services.
Configure Azure Services
• Web App/API: also referred to as the server app in ConfigMgr. SCCM uses it to access Azure.
• Native App/API: also referred to as the client app in ConfigMgr. Clients use it to request an Azure AD token.
We can either import the apps or create them.
• If we set up the apps from the console, SCCM takes care of the permissions.
• If we import the apps, the permissions will be missing and need to be granted explicitly.
https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/azure-services-wizard
** Private Cloud: Azure US Government Cloud.
Server App Import
• Tenant Name: any name
• Tenant ID: Directory ID
• App Name: Web App CMG
• Client ID: App ID
• Secret Key
• App ID URI: it is in the access token used by the Configuration Manager client to request access to the service. By default this value is https://ConfigMgrService.
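To show where the App ID URI matters, here is an added example (not from the deck and not Configuration Manager's own code) that decodes the claims of an Azure AD access token and checks that its audience is the App ID URI and its tenant is the expected directory. The token and the tenant ID are constructed placeholders, and signature verification against the tenant's signing keys is assumed to happen elsewhere.

```python
import base64
import json
import time

# Default App ID URI from the deck; the tenant ID below is a constructed placeholder.
DEFAULT_APP_ID_URI = "https://ConfigMgrService"
TENANT_ID = "00000000-0000-0000-0000-00000000beef"  # constructed, not a real tenant


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_cmg_token(token, app_id_uri=DEFAULT_APP_ID_URI, tenant_id=TENANT_ID, now=None):
    """Return the list of problems with the token's CMG-relevant claims (empty = OK).

    Only claims are checked here; the caller is assumed to have already verified
    the signature. A token whose aud is not the App ID URI was issued for some
    other resource and must not be accepted for the CMG service.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != app_id_uri:
        problems.append(f"aud {claims.get('aud')!r} != App ID URI {app_id_uri!r}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid {claims.get('tid')!r} != tenant {tenant_id!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or has no exp claim")
    return problems


def make_test_token(aud, tid, exp):
    """Build a constructed token with a dummy signature, for exercising the checks."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "tid": tid, "exp": exp}).encode())
    return f"{header}.{payload}.dummysignature"


if __name__ == "__main__":
    token = make_test_token("https://OtherService", TENANT_ID, int(time.time()) + 3600)
    print(check_cmg_token(token))
```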
Server App Create
Client App Create, Import
Server App Permissions
• Application type means it has direct access to read Azure AD.
Client App Permissions
The server app has Application-type permissions, which means it can read Azure AD directly.
The client app has Delegated-type permissions, which means it asks the server app to read Azure AD on its behalf. It has the user read permission.
SQL Table to check
Select * from AAD_Application_Ex
https://techcommunity.microsoft.com/t5/Premier-Field-Engineering/Importing-Apps-to-set-up-Cloud-Management-Gateway-CMG-for/ba-p/740011
Authentication
• The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.
• Internet-based clients use PKI certificates or Azure AD for identity and authentication.
Azure AD User, User Group Discovery
Prereq:
• Azure Service for Cloud Management.
• If the user is a federated or synchronized identity, you must use Configuration Manager Active Directory user discovery as well as Azure AD user discovery. For more information about hybrid identities, see Define a hybrid identity adoption strategy.
Log File:
• Actions for Azure AD user discovery are recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file on the top-tier site server of the hierarchy.
Importance:
• Azure AD user discovery is required if we use Azure AD authentication; if we use certificates, we don't need it.
Limitations
• Delta discovery for Azure AD user group discovery is currently disabled.
* Federated means up to you.
Docs:
https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/configure-discovery-methods#azureaadisc
https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/about-discovery-methods#azureaddisc
https://docs.microsoft.com/en-au/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-identity-adoption-strategy
Some Key Tables
• select * from AAD_Tenant_Ex (to check STS metadata)
• select * from vProxy_Roles
• select * from vProxy_RoleEndpoints
Query to check applications
SELECT AE.ID, AE.ClientID, AE.Name [App Name], AE.IsClientApp, AE.IdentifierUri,
AER.IsTombstoned, ACS.Name [Azure Service Name]
FROM AAD_Application_Ex AE
LEFT JOIN AAD_CloudServiceApplicationRelations AER ON AER.AADApplicationID = AE.ID
LEFT JOIN Azure_CloudService ACS ON ACS.ID = AER.ID
If any app is not used by an Azure Service, the Azure Service Name column will display a value of NULL.
https://internal.support.services.microsoft.com/en-us/help/4517228
Enhanced HTTP
• How to enable it.
• Wait up to 30 minutes for the management point to receive and configure the new certificate from the site.
• This enables SSL on the required virtual directories and makes the communication secure.
Logs: CertMgr, SiteComp
https://docs.microsoft.com/en-us/configmgr/core/plan-design/hierarchy/enhanced-http
Log Files
• For troubleshooting deployments, use CloudMgr.log and CMGSetup.log.
• For troubleshooting service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
• For troubleshooting client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.
CMGSetup, CMGService, CMGContentService and CMGHttpHandler logs are on the Azure VM.
SMS_Cloud_ProxyConnector.log
Trying to build Tcp connection 0bea65f5-ac5d-467c-8171-67240cedae3e with server NATLAB.CLOUDAPP.NET:10140 SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
Starting to connect to Proxy server NATLAB.CLOUDAPP.NET:10140 with client certificate F3D5A5714F2AF28ECC06483C3E686BA95917FC98 and connection ID 0bea65f5-ac5d-467c-8171-67240cedae3e... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
Sending signIn message to Proxy server... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
Got signIn confirm message from Proxy server and processing it... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
Parking connection 0bea65f5-ac5d-467c-8171-67240cedae3e to Proxy server NATLAB.CLOUDAPP.NET:10140... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
Connection 0bea65f5-ac5d-467c-8171-67240cedae3e finished initialization and started SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
Enable Verbose Logging
You can configure the logging level using the Trace level setting (Information (default), Verbose, Error) on the Azure portal, under the Cloud services Configuration tab.
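As an added example (not part of the deck), the following Python reads SMS_Cloud_ProxyConnector.log lines in the layout shown above, follows each connection ID through the build, sign-in, parking and started steps, and reports connections whose handshake stalled. The first six sample lines are the healthy sequence from the slide; the second connection (ID ending in 0002) is constructed to show a sign-in that never gets its confirm message.

```python
import re
from datetime import datetime

# Constructed sample in the flat "message COMPONENT date time thread (0xhex)" layout.
# Lines 1-6: healthy sequence from the deck. Lines 7-9: constructed stalled connection.
SAMPLE_LOG = """\
Trying to build Tcp connection 0bea65f5-ac5d-467c-8171-67240cedae3e with server NATLAB.CLOUDAPP.NET:10140 SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
Starting to connect to Proxy server NATLAB.CLOUDAPP.NET:10140 with client certificate F3D5A5714F2AF28ECC06483C3E686BA95917FC98 and connection ID 0bea65f5-ac5d-467c-8171-67240cedae3e... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
Sending signIn message to Proxy server... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
Got signIn confirm message from Proxy server and processing it... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
Parking connection 0bea65f5-ac5d-467c-8171-67240cedae3e to Proxy server NATLAB.CLOUDAPP.NET:10140... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
Connection 0bea65f5-ac5d-467c-8171-67240cedae3e finished initialization and started SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
Trying to build Tcp connection 11111111-2222-3333-4444-000000000002 with server NATLAB.CLOUDAPP.NET:10141 SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:05:10 PM 5024 (0x13A0)
Starting to connect to Proxy server NATLAB.CLOUDAPP.NET:10141 with client certificate F3D5A5714F2AF28ECC06483C3E686BA95917FC98 and connection ID 11111111-2222-3333-4444-000000000002... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:05:10 PM 5024 (0x13A0)
Sending signIn message to Proxy server... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:05:10 PM 5024 (0x13A0)
"""

LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s+(?P<component>[A-Z_]+)\s+"
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<thread>\d+)\s+\((?P<thread_hex>0x[0-9A-Fa-f]+)\)\s*$"
)
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
SERVER_RE = re.compile(r"server ([A-Za-z0-9.\-]+:\d+)")
CERT_RE = re.compile(r"client certificate ([0-9A-Fa-f]{40})")

# Handshake steps in the order a healthy connection logs them.
STAGES = [
    ("build", "Trying to build Tcp connection"),
    ("connect", "Starting to connect to Proxy server"),
    ("signin_sent", "Sending signIn message"),
    ("signin_confirmed", "Got signIn confirm message"),
    ("parked", "Parking connection"),
    ("started", "finished initialization and started"),
]


def parse_line(line):
    """Split one log line into message, component, timestamp and thread; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["stamp"] = datetime.strptime(rec["stamp"], "%m/%d/%Y %I:%M:%S %p")
    return rec


def track_connections(log_text):
    """Map each connection ID to its server, client cert thumbprint and the stages seen.

    The signIn lines carry no connection ID, so they are attributed to the
    connection most recently named on the same thread.
    """
    conns = {}
    current_by_thread = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        guid = GUID_RE.search(msg)
        if guid:
            cid = guid.group(0)
            current_by_thread[rec["thread"]] = cid
        else:
            cid = current_by_thread.get(rec["thread"])
            if cid is None:
                continue  # nothing to attribute this message to
        entry = conns.setdefault(cid, {"server": None, "cert": None, "stages": [], "last": None})
        server = SERVER_RE.search(msg)
        if server:
            entry["server"] = server.group(1)
        cert = CERT_RE.search(msg)
        if cert:
            entry["cert"] = cert.group(1)
        for stage, marker in STAGES:
            if marker in msg:
                entry["stages"].append(stage)
                break
        entry["last"] = rec["stamp"]
    return conns


def stalled_connections(conns):
    """Connections that never reached 'started', with the last stage they did reach."""
    return {cid: (e["stages"][-1] if e["stages"] else None)
            for cid, e in conns.items() if "started" not in e["stages"]}


if __name__ == "__main__":
    for cid, stage in stalled_connections(track_connections(SAMPLE_LOG)).items():
        print(f"connection {cid} stalled after stage {stage}")
```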
Cloud Management Gateway for SCCMZ .pptx

Contenu connexe

Similaire à Cloud Management Gateway for SCCMZ .pptx

Aws certified security specialty practice tests 2022
Aws certified security specialty practice tests 2022Aws certified security specialty practice tests 2022
Aws certified security specialty practice tests 2022SkillCertProExams
 
Who's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State MonitoringWho's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State MonitoringKevin Hakanson
 
How to Pass Salesforce Identity and Access Management Architect Exam?
How to Pass Salesforce Identity and Access Management Architect Exam?How to Pass Salesforce Identity and Access Management Architect Exam?
How to Pass Salesforce Identity and Access Management Architect Exam?AdinaCoyle
 
Azure Stack Overview (Dec/2018)
Azure Stack Overview (Dec/2018)Azure Stack Overview (Dec/2018)
Azure Stack Overview (Dec/2018)Cenk Ersoy
 
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker GmbH
 
Cloudamize Platform Training for Azure.pptx
Cloudamize Platform Training for Azure.pptxCloudamize Platform Training for Azure.pptx
Cloudamize Platform Training for Azure.pptxSasikumarPalanivel3
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CAAmazon Web Services
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsWinWire Technologies Inc
 
VMware Workspace ONE a synergie s Microsoftem
VMware Workspace ONE a synergie s MicrosoftemVMware Workspace ONE a synergie s Microsoftem
VMware Workspace ONE a synergie s MicrosoftemMarketingArrowECS_CZ
 
Spanning cloud services across azure and aws
Spanning cloud services across azure and awsSpanning cloud services across azure and aws
Spanning cloud services across azure and awsMohamed Wali
 
Smart Integration to the Cloud - Kellton Tech Webinar
Smart Integration to the Cloud - Kellton Tech WebinarSmart Integration to the Cloud - Kellton Tech Webinar
Smart Integration to the Cloud - Kellton Tech WebinarKellton Tech Solutions Ltd
 
Hybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow Up
Hybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow UpHybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow Up
Hybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow UpNicole Bray
 
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 Amazon Web Services
 
Building Hybrid Cloud Apps with Azure and Azure stack
Building Hybrid Cloud Apps with Azure and Azure stackBuilding Hybrid Cloud Apps with Azure and Azure stack
Building Hybrid Cloud Apps with Azure and Azure stackWinWire Technologies Inc
 
DataSynapse and Amazon EC2 Technical Overview
DataSynapse and Amazon EC2 Technical OverviewDataSynapse and Amazon EC2 Technical Overview
DataSynapse and Amazon EC2 Technical OverviewIvan_datasynapse
 
Delivering Hybrid Cloud Solutions on Microsoft Azure
Delivering Hybrid Cloud Solutions on Microsoft AzureDelivering Hybrid Cloud Solutions on Microsoft Azure
Delivering Hybrid Cloud Solutions on Microsoft AzureKemp
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesDynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesMitchell Pronschinske
 
Introduction to Azure
Introduction to AzureIntroduction to Azure
Introduction to AzureRobert Crane
 

Similaire à Cloud Management Gateway for SCCMZ .pptx (20)

Aws certified security specialty practice tests 2022
Aws certified security specialty practice tests 2022Aws certified security specialty practice tests 2022
Aws certified security specialty practice tests 2022
 
Who's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State MonitoringWho's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State Monitoring
 
How to Pass Salesforce Identity and Access Management Architect Exam?
How to Pass Salesforce Identity and Access Management Architect Exam?How to Pass Salesforce Identity and Access Management Architect Exam?
How to Pass Salesforce Identity and Access Management Architect Exam?
 
Azure Stack Overview (Dec/2018)
Azure Stack Overview (Dec/2018)Azure Stack Overview (Dec/2018)
Azure Stack Overview (Dec/2018)
 
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
 
Understanding Azure AD
Understanding Azure ADUnderstanding Azure AD
Understanding Azure AD
 
Cloudamize Platform Training for Azure.pptx
Cloudamize Platform Training for Azure.pptxCloudamize Platform Training for Azure.pptx
Cloudamize Platform Training for Azure.pptx
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CA
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
 
VMware Workspace ONE a synergie s Microsoftem
VMware Workspace ONE a synergie s MicrosoftemVMware Workspace ONE a synergie s Microsoftem
VMware Workspace ONE a synergie s Microsoftem
 
Spanning cloud services across azure and aws
Spanning cloud services across azure and awsSpanning cloud services across azure and aws
Spanning cloud services across azure and aws
 
Smart Integration to the Cloud - Kellton Tech Webinar
Smart Integration to the Cloud - Kellton Tech WebinarSmart Integration to the Cloud - Kellton Tech Webinar
Smart Integration to the Cloud - Kellton Tech Webinar
 
Hybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow Up
Hybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow UpHybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow Up
Hybrid Identity Made Simple - Microsoft World Partner Conference 2016 Follow Up
 
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019 Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
Data encryption concepts in AWS - FND302 - AWS re:Inforce 2019
 
Building Hybrid Cloud Apps with Azure and Azure stack
Building Hybrid Cloud Apps with Azure and Azure stackBuilding Hybrid Cloud Apps with Azure and Azure stack
Building Hybrid Cloud Apps with Azure and Azure stack
 
DataSynapse and Amazon EC2 Technical Overview
DataSynapse and Amazon EC2 Technical OverviewDataSynapse and Amazon EC2 Technical Overview
DataSynapse and Amazon EC2 Technical Overview
 
Delivering Hybrid Cloud Solutions on Microsoft Azure
Delivering Hybrid Cloud Solutions on Microsoft AzureDelivering Hybrid Cloud Solutions on Microsoft Azure
Delivering Hybrid Cloud Solutions on Microsoft Azure
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesDynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD Pipelines
 
Introduction to Azure
Introduction to AzureIntroduction to Azure
Introduction to Azure
 
Securing your Azure Identity Infrastructure
Securing your Azure Identity InfrastructureSecuring your Azure Identity Infrastructure
Securing your Azure Identity Infrastructure
 

Dernier

Study Consultants in Lahore || 📞03094429236
Study Consultants in Lahore || 📞03094429236Study Consultants in Lahore || 📞03094429236
Study Consultants in Lahore || 📞03094429236Sherazi Tours
 
08448380779 Call Girls In Chhattarpur Women Seeking Men
08448380779 Call Girls In Chhattarpur Women Seeking Men08448380779 Call Girls In Chhattarpur Women Seeking Men
08448380779 Call Girls In Chhattarpur Women Seeking MenDelhi Call girls
 
Top 10 Traditional Indian Handicrafts.pptx
Top 10 Traditional Indian Handicrafts.pptxTop 10 Traditional Indian Handicrafts.pptx
Top 10 Traditional Indian Handicrafts.pptxdishha99
 
08448380779 Call Girls In Chirag Enclave Women Seeking Men
08448380779 Call Girls In Chirag Enclave Women Seeking Men08448380779 Call Girls In Chirag Enclave Women Seeking Men
08448380779 Call Girls In Chirag Enclave Women Seeking MenDelhi Call girls
 
How to Get Unpublished Flight Deals and Discounts?
How to Get Unpublished Flight Deals and Discounts?How to Get Unpublished Flight Deals and Discounts?
How to Get Unpublished Flight Deals and Discounts?FlyFairTravels
 
Akshay Mehndiratta Summer Special Light Meal Ideas From Across India.pptx
Akshay Mehndiratta Summer Special Light Meal Ideas From Across India.pptxAkshay Mehndiratta Summer Special Light Meal Ideas From Across India.pptx
Akshay Mehndiratta Summer Special Light Meal Ideas From Across India.pptxAkshay Mehndiratta
 
char Dham yatra, Uttarakhand tourism.pptx
char Dham yatra, Uttarakhand tourism.pptxchar Dham yatra, Uttarakhand tourism.pptx
char Dham yatra, Uttarakhand tourism.pptxpalakdigital7
 
DARK TRAVEL AGENCY presented by Khuda Bux
DARK TRAVEL AGENCY presented by Khuda BuxDARK TRAVEL AGENCY presented by Khuda Bux
DARK TRAVEL AGENCY presented by Khuda BuxBeEducate
 
visa consultant | 📞📞 03094429236 || Best Study Visa Consultant
visa consultant | 📞📞 03094429236 || Best Study Visa Consultantvisa consultant | 📞📞 03094429236 || Best Study Visa Consultant
visa consultant | 📞📞 03094429236 || Best Study Visa ConsultantSherazi Tours
 
A Comprehensive Guide to The Types of Dubai Residence Visas.pdf
A Comprehensive Guide to The Types of Dubai Residence Visas.pdfA Comprehensive Guide to The Types of Dubai Residence Visas.pdf
A Comprehensive Guide to The Types of Dubai Residence Visas.pdfDisha Global Tours
 
"Fly with Ease: Booking Your Flights with Air Europa"
"Fly with Ease: Booking Your Flights with Air Europa""Fly with Ease: Booking Your Flights with Air Europa"
"Fly with Ease: Booking Your Flights with Air Europa"flyn goo
 
How can I fly with the British Airways Unaccompanied Minor Policy?
How can I fly with the British Airways Unaccompanied Minor Policy?How can I fly with the British Airways Unaccompanied Minor Policy?
How can I fly with the British Airways Unaccompanied Minor Policy?flightsvillacom
 
Hoi An Ancient Town, Vietnam (越南 會安古鎮).ppsx
Hoi An Ancient Town, Vietnam (越南 會安古鎮).ppsxHoi An Ancient Town, Vietnam (越南 會安古鎮).ppsx
Hoi An Ancient Town, Vietnam (越南 會安古鎮).ppsxChung Yen Chang
 
BERMUDA Triangle the mystery of life.pptx
BERMUDA Triangle the mystery of life.pptxBERMUDA Triangle the mystery of life.pptx
BERMUDA Triangle the mystery of life.pptxseribangash
 
best weekend places near delhi where you should visit.pdf
best weekend places near delhi where you should visit.pdfbest weekend places near delhi where you should visit.pdf
best weekend places near delhi where you should visit.pdftour guide
 
Dubai Call Girls O528786472 Call Girls Dubai Big Juicy
Dubai Call Girls O528786472 Call Girls Dubai Big JuicyDubai Call Girls O528786472 Call Girls Dubai Big Juicy
Dubai Call Girls O528786472 Call Girls Dubai Big Juicyhf8803863
 

Dernier (20)

Study Consultants in Lahore || 📞03094429236
Study Consultants in Lahore || 📞03094429236Study Consultants in Lahore || 📞03094429236
Study Consultants in Lahore || 📞03094429236
 
08448380779 Call Girls In Chhattarpur Women Seeking Men
08448380779 Call Girls In Chhattarpur Women Seeking Men08448380779 Call Girls In Chhattarpur Women Seeking Men
08448380779 Call Girls In Chhattarpur Women Seeking Men
 
Top 10 Traditional Indian Handicrafts.pptx
Top 10 Traditional Indian Handicrafts.pptxTop 10 Traditional Indian Handicrafts.pptx
Top 10 Traditional Indian Handicrafts.pptx
 
08448380779 Call Girls In Chirag Enclave Women Seeking Men
08448380779 Call Girls In Chirag Enclave Women Seeking Men08448380779 Call Girls In Chirag Enclave Women Seeking Men
08448380779 Call Girls In Chirag Enclave Women Seeking Men
 
How to Get Unpublished Flight Deals and Discounts?
How to Get Unpublished Flight Deals and Discounts?How to Get Unpublished Flight Deals and Discounts?
How to Get Unpublished Flight Deals and Discounts?
 
Akshay Mehndiratta Summer Special Light Meal Ideas From Across India.pptx
Akshay Mehndiratta Summer Special Light Meal Ideas From Across India.pptxAkshay Mehndiratta Summer Special Light Meal Ideas From Across India.pptx
Akshay Mehndiratta Summer Special Light Meal Ideas From Across India.pptx
 
char Dham yatra, Uttarakhand tourism.pptx
char Dham yatra, Uttarakhand tourism.pptxchar Dham yatra, Uttarakhand tourism.pptx
char Dham yatra, Uttarakhand tourism.pptx
 
DARK TRAVEL AGENCY presented by Khuda Bux
DARK TRAVEL AGENCY presented by Khuda BuxDARK TRAVEL AGENCY presented by Khuda Bux
DARK TRAVEL AGENCY presented by Khuda Bux
 
visa consultant | 📞📞 03094429236 || Best Study Visa Consultant
visa consultant | 📞📞 03094429236 || Best Study Visa Consultantvisa consultant | 📞📞 03094429236 || Best Study Visa Consultant
visa consultant | 📞📞 03094429236 || Best Study Visa Consultant
 
A Comprehensive Guide to The Types of Dubai Residence Visas.pdf
A Comprehensive Guide to The Types of Dubai Residence Visas.pdfA Comprehensive Guide to The Types of Dubai Residence Visas.pdf
A Comprehensive Guide to The Types of Dubai Residence Visas.pdf
 
Call Girls Service !! New Friends Colony!! @9999965857 Delhi 🫦 No Advance VV...
Call Girls Service !! New Friends Colony!! @9999965857 Delhi 🫦 No Advance  VV...Call Girls Service !! New Friends Colony!! @9999965857 Delhi 🫦 No Advance  VV...
Call Girls Service !! New Friends Colony!! @9999965857 Delhi 🫦 No Advance VV...
 
"Fly with Ease: Booking Your Flights with Air Europa"
"Fly with Ease: Booking Your Flights with Air Europa""Fly with Ease: Booking Your Flights with Air Europa"
"Fly with Ease: Booking Your Flights with Air Europa"
 
How can I fly with the British Airways Unaccompanied Minor Policy?
How can I fly with the British Airways Unaccompanied Minor Policy?How can I fly with the British Airways Unaccompanied Minor Policy?
How can I fly with the British Airways Unaccompanied Minor Policy?
 
Call Girls Service !! Indirapuram!! @9999965857 Delhi 🫦 No Advance VVVIP 🍎 S...
Call Girls Service !! Indirapuram!! @9999965857 Delhi 🫦 No Advance  VVVIP 🍎 S...Call Girls Service !! Indirapuram!! @9999965857 Delhi 🫦 No Advance  VVVIP 🍎 S...
Call Girls Service !! Indirapuram!! @9999965857 Delhi 🫦 No Advance VVVIP 🍎 S...
 
Rohini Sector 18 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 18 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 18 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 18 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Hoi An Ancient Town, Vietnam (越南 會安古鎮).ppsx
Hoi An Ancient Town, Vietnam (越南 會安古鎮).ppsxHoi An Ancient Town, Vietnam (越南 會安古鎮).ppsx
Hoi An Ancient Town, Vietnam (越南 會安古鎮).ppsx
 
BERMUDA Triangle the mystery of life.pptx
BERMUDA Triangle the mystery of life.pptxBERMUDA Triangle the mystery of life.pptx
BERMUDA Triangle the mystery of life.pptx
 
best weekend places near delhi where you should visit.pdf
best weekend places near delhi where you should visit.pdfbest weekend places near delhi where you should visit.pdf
best weekend places near delhi where you should visit.pdf
 
Call Girls 🫤 Connaught Place ➡️ 9999965857 ➡️ Delhi 🫦 Russian Escorts FULL ...
Call Girls 🫤 Connaught Place ➡️ 9999965857  ➡️ Delhi 🫦  Russian Escorts FULL ...Call Girls 🫤 Connaught Place ➡️ 9999965857  ➡️ Delhi 🫦  Russian Escorts FULL ...
Call Girls 🫤 Connaught Place ➡️ 9999965857 ➡️ Delhi 🫦 Russian Escorts FULL ...
 
Dubai Call Girls O528786472 Call Girls Dubai Big Juicy
Dubai Call Girls O528786472 Call Girls Dubai Big JuicyDubai Call Girls O528786472 Call Girls Dubai Big Juicy
Dubai Call Girls O528786472 Call Girls Dubai Big Juicy
 

Cloud Management Gateway for SCCMZ .pptx

  • 2. Agenda  Why we need CMG  Components of CMG  Requirements, Specifications  Placement of CMG componentsHierarchy  Ports  Cost | Outbound Data Transfer  Client Setting  Certificate for CMG  ARM, Configure Azure Services, Server App and Client App  Enhanced HTTP  Azure AD Authentication Workflow  Some Key SQL Tables  Logs to troubleshoot
  • 3. Why we need CMG  To manage Configuration Manager clients on the internet  You also don't need to expose your on-premises infrastructure to the internet.  CMG Cloud Service  CMG Connection Point  Service Connection Point  Management Point  Software Update Point  Internet-Based Clients  Cloud Distribution Point Components of CMG
  • 5. Components of CMG  The CMG cloud service in Azure authenticates and forwards Configuration Manager client requests to the CMG connection point.  The CMG connection point site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.  The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure AD. Make sure your service connection point is in online mode.
  • 6. Components of CMG  The management point site system role services client requests per normal.  The software update point site system role services client requests per normal.  Internet-based clients connect to the CMG to access on-premises Configuration Manager components.  The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.  Internet-based clients use PKI certificates or Azure AD for identity and authentication.  A cloud distribution point provides content to internet-based clients, as needed.  Starting in version 1806, a CMG can also serve content to clients. This functionality reduces the required certificates and cost of Azure VMs. For more information, see Modify a CMG.
  • 7. Requirements  An Azure subscription to host the CMG  To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin  To deploy the CMG, you need a Subscription Admin  Windows server to host the CMG connection point.  The service connection point must be in online mode.  A server authentication certificate for the CMG.  Other certificates may be required, depending upon your client OS version and authentication model.  Clients must use IPv4. Specs  CMG only supports the management point and software update point roles.  CMG doesn't support clients that only communicate with IPv6 addresses
  • 8. To make user a Subscription Admin assign Owner Role at the subscription scope
  • 9. Hierarchy Design  Create the CMG at the top-tier site of your hierarchy. If that's a central administration site, then create CMG connection points at child primary sites.  The cloud service manager component is on the service connection point, which is also on the central administration site.  You don't need to deploy multiple CMG instances for the purposes of geolocation.
  • 10. Ports  You don't need to open any inbound ports to your on-premises network.  TCP- TLS: Preferred protocol to build CMG Channel  HTTPS 443: Fallback Protocol (Fallback protocol to build CMG channel to only one VM instance)  HTTPS 10124 – 10139(Fallback protocol to build CMG channel to two or more VM instances)
  • 11. Cost | Outbound Data Transfer  CMG uses Azure Cloud Services as platform as a service (PaaS). This service uses virtual machines (VMs) that incur compute costs.  CMG uses a Standard A2 V2 VM.  You select how many VM instances support the CMG. One is the default, and 16 is the maximum. (Scale the CMG to support more clients by adding more VM instances.)  Charges are based on data flowing out of Azure (egress or download). Any data flows into Azure are free (ingress or upload).  CMG data flows out of Azure include policy to the client, client notifications, and client responses forwarded by the CMG to the site. These responses include inventory reports, status messages, and compliance status.  Misconfiguration of the CMG option to Verify client certificate revocation can cause additional traffic from clients to the CMG.
  • 13. Additional Information
     Changing the VM configuration is not supported.
     You can add instances, but you cannot add resources to the VM.
     The certificate added in the CMG properties can be checked in the IIS bindings.
  • 14. Client Setting: Enable clients to use a cloud management gateway
  • 15. Certificate for CMG
     Allow the private key to be exported.
     Supply the subject name in the request, so that we can set the (custom) subject name we want; if we don't choose this, the subject name will be the name of the client machine.
  • 17. ARM: Azure Resource Manager
     Create the CMG using an Azure Resource Manager deployment.
     Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group.
     To simplify the deployment and management of resources, the Azure Resource Manager deployment model is recommended for all new CMG instances.
     This modernized deployment doesn't require the classic Azure management certificate.
     The ARM deployment uses the apps as credentials, and it needs the Azure services to be configured.
  • 18. Configure Azure Services
     Web App/API: also referred to as the server app in ConfigMgr. SCCM uses it to access Azure.
     Native App/API: also referred to as the client app in ConfigMgr. It is used by clients to request an Azure AD token.
    We can either import the apps or create the apps.
     If we set up the apps from the console, the permissions are taken care of by SCCM.
     If we import the apps, the permissions will be missing and need to be granted explicitly.
    https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/azure-services-wizard
    ** Private Cloud – Azure US Government Cloud.
  • 19. Server App Import
    • Tenant Name: Any name
    • Tenant ID: Directory ID
    • App Name: Web App CMG
    • Client ID: App ID
    • Secret Key
    • App ID URI: It is in the access token used by the Configuration Manager client to request access to the service. By default this value is https://ConfigMgrService.
    Server App Create
  • 21. Server App Permissions
    • Application type means it has direct access to AD to read.
    Client App Permissions
    The server app has Application-type permissions, which means it can read the AD directly. The client app has Delegated-type permissions, which means it will request the server app to read the AD. We have the user read permission.
  • 22. SQL Table to check
    Select * from AAD_Application_Ex
    https://techcommunity.microsoft.com/t5/Premier-Field-Engineering/Importing-Apps-to-set-up-Cloud-Management-Gateway-CMG-for/ba-p/740011
    Authentication
     The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.
     Internet-based clients use PKI certificates or Azure AD for identity and authentication.
  • 23. Azure AD User, User Group Discovery
    Prereq:
     Azure Service for Cloud Management
     If the user is a federated or synchronized identity, you must use Configuration Manager Active Directory user discovery as well as Azure AD user discovery. For more information about hybrid identities, see Define a hybrid identity adoption strategy.
    Log File:
     Actions for Azure AD user discovery are recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file on the top-tier site server of the hierarchy.
    Importance:
     Azure AD user discovery is required if we use Azure AD authentication; if we use certificates, we don't need it.
    Limitations
     Delta discovery for Azure AD user group discovery is currently disabled.
    * Federated means up to you.
    Docs:
    https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/configure-discovery-methods#azureaadisc
    https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/about-discovery-methods#azureaddisc
    https://docs.microsoft.com/en-au/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-identity-adoption-strategy
  • 25. Some Key Tables
     select * from AAD_Tenant_Ex (To check STS Metadata)
     Select * from vProxy_Roles
     select * from vProxy_RoleEndpoints
  • 26. Query to check applications
    SELECT AE.ID, AE.ClientID, AE.Name [App Name], AE.IsClientApp, AE.IdentifierUri, AER.IsTombstoned, ACS.Name [Azure Service Name]
    FROM AAD_Application_Ex AE
    LEFT JOIN AAD_CloudServiceApplicationRelations AER ON AER.AADApplicationID = AE.ID
    LEFT JOIN Azure_CloudService ACS ON ACS.ID = AER.ID
    If any app is not used by an Azure Service, the Azure Service Name column will display a value of NULL.
    https://internal.support.services.microsoft.com/en-us/help/4517228
  • 27. Enhanced HTTP
     How to enable it.
     Wait up to 30 minutes for the management point to receive and configure the new certificate from the site.
     This enables SSL on the required virtual directories and makes the communication secure.
    Logs: CertMgr, SiteComp
    https://docs.microsoft.com/en-us/configmgr/core/plan-design/hierarchy/enhanced-http
  • 28. Log Files
    • For troubleshooting deployments, use CloudMgr.log and CMGSetup.log.
    • For troubleshooting service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
    • For troubleshooting client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.
    CMGSetup, CMGService, CMGContentService, CMGHttpHandler are on the Azure VM.
    SMS_Cloud_ProxyConnector.log
    Trying to build Tcp connection 0bea65f5-ac5d-467c-8171-67240cedae3e with server NATLAB.CLOUDAPP.NET:10140 SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
    Starting to connect to Proxy server NATLAB.CLOUDAPP.NET:10140 with client certificate F3D5A5714F2AF28ECC06483C3E686BA95917FC98 and connection ID 0bea65f5-ac5d-467c-8171-67240cedae3e... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
    Sending signIn message to Proxy server... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:52 PM 5024 (0x13A0)
    Got signIn confirm message from Proxy server and processing it... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
    Parking connection 0bea65f5-ac5d-467c-8171-67240cedae3e to Proxy server NATLAB.CLOUDAPP.NET:10140... SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
    Connection 0bea65f5-ac5d-467c-8171-67240cedae3e finished initialization and started SMS_CLOUD_PROXYCONNECTOR 1/31/2020 4:04:53 PM 5024 (0x13A0)
  • 29. Enable Verbose Logging
    You can configure the logging level using the setting Trace level (Information (default), Verbose, Error) on the Azure portal, under Cloud services, Configuration tab.