Three certificates are needed to set up the cloud DP, the client authentication certificate which we have already created in either part 1 or 2, an Azure management certificate and a web server certificate for the cloud DP. We can use the same technique for the cloud DP certificate creation as in the previous blogs but for completeness let’s run through that process again.
Creating the cloud DP management cert
The management certificate for the cloud DP service can be created in the same manner as in parts 1 and 2 of this series. However, for part 3 I thought I would show you another way that you can create a management certificate, this time using some PowerShell commands.
Type the following commands into an elevated PowerShell window (the angle-bracket values are placeholders to replace with your own):

# Create a self-signed management certificate in the local machine store
$cert = New-SelfSignedCertificate -DnsName "<yourdomain>.cloudapp.net" -CertStoreLocation "cert:\LocalMachine\My"
# Password that will protect the private key in the .pfx export
$password = ConvertTo-SecureString -String "<your password>" -Force -AsPlainText
# Export with the private key (.pfx, used by the ConfigMgr wizard)
Export-PfxCertificate -Cert $cert -FilePath ".\CloudDP-ManagementCert.pfx" -Password $password
# Export the public certificate only (.cer, uploaded to Azure)
Export-Certificate -Type CERT -Cert $cert -FilePath ".\CloudDP-ManagementCert.cer"

As you can see, this quickly generates a .pfx and a .cer file for the management certificate.
Creating the cloud DP certificate
Fire up your certificate authority, drill down to Certificate Templates, right click and choose Manage. Note that I am using an old 2008 DC; the process is the same for 2012 and above.
Right click the Web Server template and select Duplicate Template.
Select Windows Server 2003 Enterprise. Click OK.
Enter a name for the template. I’ve called mine ‘SCCMCMG – Management Certificate’ as I am going to create another template for my Web Server cert.
In the Request Handling tab choose Allow private key to be exported.
Set security accordingly so that enrollment can take place. Read and Enroll permissions are required for this.
With the template in place, we need to issue it so that we can enroll with it.
To do this right click the Certificate Templates folder in the Certificate Authority and choose New>Certificate Template to Issue.
Choose the certificate template, in this instance the cloud DP template and click OK.
The certificate template will be available for enrollment.
Next up, you need to request the certificates on a computer.
Load up MMC and choose File>Add/Remove Snap-in…
Select Certificates and then click Add>.
Choose Computer account and click Next.
Ensure Local computer is selected and click Finish.
Note that Certificates (Local Computer) is in the Selected snap-ins pane. Click OK.
Navigate to the Personal store and right click, choose All Tasks>Request New Certificate.
Click Next to begin the certificate enrollment.
Go with the defaults here by clicking Next.
Select the cloud DP template that was created earlier. Then click the More information link.
In the Subject tab, select Common name from the Type drop down and enter the common name for the cloud DP service. For my example, I have used sccmsolcloudp1.sccmsolutions.co.uk. Once done, click Add>.
Click the Enroll button to enroll the certificate.
When the process is complete click Finish.
The next step in the certificate process is to export the certificate, once without and once with the private key. We will use these exports to upload the certificate into Azure and to configure the cloud DP.
In the Personal store, refresh and you will see the new cert. Right click the cloud DP certificate (you can check the Certificate Template column to ensure you have the correct one) and select All Tasks>Export.
Click Next on the export wizard.
Choose not to export the private key and click Next.
Export the DER encoded binary X.509 (.CER) format and click Next.
Save the certificate as the .cer file. Name it accordingly so you know which cert it is.
Click Finish to complete the process.
You will be notified that the export was successful.
The next step is to create an exported certificate with private keys.
As before, in the MMC>Personal>Certificates store, right click the cloud dp certificate and choose All Tasks>Export.
This time select Yes, export the private key. Click Next.
This time the .pfx format is selected. Go with the defaults and click Next.
Enter a strong password for the pfx file and click Next.
Save the certificate.
Click Finish to complete the export.
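The enrollment and both exports above can also be driven from PowerShell. This is an added example, not code from the original post; it assumes a template name of 'SCCMCloudDP' (the template name, not the display name), the FQDN used in the post, and an output folder of C:\Certs.

```powershell
# Added example: enrol the cloud DP web server certificate from the enterprise CA
# using the duplicated template, then export it as .cer (public key only, for Azure)
# and as .pfx (with private key, for the cloud DP wizard).
$TemplateName = 'SCCMCloudDP'                          # assumed template name
$ServiceFqdn  = 'sccmsolcloudp1.sccmsolutions.co.uk'   # FQDN from the post
$OutDir       = 'C:\Certs'                             # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Enrol against the CA with the template; the account needs Read + Enroll on it.
$req = Get-Certificate -Template $TemplateName `
                       -SubjectName "CN=$ServiceFqdn" `
                       -DnsName $ServiceFqdn `
                       -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Enrollment status: $($req.Status)" }
$cert = $req.Certificate

# Sanity checks before exporting: private key present, subject is the service FQDN.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
if ($cert.Subject -ne "CN=$ServiceFqdn") { throw "Unexpected subject $($cert.Subject)" }

# Public certificate only (DER encoded .cer).
Export-Certificate -Cert $cert -Type CERT -FilePath "$OutDir\CloudDP-$ServiceFqdn.cer" | Out-Null

# Certificate with private key (.pfx), protected by a password prompted at run time.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\CloudDP-$ServiceFqdn.pfx" -Password $pfxPassword | Out-Null

# Record the thumbprint; it is what you compare against later in the wizard and logs.
[pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
```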
Set up Azure for cloud DPs
As with the CMG, we need to upload a management certificate into Azure for the cloud service.
In the Azure Portal, navigate to Subscriptions and then select your subscription.
Select Management Certificates from the list of options.
Click the Upload link.
Next we need to select a .cer file to upload. This will be the management certificate .cer file created earlier.
Ensure the cert is uploaded successfully. Copy your Subscription ID as you will need this next.
Install the Cloud Distribution Point in ConfigMgr
In the ConfigMgr console navigate to \Administration\Overview\Cloud Services\Cloud Distribution Points. Right click and choose Create Cloud Distribution Point.
Enter the Subscription ID noted from the Azure portal and click the Browse button.
Select the pfx export of the management certificate.
Enter the password for the .pfx and click OK.
The cloud service information provided will be validated.
Note that Azure will automatically generate a GUID for the service name. Make a note of this GUID as we will need this later in the set-up. Click the Browse button.
Choose the cloud DP certificate file.
Enter the password for the .pfx and click OK.
Note that the service FQDN is automatically populated. We’ll need to map this address to the <Service name GUID>.cloudapp.net address shortly. Click Next.
Set any threshold alert levels for the cloud DP at this stage and click Next.
Click Close to complete the set up wizard.
The cloud DP will be in a provisioning state. It can take a while to build the cloud DP.
The progress can be monitored in the CloudMgr.log file.
When provisioning has completed the cloud DP will report as ready.
Set up name resolution for the cloud DP
To resolve the cloud DP, you need to map the service FQDN to the <service GUID>.cloudapp.net address.
So for my example, I need to create a CNAME record for sccmsolcloudp1.sccmsolutions.co.uk that points at the <service GUID>.cloudapp.net name.
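Once the CNAME is in place, it is worth checking both the DNS mapping and that the service actually serves the cloud DP certificate enrolled earlier. This is an added example, not from the original post; it assumes the FQDN from the post and uses a placeholder for the service GUID.

```powershell
# Added example: verify the cloud DP FQDN resolves via CNAME to the Azure service
# name and that TLS on that name presents the enrolled cloud DP certificate.
$ServiceFqdn = 'sccmsolcloudp1.sccmsolutions.co.uk'   # FQDN from the post
$ServiceGuid = '<service GUID>'                         # placeholder: GUID from the ConfigMgr wizard
$Expected    = "$ServiceGuid.cloudapp.net"

# 1. Name resolution: the CNAME must point at the cloudapp.net service name.
$cname = Resolve-DnsName -Name $ServiceFqdn -Type CNAME -ErrorAction Stop |
         Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) { throw "$ServiceFqdn has no CNAME record" }
if ($cname.NameHost -ne $Expected) { throw "CNAME points to $($cname.NameHost), expected $Expected" }

# 2. TLS: connect with SNI set to the FQDN and capture the leaf certificate served.
#    The callback returns $true only so the certificate can be inspected; the
#    real validation happens in step 3 below.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($ServiceFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($ServiceFqdn)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $ssl.Dispose(); $tcp.Dispose() }

# 3. The served certificate must match the cloud DP cert: subject, validity and,
#    when the enrolled copy is still in the local store, the exact thumbprint.
if ($leaf.Subject -ne "CN=$ServiceFqdn") { throw "Service presented $($leaf.Subject)" }
if ($leaf.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($leaf.NotAfter)" }
$local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$ServiceFqdn" }
if ($local -and ($local.Thumbprint -notcontains $leaf.Thumbprint)) {
    throw "Served thumbprint $($leaf.Thumbprint) does not match the enrolled certificate"
}
[pscustomobject]@{ Cname = $cname.NameHost; Subject = $leaf.Subject; Thumbprint = $leaf.Thumbprint; Expires = $leaf.NotAfter }
```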
Upload content to the cloud DP
At this stage, our cloud DP is ready, configured and raring to go. We can upload content to it in the same way as we do any on-prem DP.
The finale – push software to a client connected via the CMG
So we’ve been building up to this point. We showed in parts 1 and 2 that we could connect clients to the SCCM environment via the CMG, which acts as a proxy to the internal MP and SUP. We need a cloud DP since Internet clients cannot route to non-Internet-facing DPs.
So as a test, I am going to publish a 7-Zip installation to the Internet connected client and install the software across the Internet.
First up, I have confirmed that my client is still connected via the Internet. Note that the domain joined client is reported as being on the Internet in ClientLocation.log.
A quick check and nothing is assigned to the device for software deployment.
I then created an available deployment for 7-Zip targeted at my Internet based client and on the client ran a policy retrieval – all standard ConfigMgr tasks.
After policy had updated the Software Center showed 7-Zip as an available install.
After kick starting the 7-Zip install, a quick glance at CAS.log shows the download taking place from my cloud DP, sccmsolcloudp1.sccmsolutions.co.uk, and that the install succeeds.
There’s a lot to take in with the new Cloud Management Gateway and its integration with the cloud DP and the internal MP and SUP. I have shown how to get the services up and running, but there are plenty of planning considerations that need to be examined prior to doing these installations.
I recommend that you read the following before deploying these services.
Plan for the cloud management gateway in Configuration Manager at https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-cloud-management-gateway
Use a cloud-based distribution point with System Center Configuration Manager at https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/use-a-cloud-based-distribution-point