The fast channel of current branch 1610 of System Center Configuration Manager (SCCM) received an interesting update that delivers the Cloud Management Gateway.
This new feature helps reduce the infrastructure complexity of managing Internet-based clients.
NOTE if the update is not displayed in the Update and Servicing section, you may not have enabled the fast channel. To do this, download the script available here https://gallery.technet.microsoft.com/ConfigMgr-1610-Enable-046cc0e9
Install and Enable Cloud Management Gateway feature
From the console, access the Update and Servicing section to download and install the update
When installing the update, ensure you enable the Cloud Management Gateway feature
Create the Cloud Management Gateway
Before starting you will need to request a new certificate to include the cloudapp.net namespace.
Then from the SCCM console, go to the Administration\Cloud Services\Cloud Management Gateway to create the new gateway.
The process is pretty straightforward.
Provide the Subscription ID and the management certificate (the new one with cloudapp.net in a .CER and .PFX format) – the CER file will be uploaded into the Azure subscription while the PFX will be imported into SCCM with the wizard.
NOTE if you do not upload the certificate into Azure, you will get an error “The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription”
You can get the Subscription ID from the Azure portal
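A pre-flight check for the certificate described above, as an added example that is not part of the original post: it looks in the local computer store for a certificate whose DNS names include a cloudapp.net entry, confirms it is currently valid and has a private key, then exports the .CER and .PFX files the wizard asks for. It assumes the certificate was already issued into Cert:\LocalMachine\My; the output folder and file names are placeholders.

```powershell
# Added example. The folder and file names are placeholders chosen for illustration.
$OutDir = 'C:\Temp\cmg-cert'

# Certificates in the computer store whose DNS names include a cloudapp.net entry.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.DnsNameList.Unicode -like '*.cloudapp.net'
}
if (-not $candidates) { throw 'No certificate with a cloudapp.net DNS name was found.' }

# Report every candidate so an expired or key-less duplicate is visible before export.
$now = Get-Date
foreach ($c in $candidates) {
    $problems = @()
    if (-not $c.HasPrivateKey) { $problems += 'no private key, so no PFX can be produced' }
    if ($c.NotBefore -gt $now) { $problems += "not valid until $($c.NotBefore)" }
    if ($c.NotAfter  -lt $now) { $problems += "expired on $($c.NotAfter)" }
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        DnsNames   = $c.DnsNameList.Unicode -join ', '
        NotAfter   = $c.NotAfter
        Problems   = $problems -join '; '
    }
}

# Keep the usable certificate with the longest remaining lifetime.
$cert = $candidates |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No candidate is currently valid and has a private key.' }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Public part only: this is the file uploaded to the Azure subscription.
Export-Certificate -Cert $cert -FilePath (Join-Path $OutDir 'cmg.cer') -Type CERT | Out-Null

# Private key included: this is the file imported in the SCCM wizard.
# The password is prompted for so it never lands in the script or the shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir 'cmg.pfx') -Password $pfxPassword | Out-Null
```

Export-PfxCertificate fails if the private key was not marked exportable when the certificate was issued; delete the .PFX from the export folder once the wizard has imported it.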
To define the VM creation details you need to import the certificate (PFX file) again. You may get a pop-up saying “The service certificate has the following errors/warnings.” Do not be afraid: this is because you generated your certificate with the SCCM server name. You will be able to select the service FQDN after the import, which will generate the service name correctly.
Select the correct FQDN (*.cloudapp.net) to generate the service name as well as the Region where the VM will be provisioned
You can uncheck Verify client certificate revocation, unless your internal CA is published publicly (the gateway runs in Azure and has to be able to reach the CA's revocation information to perform the check).
The next settings define the alert thresholds; keep the defaults or change them to match your needs.
After the usual configuration summary you can complete the creation process. You will need to wait some time for the VM to be provisioned on your Azure tenant; you can check the progress from the SCCM console.
Configure the Cloud Management Gateway
Once the Cloud Management Gateway status is provisioning completed in the SCCM console, you can continue to configure the gateway
To do so, you need to define a connection point with the Cloud Management Gateway by adding the new server role “Cloud management gateway connection point”
Once you have enabled the cloud management gateway connection point role, you need to update your management point to take advantage of the new role
At this stage, the status of the Cloud Management Gateway is now Ready and you can see the connection point(s) on the Connection Point tab (the status is Disconnected if you have not yet enabled the management point).
Once the connection point status is Ready, you can also see the role endpoints associated with the gateway
Check the client
Once you have configured the gateway, you should see your Internet based client using the new Internet-based management point which will be something like <your Cloud Management Gateway service>.cloudapp.net/CCM_Proxy_MutualAuth/<GUID>