Cloud Management Gateway: secure management of devices connected to Internet

Due to the COVID-19 emergency and consequent lockdown, we have witnessed an exponential increase in remote activity by employees; this has generated a rush by companies to a digital transformation to ensure efficiency and productivity. The choice to consistently use the simple VPN made it possible to respond to the emergency quickly and effectively, but at the same time it meant that some scenarios relating to cyber-security were opened to be considered.

One of these scenarios is certainly the protection of the workstation which obviously cannot be managed adequately through the VPN channel or directly connected to the internet.

In this regard, Microsoft has been providing a new cloud-based Configuration Manager functionality to allow the management of devices connected to the Internet and thus improve the corporate security posture.

The Cloud Management Gateway (CMG) functionality, leveraging the services on Microsoft Azure, allows you to manage devices and distribute content in the cloud:

• Without a dedicated on-premise infrastructure;
• Without the need to expose the infrastructure on the Internet;
• Securely via TLS or via tokens;

In addition to the above, CMG can also be used for other scenarios such as:

• Branch Office management with more efficient Internet connectivity than a WAN or VPN connection;
• Management of acquisitions, through joining systems to Azure AD and management through CMG;
• Management of workgroup systems;
• Priovisioning of new devices through Windows Autopilot or through a dedicated procedure on the Configuration Manager side.

One of the most important features introduced in the latest release of Microsoft Endpoint Configuration Manager that uses CMG is certainly the ability to download content directly from the cloud through Task Sequence media (PXE, USB sticks, etc. ..); this new functionality can be useful for the standardization of the fleet in branch offices. By sending a special USB key or using an on-site PXE server, it is possible to provision an image directly from the cloud without saturating the connection with the main office.

Requirements

In order to proceed with the activation of the Cloud Management Gateway functionality, you must have the following requirements:

• An Azure subscription
  • CMG does not support subscription with an Azure Cloud Service Provider, it will be possible starting from the 2010 version of CM;
• Microsoft Endpoint Configuration Manager version 1902 or above;
• An account with Full administrator rights on the Configuration Manager infrastructure;
• An Azure account with the following rights:
  • Subscription Owner
  • Global Admin
• An on-premises Windows server to host the CMG connection point role (this role can also be installed on a system that already hosts other site system roles);
• The Service Connection Point must be configured in online mode;
• Integration with Azure AD to deploy the service with Azure Resource Manager;
• Client systems must use the IPv4 protocol;
• A Server Authentication certificate for the CMG role;
• Other types of certificates may be required based on the authentication method and based on the client’s operating system.

Certificates for Cloud Management Gateway

To provide more information on the certificates to be generated based on your infrastructure, in this section, we report the list of certificates related to the Cloud Management Gateway functionality and their main purpose.

• CMG Server Authentication Certificate

The CMG functionality creates an HTTPS service to which internet-based clients connect. The server requires a Server Authentication certificate to allow channel encryption. It is possible to purchase a certificate from a public CA or use one issued by your PKI infrastructure.

As reported by the official Microsoft documentation, CMG supports wildcard type certificates.

This certificate requires a globally unique name to identify the service on Azure. Before requesting a certificate, it is necessary to verify that the name used is unique. For example, emmprdcmg.CloudApp.Net.

If you also enable the CMG functionality for content, verify that the name used is also unique among the names used for Azure Storage Accounts.

• CMG Trusted Root Certificate

Client systems must be able to trust the certificate provided by the CMG. To do this, there are two ways:

• Use a certificate issued by a public CA, such as DigiCert, Thawte, or VeriSign. Windows systems natively include the Trusted Root Certificate Authorities (CAs) of these providers. By using a certificate issued by one of these providers, the systems will automatically be able to “trust” the certificate used by CMG.
• Use a certificate issued by an Enterprise CA present within your Public Key Infrastructure (PKI).
  
  
• Client authentication certificate

This certificate is required for the following internet-based client systems if the 2002 version of Configuration Manager is not present:

• Windows 8.1
• Windows 10 no Azure Active Directory (Azure AD) connected

Clients use this certificate to authenticate to the CMG. Windows 10 systems in Hybrid join or join directly to Azure AD do not need this certificate as they use Azure AD for authentication.

It is possible to distribute this type of certificate using the features of Active Directory Certificate Services and Group Policy for certificate self-registration.

• CMG connection point

To securely forward client requests, the CMG connection point requires a secure connection with the respective Management Point. Depending on how the devices and the Management Point are configured, the configuration of the CMG connection point is determined.

• Management Point in HTTPS mode
  • The CMG connection point requires a client authentication certificate;
  • If clients use Azure AD authentication or the Configuration Manager token, this certificate is not required;
• If you configure the Management Point role in Enhanced HTTP mode, this certificate is not required.

Costs

One of the factors most taken into consideration by companies is certainly the economic one. This section will provide some indications on how to estimate the cost of the solution based on the number of devices you want to manage.

Some components of Microsoft Azure are involved in the CMG solution to determine the costs of the solution such as:

• Virtual Machine: based on the configuration defined on the Configuration Manager side A2v2 Azure Virtual Machine will be created;
• Outbound traffic:all outbound traffic from Azure is paid while incoming traffic is free;
• Storage: the cost consists of the amount of data that is replicated to the CMG.

In this regard, we report below the indicative costs based on the above:

• Azure Virtual Machine costs
  • Standard A2 V2 (single instance) in «Pay as you go»: ~80 €/month
• Outbound traffic costs
  • Invenotry and policy: about 100 MB/month per system * 2000 device = 195 GB/month: ~12 €/month
  • Software Distribution: based on the size of the Packages/Applications (NB: software updates are downloaded directly from Microsoft Update)
• VM volume costs
  • 32 GB: 1,30 €/month
  • 64 GB: 2,54 €/month

Solution activation

This paragraph shows the steps required for the installation and subsequent configuration of the Cloud Management Gateway functionality on Configuration Manager.

Public DNS record creation

The creation of an alias on your public DNS is required when using a certificate issued by a public CA for the Cloud Management Gateway role.
As previously mentioned, the CMG role requires a globally unique name to identify your service on Azure with the suffix CloudApp.net; a third party CA is unable to issue a certificate with this suffix as the domain in question appears to be managed by Microsoft.
In this regard, if you want to use a certificate (related to your domain) issued by an external CA, you only need to add an alias on your public DNS.

For example, suppose the name of our Azure side CMG is emmprdcmg.CloudApp.Net; on our public DNS we will have to create a new CNAME record for emmprdcmg.emm-blog.com pointing to the host emmprdcmg.CloudApp.Net.

Cloud Management Gateway activation

• Open Configuration Manager console with an account with administrative rights;
• Access the Administration section, expand the Updates and Servicing container, and select the Features node;
• Check that the Cloud Management Gateway functionality is active, otherwise proceed with activation using the Turn on button on the top ribbon;
• Expand the Cloud Services folder, access the Azure Service node and select Configure Azure Services present in the ribbon at the top;

• Enter the name to be associated with the service and verify that the Cloud Management option is selected.
• From the Azure environment drop-down menu, check that the AzurePublicCloud option is selected.
• Press the Browse button in the Web app section to proceed with the creation of a new cloud app.
• Specify the application name.
• The URL https://ConfigMgrService should be configured in the HomePage URL and App ID URI fields; if you receive the error “Another object with the same value for property identifierUris already exists” enter a different name as this URL is already used by another Azure service.
• Set the validity period of the secret key to 2 years.
• Press the Sign in button and log in with a user with Global Admin rights:

• Once the authentication process has been successfully completed, confirm the changes using the OK button.
• Press the OK button again.
• Press the Browse button in the Native Client App section and follow the same steps mentioned above to create the new app.
• It is possible to select the Enable Azure AD User Discovery and Enable Azure AD Group Discovery options if you want to activate the Tenant Attach functionality (for more information about Tenant Attach, a dedicated article is available here).
• Complete the wizard through the Next button.
• Access the Administration section, expand the Cloud Services container, and select the Cloud Management Gateway node.
• Select Create Cloud Management Gateway option from the ribbon at the top.
• Press the Sign In button and log in with an account with Subscription Owner rights.
• Upon successful login, the remaining fields will be automatically populated with the information on Azure AD.
• In the event that you are the owner of more than one subscription, select the one concerned.
• Press Next button.
• From the Settings page, click on the Browse button related to the Certificate file section and select the certificate in PFX format issued by the public CA. The Service FQDN and Service name fields will be automatically filled in.

NOTE: if you are using a wildcard type certificate, in the Service FQDN field, remove the asterisk and enter the hostname indicated in the DNS record (example: emmprdcmg).

• From the drop-down menu, select the Region concerned.
• Select a Resource Group already present in Azure or create a new Resource Group that will host the CMG (if you select an existing Resource Group, make sure it is present in the same Region set in the previous point).
• In the VM Instance field, enter the number of VMs you want to create for this service (a maximum number of 16 VMs is allowed).
• Check that the 3 options below are correctly selected:
  • Verify Client Certificate Revocation;
  • Enforce TLS 1.2;
  • Allow CMG to function as a cloud distribution point and serve content from Azure storage;
• Press Next button.
• Set the Alerting thresholds based on your needs.
• Press the Next button again to start the CMG provisioning process.

CMG Connection Point role activation

The CMG Connection point role is the core role on the Configuration Manager side that allows communication with the Cloud Management Gateway; Here are some simple steps for activating the role:

• Open Configuration Manager console with an account with administrative rights.
• Access the Administration section, expand the Site Configuration folder, and select the Server and Site System Roles node.
• Select the server identified as owner of the CMG connection point role (example: Management Point), right-click and select the Add Site System Roles option.
• Check that all the information is correctly populated and press the Next button.
• Press the Next button again.
• From the System Roles Selection page, select the Cloud management gateway connection point option and proceed with the wizard.

• Select the previously created CMG from the drop-down menu (the Region you belong to will be automatically populated).

Management Point and Software Update Point roles configuration

To allow communication with the CMG, it is necessary to configure the Management Point role and possibly the Software Update Point role to accept this type of traffic; the steps below allow you to enable this type of communication:

• Open Configuration Manager console with an account with administrative rights.
• Access the Administration section, expand the Site Configuration folder, and select the Server and Site System Roles node.
• Select the server with the management point role and, from the bottom section, right click on the Management Point role.
• Select Properties option and, from the General tab, enable Allow Configuration Manager cloud management gateway traffic option;

• Confirm the changes with OK button.
• Follow the same procedure above also for the Software Update Point role if you want to distribute updates through a CMG.

References

Here are some useful references to the official Microsoft documentation:

• Frequently asked questions about the cloud management gateway
• Security and privacy for the cloud management gateway
• Monitor cloud management gateway

Conclusions

This article has reported one of the features available on Configuration Manager Current Branch for simple and efficient management of devices connected to the Internet.

One of the most important aspects of this solution is to be able to guarantee the security and protection of company data even on systems not directly connected to its infrastructure.