This is a slightly customised PPT used at the BITPro event by Rajul OS.
The original PPT is also available here:
https://mms2017.sched.com/event/AUbW/cloud-management-gateway-deep-dive
All credits to Aaron!
#BITPro
4. Manage traditional clients that roam on the Internet
Without additional infrastructure
Without exposing infrastructure to the Internet
That is easily configured through the Configuration Manager Console
Key features continue to work on the device when not on the corporate network
Software updates
Hardware and software inventory
Endpoint protection
Client notification
Settings
Applications
PLAN TO SIMPLIFY
6. CERTIFICATES
Management certificate
"Credentials" between the site and Azure
Any certificate, including self-signed
The public certificate (.cer) is uploaded to Azure; the .pfx with the private key is imported into the site
Web service (server authentication) certificate
Use a public certificate provider (Symantec, Thawte) so that Internet clients already trust the issuer
Wildcard certificates are not supported
Root/subordinate certificate authority certificates
Used by the CMG for full chain validation of client PKI certificates
Client certificate
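The two certificate tasks above, as an added PowerShell example that is not part of the original deck: it creates a self-signed management certificate and exports the public .cer (for Azure) and the .pfx with the private key (for the site), then checks a web service certificate for the requirements the slide lists (private key present, Server Authentication EKU, no wildcard name, full chain validation). The output directory, subject names and the CN filter are placeholders I assumed for illustration.

```powershell
# Added example, not from the original deck: generates a self-signed management
# certificate and exports the two halves the slide describes, then checks a web
# service certificate against the stated requirements. $outDir, the subject names
# and the CN filter are placeholders (assumptions), not values from the deck.
$ErrorActionPreference = 'Stop'
$outDir = 'C:\CMG'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# --- Management certificate: any cert works, including self-signed ---
$mgmt = New-SelfSignedCertificate -Subject 'CN=CMG Management' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeySpec KeyExchange `
    -KeyExportPolicy Exportable -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)

# Public half (.cer, no private key) is what gets uploaded to Azure
Export-Certificate -Cert $mgmt -FilePath "$outDir\CMGManagement.cer" -Type CERT | Out-Null
# Private half (.pfx) is what the site imports
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $mgmt -FilePath "$outDir\CMGManagement.pfx" -Password $pfxPassword | Out-Null

# --- Web service (server authentication) certificate checks ---
function Test-CmgServerCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    if (-not $Cert.HasPrivateKey) { $problems += 'no private key: export it as a .pfx that includes the key' }

    # Enhanced Key Usage (2.5.29.37) must include Server Authentication (1.3.6.1.5.5.7.3.1)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = if ($eku) { $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' } }
    if (-not $serverAuth) { $problems += 'missing Server Authentication EKU' }

    # Collect the CN and Subject Alternative Name (2.5.29.17) DNS names; wildcards are not supported by CMG
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $wild = $names | Where-Object { $_ -match '\*' }
    if ($wild) { $problems += "wildcard name(s) not supported: $($wild -join ', ')" }

    # The chain must build to a root that Internet clients trust (hence a public CA), revocation included
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $problems += 'chain does not validate: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }

    if ($problems.Count -eq 0) { "OK: $($Cert.Subject)" } else { $problems | ForEach-Object { "FAIL: $_" } }
}

# Check the service certificate by subject (the CN is a placeholder for your CMG service name)
$svc = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=mycmg.contoso.com*' } | Select-Object -First 1
if ($svc) { Test-CmgServerCertificate -Cert $svc } else { 'service certificate not found in LocalMachine\My' }
```

Run it on the site server as an administrator. A certificate that passes every check here can still be rejected by the console if its subject does not match the CMG service name you choose at deployment time, so pick the name before requesting the certificate.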
7. NETWORK PORTS
NO INBOUND PORTS REQUIRED! (every connection is outbound from the on-premises roles and from clients)
Source                    Port         Destination   Use
Service Connection Point  443          Azure         Deploy CMG
CMG Connection Point      443          CMG           CMG channel for the first VM instance
CMG Connection Point      10124-10140  CMG           CMG channel for additional VM instances
Client                    443          CMG           Client channel
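A way to confirm the outbound-only connectivity in the table, as an added PowerShell example that is not part of the original deck. The CMG service name and the Azure management endpoint below are placeholders I assumed for illustration; the port numbers are the ones from the table.

```powershell
# Added example, not from the original deck: probes the outbound connections in the
# table above from an on-premises role. The CMG service name and the Azure
# management endpoint are placeholders (assumptions); substitute your own values.
$cmgService = 'mycmg.cloudapp.net'            # assumption: CMG service FQDN (classic deployment)
$azureMgmt  = 'management.core.windows.net'   # assumption: classic Azure management endpoint used by the SCP

$checks = @(
    @{ Role = 'Service Connection Point';      Target = $azureMgmt;  Ports = @(443) }
    @{ Role = 'CMG Connection Point (1st VM)'; Target = $cmgService; Ports = @(443) }
    @{ Role = 'CMG Connection Point (VMs 2+)'; Target = $cmgService; Ports = 10124..10140 }
    @{ Role = 'Client';                        Target = $cmgService; Ports = @(443) }
)

function Test-CmgOutbound {
    param([Parameter(Mandatory)][hashtable[]]$Checks, [int]$TimeoutMs = 3000)
    foreach ($c in $Checks) {
        foreach ($port in $c.Ports) {
            $tcp = New-Object System.Net.Sockets.TcpClient
            $reachable = $false
            try {
                # Bounded connect so a silently dropped SYN does not hang the whole run
                $ar = $tcp.BeginConnect($c.Target, $port, $null, $null)
                if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                    $tcp.EndConnect($ar)
                    $reachable = $tcp.Connected
                }
            } catch {
                $reachable = $false
            } finally {
                $tcp.Close()
            }
            [pscustomobject]@{ Role = $c.Role; Target = $c.Target; Port = $port; Reachable = $reachable }
        }
    }
}

Test-CmgOutbound -Checks $checks | Format-Table -AutoSize
```

Run it once from the service connection point, once from each CMG connection point and once from an Internet client. A closed port in 10124-10140 is expected when that VM instance has not been deployed; a failure on 443 points at an egress firewall or a proxy that the role is not configured to use.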
9. PERFORMANCE CONSIDERATIONS
Any Internet-roaming client in the site will use the CMG
Reduce network latency by locating the CMG, the CMG Connection Point and the site server in the same geographic region
Client-to-CMG traffic in Azure is not region-aware: a client connects to its site's CMG wherever the client happens to be
For high availability, deploy at least two VM instances and two CMG Connection Points per site
Scale out by increasing VM instances; the Azure load balancer in front of the CMG spreads client traffic across them
The CMG communicates round-robin with multiple CMG Connection Points, so adding more on-premises roles distributes the load
10. BEST PRACTICES AND FAQS
Publish the Certificate Revocation List (CRL) to the Internet: the CMG validates the client certificate chain from Azure, so the CRL distribution point must be reachable from there
HTTPS is optional on-premises
Supports Azure US Government (Fairfax)
Unsupported features (as of 1710)
• Azure Resource Manager
• Client deployment using client push
• Automatic site assignment
• User policies
• Application catalog
• Full operating system deployment (OSD)
• Configuration Manager console
• Remote tools
• Reporting website
• Wake on LAN
• Peer cache
• On-premises Mobile Device Management
• Mac, Linux, and UNIX clients
• Task Sequence
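The "publish the CRL to the Internet" practice from this slide, as an added PowerShell example that is not part of the original deck. It reads the CRL Distribution Points from a client PKI certificate and from every issuing CA below the root (the deck says the CMG validates the full chain), downloads each HTTP CRL, and rejects LDAP-only points, non-DER responses and expired CRLs. The certificate store filter is a placeholder I assumed; certutil.exe is the Windows built-in used here to read the NextUpdate field.

```powershell
# Added example, not from the original deck: checks that the CRLs a CMG in Azure
# needs for client chain validation are published on the Internet. The store
# filter is a placeholder (assumption); certutil.exe is the Windows built-in used
# to read NextUpdate from the downloaded CRL.

function Test-CrlPublished {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$TimeoutSec = 10
    )
    # CRL Distribution Points extension (2.5.29.31); Format($true) renders one "URL=..." per line
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) {
        return [pscustomobject]@{ Subject = $Cert.Subject; Url = $null; Status = 'no CDP extension: revocation cannot be checked' }
    }
    $text = $cdp.Format($true)

    # ldap:// points only resolve on the intranet; from Azure the CMG can use only http(s)
    foreach ($m in [regex]::Matches($text, 'URL=(ldap://\S+)')) {
        [pscustomobject]@{ Subject = $Cert.Subject; Url = $m.Groups[1].Value; Status = 'LDAP only: unreachable from Azure' }
    }
    foreach ($m in [regex]::Matches($text, 'URL=(https?://\S+)')) {
        $url = $m.Groups[1].Value
        $tmp = Join-Path $env:TEMP ("crl_{0}.crl" -f [guid]::NewGuid())
        $status = $null
        try {
            Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -TimeoutSec $TimeoutSec
            $bytes = [System.IO.File]::ReadAllBytes($tmp)
            if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) {
                # A DER CRL starts with an ASN.1 SEQUENCE tag (0x30); an HTML error or portal page does not
                $status = 'reachable but not a DER CRL (proxy or error page?)'
            } else {
                # A stale CRL fails chain validation just like a missing one
                $dump = certutil.exe -dump $tmp | Out-String
                $next = $null
                if ($dump -match 'NextUpdate:\s*(.+)') {
                    try { $next = [datetime]::Parse($Matches[1].Trim()) } catch { $next = $null }
                }
                $status = if ($next -and $next -lt (Get-Date)) { "EXPIRED (NextUpdate $next)" } else { "OK (NextUpdate $next)" }
            }
        } catch {
            $status = "unreachable: $($_.Exception.Message)"
        } finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{ Subject = $Cert.Subject; Url = $url; Status = $status }
    }
}

function Test-CmgClientChainCrls {
    # CMG validates the full chain, so every issuing CA below the root needs a reachable CRL too
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($ClientCert)
    $chain.ChainElements |
        Where-Object { $_.Certificate.Subject -ne $_.Certificate.Issuer } |   # skip the self-signed root
        ForEach-Object { Test-CrlPublished -Cert $_.Certificate }
}

# Pick the machine's client authentication certificate (the EKU 1.3.6.1.5.5.7.3.2 filter is a placeholder)
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    Select-Object -First 1
if ($clientCert) { Test-CmgClientChainCrls -ClientCert $clientCert | Format-Table -AutoSize }
else { 'no client authentication certificate found in LocalMachine\My' }
```

Run it from a machine that reaches the Internet the way the CMG does, without the corporate proxy and outside the intranet DNS, otherwise an internal-only CDP will look reachable. If the only usable CDP is LDAP, add an HTTP distribution point to the CA and re-issue the client certificates so the chain carries the new URL.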
Speaker notes (Aaron):
Traditional management with SCCM (devices not ready for modern management via Intune)
Clients roam onto the Internet (home, travel, remote office)
They still need to be managed, especially for software updates
Speaker notes (Aaron):
Internet-based client management: this method relies on Internet-facing site system servers that clients communicate with for management purposes. Both the clients and the site system servers must be configured for Internet-based management.
Advantages:
No cloud service dependency.
No additional cost for a cloud subscription.
Full control of the servers and roles providing the service.
Disadvantages:
Requires additional infrastructure investment.
Overhead and operational cost of the additional infrastructure.
Infrastructure must be exposed to the Internet.
Speaker notes (Aaron):
Cloud Management Gateway:
Advantages:
No additional infrastructure investment required.
Does not expose on-premises infrastructure to the Internet.
The cloud virtual machines that run the service are fully managed by Azure and require no maintenance.
Easily set up and configured in the Configuration Manager console.
Disadvantages:
Cloud subscription cost.
Management data is sent through the cloud service.