Deploy Cloud Management Gateway as a Virtual Machine Set in Configuration Manager 2111 — wildcard cert method

Nathan Blasac
Nathan Blasac - Notes from the Field
3 min read · Dec 30, 2021

As we know, beginning in Configuration Manager 2107, the virtual machine set option for the cloud management gateway is out of preview.

Deprecated features — Configuration Manager | Microsoft Docs

Classic cloud deployments of the CMG are considered deprecated after March 1, 2022.

I’m deleting my classic cloud deployment. Let’s deploy a Virtual Machine set CMG.

Here are MS Docs notes on Planning for the Virtual Machine Sets Deployment:

Plan for CMG — Configuration Manager | Microsoft Docs

Ensure the following resource providers are enabled in the subscription when using virtual machine sets:

Microsoft.Compute
Microsoft.Network
Microsoft.Storage
Microsoft.KeyVault
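A quick way to verify those four providers before starting the CMG wizard, as an added example that is not part of the original post. It assumes the Az PowerShell module is installed and that `Connect-AzAccount` has already been run; the subscription ID is a placeholder you must replace.

```powershell
#Requires -Modules Az.Resources
# Added example (not from the original post): check that the resource providers a
# virtual machine set CMG needs are registered, and register any that are not.
# Assumes an existing Connect-AzAccount session and rights to register providers.

$SubscriptionId    = '<your-subscription-id>'   # placeholder, replace with your own
$RequiredProviders = @(
    'Microsoft.Compute',
    'Microsoft.Network',
    'Microsoft.Storage',
    'Microsoft.KeyVault'
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

function Get-ProviderState {
    param([string]$Namespace)
    # Get-AzResourceProvider returns one object per resource type; the
    # RegistrationState is the same across them, so the first one is enough.
    Get-AzResourceProvider -ProviderNamespace $Namespace |
        Select-Object -First 1 -ExpandProperty RegistrationState
}

foreach ($ns in $RequiredProviders) {
    $state = Get-ProviderState -Namespace $ns
    if ($state -eq 'Registered') {
        Write-Host "$ns : Registered"
        continue
    }
    Write-Host "$ns : $state -> registering"
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
}

# Registration is asynchronous; poll until every provider reports Registered so
# the CMG deployment does not fail part way through on a provider that is still
# 'Registering'.
do {
    Start-Sleep -Seconds 10
    $pending = foreach ($ns in $RequiredProviders) {
        $s = Get-ProviderState -Namespace $ns
        if ($s -ne 'Registered') { "$ns ($s)" }
    }
    if ($pending) { Write-Host "Still pending: $($pending -join ', ')" }
} while ($pending)

Write-Host 'All required resource providers are registered.'
```

Run it in the same subscription you will select in the CMG wizard; registering a provider needs Contributor (or equivalent) rights on the subscription, which the account running the wizard should have anyway.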

Some more Notes:

Configure Azure AD for CMG — Configuration Manager | Microsoft Docs

Planning for server authentication, and how it affects the service/deployment and certificate naming:

CMG server authentication certificate — Configuration Manager | Microsoft Docs

Essentially, it’s not that different from the prior method. We have to ensure the additional resource providers are enabled and pick a service name (the cloudapp.net namespace is now [AZUREREGION].cloudapp.azure.com, so EASTUS.cloudapp.azure.com, for example). My service name will be NBCMG2022.EASTUS.Cloudapp.azure.com.

There is also a new option to convert your CMG from classic cloud to virtual machine sets via the console. The prerequisites obviously still apply. We will revisit that in a different post.

Here is how I constructed it in my lab, and the proper entries:

External DNS Entry in google domains

Internal DNS Entry in Microsoft DNS

I’ve deleted my Classic CMG in the lab:

Begin Deployment of Virtual machine set CMG:

I also re-used my previously created Azure AD apps.

We are using the same wildcard cert we used when we deployed the classic cloud CMG: *.nathanblasac.com, in PFX format.
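Before feeding the PFX to the wizard it is worth confirming that the wildcard actually covers the service name you chose and that the external CNAME points at the Azure deployment name, since a mismatch there only shows up as clients failing to connect later. The following is an added example, not from the original post: the PFX path and the service name `cmg.nathanblasac.com` are assumptions for illustration, the wildcard and the Azure deployment name are the ones given above, and `Resolve-DnsName` (DnsClient module, Windows) uses whatever resolver the machine you run it on is pointed at.

```powershell
# Added example (not from the original post): pre-flight check of the wildcard PFX
# and the DNS CNAME for a CMG deployed with a third-party wildcard certificate.
$PfxPath     = 'C:\certs\wildcard-nathanblasac.pfx'        # placeholder path
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$ServiceFqdn = 'cmg.nathanblasac.com'                       # assumed CMG service name
$AzureFqdn   = 'NBCMG2022.EASTUS.cloudapp.azure.com'        # deployment name from the post

function Test-WildcardMatch {
    param([string]$Pattern, [string]$Name)
    # A wildcard covers exactly one label: *.nathanblasac.com matches
    # cmg.nathanblasac.com but not a.cmg.nathanblasac.com or nathanblasac.com.
    if (-not $Pattern.StartsWith('*.')) { return ($Pattern -ieq $Name) }
    $suffix = $Pattern.Substring(1)                          # ".nathanblasac.com"
    if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $leftLabel = $Name.Substring(0, $Name.Length - $suffix.Length)
    return ($leftLabel.Length -gt 0) -and ($leftLabel -notmatch '\.')
}

# Load the PFX without importing it into a store.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    $PfxPath, $PfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

# Collect the names the certificate is valid for: subject CN plus any SAN entries.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format() output looks like "DNS Name=*.nathanblasac.com, DNS Name=..." on
    # English Windows; the label text is locale dependent.
    $names += ($san.Format($false) -split ',\s*') |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}
$names = $names | Select-Object -Unique

$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'the PFX does not contain the private key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires soon: $($cert.NotAfter)" }
if (-not ($names | Where-Object { Test-WildcardMatch -Pattern $_ -Name $ServiceFqdn })) {
    $problems += "none of [$($names -join ', ')] covers $ServiceFqdn"
}

# The CNAME must point the service name at the Azure deployment name.
$cname = Resolve-DnsName -Name $ServiceFqdn -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) {
    $problems += "no CNAME record found for $ServiceFqdn"
} elseif ($cname.NameHost -ine $AzureFqdn) {
    $problems += "CNAME points to $($cname.NameHost), expected $AzureFqdn"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "OK: $ServiceFqdn is covered by the PFX and resolves to $AzureFqdn"
}
```

Run it once from an internal client (to exercise the Microsoft DNS entry) and once from a machine on the public internet (to exercise the Google Domains entry); both should report OK before you continue with the wizard.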

Obviously the same prerequisites are in place, so we need to ensure the Cloud Management Gateway Connection Point is deployed and CMG traffic is enabled on both the SUP and the MP.

Management Point

Software Update Point

Voila

Until next time.

Consultant working mainly on System Center, Azure/EMS, Systems Management and Windows Deployment.