Blog

SCCM Cloud Distribution Point

No Comments

SCCM Cloud Distribution Point

SCCM CLOUD DISTRIBUTION POINT : HOW TO INSTALL AN SCCM CLOUD DISTRIBUTION POINT

A  cloud distribution point is an SCCM distribution point that is hosted in Microsoft Azure. The client will access it as a normal distribution point using port 443 (SSL). Some benefits of using cloud distribution points are for clients on the internet, fallback scenario or to quickly provision a distribution point if extra bandwidth is needed for a limited time. The whole process should take about an hour, a bit more if you’re not familiar with certificates which are a big part of this guide.

PLAN

If you’re unsure if the cloud distribution point is the right choice for your organization, read the following Microsoft documentation which explains in detail the features and benefits. The article also lists what features are supported or not.

COST

We also suggest reading the Microsoft article explaining the cost of using a cloud distribution point as this could be a show stopper for a small size business.

PREREQUISITES FOR SCCM CLOUD DISTRIBUTION POINT

  • An Azure Subscription
  • Your Windows Azure Subscription ID
  • A self-signed or public key infrastructure (PKI) management certificate for communication from your primary site server to the Azure service (.cer file)
  • A service certificate (PKI) that Configuration Manager clients use to connect to cloud distribution points and download content from them by using HTTPS
  • DNS alias and a CNAME record in your DNS namespace for clients to resolve the name of the cloud service
  • Client Settings configured correctly
  • The client must have internet access
  • Boundary group must be configured

We will cover all those requirements in this post.

CERTIFICATES REQUIREMENTS

To make an authenticated, secured (SSL) connection between your Primary Site installation and your Windows Azure subscription, you need to create your own management certificates, which can be self-signed or issued by a certification authority (CA). We recommend using a certification authority in a production environment. For testing (or lab) purposes you can use the self-sign certificate which is easier to implement.

The high-level certificate requirements:

  • Provide the .cer file of the management certificate to Azure. You must upload this certificate to Azure before you install a cloud distribution point. This certificate enables SCCM to access the Azure API.
  • Provide the .pfx file of the management certificate to SCCM when you install the cloud distribution point. SCCM will store this certificate in the site database. Because the .pfx file contains the private key, you must provide the password to import this certificate file into SCCM.
  • If you use a self-signed certificate, you must first export a certificate as a .cer file and then export it again as a .pfx file

CREATE A SELF-SIGNED CERTIFICATE

Only follow this section if you are using a self-signed certificate. If you’ll be using a certificate from your certification authority (CA), jump to the next section.

  • Open MMC
  • On the File menu, choose Add/Remove Snap-in…  select Certificates, and click Add
·         When prompted for what you want to manage certificates for, select Computer Account, click Next
·         Select Local Computer and then click Finish
·         Click OK to close the Add/Remove Snap-ins form
·         In the Certificate console
·         Go to Certificates (Local Computer) / Personal / Certificates.
·         You should find a Server Authentication certificate there with the name of your server in the Issued To column. In our example, it’s the first one listed (CM01.SCDLab.org)
We will export this certificate twice:
·         One to get a .Cer file that we’ll upload to Windows Azure as the management certificate
·         The other to create a password-protected .Pfx file that we’ll use to configure the connection from our Primary Server to create the SCCM cloud distribution point.
EXPORT THE .CER FILE:
·         In the Certificates (Local Computer) console
·         Right-click your Server Authentification certificate (In our case: CM01.SCDLab.org)
·         Choose All Tasks / Export
·         In the Certificates Export Wizard, choose Next
·         On the Export Private Key page, choose No do not export the private key, click Next
·         On the Export file format, select DER encoded binary X.509 (.CER), click Next
·         Save your certificate in a folder and close the Certificate Export Wizard
EXPORT THE .PFX FILE
·         On the Export Private Key page, choose Yes, export the private key, click Next
·         On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX), click Next
·         On the Password page, specify a strong password to protect the exported certificate with its private key, click Next
·         On the File to Export page, specify the name of the file that you want to export, click Next
·         To close the wizard, click Finish in the Certificate Export Wizard page, click OK
·         Close Certificates (Local Computer)

The certificate is now ready to be imported to create an SCCM cloud distribution point. You can jump to the Azure Subscription section if you are not using a PKI server

CREATE AND ISSUE A CUSTOM WEB SERVER CERTIFICATE TEMPLATE ON THE CERTIFICATION AUTHORITY (IF USING PKI ONLY)

If you just created a self-signed certificate, jump to the Azure Subscription section.

This procedure creates a custom certificate template that is based on the web server certificate template. The certificate will be used for the installation of the SCCM cloud distribution point and the private key must be exportable as it will be asked during installation.

CREATE AND ISSUE THE CUSTOM WEB SERVER CERTIFICATE TEMPLATE ON THE CERTIFICATION AUTHORITY

  • In Active Directory, create a security group named SCCM Site Servers that contain your SCCM Primary Site server computer account
  • On the server that is running the Certification Authority, open the Certification Authority console (certsrv.mmc), right-click Certificate Templates and select Manage
·         The Certificate Templates management console opens
·         Right-click the Web Server template and then select Duplicate Template
·         In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected in Certification Authority
·         In the General tab, enter a template name, like SCD SCCM Cloud DP. Change the validity period if needed. As a best-practice, the longer the validity period, the less secure is your certificate
·         In the Request Handling tab, select Allow private key to be exported
·         In the Security tab, remove the Enroll permission from the Enterprise Admins security group
·         Choose Add, enter SCCM Site Servers in the text box, and then choose OK
·         Select the Enroll and Read permission for this group
·         Choose OK, close Certificate Templates Console
·         Back in the Certification Authority (certsrv.mmc) console, right-click Certificate Templates, select New / Certificate Template to Issue
·         In the Enable Certificate Templates dialog box, select the new template that you just created, SCD SCCM Cloud DP, click OK

REQUEST THE CUSTOM WEB SERVER CERTIFICATE ON THE PRIMARY SITE SERVER

This procedure requests and then installs the newly created custom web server certificate on the Primary Site prior to the SCCM cloud distribution point installation

  • Open MMC
  • On the File Menu, choose Add/Remove Snap-in…  select Certificates, and click Add
·         When prompted for what you want to manage certificates for, select Computer Account, click Next
·         Select Local Computer and then click Finish
·         Click OK to close the Add/Remove Snap-ins
·         In the Add or Remove Snap-ins dialog box, choose OK.
·         In the console, expand Certificates (Local Computer) / Personal / Certificates
·         Right-click Certificates, select All Tasks / Request New Certificate
·         On the Before You Begin page, click Next
·         If you see the Select Certificate Enrollment Policy page, choose Next
·         On the Request Certificates page, identify the SCD SCCM Cloud DP from the list of available certificates, and then select More information is required to enroll for this certificate. choose here to configure settings
·         In the Certificate Properties dialog box, in the Subject tab
o    Subject name: in Type choose Common name
o    Value:  Specify your service name and your domain name by using an FQDN format. (For example: scdclouddp1.cloudapp.net) and select Add
o    Alternative name: in Type choose DNS
o    Value: Specify your service name and your domain name by using an FQDN format. (For example: scdclouddp1.cloudapp.net) and select Add
·         Click OK to close the Certificate Properties dialog box
·         On the Request Certificates page, select SCD SCCM Cloud DP from the list of available certificates, click Enroll
·         On the Certificates Installation Results page, wait until the certificate is installed, click Finish

EXPORT THE CUSTOM WEB SERVER CERTIFICATE FOR CLOUD DISTRIBUTION POINTS

This procedure exports the custom web server certificate to file. We will export it as a .Cer file for the Azure Management Certificate and in a .Pfx format for the cloud distribution point creation

.CER EXPORT

  • In the Certificates (Local Computer) console, right-click the SCD SCCM Cloud DP certificate that you just created, select All Tasks / Export
·         In the Certificates Export Wizard, choose Next
·         On the Export Private Key page, select No do not export the private key and click Next
·         On the Export file format, select CER and click Next
·         Save your certificate in a folder and close the wizard
·         To close the wizard, click Finish in the Certificate Export Wizard page
.PFX EXPORT
·         On the Export Private Key page, choose Yes, export the private key, click Next
·         On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) option is selected
·         On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next
·         On the File to Export page, specify the name of the file that you want to export
·         To close the wizard, click Finish in the Certificate Export Wizard page
·         Close Certificates (Local Computer).
The certificate is now ready to be imported to create an SCCM cloud distribution point.

UPLOAD THE CERTIFICATE TO YOUR AZURE SUBSCRIPTION

If your company is already using Windows Azure, there is a very good chance that a management certificate was already created and uploaded. In that case you will only need to get the .pfx file and its password. If not, follow theses instructions to upload the management certificate (.Cer file) into the Azure classic portal. At the time of this writing, you can’t use the new Azure Portal for this.

  • Log into the Azure classic portal
  • Click Settings on the left side (all the way down)
·         Press the Management Certificates tab
·         Click Upload a management certificate, select the .cer file that you exported earlier, and then click the checkbox at the right
·         The management certificate is now created and ready to use
·         Copy the value of Subscription ID for your certificate. It will be needed to create the cloud management point.

CREATE THE SCCM CLOUD DISTRIBUTION POINT

  • Open the SCCM Console
  • Click Administration / Cloud Services / Cloud Distribution Points
  • Right-Click Cloud Distribution Points and click on Create Cloud Distribution Point
·         On the Specify details for this cloud service page, paste your Subscription ID that you copied in the previous step
o    If you forgot to copy it, log to your Azure portal and get it in the Subscription section
·         In Management Certificate field, click Browse. Navigate to and select the .pfx file that you saved earlier.  After you select it and click Open, you’ll be prompted for the password you used to protect it.  Enter the password and click Ok
·         On the Specify additional details for this distribution point form, select the regions where you want to host your cloud distribution point
·         Enter a Description if desired
·         All other values should be auto-filled, click Next
·         On the Configure alerts for this distribution point page, we’ll leave the defaults and click Next
·         On the Summary page, review the Details, click Next
·         On the Completion tab, click Close
·         The Cloud Distribution Point will now be listed, it will have a status of Provisioning. That status will change to Ready when provisioning is completed. You can also monitor the CloudMgr.log file on the primary site server. This process can take up to 10 minutes so be patient.
·         There’s a known bug in SCCM 1702 which leaves the status in Provisioning. If you’re affected by this bug, apply the following hotfix
·         Cloud Distribution Point ready!

In your Windows Azure portal page, you can see that the storage space has been created. This is the storage space that will hold content that you’ll distribute to your cloud distribution point.

  • In the Azure Portal, go to Storage Accounts section on the left
  • You will see a new cloud service with a GUID

We will now distribute a package to our new cloud distribution point.  We will send the Configuration Manager Client Package to the cloud distribution point.

  • In the SCCM Console
  • Click Software Library / Application Management / Packages
  • Right-click Configuration Manager Client Package, select Distribute Content
  • On the Review selected content page, click Next
  • On the Specify the content destination page, click Add.  In the resulting drop-down list, click Distribution Point
  • In the Add Distribution Points list of available distribution points, check the box next to your cloud distribution point.  Click OK, and then click Next
  • On the Summary page, click Next.  The distribution should complete successfully, so click Close

Let’s see if that package is distributed.

  • Click Monitoring / Distribution Status / Content Status
  • In the details pane, select your Configuration Manager Client Package, and note the completion status. The yellow circle will turn to green when the distribution is complete as a “normal” DP
  • Your cloud distribution point should be listed in the Success section when completed
·         In the PkgXferMgr.log file, you can see that content is sent to the cloud distribution point
Let check under the hood in our Azure Storage account if the content is there:
·         In your Windows Azure administration page
·         Click on Storage Accounts
·         Click onyour storage account GUID
·         In the Overview section, click on Blobs
·         You can see our content based on their packageID, click on a name
·         You can see that the files match the content of the package that we just distributed

SETUP NAME RESOLUTION FOR CLOUD DISTRIBUTION POINTS

  • In the Azure Portal
  • Go to Cloud Services (classic)
  • Click the Columns button on the top, and add the URL column
  • On the right, the URL value will be YourServiceName.cloudapp.net this is the DNS name that your clients will use for connecting to the cloud distribution point and getting their content
CONFIGURE DNS
In order for the clients to download content from a cloud distribution point, they must be able to resolve scdclouddp01.cloudapp.net to the cloud distribution point IP address. This is done by creating a CNAME record in DNS with the FQDN of the Windows Azure service URL that you just noted in prior steps.
·         Open the DNS Manager Console
·         On your DNS server, open the DNS console and create a new CNAME record in your domain Forward Lookup Zones
·         Select New Alias (CNAME)
·         For Alias name, type your cloud distribution point name (Ex: scdclouddp01)
·         In Fully qualified domain name (FQDN) for target host paste your Site URL (In our example: c940eea9c9954f038b69101c.cloudapp.net)  and click OK
CLIENTS CONFIGURATION
We now need to configure client settings on our SCCM client for them to access the cloud distribution point.
·         Open the SCCM console
·         Go to Administration / Client Settings
·         Right-click your client settings and click Properties
·         Select Cloud Services and select Yes on Allow access to cloud distribution point

ADJUST BOUNDARY GROUPS

The last step is to setup our boundary groups to include our cloud distribution point

  • In the SCCM Console
  • Go to Administration / Hierarchy Configuration / Boundary Groups
  • Right-click you boundary group, select Properties
·         On the Reference tab, click Add
·         Select your cloud distribution point and click Ok twice
You are now ready to use your new cloud distribution point for your deployments.

SCCM Training 

Live Instructor-led Online Training

Click here for SCCM Course Content

Watch SCCM Demo Video

Leave a Reply