SCCM Cloud Distribution Point
- April 21, 2022
- Posted by: Pavithra
- Category: End User Computing
SCCM CLOUD DISTRIBUTION POINT: HOW TO INSTALL AN SCCM CLOUD DISTRIBUTION POINT
A cloud distribution point is an SCCM distribution point that is hosted in Microsoft Azure. Clients access it like a normal distribution point, using port 443 (SSL). Cloud distribution points are useful for clients on the internet, as a fallback, or to quickly provision a distribution point when extra bandwidth is needed for a limited time. The whole process should take about an hour, or a bit more if you’re not familiar with certificates, which are a big part of this guide.
If you’re unsure whether the cloud distribution point is the right choice for your organization, read the following Microsoft documentation, which explains the features and benefits in detail. The article also lists which features are supported and which are not.
We also suggest reading the Microsoft article explaining the cost of using a cloud distribution point, as this could be a showstopper for a small business.
PREREQUISITES FOR SCCM CLOUD DISTRIBUTION POINT
- An Azure Subscription
- Your Windows Azure Subscription ID
- A self-signed or public key infrastructure (PKI) management certificate for communication from your primary site server to the Azure service (.cer file)
- A service certificate (PKI) that Configuration Manager clients use to connect to cloud distribution points and download content from them by using HTTPS
- DNS alias and a CNAME record in your DNS namespace for clients to resolve the name of the cloud service
- Client Settings configured correctly
- The client must have internet access
- Boundary group must be configured
We will cover all those requirements in this post.
To make an authenticated, secured (SSL) connection between your Primary Site installation and your Windows Azure subscription, you need to create your own management certificate, which can be self-signed or issued by a certification authority (CA). We recommend using a certification authority in a production environment. For testing (or lab) purposes you can use a self-signed certificate, which is easier to implement.
The high-level certificate requirements:
- Provide the .cer file of the management certificate to Azure. You must upload this certificate to Azure before you install a cloud distribution point. This certificate enables SCCM to access the Azure API.
- Provide the .pfx file of the management certificate to SCCM when you install the cloud distribution point. SCCM will store this certificate in the site database. Because the .pfx file contains the private key, you must provide the password to import this certificate file into SCCM.
- If you use a self-signed certificate, you must first export the certificate as a .cer file and then export it again as a .pfx file.
CREATE A SELF-SIGNED CERTIFICATE
Only follow this section if you are using a self-signed certificate. If you’ll be using a certificate from your certification authority (CA), jump to the next section.
- Open MMC
- On the File menu, choose Add/Remove Snap-in… select Certificates, and click Add
The certificate is now ready to be imported to create an SCCM cloud distribution point. You can jump to the Azure Subscription section if you are not using a PKI server.
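The same self-signed lab certificate and its two exports can be produced from an elevated PowerShell session instead of the MMC. This is an added example, not part of the original guide; it assumes Windows Server 2016 / Windows 10 or later, and the subject name, folder and file names are hypothetical.

```powershell
# Added example: lab-only self-signed management certificate, exported twice.
# Subject name and output folder are assumptions, not values from the guide.
$subject = 'CN=SCCM Cloud DP Management (lab)'
$outDir  = 'C:\Certs'
$cerPath = Join-Path $outDir 'CloudDP-Mgmt.cer'
$pfxPath = Join-Path $outDir 'CloudDP-Mgmt.pfx'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Key pair in the local computer store; the private key must be exportable
# or the .pfx export below fails.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)

# First export: public certificate only (.cer), the file uploaded to Azure.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Second export: certificate plus private key (.pfx), the file given to SCCM.
# The password is prompted for so it never lands in the script or history.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Verify before uploading: the .cer carries no private key, and both files
# contain the same certificate (matching thumbprints).
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$pfx = (Get-PfxData -FilePath $pfxPath -Password $pfxPassword).EndEntityCertificates[0]
if ($cer.HasPrivateKey)                  { throw 'The .cer file contains a private key.' }
if ($cer.Thumbprint -ne $pfx.Thumbprint) { throw 'The .cer and .pfx files do not match.' }

[pscustomobject]@{
    Thumbprint = $cer.Thumbprint
    NotAfter   = $cer.NotAfter
    Cer        = $cerPath
    Pfx        = $pfxPath
}
```

Because the .pfx file contains the private key, remove it from disk or move it to protected storage once SCCM has imported it.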
CREATE AND ISSUE A CUSTOM WEB SERVER CERTIFICATE TEMPLATE ON THE CERTIFICATION AUTHORITY (IF USING PKI ONLY)
If you just created a self-signed certificate, jump to the Azure Subscription section.
This procedure creates a custom certificate template that is based on the web server certificate template. The certificate will be used for the installation of the SCCM cloud distribution point, and the private key must be exportable because it will be requested during installation.
CREATE AND ISSUE THE CUSTOM WEB SERVER CERTIFICATE TEMPLATE ON THE CERTIFICATION AUTHORITY
- In Active Directory, create a security group named SCCM Site Servers that contains your SCCM Primary Site server computer account
- On the server that is running the Certification Authority, open the Certification Authority console (certsrv.mmc), right-click Certificate Templates and select Manage
REQUEST THE CUSTOM WEB SERVER CERTIFICATE ON THE PRIMARY SITE SERVER
This procedure requests and then installs the newly created custom web server certificate on the Primary Site server prior to the SCCM cloud distribution point installation.
- Open MMC
- On the File Menu, choose Add/Remove Snap-in… select Certificates, and click Add
EXPORT THE CUSTOM WEB SERVER CERTIFICATE FOR CLOUD DISTRIBUTION POINTS
This procedure exports the custom web server certificate to a file. We will export it as a .cer file for the Azure management certificate and as a .pfx file for the cloud distribution point creation.
- In the Certificates (Local Computer) console, right-click the SCD SCCM Cloud DP certificate that you just created, select All Tasks / Export
UPLOAD THE CERTIFICATE TO YOUR AZURE SUBSCRIPTION
If your company is already using Windows Azure, there is a very good chance that a management certificate was already created and uploaded. In that case you will only need to get the .pfx file and its password. If not, follow these instructions to upload the management certificate (.cer file) into the Azure classic portal. At the time of this writing, you can’t use the new Azure Portal for this.
- Log into the Azure classic portal
- Click Settings on the left side (all the way down)
CREATE THE SCCM CLOUD DISTRIBUTION POINT
- Open the SCCM Console
- Click Administration / Cloud Services / Cloud Distribution Points
- Right-Click Cloud Distribution Points and click on Create Cloud Distribution Point
In your Windows Azure portal page, you can see that the storage space has been created. This is the storage space that will hold content that you’ll distribute to your cloud distribution point.
- In the Azure Portal, go to Storage Accounts section on the left
- You will see a new cloud service with a GUID
We will now distribute a package to our new cloud distribution point. We will send the Configuration Manager Client Package to the cloud distribution point.
- In the SCCM Console
- Click Software Library / Application Management / Packages
- Right-click Configuration Manager Client Package, select Distribute Content
- On the Review selected content page, click Next
- On the Specify the content destination page, click Add. In the resulting drop-down list, click Distribution Point
- In the Add Distribution Points list of available distribution points, check the box next to your cloud distribution point. Click OK, and then click Next
- On the Summary page, click Next. The distribution should complete successfully, so click Close
Let’s see if that package is distributed.
- Click Monitoring / Distribution Status / Content Status
- In the details pane, select your Configuration Manager Client Package, and note the completion status. The yellow circle will turn green when the distribution is complete, as with a “normal” DP
- Your cloud distribution point should be listed in the Success section when completed
SETUP NAME RESOLUTION FOR CLOUD DISTRIBUTION POINTS
- In the Azure Portal
- Go to Cloud Services (classic)
- Click the Columns button on the top, and add the URL column
- On the right, the URL value will be YourServiceName.cloudapp.net. This is the DNS name that your clients will use for connecting to the cloud distribution point and getting their content
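Once the CNAME record from the prerequisites exists, the alias and the certificate served on port 443 can be checked from a client machine. This is an added example, not part of the original guide; the alias clouddp.contoso.com is hypothetical, and it assumes the service certificate was issued for that alias.

```powershell
# Added example: check the DNS alias and the certificate served on port 443.
# $alias is a hypothetical name; $target is the URL value from the Azure portal.
$alias  = 'clouddp.contoso.com'
$target = 'YourServiceName.cloudapp.net'

# 1) The alias must be a CNAME that points at the cloud service name.
$cname = Resolve-DnsName -Name $alias -Type CNAME -ErrorAction Stop |
    Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) { throw "No CNAME record found for $alias." }
$cnameHost = $cname.NameHost.TrimEnd('.')
if ($cnameHost -ne $target) { throw "CNAME points to $cnameHost, expected $target." }

# 2) Connect the way a client would and record how the certificate validates
#    for the alias. The callback returns $true only so the certificate can be
#    inspected; any validation errors are reported in the result.
$script:tlsErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $errors)
    $script:tlsErrors = $errors
    $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($alias, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($alias)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    [pscustomobject]@{
        Alias        = $alias
        CnameTarget  = $cnameHost
        Subject      = $served.Subject
        NotAfter     = $served.NotAfter
        PolicyErrors = $script:tlsErrors   # 'None' means name and chain validated
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

A PolicyErrors value other than None on a domain-joined client usually means the certificate name does not match the alias or the issuing CA is not trusted on that machine.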
ADJUST BOUNDARY GROUPS
The last step is to set up our boundary groups to include our cloud distribution point.
- In the SCCM Console
- Go to Administration / Hierarchy Configuration / Boundary Groups
- Right-click your boundary group, select Properties