In Technical Preview 1805 of Configuration Manager Current Branch, Microsoft introduced the Cloud Management Gateway Connector Analyzer. A highly valued feature which is a great starting point to troubleshoot your Cloud Management Gateway (CMG) in case you ran in to any issues. In short, it’s a more than welcome and helpful feature!
In a nutshell the Cloud Management Gateway Connection Analyzer validates you Cloud Management Gateway deployment on 6 points, namely:
- Validates whether CMG is in a ready state;
- Validates whether CMG services are running;
- Validates whether CMG is using a up to date configuration;
- Validates connection state between CMG Connection Point and CMG;
- Validates whether site systems are associated with CMG;
- Validates whether Management Point is available and/or well configured;
This blog post provides a first aid guidance to troubleshoot you Cloud Management Gateway(s).
Client Authentication Method
The Cloud Management Gateway Connection Analyzer can be found in the Cloud Services section part of the Administration pane. There are two clients authentication options to connect to the Cloud Management Gateway.
- Azure AD User (this can be a regular Azure AD user);
- Client certificate (currently use the Certificate File option as the console is by default started in a user context instead of system context);
Once connected successfully with a valid Azure AD Account or Client Certificate we can start the connection analyzer to verify the Cloud Management Gateway is working properly.
Cloud Management Gateway Ready State
By deploying the Cloud Management Gateway as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. The cloud services authenticates and forwards Configuration Manager client requests to the CMG connection point. The status of the cloud services has the following statuses:
- ServiceState 0 – Started
- ServiceState 3 – UndergoingMaintenance
- ServiceState 4 – Starting
- ServiceState 5 – Stopping
- ServiceState 6 – Stopped
- ServiceState 7 – ReadyRole
The illustration below indicates the CMG service is in ready state and therefore available.
The illustration below indicates the CMG service is not in a ready state.
To troubleshoot CMG Ready state, use CloudMgr.log.
Cloud Management Gateway Services
The illustration below indicates the CMG service is running.
The illustration below indicates the CMG service is not running and therefore not available.
In this case the CMG cloud services might be not running. To troubleshoot CMG services, use CMG-<cloud_service_name>-ProxyService_IN_0-CMGService.log (or CMG-<cloud_service_name>-ProxyService_IN_1-CMGService.log in case of 2 or more VM instances) and SMS_Cloud_ProxyConnector.log.
Cloud Management Gateway Configuration
The illustration below indicates the CMG configuration between on-premise CMG connection point and in CMG in Azure is in sync.
The illustration below indicates the CMG configuration between on-premise CMG connection point and in CMG in Azure is in sync.
This is an easy one, just makes sure the CMG configuration data is in sync by enforcing “Synchronize configuration” under Cloud Services section part of the Administration pane.
Cloud Management Gateway Connection Point
The CMG connection point is the site system role for communicating with the CMG. By default the CMG connection point establishes TCP-TLS connections (10140-10155) to connect to CMG cloud service in Azure. In case of 2 or more VM instances, the second VM instance uses port 10141, up to the sixteenth on port 10155.
Make sure <cloud_service_name>.cloudapp.net:10140 is reachable and can be resolved (name resolution) properly. To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
The illustration below indicates the CMG configuration point is able to communicate with CMG in Azure.
The illustration below indicates the CMG configuration point is not able to communicate with CMG in Azure.
To troubleshoot CMG services, use SMS_Cloud_ProxyConnector.log.
Site System roles assigned to Cloud Management Gateway
Make sure you have configured the management point and/or software update point site systems linked to your CMG to accept CMG traffic from clients which are on the internet.
When there is no site system role assigned (whether management point or software update point) clients on the internet won’t be able to take benefit of the concerning service(s).
Make sure you’ve assigned at least one management point or more to service clients on the internet.
Management Point Availability & Configuration
The CMG connect point forwards client communications to on-premise site system role(s) (management point(s) and/or software update point(s). In this case the site system roles should be available
In case you’ve bind a wrong web server certificate to you management point or software update point (IIS) or the certificate isn’t trusted (certificate chain) incoming client communications from CMG cloud service won’t be accepted.
In the table below an overview of a few scenarios whereby the management point isn’t available for various reasons.
| Error |
Solution |
| Failed to get ConfigMgr token with Azure AD token. Status code is ‘503’ and status description is ‘CMGConnector_ServiceUnavailable’. |
A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘ServiceUnavailable’.
Make sure IIS services is running properly. |
| Failed to get ConfigMgr token with Azure AD token. Status code is ‘500’ and status description is ‘CMGConnector_InternalServerError’. |
A possible reason for this failure is the CMG connection point failed to forward the message to the management point. Internal server error. For more information, see the management point logs for more details to see why internal server error returns.
Make sure you bind the right web server certificate to IIS or make sure the correct root- and/or intermediate CA is added. |
| Succeed to get ConfigMgr token with Azure AD token.
Failed to refresh MP location. Status code is ‘401’ and status description is ‘CMGConnector_Unauthorized’ |
A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Unauthorized’. |
| Succeed to get ConfigMgr token with Azure AD token.
Failed to refresh MP location. Status code is ‘500’ and status description is ‘CMGService_No_Connector’.
|
A possible reason for this failure is the CMG service failed to forward the message to the CMG connection point. There is no CMG connection point that is connecting to the CMG service. For more information, see the SMS_CLOUD_PROXYCONNECTOR.log on the CMG connection point.
Make sure firewall or proxies aren’t blocking network traffic. Click here for a complete overview of ports required by CMG. |
The concept is fairly simple and is actually based on defining two lists: