Troubleshooting Cloud Management Gateway: quickly & effectively w/ CMG Connector Analyzer

In Configuration Manager Current Branch 1806, Microsoft introduced the Cloud Management Gateway Connector Analyzer, a highly valued feature and a great starting point for troubleshooting your Cloud Management Gateway (CMG) in case you run into any issues. In short, it’s a more than welcome and helpful feature!

In a nutshell, the Cloud Management Gateway Connection Analyzer validates your Cloud Management Gateway deployment on 6 points, namely:

  1. Validates whether CMG is in a ready state;
  2. Validates whether CMG services are running;
  3. Validates whether CMG is using an up-to-date configuration;
  4. Validates connection state between CMG Connection Point and CMG;
  5. Validates whether site systems are associated with CMG;
  6. Validates whether Management Point is available and/or well configured;

This blog post provides first aid guidance to troubleshoot your Cloud Management Gateway(s).

Client Authentication Method

The Cloud Management Gateway Connection Analyzer can be found in the Cloud Services section of the Administration pane. There are two client authentication options to connect to the Cloud Management Gateway.

  • Azure AD User (this can be a regular Azure AD user);
  • Client certificate (currently use the Certificate File option as the console is by default started in a user context instead of system context);

[Image: CMG_sign_in]

Once connected successfully with a valid Azure AD Account or Client Certificate we can start the connection analyzer to verify the Cloud Management Gateway is working properly.

Cloud Management Gateway Ready State

By deploying the Cloud Management Gateway as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. The cloud service authenticates and forwards Configuration Manager client requests to the CMG connection point. The cloud service reports one of the following states:

  • ServiceState 0 – Started
  • ServiceState 3 – UndergoingMaintenance
  • ServiceState 4 – Starting
  • ServiceState 5 – Stopping
  • ServiceState 6 – Stopped
  • ServiceState 7 – ReadyRole

The illustration below indicates the CMG service is in ready state and therefore available.

[Image: CMG_ready_state]

[Image: CMG_cloudmgr.log]

The illustration below indicates the CMG service is not in a ready state.

[Image: CMG_ready_state_maintenance]

To troubleshoot CMG Ready state, use CloudMgr.log.

Cloud Management Gateway Services

The illustration below indicates the CMG service is running.

[Image: CMG_service_running]

The illustration below indicates the CMG service is not running and therefore not available.

[Image: CMG_service_failed]

In this case the CMG cloud service might not be running. To troubleshoot CMG services, use CMG-<cloud_service_name>-ProxyService_IN_0-CMGService.log (or CMG-<cloud_service_name>-ProxyService_IN_1-CMGService.log in case of 2 or more VM instances) and SMS_Cloud_ProxyConnector.log.

Cloud Management Gateway Configuration

The illustration below indicates the CMG configuration between the on-premises CMG connection point and the CMG in Azure is in sync.

[Image: CMG_configuration_in_sync]

The illustration below indicates the CMG configuration between the on-premises CMG connection point and the CMG in Azure is not in sync.

[Image: CMG_configuration_not_in_sync]

This is an easy one: just make sure the CMG configuration data is in sync by enforcing “Synchronize configuration” under the Cloud Services section of the Administration pane.

Cloud Management Gateway Connection Point

The CMG connection point is the site system role for communicating with the CMG. By default the CMG connection point establishes TCP-TLS connections (ports 10140-10155) to the CMG cloud service in Azure. In case of 2 or more VM instances, the second VM instance uses port 10141, and so on up to the sixteenth on port 10155.

[Image: CMG_tcp_connections_established]

Make sure <cloud_service_name>.cloudapp.net:10140 is reachable and that the name resolves properly. To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
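As an added example (not part of the original post), the following PowerShell script runs the reachability checks just described from the CMG connection point: it resolves the cloud service name, tests the TCP port of every VM instance (10140 for the first, 10141 for the second, and so on) and completes a TLS handshake so the certificate the service presents becomes visible. The cloud service name and the instance count are placeholders you replace; the handshake is made without a client certificate, so it only checks the server side of the connection and the trust of the presented chain on this host.

```powershell
# Added example (not from the original post): checks name resolution, TCP
# reachability and TLS handshake from a CMG connection point to the CMG
# cloud service. $CloudServiceName and $InstanceCount are placeholders.
param(
    [string]$CloudServiceName = 'YourCmgServiceName',   # placeholder: your CMG cloud service name
    [int]$InstanceCount = 1                             # number of CMG VM instances (1..16)
)

$fqdn = "$CloudServiceName.cloudapp.net"

# 1. Name resolution: the connection point must be able to resolve the cloud service FQDN.
try {
    $records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
    foreach ($r in ($records | Where-Object { $_.IPAddress })) {
        Write-Host "Resolved $fqdn -> $($r.IPAddress)"
    }
} catch {
    Write-Warning "Name resolution failed for ${fqdn}: $($_.Exception.Message)"
    return
}

# 2. One TCP-TLS port per VM instance: 10140 for the first, 10141 for the second, up to 10155.
$ports = 10140..(10140 + [Math]::Min($InstanceCount, 16) - 1)

foreach ($port in $ports) {
    $tcp = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "TCP ${fqdn}:$port not reachable (check firewalls/proxies between the connection point and Azure)"
        continue
    }

    # 3. TLS handshake (server side only): shows the certificate the service presents and
    #    whether this host trusts its chain. No client certificate is offered here.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($fqdn, $port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host ("TLS OK on port {0}: subject={1} expires={2:yyyy-MM-dd} protocol={3}" -f `
            $port, $cert.Subject, $cert.NotAfter, $ssl.SslProtocol)
        $ssl.Dispose()
    } catch {
        Write-Warning "TLS handshake failed on port ${port}: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}
```

Run it on the CMG connection point itself, because that is the host whose name resolution, proxy settings and trusted root store matter; a failure in step 2 points at firewalls or proxies, a failure in step 3 at the certificate chain.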

The illustration below indicates the CMG connection point is able to communicate with the CMG in Azure.

[Image: CMG_connection_point_status]

The illustration below indicates the CMG connection point is not able to communicate with the CMG in Azure.

[Image: CMG_connection_point_status_not_connected]

To troubleshoot CMG services, use SMS_Cloud_ProxyConnector.log.

Site System roles assigned to Cloud Management Gateway

Make sure you have configured the management point and/or software update point site systems linked to your CMG to accept CMG traffic from clients which are on the internet.

[Image: CMG_site_system_role_assigned]

When there is no site system role assigned (whether management point or software update point), clients on the internet won’t be able to make use of the corresponding service(s).

[Image: CMG_no_site_system_role_assigned]

Make sure you’ve assigned at least one management point to service clients on the internet.

Management Point Availability & Configuration

The CMG connection point forwards client communications to on-premises site system role(s) (management point(s) and/or software update point(s)). In this case the site system roles should be available.

[Image: CMG_management_point_status]

In case you’ve bound the wrong web server certificate to your management point or software update point (IIS), or the certificate isn’t trusted (certificate chain), incoming client communications from the CMG cloud service won’t be accepted.

[Image: CMG_pki_configuration]
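To verify the two conditions named above (right certificate bound to IIS, chain trusted) without waiting for a client to fail, the following PowerShell script, added here as an example and not part of the original post, reads the HTTPS bindings of the site system with netsh, looks up each bound certificate in the local machine store and checks its Server Authentication EKU, its name match against the server FQDN and the validity of its chain. The server FQDN defaults to this host's DNS name and is the only assumption.

```powershell
# Added example (not from the original post): inspects the web server certificate(s)
# bound to HTTPS on this management point / software update point and validates the
# chain the way a connecting client would. $ServerFqdn is a placeholder default.
param(
    [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

# netsh lists every HTTPS binding (IP:port or Hostname:port) followed by its certificate thumbprint.
$bindings = @()
$current = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') { $current = $Matches[2] }
    elseif ($line -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
        $bindings += [pscustomobject]@{ Binding = $current; Thumbprint = $Matches[1].ToUpper() }
    }
}
if (-not $bindings) { Write-Warning 'No HTTPS bindings found (netsh http show sslcert returned none).'; return }

foreach ($b in $bindings) {
    $cert = Get-Item "Cert:\LocalMachine\My\$($b.Thumbprint)" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "$($b.Binding): bound thumbprint $($b.Thumbprint) not found in LocalMachine\My"
        continue
    }

    # 1. Intended use: the certificate must carry the Server Authentication EKU.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

    # 2. Name match: subject CN or a SAN DNS entry must equal the FQDN clients connect to.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] }) }
    $nameMatch = $names -contains $ServerFqdn

    # 3. Chain: build it against this machine's trusted roots with online revocation checking,
    #    which is what fails when the root or intermediate CA is missing.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $chainStatus = if ($chainOk) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

    [pscustomobject]@{
        Binding       = $b.Binding
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        ServerAuthEku = [bool]$hasServerAuth
        NameMatches   = $nameMatch
        ChainValid    = $chainOk
        ChainStatus   = $chainStatus
    }
}
```

A row with ChainValid false and a status such as PartialChain or UntrustedRoot is the "certificate isn't trusted" case; NameMatches false or ServerAuthEku false is the "wrong web server certificate" case.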

The table below gives an overview of a few scenarios in which the management point isn’t available, for various reasons.

Error:
Failed to get ConfigMgr token with Azure AD token. Status code is ‘503’ and status description is ‘CMGConnector_ServiceUnavailable’. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘ServiceUnavailable’.
Solution:
Make sure the IIS service is running properly.

Error:
Failed to get ConfigMgr token with Azure AD token. Status code is ‘500’ and status description is ‘CMGConnector_InternalServerError’. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. Internal server error. For more information, see the management point logs for more details to see why internal server error returns.
Solution:
Make sure you bind the right web server certificate to IIS, or make sure the correct root and/or intermediate CA is added.

Error:
Succeed to get ConfigMgr token with Azure AD token. Failed to refresh MP location. Status code is ‘401’ and status description is ‘CMGConnector_Unauthorized’. A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: ‘Unauthorized’.

Error:
Succeed to get ConfigMgr token with Azure AD token. Failed to refresh MP location. Status code is ‘500’ and status description is ‘CMGService_No_Connector’. A possible reason for this failure is the CMG service failed to forward the message to the CMG connection point. There is no CMG connection point that is connecting to the CMG service. For more information, see the SMS_CLOUD_PROXYCONNECTOR.log on the CMG connection point.
Solution:
Make sure firewalls or proxies aren’t blocking network traffic. A complete overview of the ports required by CMG is in Microsoft’s CMG planning documentation (see Sources).

Cloud Management Gateway Log files

The following table lists the log files that contain information related to the cloud management gateway.

CloudMgr.log
Description: Records details about deploying the cloud management gateway service, ongoing service status, and use data associated with the service. You can configure the logging level by editing the Logging level value in the registry key HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER.
Computer with log file: The installdir folder on the primary site server or CAS.

CMGSetup.log (1)
Description: Records details about the second phase of the cloud management gateway deployment (local deployment in Azure). You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server.

CMGHttpHandler.log (1)
Description: Records details about the cloud management gateway http handler binding with Internet Information Services in Azure. You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server.

CMGService.log (1)
Description: Records details about the cloud management gateway service core component in Azure. You can configure the logging level using the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server.

SMS_Cloud_ProxyConnector.log
Description: Records details about setting up connections between the cloud management gateway service and the cloud management gateway connection point.
Computer with log file: Site system server.

(1) These are local Configuration Manager log files that the cloud service manager syncs from Azure storage every five minutes. The cloud management gateway pushes logs to Azure storage every five minutes, so the maximum delay is 10 minutes. Verbose switches affect both local and remote logs. The actual file names include the service name and role instance identifier, for example CMG-ServiceName-RoleInstanceID-CMGSetup.log.

  • For troubleshooting deployments, use CloudMgr.log and CMGSetup.log
  • For troubleshooting service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
  • For troubleshooting client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.
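All of the log files listed above are written in the CMTrace record format, one `<![LOG[message]LOG]!><time="…" date="…" component="…" context="…" type="…" thread="…" file="…">` entry per line, where type 1 is information, 2 a warning and 3 an error. As an added example that is not part of the original post or of Configuration Manager itself, the PowerShell function below parses such records, keeps warnings and errors, and pulls the HTTP status code out of messages like those in the error table above, so the status codes that matter can be found without scrolling through CMTrace. The sample lines are constructed for illustration (placeholder timestamps, thread ids and file references) and the path in the closing comment is a placeholder for your installdir.

```powershell
# Added example (not from the original post): parses CMTrace-format log lines such as
# those in SMS_Cloud_ProxyConnector.log or CMGService.log and reports warnings/errors
# together with any HTTP status code the message mentions.
function Get-CmgLogEntries {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $MinimumType = 2   # CMTrace type: 1 = Info, 2 = Warning, 3 = Error
    )
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    $severityNames = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }

    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }            # skip anything that is not a CMTrace record
        $type = [int]$m.Groups['type'].Value
        if ($type -lt $MinimumType) { continue }
        $msg = $m.Groups['msg'].Value
        # CMG messages spell out the HTTP status, e.g. "Status code is '503'"
        $status = if ($msg -match "Status code is '(\d{3})'") { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Date       = $m.Groups['date'].Value
            Time       = $m.Groups['time'].Value
            Component  = $m.Groups['comp'].Value
            Severity   = $severityNames[$type]
            StatusCode = $status
            Message    = $msg
        }
    }
}

# Constructed sample records in CMTrace format (placeholder timestamps, thread ids and file refs).
$sample = @'
<![LOG[Successfully connected to CMG service on port 10140.]LOG]!><time="10:15:20.101+000" date="08-20-2018" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="1" thread="4120" file="proxyconnector.cpp:210">
<![LOG[Failed to get ConfigMgr token with Azure AD token. Status code is '503' and status description is 'CMGConnector_ServiceUnavailable'.]LOG]!><time="10:15:22.123+000" date="08-20-2018" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="3" thread="4120" file="proxyconnector.cpp:310">
<![LOG[Failed to refresh MP location. Status code is '500' and status description is 'CMGService_No_Connector'.]LOG]!><time="10:16:01.456+000" date="08-20-2018" component="CMGService" context="" type="3" thread="12" file="cmgservice.cs:88">
<![LOG[Retrying connection in 60 seconds.]LOG]!><time="10:16:02.000+000" date="08-20-2018" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="2" thread="4120" file="proxyconnector.cpp:330">
'@ -split '\r?\n'

# Against a live site, replace $sample with the real file, e.g.
#   Get-Content '<installdir>\Logs\SMS_Cloud_ProxyConnector.log'   (placeholder path)
Get-CmgLogEntries -Lines $sample | Format-Table Date, Time, Severity, StatusCode, Component, Message -AutoSize
```

With the sample input the first (type 1) record is dropped and three rows are returned: two errors carrying status codes 503 and 500, and one warning without a status code. Pass -MinimumType 3 to see errors only.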

Sources

Please find below the resources I’ve used to write up this blog post.

Microsoft, Plan for the cloud management gateway in Configuration Manager

https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway

Microsoft, Log files in System Center Configuration Manager

https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/log-files#cloud-management-gateway

Further, I want to draw attention to a great blog post series on how to set up your Cloud Management Gateway by fellow MVP Zeng Yinghua.

SCConfigMgr, How to setup Co-Management

http://www.scconfigmgr.com/2017/11/23/how-to-setup-co-management-part-1/


Microsoft Intune introduced High Availability (HA) support for SCEP/PFX Connector

Since December 2017, Microsoft Intune supports multiple active SCEP/PFX connectors per tenant, in order to provide high availability for certificate handling.

Initially the Microsoft Intune SCEP/PFX connector didn’t provide support for high availability. The SCEP/PFX connector could be installed as a single instance with no option for multiple active connectors.

[Image: Microsoft Intune SCEP-PFX Connector]
Microsoft Intune SCEP/PFX connector supports multiple active connectors per tenant.


Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting

In a diptych I’m sharing my experiences, common practices and challenges of implementing Microsoft Intune PFX connector as certificate deployment mechanism in the enterprise.

[Image: IntunePFX]

In my first blog post I covered the basics of implementing a certificate deployment infrastructure based on the Microsoft Intune PFX connector, explained the differences and considerations in choosing SCEP or PFX as your certificate deployment solution, and explained the certificate issuing workflow. In this second post I’ll go into more detail on the anatomy and setup of the Intune Certificate Connector, explain how the renewal and revocation process (flow) works, and lastly give you some pointers on where to start in case you need to troubleshoot certificate deployment issues.

Part 1 – Deploying Microsoft Intune Connector in an Enterprise world: common practices

Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting


Part 1 – Deploying Microsoft Intune PFX connector in an Enterprise world…common practices

Last year I had the chance to implement a PFX certificate infrastructure for a large enterprise customer. The occasion for the project was a migration from Citrix XenMobile (XDM) to Microsoft Intune as the strategic mobile device and application management solution.

[Image: microsoft-intune-pfx-connector-architecture-overview]
Microsoft Intune PFX connector certificate deployment architecture.

In a series of blogposts I’m sharing my experiences, design decisions, common practices and challenges of implementing Microsoft Intune PFX connector as certificate deployment mechanism in an enterprise environment.

Windows Information Protection…notes from the field! #MSIgnite

Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps organizations to protect corporate data against potential data leakage.

[Image: information-protection-needs]

The concept is fairly simple and is actually based on defining two lists:

  • A corporate boundary list, which represents both on-premise & cloud network locations where managed apps can access corporate data;
  • A list of managed (trusted) apps, which are allowed to open, modify & store corporate data within the corporate boundary list.

In this blog we will look at some practical examples which you have to consider for a successful implementation of Windows Information Protection including a top 4 of recommended practices.


Important! Updated Microsoft Intune Company Portal app for iOS supports only iOS 8.0 or higher.


In case you missed it, Microsoft recently announced that the Microsoft Intune Company Portal app for iOS will be updated. Why might this be important to you?

Why updating?

As Apple releases new versions of iOS, they release new functionality, so there is a lack of functionality available on older iOS versions. Ending support for these older versions and encouraging end users to upgrade leads to a better end-user experience and allows us to prioritize the release of new functionality for customers. This adjustment to support iOS 8.0 and later brings the iOS Company Portal app into alignment with the version support of the Office apps and many other Microsoft (and non-Microsoft) apps.


Programme for System Center Summer Night 2016 announced!

[Image: SCUG.6001_summer_night_bbq_V01]

Just under a month to go and then it’s time: the System Center Summer Night 2016! Over the past week we have worked hard to finalise the programme. And with success! Besides keynote speaker Andrew de la Haye, we have found a large number of Microsoft speakers, Microsoft MVPs and experts willing to come and speak at the System Center Summer Night. A varied programme with no fewer than 9 sessions, ranging from Azure Stack to The Modern Workplace, from Incident response team to Infrastructure as Code, and from a Configuration Manager Sneak Preview to a look at the future of the internet!

Thanks in part to our sponsors, we also have the luxury of offering access to this event FREE of charge (more on this later). You can register for the System Center Summer Night 2016, on Thursday 23 June, here.
