Cloud Integration - Mastering System Center 2012 R2 Configuration Manager (2014)

Chapter 5. Cloud Integration

Ever since the release of Configuration Manager 2012 Service Pack 1, you can use Windows Azure cloud services to host cloud-based distribution points. Cloud-based distribution points allow Configuration Manager administrators to provide content to Internet-facing clients quickly and easily, without having to deal with the complexity of setting up Configuration Manager site systems in a perimeter network. Just like on-premises distribution points, cloud-based distribution points can be managed individually, or they can be members of distribution point groups.

Cloud-based distribution points have many benefits; for instance, they can be used for fallback content location. In addition, the provisioning of content on cloud-based distribution points is a secure process; Configuration Manager 2012 encrypts the content that is targeted to cloud-based distribution points before the content is sent to Windows Azure. Another benefit of cloud-based distribution points on Windows Azure is that the service can scale to meet changing demands for content requests, without having to deploy additional distribution points.

Windows Azure and cloud-based distribution points in Configuration Manager 2012 provide you with a lot of flexibility. You can extend and integrate your private cloud Configuration Manager infrastructure with the public cloud in a matter of hours—maybe in a couple of days in most cases. How long will it take you to requisition hardware or a virtual machine, stage the OS and applications, and then work with your network and security teams to set up that server in a perimeter network? In most environments that project will take months to complete.

Another benefit of cloud integration is that you can scale on the fly your cloud-based distribution points, based on your Internet-connected users’ demand. You can control the costs that are associated with data transfers to and from a cloud-based distribution point; Configuration Manager includes options to control and monitor data access. You can also control and monitor the amount of content that you copy to the cloud service, and you can configure Configuration Manager to alert you when thresholds for client downloads meet or exceed monthly limits. Use the alerts in Configuration Manager to proactively manage data charges when you use cloud-based distribution points.

You might be wondering where you can use a cloud-based distribution point. My experience supporting Configuration Manager for some of the Fortune 500 companies in the United States tells me that most enterprises could benefit from cloud-based distribution points. One retailer I know could keep all of its remote stores’ computers from coming across the WAN to get content from the corporate network. An oil company I know could have the computers on drilling rigs located in the middle of the ocean pull the content they need from the cloud. An insurance company I know could probably eliminate over 20,000 secondary sites/distribution points that it has in every remote office—yes, the offices you see in your neighborhood. I could go on. With the trend of more and more employers allowing telecommuting, I expect to see a lot of you using cloud-based distribution points in the near future.

Cloud-based distribution points have some limitations. They cannot host software update packages and cannot be used for PXE or multicast operating system deployments. Cloud-based distribution points cannot be configured as pull distribution points. They do not support prestaged content; the primary site that manages the distribution point encrypts the content and copies it to the distribution point on Windows Azure. The encryption key used to encrypt the content is different for each package, so cloud-based distribution points do not support Single Instance Storage. In addition, cloud-based distribution points do not support packages configured to run from the distribution point; all content must be downloaded to the client cache and executed locally. Because of that limitation, clients are not offered a cloud-based distribution point as a content location when a task sequence uses the Download Content Locally When Needed By Running Task Sequence option. On the other hand, if the task sequence is configured with the Download All Content Locally Before Starting Task Sequence option, a cloud-based distribution point will be offered as a valid content location. Another limitation is that cloud-based distribution points do not support streaming of App-V applications.

In this chapter, you will learn to

· Test cloud distribution points before going into production

· Control cloud distribution points usage costs

· Simplify your hierarchy

Windows Azure Integration

Windows Azure is Microsoft’s cloud platform. It allows you to quickly build, deploy, and manage applications across a global network of Microsoft-managed datacenters. Windows Azure is an open and flexible platform that allows you to integrate your existing IT environment with public cloud applications. Support for cloud-based distribution points in Configuration Manager 2012 is a good example of how Windows Azure allows you to integrate and expand your private cloud environment with public cloud applications. To be able to use Configuration Manager 2012 integration with Windows Azure and deploy a cloud-based distribution point, you must meet some prerequisites:

· You must have a Windows Azure service subscription.

· You must have a self-signed or public key infrastructure (PKI) management certificate. This can be created with Visual Studio Express.

· You must set the client setting Allow Access To Cloud Distribution Points under Cloud Services to Yes.

· You must have a PKI service certificate for the clients to use to connect to cloud-based distribution points. You will need either a Microsoft or a third-party PKI infrastructure and a way to issue the certificate.

· Clients must have Internet access to use the cloud-based distribution point.

· Clients must be able to resolve the name of the cloud service, so a Domain Name System (DNS) record is required in your DNS namespace.

Management Certificate for Site Server to Distribution Point Communication

The communication between Configuration Manager 2012 and cloud-based distribution points is secured and encrypted. Microsoft wants to make sure your content is well protected, so every package is encrypted with a different encryption key before it gets copied to the cloud-based distribution points. To make this process secure, you will need a couple of certificates. In this section, you will find information about the certificate requirements and also about other requirements for the clients to be able to communicate with cloud-based distribution points.

· The management certificate establishes trust between Windows Azure and Configuration Manager. This authentication enables Configuration Manager to call the Windows Azure API when you perform tasks such as deploying content to the cloud-based distribution point. Windows Azure subscribers can create their own management certificates, which can be either a self-signed certificate or a certificate that is issued by a certification authority (CA). This certificate will have to be exported as a .pfx file and a .cer file.

· The .cer file of the management certificate is the one that has to be uploaded to Windows Azure. If your company is already using Windows Azure, there is a very good chance that a management certificate was already created and uploaded there. In that case you will only need to get the .pfx file and its password. If that is not the case, the certificate will have to be uploaded to the Windows Azure portal. We will cover that in the next section. The .cer file contains the public key for the management certificate. You must upload this certificate to Windows Azure before you create a cloud-based distribution point in the Configuration Manager Administration console.

· The .pfx file of the management certificate is provided to Configuration Manager when you create the cloud-based distribution point. The .pfx file contains the private key for the management certificate. Configuration Manager stores this certificate in the site database. Because the .pfx file contains the private key, you will be prompted for the certificate password.

· The service certificate is the other certificate you are going to need as a .pfx file. This certificate is provided to Configuration Manager when creating the cloud-based distribution point. The service certificate establishes trust between the Configuration Manager clients and the cloud-based distribution point. The service certificate also secures the data that clients download from the cloud-based distribution point, because the connection uses HTTPS (Secure Sockets Layer, SSL).

· Clients must be able to access the Internet to be able to use cloud-based distribution points. They also need to be able to resolve the name of the cloud-based distribution point. This requires a DNS alias and a CNAME record in your DNS namespace.

Creating a Cloud Distribution Point

This section covers creating the certificates, requesting and exporting the certificates, uploading the management certificate to Windows Azure, and finally creating the cloud-based distribution point. If you are an MSDN subscriber or have access via a corporate subscription, you have access to a limited Windows Azure subscription that will allow you to test cloud-based distribution points. You could also sign up for a free Windows Azure trial to test cloud-based distribution points.

We are going to show you how to use Visual Studio Express 2013 to create the management certificate. Since it would be impossible to cover every public key infrastructure (PKI) service in this book, we are going to use Microsoft’s PKI services to create the service certificate. If you are using a different PKI service, please refer to the “PKI Certificate Requirements for Configuration Manager” TechNet article available at http://technet.microsoft.com/en-us/library/gg699362.

Creating and Exporting the Management Certificate

To create the management certificate, you will use Visual Studio Express 2013. You can get it free from www.microsoft.com/visualstudio/eng/downloads. You don’t need to install Visual Studio on your Configuration Manager server. You can install Visual Studio on your workstation or on any other computer since you are going to export the certificate after its creation.

1. Install Visual Studio Express 2013. Go to the Visual Studio Tools folder and open Developer Command Prompt for VS2013 as administrator. In the command prompt window, run the following command, as shown in Figure 5.1:

makecert -sky exchange -r -n "CN=Windows Azure Management Certificate" -pe -a sha1 -len 2048 -ss My "Windows Azure Management Certificate.cer"

Figure 5.1 Creating the Windows Azure Management Certificate

2. Open the MMC, add the Certificates snap-in, and then select My User Account. Click Finish and then click OK.

3. Under Certificates expand Personal, and then expand Certificates.

4. Right-click the Windows Azure Management Certificate, select All Tasks, and then select Export.

5. Click Next, select No, Do Not Export The Private Key, and then click Next. See Figure 5.2.

Figure 5.2 Exporting the private key

6. Make sure DER Encoded Binary X.509 (.CER) is selected, and then click Next, as shown in Figure 5.3.

Figure 5.3 DER encoded binary

7. Specify a name for the certificate such as Windows Azure Management Certificate, and then click Next. See Figure 5.4.

Figure 5.4 Name the certificate

8. Click Next, and then click Finish.

9. Click OK on the Export Was Successful dialog box.

Note that if you do not specify a path for the certificate, the .cer file will be saved under ...\Windows\System32.

10. You need to export the management certificate one more time, but this time as a .pfx file. Under Certificates expand Personal, and then expand Certificates.

11. Right-click Windows Azure Management Certificate, select All Tasks, and then select Export.

12. Select Yes, Export The Private Key, and then click Next, as shown in Figure 5.5.

Figure 5.5 Exporting the private key

13. Click Next, provide a password for the certificate, and then click Next again.

14. Provide a name for the certificate such as Windows Azure Management Certificate, and then click Next. Click Finish. Click OK to dismiss the Certificate Export Wizard successful completion message. Again, if you do not specify a path for the certificate, the .pfx file will be saved under ...\Windows\System32.

15. Now is a good time to copy the management certificate’s .cer and .pfx files to a safe location.
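The same creation and export sequence, as an added PowerShell example that is not from the book: it runs the chapter's makecert command with an explicit output folder (so the .cer does not land in ...\Windows\System32), finds the certificate in the user's Personal store, and exports the .pfx with Export-PfxCertificate. It assumes makecert.exe is on the PATH (run it from the VS2013 Developer Command Prompt or a session with the same PATH) and that $OutDir is a folder you choose.

```powershell
# Added example (not the book's code): create the Windows Azure management
# certificate and export its .cer and .pfx files to a folder you control.
param(
    [string]$OutDir  = 'C:\Certs',                                  # assumed output folder
    [string]$Subject = 'CN=Windows Azure Management Certificate'    # same CN as the chapter
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the self-signed certificate in CurrentUser\Personal (-ss My) with the
#    chapter's switches; the last argument is where makecert writes the .cer file.
$cerPath = Join-Path $OutDir 'WindowsAzureManagementCertificate.cer'
& makecert -sky exchange -r -n $Subject -pe -a sha1 -len 2048 -ss My $cerPath
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# 2. Locate the certificate in the store by subject; if the command has been run
#    before, take the newest one so the exported .pfx matches the .cer just written.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert)               { throw "Certificate '$Subject' not found in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; -pe was not honoured' }

# 3. Confirm the .cer on disk is the same certificate (thumbprints must agree),
#    since this is the file that gets uploaded to the Windows Azure portal.
$onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($onDisk.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported .cer ($($onDisk.Thumbprint)) does not match store certificate ($($cert.Thumbprint))"
}

# 4. Export the private key as a password-protected .pfx for the Create Cloud
#    Distribution Point Wizard. The password is prompted for, never hard-coded.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx file'
$pfxPath = Join-Path $OutDir 'WindowsAzureManagementCertificate.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 5. Report what was produced; the thumbprint is what you match in the portal.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    CerFile    = $cerPath
    PfxFile    = $pfxPath
}
```

Copy both files to a safe location afterwards, as step 15 says; the .pfx contains the private key that lets Configuration Manager act on your Windows Azure subscription.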

Creating the Service Certificate Template

To create the service certificate, you are going to use Microsoft’s PKI services. In most enterprises, we don’t expect the Configuration Manager administrators to have access to the PKI services. PKI is something that is usually managed by another team. The following steps and the “PKI Certificate Requirements for Configuration Manager” TechNet article mentioned earlier can be used as references by the PKI team. We will be creating the service certificate on the Enterprise CA, but the PKI services configuration in your environment will dictate where you need to create this certificate.

1. Before you create the cloud-based distribution point service certificate, create a security group named ConfigMgr Site Servers and add all the Configuration Manager SP1 primary site servers that will be managing cloud-based distribution points.

2. Open the Certification Authority console on the Enterprise CA, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

3. Right-click the Web Server entry in the Template Display Name column, and then click Duplicate Template, as shown in Figure 5.6.

Figure 5.6 Select Duplicate Template.

4. In the Duplicate Template dialog box, ensure that Windows Server 2003 is selected for compatibility.

5. In the Properties Of New Template dialog box, on the General tab, enter a template name to generate the web server certificate for cloud-based distribution points, such as ConfigMgr Cloud-based Distribution Point Certificate.

6. On the Request Handling tab, select Allow Private Key To Be Exported.

7. On the Cryptography tab, change Minimum Key Size to 2048.

8. On the Security tab, remove the Enroll permission from the Enterprise Admins and Domain Admins security groups.

9. Click Add, enter ConfigMgr Site Servers in the text box, and then click OK.

10. Check the Enroll permission for this group, and do not uncheck the Read permission.

11. Under the Subject Name tab, make sure Supply In The Request is selected.

12. Click OK and close the Certificate Templates console.

13. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template To Issue.

14. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Cloud-based Distribution Point Certificate, and then click OK.

15. Close the Certification Authority console.

Requesting and Exporting the Service Certificate

In the previous section, you created the service certificate template on the Enterprise CA. In this section, you will request and export the service certificate. Perform the following steps on the primary site that is going to be managing cloud-based distribution points:

1. On the Configuration Manager SP1 site that is going to manage a cloud-based distribution point, open the MMC, add the Certificates snap-in and the Computer account, and then select Local Computer. Click Finish and then click OK.

2. Expand Personal and then right-click Certificates. Select All Tasks and then Request New Certificate, as shown in Figure 5.7.

Figure 5.7 Request New Certificate

3. Accept the default options in the Certificate Enrollment Wizard until a list of available certificates is displayed.

4. Select the ConfigMgr Cloud-based Distribution Point certificate, and then click More Information Is Required To Enroll For This Certificate. Click Here To Configure Settings. That is the line with the exclamation mark in a yellow triangle, as shown in Figure 5.8.

Figure 5.8 More information

5. In the Certificate Properties window’s Subject tab, under Subject Name, select Common Name. In the Value field for Common Name, type CM2012R2CloudDP.cloudapp.net and then click Add. See Figure 5.9.

Figure 5.9 Certificate Properties dialog

Note that the common name in the certificate subject box must be unique in your domain and not match any domain-joined device.

6. Click OK, click Enroll, and then click Finish.

7. Find the service certificate in the Certificates console, right-click it, select All Tasks, and then click Export.

8. Follow the Certificate Export Wizard and select Yes, Export The Private Key.

9. Click Next, provide a password for the certificate, and then click Next again.

10. Provide a name for the certificate such as ConfigMgr Cloud-based Distribution Point Service Certificate, click Save, and then click Next.

11. Click Finish. Again, if you do not specify a path for the certificate, the .pfx file will be saved under ...\Windows\System32. Save the service certificate .pfx file to a safe location.
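Before handing the exported .pfx to the wizard, it is worth confirming it actually carries what the template above was meant to produce. The following PowerShell is an added example, not the book's code; it loads the .pfx in memory and checks the points the template steps set (exportable private key, 2048-bit key, Server Authentication usage inherited from Web Server, a fully qualified Common Name supplied in the request, validity dates). $PfxPath and the password are values you supply; it uses $cert.PublicKey.Key, which is available in Windows PowerShell.

```powershell
# Added example (not the book's code): pre-flight checks on the service
# certificate .pfx exported in step 11. Nothing is written to a certificate store.
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,          # e.g. the .pfx saved in step 11
    [Parameter(Mandatory = $true)][securestring]$PfxPassword # the password given in step 9
)
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList @($PfxPath, $PfxPassword, $flags)
$problems = New-Object System.Collections.Generic.List[string]

# 1. The wizard needs the private key (Allow Private Key To Be Exported on the template).
if (-not $cert.HasPrivateKey) { $problems.Add('The .pfx contains no private key') }

# 2. Minimum Key Size was set to 2048 on the Cryptography tab.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { $problems.Add("Key size is $keySize bits; expected at least 2048") }

# 3. The template was duplicated from Web Server, so clients expect the
#    Server Authentication enhanced key usage (OID 1.3.6.1.5.5.7.3.1) for HTTPS.
$serverAuth = $false
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $serverAuth = $true }
        }
    }
}
if (-not $serverAuth) { $problems.Add('Missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)') }

# 4. Subject Name was supplied in the request; the CN becomes the Service FQDN in the
#    wizard and must be a fully qualified DNS name (chapter example: CM2012R2CloudDP.cloudapp.net).
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ([string]::IsNullOrWhiteSpace($cn)) {
    $problems.Add('Subject has no Common Name')
} elseif ($cn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    $problems.Add("CN '$cn' is not a fully qualified DNS name")
}

# 5. Clients reject a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems.Add("Not valid at $now (valid from $($cert.NotBefore) to $($cert.NotAfter))")
}

[pscustomobject]@{
    Subject     = $cert.Subject
    ServiceFqdn = $cn
    Thumbprint  = $cert.Thumbprint
    Passed      = ($problems.Count -eq 0)
    Problems    = $problems.ToArray()
}
```

The note after step 5 (the CN must not match any domain-joined device) is a directory check this script does not make; confirm it against your domain separately.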

Uploading the Management Certificate to Windows Azure

If your company has a Windows Azure subscription and they have already created a management certificate for Windows Azure, there is no need to upload another certificate. You can use the existing certificate as long as you can get its .pfx file and its password. In that case you can skip this section. If there is no Windows Azure management certificate already in place, use the following steps to upload the management certificate to Windows Azure:

1. Open and log on to the Windows Azure Management Portal (http://management.windowsazure.com).

2. Click Settings, and then click Management Certificates.

3. Click Upload A Management Certificate and browse to the .cer certificate that you created earlier. Click the check mark to upload the certificate. After the certificate is uploaded successfully, you should be able to see it in the Windows Azure Management Portal, as shown in Figure 5.10.

Figure 5.10 Management Certificates

Creating the Cloud Distribution Point

Now that you have taken care of all the prerequisites, you can go to the Configuration Manager Administration console to create the cloud-based distribution point.

1. Open the Configuration Manager Administration console.

2. Under Administration, expand Cloud Services, and then click Cloud Distribution Point.

3. Click Create Cloud Distribution Point. When the Create Cloud Distribution Point Wizard opens, enter your Windows Azure Subscription ID and browse to the .pfx management certificate you exported after creating it in Visual Studio. If your company already had a management certificate created for Windows Azure, select that .pfx file instead. Your Windows Azure Subscription ID is not the email address you used to open your Windows Azure subscription; it is actually a long string of numbers that you can get under the Windows Azure Cloud Services Dashboard.

4. Enter the password for the .pfx management certificate, and then click Next.

5. The service name is created automatically. Enter a description for the distribution point, select a region, and make sure the primary site managing the cloud-based distribution point is selected. Under Specify A Server PKI For This Cloud Service, browse to the .pfx file for the Cloud-Based Distribution Point Service Certificate (enrolled from your certification authority) and enter its password. The Service FQDN field will be populated automatically with the service name you specified in the certificate. See Figure 5.11.

Figure 5.11 Creating a cloud distribution point

6. Configure alerts for the cloud-based distribution point as you want, and then click Next. See Figure 5.12 for the default values.

Figure 5.12 Configuring alerts

7. Click Next one more time on the Summary page, and then click Close after the cloud-based distribution point is created.

8. You can use the Configuration Manager Trace Log tool to open the Cloud Services Manager log file (CloudMgr.log) to monitor the cloud-based distribution point creation process.

9. You will see entries like these in the log:

Skipping safe exception Microsoft.WindowsAzure.StorageClient.StorageServerException. Will check again in 10 seconds.

Waiting for check if container exists. Will check again in 10 seconds.

After five minutes you will see the following error in the log:

ERROR: Timed out after 00:05:00 minutes waiting for check if container exists.

Do not worry about the timeout error; the provisioning process will continue behind the scenes on Windows Azure. You can go to the Windows Azure portal under Cloud Services and also under Storage and check that a new cloud service and storage are getting created with the service name generated by the Create Cloud Distribution Point Wizard. Later, in the Cloud Services Manager log, you will see that Configuration Manager started uploading contentwebrole.cspkg to Windows Azure.

10. You can also use the Configuration Manager console to make sure the cloud-based distribution point is provisioned before you start copying content to it. Under Administration, expand Cloud Services, and then click Cloud Distribution Points. Make sure that the Status field for the cloud distribution point shows Ready. The Status Description should be Provisioning Completed.

11. Test deploying content to the cloud-based distribution point. Choose an application in the Configuration Manager console and distribute it to the newly created cloud-based distribution point. Choose Monitoring ⇒ Content Status in the Configuration Manager Administration console to make sure the content was copied to the cloud-based distribution point.

12. Before your clients can get content from the cloud-based distribution point, you need to deploy the cloud-based distribution point service certificate to them. Also remember that you need to enable Allow Access To Cloud Distribution Point under Device/User Settings, as shown in Figure 5.13.

Figure 5.13 Client Settings

Configure Name Resolution for Cloud-based Distribution Points

Before your clients can access the cloud-based distribution point, they must be able to resolve the name of the cloud-based distribution point to an IP address that matches the service in Windows Azure. Clients do this in two stages:

1. Clients map the service name that you provided with the Configuration Manager cloud-based distribution point service certificate to your Windows Azure service fully qualified domain name (FQDN). This FQDN contains a GUID and the DNS suffix of cloudapp.net. The GUID is automatically generated after you install the cloud-based distribution point. You can see the full FQDN in the Windows Azure Management Portal, by referencing the SITE URL in the dashboard of the cloud service. An example site URL is http://f83e1229e5384427b325e44a.cloudapp.net/.

2. Clients resolve the Windows Azure service FQDN to the IP address that Windows Azure allocates. This IP address can also be identified in the dashboard for the cloud service in the Windows Azure portal and is named PUBLIC VIRTUAL IP (VIP) ADDRESS.

To map the service name that you provided with the Configuration Manager cloud-based distribution point service certificate (for example, CM2012R2CloudDP.cloudapp.net) to your Windows Azure service FQDN (for example, f83e1229e5384427b325e44a.cloudapp.net), DNS servers on the Internet must have a DNS alias (CNAME record). Clients can then resolve the Windows Azure service FQDN to the IP address by using DNS servers on the Internet.
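A way to check both resolution stages from an Internet-connected machine, and then confirm that the name clients use matches the certificate the cloud service presents, as an added PowerShell example that is not from the book. The service name and Windows Azure FQDN are the chapter's example values; the public resolver address is an assumption (any Internet-facing resolver will do), and Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not the book's code): verify the CNAME -> Windows Azure FQDN ->
# public VIP chain and read the service certificate over HTTPS on port 443.
param(
    [string]$ServiceName       = 'CM2012R2CloudDP.cloudapp.net',         # chapter example
    [string]$ExpectedAzureFqdn = 'f83e1229e5384427b325e44a.cloudapp.net', # chapter example
    [string]$Resolver          = '8.8.8.8'                               # assumed public resolver
)
$ErrorActionPreference = 'Stop'

# Stage 1: the service name must be a DNS alias (CNAME) for the Windows Azure FQDN.
$cname = Resolve-DnsName -Name $ServiceName -Type CNAME -Server $Resolver |
    Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) { throw "$ServiceName has no CNAME record on $Resolver" }
if ($cname.NameHost -ne $ExpectedAzureFqdn) {
    throw "CNAME for $ServiceName points at $($cname.NameHost), expected $ExpectedAzureFqdn"
}

# Stage 2: the Windows Azure FQDN must resolve to the service's PUBLIC VIRTUAL IP ADDRESS.
$a = Resolve-DnsName -Name $cname.NameHost -Type A -Server $Resolver |
    Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
if (-not $a) { throw "$($cname.NameHost) has no A record on $Resolver" }

# Stage 3: connect over HTTPS to the VIP using the service name, exactly as a
# client would, and record the certificate plus any policy errors the client
# would see. The callback returns $true only so the handshake completes and the
# certificate can be inspected; the result object below is what decides pass/fail.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($a.IPAddress, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($ServiceName)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}
$certDnsName = $remote.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

[pscustomobject]@{
    ServiceName     = $ServiceName
    AzureFqdn       = $cname.NameHost
    PublicVip       = $a.IPAddress
    CertificateName = $certDnsName
    NameMatches     = ($certDnsName -eq $ServiceName)   # must be True for clients to connect
    PolicyErrors    = "$script:policyErrors"            # 'None' when a client would trust it
}
```

PolicyErrors other than None on a machine that has the service certificate's issuing CA in its trusted roots means clients will refuse the download even though the names resolve correctly.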

The Bottom Line

1. Test cloud distribution points before going into production. Before you go into production with cloud-based distribution points, you should test the service to make sure it meets your needs. The tools required for testing and the trial service are free.

Master It Creating a cloud distribution point is easy, but there are prerequisites that need to be met. You will need a Windows Azure account and Visual Studio to create the management certificate.

2. Control cloud distribution point usage costs. Don’t set and forget your cloud-based distribution points. Monitor their usage so you can control your costs. Monitoring usage will also help you determine when it is time to scale up.

Master It Make sure you have control of the charges associated with data transfers from your Windows Azure subscription.

3. Simplify your hierarchy. Since the early development stages of Configuration Manager 2012, Microsoft has been telling us to flatten or simplify our Configuration Manager hierarchies. Cloud-based distribution points provide you with another opportunity to do so.

Master It Flatten your Configuration Manager hierarchy. There are probably site roles that could be decommissioned by deploying cloud-based distribution points.