ConfigMgr Cloud Distribution Points

One of the new features in ConfigMgr SP1 is cloud-based distribution points (CDP). ConfigMgr SP1 clients can use the CDP as a fallback solution when the requested content is not available at an on-premise distribution point (the new term for the “old-fashioned DP”). It is not a replacement for Internet Based Client Management.

The benefits of having cloud distribution points are:

  • You can easily create them
  • You can easily add more resources in scenarios where extra bandwidth is needed, e.g. when upgrading to Office 2013 worldwide
  • Nice fallback solution
  • Clients will fall back to the Cloud DP if the requested packages are not found on the local DP or a remote DP.

Installing the Cloud DP – high level

When installing the Cloud DP you will have to go through these steps.

  • Prepare Configuration Manager, install and export the needed certificate
  • Configure Windows Azure
  • Install the CloudDP in SCCM 2012 and configure the Client Settings to allow the use of a Cloud DP
  • Configure DNS so clients can connect with the Cloud DP

Prepare Configuration Manager

First you need to create a certificate that can be uploaded to Azure and also used when installing the Cloud DP role.

  1. I used the Windows Server 2012 certificate authority to create the certificate with these settings:
  2. from the Server Manager Dashboard, select Tools and Certification Authority
  3. Right click Certificate Templates and click Manage.
  4. Select the WEB Server Template and click Duplicate Template
  5. General tab, Name: CM12 Windows Azure
  6. Request handling tab, Allow private key to be exported: True
  7. Security tab: Added the Active Directory group CM Servers with Read and Enroll Certificate permissions
  8. Click OK and close Certificate Templates Console.
  9. Right click Certificate Templates, select New, Certificate Template to Issue
  10. Select the CM12 Windows Azure Certificate and click OK. The certificate is now created and must be enrolled on the server.
  11. Open an MMC and add the Certificates snap-in, select the Local Computer.
  12. Open the Personal store, right click Certificates and select All Tasks, Request New Certificate.
  13. On the Before you begin page, click Next.
  14. On the Select Certificate Enrollment Policy page, select Active Directory Enrollment Policy and click Next.
  15. On the Request Certificates page, select the CM12 Windows Azure certificate and click the link More information is required to enroll this certificate...
  16. In the Subject name, select Common name and type CloudDP.SC2012.Local and click Add (where SC2012.local is the name of your domain)
  17. In Alternative name, select DNS, type CloudDP.SC2012.local and click Add.
  18. Click OK and finish the enrollment.
  19. Still in the Certificates snap-in, right click the new CloudDP certificate, select All Tasks, Export. You need to walk through the export process twice: once to export a CER file and once to export a PFX certificate.
  20. On the first page click Next.
  21. On the Export Private Key page, select No, do not export the private key and click Next.
  22. On the Export file format, select CER and click Next.
  23. Save the file as CloudDP.cer and finish the wizard.
  24. Export the certificate once more and this time select Yes, I want to export the private key.
  25. Finish the export and save the certificate using the default settings.
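
Steps 11 to 25 can also be scripted. The following is an added example, not part of the original post: it enrolls the certificate, exports both files and checks that the CER file carries no private key. The template's internal name `CM12WindowsAzure` and the output folder `C:\Certs` are assumptions; the post only gives the display name CM12 Windows Azure.

```powershell
# Added example (not from the original post). Run elevated on the server that
# enrolls the certificate; needs the PKI module (Windows Server 2012 or later).
$fqdn     = 'CloudDP.SC2012.Local'  # subject and DNS name used in the post
$template = 'CM12WindowsAzure'      # ASSUMPTION: internal name of the "CM12 Windows Azure" template
$outDir   = 'C:\Certs'              # ASSUMPTION: folder readable by administrators only
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Steps 11-18: enroll into the Local Computer Personal store.
$enroll = Get-Certificate -Template $template -SubjectName "CN=$fqdn" `
    -DnsName $fqdn -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne 'Issued') { throw "Enrollment not completed: $($enroll.Status)" }
$cert = $enroll.Certificate

# Confirm the issued certificate really carries the DNS name clients will use
# (Subject Alternative Name extension, OID 2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($fqdn)) {
    throw "Issued certificate has no DNS name $fqdn"
}

# Steps 19-23: public certificate only (the file uploaded to Azure).
$cerPath = Join-Path $outDir 'CloudDP.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Steps 24-25: certificate plus private key, protected by a password.
$pfxPath = Join-Path $outDir 'CloudDP.pfx'
$pfxPwd  = Read-Host -AsSecureString -Prompt 'Password for CloudDP.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null

# Check the exported CER: same certificate, and no private key inside.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($cer.HasPrivateKey)                   { throw 'CloudDP.cer unexpectedly contains a private key' }
if ($cer.Thumbprint -ne $cert.Thumbprint) { throw 'CloudDP.cer does not match the enrolled certificate' }

"Exported $($cert.Thumbprint): CloudDP.cer (public only), CloudDP.pfx (with private key)"
```

The PFX file holds the private key of the certificate that Azure will accept as a management certificate for the subscription, so treat it and its password as a credential and remove working copies once the Cloud DP wizard has imported it.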

Configuring Windows Azure

  • In order to get started you first need to create a Windows Azure account.
  • Log on to Windows Azure with your account
  • Select Hosted Services, Storage Accounts & CDN
  • Click on Management Certificates.
  • Right click on the subscription, select Add Certificate and add the .cer file.
  • That was it for Azure – it takes a little while before the settings are applied.

Install the Cloud DP

  1. In Configuration Manager, select the Administration Workspace, Hierarchy Configuration, Cloud
  2. Click Create Cloud Distribution Point on the Ribbon.
  3. In Subscription ID, copy the subscription ID from your Azure account (you find it by selecting Certificates).
  4. In Management Certificate, click Browse and select the PFX certificate.
  5. Click Next – it might take a little while to verify the subscription ID.
  6. Select your “local region” and click Next
  7. Configure the expected storage quota and monthly transfer rate, and finish the wizard.
  8. In the background the CloudDP manager component will connect to Azure and start creating the service. This process can easily take several minutes (as in 30).
  9. When Azure is configured the Status in the ConfigMgr console will change to Ready.
  10. The Cloud DP is now ready and you can start distributing content to the service in the same way as you normally distribute content.
  11. You can monitor the content in Azure or open the Cloud DP properties and select the Content tab.

Configure DNS

  1. In order for the clients to be able to download content, they must be able to resolve the CloudDP.SC2012.Local name to an IP address. You find the IP address in Windows Azure. Select Hosted Services, and navigate to the BLOB.

  2. Open DNS and create a new host record for CloudDP.SC2012.Local

Testing the deployment

  1. Distribute the content as any other regular package and select the CloudDP type
  2. The package transfer manager will copy the content to the Cloud
  3. The client receives the policy and initiates the download. Notice that the contentlocation is our new CloudDP

At the same time I was writing this blog post, my good friend and fellow MVP James Bannan posted a similar post - make sure you also read that article.


Comments (10):

  1. Vasu Miriyala says:

    Hi Kent,

    Good one, well detailed !!!
    Yes, I appreciate your sensibility to friendship, and I read your friend's article too
    Thanks, Vasu

  2. Tom says:

    Really good article!! Well explained.
    Thanks.

  3. Bharat says:

    Hi Kent,

    I have a question and I believe you can explain this.

    If i have two Cloud DP according to my site location one is US and Other is in UK.

    How client will come to know which cloud DP is near like in normal DP they have boundary group and all.

    What is the mechanism behind client detecting nearest cloud DP.

    Regards
    Bharat Chand

  4. It’s very straightforward to find out any matter on net as compared to books, as I found this post at this site.

  5. Hi Kent

    I have a question with regards to the cloud distribution point and when to use it. I have a customer with around 500 reps who are on the road constantly. They never come into the office but connect using VPN connections to use company LOB applications. I am not looking to distribute applications to them but would like to distribute Microsoft Security patches to them. Would you suggest using a cloud DP to deploy the distribution points to them or configure the microsoft’s windowsupdate.com as a fall back for download and install the patches.

    I am just unclear on if the clients will just install all the patches available from windowsupdate.com or only the ones I specified in my deployment package. Also if I do not go with the Cloud DP would I need to create a ICMB server for them to receive the policies I configured for the Windows update package I created?

    Any help would be greatly appreciated.

    Kind regards
    mark

  6. Hey Kent….Nice Blog.
    If we deploy cloud DP for one of the branch sites having 100 clients, so that means all clients will be connecting over WAN to cloud DP. So it is as good as all clients connecting to Microsoft update and using same level of b/w. Is my understanding wrong?

  7. Kent Agerlund says:

    that’s correct

  8. Russell says:

    Hi Kent,
    Is there a way to prioritize the cloud DP for remote clients? Downloading when connected via DirectAccess or VPN is taking too long (hours in some cases). I’d like those remote clients to use the cloud DP first.

    The same goes for updates. I’d like remote clients to get them from Microsoft when not on-site. I don’t see a way to configure connections as slow or fast in SCCM 2012

    Thanks,
    Russell
