SCCM Cloud Management Gateway vs Traditional Distribution Point (DP)

  • Question

  • Hello,

     We're using SCCM 1706. We have virtual machines in Azure (IaaS) in classic and ARM subscriptions. We're looking at creating DPs in Azure in our 2 main VNETs so that we're covering 2 different geographic regions. We have around 60 IaaS VMs we want to use the DPs to apply security updates to, rather than rely on all Azure VMs pulling their updates over our on-premises-to-Azure VPN. I'm looking for a bit of advice:

    1. Given we're on 1706, are Cloud Management Gateways (CMGs) a reliable way of providing security update patches to Azure VMs? Would we be better off building traditional DPs in Azure as IaaS VMs?
    2. Can the CMGs accommodate classic VMs (as opposed to just ARM)? If not, presumably we'd need to build IaaS VMs in Azure as DPs anyway.

    Thanks


    IT Support/Everything

    Monday, September 9, 2019 10:51 AM

Answers

  • As long as the VPN connection can support the traffic, then yes, that's probably the best way. Azure is just another datacenter, so any and all decisions that you make around having systems that you want to manage located in it are exactly the same and thus based on connectivity, nothing more and nothing special about it.

    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by Aetius2012 Tuesday, September 10, 2019 8:18 AM
    Monday, September 9, 2019 4:24 PM

All replies

  • First of all important side note:

    CB 1706 is completely out of support.

    Please update to CB 1906 ASAP; this is also important for any planning regarding CMG.

    Monday, September 9, 2019 12:04 PM
  • First, Big +1 to Michael's comments. 1706 has been out of support for more than a year now.

    1. The CMG does not provide update binaries to managed clients, only the WSUS metadata and deployments. Binaries for Internet-connected clients always come from Windows Update. Thus, adding a DP would be meaningless regardless of the location of the clients.

    2. CMG and ConfigMgr don't care about or know anything about how the VM was built; ConfigMgr manages Windows regardless of all other factors. As long as connectivity exists, ConfigMgr can manage any Windows system. The restriction in CMG is that the CMG itself must be ARM instead of classic.

    The main lingering question here, though, is: don't you have ExpressRoute or a VPN to connect your on-prem environment to Azure? If so, why wouldn't you use that instead of a CMG to manage Azure IaaS-based Windows hosts? And if not, why not?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, September 9, 2019 1:51 PM
  • Hi Jason,

     We have a VPN to connect on-premise to Azure. I'm just looking at the best way to provide updates to clients. From what's being said, I'm inclined to go with building traditional VMs in Azure, configured as Distribution Points, rather than pull updates over the WAN.

    IT Support/Everything

    Monday, September 9, 2019 4:10 PM