Cloud Support
Nomad supports the following Configuration Manager (CM) on Azure scenarios:
- Infrastructure as a Service (IaaS) - your host CM infrastructure servers are in Azure virtual machines.
- Cloud based Distribution Points - CM distribution points are hosted in Microsoft Azure as a cloud service.
- Cloud Management Gateway (CMG) - CM management points are hosted in the cloud, including support for CMG VM scale sets.
Infrastructure as a Service (IaaS)
Nomad 6.3 and later supports integration with Configuration Manager (CM) and Active Directory (AD) infrastructure servers running in Azure virtual machines (Infrastructure as a Service). In this scenario CM and AD run in Azure and manage clients on the organization's on-premises local network, which is connected to Azure using Microsoft Azure Site-to-Site Connectivity. 1E Platform may be hosted either on a virtual machine in the Azure cloud or on the on-premises network, with Nomad installed on all client devices as usual.
Cloud based Distribution Points
Configuration Manager (CM) now supports Distribution Points (DP) that are hosted in Microsoft Azure. The DP site system role hosted on Windows Azure is referred to as a site system cloud service. The site system cloud service contrasts with a site system server, which refers to an on-premises computer that is managed in the local network environment. Nomad also supports Cloud Management Gateway (CMG) for management point roles to manage CM clients on the Internet.
When a CM Client (ContentTransferManager) requests Nomad to download the content from a cloud based Distribution Point, Nomad performs the following tasks:
- Downloads the encrypted content.
- Decrypts the content before copying it to its own cache.
- When the download is complete, Nomad encrypts the content and copies it to the CM cache.
- Nomad peers looking for the original content in the subnet perform an election for the decrypted content and then copy it from an elected master.
- When the peer copy is complete, the peer Nomad encrypts the content and copies it to the CM cache.
Unlike other content, for content downloaded from a cloud based Distribution Point, Nomad does not create hard links between the Nomad cache content and the CM cache, but the Nomad cache cleaner is able to delete the content from both the Nomad cache and the CM cache.
Support is not yet available in Nomad for delta downloads, such as Office 365 or Windows 10 software updates. Microsoft does not recommend distributing software update content on Cloud Distribution Points; for more information, refer to docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway#content-storage.
Cloud based DP content and LSZ/LST file generation
Nomad content distribution relies on having access to an LSZ file that provides metadata about the content to be downloaded. With on-premises Distribution Points, the LSZ file is normally generated by a local Nomad service. That option is not available for cloud based DPs, because they run as a service in Azure and a Nomad service cannot be installed on them. Instead, the LSZ file is generated locally on the client by mimicking the process used by the CM agent, which queries the content's metadata from the DP directly.
- Cloud based Distribution Points are not currently supported for Office 365 updates.
- RDC is not supported on cloud based Distribution Points.
- If content is marked to be delivered as 1 (Compressed) or 2 (Encrypted) under Nomad SECure and needs to be downloaded to the client from a cloud based Distribution Point, these settings are ignored and the content is downloaded in its original format. For the same reason, Ahead Of Time (AOT) LSZ generation is also not supported for cloud based Distribution Points.
Cloud Management Gateway (CMG)
From Configuration Manager (CM) version 1610 and above, the cloud management gateway provides a simple way to manage CM clients on the Internet. The Cloud Management Gateway (CMG) service is deployed to Microsoft Azure and requires an Azure subscription. It connects to your on-premises CM infrastructure using a new role called the Cloud Management Gateway connector point. Once deployed and configured, clients will be able to access on-premises CM site system roles regardless of whether they're on the internal private network or on the Internet. Currently, CMG only supports management point and software update point roles, and Nomad has only been tested with management points.
When a client is on the Internet, the CM client requests Nomad to download the content from a cloud based Distribution Point. Nomad gets the management point list (including cloud management gateway enabled Internet management points) from WMI and uses it to determine the appropriate Distribution Points. The rest of the download works as usual.
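To check, on a client, what Nomad will find when it reads the management point list from WMI, the following PowerShell is an added example (not code from the Nomad documentation or from 1E). It assumes the Configuration Manager client is installed, that the client's management point candidates are exposed by the class SMS_ActiveMPCandidate in the root\ccm\LocationServices namespace with MP and Type properties, and that the client's Internet status is exposed by the InInternet property of the ClientInfo class in root\ccm; verify those names against your own client build before relying on them.

```powershell
# Added example, not part of the 1E Nomad documentation.
# Lists the management points the CM client knows about and flags which ones
# are Internet-facing (CMG-published). Class and property names are assumptions
# based on general CM client knowledge; confirm them on your client build.

function Get-CmClientInternetState {
    # ClientInfo.InInternet reports whether the client currently considers
    # itself on the Internet (assumed class/property name).
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' -ErrorAction Stop
    [bool]$info.InInternet
}

function Get-CmMpCandidate {
    # SMS_ActiveMPCandidate holds the MPs the client may use. The Type value
    # is assumed to contain "Internet" for CMG-enabled Internet MPs.
    $candidates = Get-CimInstance -Namespace 'root\ccm\LocationServices' `
        -ClassName 'SMS_ActiveMPCandidate' -ErrorAction Stop
    foreach ($c in $candidates) {
        [pscustomobject]@{
            MP         = $c.MP
            Type       = $c.Type
            IsInternet = ($c.Type -match 'Internet')
        }
    }
}

# Usage: run on a CM client that has Nomad installed.
$onInternet = Get-CmClientInternetState
$mps = Get-CmMpCandidate

Write-Host ("Client reports InInternet = {0}" -f $onInternet)
$mps | Format-Table -AutoSize

# A client on the Internet with no Internet-type MP candidate has nothing for
# Nomad to resolve cloud based Distribution Points against, so flag it.
if ($onInternet -and -not ($mps | Where-Object IsInternet)) {
    Write-Warning 'Client is on the Internet but no CMG-enabled management point candidate was found.'
}
```

The warning condition is the case worth watching when troubleshooting: if the client believes it is on the Internet but WMI lists only intranet management points, Nomad cannot map the request to a cloud based Distribution Point and the download falls back to whatever the CM client can reach directly.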