
Applies to: Configuration Manager (current branch)

Use this article to understand how data flows between components of the cloud management gateway (CMG). It requires specific network ports and internet endpoints to function.

You don't need to open any inbound ports to your on-premises network. The service connection point and CMG connection point site system roles start all communication with Azure and the CMG. These two roles need to create outbound connections to the Microsoft cloud. The service connection point deploys and monitors the service in Azure, so it needs to be online. The CMG connection point connects to the CMG to manage communication between the CMG and on-premises site system roles.

The following diagram is a basic, conceptual data flow for the CMG:

1. The service connection point connects to Azure over HTTPS port 443. It authenticates using Azure Active Directory (Azure AD). The service connection point deploys the CMG in Azure. The CMG creates the HTTPS service using the server authentication certificate.
2. The CMG connection point connects to the CMG in Azure. It holds the connection open, and builds the channel for future two-way communication. When you deploy the CMG as a virtual machine scale set, this flow is over HTTPS. If you deploy the CMG as a classic cloud service, it first tries TCP-TLS. If that connection fails, it switches to HTTPS. For more information, see Note 2: CMG connection point HTTPS ports for one VM.
3. The client connects to the CMG over HTTPS port 443. It authenticates using Azure AD, the client authentication certificate, or a site-issued token.
4. The CMG forwards the client communication over the existing connection to the on-premises CMG connection point. You don't need to open any inbound firewall ports.
5. The CMG connection point forwards the client communication to the on-premises management point and software update point.

For more information when you integrate with Azure AD, see Configure Azure services: Cloud management data flow.

If you enable the CMG to serve content, the client connects directly to Azure blob storage over HTTPS port 443. For more information, see Content data flow.

## Content data flow

When a client uses a CMG as a content location:

1. The management point gives the client an access token along with the list of content sources. This token is valid for 24 hours, and gives the client access to the cloud-based content source.
2. The management point responds to the client's location request with the service name of the CMG. This property is the same as the common name of the server authentication certificate. If you're using your domain name, then the client first tries to resolve this FQDN. Clients use the CNAME alias in your domain's internet-facing DNS to resolve the Azure deployment name. The client next resolves the deployment name to a valid IP address. Azure load balances the connection to one of the VM instances.
3. The client authenticates itself using the access token.
4. The CMG authenticates the client's access token, and then gives the client the exact content location in Azure storage.
5. If the client trusts the CMG's server authentication certificate, it connects to Azure storage to download the content.

## Ports

This table lists the required network ports and protocols. The Client is the device that starts the connection, requiring an outbound port. The Server is the device that accepts the connection, requiring an inbound port.

| Client | Server | Protocol | Port | Description |
|---|---|---|---|---|
| Service connection point | CMG (Azure) | HTTPS | 443 | Deploy and monitor the CMG |
| CMG connection point | CMG (classic cloud service) | TCP-TLS | 10140 for the first VM instance (see Note 1) | Preferred protocol to build CMG channel (Note 1) |
| CMG connection point | CMG (classic cloud service) | HTTPS | See Note 2 | Fall back protocol to build CMG channel to only one VM instance (Note 2) |
| CMG connection point | CMG (classic cloud service) | HTTPS | See Note 3 | Fall back protocol to build CMG channel to two or more VM instances (Note 3) |
| CMG connection point | CMG (virtual machine scale set) | HTTPS | See Note 2 | Protocol to build CMG channel to only one VM instance (Note 2) |
| CMG connection point | CMG (virtual machine scale set) | HTTPS | See Note 3 | Protocol to build CMG channel to two or more VM instances (Note 3) |
| CMG connection point | Management point | As configured on the management point | As configured on the management point | On-premises traffic, port depends upon management point configuration |
| CMG connection point | Software update point | As configured on the software update point | As configured on the software update point | On-premises traffic, port depends upon software update point configuration |
| Client | CMG | HTTPS | 443 | Client traffic to the CMG |
| Client | Azure blob storage | HTTPS | 443 | Download cloud-based content when the CMG serves content |

## Notes on ports

### Note 1: CMG connection point TCP-TLS ports

These ports only apply when you deploy the CMG as a cloud service (classic), which was the only method available in version 2006 and earlier. The CMG connection point first tries to establish a long-lived TCP-TLS connection with each CMG VM instance. It connects to the first VM instance on port 10140.
