Best Guide to Set up SCCM CMG Cloud Management Gateway

This article details the steps to set up SCCM Cloud Management Gateway role. SCCM CMG provides a simple way to manage Configuration Manager clients on the internet.

You can use this cloud management gateway implementation guide to install and configure CMG. Setting up the CMG (cloud management gateway) is straightforward in SCCM.

You deploy CMG as a cloud service in Microsoft Azure. The best thing about the SCCM CMG setup is that you don’t need to expose your on-premises infrastructure to the internet. Your management points are not exposed to the internet when you use CMG.

You can install multiple instances of the cloud management gateway (CMG) at primary sites, or the central administration site (CAS).

In this guide, we will cover what SCCM CMG is, how to set up and configure CMG, and which CMG log files to use for troubleshooting.

What is SCCM Cloud Management Gateway?

The cloud management gateway also known as SCCM CMG provides a simple way to manage Configuration Manager clients on the internet. When you deploy the SCCM CMG as a cloud service in Microsoft Azure, you can manage internet clients without additional infrastructure.

The biggest advantage of the SCCM cloud management gateway is that you don’t need to expose your on-premises infrastructure to the internet. If you are planning to use CMG, I would suggest you read this article by Microsoft.

The CMG uses Azure Cloud Services as PaaS; this service uses virtual machines (VMs) that incur compute costs. By default, the SCCM CMG uses a Standard A2 V2 VM.

When you set up SCCM cloud management gateway, you select how many VM instances support the CMG. One CMG supports up to 16 virtual machine (VM) instances in the Azure cloud service.

SCCM CMG High-Level Steps

Setup SCCM CMG Server Authentication Certificate

Setup SCCM CMG trusted root certificate to clients

Setup Client trusted root certificate to SCCM CMG

Configure HTTPS certs for Management Points

Configure Azure management certificate

Specify Unique SCCM CMG DNS Name

Configure Azure Services for Cloud Management

Verify Configuration Manager Azure Service

Create and Issue Web Server SCCM CMG Certificate Template

Import Web Server CMG certificate on the Primary Site Server

Export CMG Web Server Certificate

Setup SCCM Cloud Management Gateway (SCCM CMG)

Install Cloud Management Gateway Connection Point

Allow SCCM Cloud Management Gateway Traffic and cloud distribution points

Associate SCCM CMG with Boundary groups

Configure Clients for CMG

SCCM CMG Ports and Data Flow

When you plan to set up SCCM CMG, you don’t need to open any inbound ports to your on-premises network. The service connection point and CMG connection point are the ones that initiate all communication with Azure and the CMG.

The service connection point deploys and monitors the service in Azure, and therefore it must be in online mode. The SCCM CMG connection point connects to the CMG to manage communication between the SCCM CMG and on-premises site system roles.

The below screenshot shows the SCCM cloud management gateway diagram. For complete information about SCCM cloud management gateway ports, read the following article.

Copyright Microsoft – Conceptual data flow for the CMG

SCCM CMG Prerequisites

Listed below are important requirements or prerequisites for SCCM CMG:

First of all, you need an Azure subscription to host the cloud management gateway. It can be either in the Global Azure cloud or the Azure US Government cloud.

Customers with a Cloud Service Provider (CSP) subscription need to use SCCM version 2010 or later with a virtual machine scale set deployment.

Your user account needs to be a Full administrator or Infrastructure administrator in Configuration Manager.

If you are deploying SCCM CMG, you need a Subscription Admin. To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin.

The SCCM service connection point should be in online mode before setting up cloud management gateway.

You need a server authentication certificate for the CMG.

Clients must use IPv4.

Configure the management point to allow traffic from the CMG. It also needs to require HTTPS, or configure the site for Enhanced HTTP.

Integration with Azure AD for deploying the service with Azure Resource Manager.

When you integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Administrator.

When you create the CMG, you need an account that is an Azure Subscription Owner and an Azure AD Global Administrator.

You need at least one on-premises Windows Server to host the CMG connection point.

The following client settings in the Cloud services group are enabled for devices that will use the CMG: Enable clients to use a cloud management gateway, and Allow access to cloud distribution point.

Starting in ConfigMgr version 2203, the option to deploy a CMG as a cloud service (classic) is removed. All CMG deployments should use a virtual machine scale set.

Supported Configurations for Cloud Management Gateway

When you plan for a CMG, it is important to understand which configurations are supported by the Cloud Management Gateway.

For Windows versions, almost all Windows versions supported by Configuration Manager are supported for CMG.

CMG only supports the management point and software update point roles. You can also deploy task sequences over the internet using CMG.

The CMG doesn’t support clients that only communicate with IPv6 addresses. The IPv4 clients are fully supported by CMG.

Software update points using a network load balancer don’t work with CMG.

Starting in version 2203, the option to deploy a CMG as a cloud service (classic) is removed. All CMG deployments should use a virtual machine scale set.

Cost of Cloud Management Gateway

When you plan for a CMG in SCCM, you must know that it is not free and there are costs associated with it. The CMG comes with a cost because it uses several components in Azure.

The charges are billed to your Azure subscription. Some costs are fixed, but some vary depending upon usage.

The two main CMG costs are the cost of the virtual machine that hosts the CMG service and the amount of data that you transfer to the CMG.

The following components are involved when you calculate the cost for CMG:

Virtual machine scale set

Outbound data transfer

Content storage

For more information on CMG Cost, refer to cost of cloud management gateway article.

Configuration Manager CMG Components

When you plan for a CMG, the deployment and operation of the CMG includes the following components:

The CMG cloud service in Azure authenticates and forwards Configuration Manager client requests over the internet to the on-premises CMG connection point.

The CMG connection point site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.

The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure Active Directory (Azure AD). Make sure your service connection point is in online mode.

The management point and software update point site system roles service client requests as normal.

The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.

Internet-based clients connect to the CMG to access on-premises Configuration Manager components. There are multiple options for client identity and authentication: Azure AD, PKI certificates, and Configuration Manager site-issued tokens.

The CMG creates an Azure storage account, which it uses for its standard operations. By default, the CMG is also content-enabled to provide deployment content to internet-based clients. This storage account doesn’t support customizations, such as virtual network restrictions.

SCCM CMG Certificates Requirements

Before you set up ConfigMgr CMG, one thing that you must really work on is the CMG certificates. I have not included this info under SCCM CMG prerequisites section because this topic is quite complex. However, I will try my best to make it easy for you.

CMG server authentication certificate

CMG trusted root certificate to clients

Server authentication certificate issued by public provider / Enterprise PKI

Client Authentication Certificate

Client trusted root certificate to SCCM CMG

HTTPS certs for Management Points

Azure Management Certificate

SCCM CMG Server Authentication Certificate

The server authentication certificate is required while creating the cloud management gateway in the Configuration Manager console. The SCCM CMG setup basically creates an HTTPS service to which your internet clients connect.

For a valid Configuration Manager CMG server authentication cert, you can either acquire a certificate from a public provider or issue it from your public key infrastructure (PKI). In this post, I will be issuing the cert from my PKI.

If you are using SCCM version 1802 or above, you can use wildcard certificates as the CMG server cert. Before you create this certificate, make sure the Azure domain name that you use for CMG is unique.

SCCM CMG trusted root certificate to clients

This certificate is for clients that must trust the CMG server authentication certificate. There are two methods to accomplish this:

Use a certificate from a public and globally trusted certificate provider.

Use a certificate issued by an enterprise CA from your public key infrastructure (PKI).

Client trusted root certificate to SCCM CMG

You supply this root certificate when you set up cloud management gateway in the Configuration Manager console. The CMG must trust the client authentication certificates. If you’re using PKI client authentication certificates, then you must add a trusted root certificate to the CMG.

HTTPS certs for Management Points

Configuring HTTPS on management points requires PKI, and this topic is huge. Don’t worry, I have covered step-by-step deployment of the PKI certificates for SCCM here.

Azure management certificate

The Azure management certificate is required for classic service deployments. With SCCM 1810 and above the classic service deployments in Azure are deprecated. So start using Azure Resource Manager deployments for the cloud management gateway.

Specify Unique SCCM CMG DNS Name

The DNS name that you use for setting up CMG in Azure must be unique. You can check the availability of CMG DNS name in Azure portal. When you enter the DNS name, you should see either a green tick or red X. Green tick means YES the domain name is available and red X means the DNS name is not available.

Log in to the Azure portal and select Cloud Services (classic). Click the +Add button.

Enter the DNS name, which should be unique as I mentioned earlier. In my case, I see a green tick, so I will be using as CMG DNS name.

At this point, there are two options that you have. You can skip creating this service because it will be created automatically when we set up SCCM CMG. You may also create the service and use it while setting up SCCM CMG.

Configure Azure Services for Cloud Management

We will now configure Azure cloud services for CMG that you can use with SCCM using the Azure Services Wizard. We will create a web app and a native client app that provide subscription and configuration details, and authenticate communications with Azure AD.

Go to Administration > Overview > Cloud Services > Azure Services. Right click Azure Services and click Configure Azure Services.

Select the Azure Service as Cloud Management and specify a name and description. Click Next.

Select the Azure environment which is AzurePublicCloud. First we will create a web app, click Browse.

Create Web App for server

In the Server App box, click Create.

In the Create Server Application box, enter the application name. It can be anything. Specify the key validation period and then click the Sign-in button.

You should now see a box in which you must sign in. Once you enter the correct credentials, your Azure AD tenant name will be shown along with a Signed in successfully message. Click OK.

Select the server app that you just created and click OK.

We will now create a native client app, so click Browse.

Create Native App for Client

Enter the application name, and you must sign in again. Once signed in, click OK.

Now we have Server and Client app created. Click Next.

SCCM Azure Service

You can leave the option “Enable Azure Active Directory User Discovery” selected. Click Next.

Click Next on the Summary page.

Finally, on the Completion window, click Close.

Close Azure Services Wizard

Verify Configuration Manager Azure Service

To verify the Azure Service that you created for Configuration Manager, click Azure Services. On the right pane you should see the Azure service and Associated Azure Service which is Cloud Management.

Configuration Manager Azure Service

If you click Azure Active Directory Tenants, you should see Tenant name and tenant ID. In addition to that, you will see the Application Name, Tenant ID, Client ID in the bottom pane.

SCCM Client App and SCCM Server App

Create and Issue Web Server SCCM CMG Certificate Template

In this section, we will create a new custom certificate template by duplicating the web server certificate template. At this point, if you have templates created during implementing PKI, you can simply duplicate the SCCM IIS Certificate template and use it.

If not, you can duplicate the web server template and configure it. This certificate will be used for the installation of the SCCM cloud management gateway.

Log in to the Certification Authority server and open the Certification Authority console. Right-click Certificate Templates and select Manage.

SCCM CMG Certificate Template

Right click Web Server and click Duplicate Template.

Click the Compatibility tab and ensure the settings are the same as in the screenshot below.

Click the General tab and specify a name for this template. I will name it SCCM CMG Certificate.

Click Request Handling and ensure Allow private key to be exported is checked.

Now click the Security tab and add the group that contains your SCCM Primary Site server computer account. Select the group and enable the Enroll permission.

For Enterprise Admins, you can uncheck the Enroll permission. Click Apply and OK. Close the console.

Now right click Certificate Templates and click New > Certificate Template to Issue.

Select the SCCM CMG Certificate and click OK.

Import Web Server CMG certificate on the Primary Site Server

After you have created the SCCM CMG certificate, we will now import this certificate on our SCCM server.

Log in to the SCCM server. Open the Certificates console (run the command – this saves your time). Expand Personal > Certificates. Right click Certificates > All Tasks > Request New Certificate.

Import Web Server CMG certificate

From the list of certs, select SCCM CMG Certificate and click the link below it.

In the Certificate Properties dialog box, under Subject name, select Type as Full DN. Under Alternative name, select Type as DNS and enter the service name.

Enter a public DNS name that you want to use with SCCM CMG. I will enter here which allows me to use any subdomain for CMG.

Click the General tab and specify a friendly name for this certificate, then click Apply and OK.

Click Enroll.

The certificate is enrolled successfully. Click Finish.

Export CMG Web Server Certificate

In the above step, on the site server, you requested the CMG certificate and enrolled it. Now we will export this certificate in a .PFX format. This certificate will be required while creating cloud management gateway.

Select the CMG certificate, right click and click All Tasks > Export.

Export CMG Web Server Certificate

On the Welcome to the Certificate Export Wizard page, click Next.

Select Yes, export the private key. Click Next.

Make no changes here and click Next.

Enter a password for the CMG certificate and click Next.

Save the CMG certificate on your computer. Click Next.

Click Finish. This completes the CMG certificate export process.
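As an added example (not from the original guide), the following PowerShell does the request-and-export steps above from the command line: it locates the enrolled certificate in the local machine store by friendly name, checks the requirements the certificate sections describe (private key present, Server Authentication EKU, a SAN that covers the CMG DNS name, current validity) and then exports it to a password-protected PFX. The friendly name, CMG DNS name and output path are assumed placeholders; replace them with your own values.

```powershell
# Added example, not part of the original guide. Run in an elevated PowerShell on the site server
# where the CMG certificate was enrolled (the PKI module provides Export-PfxCertificate).
param(
    [string]$FriendlyName = 'SCCM CMG Certificate',        # assumed: friendly name given during enrollment
    [string]$CmgDnsName   = 'contoso-cmg.cloudapp.net',    # assumed placeholder: your unique CMG DNS name
    [string]$PfxPath      = 'C:\Temp\cmg-server-auth.pfx'  # assumed output path
)

$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required for the CMG HTTPS service

# Find the newest certificate with that friendly name in LocalMachine\My
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' found in LocalMachine\My." }

# 1. The private key must be present; the wizard needs it in the PFX
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; re-enroll from the CMG template.' }

# 2. Server Authentication EKU must be present
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekuOids -notcontains $serverAuthEku) { throw 'Certificate lacks the Server Authentication EKU.' }

# 3. The SAN must cover the CMG DNS name, either exactly or via a single-label wildcard.
#    Format($false) renders "DNS Name=a, DNS Name=b" on English Windows; adjust the label on localized systems.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension.' }
$sanNames = ($sanExt.Format($false) -split ',\s*') |
    Where-Object { $_ -like 'DNS Name=*' } |
    ForEach-Object { ($_ -split '=', 2)[1].Trim().ToLowerInvariant() }
$target  = $CmgDnsName.ToLowerInvariant()
$covered = $sanNames | Where-Object {
    $_ -eq $target -or
    ($_.StartsWith('*.') -and $target.EndsWith($_.Substring(1)) -and
     ($target.Substring(0, $target.Length - $_.Length + 1) -notmatch '\.'))
}
if (-not $covered) { throw "SAN entries [$($sanNames -join ', ')] do not cover $CmgDnsName." }

# 4. Must be within its validity period right now
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Export with the private key. The Create CMG wizard will prompt for this same password.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path -Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

Write-Host "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $PfxPath"
```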

Setup SCCM Cloud Management Gateway (SCCM CMG)

Follow the below steps to set up cloud management gateway in SCCM:

Launch the SCCM console.

Navigate to Administration > Cloud Services > Cloud Management Gateway. Right click Cloud Management Gateway and click Create Cloud Management Gateway.

You should now see the Create Cloud Management Gateway Wizard. Click Sign-in and log in with your subscription admin account.

On successful sign-in you should see the Subscription ID, Azure AD app name and tenant name automatically populated. Click Next.

On the Settings page, click Browse and select the CMG certificate. The Service name and deployment name are populated automatically.

You can use an existing resource group or create a new resource group. I will go with just 1 VM instance.

You see two options and a certificates button.

Verify Client Certificate Revocation.

Allow CMG to function as a cloud distribution point and serve content from Azure storage – With SCCM 1806, you get this new option. Now a CMG can also serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs.

I will leave both the above options checked. Next click Certificates.

You need to specify a certificate that tells the CMG which certs it needs to trust. In my case, I have a PKI setup, so I will add the root certificate. If you need help with exporting the root certificate, refer to how to export the Root CA certificate for ConfigMgr.

Click Next.

On the Alerts page, click Next.

On the Completion page, click Close.

Cloud Management Gateway Status

After you set up the cloud management gateway, monitor the status in the SCCM console. Right now, the status is Provisioning.

After a few minutes the status changes to Provisioning Completed. Later I will cover which log file you need to monitor for this.

Install Cloud Management Gateway Connection Point

To install cloud management gateway connection point role in SCCM:

In the SCCM console, go to Administration > Site Configuration > Servers and Site System Roles. Right-click the site server and select Add Site System Roles.

On the General page of the Add Site System Roles wizard, click Next.

Check the box for Cloud management gateway connection point. Click Next.

Select your cloud management gateway and click Next.

On the Completion page, click Close.

Allow Cloud Management Gateway Traffic

You must configure the management point and software update point site systems to accept cloud management gateway traffic. Do this procedure on the primary site, for all management points and software update points that service internet-based clients.

Go to Administration > Site Configuration > Servers and Site System Roles. Select the site server and, in the bottom pane, right click Management point and click Properties.

Under Management Point Properties, check the box Allow Configuration Manager cloud management gateway traffic. Click OK.

Allow SCCM Cloud Management Gateway Traffic

Under Software update point properties, check the box Allow Configuration Manager cloud management gateway traffic. Click OK.


Allow access to Cloud Distribution Points

Under the client settings, click Cloud Services. Under Device/User Settings, set Allow access to cloud distribution point to Yes.


SCCM CMG Boundary Group

If you are using Configuration Manager 1902, you can associate an SCCM Cloud Management Gateway with a boundary group. You can do this after you set up the SCCM cloud management gateway. When you create or configure a boundary group, on the References tab, add a cloud management gateway.

Associate SCCM CMG with Boundary groups

Configure Clients for CMG

After you set up SCCM cloud management gateway and all the site system roles are running, clients get the location of the CMG service automatically on the next location request.

Most importantly, clients must be on the intranet to receive the location of the SCCM CMG service. By default, the polling cycle for location requests is every 24 hours. However, to speed up the request, you can restart the SMS Agent Host service on the computer.

Sometimes when you switch the client to internet, the client still talks to your internal management point. In such cases, you can force the client to always use the CMG with a registry key change. This configuration is useful for testing purposes, or for clients that you want to force to always use the CMG.

You can set the following registry key on the client. By setting ClientAlwaysOnInternet = 1, the clients will use SCCM CMG service.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1
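An added example (not from the original guide) that applies the registry change above from the command line and, just as important for a test client, undoes it: it sets or removes the ClientAlwaysOnInternet value, reads it back, and restarts the SMS Agent Host so the client issues a new location request immediately instead of waiting for the 24-hour cycle. The -Mode parameter and the readback of the client’s InInternet flag are my own additions.

```powershell
# Added example, not part of the original guide. Run elevated on the Configuration Manager client.
param(
    [ValidateSet('Enable', 'Disable')]
    [string]$Mode = 'Enable'   # Disable removes the value so the client returns to normal intranet/internet detection
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
$valueName = 'ClientAlwaysOnInternet'

if (-not (Test-Path -Path $keyPath)) {
    throw "$keyPath not found; is the Configuration Manager client installed on this machine?"
}

if ($Mode -eq 'Enable') {
    # DWORD 1 = always treat this client as an internet client, so it talks to the CMG
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord
} else {
    # Removing the value (rather than setting 0) restores the default behaviour cleanly
    Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
}

# Read the value back so the change is confirmed before the service is touched
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Host "$valueName is now: $(if ($null -eq $current) { '<not set>' } else { $current })"

# Restart the SMS Agent Host (service name CcmExec) to trigger a new location request
Restart-Service -Name CcmExec -Force
(Get-Service -Name CcmExec).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host 'SMS Agent Host restarted.'

# The client's own view of its location; it updates once the new location request completes,
# so re-run this line after a minute if it still shows the old state.
$info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' -ErrorAction SilentlyContinue
if ($info) { Write-Host "Client reports InInternet = $($info.InInternet)" }
```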

To troubleshoot CMG client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log. I will cover more about CMG troubleshooting and related topics in another post.

Enable Remote Desktop on SCCM CMG

Once you set up SCCM CMG, you can enable remote desktop and access the virtual machine located in Azure. Once you enable remote desktop on CMG, you can review the IIS log files from the CMG Virtual Machine. Here is a step-by-step guide on how to enable remote desktop in SCCM cloud management gateway.

SCCM CMG Logs for Troubleshooting

When you set up the SCCM cloud management gateway, you must know the CMG log files that can help you to troubleshoot issues.

The below table lists all the CMG log files useful for troubleshooting issues related to cloud management gateway.

CMG log file name, description and log file location:

SMS_Cloud_ProxyConnector.log – Records details about setting up connections between the cloud management gateway service and the cloud management gateway connection point. Location: site system server – C:\Program Files\Microsoft Configuration Manager\Logs

CloudMgr.log – Logs details related to the cloud management gateway service, ongoing service status, and all the data associated with the service. Location: site server – C:\Program Files\Microsoft Configuration Manager\Logs

CMGContentService.log – Records the details of the service when you enable a CMG to also serve content from Azure storage. Location: %approot%\logs on your Azure server

CMGService.log – Records details about the cloud management gateway (CMG) service core component in Azure. Location: %approot%\logs on your Azure server

CMGHttpHandler.log – You see this log file only if you are using version 1802. In SCCM 1806 this log was removed and the component functionality was merged into the CMG service component, so see CMGService.log instead. Location: %approot%\logs on your Azure server

CMGSetup.log – Records details about the second phase of the cloud management gateway deployment (local deployment in Azure). Location: %approot%\logs on your Azure server
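The site-server logs in the table above (SMS_Cloud_ProxyConnector.log, CloudMgr.log) are written in CMTrace format. As an added example that is not part of the original guide, the PowerShell below parses that format and pulls out the warning and error entries, which is usually the fastest way to triage a CMG provisioning or connection problem. The sample entries embedded in the script are constructed for this example, not copied from a real deployment.

```powershell
# Added example, not part of the original guide.
function ConvertFrom-CMTraceLog {
    # Parse raw CMTrace text into objects. Takes the whole file content so that
    # multi-line messages (which CMTrace allows) are matched as one entry.
    param([Parameter(Mandatory)][string]$Text)

    # Entry shape: <![LOG[message]LOG]!><time="HH:mm:ss.fff+bias" date="MM-dd-yyyy" component="..." context="" type="N" thread="N" file="...">
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }   # CMTrace type codes

    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        # The time field ends with a UTC bias in minutes (e.g. "+300" or "-60"); strip it before parsing
        $timeText = $m.Groups['time'].Value -replace '[+-]\d+$', ''
        [pscustomobject]@{
            Timestamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $timeText",
                                               'MM-dd-yyyy HH:mm:ss.fff',
                                               [cultureinfo]::InvariantCulture)
            Severity  = $severity[$m.Groups['type'].Value]
            Component = $m.Groups['comp'].Value
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries in the shape of SMS_Cloud_ProxyConnector.log (not real log output)
$sampleLog = @'
<![LOG[Starting to build connections to the CMG service.]LOG]!><time="10:15:01.123+300" date="05-12-2022" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="1" thread="4120" file="proxyconnector.cpp:210">
<![LOG[Connection attempt to <cmg-endpoint-placeholder> failed, will retry.
Remote endpoint closed the connection during TLS handshake.]LOG]!><time="10:15:03.456+300" date="05-12-2022" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="3" thread="4120" file="proxyconnector.cpp:318">
<![LOG[Client certificate chain could not be validated; check the trusted root uploaded to the CMG.]LOG]!><time="10:15:03.789+300" date="05-12-2022" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="2" thread="4120" file="proxyconnector.cpp:340">
'@

$entries = ConvertFrom-CMTraceLog -Text $sampleLog
$entries |
    Where-Object { $_.Severity -ne 'Info' } |
    Sort-Object Timestamp |
    Format-Table Timestamp, Severity, Component, Message -AutoSize -Wrap

# Against a real log on the site server (path from the table above):
# ConvertFrom-CMTraceLog -Text (Get-Content -Raw 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_Cloud_ProxyConnector.log') |
#     Where-Object Severity -eq 'Error'
```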

SCCM CMG (Cloud Management Gateway) FAQs

Some common questions related to SCCM cloud management gateway setup.

Setup SCCM Cloud Management Gateway (SCCM CMG)

April 2022: Download and own the latest version of this SCCM Cloud Management Gateway Installation Guide in a single PDF file. The guide was recently updated to cover the latest method of building a Cloud Management Gateway with the VM Scale Set. The information below covers the CMG with Cloud Service (classic), which will be retired in Q1 2023. The PDF file is a 50-page document that contains all the information needed to install a cloud management gateway with SCCM. Use our products page or the button below to download it. We can also set up a Cloud Management Gateway for your organization through our consulting services. See our Fixed Price Plan page for our prices.

The ConfigMgr team is working really hard to make SCCM admins’ jobs easier for some of the key components of Modern Management. Starting with the SCCM 1806 release, they eased the setup of the SCCM Cloud Management Gateway (CMG) a bit.

If you are new to the concept of SCCM Cloud Management Gateway, the main advantage is that it doesn’t expose your SCCM servers to the internet. The downside is that it requires an Azure subscription which brings recurring monthly costs. If you’re still unsure which method to use, you can read the Microsoft documentation and see our blog post about internet client management. Make sure that you understand the limitation of using internet clients.

We strongly encourage you to use the SCCM Cloud Management Gateway if you’ll be managing clients on the internet, since this feature will evolve with time and support for the traditional method should go away.

January 2021: This post has been updated to reflect recent additions with the SCCM 2010 release. The main new feature is token-based authentication for clients.

Also added more tips and tricks to ease implementation.

If you are not yet running SCCM 1806 , but still would like to use Cloud Management Gateway, see our previous post

Here are the available features supported through the Cloud Management Gateway:

In this post, we will configure an SCCM Cloud Management Gateway by using the Azure Resource Manager.

Some sections from our previous post are brought back here to ease reading.

SCCM CMG High-level steps

All steps are done directly in the SCCM console and from the Azure Portal. We will describe each step:

SCCM Cloud Management Gateway Prerequisites

SCCM Current Branch 1806 or higher

Have a valid Azure Subscription

Azure administrator rights – We used a Global Administrator role, but the official documentation is not clear as to which level of administrator is needed. It is not required that the Azure admin account has access in SCCM.

On-prem server to host the Cloud Management Gateway connection point

The SCCM service connection point must be set to Online

Note: Configuring the Cloud Management Gateway with SCCM 1806 removes the requirement for an Azure Management certificate.

Verify a unique Azure cloud service URL

We don’t need to create the cloud service in Azure, the Cloud Management Gateway setup will create the service. We just need to verify that the Azure cloud service URL is valid and unique.

Log in to the Azure portal

In the Azure Portal, select Cloud Services on the left, click Add

Enter the desired DNS name

Validate that there’s a green checkmark on the right. If your name is not valid, a red X will display, choose a different name if it’s the case

Once your name is valid, take note of the name as it will be needed later. We will use SCDCMG as the DNS name for our example.

Close the window, do not create the service now

Verify Azure subscription’s Resource Provider

This is not documented in the official Cloud Management Gateway docs from Microsoft, but two resource providers now default to Not Registered for newer Azure subscriptions.

To validate the status, follow these steps

Log in to the Azure portal

In the Azure Portal, select Cost management and billing

Click on Cost Management and select Go to subscription. If you see multiple subscriptions, select the one that will host the Cloud Management Gateway

Under the section Settings, select Resource Provider

Make sure Microsoft.ClassicCompute and Microsoft.Storage are registered. If not, select one and click on Register
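The same check can be scripted so it is repeatable across subscriptions. The following is an added example (not from the original post) that uses the Az PowerShell module to report the registration state of the two providers named above and register any that are missing; it assumes an existing Connect-AzAccount session, and the subscription ID is a placeholder.

```powershell
# Added example, not part of the original post. Requires the Az module and a prior Connect-AzAccount.
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder: subscription that will host the CMG
)

# The two providers the post says default to Not Registered on newer subscriptions
$requiredProviders = @('Microsoft.ClassicCompute', 'Microsoft.Storage')

# Make sure the commands below act on the CMG subscription, not whatever the default context is
Set-AzContext -Subscription $SubscriptionId | Out-Null

function Get-ProviderState {
    param([string]$Namespace)
    # Get-AzResourceProvider returns one object per resource type; RegistrationState is the same on each
    (Get-AzResourceProvider -ProviderNamespace $Namespace | Select-Object -First 1).RegistrationState
}

foreach ($ns in $requiredProviders) {
    $state = Get-ProviderState -Namespace $ns
    if ($state -eq 'Registered') {
        Write-Host "$ns : Registered"
        continue
    }

    Write-Host "$ns : $state - registering"
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null

    # Registration is asynchronous; poll until it completes, giving up after 5 minutes
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 10
        $state = Get-ProviderState -Namespace $ns
    } while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)

    if ($state -ne 'Registered') {
        throw "$ns did not reach Registered within 5 minutes (current state: $state)."
    }
    Write-Host "$ns : Registered"
}
```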

Configure the Azure Service – Cloud Management

Go to Administration/Cloud Services/Azure Services and select Configure Azure Services

Specify a name and select Cloud Management, click Next

In this step, the Azure Administrator will be required to create the web app and native client app. Click on Browse for the Web app

Click on Create

Click Sign in and provide Azure administrator credentials. Default names do just fine. Click OK when login is completed

Select the App that was just created and click OK

Click Browse for the Native client app. Click Create

Click Sign in and provide Azure administrator credentials. Default names do just fine. Click OK when login is completed

Select the App that was just created and click OK

Click Next

Choose whether to Enable Azure Active Directory User Discovery or not.

Note: Azure AD discovery is not a requirement for the Cloud Management Gateway to work

Click Next

The Azure service is completed. If enabled, the AAD user discovery can be modified

The Azure AD tenant is now configured

Cloud Management Gateway server authentication Certificate requirements

The certificate requirements are the most complex part of configuring the Cloud Management Gateway.

A certificate is needed between the SCCM server and the Cloud Management Gateway.

The following choices are available :

Use a certificate from a public trusted provider This option requires a CNAME to be created in the DNS for to the real hostname CMGSCD.CloudApp.Net

Use a certificate from an enterprise CA. This certificate must be trusted by all computers that will connect to the Cloud Management Gateway. Use the format .CloudApp.Net

The CMG server authentication certificate supports wildcards. Some certificate authorities issue certificates using a wildcard character for the service name prefix. For example,

For this post, we will use a certificate from an Enterprise CA.

Create and Issue a Custom Web Server Certificate Template on your Certification Authority

This procedure creates a custom certificate template that is based on the web server certificate template. The certificate will be used for the installation of the SCCM cloud management gateway and the private key must be exportable as it will be asked during installation.

In Active Directory, create a security group named SCCM Site Servers that contains your SCCM Primary Site server computer account

On the server running the Certification Authority, open the Certification Authority console, right-click Certificate Templates and select Manage

The Certificate Templates management console opens

console opens Right-click the Web Server template and then select Duplicate Template

In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected in Certification Authority

In the General tab, enter a template name, such as SCD SCCM Cloud Management Gateway. Change the validity period if needed. As a best practice, keep in mind that the longer the validity period, the less secure your certificate is

In the Request Handling tab, select Allow private key to be exported

In the Security tab, remove the Enroll permission from the Enterprise Admins security group

Choose Add, enter SCCM Site Servers in the text box, and then choose OK

Select the Enroll and Read permissions for this group

Choose OK, then close the Certificate Templates console

Back in the Certification Authority console, right-click Certificate Templates and select New / Certificate Template to Issue

In the Enable Certificate Templates dialog box, select the new template that you just created, SCD SCCM Cloud Management Gateway, click OK

Request the custom web server certificate on the Primary Site Server

This procedure requests and then installs the newly created custom web server certificate on the Primary Site prior to the SCCM cloud management gateway installation

On the SCCM Server, run MMC

On the File Menu, choose Add/Remove Snap-in… select Certificates, and click Add

When prompted for what you want to manage certificates for, select Computer Account, click Next

Select Local Computer and then click Finish

In the Add or Remove Snap-ins dialog box, choose OK

In the console, expand Certificates (Local Computer) / Personal / Certificates

Right-click Certificates, select All Tasks / Request New Certificate

On the Before You Begin page, click Next

If you see the Select Certificate Enrollment Policy page, choose Next

On the Request Certificates page, locate SCD SCCM Cloud Management Gateway in the list of available certificates, and then select More information is required to enroll for this certificate. Click here to configure settings

In the Certificate Properties dialog box, on the Subject tab:

Subject name: in Type choose Common name; in Value, specify your service name and your domain name in FQDN format (for example: ) and select Add

Alternative name: in Type choose DNS; in Value, specify your service name and your domain name in FQDN format (for example: ) and select Add

Important: In all cases this certificate determines the name of the Cloud Management Gateway. Only letters and numbers are allowed in the name. A valid example is An invalid example is

Click OK to close the Certificate Properties dialog box

On the Request Certificates page, select SCD SCCM Cloud Management Gateway from the list of available certificates and click Enroll

On the Certificates Installation Results page, wait until the certificate is installed, then click Finish

Export Web Server Certificate

This procedure exports the custom web server certificate to a file. We export it twice: as a .CER file for the Azure management certificate, and in .PFX format for the cloud management gateway creation.

.CER EXPORT

In the Certificates (Local Computer) console, right-click the SCD Cloud Management Gateway certificate that you just created, select All Tasks / Export

In the Certificates Export Wizard, choose Next

On the Export Private Key page, select No, do not export the private key and click Next

On the Export file format, select CER and click Next

Save your certificate in a folder and close the wizard

To close the wizard, click Finish in the Certificate Export Wizard page

.PFX EXPORT

Redo the export task a second time

On the Export Private Key page, choose Yes, export the private key, click Next

On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) option is selected

On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next

On the File to Export page, specify the name of the file that you want to export

To close the wizard, click Finish in the Certificate Export Wizard page

Close Certificates (Local Computer).

The certificate is now ready to be imported when creating the SCCM Cloud Management Gateway.
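The request and export steps above can also be done from PowerShell on the site server. The following is an added example, not code from the original post: it enrolls from the custom template into the Local Computer Personal store, checks that the first DNS label of the service name is letters and digits only (the naming rule the post states), and exports the .CER and .PFX files. The template name 'SCDSCCMCloudManagementGateway', the service FQDN 'cmgscd.cloudapp.net' and the export folder are assumed placeholder values.

```powershell
# Added example (not from the original post): request the CMG server authentication
# certificate from the custom template and export it as .CER and .PFX.
# Assumptions (placeholders, adjust to your environment):
#   - the template's Name is 'SCDSCCMCloudManagementGateway' (the post's display name is
#     'SCD SCCM Cloud Management Gateway'; Get-Certificate expects the template Name)
#   - the service FQDN is 'cmgscd.cloudapp.net' (constructed example)
#   - the site server's computer account is a member of the 'SCCM Site Servers' group

#Requires -RunAsAdministrator
$TemplateName = 'SCDSCCMCloudManagementGateway'   # assumed template Name
$ServiceFqdn  = 'cmgscd.cloudapp.net'              # constructed example value
$ExportFolder = 'C:\Temp\CMG'                      # assumed export location

# The first DNS label becomes the CMG service name and must be letters and digits only.
function Test-CmgServiceName {
    param([Parameter(Mandatory)][string]$Fqdn)
    $prefix = $Fqdn.Split('.')[0]
    return ($prefix -match '^[A-Za-z0-9]+$')
}
if (-not (Test-CmgServiceName $ServiceFqdn)) {
    throw "Service name prefix of '$ServiceFqdn' must contain only letters and numbers."
}

New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null

# Enroll from the enterprise CA into the local computer's Personal store. The template
# allows the subject to be supplied in the request, so CN and SAN are given here.
$enrollment = Get-Certificate -Template $TemplateName `
    -SubjectName "CN=$ServiceFqdn" `
    -DnsName $ServiceFqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My'

if ($enrollment.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($enrollment.Status)'."
}
$cert = $enrollment.Certificate

# The private key must be exportable (Request Handling tab of the template) for the PFX step.
if (-not $cert.HasPrivateKey) { throw 'Issued certificate has no private key in this store.' }

# .CER export (public key only).
$cerPath = Join-Path $ExportFolder 'CMG-ServerAuth.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# .PFX export (with private key): the file the Create Cloud Management Gateway wizard asks for.
# The password is read interactively so it never lands in a script or in shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxPath = Join-Path $ExportFolder 'CMG-ServerAuth.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter
    Cer        = $cerPath
    Pfx        = $pfxPath
}
```

Treat the resulting .PFX like any other private key material: it only needs to exist long enough to be uploaded in the wizard, and the folder it sits in should not be broadly readable.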

Client Authentication

SCCM clients can authenticate on the Cloud Management gateway following one of these methods:

Devices are Azure AD joined (or hybrid Azure AD joined). An Azure AD registered device is not enough for authentication. This isn't covered in this guide, but here's more information from Microsoft Docs

Token-based authentication. This feature is only available from the SCCM 2002 release and above

Client certificate using an Enterprise CA

Token-based authentication

This feature is only available from SCCM 2002 or higher. If you do not have an Enterprise CA and computers are not joined yet to Azure AD, this is a good alternative.

Token-based authentication does not require any configuration or enablement once SCCM is updated to 2002 or higher. The important part is that the client-side update is mandatory to use token-based authentication.

The way it works is simple: the Management Point issues a token to the client while it is connected on-premises, and the client uses that token to authenticate on the Cloud Management Gateway. The token is then automatically renewed each month and is valid for up to 90 days.

Important: Microsoft still recommends using Azure AD join to authenticate on the Cloud Management Gateway.

It is also possible to generate a bulk registration token to allow external devices to make their first communication with the Cloud Management Gateway. This could be useful for devices in a DMZ, for example.

For more details about Token-based authentication, see Microsoft docs

Client authentication certificate requirements

This method relies on an Enterprise CA to manage the client certificate.

If computers are Azure AD joined, or you have chosen to leverage the new Token-based authentication, this step can be skipped.

If you need to create a client authentication certificate on your Enterprise CA, here are the steps:

RDP to an Intermediate Certification Authority

Open the Certification Authority console, right-click Certificate Templates and click Manage

Right-click Workstation Authentication and click Duplicate Template

Make sure to use Server 2003, not 2008

In the General tab, name this SCCM Client Certificate

Set the Validity Period to 5 years

Click on the Security tab, select the Domain Computers group and add the Read and Autoenroll permissions; do not clear Enroll. Then click OK

When you refresh your console, you will see that the new template is there

Create an Auto-Enroll Group Policy

A client certificate is required on any computer which will be managed via the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point.

The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO:

Launch Group Policy Management on your domain (Start / Administrative Tools / Group Policy Management)

Right-click the desired OU and select Create a GPO in this domain, and Link it here… as we are going to create a new GPO

Name your GPO AutoEnroll ConfigMgr Client Cert, then click OK

Right-click and Edit your newly created GPO

Navigate to: Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies

Right-click Certificate Services Client – Auto-Enrollment and then click Properties

Change the Configuration Model to Enabled

Check Update certificates that use certificate templates and Renew expired certificates, update pending certificates, and remove revoked certificates

Click Apply and OK

Reboot a workstation. When you run gpupdate /force, or within 15 minutes when Group Policy is re-applied, any machine on the domain communicating with the DC will request and receive a client certificate automatically, placed in the Local Computer Personal certificate store

Export the client certificate’s root

The easiest way to export the root of the client certificates used on the network is to get it from one of the domain-joined machines that receive it through your auto-enrollment GPO

Requirements: Client certificates are required on any computer you want to manage with the cloud management gateway and on the site system server hosting the cloud management gateway connection point

Run MMC

From the File menu, choose Add/Remove Snap-in…

In the Add or Remove Snap-ins dialog box, choose Certificates / Add / Computer account / Local computer

Go to Certificates / Personal / Certificates

Double-click the certificate for client authentication on the computer, choose the Certification Path tab, and double-click the root authority (at the top of the path).

On the Details tab, choose Copy to File…

Complete the Certificate Export Wizard using the default certificate format. You’ll need it to configure the cloud management gateway (CMG) later
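The same check and export can be scripted on a workstation that went through the autoenrollment GPO. This is an added example, not code from the original post: it looks for a certificate in the Local Computer Personal store that carries the Client Authentication EKU and came from the 'SCCM Client Certificate' template, builds its chain, and exports the root of that chain as a .CER file. The export path is an assumed placeholder.

```powershell
# Added example (not from the original post): confirm the autoenrolled client certificate
# is present on a domain-joined workstation and export the root of its chain to .CER.
# Assumptions: template display name 'SCCM Client Certificate' (from the post) and the
# export path 'C:\Temp\CMG\ClientRoot.cer' (constructed placeholder).

#Requires -RunAsAdministrator
$TemplateDisplayName = 'SCCM Client Certificate'
$RootExportPath      = 'C:\Temp\CMG\ClientRoot.cer'

function Get-TemplateName {
    # Returns the template name recorded in the certificate (v2 'Certificate Template
    # Information' extension, or the older v1 'Certificate Template Name' extension).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return $null
}

function Get-ClientAuthCertificate {
    # Certificates with a private key, the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
    # and the expected template name.
    param([string]$Template)
    Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') -and
        ((Get-TemplateName $_) -like "*$Template*")
    }
}

$clientCert = Get-ClientAuthCertificate -Template $TemplateDisplayName | Select-Object -First 1
if (-not $clientCert) {
    # Nothing yet: policy may not have applied. 'gpupdate /force' (or waiting for the
    # refresh interval) triggers the enrollment the GPO configured.
    throw "No client authentication certificate from template '$TemplateDisplayName' found."
}

# Build the chain and take the top element: that is the root CA the CMG must trust.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only want the path, not a CRL lookup
if (-not $chain.Build($clientCert)) {
    Write-Warning 'Chain did not validate fully on this machine; exporting the top of the path anyway.'
}
$rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

New-Item -ItemType Directory -Path (Split-Path $RootExportPath) -Force | Out-Null
Export-Certificate -Cert $rootCert -FilePath $RootExportPath -Type CERT | Out-Null

[pscustomobject]@{
    ClientCert = $clientCert.Subject
    Issuer     = $clientCert.Issuer
    Expires    = $clientCert.NotAfter
    Root       = $rootCert.Subject
    RootFile   = $RootExportPath
}
```

The root exported here is public key material only, so it is safe to copy to the site server; it is the file the Create Cloud Management Gateway wizard asks for under the client certificate settings.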

Configure SCCM Cloud Management Gateway

Go to Administration/Cloud Services/Cloud Management Gateway, select Create cloud management gateway

Sign-in with Azure Administrator rights. The Azure AD App name should be auto-populated, click Next

Select:

Service name: provided automatically if the certificate is using . If using a public certificate or an internal certificate, the name will need to be entered manually. Remember, only letters and numbers are allowed in the name.

Region: should be the same as the on-prem Management Point

Resource group: select an existing one or create a new one

VM instance: 1

Cloud service certificate: select the CMG server authentication certificate or the public certificate

Client authentication certificate: provide the client authentication certificate when using an Enterprise CA

Choose whether to Verify client certificate revocation. See the following blog post for details about certificate revocation

Choose whether to enable the Cloud DP. See our previous post about CMG functioning as a cloud DP for more details about the feature.

Note: Depending on the certificate used, the following message will display. This happens when the certificate is not pointing to . This is a reminder about the CNAME requirements. If you use a wildcard certificate, replace the asterisk (*) in the Service name field with the globally unique deployment name prefix for your CMG.

Set the threshold as needed

On the Summary page, click Next

Click Close

The Cloud Management Gateway will show as Provisioning for about 10 minutes

The Cloud Management Gateway is ready for next steps

The cloud management gateway resources are also visible in the Azure portal.

Configure SCCM-generated certificates

This is a new feature from SCCM 1806, still in pre-release. This means that the feature is still in development but is fully supported.

The goal of this feature is to enable an HTTP Management Point and Software Update Point to support CMG traffic over HTTPS. Prior to SCCM 1806, an HTTPS MP and SUP were required in order to connect those services to the Cloud Management Gateway.

Go to Administration/Updates and Servicing/Features

Turn on the feature Enhanced HTTP site system

Go to Administration/Site Configuration/Sites and select properties on your site

Under the Client computer communication tab, check the box for Use Configuration Manager-generated certificates for HTTP site systems

For more detail on the SCCM-Generated certificate, see

Add the Cloud Management Gateway Connector Point

The cloud management gateway connection point is a new site system role for communicating with the cloud management gateway. Let's add this role to our management point server.

In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles

Select your server which will serve as your cloud management gateway connection point and select Add Site System Role

On the System Role Selection pane, select Cloud management gateway connection point

Your Cloud Management Gateway name and region will be auto-populated

Review your settings and complete the wizard

You can follow the installation progress in SMS_Cloud_ProxyConnector.log.

Configure System roles to communicate with the Cloud Management Gateway

Prior to SCCM 1806, it was not possible for the current Management Point and Software Update Point to remain in HTTP mode and support the Cloud Management Gateway.

Admins were in need of a new Management Point and Software Update Point configured in HTTPS mode or to switch current ones.

Now with the SCCM-generated certificate, a current HTTP MP and SUP can support the Cloud Management Gateway.

Under Administration / Site Configuration / Servers and Site System Roles, select the Management Point properties

Check the box Allow Configuration Manager cloud management gateway traffic. Notice that Client Connections remains in HTTP

Under Administration / Site Configuration / Servers and Site System Roles, select the Software Update Point properties

Check the box Allow Configuration Manager cloud management gateway traffic. Notice that Require SSL communication to the WSUS server remains unchecked

Configure SCCM CMG Client settings

Under Administration / Client Settings, under Cloud Services, make sure Enable clients to use a cloud management gateway is set to Yes.

Once configured, deploy your client settings to the desired clients.

If you plan to use a Cloud Distribution Point, it is also configured here.

In order to see application deployments targeted to users, the following client setting is also required.

Configure clients for cloud management gateway

We will now verify if clients are able to successfully communicate with our server via the SCCM Cloud Management Gateway.

On a client connected to the intranet, run a machine policy retrieval and restart the SMS Agent Host service.

On the Network tab of the Configuration Manager agent, the should be visible.

Additional information is available in the ClientLocation.log

Testing client connection to Cloud Management gateway

To test the cloud management gateway (CMG), get your machine on the internet … or force the SCCM client to be configured as Always Internet.

In the registry editor, set HKLM\Software\Microsoft\CCM\Security\ClientAlwaysOnInternet to 1 and restart the SMS Agent Host service.

After the SMS Agent Host service restarts, the client will display the connection type Always Internet

From this point, you can try any of the supported features for the Cloud Management Gateway!
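The test above can be scripted so it is repeatable on a lab client and easy to undo. This is an added example, not code from the original post: it sets the ClientAlwaysOnInternet value the post describes, restarts the SMS Agent Host, then queries SMS_ActiveMPCandidate (the class Microsoft's guidance uses) for an Internet-type management point, which is how the CMG shows up on the client. The -Revert switch and the 60-second wait are this example's own choices.

```powershell
# Added example (not from the original post): force a lab client into 'Always Internet',
# restart the SMS Agent Host, and confirm an Internet-type MP candidate (the CMG) exists.
# Run elevated on the test client. Use -Revert to return the client to automatic detection.

#Requires -RunAsAdministrator
param([switch]$Revert)

$RegPath  = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
$RegValue = 'ClientAlwaysOnInternet'

# 1 = always treat the network as internet, 0 = let the client detect intranet/internet.
$desired = if ($Revert) { 0 } else { 1 }
Set-ItemProperty -Path $RegPath -Name $RegValue -Value $desired -Type DWord
Restart-Service -Name CcmExec -Force

# Give the agent time to read the new setting and refresh its locations (assumed delay).
Start-Sleep -Seconds 60

function Get-InternetMPCandidate {
    # Same query as the Microsoft guidance, written with Get-CimInstance.
    Get-CimInstance -Namespace 'root\ccm\LocationServices' -ClassName 'SMS_ActiveMPCandidate' |
        Where-Object { $_.Type -eq 'Internet' }
}

$current    = (Get-ItemProperty -Path $RegPath -Name $RegValue).$RegValue
$candidates = @(Get-InternetMPCandidate)

[pscustomobject]@{
    ClientAlwaysOnInternet = $current
    InternetMPCandidates   = $candidates.Count
}
# Full candidate objects for inspection (the CMG URL appears among their properties).
$candidates | Format-List

# If InternetMPCandidates is 0, the client has not received CMG policy yet: trigger a
# machine policy retrieval while on the intranet and review ClientLocation.log.
```

Keep this to test machines: a client left at ClientAlwaysOnInternet = 1 will route all its traffic through the CMG even when it is sitting on the intranet.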

Warning: Make sure to whitelist the address in your enterprise firewall. We've seen an issue with Cisco Umbrella blocking traffic, which prevented the cloud management gateway connection point from keeping its connection to the cloud management gateway. The following error was found in SMS_CLOUD_PROXYCONNECTOR.log: Failed to build HTTP connection with XXXXX.CloudApp.Net. The cloud management gateway checks the connection every 60 seconds
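A quick way to tell a blocked egress path from a transient failure is to combine a TCP test to the CMG host with a scan of the connector log for the error line quoted above. The following is an added example, not code from the original post. 'XXXXX.CloudApp.Net' is the post's placeholder for the CMG service name, the log path is the assumed default site server log folder, and the sample log lines are constructed for the example, not copied from a real log.

```powershell
# Added example (not from the original post): check that the CMG connection point can reach
# the CMG service on 443 and count 'Failed to build HTTP connection' lines in the
# SMS_Cloud_ProxyConnector.log. Sample log lines below are constructed.

$CmgHost = 'XXXXX.CloudApp.Net'   # placeholder from the post, replace with your CMG FQDN
$LogPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_Cloud_ProxyConnector.log'  # assumed default path

# 1. Outbound reachability on 443 from the connection point. A TCP failure here usually
#    means an egress proxy or web filter (the post mentions Cisco Umbrella) is blocking the host.
function Test-CmgReachability {
    param([Parameter(Mandatory)][string]$HostName)
    $r = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host     = $HostName
        RemoteIp = $r.RemoteAddress
        TcpOpen  = $r.TcpTestSucceeded
    }
}

# 2. Scan connector log lines for the failure message and extract the host it names.
#    ConfigMgr log lines wrap the message in <![LOG[...]LOG]!>; the regex pulls it out.
function Get-CmgConnectionFailure {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '<!\[LOG\[(?<msg>Failed to build HTTP connection with (?<host>[^\s\]]+))') {
            [pscustomobject]@{
                Host    = $Matches['host']
                Message = $Matches['msg']
                Raw     = $line
            }
        }
    }
}

# Constructed sample lines in ConfigMgr log format (two failures, one healthy message).
$sampleLog = @(
    '<![LOG[Failed to build HTTP connection with XXXXX.CloudApp.Net]LOG]!><time="10:00:01.000+000" date="01-01-2021" component="SMS_CLOUD_PROXYCONNECTOR" type="3">',
    '<![LOG[Connected to XXXXX.CloudApp.Net successfully]LOG]!><time="10:01:01.000+000" date="01-01-2021" component="SMS_CLOUD_PROXYCONNECTOR" type="1">',
    '<![LOG[Failed to build HTTP connection with XXXXX.CloudApp.Net]LOG]!><time="10:02:01.000+000" date="01-01-2021" component="SMS_CLOUD_PROXYCONNECTOR" type="3">'
)

# Use the real log when present, otherwise fall back to the constructed sample.
$lines    = if (Test-Path $LogPath) { Get-Content -Path $LogPath -Tail 500 } else { $sampleLog }
$failures = @(Get-CmgConnectionFailure -Lines $lines)
$failures | Group-Object Host | Select-Object Name, Count

# The connector retries every 60 seconds, so a steady stream of these lines points to a
# blocked outbound path rather than a one-off hiccup; the TCP test confirms it.
Test-CmgReachability -HostName $CmgHost
```

Run it on the server hosting the connection point role, since that is the machine whose outbound path the firewall or web filter is affecting.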

Bonus Resources for Troubleshooting

We released a complete troubleshooting guide in a separate post. Use it to troubleshoot your errors.

If you want to easily identify your CMG client, we have developed a free report.

This was a big one; hope it helped! Are you using the Cloud Management Gateway? Tell us about your experience in the comment section.

Cloud Management Gateway for SCCM CB

CMG basics

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. You also don’t need to expose your on-premises infrastructure to the internet.

Deploy the CMG cloud service to Azure.

Add the CMG connection point role.

Configure the site and site roles for the service. Once deployed and configured, clients seamlessly access on-premises site roles regardless of whether they’re on the intranet or internet.

Deployment and operation of the CMG includes the following components:

The CMG cloud service in Azure authenticates and forwards Configuration Manager client requests to the CMG connection point.

The CMG connection point site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.

The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure AD. Ensure your service connection point is in online mode.

The management point site system role services client requests per normal.

The software update point site system role services client requests per normal.

Internet-based clients connect to the CMG to access on-premises Configuration Manager components.

The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.

Internet-based clients use PKI certificates or Azure AD for identity and authentication.

A cloud distribution point provides content to internet-based clients, as needed.

Azure Resource Manager

Starting in version 1802, you can create the CMG using an Azure Resource Manager deployment. Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group. When deploying CMG with Azure Resource Manager, the site uses Azure Active Directory (Azure AD) to authenticate and create the necessary cloud resources. This modernized deployment does not require the classic Azure management certificate.

Requirements

An Azure subscription to host the CMG. An Azure administrator needs to participate in the initial creation of certain components, depending upon your design. This person does not require permissions in Configuration Manager.

At least one on-premises Windows server to host the CMG connection point. You can co-locate this role with other Configuration Manager site system roles.

The service connection point must be in online mode.

A server authentication certificate for the CMG.

If using the Azure classic deployment method, you must use an Azure management certificate; using the Azure Resource Manager deployment model is recommended instead.

Other certificates may be required, depending upon your client OS version and authentication model. For more information, see CMG certificates. Starting in version 1802, you must configure all CMG-enabled management points to use HTTPS.

Integration with Azure AD may be required for Windows 10 clients. For more information, see Configure Azure services.

Clients must use IPv4.

Specifications

CMG only supports the management point and software update point roles.

CMG does not support clients that only communicate with IPv6 addresses.

Software update points using a network load balancer do not work with CMG.

Cost

Azure Cloud Services as platform as a service (PaaS)

A2 V2 VM

Outbound data transfer: For estimating purposes only, expect approximately 100-300 MB per client per month for internet-based clients. The lower estimate is for a default client configuration. The upper estimate is for a more aggressive client configuration. Your actual usage may vary depending upon how you configure client settings.

Content Storage

Internet-based clients get Microsoft software update content from Windows Update at no charge. Do not distribute update packages with Microsoft update content to a cloud distribution point, otherwise you may incur storage and data egress costs.

For any other necessary content, such as applications or third-party software updates, you must distribute to a cloud-based distribution point. Currently, the CMG supports only the cloud-based distribution point for sending content to clients.

CMG Certificates

The certificates involved, with their name, type, target and details:

Certificate: Cloud Management Gateway Certificate (.PFX and .CER)
Name: ConfigMgr Cloud Management Gateway Certificate
Type: Server authentication certificate
Target: ConfigMgr Cloud Management Gateway installation
Details: "Read/Enroll"; "Supply in the request"; "Allow private key to be exported"; fill in the Common Name: ; Rights: SCCM Servers, Read, Enroll; the name must be unique!; Subject: CN =

Certificate: Server Authentication Certificate (.CER)
Name: ConfigMgr Web Server Certificate
Type: Server authentication certificate
Target: MP (IIS), SUP (IIS)
Details: "Read/Enroll (IIS Servers)"; "Windows 2003 Server"; "Supply in the request"; Rights: SCCM Servers, Read, Enroll; Subject: CN = Local FQDN; Subject Alternative Name: DNS Name = Local FQDN, DNS Name = FQDN

Certificate: Client Authentication Certificate (.CER)
Name: ConfigMgr Client Certificate
Target: Laptop, Desktop (GPO), CMG Connection Point server
Details: "Read/Enroll/AutoEnroll (All computers)"; "Windows 2003 Server"; "Supply in the request"; Rights: SCCM Servers, Read, Enroll; Subject: CN = Local FQDN; Subject Alternative Name: DNS Name = Local FQDN

Certificate: Cloud Distribution Point (.PFX and .CER)
Name: ConfigMgr Cloud-Based Distribution Point Certificate
Target: ConfigMgr Cloud DP installation, Azure Management Certificate
Details: "Read/Enroll"; "Supply in the request"; "Allow private key to be exported"; fill in the Common Name: ; Rights: SCCM Servers, Read, Enroll

Certificate: Root Certificate (.CER)
Target: All
Details: Validate certification path

Certificate: Sub Certificate (.CER)
Target: All
Details: Validate certification path

Set up cloud management gateway for Configuration Manager

Administration / Cloud Services / Cloud Management Gateway

Click Create Cloud Management Gateway

Select Azure Public Cloud, select the Azure Resource Manager deployment, sign in to your Azure subscription, click Next

Enter your Azure AD login, click Next

Once you are successfully signed in, click Next.

Select the CMG certificate in PFX format. Click Open.

On the Settings page of the wizard, first click Browse and select the .PFX file for the CMG server authentication certificate. The name from this certificate populates the required Service FQDN and Service name fields.

Enter a description, create a new resource group, select the CMG deployment region and select the number of VM instances.

Untick Verify client certificate revocation

Click Next.

Import the root certificate and sub certificates, click Next

Configure the threshold, click Next.

Provisioning starts

The new resource group is being created

Cloud service and storage account

The proxy service is running

Check that the CMG is in Ready status in the SCCM console

To troubleshoot CMG deployments, use CloudMgr.log and CMGSetup.log. For more information, see Log files.

Configure primary site for client certificate authentication

Administration / Site Configuration / Sites / Primary site / Properties

Select HTTPS or HTTP

Tick Use PKI client certificate

Untick Clients check the certificate revocation list

Import the root CA

Click Apply

Add the CMG connection point role

Important: The CMG connection point must have a client authentication certificate in some scenarios.

Administration / Site Configuration / Servers and Site System Roles

Select the server

Click Add Site System Role

Click Next

Click Next

Select Cloud Management gateway connection point Click Next

Select the previously deployed CMG in Azure Click Next.

Click Next Click Close.

To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.

On the primary server

On the CMG server

E:SMSLogs

Administration / Cloud Services / Cloud Management Gateway / CMG name / Connection Point tab

The CMG connection point is now connected to the Azure CMG

Configure client-facing roles for CMG traffic

Select the CMG MP properties

Click Allow CMG traffic

IIS endpoints are now listed in the SCCM console

Configure clients for CMG

Note: Clients must be on the intranet to receive the location of the CMG service, unless you install and assign Windows 10 clients using Azure AD for authentication.

By default all clients receive CMG policy. Control this behavior with the client setting, Enable clients to use a cloud management gateway.

The Configuration Manager client automatically determines whether it’s on the intranet or the internet. If the client can contact a domain controller or an on-premises management point, it sets its connection type to Currently intranet. Otherwise, it switches to Currently Internet, and uses the location of the CMG service to communicate with the site.

To verify that clients have the policy specifying the CMG, open a Windows PowerShell command prompt as an administrator on the client computer, and run the following command:

Get-WmiObject -Namespace Root\ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}

To troubleshoot CMG client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log. For more information, see Log files.

Always keep at least one active CMG for internet-based clients to receive updated policy. Internet-based clients can’t communicate with a removed CMG. Clients don’t know about a new one until they roam back to the intranet. When creating a second CMG instance in order to delete the first, also create another CMG connection point.

Only modify the CMG from the Configuration Manager console. Making modifications to the service or underlying VMs directly in Azure is not supported. Any changes may be lost without notice. As with any PaaS, the service can rebuild the VMs at anytime. These rebuilds can happen for backend hardware maintenance, or to apply updates to the VM OS.

Enroll Client Certificate

Click Finish

On intranet

Launch a Machine Policy Retrieval & Evaluation Cycle. The client receives the policy with the CMG location.

Connect the SCCM client to an internet network. The client certificate is now PKI and the connection type is Internet

For client troubleshooting, check:

Locationservices.log

CCMMessaging.log

PolicyAgent.log

SCCM client is now connected to the CMG
