How to Setup SCCM Cloud Management Gateway

In this post I will cover the steps to setup a cloud management gateway (CMG) in SCCM. I have got Configuration Manager 1902 in my setup and I will use the same to configure the CMG.

Setting up the cloud management gateway in Configuration Manager 1902 is very easy. If you are using earlier versions of SCCM such as SCCM 1802 or SCCM 1806 you might not see some options that are included in SCCM 1902.

What is Cloud Management Gateway in SCCM

The cloud management gateway also known as CMG, that provides a simple way to manage Configuration Manager clients on the internet. When you deploy the CMG as a cloud service in Microsoft Azure, you can manage internet clients without additional infrastructure.

The biggest advantage of cloud management gateway in SCCM is you don’t need to expose your on-premises infrastructure to the internet. If you are planning to use CMG, I would suggest you to read this article by Microsoft.

The CMG uses Azure Cloud Services as PaaS, this service uses virtual machines (VMs) that will involve compute costs. By default the CMG uses a Standard A2 V2 VM.

When you create a CMG, you select how many VM instances support the CMG. By default it 1 and 16 is the maximum. But the question is how many such VM’s do you actually require ?. That’s answered here.

CMG Ports and Data Flow

When you plan to setup CMG, you don’t need to open any inbound ports to your on-premises network. The service connection point and CMG connection point are the ones that initiate all communication with Azure and the CMG.

The service connection point deploys and monitors the service in Azure, hence it must be in online mode. The CMG connection point connects to the CMG to manage communication between the CMG and on-premises site system roles.

For complete information about cloud management gateway ports, read this article.

CMG Data Flow
Copyright Microsoft – Conceptual data flow for the CMG

SCCM Cloud Management Gateway Setup Requirements / Prerequisites

Here are the important requirements or prerequisites for SCCM CMG :-

  • First of all you need an Azure Subscription to host the cloud management gateway.
  • If you are deploying CMG, you need a Subscription Admin. To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin.
  • Ensure the SCCM service connection point is in online mode.
  • Integration with Azure AD for deploying the service with Azure Resource Manager.
  • If you ask me use at-least SCCM 1806 and above if you are creating a CMG in your setup. I will explain the reason for this in next section.
  • You need at-least one on-prem Windows Server to host the CMG.

Certificates for Configuration Manager Cloud Management Gateway

One thing that you must really work on is the CMG certificates. I have not included this info under CMG prerequisites section because this topic is quite complex. However I will try my best to make it easy for you.

  • CMG server authentication certificate
  • CMG trusted root certificate to clients
  • Server authentication certificate issued by public provider / Enterprise PKI
  • Client Authentication Certificate
  • Client trusted root certificate to CMG
  • HTTPS certs for Management Points
  • Azure Management Certificate

CMG Server Authentication Certificate

The CMG server authentication certificate is required while creating the CMG in the Configuration Manager console. When you setup a CMG, it basically creates a HTTPS service to which your internet clients connect.

For a valid CMG server auth cert, you can either acquire a certificate from a public provider or issue it from your public key infrastructure (PKI). In this post, I will be issuing the cert from my PKI.

If you are using SCCM 1802 and above, you can use a wildcard certificates as CMG server cert. Before you create this certificate, ensure the Azure domain name that you use is unique.

CMG trusted root certificate to clients

This certificate is for clients that must trust the CMG server authentication certificate. There are two methods to accomplish this :-

  • Use a certificate from a public and globally trusted certificate provider.
  • Use a certificate issued by an enterprise CA from your public key infrastructure (PKI).

Client trusted root certificate to CMG

You supply this root certificate when you setup the cloud management gateway in the Configuration Manager console. The CMG must trust the client authentication certificates. If you’re using PKI client authentication certificates, then you must add a trusted root certificate to the CMG.

HTTPS certs for Management Points

To configure HTTPS on Management points requires PKI and this topic is huge. Don’t worry, I have covered step-by-step deployment of the PKI certificates for SCCM here.

Azure management certificate

The Azure management certificate is required for classic service deployments. With SCCM 1810 and above the classic service deployments in Azure are deprecated. So start using Azure Resource Manager deployments for the cloud management gateway.

Confirm Unique Azure Domain Name

You must confirm that the Azure domain name you want is unique. You can check this in Azure portal. When you enter the DNS name, you should see either a green tick or red X. Green tick means yes the domain name is available and red X means it is not available.

Login to Azure portal and select Cloud Services (classic). Click +Add button.
Confirm Unique Azure Domain Name

Enter the DNS name which should be unique as I mentioned before. In my case I see a green tick so I will be prajwalcmg.cloudapp.net will be my unique Azure domain name or DNS name.

At this post there are two options. You can skip creating this service because it will be created automatically when we setup CMG. You may also create the service and use it while setting up CMG.

Confirm Unique Azure Domain Name

Configure Azure Services for Cloud Management

We will now configure Azure cloud services that you can use with SCCM using the Azure Services Wizard. We will create web app and native client app that provide subscription and configuration details, and authenticate communications with Azure AD.

Go to Administration > Overview > Cloud Services > Azure Services. Right click Azure Services and click Configure Azure Services.

Configure Azure Services

Select the Azure Services as Cloud Management and specify a name and description. Click Next.

Configure Azure Services

Select the Azure environment which is AzurePublicCloud. First we will create a web app, click Browse.

Create Web App for server

In the Server App box, click Create.

Create Web App for server

In the Create Server Application box, enter the application name. It can be anything. Specify key validation period and next click Sign-in button.

You should now see a box where-in you must sign in. Once you enter the correct credentials, you Azure AD tenant name will be shown along with Signed in successfully message.

Click OK.

Create Web App for server

Select the server app that you just created and click OK.

Create Web App for server

We will now create a native client app, so click Browse.

Create Native App for Client

Enter the application name and you must sign-in again. When you do that click OK.

Create native App for client

Now we have Server and Client app created. Click Next.

SCCM Azure Service

You can leave this option “Enable Azure Active Directory User Discovery” selected. Click Next.

SCCM Azure Service

Click Next on Summary page.

SCCM Azure Service

Finally on Completion page, click Close.
SCCM Azure Service

Verify Configuration Manager Azure Service

To verify the Azure Service that you created for Configuration Manager, click Azure Services. On the right pane you should see the Azure service and Associated Azure Service which is Cloud Management.

SCCM Azure Service

If you click Azure Active Directory Tenants, you should see Tenant name and tenant ID. In addition to that, you will see the Application Name, Tenant ID, Client ID in the bottom pane.

SCCM client and Server app

Create and Issue Web Server CMG Certificate Template

In this section we will create a new custom certificate which by using the web server certificate template. At this point, if you have templates created during implementing PKI, you can simply duplicate the SCCM IIS Certificate and use it.

If not you can duplicate the web server template and configure it. This certificate will be used for the installation of the SCCM cloud management gateway.

Login to Certification Authority server, open the Certification Authority console. Right-click Certificate Templates and select Manage.

Create and Issue Web Server CMG Certificate Template

Right click Web Server and click Duplicate Template.

Create and Issue Web Server CMG Certificate Template

Click Compatibility tab and ensure the settings are same as per below screenshot.

Create and Issue Web Server CMG Certificate Template

Click General tab and specify a name to this temple. I will name it as SCCM CMG Certificate.

Create and Issue Web Server CMG Certificate Template

Click Request Handling and ensure Allow private key to be exported is checked.

Create and Issue Web Server CMG Certificate Template

Now click Security tab, add the group that contains your SCCM Primary Site server computer account. Select the group and allow Enroll permission.

Create and Issue Web Server CMG Certificate Template

For Enterprise Admins, you can uncheck Enroll permission. Click Apply and OK. Close the console.

Create and Issue Web Server CMG Certificate Template

Now right click Certificate Templates and click New > Certificate Template to Issue.

Create and Issue Web Server CMG Certificate Template

Select the SCCM CMG Certificate and click OK.

Create and Issue Web Server CMG Certificate Template

Import Web server CMG certificate on the Primary Site Server

After you have created the CMG certificate, we will now import this certificate on our SCCM server.

Login to SCCM server. Open the Certificates console (run the command certlm.msc – this saves your time). Expand Personal > Certificates. Right click Certificates > All Tasks > Request New Certificate.

Import Web server CMG certificate on the Primary Site Server

From the list of certs, select SCCM CMG Certificate and click the link below it.

Import Web server CMG certificate on the Primary Site Server

In the Certificate Properties dialog box, under for Subject name, select Type as Full DN. Under Alternative name, select Type as DNS and enter the service name.

Enter a public DNS name that you want to use with CMG. So I will enter *.prajwal.org here which allows me to use any subdomain for CMG.

Import Web server CMG certificate on the Primary Site Server

Click General tab and specify a friendly name to this certificate and then click Apply and OK.

Import Web server CMG certificate on the Primary Site Server

Click Enroll.

SCCM CMG Certificate

The certificate is enrolled successfully. Click Finish.

SCCM CMG Certificate

Export the CMG Web Server Certificate

In the above step, on the site server, you requested the CMG certificate and enrolled it. Now we will export this certificate in a .PFX format. This certificate will required while creating cloud management gateway.

Select the CMG certificate, right click and click All Tasks > Export.

Export SCCM CMG Certificate

On welcome to certificate export wizard, click Next.

Export SCCM CMG Certificate

Select Yes, export the private key. Click Next.

Export SCCM CMG Certificate

Make no changes here and click Next.

Export SCCM CMG Certificate

Enter a password and click Next.

Export SCCM CMG Certificate

Save the CMG certificate on your computer. Click Next.

Export SCCM CMG Certificate

Click Finish. This completes the CMG certificate export process.

Export SCCM CMG Certificate

Setup / Create SCCM Cloud Management Gateway

To create or setup cloud management gateway in SCCM –

  • Launch the SCCM console.
  • Navigate to Administration > Cloud Services > Cloud Management Gateway.
  • Right click Cloud Management Gateway and click Create Cloud Management Gateway

Setup SCCM Cloud Management Gateway

You should now see the Create Cloud Management Gateway Wizard. Click Sign-in and login with your subscription admin account.

On successful sign-in you should see Subscription ID, Azure AD app name and tenant name automatically populated. Click Next

Setup SCCM Cloud Management Gateway

On the Settings page, click Browse and select the CMG certificate. The Service name and deployment name are populated automatically.

At this step you can use an existing resource group or create new resource group. I will go with just 1 VM instance.

You see two options and a certificates button.

  • Verify Client Certificate Revocation – To understand this refer this article.
  • Allow CMG to function as a cloud distribution point and serve content from Azure storage – With SCCM 1806, you get this new option. Now a CMG can also serve content to clients. This functionality reduces the required certificates and cost of Azure VMs.

I will leave both the above options checked. Next click Certificates.

Setup SCCM Cloud Management Gateway

You need to specify a certificate that tells CMG what certs it needs to trust. In my case I have got an PKI setup, so I will add the root certificate.

Setup SCCM Cloud Management Gateway

Click Next.

Setup SCCM Cloud Management Gateway

On the Alerts page, click Next.

Setup SCCM Cloud Management Gateway

On the completion page click Close.

Setup ConfigMgr Cloud Management Gateway

Cloud Management Gateway Status

After you setup cloud management gateway, monitor the status in the SCCM console. Right now the status in Provisioning.

Setup SCCM Cloud Management Gateway

After few minutes the status is changed to Provisioning Completed. Later I will cover what log file do you need to monitor for this.

Setup ConfigMgr Cloud Management Gateway

Install Cloud Management Gateway Connection Point

To install cloud management gateway connection point role in SCCM

  • In SCCM console, go to Administration > Site Configuration > Servers and Site System Roles.
  • Right click site server and click Add Site System Roles.

Add Cloud Management Gateway Connection Point

Click Next.

Add Cloud Management Gateway Connection Point

Check the box for Cloud Management gateway connection point. Click Next.

Add Cloud Management Gateway Connection Point

Select the cloud management gateway and click Next.

Add Cloud Management Gateway Connection Point

On the completion page, click Close.

Add Cloud Management Gateway Connection Point

Allow SCCM Cloud Management Gateway Traffic

You must configure the management point and software update point site systems to accept CMG traffic. Do this procedure on the primary site, for all management points and software update points that service internet-based clients.

Go Administration > Site Configuration > Servers and Site System Roles. Select the site server and in the bottom pane, right click Management point and click Properties.

Under Management Point Properties, check the box Allow Configuration Manager cloud management gateway traffic. Click OK.

Allow SCCM Cloud Management Gateway traffic

Under Software update point properties, check the box Allow Configuration Manager cloud management gateway traffic. Click OK.

Allow Configuration Manager Cloud Management Gateway traffic

Allow access to cloud distribution points

Under the client settings, click Cloud Services. Under Device/User Settings, set Allow access to cloud distribution point to Yes.

Allow access to cloud distribution point

Associate CMG with Boundary groups

If you are using SCCM 1902, you can associate a CMG with a boundary group. You can do this after you setup cloud management gateway. When you create or configure a boundary group, on the References tab, add a cloud management gateway.

Associate Cloud management gateway with Boundary groups

Configure clients for CMG

Once you setup cloud management gateway and all the site system roles are running, clients get the location of the CMG service automatically on the next location request.

Most of all the clients must be on the intranet to receive the location of the CMG service. By default the polling cycle for location requests is every 24 hours. However to speed up the request, you can restart the SMS Agent Host service (ccmexec.exe) on the computer.

To troubleshoot CMG client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.

I will cover more about CMG troubleshooting and other stuff related to it in some other post.

Enable Remote Desktop on SCCM CMG (Cloud Management Gateway)

Once you setup the SCCM CMG, you can enable remote desktop on SCCM CMG. Once you enable remote desktop on CMG, you can the IIS log files from the CMG Virtual Machine. Here is a step by step guide on how to enable remote desktop in SCCM cloud management gateway.

Cloud Management Gateway Log Files for Troubleshooting

When you setup the SCCM cloud management gateway, you must know the CMG log files that can help you to troubleshoot CMG issues. There are very few CMG log files and I have listed all the CMG log files in this post.

You might also like

14
Leave a Reply

avatar
12 Comment threads
2 Thread replies
1 Followers
 
Most reacted comment
Hottest comment thread
newest oldest most voted
Mark Rogalski
Guest
Mark Rogalski

Between the instructions:
“In the Certificate Properties dialog box, under for Subject name, select Type as Full DN. Under Alternative name, select Type as DNS and enter the service name.”
AND
“Enter a public DNS name that you want to use with CMG. So I will enter *.prajwal.org here which allows me to use any subdomain for CMG.”

I think you forgot to insert a screenshot, I could use an illustration for each step as my CMG cert seems to continue to fail or prompt errors when using as described above.

Sagar Mane
Guest
Sagar Mane

We are having SCCM 1902 and configured CMG
So
Can we install sccm client in workgroup machines in CMG ?( machines which are not in Azure AD but connected to internet)

Sagar Mane
Guest
Sagar Mane

Sir
thanks for this documents with SCCM 1902
few questions related to Prerequisites
is it compulsory to have Azure AD (as we have Azure subscription but our machines are not registered in Azure AD)
we are implementing CMG to manage laptops (roaming user) which are in workgroup (not in domain and not in Azure AD)
so it is possible to manage workgroup machine in CMG ?
we are facing error while installing sccm client on workgoup Pc which is connected to internet

Jordan Spencer
Guest
Jordan Spencer

I am setting up CMG for the first time. I am getting the following error in the last part of connection analyzer and can’t figure it out.

Failed to get ConfigMgr token with Azure AD token. Status code is ‘500’ and status description is ‘CMGConnector_InternalServerError’. Google results don’t help too much with this error.

Nagayya P
Guest
Nagayya P

there is not proper documents in Microsoft website about using Wilcard domain name which is issued by public CA.

i have got wildcard certificate from public authority but am not able to authenticate from clients . the client requires Client authentication certificate which am struggling to find out

Rohit Chaudhary
Guest
Rohit Chaudhary

HI Prajwal,

I have configure the things but its giving me a error during provisioning. error : Failed to start deployment slot …. in cloudmgr.log

Jason
Guest
Jason

I have a question for you, we already have a PKI certificate setup for our Distribution Points and utilize Https internally. Do I need to setup another cert or can I use the existing one we are using already. I am asking as our main reason for using the gateway will be to patch machines that are domain joined but they are not using VPN often enough to get patched. Any guidance here would be appreciated.

Pete
Guest
Pete

Do you recommend using a Service Account with temp Global Admin privileges to setup the Azure AD link or does it require permanent global admin role?

Just curious if i need to use a global admin account just for setup then its done or to use the service account from SCCM with global admin?

Ehab
Guest
Ehab

Thank you for your effort, I would like to ask something I have two MPs is it required to make them work over https both, or shall I create a new one dedicated for that and regarding to boundary group that will be used for CMG what is the boundary configured

Qnap
Guest
Qnap

Great………. got it working at last 🙂

Cesar
Guest
Cesar

Great Post!! Thanks Prajwal!

Robert Schaaf
Guest
Robert Schaaf

Great document! Setting this up and make it work isn’t too difficult if u got the certificates in order. The problem we are having is that our clients are not Azure AD joined so we use the certificate for authentication. However the client in the internet doesn’t report the status back of an installation, the status message query stays empty and the deployment keeps the status in progress. Microsoft has confirmed this to be a bug but it surprises me that I can’t find any document on the internet about this or that anyone has this problem. Anyone recognizes this?

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. AcceptRead More