This article details the steps to set up the SCCM Cloud Management Gateway (CMG) role. The CMG provides a simple way to manage Configuration Manager clients on the internet.
You can use this implementation guide to install and configure the CMG in your setup. Setting up the cloud management gateway is straightforward in SCCM, and Microsoft has simplified the deployment considerably.
You deploy the CMG as a cloud service in Microsoft Azure. The best thing about implementing the CMG is that you don't need to expose your on-premises infrastructure to the internet: the management point is never internet-facing. Internet clients talk only to the CMG in Azure, and the on-premises CMG connection point makes an outbound connection to the CMG and relays the client requests to the management point.

In this guide, we will understand what SCCM CMG is and how to set up and configure CMG and CMG log files for troubleshooting.
What is SCCM Cloud Management Gateway?
The Cloud Management Gateway (CMG) is a feature in Microsoft Configuration Manager (SCCM) that allows organizations to manage their on-premises and internet-based devices using the power of the cloud. It provides a secure, scalable, and reliable way to manage devices over the internet without requiring them to connect to the corporate network.
Benefits of using CMG
Using the Cloud Management Gateway offers the following benefits:
- Simplified Remote Management: IT teams can manage remote devices without the need for VPNs or other traditional methods.
- Reduced On-Premises Infrastructure: the CMG runs in Azure, so you don't need internet-facing on-premises servers (such as an internet-based management point in a DMZ), and the service's availability is handled by Azure rather than by your own perimeter hardware.
- Enhanced Security: all client-to-CMG traffic is HTTPS, and clients authenticate with Azure AD, a PKI client certificate, or a Configuration Manager site-issued token.
- Support for Hybrid Scenarios: CMG works seamlessly with devices that are hybrid Azure AD joined or internet-based.
- Scalability: CMG can handle workloads of various sizes by scaling Azure resources as needed.
SCCM CMG Ports and Data Flow
When you plan to set up SCCM CMG, you don’t need to open any inbound ports to your on-premises network. The service connection point and CMG connection point are the ones that initiate all communication with Azure and the CMG.
The service connection point deploys and monitors the service in Azure, and therefore it must be in online mode. The connection point connects to the CMG to manage communication between the SCCM CMG and on-premises site system roles.
The diagram below shows the SCCM cloud management gateway data flow. In short, internet clients make outbound HTTPS (TCP 443) connections to the CMG, and the service connection point and CMG connection point make outbound connections from your network to Azure and the CMG; nothing connects inbound to your network. For complete information about SCCM cloud management gateway ports, read the following article.
SCCM CMG Prerequisites
Listed below are important requirements or prerequisites for setting up CMG in SCCM:
- To host the cloud management gateway, you must first have an Azure subscription. It can be either in the Global Azure cloud or the Azure US Government cloud.
- Customers with a Cloud Service Provider (CSP) subscription need to use SCCM version 2010 or later with a virtual machine scale set deployment.
- Your user account needs to be a Full Administrator or Infrastructure Administrator in Configuration Manager.
- To deploy the CMG, you need an Azure account that is a Subscription Owner (subscription admin). To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need an Azure AD Global Administrator.
- The SCCM service connection point should be in online mode before setting up cloud management gateway.
- You need a server authentication certificate for the CMG.
- Clients must use IPv4.
- Configure the management point to allow traffic from the CMG. It also needs to require HTTPS, or configure the site for Enhanced HTTP.
- The site must be integrated with Azure AD (the Cloud Management Azure service) before you deploy the CMG with Azure Resource Manager.
- You need at least one on-premises Windows Server to host the CMG Connection Point.
- The following client settings in the Cloud services group are enabled for devices that will use the CMG:
- Enable clients to use a cloud management gateway.
- Allow access to cloud distribution point
- Starting in ConfigMgr version 2203, the option to deploy a CMG as a cloud service (classic) is removed. All CMG deployments should use a virtual machine scale set.
Supported Configurations for Cloud Management Gateway
When planning for a CMG, it is crucial to understand which configurations are supported by the Cloud Management Gateway.
- Every Windows client and server version that Configuration Manager supports is supported for the CMG.
- The CMG forwards traffic only to the management point and software update point roles (it can serve deployment content itself when the cloud distribution point option is enabled). You can also deploy task sequences to internet-based clients through the CMG.
- The CMG doesn't support clients that only communicate with IPv6 addresses; clients must have IPv4 connectivity.
- Software update points using a network load balancer don’t work with CMG.
Cost of Cloud Management Gateway
When you plan for a CMG in SCCM, be aware that it is not free; there are costs associated with it because it uses several components in Azure.
The charges are billed to your Azure subscription. Some costs are fixed, and some vary with usage.
Transferring data to the CMG and the cost of the virtual machine hosting the CMG service are the two primary CMG expenses.
The following components are involved when you calculate the cost for CMG:
- Virtual machine scale set
- Outbound data transfer
- Content storage
For more information on CMG Cost, refer to cost of cloud management gateway article.
Configuration Manager CMG Components
When you plan for a CMG, the deployment and operation of the CMG includes the following components:
- The CMG cloud service in Azure authenticates and forwards Configuration Manager client requests over the internet to the on-premises CMG connection point.
- The CMG connection point site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG, including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.
- The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure Active Directory (Azure AD). Make sure your service connection point is in online mode.
- The management point and software update point site system roles service client requests per normal.
- The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.
- Internet-based clients connect to the CMG to access on-premises Configuration Manager components. There are multiple options for client identity and authentication:
- Azure AD
- PKI certificates
- Configuration Manager site-issued token
- The CMG creates an Azure storage account, which it uses for its standard operations. By default, the CMG is also content-enabled to provide deployment content to internet-based clients. This storage account doesn’t support customizations, such as virtual network restrictions.
Certificate Requirements
Before you set up the ConfigMgr CMG, the one thing you must get right is the CMG certificates. I have not included this information in the SCCM CMG prerequisites section because the topic is quite involved, but I will try to make it as easy as possible. The certificates involved are:
- CMG server authentication certificate
- CMG trusted root certificate to clients
- Server authentication certificate issued by public provider / Enterprise PKI
- Client Authentication Certificate
- Client trusted root certificate to SCCM CMG
- HTTPS certs for management points
- Azure Management Certificate
SCCM CMG Server Authentication Certificate
The server authentication certificate is required while creating the cloud management gateway in the Configuration Manager console. The SCCM CMG setup basically creates an HTTPS service to which your internet clients connect.
For a valid Configuration Manager CMG server authentication certificate, you can either acquire a certificate from a public provider or issue it from your public key infrastructure (PKI). In this post, I will be issuing the cert from my PKI.
If you are using SCCM version 1802 or later, you can use a wildcard certificate as the CMG server certificate. Before you create this certificate, make sure the Azure DNS name that you use for the CMG is unique.
SCCM CMG trusted root certificate to clients
Clients must trust the CA that issued the CMG server authentication certificate, otherwise they reject the CMG's HTTPS endpoint. There are two ways to accomplish this:
- Use a certificate from a public and globally trusted certificate provider.
- Use a certificate issued by an enterprise CA from your public key infrastructure (PKI).
Client trusted root certificate to SCCM CMG
You supply this root certificate when you set up the cloud management gateway in the Configuration Manager console. The CMG must trust the client authentication certificates. If you’re using PKI client authentication certificates, then you must add a trusted root certificate to the CMG.
HTTPS certs for management points
Configuring HTTPS on management points requires PKI certificates, which is a big topic of its own. Don't worry; I have covered the step-by-step deployment of the PKI certificates for SCCM here. The alternative, as noted in the prerequisites, is to enable Enhanced HTTP on the site so the CMG can use Azure AD or site-issued token authentication without PKI certificates on the management point.
Azure management certificate
The Azure management certificate is required only for classic service deployments. With SCCM 1810 and above, classic service deployments in Azure are deprecated, and starting in version 2203 the option is removed entirely. Use Azure Resource Manager (virtual machine scale set) deployments for the cloud management gateway and skip this certificate.
Specify Unique DNS Name for CMG
The DNS name that you use for setting up the CMG in Azure must be unique. You can check the availability of the CMG DNS name in the Azure portal. When you enter the DNS name, you should see either a green tick or a red X. A green tick means the name is available, and a red X means the DNS name is already taken. The check below uses the Cloud Services (classic) blade and a cloudapp.net name; for a virtual machine scale set deployment (required since version 2203) the service name has the form <name>.<region>.cloudapp.azure.com, and the Create Cloud Management Gateway wizard checks the name's availability for you.
Log in to the Azure portal and select Cloud Services (classic). Click the +Add button.
Enter the DNS name, which should be unique, as I mentioned earlier. In my case, I see a green tick, so I will be using prajwalcmg.cloudapp.net as the CMG DNS name.
At this point, you have two options. You can skip creating this service, because it will be created automatically when you set up the SCCM CMG, or you can create it now and use it when setting up the SCCM CMG.
Configure Azure Services for Cloud Management
We will now configure the Azure service for Cloud Management in SCCM using the Azure Services Wizard. The wizard registers two applications in Azure AD, a server (web) app and a native client app, which the site and its clients use to authenticate to Azure AD and which hold the subscription and tenant details.
Go to Administration > Overview > Cloud Services > Azure Services. Right-click Azure Services and click Configure Azure Services.
Select the Azure services as Cloud Management and specify a name and description. Click Next.
Select the Azure environment, which is AzurePublicCloud. First we will create a web app; click Browse.
In the Server App box, click Create.
In the Create Server Application box, enter the application name. It can be anything. Specify the key validation period and then click the Sign-in button.
You should now see a box wherein you must sign in. Once you enter the correct credentials, your Azure AD tenant name will be shown along with the Signed in successfully message. Click OK.
Select the server app that you just created and click OK.
We will now create a native client app, so click Browse.
Enter the application name and sign in again, then click OK.
Now we have the server app and the client app created. Click Next.
You can leave this option, “Enable Azure Active Directory User Discovery,” selected. Click Next.
Click Next on the Summary page.
Finally, on the Completion window, click Close.
Verify Configuration Manager Azure Service
To verify the Azure service that you created for Configuration Manager, click Azure Services. On the right pane you should see the Azure service and Associated Azure Service which is Cloud Management.
If you click Azure Active Directory Tenants, you should see the tenant name and tenant ID. In addition to that, you will see the Application Name, Tenant ID, Client ID in the bottom pane.
Create and Issue Web Server SCCM CMG Certificate Template
In this section, we will create a new custom certificate template by duplicating the Web Server template. If you already have templates from your PKI implementation, you can simply duplicate the SCCM IIS Certificate template and use it.
If not, you can duplicate the web server template and configure it. This certificate will be used for the installation of the SCCM cloud management gateway.
Log in to the Certification Authority server and open the Certification Authority console. Right-click Certificate Templates and select Manage.
Right click Web Server and click Duplicate Template.
Click the Compatibility tab and set the compatibility settings as shown in the screenshot below.
Click the General tab and specify a name for this template. I will name it SCCM CMG Certificate.
Click Request Handling and make sure Allow private key to be exported is checked; without it you cannot export the .PFX file that the CMG wizard needs.
Now click the Security tab and add the group that contains your SCCM primary site server computer account. Select the group and grant it the Enroll permission.
For Enterprise Admins, you can remove the Enroll permission, since only the site server needs to request this certificate. Click Apply and OK. Close the console.
Now right click Certificate Templates and click New > Certificate Template to Issue.
Select the SCCM CMG Certificate and click OK.
Import Web Server CMG certificate on the Primary Site Server
After you have created the SCCM CMG certificate, we will now import this certificate on our SCCM server.
Log in to the SCCM site server and open the local computer certificate store (run certlm.msc, which opens it directly). Expand Personal > Certificates. Right-click Certificates > All Tasks > Request New Certificate.
From the list of certs, select SCCM CMG Certificate and click the link below it.
In the Certificate Properties dialog box, under Subject name, select Full DN as the type. Under Alternative name, select DNS as the type and enter the service name.
Enter a public DNS name that you want to use with SCCM CMG. I will enter *.prajwal.org here which allows me to use any subdomain for CMG.
Click General tab and specify a friendly name for this certificate and then click Apply and OK.
Click Enroll.
The certificate is enrolled successfully. Click Finish.
Export CMG Web Server Certificate
In the step above, you requested and enrolled the CMG certificate on the site server. Now we will export this certificate, including its private key, in .PFX format. This file is required when creating the cloud management gateway.
Select the CMG certificate, right click and click All Tasks > Export.
On welcome to certificate export wizard, click Next.
Select Yes, export the private key. Click Next.
Make no changes here and click Next.
Enter a strong password for the .PFX file and click Next; you will need this password in the Create Cloud Management Gateway wizard.
Save the .PFX file on your computer and click Next. Protect this file: it contains the private key for the CMG's HTTPS endpoint.
Click Finish. This completes the CMG certificate export process.
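The same enrollment and export, scripted. This is an added example and not code from the original article; it assumes the template's internal name is SCCMCMGCertificate (the display name "SCCM CMG Certificate" with the spaces removed; check the Template name field on the General tab), the wildcard public name *.prajwal.org from the article, and that C:\Temp exists. It runs in an elevated PowerShell session on the primary site server, whose computer account was granted Enroll on the template above, and checks the private key, EKU and SAN before writing the .PFX, which is what the CMG wizard will otherwise reject later.

```powershell
# Added example (not from the original article): enroll the CMG server
# authentication certificate from the duplicated template and export it as a
# password-protected PFX for the Create Cloud Management Gateway wizard.
# Assumptions: template internal name, public DNS name and output folder below.
$TemplateName = 'SCCMCMGCertificate'   # assumed internal name of "SCCM CMG Certificate"
$DnsName      = '*.prajwal.org'        # wildcard name used in the article
$PfxPath      = 'C:\Temp\CMG-ServerAuth.pfx'

# Request the certificate from the enterprise CA through the domain's
# enrollment policy. Subject and SAN both carry the public name, matching the
# manual request in the console.
$request = Get-Certificate -Template $TemplateName `
                           -SubjectName "CN=$DnsName" `
                           -DnsName $DnsName `
                           -CertStoreLocation 'Cert:\LocalMachine\My'
if ($request.Status -ne 'Issued') {
    throw "Enrollment did not complete; status is '$($request.Status)'. Check that the template is issued and that this computer has Enroll permission."
}
$cert = $request.Certificate

# Checks worth doing before handing the PFX to the CMG wizard.
if (-not $cert.HasPrivateKey) { throw 'The certificate has no private key.' }

$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }      # Enhanced Key Usage
if (-not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')) {    # Server Authentication
    throw 'The certificate lacks the Server Authentication EKU; the CMG HTTPS service needs it.'
}

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }      # Subject Alternative Name
if (-not $san -or -not $san.Format($false).Contains("DNS Name=$DnsName")) {
    throw "The SAN does not contain DNS Name=$DnsName."
}

# Export with the private key. The password is prompted for rather than stored
# in the script; enter the same password in the CMG wizard.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null

"Enrolled $($cert.Subject), thumbprint $($cert.Thumbprint); PFX written to $PfxPath"
```

Get-Certificate only works when the template is published to the CA and visible through the domain enrollment policy, which is exactly what the Certificate Template to Issue step above does. Delete the .PFX from C:\Temp once the wizard has imported it.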
Setup SCCM Cloud Management Gateway (SCCM CMG)
Follow the below steps to set up cloud management gateway in SCCM:
- Launch the SCCM console.
- Navigate to Administration > Cloud Services > Cloud Management Gateway.
- Right click Cloud Management Gateway and click Create Cloud Management Gateway
You should now see the Create Cloud Management Gateway wizard. Click Sign in and log in with your subscription admin account.
On successful sign-in you should see Subscription ID, Azure AD app name and tenant name automatically populated. Click Next
On the Settings page, click Browse, select the CMG certificate (.PFX) and enter its password. The service name and deployment name are populated automatically from the certificate's subject. With a wildcard certificate, you complete the host part of the service name yourself. If the service name is in your own domain rather than an Azure cloudapp domain, you also need a public DNS CNAME record mapping that name to the Azure deployment name, or internet clients cannot resolve the CMG.
You can use an existing resource group or create a new one. I will go with 1 VM instance; you can add instances later if client load requires it.
You see two options and a certificates button.
- Verify Client Certificate Revocation: when enabled, the CMG checks the client authentication certificate against the issuing CA's certificate revocation list (CRL). This only works if the CRL distribution point is reachable from the internet; if it isn't, clients fail to authenticate, so either publish the CRL publicly or leave this unchecked.
- Allow CMG to function as a cloud distribution point and serve content from Azure storage: this option was added in SCCM 1806. A CMG can then also serve content to clients, which removes the need for a separate cloud distribution point along with its certificate and VM cost.
I will leave both of the above options checked. Next, click Certificates.
You need to specify the certificates that tell the CMG which client certificates to trust. In my case, I have a PKI setup, so I will add the root CA certificate (and any intermediate issuing CA certificates, so the CMG can build the full chain). If you need help with exporting the root certificate, refer to how to export Root CA certificate for ConfigMgr.
Click Next.
On the Alerts page, click Next.
On the Completion page click Close.
Cloud Management Gateway Status
After you set up the cloud management gateway, monitor its status in the SCCM console. Right now, the status is Provisioning.
After a few minutes, the status changes to Provisioning Completed. The deployment is driven by the cloud service manager on the service connection point, so CloudMgr.log on that server is the log to watch if the status stays at Provisioning or reports an error.
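Once the status is Provisioning Completed, it is worth checking from outside your network that the CMG is serving the certificate you uploaded and that a client would trust it. The function below is an added example, not part of the original article or the product: it opens a TLS connection to the CMG service name, reads the certificate presented, checks whether the subject alternative names cover that name (including one-label wildcard matching), and builds the chain against the local trust store as a client would. The name prajwalcmg.cloudapp.net in the usage line is the one from the article; run it with your own service name from an internet-connected machine.

```powershell
# Added example (not from the original article): inspect the certificate the
# deployed CMG presents and whether this computer trusts it.
function Test-CmgTlsCertificate {
    param(
        [Parameter(Mandatory)] [string] $CmgName,   # CMG service name, as clients resolve it
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($CmgName, $Port)
    try {
        # Accept any certificate during the handshake; trust is evaluated
        # explicitly below so an untrusted chain is reported, not thrown.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($CmgName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Subject alternative names; Format() yields "DNS Name=a, DNS Name=b" on English systems.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
    }

    # Does any SAN cover the name we connected to? A wildcard covers exactly
    # one label: *.prajwal.org matches cmg.prajwal.org, not a.b.prajwal.org.
    $nameCovered = $false
    foreach ($san in $sans) {
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)   # ".prajwal.org"
            if ($CmgName.Length -gt $suffix.Length -and $CmgName.EndsWith($suffix, 'OrdinalIgnoreCase')) {
                $hostPart = $CmgName.Substring(0, $CmgName.Length - $suffix.Length)
                if ($hostPart -notmatch '\.') { $nameCovered = $true }
            }
        }
        elseif ($san -ieq $CmgName) { $nameCovered = $true }
    }

    # Build the chain with the local trust store and online revocation
    # checking, which is what a client does when it contacts the CMG.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        CmgName      = $CmgName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        SANs         = ($sans -join ', ')
        NameCovered  = $nameCovered
        ChainTrusted = $trusted
        ChainStatus  = if ($trusted) { 'OK' } else { $chainStatus }
    }
}

# Usage (service name from the article; replace with your own CMG name):
Test-CmgTlsCertificate -CmgName 'prajwalcmg.cloudapp.net'
```

NameCovered false means the service name and the certificate do not match (typically a wildcard certificate used with a name in a different domain, or a missing CNAME). ChainTrusted false with a status such as UntrustedRoot on a PKI-issued certificate means the client is missing the enterprise root, which is the "trusted root certificate to clients" requirement from the certificate section; RevocationStatusUnknown points at a CRL that is not reachable from the internet.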
Install Cloud Management Gateway Connection Point
Here’s how you add the Cloud Management Gateway connection point role in SCCM:
- In SCCM console, go to Administration > Site Configuration > Servers and Site System Roles.
- Right-click the site server and select Add Site System Roles.
On the General window of the Add Site System Roles wizard, click Next.
Check the box for the Cloud Management Gateway connection point. Click Next.
Select your cloud management gateway and click Next.
On the Completion window, click Close.
Allow Cloud Management Gateway Traffic
You must configure the management point and software update point site systems to accept cloud management gateway traffic. Do this procedure on the primary site for all management points and software update points that service internet-based clients.
Go to Administration > Site Configuration > Servers and Site System Roles. Select the site server, and in the bottom pane, right-click Management Point and click Properties.
Under Management Point Properties, check the box Allow Configuration Manager cloud management gateway traffic. Click OK.
Under Software update point properties, check the box Allow Configuration Manager cloud management gateway traffic. Click OK.
Allow access to Cloud Distribution Points
Under the client settings, click Cloud Services. Under Device/User Settings, set Allow access to cloud distribution point to Yes.
Link CMG to a Boundary Group
Starting with Configuration Manager version 1902, you can associate the cloud management gateway with a boundary group. Create or open a boundary group, go to the References tab, and add your CMG. Clients in that boundary group can then use the CMG according to the boundary group relationships. That's it.
Configure Clients for CMG
After you set up the cloud management gateway and all the site system roles are running, clients get the location of the CMG service automatically on the next location request.
Note that clients must first be on the intranet to receive the location of the CMG service. By default, the polling cycle for location requests is every 24 hours. To speed this up, restart the SMS Agent Host service (ccmexec.exe) on the computer.
Occasionally, when you switch the client to the internet, the client still talks to your internal management point. In such cases, you can force the client to always use the CMG with a registry key change. This configuration is useful for testing purposes or for clients that you want to force to always use the CMG.
You can set the following registry key on the client. By setting ClientAlwaysOnInternet value to 1, the clients will use the SCCM CMG service.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1
To verify that clients have the policy specifying the CMG, open a Windows PowerShell command prompt as an administrator on the client computer, and run the following command:
Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}
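The registry change, agent restart and verification above, as a pair of small functions for a test client. This is an added example, not code from the original article. It assumes the client has already been on the intranet at least once and received the CMG location in its policy: the ClientAlwaysOnInternet flag only changes which management point the client chooses, it does not hand the client the CMG address. The verification uses Get-CimInstance, the current equivalent of the Get-WmiObject command above, and lists all management point candidates so you can see the intranet and internet entries side by side.

```powershell
# Added example (not from the original article): force a test client onto the
# CMG, restart the agent, and check the management point candidates it holds.
# Run in an elevated session on the client.
function Set-CmgAlwaysOnInternet {
    param(
        # 1 = always use the CMG; 0 = normal intranet/internet detection
        [ValidateSet(0, 1)] [int] $Value = 1
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
    if (-not (Test-Path $key)) {
        throw "$key not found; is the Configuration Manager client installed?"
    }
    Set-ItemProperty -Path $key -Name 'ClientAlwaysOnInternet' -Value $Value -Type DWord
    # The agent reads the value at startup, so restart it instead of waiting
    # for the 24-hour location request cycle.
    Restart-Service -Name 'CcmExec'
}

function Get-CmgMpCandidate {
    # SMS_ActiveMPCandidate holds every management point the client knows
    # about; Type is "Intranet" for on-premises MPs and "Internet" for the CMG.
    $all = @(Get-CimInstance -Namespace 'root\ccm\LocationServices' -ClassName 'SMS_ActiveMPCandidate')
    $internet = @($all | Where-Object { $_.Type -eq 'Internet' })
    [pscustomobject]@{
        IntranetMPs        = @($all | Where-Object { $_.Type -eq 'Intranet' } | ForEach-Object { $_.MP })
        InternetMPs        = @($internet | ForEach-Object { $_.MP })
        CmgLocationPresent = ($internet.Count -gt 0)
    }
}

# Usage on a test client:
Set-CmgAlwaysOnInternet -Value 1
Start-Sleep -Seconds 60     # give ccmexec time to start and re-evaluate its location
Get-CmgMpCandidate
# When finished testing, put the client back on normal detection:
# Set-CmgAlwaysOnInternet -Value 0
```

If CmgLocationPresent is false after the restart, the client has not yet received the CMG location from policy; connect it to the intranet, let it complete a location request, and try again. Leaving ClientAlwaysOnInternet set to 1 on a production client routes all of its traffic through the CMG even on the intranet, which costs Azure egress for every policy and content request.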
To troubleshoot CMG client traffic, use CMGHttpHandler.log and CMGService.log (written by the CMG service in Azure and synchronized to the CMG connection point) and SMS_Cloud_ProxyConnector.log (on the CMG connection point). I will cover more about CMG troubleshooting in another post.
Enable Remote Desktop on SCCM CMG
Once you set up CMG, you can enable remote desktop and access the virtual machine located in Azure. After enabling the RDP, you can review the IIS log files from the CMG Virtual Machine. Here is a step-by-step guide on how to enable remote desktop for CMG.
Logs for Troubleshooting CMG Issues
CMG troubleshooting is complex, especially if you are dealing with it for the first time. However, the CMG logs come to the rescue when you are dealing with content transfer failures, deployment, and upgrade issues.
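The CMG logs named in this article (CMGService.log, CMGHttpHandler.log, SMS_Cloud_ProxyConnector.log on the CMG connection point, and CloudMgr.log on the service connection point) are all written in the CMTrace record format. The parser below is an added example, not code from the original article or from the product: it splits a log into records, maps the type field to a severity (1 info, 2 warning, 3 error), and returns the warnings and errors with timestamps, which is the first pass worth doing on a connection or provisioning failure. The sample log text is constructed for the example and is not real CMG output.

```powershell
# Added example (not from the original article): parse CMTrace-format logs
# and return the warning and error records.
function ConvertFrom-CmTraceLog {
    param(
        [string] $Path,   # log file to read, or
        [string] $Text    # log content already in memory (used by the sample below)
    )
    if ($Path) { $Text = Get-Content -Path $Path -Raw }
    if (-not $Text) { return }
    # One record per <![LOG[...]LOG]!><time=... date=... component=... type=... thread=... file=...>.
    # Messages can span lines, hence Singleline and the lazy .*? on the message.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)" thread="(?<thread>\d+)" file="[^"]*">'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        # time is HH:mm:ss.fff followed by a UTC offset in minutes (e.g. +000, -420);
        # the offset is dropped here and the local time of the writer is kept.
        $stamp = "$($m.Groups['date'].Value) $($m.Groups['time'].Value.Substring(0, 12))"
        [pscustomobject]@{
            Timestamp = [datetime]::ParseExact($stamp, 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            Severity  = $severity[$m.Groups['type'].Value]
            Component = $m.Groups['comp'].Value
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Get-CmgLogIssue {
    param([string] $Path, [string] $Text)
    ConvertFrom-CmTraceLog -Path $Path -Text $Text | Where-Object { $_.Severity -ne 'Info' }
}

# Constructed sample in the CMTrace format (not real CMG output):
$sample = @'
<![LOG[Connection to CMG established.]LOG]!><time="10:15:01.123+000" date="04-18-2024" component="SMS_CLOUD_PROXYCONNECTOR" context="" type="1" thread="4321" file="">
<![LOG[Certificate chain could not be built for client request.]LOG]!><time="10:15:02.456+000" date="04-18-2024" component="CMGService" context="" type="3" thread="12" file="">
<![LOG[Retrying upload of service status.]LOG]!><time="10:16:00.000+000" date="04-18-2024" component="CloudMgr" context="" type="2" thread="77" file="">
'@

Get-CmgLogIssue -Text $sample | Format-Table Timestamp, Severity, Component, Message -AutoSize

# Against a real log on the CMG connection point:
# Get-CmgLogIssue -Path 'C:\Program Files\Microsoft Configuration Manager\Logs\SMS_Cloud_ProxyConnector.log'
```

Run it over SMS_Cloud_ProxyConnector.log first when clients cannot reach the site through the CMG, over CloudMgr.log when provisioning stalls, and over the synchronized CMGService.log when the connection point looks healthy but clients still fail, since that is where client certificate and token validation by the service in Azure is recorded. The ConfigMgr install path in the commented usage line is the default; adjust it if your site uses another.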