The SCCM Cloud Management Gateway (CMG) provides a simple way to manage Configuration Manager clients over the internet. CMG does not require any additional on-premises infrastructure. The CMG service is hosted in Microsoft Azure and acts as a gateway for internet clients to communicate with the on-premises Configuration Manager infrastructure.
In this blog post series, you will find a step-by-step guide to plan and implement a Cloud Management Gateway virtual machine scale set deployment.
In this first part of the series, we will cover the prerequisites and requirements for a CMG VMSS implementation.
Please note that the option to deploy CMG as a cloud service (classic) is deprecated. All new CMG deployments should use a virtual machine scale set.
Posts in this series:
- Part 1 | Cloud Management Gateway (CMG) Setup Guide
- Part 2 | Issue, Enroll & Export Server Authentication Certificate
- Part 3 | Configure SCCM Site for SSL
- Part 4 | Integrate Azure Active Directory with ConfigMgr
- Part 5 | Setup Cloud Management Gateway
- Part 6 | Validate CMG Health & Client Communication
- Azure Subscription
- Identify Globally Unique CMG Service URL
- Check Unique CMG Service URL Availability
- Create DNS CNAME
- Register Azure Resource Providers
- Internet Access / Firewall Ports Requirements
- Identify Certificates Requirements for Server and Clients
- Active Directory Groups
- Service Connection Point
- Identify Servers for Site System Roles
- Related posts:
Azure Subscription
An Azure subscription is required to host the Cloud management gateway. This subscription can be in one of the following environments:
- Global Azure cloud
- Azure US Government cloud
An Azure administrator needs to participate in the initial creation of certain components. When you create the CMG, you need an account that is an Azure Subscription Owner and an Azure AD Global Administrator.
Identify Globally Unique CMG Service URL
ConfigMgr VM Scale Set (VMSS) deployments do not use a *.cloudapp.net address. The service name uses the cloudapp.azure.com domain along with the region, for example GraniteFalls.EastUS.CloudApp.Azure.Com.
The Deployment Name must be globally unique. The ConfigMgr client policy includes the Service Name, and the client resolves the Service Name to the Deployment Name via a CNAME alias.
The following options are available when deciding on a service name.
With DNS CNAME:
You can use your own domain in the service name.
Service Name: cmgprefix.<Your Domain FQDN>
Deployment Name: cmgprefix.region.cloudapp.azure.com
Without DNS CNAME:
The Service Name and Deployment Name must be the same.
Service Name: cmgprefix.region.cloudapp.azure.com
Deployment Name: cmgprefix.region.cloudapp.azure.com
For this deployment, we will use the CMG Service Name and Deployment Name below.
Service Name: techuisitivecmg.techuisitive.com
Deployment Name: techuisitvecmg.eastus.cloudapp.azure.com
Check Unique CMG Service URL Availability
The CMG server authentication certificate requires a globally unique name to identify the service in Azure. The Service Name identified in the previous step will be used when requesting the certificate. Follow the steps below to confirm that the name is available for the virtual machine scale set, the Key Vault and the storage account.
Check name availability for Virtual Machine Scale Set
- Sign in to the Azure Portal
- From the Azure portal home page, select Create a resource under Azure Services
- Search for Virtual machine scale set, select Create
- Select the Subscription and Resource group that you will use for the CMG.
- In the Virtual machine scale set name field, type the prefix techuisitivecmg
- Select the Region that you will use for CMG: East US
The interface reflected that the name is available.
Check name availability for Key Vault
- Sign in to the Azure Portal
- From the Azure portal home page, select Create a resource under Azure Services
- Search for Key Vault, select Create
- Select the Subscription and Resource group that you will use for the CMG.
- In the Key vault name field, type the prefix techuisitivecmg
- Select the Region that you will use for CMG: East US
The interface reflected that the name is available.
Check name availability for Storage Account
- Sign in to the Azure Portal
- From the Azure portal home page, select Create a resource under Azure Services
- Search for Storage Account, select Create
- Select the Subscription and Resource group that you will use for the CMG.
- In the Storage account name field, type the prefix techuisitivecmg
- Select the Region that you will use for CMG: East US
The interface reflected that the name is available.
Create DNS CNAME
A DNS CNAME is required if you want to use your own corporate domain name for the Service Name.
For example:
Service Name: techuisitivecmg.techuisitive.com
Deployment Name: techuisitvecmg.eastus.cloudapp.azure.com
The following CNAME record needs to be created at your domain registrar (or wherever your public DNS zone is hosted).
Host: techuisitivecmg.techuisitive.com
Destination: techuisitvecmg.eastus.cloudapp.azure.com
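The name-availability checks and the CNAME verification above can be scripted instead of repeated in the portal. The following PowerShell is an added example, not from the original post; it assumes the Az.Accounts, Az.Network, Az.KeyVault and Az.Storage modules, an authenticated session (Connect-AzAccount) with the CMG subscription selected, and that Test-AzKeyVaultNameAvailability (newer Az.KeyVault releases) exposes a NameAvailable property.

```powershell
# Added example (not from the original post): pre-deployment naming checks for a CMG VMSS.
# Assumes Az.Accounts, Az.Network, Az.KeyVault, Az.Storage and an authenticated session
# with the target subscription selected (Connect-AzAccount / Set-AzContext).
$Prefix         = 'techuisitivecmg'                      # deployment name prefix from the post
$Region         = 'eastus'                               # Azure region used in the post
$ServiceName    = 'techuisitivecmg.techuisitive.com'     # Service Name (own domain via CNAME)
$DeploymentName = "$Prefix.$Region.cloudapp.azure.com"   # Deployment Name (public DNS label)

$results = [ordered]@{}

# 1. VM scale set public DNS label, i.e. <prefix>.<region>.cloudapp.azure.com
$results['VMSS DNS label'] = Test-AzDnsAvailability -DomainNameLabel $Prefix -Location $Region

# 2. Key Vault name (globally unique). NameAvailable on the result is assumed here.
$kv = Test-AzKeyVaultNameAvailability -Name $Prefix
$results['Key Vault'] = [bool]$kv.NameAvailable

# 3. Storage account name (globally unique; lowercase letters and digits only, 3-24 chars)
$sa = Get-AzStorageAccountNameAvailability -Name $Prefix
$results['Storage account'] = [bool]$sa.NameAvailable
if (-not $sa.NameAvailable) { Write-Warning "Storage: $($sa.Reason) - $($sa.Message)" }

# 4. DNS CNAME: the Service Name must resolve to exactly the Deployment Name,
#    otherwise clients will be sent to a host that does not own the server certificate.
try {
    $cname = Resolve-DnsName -Name $ServiceName -Type CNAME -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $results['CNAME -> deployment'] = ($null -ne $cname -and $cname.NameHost -ieq $DeploymentName)
    if ($cname -and $cname.NameHost -ine $DeploymentName) {
        Write-Warning "CNAME points to $($cname.NameHost), expected $DeploymentName"
    }
} catch {
    $results['CNAME -> deployment'] = $false   # no CNAME published yet
}

# Summary: every line must read OK before moving on to the certificate request
$results.GetEnumerator() | ForEach-Object {
    '{0,-22} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'NOT available / mismatch' })
}
```

The DNS check uses the machine's configured resolver, so run it from a host that can query public DNS; an internal split-DNS view can mask a missing public CNAME.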
Register Azure Resource Providers
The CMG service requires that you register specific resource providers in your Azure subscription. When you deploy the CMG to a virtual machine scale set, register the following resource providers:
- Microsoft.KeyVault
- Microsoft.Storage
- Microsoft.Network
- Microsoft.Compute
Follow the steps below to register Azure resource providers in the Microsoft Azure portal. If your Azure subscription is already used for other services, these resource providers will most probably be registered already. However, validate this before proceeding to the next steps.
- Login to Azure Portal
- In the Azure Portal, select Cost management and billing
- Click on Cost Management and select Go to subscription
- Under the section Settings, select Resource Provider and click on Register if it’s not already registered.
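The same validation and registration can be done from PowerShell, which is useful when the subscription is new and several namespaces are still unregistered. This is an added example, not from the original post; it assumes the Az.Resources module and an authenticated session with the CMG subscription selected.

```powershell
# Added example (not from the original post): register the resource providers a CMG VMSS
# deployment needs and wait until each one actually reports Registered.
# Assumes Az.Resources and an authenticated session with the CMG subscription selected.
$Providers = 'Microsoft.KeyVault', 'Microsoft.Storage', 'Microsoft.Network', 'Microsoft.Compute'

function Get-ProviderStates {
    param([string] $Namespace)
    # Get-AzResourceProvider returns one entry per resource type; the namespace counts as
    # registered only when every entry reports Registered. @() keeps a single value as an array.
    @((Get-AzResourceProvider -ProviderNamespace $Namespace).RegistrationState | Sort-Object -Unique)
}

function Test-Registered {
    param([string[]] $States)
    ($States.Count -eq 1) -and ($States[0] -eq 'Registered')
}

foreach ($ns in $Providers) {
    $states = Get-ProviderStates -Namespace $ns
    if (Test-Registered -States $states) {
        "$ns : already Registered"
        continue
    }

    "$ns : $($states -join ',') -> registering"
    Register-AzResourceProvider -ProviderNamespace $ns | Out-Null

    # Registration is asynchronous; poll for up to ~5 minutes instead of assuming success.
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 10
        $states = Get-ProviderStates -Namespace $ns
    } until ((Test-Registered -States $states) -or ((Get-Date) -gt $deadline))

    if (Test-Registered -States $states) { "$ns : Registered" }
    else { Write-Warning "$ns still $($states -join ',') after timeout; check the portal" }
}
```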
Internet Access / Firewall Ports Requirements
Allowing the required internet traffic from SCCM servers to Microsoft portals and Azure services is one of the critical steps for any production environment. Refer to the Microsoft documentation to understand the internet access requirements (URLs and ports) before deploying the CMG.
Identify Certificates Requirements for Server and Clients
The Cloud Management Gateway uses a certificate-based HTTPS web service to help secure network communication with clients. You need a web server authentication certificate for the CMG. The certificate can be obtained from an internal PKI or a public certificate authority. If you want to use a public certificate authority, the CMG service name must use your own domain and a DNS CNAME will be required, as discussed in the previous steps.
Internet-based clients connect to the CMG to access on-premises Configuration Manager components. There are multiple options for client identity and authentication:
- Azure AD
- PKI certificates
- Configuration Manager site-issued tokens
We will use PKI certificates from Microsoft PKI / Active Directory Certificate Services for this deployment.
Active Directory Groups
The following Active Directory groups are required for issuing PKI certificates to the SCCM site server and the SCCM Management Point / Software Update Point servers.
Group Name: SCCM Site Server
Members: SCCM site servers
Group Name: SCCM IIS Servers
Members: Management Point and Software Update Point site system servers
Service Connection Point
The Configuration Manager service connection point must be in online mode.
Identify Servers for Site System Roles
The following on-premises roles are required for the Cloud Management Gateway.
- Cloud Management Gateway Connection Point
- Management Point (HTTPS)
- Software Update Point (SSL)
Configure at least one Management Point and one Software Update Point for secure (HTTPS) communication to be used with the CMG.
Next post: Part 2 | Issue, Enroll & Export Server Authentication Certificate
Related posts:
- Configure Management Point for HTTPS | ConfigMgr | SCCM
- Configure Software Update Point for SSL | ConfigMgr | SCCM
- Deploy client authentication certificate for SCCM clients