Cloud Management Gateway – CMG Setup Guide – Part 1 | SCCM | ConfigMgr

The SCCM cloud management gateway (CMG) provides a simple way to manage Configuration Manager client over internet. CMG does not require any additional on-premises infrastructure. The CMG services are hosted in Microsoft Azure cloud and act as a gateway for internet client to communicate with on-premises Configuration Manager infrastructure.

In this blog post series, you will find the step by step guide to plan and implement Cloud management gateway virtual machine scale set deployment.

We will understand the prerequisites and requirements for CMG VMSS implementation in first part of this series.

Please note that option to deploy CMG as a cloud service (Classic) is deprecated. All new CMG deployment should be Virtual machine scale set.

Post in this series:

Azure Subscription

An Azure subscription is required to host the Cloud management gateway. This subscription can be in one of the following environments:

  • Global Azure cloud
  • Azure US Government cloud

An Azure administrator needs to participate in the initial creation of certain components.When you create the CMG, you need an account that is an Azure Subscription Owner and an Azure AD Global Administrator.

Identify Globally Unique CMG Service URL

ConfigMgr VM Scale Set ( VMSS )Deployment do not use *.cloudapp.net address. The service name uses the cloudapp.azure.com domain along with the region. For example, GraniteFalls.EastUS.CloudApp.Azure.Com

Deployment Name should be globally unique. ConfigMgr client policy includes Service Name. The client resolve Service Name via CNAME alias to Deployment name.

The following options are available to decide a service name.

With DNS CNAME :

You can have your own domain in service name

Service Name: cmgprefix.<Your Domain FQDN>

Deployment Name: cmgprefix.region.cloudapp.azure.com

Without DNS CNAME

Both Service Name and Deployment name should be same.

Service Name: cmgprefix.region.cloudapp.azure.com

Deployment Name: cmgprefix.region.cloudapp.azure.com

For this deployment, we will use below CMG service and Deployment name.

Service Name: techuisitivecmg.techuisitive.com

Deployment Name: techuisitvecmg.eastus.cloudapp.azure.com

Check Unique CMG Service URL Availability

The CMG Server Authentication Certificate requires a globally unique name to identify the service in Azure. The Service Name we identified in previous steps will be used for requesting the certificate. Hence, follow the next steps to confirm that service name is available for Virtual machine scale set, Key Vault and Storage.

Check name availability for Virtual Machine Scale Set

  • Sign in to the Azure Portal
  • From the Azure portal home page, select Create a resource under Azure Services
  • Search for Virtual machine scale set, select Create
  • Select the Subscription and Resource group that you’will use for the CMG.
  • In the Virtual machine scale set name filed, type the prefix techuisitivecmg
  • Select the Region that you will use for CMG: East US

The interface reflacted that Domain is available.

CMG | Virtual machine scale set

Check name availability for Key Vault

  • Sign in to the Azure Portal
  • From the Azure portal home page, select Create a resource under Azure Services
  • Search for Key Vault, select Create
  • Select the Subscription and Resource group that you’will use for the CMG.
  • In the Key vault field, type the prefix techuisitivecmg
  • Select the Region that you will use for CMG: East US

The interface reflacted that Domain is available.

CMG | Azure Key valut

Check name availability for Storage Account

  • Sign in to the Azure Portal
  • From the Azure portal home page, select Create a resource under Azure Services
  • Search for Storage Account, select Create
  • Select the Subscription and Resource group that you’will use for the CMG.
  • In the Storage Account Name field, type the prefix techuisitivecmg
  • Select the Region that you will use for CMG: East US
  • The interface reflacted that Domain is available.

CMG | Azure create storage account

Create DNS CNAME

A DNS CNAME is required if you want to use your own corporate domain name for Service Name.

e.g,

Service Name: techuisitivecmg.techusitive.com

Deployment Name: techuisitvecmg.eastus.cloudapp.azure.com

The following CNAME need to be created at your domain registrar.

Host : techuisitivecmg.techusitive.com

Destination: techuisitvecmg.eastus.cloudapp.azure.com

nslookup CMG

Register Azure Resource Providers

The CMG service requires that you register specific resource providers in your Azure subscription. When you deploy the CMG to a virtual machine scale set, register the following resource providers:

  • Microsoft.KeyVault
  • Microsoft.Storage
  • Microsoft.Network
  • Microsoft.Compute

Follow the below steps to register Azure Resource Providers in Microsoft Azure Portal. If your Azure subscription is being used for other services then most probably these resource providers will be registered already. However. validate the same before proceeding to next steps.

  • Login to Azure Portal
  • In the Azure Portal, select Cost management and billing
  • Click on Cost Management and select Go to subscription
  • Under the section Settings, select Resource Provider and click on Register if it’s not already registered.

Azure Resource Provider

Internet Access / Firewall Ports Requirements

Allowing required internet traffics from SCCM servers to Microsoft portals and Azure services is one of the critical step for any production environment. Follow the below Microsoft documentation to understand the internet access requirements.

Identify Certificates Requirements for Server and Clients

The Cloud Management Gateway uses a certificate-based HTTPS web service to help secure network communication with clients. You need a web server authentication certificate for CMG. The certificate can be obtained from internal PKI or Public certificate authority. If you want to go for public certificate authority then CMG service name must use your own domain and a DNS CNAME will be required. We already discussed this in previos steps.

Internet-based clients connect to the CMG to access on-premises Configuration Manager components. There are multiple options for client identity and authentication:

  • Azure AD
  • PKI certificates
  • Configuration Manager site-issued tokens

We will use PKI certificate from Microsoft PKI / Active Directory Certificate Service for this deployment.

Active Directory Groups

The following Active Directory group is required for issuing PKI certificate for SCCM site server and SCCM Management Point / Software Update Point.

Group name: SCCM Site Server

Member: SCCM Site servers

Group Name: SCCM IIS Servers

Member: Management Point and Software Update Point Site System servers

Service Connection Point

Configuration Manager service connection point must be in online mode.

Identify Servers for Site System Roles

The following On Premises roles are required for Cloud Management Gateway.

  • Cloud Management Gateway Connection Point
  • Management Point (HTTPS)
  • Software Update Point (SSL)

Configure at least one Management Point and Software Update Point for Secure Communication to be used with CMG.

Nex post : Part 2 | Issue, Enroll & Export Server Authentication Certificate

Related posts:

Subscribe to Techuisitive Newsletter

Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.


Scroll to Top