Cloud Management Gateway – CMG Setup Guide – Part 1 | SCCM | ConfigMgr

The SCCM cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients over the internet. CMG does not require any additional on-premises infrastructure. The CMG services are hosted in Microsoft Azure cloud and act as a gateway for internet clients to communicate with the on-premises Configuration Manager infrastructure.

In this blog post series, you will find the step-by-step guide to plan and implement a Cloud management gateway virtual machine scale set deployment.

We will understand the prerequisites and requirements for CMG VMSS implementation in the first part of this series.

Please note that the option to deploy CMG as a cloud service (Classic) is deprecated. All new CMG deployments should be a virtual machine scale set.

Azure Subscription

An Azure subscription is required to host the Cloud management gateway. This subscription can be in one of the following environments:

  • Global Azure cloud
  • Azure US Government cloud

An Azure administrator needs to participate in the initial creation of certain components. When you create the CMG, you need an account that is an Azure Subscription Owner and an Azure AD Global Administrator.

Identify Globally Unique CMG Service URL

ConfigMgr VM Scale Set (VMSS) deployments do not use a *.cloudapp.net address. The service name uses the cloudapp.azure.com domain together with the Azure region, for example GraniteFalls.EastUS.CloudApp.Azure.Com.

The Deployment Name must be globally unique. ConfigMgr client policy includes the Service Name; the client resolves the Service Name to the Deployment Name through a DNS CNAME alias.

The following options are available for choosing a service name.

With DNS CNAME:

You can have your own domain in the service name

Service Name: cmgprefix.<Your Domain FQDN>

Deployment Name: cmgprefix.region.cloudapp.azure.com

Without DNS CNAME

Both Service Name and Deployment name should be the same.

Service Name: cmgprefix.region.cloudapp.azure.com

Deployment Name: cmgprefix.region.cloudapp.azure.com

For this deployment, we will use the following CMG Service Name and Deployment Name.

Service Name: techuisitivecmg.techuisitive.com

Deployment Name: techuisitivecmg.eastus.cloudapp.azure.com

Check Unique CMG Service URL Availability

The CMG server authentication certificate requires a globally unique name to identify the service in Azure. The Service Name identified in the previous step will be used when requesting the certificate. Follow the next steps to confirm that the name is available for the Virtual Machine Scale Set, Key Vault, and Storage Account.

Check name availability for Virtual Machine Scale Set

  • Sign in to the Azure Portal
  • From the Azure portal home page, select Create a resource under Azure Services
  • Search for Virtual machine scale set, select Create
  • Select the Subscription and Resource group that you will use for the CMG.
  • In the Virtual machine scale set name field, type the prefix techuisitivecmg
  • Select the Region that you will use for CMG: East US

The interface reflected that the name is available.

CMG | Virtual machine scale set

Check name availability for Key Vault

  • Sign in to the Azure Portal
  • From the Azure portal home page, select Create a resource under Azure Services
  • Search for Key Vault, select Create
  • Select the Subscription and Resource group that you will use for the CMG.
  • In the Key vault field, type the prefix techuisitivecmg
  • Select the Region that you will use for CMG: East US

The interface reflected that the name is available.

CMG | Azure Key Vault

Check name availability for Storage Account

  • Sign in to the Azure Portal
  • From the Azure portal home page, select Create a resource under Azure Services
  • Search for Storage Account, select Create
  • Select the Subscription and Resource group that you will use for the CMG.
  • In the Storage Account Name field, type the prefix techuisitivecmg
  • Select the Region that you will use for CMG: East US

The interface reflected that the name is available.

CMG | Azure create storage account

Create DNS CNAME

A DNS CNAME is required if you want to use your own corporate domain name for the Service Name.

For example:

Service Name: techuisitivecmg.techuisitive.com

Deployment Name: techuisitivecmg.eastus.cloudapp.azure.com

The following CNAME record needs to be created at your domain registrar (or wherever your public DNS zone is hosted).

Host: techuisitivecmg.techuisitive.com

Destination: techuisitivecmg.eastus.cloudapp.azure.com

nslookup CMG

Register Azure Resource Providers

The CMG service requires that you register specific resource providers in your Azure subscription. When you deploy the CMG to a virtual machine scale set, register the following resource providers:

  • Microsoft.KeyVault
  • Microsoft.Storage
  • Microsoft.Network
  • Microsoft.Compute

Follow the steps below to register Azure resource providers in the Microsoft Azure Portal. If your Azure subscription is already used for other services, these resource providers are most probably registered already. However, validate this before proceeding to the next steps.

  • Log in to the Azure Portal
  • In the Azure Portal, select Cost management and billing
  • Click on Cost Management and select Go to subscription
  • Under the Settings section, select Resource providers and click Register for any provider that is not already registered.

Azure Resource Provider
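The checks from the previous sections (CNAME resolution, name availability for the techuisitivecmg prefix, and resource provider registration) can also be run from PowerShell instead of the portal. This is an added pre-flight script, not part of the original post; it assumes the Az PowerShell module is installed and that Connect-AzAccount has already been run against the subscription that will host the CMG. Key Vault name availability is not covered here and is still confirmed in the portal as described above.

```powershell
# Added pre-flight check for the CMG names and Azure prerequisites described in this post.
# Assumes the Az module is installed and Connect-AzAccount has been run against the CMG subscription.
$prefix      = 'techuisitivecmg'                    # name prefix used for VMSS, Key Vault and Storage
$region      = 'eastus'
$serviceName = 'techuisitivecmg.techuisitive.com'   # name that goes on the server authentication certificate
$deployment  = "$prefix.$region.cloudapp.azure.com" # public DNS name of the VMSS deployment

# 1. The Service Name must resolve via CNAME to the Deployment Name; otherwise internet
#    clients never reach the CMG and the certificate name will not match the endpoint.
$cname = Resolve-DnsName -Name $serviceName -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if ($cname -and $cname.NameHost -ieq $deployment) {
    Write-Host "OK    CNAME $serviceName -> $($cname.NameHost)"
} else {
    Write-Warning "CNAME for $serviceName is missing or does not point at $deployment"
}

# 2. The prefix must be a valid storage account name (3-24 lowercase letters/digits) and
#    still be free both as a cloudapp DNS label in the region and as a storage account name.
if ($prefix -notmatch '^[a-z][a-z0-9]{2,23}$') {
    Write-Warning "Prefix '$prefix' is not a valid storage account name (3-24 lowercase letters/digits)"
}
if (Test-AzDnsAvailability -DomainNameLabel $prefix -Location $region) {
    Write-Host "OK    DNS label $deployment is available"
} else {
    Write-Warning "DNS label $deployment is already taken"
}
$sa = Get-AzStorageAccountNameAvailability -Name $prefix
if ($sa.NameAvailable) {
    Write-Host "OK    storage account name $prefix is available"
} else {
    Write-Warning "Storage account name $prefix is unavailable: $($sa.Reason)"
}

# 3. The resource providers needed for a VMSS-based CMG must be registered in the subscription.
foreach ($ns in 'Microsoft.KeyVault', 'Microsoft.Storage', 'Microsoft.Network', 'Microsoft.Compute') {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    if ($state -eq 'Registered') {
        Write-Host "OK    $ns is registered"
    } else {
        Write-Warning "$ns is '$state'; run Register-AzResourceProvider -ProviderNamespace $ns"
    }
}
```

Run the script before the CMG wizard: any warning corresponds to a prerequisite in this post that still needs attention.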

Internet Access / Firewall Ports Requirements

Allowing the required internet traffic from SCCM servers to Microsoft portals and Azure services is one of the critical steps for any production environment. Refer to the Microsoft documentation on internet access requirements for Configuration Manager to understand which endpoints must be reachable.

Identify Certificate Requirements for Server and Clients

The Cloud Management Gateway uses a certificate-based HTTPS web service to help secure network communication with clients. You need a web server authentication certificate for CMG. The certificate can be obtained from internal PKI or a Public certificate authority. If you want to go for a public certificate authority, then the CMG service name must use your own domain, and a DNS CNAME will be required. We already discussed this in previous steps.

Internet-based clients connect to the CMG to access on-premises Configuration Manager components. There are multiple options for client identity and authentication:

  • Azure AD
  • PKI certificates
  • Configuration Manager site-issued tokens

We will use a PKI certificate from Microsoft PKI / Active Directory Certificate Service for this deployment.

Active Directory Groups

The following Active Directory groups are required for issuing PKI certificates to the SCCM site server and to the SCCM Management Point / Software Update Point servers.

Group name: SCCM Site Server

Member: SCCM Site servers

Group Name: SCCM IIS Servers

Member: Management Point and Software Update Point Site System servers

Service Connection Point

The Configuration Manager service connection point must be in online mode.

Identify Servers for Site System Roles

The following on-premises roles are required for Cloud Management Gateway.

  • Cloud Management Gateway Connection Point
  • Management Point (HTTPS)
  • Software Update Point (SSL)

Configure at least one Management Point and one Software Update Point for secure (HTTPS) communication to be used with the CMG.

Next post: Part 2 | Issue, Enroll & Export Server Authentication Certificate
