SCCM CMG Setup Guide – Part 3 | Configure SCCM Site for SSL

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager client over internet.

In the previous post, we discussed about server authentication certificate requirements for CMG. In the part 3 of SCCM CMG setup guide series, we will discuss about SSL configurations for SCCM site and client authentication certificate requirements.

Post in this series:

Part 1 | Cloud Management Gateway (CMG) Setup Guide
Part 2 | Issue, Enroll & Export Server Authentication Certificate
Part 3 | Configure SCCM Site for SSL
Part 4 | Integrate Azure Active Directory with ConfigMgr
Part 5 | Setup Cloud Management Gateway
Part 6 | Validate CMG Health & Client Communication

Table Of Contents

Post in this series:
Deploy Client Authentication Certificate for ConfigMgr Clients
Configure Management Point for HTTPS
Configure Software Update Point for SSL
Configure SCCM Site for HTTPS
Related posts:

Deploy Client Authentication Certificate for ConfigMgr Clients

A client certificate is required on any computer that needs SSL communication with the Configuration Manager HTTPS Management Point or SSL Software Update Point.

A client certificate is also required on any computer that will be managed via the Cloud Management Gateway ( CMG ), and devices are not Azure AD / Hybrid AD joined. It is also required on the server that will host the Cloud Management Gateway connection point.

Follow the steps below to issue and auto-enroll a client authentication certificate for Configuration Manager clients. We will issue the certificate from Microsoft Active Directory Certificate Service (PKI) and use Group Policy ( GPO) to auto-enroll the certificate on all domain computers.

Issue and auto-enroll client authentication certificate for SCCM clients

Issue Client Authentication Certificate
Configure Client Authentication Certificate Auto Enrollment
Export Trusted Root Certificate

Note: The certificate exported in the last step will be required during CMG setup.

Configure Management Point for HTTPS

The Cloud management gateway (CMG) requires an HTTPS management point for secure communication. You need at least one management point in HTTPS mode in your hierarchy to support internet-based client through CMG.

If you don’t have an HTTPS management point in your ConfigMgr hierarch,y then follow the below article to configure the same prior to going ahead with CMG setup.

Configure Management Point for HTTPS | SCCM | ConfigMgr

Configure Software Update Point for SSL

The Cloud management gateway (CMG) requires an SSL-enabled software update point to support an internet-based client. You need at least one SSL-enabled software update point in the hierarchy to deploy software updates on internet-based clients.

If you don’t have an SSL-enabled software update point in your ConfigMgr hierarchy, then follow the below article to configure the same. The software update point role is not a mandatory requirement for CMG setup, and you can perform this step later as well.

Configure Software Update Point for SSL | ConfigMgr | SCCM

Configure SCCM Site for HTTPS

The SCCM site needs to be configured for SSL communication with clients. Please ensure that the following settings are configured.

In the SCCM console, go to Administration/Site configuration/Sites, select Properties, and click on the Communication Security tab.

Ensure that the HTTPS or HTTP option is selected under Site System Settings.
Under Client Settings, select Use PKI client certificate when available
Under Trusted Root Certificate Authority, click on Set and upload the trusted root certificate you exported during client authentication certificate deployment (refer: Export Trusted Root Certificate ).

Next Post: Part 4 | Integrate Azure Active Directory with ConfigMgr

Tags: CMG

Subscribe to Techuisitive Newsletter

Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.