The cloud management gateway (CMG) provides a simple way to manage Configuration Manager client over internet.
In the previous post, we discussed about server authentication certificate requirements for CMG. In the part 3 of SCCM CMG setup guide series, we will discuss about SSL configurations for SCCM site and client authentication certificate requirements.
Post in this series:
- Part 1 | Cloud Management Gateway (CMG) Setup Guide
- Part 2 | Issue, Enroll & Export Server Authentication Certificate
- Part 3 | Configure SCCM Site for SSL
- Part 4 | Integrate Azure Active Directory with ConfigMgr
- Part 5 | Setup Cloud Management Gateway
- Part 6 | Validate CMG Health & Client Communication
Table of contents
- Deploy Client Authentication Certificate for ConfigMgr Clients
- Configure Management Point for HTTPS
- Configure Software Update Point for SSL
- Configure SCCM Site for HTTPS
Deploy Client Authenticatoin Certificate for ConfigMgr Clients
A client certificate is required on any computer which need SSL communication with Configuration Manager HTTPS Management Point or SSL Software Update Point.
A client certificate is aslo required on any computer which will be managed via the Cloud Management Gateway ( CMG ) and devices are not Azure AD / Hybrid AD join. It is also required on the server that will host the Cloud Management Gateway connection point.
Follow the below article to issue and autoenroll client authentication certificate for Configuration Manager clients. We will issue the certificate from Micrsoft Active Directory Certificate Service (PKI) and use Group Policy ( GPO) to auto enroll the certificate on all domain computers.
Issue and autoenroll client authentication certificate for SCCM clients
- Issue Client Authentication Certificate
- Configure Client Authentication Certificate Auto Enrollment
- Export Trusted Root Certificate
Note: The certificate exported in last step will be required during CMG setup.
Configure Management Point for HTTPS
The Cloud management gateway (CMG) requires a HTTPS management point for secure communuication. You need at least one manaement point in HTTPS mode in your hierachy to support internet based client through CMG.
If you don’t have a HTTPS management point in your ConfigMgr hierarchy then follow the below article to configure the same prior to going ahead with CMG setup.
Configure Management Point for HTTPS | SCCM | ConfigMgr
Configure Software Update Point for SSL
The Cloud management gateway (CMG) requires SSL enabled software update point to support internet based client. You need at least one SSL enabled software update point in hierarchy to deploy software updates on internet based clients.
If you don’t have a SSL enabled software update point in your ConfigMgr hierarchy then follow the below article to configure the same. The software update point role is not a mandatory requirement for CMG setup and your can perform this step later as well.
Configure Software Update Point for SSL | ConfigMgr | SCCM
Configure SCCM Site for HTTPS
The SCCM site need to configured for SSL communication with clients. Please ensure that following settings are configured.
In the SCCM console, go to Administration/Site configuration/Sites , select Properties and click on Communication Security tab.
- Ensure that HTTPS or HTTP option is selected under Site system Settings.
- Under Client Settings , select Use PKI client certificate when available
- Under Trusted Root Certificate Authority, click on Set and uplod the trusted root certificate you exported during client authentication certificate deployment (reffer: Export Trusted Root Certificate ).
Next Post: Part 4 | Integrate Azure Active Directory with ConfigMgr
