The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients over the internet.
In the previous post, we discussed the server authentication certificate requirements for CMG. In part 3 of the SCCM CMG setup guide series, we will discuss the SSL configuration for the SCCM site and the client authentication certificate requirements.
Posts in this series:
- Part 1 | Cloud Management Gateway (CMG) Setup Guide
- Part 2 | Issue, Enroll & Export Server Authentication Certificate
- Part 3 | Configure SCCM Site for SSL
- Part 4 | Integrate Azure Active Directory with ConfigMgr
- Part 5 | Setup Cloud Management Gateway
- Part 6 | Validate CMG Health & Client Communication
Deploy Client Authentication Certificate for ConfigMgr Clients
A client certificate is required on any computer that needs SSL communication with a Configuration Manager HTTPS management point or an SSL software update point.
A client certificate is also required on any computer that will be managed via the Cloud Management Gateway (CMG) when the device is not Azure AD or Hybrid AD joined. It is also required on the server that will host the Cloud Management Gateway connection point.
Follow the articles below to issue and auto-enroll the client authentication certificate for Configuration Manager clients. We will issue the certificate from Microsoft Active Directory Certificate Services (PKI) and use Group Policy (GPO) to auto-enroll the certificate on all domain computers.
- Issue Client Authentication Certificate
- Configure Client Authentication Certificate Auto Enrollment
- Export Trusted Root Certificate
Note: The certificate exported in the last step will be required during CMG setup.
Configure Management Point for HTTPS
The cloud management gateway (CMG) requires an HTTPS management point for secure communication. You need at least one management point in HTTPS mode in your hierarchy to support internet-based clients through CMG.
If you don’t have an HTTPS management point in your ConfigMgr hierarchy, follow the below article to configure one before going ahead with the CMG setup.
Configure Software Update Point for SSL
The cloud management gateway (CMG) requires an SSL-enabled software update point to support internet-based clients. You need at least one SSL-enabled software update point in your hierarchy to deploy software updates to internet-based clients.
If you don’t have an SSL-enabled software update point in your ConfigMgr hierarchy, follow the below article to configure one. The software update point role is not a mandatory requirement for CMG setup, and you can perform this step later as well.
Configure SCCM Site for HTTPS
The SCCM site needs to be configured for SSL communication with clients. Please ensure that the following settings are configured.
In the SCCM console, go to Administration/Site configuration/Sites, select Properties, and click the Communication Security tab.
- Ensure that the HTTPS or HTTP option is selected under Site system Settings.
- Under Client Settings, select Use PKI client certificate when available.
- Under Trusted Root Certificate Authority, click Set and upload the trusted root certificate you exported during the client authentication certificate deployment (refer to: Export Trusted Root Certificate).
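The check below is an added example, not part of the original guide: run in an elevated PowerShell session on a client, it lists the certificates in the computer store that carry the Client Authentication EKU and reports whether each one chains to the root certificate exported for the site. The path in `$RootCerPath` is an assumed location for that exported file.

```powershell
# Added example. $RootCerPath is an assumed location for the exported root CA file.
$RootCerPath   = 'C:\Temp\RootCA.cer'
$x509          = 'System.Security.Cryptography.X509Certificates'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

$root = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $RootCerPath).Path
$now  = Get-Date

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Keep only certificates whose EKU extension lists Client Authentication.
    # Certificates without an EKU extension are skipped.
    $eku = $cert.Extensions |
        Where-Object { $_.GetType().Name -eq 'X509EnhancedKeyUsageExtension' }
    if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains $clientAuthOid) { continue }

    # Build the chain from the local stores. Revocation is not evaluated here.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)

    # The last chain element is the highest issuer that could be found.
    $top = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        TimeValid         = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey     = $cert.HasPrivateKey
        ChainBuilds       = $built
        RootMatchesExport = ($null -ne $top -and $top.Thumbprint -eq $root.Thumbprint)
    }
}

if (-not $results) {
    Write-Warning 'No certificate with the Client Authentication EKU found in LocalMachine\My.'
} else {
    $results | Format-List
}
```

A certificate that auto-enrolled correctly should show True for TimeValid, HasPrivateKey, ChainBuilds and RootMatchesExport; a False in the last column means the root uploaded to the site is not the one that issued that client certificate.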