
Configure Cloud Management Gateway (CMG)

The cloud management gateway (CMG) provides an easy way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, one can manage traditional clients that roam on the internet without additional infrastructure. Also, there is no need to expose on-premises infrastructure to the internet.

Prerequisites

  1. Azure subscription (Activate it from MSDN account)
  2. SCCM environment (1802 or later)
  3. The SCCM management point (MP) server can reach Azure services
  4. Certificate Authority setup, preferably AD CS
  5. Client Certificate on all machines: required on any computer which will be managed via the CMG. It is also required on the server that will host the Cloud Management Gateway connection point.
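A pre-flight check for prerequisite 5, added here as an example (not part of the original post): it lists client-authentication certificates in the local computer store that have a private key, are unexpired, and chain to a trusted root, so a machine can be verified before it is expected to talk to the CMG. It assumes the certificate lives in Cert:\LocalMachine\My.

```powershell
# Added example: find CMG-usable client certificates on this machine.
# Assumption: the client certificate is in the local computer 'Personal' store.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt $now -and
    (($_.EnhancedKeyUsageList | Select-Object -ExpandProperty ObjectId) -contains $ClientAuthOid)
}

if (-not $candidates) {
    # Failure mode the post warns about: no client certificate means no CMG management.
    Write-Warning 'No unexpired client-authentication certificate with a private key found in LocalMachine\My'
    return
}

foreach ($c in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'      # report CRL reachability as well
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $built  = $chain.Build($c)
    $status = ($chain.ChainStatus | Select-Object -ExpandProperty Status) -join ','
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject

    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        Expires    = $c.NotAfter
        Root       = $root
        ChainOK    = $built
        Status     = if ($status) { $status } else { 'NoError' }
    }
}
```

A Status of RevocationStatusUnknown or OfflineRevocation on an otherwise valid chain shows the CRL is not reachable from this machine, which is the condition the later CRL-check settings address.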

Subscription assignment

  1. Create tenant:
    • Home > Create a resource > Azure Active Directory > Create
  2. Create user:
    • Home > (AAD) > Users > New User with Global administrator role
  3. Re-assign subscription:
    • AAD having subscription > Home > Subscription > Overview > Change directory
    • Note: It takes some time so please wait for ~10 mins.
  4. Add new tenant's user as a co-administrator
    • New AAD > Subscription > Access control (IAM) > Add co-administrator

Cloud Services Certificate Template

  1. Create a template of type Web Server
    • Certificate Authority > Certificate Templates > Manage > Web Server > Duplicate Template
    • General tab: give a name, e.g., CM Cloud Service Certificate. Select Validity and Renewal as per requirement.
    • Request handling tab: select 'Allow private key to be exported'
    • Security tab: allow 'Read' and 'Enroll' permissions to SCCM servers/group
  2. Issue the template
    • Certificate Authority > Certificate Templates > New > Certificate Template to Issue > Select 'CM Cloud Service Certificate'

CMG certificate creation and export

  1. Check for the DNS availability
    • Home > Cloud Services (Classic) > Add > DNS name (only check that the name is available; do NOT create the service at this stage; e.g. nomadlab.cloudapp.net)
  2. Create a certificate
  3. Azure Management Certificate export
  4. Export certificate authority certificate
    • Export root certificate: Certificates (Local Computer) > Trusted Root Certificate Authorities > Certificates > Export (.CER)
    • Export intermediate certificate (if applicable): Certificates (Local Computer) > Intermediate certification Authorities > Certificates > Export (.CER)
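The certificate steps above, carried out in PowerShell as an added example (not code from the original post): enrol against the duplicated Web Server template, export the PFX for the CMG wizard, export the public .cer for the Azure management certificate, and export the root and any intermediate CA certificates from the chain. It assumes the template's internal name is CMCloudServiceCertificate, the DNS name is nomadlab.cloudapp.net, and it runs elevated on an SCCM server that has Enroll permission on the template.

```powershell
# Added example: request and export the CMG certificate and its CA chain.
# Assumptions: template name 'CMCloudServiceCertificate' (not the display name),
# DNS name nomadlab.cloudapp.net, output folder C:\CMG.
$DnsName      = 'nomadlab.cloudapp.net'
$TemplateName = 'CMCloudServiceCertificate'
$OutDir       = 'C:\CMG'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Enrol with the enterprise CA; the private key is generated in the machine store.
$enroll = Get-Certificate -Template $TemplateName `
                          -SubjectName "CN=$DnsName" -DnsName $DnsName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enroll.Status -ne 'Issued') { throw "Enrollment did not complete: $($enroll.Status)" }
$cert = $enroll.Certificate

# 2. PFX with private key: used for 'Certificate file' in the CMG wizard.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\$DnsName.pfx" -Password $pfxPassword | Out-Null

# 3. Public certificate only (.cer): uploaded as the Azure management certificate.
Export-Certificate -Cert $cert -FilePath "$OutDir\$DnsName.cer" -Type CERT | Out-Null

# 4. Root and intermediate CA certificates from the issuing chain, for the
#    'Certificates...' list under the CMG wizard's security settings.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the chain structure is needed here
$chain.Build($cert) | Out-Null
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    $ca   = $_.Certificate
    $kind = if ($ca.Subject -eq $ca.Issuer) { 'root' } else { 'intermediate' }
    Export-Certificate -Cert $ca -FilePath "$OutDir\$kind-$($ca.Thumbprint).cer" -Type CERT | Out-Null
}
Get-ChildItem $OutDir
```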

Azure Management Certificate

  1. Upload the certificate to the Azure subscription
    • Home > Subscription > Management certificates > Upload > Select the exported certificate (nomadlab.cloudapp.net.cer)

Configure Azure Services

  1. Create Azure Service
    • SCCM console > Administration > Cloud Services > Azure Services > Configure Azure Services
  2. App registration
    • Azure portal > Azure Active Directory > App registrations
    • WebApp > API permissions > Grant admin consent
    • ClientApp > API permissions > Grant admin consent
  3. Run Full Discovery
    • SCCM Console > Administration > Cloud Services > Azure Services > Azure Active Directory User Discovery > Run Full Discovery

Resource Providers

  1. Register resource providers
    • Azure portal > Subscriptions > Resource Providers
    • Register: Compute, ClassicCompute, Storage, and ClassicStorage

Cloud Management Gateway

  1. Create Cloud Management Gateway
    • SCCM console > Administration > Cloud Services > Cloud Management Gateway > Create Cloud Management Gateway
    • General: Azure environment: AzurePublicCloud > Sign In... (AAD admin user e.g. administrator@nomadlab.onmicrosoft.com)
    • Settings:
      • Certificate file: nomadlab.cloudapp.net.pfx
      • Service name, Deployment name, Region, and Resource Group should be auto-populated
      • Specify security settings: Certificates... > Add the exported root certificate (and intermediate certificate if applicable)
      • Uncheck "Verify Client Certificate Revocation" (the CMG service in Azure can only check a CRL that is published on the internet)
    • Once completed, Status would be set to Ready

Site System Role

  1. Add Cloud management gateway connection point
    • SCCM Console > Administration > Site Configuration > Server and Site System Roles
    • Site server > Add Site System Roles > System Role Selection > Cloud management gateway connection point > Cloud Management Gateway name and region will be auto-populated

Client Certificate Authentication

  1. Remove the CRL check (internet-based clients usually cannot reach an on-premises CRL distribution point)
    • SCCM Console > Administration > Site Configuration > Sites > Site server > Properties > Communication Security
    • Clear "Clients check the certificate revocation list (CRL) for site systems"

Configure roles for CMG Traffic

  1. Allow Management point
    • SCCM Console > Administration > Site Configuration > Server and Site System Roles > Site server > Management point > Properties
    • Enable "Allow Configuration Manager cloud management gateway traffic" and select Allow intranet and internet connections
  2. Allow Software update point
    • SCCM Console > Administration > Site Configuration > Server and Site System Roles > Site server > Software update point > Properties
    • Enable "Allow Configuration Manager cloud management gateway traffic" and Allow Internet and intranet client connections
  3. Client Settings
    • SCCM Console > Administration > Client Settings > Custom client device settings > Properties
      • Client Policy: Enable user policy requests from Internet clients - Yes
      • Cloud Services: Allow access to cloud distribution point and Enable clients to use a cloud management gateway - Yes
    • SCCM Console > Administration > Client Settings > Custom client user settings > Properties
      • Cloud Services: Allow access to cloud distribution point - Yes
  4. Distribution Point Group
    • SCCM Console > Administration > Distribution Point Groups > Properties > Members > Add > Cloud DP

Logs

  1. Azure AD Discovery Agent (Server): displays the synchronization for users/devices with Azure AD
    • \Microsoft Configuration Manager\Logs\SMS_AZUREAD_DISCOVERY_AGENT.log
  2. Cloud Proxy Connector (Server): details about setting up connections between the CMG service and the CMG connection point
    • \Microsoft Configuration Manager\Logs\SMS_CLOUD_PROXYCONNECTOR.log
  3. Cloud Management (Server): details about deploying the CMG service, ongoing service status, and usage data associated with the service
    • \Microsoft Configuration Manager\Logs\CloudMgr.log
  4. Policy Agent (Client): displays requests for policies made by using the Data Transfer Service
    • \CCM\Logs\PolicyAgent.log
  5. Data Transfer (Client): displays all BITS communication for policy or package access
    • \CCM\Logs\DataTransferService.log
  6. Client Location: indicates that the machine is using the internet management point
    • \CCM\Logs\ClientLocation.log
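All of the logs listed above are written in the CMTrace format (`<![LOG[message]LOG]!><time=... date=... component=... type=...>`). The following is an added example (not from the original post) that parses that format, surfaces warning and error entries, and pulls out the ClientLocation lines that show a client has moved to the internet management point. The three log lines are constructed for illustration and are not copied from real logs.

```powershell
# Added example: parse CMTrace-format log lines and filter them.
# The sample entries below are constructed, not real log output.
$sample = @'
<![LOG[Client is on the internet.]LOG]!><time="10:15:02.123+000" date="06-01-2020" component="ClientLocation" context="" type="1" thread="4120" file="lsad.cpp:200">
<![LOG[Current internet Management Point is nomadlab.cloudapp.net]LOG]!><time="10:15:02.130+000" date="06-01-2020" component="ClientLocation" context="" type="1" thread="4120" file="lsad.cpp:220">
<![LOG[Connection to CMG endpoint failed, will retry]LOG]!><time="10:16:40.001+000" date="06-01-2020" component="CloudProxyConnector" context="" type="3" thread="3320" file="proxy.cpp:90">
'@

# type="1" info, "2" warning, "3" error (CMTrace severity convention)
$severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
$pattern  = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'

function ConvertFrom-CMTraceLine {
    param([string]$Line)
    if ($Line -match $pattern) {
        [pscustomobject]@{
            Timestamp = "$($Matches.date) $($Matches.time)"
            Component = $Matches.comp
            Severity  = $severity[$Matches.type]
            Message   = $Matches.msg
        }
    }
}

# For a real log: $entries = Get-Content 'C:\Windows\CCM\Logs\ClientLocation.log' | ForEach-Object { ConvertFrom-CMTraceLine $_ }
$entries = $sample -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ConvertFrom-CMTraceLine $_ }

# Anything that is not informational deserves a look first.
$entries | Where-Object { $_.Severity -ne 'Info' } | Format-Table -AutoSize

# ClientLocation lines showing the client is using the internet management point (CMG).
$entries | Where-Object { $_.Component -eq 'ClientLocation' -and $_.Message -match 'internet' } |
    Select-Object Timestamp, Message
```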


Comments

  1. Very informative. Thanks for sharing.
    • Reply: Thank you. Let me know in case you struggle in other areas too. I'll try to prepare a doc for that too.
  2. Reply: Thank you Harender. Let me know in case you struggle in other areas too. I'll try to prepare a doc for that too.
  3. It is mandatory to have a client certificate on all machines: required on any computer which will be managed via the CMG. If machines are Azure AD joined or Hybrid Azure AD joined, do they still require a client certificate?