Download and own the latest version of this SCCM Cloud Management Gateway Installation Guide in a single PDF file.

The PDF file is a 50 pages document that contains all information to install a cloud management gateway with SCCM. Use our products page or use the button below to download it.

Download

We can also set up a Cloud Management Gateway for your organization through our consulting services. See our Fixed Price Plan page to see our prices.


If you’re using SCCM 1806 or later, see our updated post on how to setup a cloud management gateway using SCCM 1806 and later

Starting with SCCM version 1610, cloud management gateway introduces a new way to manage internet clients. This method is different than the “traditional” Internet-based client management (ICBM). Cloud Management Gateway uses a combination of a cloud service deployed in Microsoft Azure and a new site system role that communicates with that service. Clients then use the service to communicate with SCCM.

The main advantage of a cloud management gateway is that it doesn’t expose your SCCM servers to the internet but the downside is that it requires an Azure subscription which brings recurring monthly costs. If you’re still unsure which method to use, you can read the Microsoft documentation and see our blog post about internet client management. Make sure that you understand the limitation of using internet clients. We strongly encourage to use this new method if you’ll be managing client on the internet since this feature will evolve with time and the traditional way support should go away with time. You’ll also need a Cloud Management Gateway if you’re planning to use the new Windows 10 Co-Management features.

For clients to access Cloud Management Gateway, an SSL certificate is required to authenticate computers and encrypt communications. You will also need to create a custom SSL certificate on the Certificate Authority for the CMG. An Azure management certificate is also required to deploy the Cloud Management Gateway.

Important Information

For now, Cloud management gateway only supports the Management Point and Software Update point roles.

Cloud Distribution Point

If you already set up a Cloud Distribution Point before, the certificate requirements are quite similar

Here are the high-level steps for deploying Cloud Management Gateway:

  • Verify a unique Azure cloud service URL
  • Create and issue a custom SSL certificate for the Cloud Management Gateway
  • Request the Cloud Management Gateway certificate from the Certification Authority
  • Export the custom Web Certificate
  • Create a client authentication certificate
  • Create an Auto-Enroll Group Policy
  • Export the client certificate’s root
  • Upload the Cloud Management Gateway management certificate to Azure
  • Create the Cloud Management Gateway in the SCCM console
  • Add the Cloud Management Gateway Connector Point role
  • Configure the Primary Site for client certification authentication
  • Configure roles for cloud management gateway traffic
  • Verify Client Communication with the SCCM Cloud Management Gateway

Verify a unique Azure cloud service URL

We don’t need to create the cloud service in Azure, the Cloud Management Gateway setup will create the service. We just need to verify that the Azure cloud service URL is valid and unique.

  • Log in the Azure portal
  • In the Azure Portal, select Cloud Services on the left, click Add
  • Enter the desired DNS name
  • Validate that there’s a green check mark on the right. If your name is not valid, a red X will display, choose a different name if it’s the case
  • Once your name is valid, take note of the name as it will be needed later. We will use SCDCMG as for our example
  • Close the window, do not create the service now
SCCM Cloud Management Gateway

Create and Issue a Custom Web Server Certificate Template on your Certification Authority

This procedure creates a custom certificate template that is based on the web server certificate template. The certificate will be used for the installation of the SCCM cloud management gateway and the private key must be exportable as it will be asked during installation.

  • In Active Directory, create a security group named SCCM Site Servers that contain your SCCM Primary Site server computer account
  • On the server running the Certification Authority, open the Certification Authority console (certsrv.mmc), right-click Certificate Templates and select Manage
SCCM Cloud Management Gateway
  • The Certificate Templates management console opens
  • Right-click the Web Server template and then select Duplicate Template
SCCM Cloud Management Gateway
  • In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected in Certification Authority
SCCM Cloud Management Gateway
  • In the General tab, enter a template name, like SCD SCCM Cloud Management Gateway. Change the validity period if needed. As a best-practice, the longer the validity period, the less secure is your certificate
SCCM Cloud Management Gateway
  • In the Request Handling tab, select Allow private key to be exported
SCCM Cloud Management Gateway
  • In the Security tab, remove the Enroll permission from the Enterprise Admins security group
SCCM Cloud Management Gateway
  • Choose Add, enter SCCM Site Servers in the text box, and then choose OK
  • Select the Enroll and Read permission for this group
SCCM Cloud Management Gateway
  • Choose OK, close Certificate Templates Console
  • Back in the Certification Authority (certsrv.mmc) console, right-click Certificate Templates, select New / Certificate Template to Issue
SCCM Cloud Management Gateway
  • In the Enable Certificate Templates dialog box, select the new template that you just created, SCD SCCM Cloud Management Gateway, click OK
SCCM Cloud Management Gateway

Request the custom web server certificate on the Primary Site Server

This procedure requests and then installs the newly created custom web server certificate on the Primary Site prior to the SCCM cloud management gateway installation

  • On the SCCM Server, run MMC
  • On the File Menu, choose Add/Remove Snap-in…  select Certificates, and click Add
SCCM Cloud Management Gateway
  • When prompted for what you want to manage certificates for, select Computer Account, click Next
SCCM Cloud Management Gateway
  • Select Local Computer and then click Finish
SCCM Cloud Management Gateway
  • Click OK to close the Add/Remove Snap-ins
SCCM Cloud Management Gateway
  • In the Add or Remove Snap-ins dialog box, choose OK.
  • In the console, expand Certificates (Local Computer) / Personal / Certificates
  • Right-click Certificates, select All Tasks / Request New Certificate
  • On the Before You Begin page, click Next
SCCM Cloud Distribution Point
  • If you see the Select Certificate Enrollment Policy page, choose Next
  • On the Request Certificates page, identify the SCD SCCM Cloud Management Gateway from the list of available certificates, and then select More information is required to enroll for this certificate. choose here to configure settings
SCCM Cloud Management Gateway
  • In the Certificate Properties dialog box, in the Subject tab
    • Subject name: in Type choose Common name
    • Value:  Specify your service name and your domain name by using an FQDN format. (For example: scdcmg.cloudapp.net) and select Add
    • Alternative name: in Type choose DNS
    • Value: Specify your service name and your domain name by using an FQDN format. (For example: scdcmg.cloudapp.net) and select Add
SCCM Cloud Management Gateway
  • Click OK to close the Certificate Properties dialog box
  • On the Request Certificates page, select SCD SCCM Cloud Management Gateway from the list of available certificates, click Enroll
  • On the Certificates Installation Results page, wait until the certificate is installed, click Finish
SCCM Cloud Management Gateway

Export Web Server Certificate

This procedure exports the custom web server certificate to file. We will export it as a .CER file for the Azure Management Certificate and in a .PFX format for the cloud management gateway creation.

.CER EXPORT

  • In the Certificates (Local Computer) console, right-click the SCD Cloud Management Gateway certificate that you just created, select All Tasks / Export
SCCM Cloud Management Gateway
  • In the Certificates Export Wizard, choose Next
SCCM Cloud Management Gateway
  • On the Export Private Key page, select No do not export the private key and click Next
SCCM Cloud Management Gateway
  • On the Export file format, select CER and click Next
SCCM Cloud Management Gateway
  • Save your certificate in a folder and close the wizard
SCCM Cloud Management Gateway
  • To close the wizard, click Finish in the Certificate Export Wizard page
SCCM Cloud Management Gateway

.PFX EXPORT

  • Redo the export task a second time
  • On the Export Private Key page, choose Yes, export the private key, click Next
SCCM Cloud Management Gateway
  • On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) option is selected
SCCM Cloud Management Gateway
  • On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next
SCCM Cloud Management Gateway
  • On the File to Export page, specify the name of the file that you want to export
SCCM Cloud Management Gateway
  • To close the wizard, click Finish in the Certificate Export Wizard page
SCCM Cloud Management Gateway
  • Close Certificates (Local Computer).

The certificate is now ready to be imported to create an SCCM Cloud Management Point Gateway

Create the Client Certificate

A client certificate is required on any computer which will be managed via the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point. The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO. If you do not already have a client certificate template, follow these steps:

  • RDP to an Intermediate Certification Authority
  • Open Certification Authority console, right-click Certificate Templates and click Manage
  • Right-click Workstation Authentication and click Duplicate Template
SCCM Cloud Management Gateway
  • Make sure to use Server 2003, not 2008
  • In the General, name this SCCM Client Certificate
SCCM Cloud Management Gateway
  • Set the Validity Period to 5 years
  • Click on the Security tab, select the Domain Computers group and add the permissions of Read and Autoenroll, do not clear Enroll. Then click OK
SCCM Cloud Management Gateway
  • When you refresh your console, you will see that the new template is there

Create an Auto-Enroll Group Policy

A client certificate is required on any computer which will be managed via the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point.

The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO :

  1. Launch Group Policy Management on your Domain (Start / Administrative Tools / Group Policy Management)
  2. Right-click the desired OU and select Create a GPO in this domain, and Link it here… as we are going to create a new GPO
  3. Name your GPO AutoEnroll ConfigMgr Client Cert, then click OK
  4. Right-click and Edit your newly created GPO
  5. Navigate to: Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies
SCCM Cloud Management Gateway
  • Right-click on Certificate Services Client – Auto-Enrollment and then click Properties
  • Change the Configuration Model: to Enabled
  • Check the Update certificates that use certificate templates and Renew expired certificates, update pending certificates, and remove revoked certificates
SCCM Cloud Management Gateway
  • Click Apply and OK
  • Reboot a workstation and when you run a gpupdate /force or in 15 minutes when GP is re-applied, any machine on the domain communicating with the DC will request and receive a client certificate automatically that will be placed in theLocal Computer Personal Certificate Store

The easiest way to export the root of the client certificates used on the network is to get it on one of the domain-joined machines that receive it through your auto-enrollment GPO

Requirements

Client certificates are required on any computer you want to manage with cloud management gateway and on the site system server hosting the cloud management gateway connector point

  • Run MMC
  • From the File menu, choose Add/Remove Snap-in…
  • In the Add or Remove Snap-ins dialog box, choose Certificates / Add / Computer account / Local computer
  • Go to Certificates / Personal / Certificates
  • Double-click the certificate for client authentication on the computer, choose the Certification Path tab, and double-click the root authority (at the top of the path).
  • On the Details tab, choose Copy to File…
  • Complete the Certificate Export Wizard using the default certificate format.You’ll need it to configure cloud management gateway later

Upload the certificate to your Azure Subscription

If your company is already using Windows Azure, there is a very good chance that a management certificate is already created and uploaded. In that case, you will only need to get the .pfx file and its password. If not, follow these instructions to upload the management certificate (.Cer file) into the Azure portal.

  • Open Azure Portal
  • Go to Subscription / [Your Subscription] / Management Certificate / Upload
  • Select the .cer file that you exported earlier
SCCM Cloud Management Gateway
  • The management certificate is now created and ready to use
  • Copy the value of Subscription ID for your certificate. It will be needed to create the SCCM cloud management gateway.
SCCM Cloud Management Gateway

Create the SCCM Cloud Management Gateway

We will now create the Cloud Management Gateway in the SCCM console.

Pre-release

In SCCM 1710, the Cloud Management Gateway is still a pre-release feature. Be sure to turn it on before going further.

  • Open the SCCM Console
  • Click Administration \ Cloud Services \ Cloud Management Gateway
  • Right-Click Cloud Management Gateway and click on Create Cloud Management Gateway
SCCM Cloud Management Gateway
  • In the General pane, paste your Subscription ID and select your Management certificate (.PFX)
SCCM Cloud Management Gateway
  • On the Settings page
    • Service name: Enter the cloud service name which was verified in the first step of the post (Ex: Scdcmg)
    • Description: Enter a description for the Cloud Management Gateway
    • Region: Enter your Geographical region based on your organization
    • Instance number: Specify the number of VM instance
    • Certificate file: Select the PFX certificate created for the Cloud Management Gateway
    • Service FQDN: Will be populated by your FQDN
  • At the bottom, click the certificate button and select your certificate
  • Uncheck the box to Verify Client Certificate Revocation
SCCM Cloud Management Gateway
  • In the Alerts pane, configure the desired settings
SCCM Cloud Management Gateway
  • Review your setting and complete the wizard
SCCM Cloud Management Gateway

Once the wizard completed, it will take between 5 to 15 minutes to provision the service in Azure. Check the Status column for the new cloud management gateway to determine when the service is ready. You can also follow the progress in the CloudMgr.log

In progress :

SCCM Cloud Management Gateway

When completed :

SCCM Cloud Management Gateway

The cloud management gateway connector point is a new site system role for communicating with cloud management gateway. Let’s add this role to our management point machine.

  • In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles
  • Select your server which will serve as your cloud management gateway connection point and select Add Site System Role
  • On the System Role Selection pane, select Cloud management gateway connection point
SCCM Cloud Management Gateway
  • Your Cloud Management Gateway name and region will be auto-populated
SCCM Cloud Management Gateway
  • Review your settings and complete the wizard
SCCM Cloud Management Gateway
SCCM Cloud Management Gateway

You can follow the installation progress in SMS_Cloud_ProxyConnector.log

We will now specify settings for clients computers when they communicate with our Management Point

  • In the SCCM console, go to Administration / Site Configuration / Sites
  • Select your primary site for the clients you want to manage through cloud management gateway, select Properties
  • On the Client Computer Communications tab, check Use PKI client certificate (client authentication) when available
  • Clear Clients check the certificate revocation list (CRL) for site systems
  • Click OK
SCCM Cloud Management Gateway

The final step in setting up cloud management gateway is to configure the site system roles to accept cloud management gateway traffic. Only the management point and software update point roles are supported by cloud management gateway. We recommend having a separate machine acting as the management point for your internet clients as it gives you the option to put this management point in HTTPS mode while having an HTTP MP for all your internal clients.

  • In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles.
  • Right-click the site system server for the role you want to configure for cloud management gateway traffic. In our case, we will configure a management point
  • Select the Management Point role and select Properties
  • In the General tab, check the box next to Allow Configuration Manager cloud management gateway traffic, and then click OK.
  • If you require HTTPS communication, select HTTPS here and follow the next steps
SCCM Cloud Management Gateway

Management Point HTTPS only

If you require having your management point in HTTPS communication, you must ensure that the server has requested the Server Authentification Certificate (SCD SCCM Cloud Management Gateway) and that IIS is configured with this certificate. If you are going with HTTP communication, you can skip this step.

  • Once again, option the Certificate MMC console
  • Choose Computer Account, click Next, Choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal / Certificates folder
  • Click All Tasks / Request New Certificate
  • At the Request Certificates part of the wizard, check your certificate (ex: SCD SCCM Cloud Management Gateway)
  • You will notice that under the Web cert, a prompt that says, More information is required to enroll for this certificate. Click here to configure settings
SCCM Cloud Management Gateway
  • Click the link and set up your Certificate Properties
  • Under Alternative Name / DNS, enter the FQDN of the management point server
  • In General tab, name your certificate as it will be easier to find in IIS later
  • Then the warning field will disappear from the Request Certificates screen of the Certificate Enrollment wizard
  • Click Enroll and then finish once the enrollment is successful
SCCM Cloud Management Gateway

Assign the Web (IIS) Certificate to IIS

This shall be done only on an HTTPS Management point that will handle cmg client requests.

  1. LaunchIIS Manager
  2. Navigate to the Default Website
  3. Right-click it and select Edit Bindings
  4. Add https binding and click Edit
  5. Select the certificate with your server name, and then click OK
SCCM Cloud Management Gateway

Configure clients for cloud management gateway

We will now verify if clients are able to succesfuly communicate with our server via the SCCM Cloud Management Gateway.

  • On a client that is connected to the internet, run a Machine Policy Retrieval & Evaluation cycle from the Configuration Manager app
  • Under the Networking tab, you should see the name of the Cloud Management Gateway service listed as the Internet-based management point (FQDN)
SCCM Cloud Management Gateway

Check the ClientLocation.log file. It will indicate that the machine is using the internet management point

Rotating internet management point, new management point [1] is: SCDCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/XXXXXXX (0) with capabilities: <Capabilities SchemaVersion =”1.0″><PropertyName=”SSL” Version=”1″ /></Capabilities> ClientLocation 02/02/2018 7:21:15 PM 4168 (0x1048)

If your clients are not already installed, you must use one of the proposed installation methods on Technet or use Intune if you are configured to use the Co-Management features.

Comments (13)

[email protected]

08.19.2021 AT 06:55 AM
Hello, Sorry, I little bit messy with certificates. (For example: scdcmg.cloudapp.net) Is it mandatory name like labcontoso.cloudapp.net, or I can use selfsigned like lab.contoso.local? Why *.cloudapp.net exactly and what does it affect? Thank you in advance!

Melba

09.22.2018 AT 02:02 AM
SSL certificate rates diffeers from company to company.

Nirmal

07.04.2018 AT 10:59 AM
With respect to extending on prem SCCM to cloud, We have an scenario where we created new site on prem and installed roles MP, SUP and CMG connection point. Already we have 1 upstream SUP and 2 downstream servers in on prem. so, for new site where CMG role is installed, whether SUP need to be tagged as downstream server to upstream? also, does it require to enable SSL?

Brett

05.31.2018 AT 03:22 PM
When setting the management point to HTTPs only do you need to set two SAN names? One for the management point FQDN and another for the Cloud Management Gateway? Thanks.

Jason

01.04.2019 AT 12:12 PM
Yes, same question, why are you applying the cloudapp.net cert to the MP in the last step?

I.Garcia

05.06.2018 AT 02:13 PM
Running into issues with the HTTPS/Cert pieces for this. We are already currently leveraging HTTPS comm in our environment. Not sure how this effects the current architecture as IIS only allows for 1 certificate to be bound for 443.

Prabakaran

04.18.2018 AT 01:02 AM
Nice one Mate!

Stan

03.15.2018 AT 01:53 PM
Why is this configured in the classic portal? Shouldn't it be in ARM?

David

03.27.2018 AT 07:26 PM
Hello Benoit Lecours - Thank you for your wonderful guides. Like Stan I am hoping for a way to use Config Manager 1802 with it's support for ARM. I am getting tripped up very early in the process in Config Manager's Administration | Cloud Services | wizard where I am supposed to Configure Azure Services.

Dennis

02.20.2018 AT 03:26 PM
Setting up an SCCM Cloud Management Gateway is a great way to manage internet clients. After you buy a dedicated server to host your website, your next step should be setting up a way to manage clients, and this setup is perfect. Your layout of steps, including images, is very helpful to anyone who is new to setting up a business website!

Ola Holtberget

02.08.2018 AT 04:52 PM
Nice guide! I see you write that "A client certificate is required on any computer which will be managed via the Cloud Management Gateway.", but this isn't the case is it, as with an Azure AD joined computer, the AAD token will be used instead of a client certificate.