How to setup an SCCM Cloud Management Gateway

Benoit Lecours | SCCM | 10 Comments

Starting with SCCM version 1610, the Cloud Management Gateway introduces a new way to manage internet clients. This method is different from the “traditional” Internet-based client management (IBCM). The Cloud Management Gateway uses a combination of a cloud service deployed in Microsoft Azure and a new site system role that communicates with that service. Clients then use the service to communicate with SCCM.

The main advantage of a Cloud Management Gateway is that it doesn’t expose your SCCM servers to the internet; the downside is that it requires an Azure subscription, which brings recurring monthly costs. If you’re still unsure which method to use, you can read the Microsoft documentation and see our blog post about internet client management. Make sure that you understand the limitations of managing internet clients. We strongly encourage you to use this new method if you’ll be managing clients on the internet, since this feature will evolve over time and support for the traditional method is expected to go away. You’ll also need a Cloud Management Gateway if you’re planning to use the new Windows 10 Co-Management features.

For clients to access the Cloud Management Gateway, an SSL certificate is required to authenticate computers and encrypt communications. You will also need to create a custom SSL (web server) certificate for the CMG on your Certification Authority. An Azure management certificate is also required to deploy the Cloud Management Gateway.

Important Information
For now, Cloud management gateway only supports the Management Point and Software Update point roles.

Cloud Distribution Point
If you already set up a Cloud Distribution Point before, the certificate requirements are quite similar.

Here are the high-level steps for deploying Cloud Management Gateway:

  • Verify a unique Azure cloud service URL
  • Create and issue a custom SSL certificate for the Cloud Management Gateway
  • Request the Cloud Management Gateway certificate from the Certification Authority
  • Export the custom Web Certificate
  • Create a client authentication certificate
  • Create an Auto-Enroll Group Policy
  • Export the client certificate’s root
  • Upload the Cloud Management Gateway management certificate to Azure
  • Create the Cloud Management Gateway in the SCCM console
  • Add the Cloud Management Gateway connection point role
  • Configure the Primary Site for client certificate authentication
  • Configure roles for cloud management gateway traffic
  • Verify Client Communication with the SCCM Cloud Management Gateway

Verify a unique Azure cloud service URL

We don’t need to create the cloud service in Azure, the Cloud Management Gateway setup will create the service. We just need to verify that the Azure cloud service URL is valid and unique.

  • Log in the Azure portal
  • In the Azure Portal, select Cloud Services on the left, click Add
  • Enter the desired DNS name
  • Validate that there’s a green check mark on the right. If your name is not valid, a red X will display, choose a different name if it’s the case
  • Once your name is valid, take note of it as it will be needed later. We will use SCDCMG for our example
  • Close the window, do not create the service now

Create and Issue a Custom Web Server Certificate Template on your Certification Authority

This procedure creates a custom certificate template based on the Web Server certificate template. The certificate will be used for the installation of the SCCM Cloud Management Gateway, and its private key must be exportable because the .PFX file (certificate plus private key) is requested during installation.

  • In Active Directory, create a security group named SCCM Site Servers that contains your SCCM Primary Site server computer account
  • On the server running the Certification Authority, open the Certification Authority console (certsrv.msc), right-click Certificate Templates and select Manage
  • The Certificate Templates management console opens
  • Right-click the Web Server template and then select Duplicate Template
  • In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected for the Certification Authority
  • In the General tab, enter a template name, like SCD SCCM Cloud Management Gateway. Change the validity period if needed, keeping in mind that the longer the validity period, the less secure your certificate is
  • In the Request Handling tab, select Allow private key to be exported
  • In the Security tab, remove the Enroll permission from the Enterprise Admins security group
  • Choose Add, enter SCCM Site Servers in the text box, and then choose OK
  • Select the Enroll and Read permissions for this group
  • Choose OK and close the Certificate Templates console
  • Back in the Certification Authority (certsrv.msc) console, right-click Certificate Templates, select New / Certificate Template to Issue
  • In the Enable Certificate Templates dialog box, select the new template that you just created, SCD SCCM Cloud Management Gateway, and click OK

Request the custom web server certificate on the Primary Site Server

This procedure requests and then installs the newly created custom web server certificate on the Primary Site server prior to the SCCM Cloud Management Gateway installation.

  • On the SCCM server, run MMC
  • On the File menu, choose Add/Remove Snap-in…, select Certificates, and click Add
  • When prompted for what you want to manage certificates for, select Computer Account, click Next
  • Select Local Computer and then click Finish
  • In the Add or Remove Snap-ins dialog box, click OK
  • In the console, expand Certificates (Local Computer) / Personal / Certificates
  • Right-click Certificates, select All Tasks / Request New Certificate
  • On the Before You Begin page, click Next
  • If you see the Select Certificate Enrollment Policy page, choose Next
  • On the Request Certificates page, identify SCD SCCM Cloud Management Gateway in the list of available certificates, and then select More information is required to enroll for this certificate. Click here to configure settings
  • In the Certificate Properties dialog box, in the Subject tab
    • Subject name: in Type choose Common name
    • Value: Specify your service name and your domain name in FQDN format (for example: scdcmg.cloudapp.net) and select Add
    • Alternative name: in Type choose DNS
    • Value: Specify your service name and your domain name in FQDN format (for example: scdcmg.cloudapp.net) and select Add
  • Click OK to close the Certificate Properties dialog box
  • On the Request Certificates page, select SCD SCCM Cloud Management Gateway from the list of available certificates, click Enroll
  • On the Certificates Installation Results page, wait until the certificate is installed, click Finish

Export Web Server Certificate

This procedure exports the custom web server certificate to a file. We will export it as a .CER file for the Azure management certificate and in .PFX format for the Cloud Management Gateway creation.

.CER EXPORT

  • In the Certificates (Local Computer) console, right-click the SCD SCCM Cloud Management Gateway certificate that you just requested (issued to scdcmg.cloudapp.net), select All Tasks / Export
  • In the Certificate Export Wizard, choose Next
  • On the Export Private Key page, select No, do not export the private key and click Next
  • On the Export File Format page, select DER encoded binary X.509 (.CER) and click Next
  • On the File to Export page, save your certificate in a folder
  • To close the wizard, click Finish on the last page of the Certificate Export Wizard

.PFX EXPORT

  • Redo the export task a second time
  • On the Export Private Key page, choose Yes, export the private key, click Next
  • On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) option is selected
  • On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next
  • On the File to Export page, specify the name of the file that you want to export
  • To close the wizard, click Finish on the last page of the Certificate Export Wizard
  • Close Certificates (Local Computer)

The certificate is now ready to be imported to create the SCCM Cloud Management Gateway.
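The same request, checks and exports done from PowerShell on the primary site server, as an added example that is not part of the original post. The DNS name scdcmg.cloudapp.net and the template display name come from the post; the template's internal name with spaces removed (the console's default) and the C:\CMG output folder are assumptions.

```powershell
# Added example, not from the original post: locate (or enroll) the CMG web
# server certificate, verify what the CMG wizard and Azure need from it, then
# export the .CER and .PFX files. Run from an elevated PowerShell.
$ServiceFqdn  = 'scdcmg.cloudapp.net'             # verified cloud service URL (post)
$TemplateName = 'SCDSCCMCloudManagementGateway'   # assumed internal name of the template
$OutDir       = 'C:\CMG'                          # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Reuse the certificate enrolled through the MMC, or enroll one from the template.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ServiceFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $req = Get-Certificate -Template $TemplateName -SubjectName "CN=$ServiceFqdn" `
                           -DnsName $ServiceFqdn -CertStoreLocation Cert:\LocalMachine\My
    if ($req.Status -ne 'Issued') { throw "Enrollment did not complete: status $($req.Status)" }
    $cert = $req.Certificate
}

# 2. Checks that would otherwise only surface as a failure later in the wizard.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($ServiceFqdn)) {
    throw "Subject Alternative Name does not include $ServiceFqdn"
}
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate lacks the Server Authentication EKU (wrong template?)'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); the CMG stops working when it does"
}

# 3. Public key only (.CER, DER encoded) -> Azure portal > Subscription > Management certificates.
$cerPath = Join-Path $OutDir "$ServiceFqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 4. Certificate plus private key (.PFX) -> Create Cloud Management Gateway wizard.
#    This fails unless 'Allow private key to be exported' was set on the template
#    before enrollment, so report that case explicitly.
$pfxPath     = Join-Path $OutDir "$ServiceFqdn.pfx"
$pfxPassword = Read-Host -Prompt 'Password to protect the .PFX' -AsSecureString
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
                          -ChainOption BuildChain | Out-Null
} catch {
    throw "PFX export failed ($($_.Exception.Message)). If the key is not exportable, re-enroll from a template that allows private key export."
}

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Subject    = $cert.Subject
    Expires    = $cert.NotAfter
    CerFile    = $cerPath
    PfxFile    = $pfxPath
}
```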

Create the Client Certificate

A client certificate is required on any computer which will be managed via the Cloud Management Gateway. It is also required on the server that will host the Cloud Management Gateway connection point. The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO. If you do not already have a client certificate template, follow these steps:

  • RDP to an Intermediate Certification Authority
  • Open the Certification Authority console, right-click Certificate Templates and click Manage
  • Right-click Workstation Authentication and click Duplicate Template
  • In the Duplicate Template dialog box, make sure to select Windows Server 2003, not 2008
  • In the General tab, name the template SCCM Client Certificate
  • Set the Validity Period to 5 years
  • Click on the Security tab, select the Domain Computers group and add the Read and Autoenroll permissions; do not clear Enroll. Then click OK
  • When you refresh your console, you will see that the new template is there

Create an Auto-Enroll Group Policy

A client certificate is required on any computer which will be managed via the Cloud Management Gateway and on the server that will host the Cloud Management Gateway connection point. The fastest way to deploy the client certificate to all your machines is through an autoenrollment GPO:

  1. Launch Group Policy Management on your domain (Start / Administrative Tools / Group Policy Management)
  2. Right-click the desired OU and select Create a GPO in this domain, and Link it here… as we are going to create a new GPO
  3. Name your GPO AutoEnroll ConfigMgr Client Cert, then click OK
  4. Right-click and Edit your newly created GPO
  5. Navigate to: Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies
  6. Right-click Certificate Services Client – Auto-Enrollment and then click Properties
  7. Change the Configuration Model to Enabled
  8. Check Update certificates that use certificate templates and Renew expired certificates, update pending certificates, and remove revoked certificates
  9. Click Apply and OK
  10. Reboot a workstation or run gpupdate /force (or wait about 15 minutes for Group Policy to re-apply). Any machine on the domain communicating with the DC will then request and receive a client certificate automatically, placed in the Local Computer Personal certificate store

The easiest way to export the root of the client certificates used on the network is to get it from one of the domain-joined machines that receive it through your auto-enrollment GPO.

Requirements
Client certificates are required on any computer you want to manage with the cloud management gateway and on the site system server hosting the cloud management gateway connection point
  • Run MMC
  • From the File menu, choose Add/Remove Snap-in…
  • In the Add or Remove Snap-ins dialog box, choose Certificates / Add / Computer account / Local computer
  • Go to Certificates / Personal / Certificates
  • Double-click the certificate for client authentication on the computer, choose the Certification Path tab, and double-click the root authority (at the top of the path)
  • On the Details tab, choose Copy to File…
  • Complete the Certificate Export Wizard using the default certificate format. You’ll need the exported root certificate to configure the cloud management gateway later
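The auto-enrollment check and the root export from the two sections above, scripted for a domain-joined computer in the GPO's scope, as an added example that is not part of the original post. The template display name SCCM Client Certificate comes from the post; the output path C:\CMG\ClientCertRoot.cer is an assumption.

```powershell
# Added example, not from the original post: trigger auto-enrollment, confirm a
# client authentication certificate landed in the Local Computer Personal store,
# and export the root CA at the top of its chain as a .CER for the CMG wizard.
$TemplateDisplayName = 'SCCM Client Certificate'   # template created earlier (post)
$RootOut = 'C:\CMG\ClientCertRoot.cer'             # assumed output path
New-Item -ItemType Directory -Path (Split-Path $RootOut) -Force | Out-Null

# 1. Pulse auto-enrollment rather than waiting for the next Group Policy refresh.
& certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 10

# 2. Candidates: private key present and Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
}
# Prefer the one issued from our template. The Certificate Template Information
# extension (OID 1.3.6.1.4.1.311.21.7) names it when the name can be resolved;
# otherwise fall back to the newest client-auth certificate.
$cert = $candidates | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $ext -and $ext.Format($false) -like "*$TemplateDisplayName*"
} | Select-Object -First 1
if (-not $cert) { $cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1 }
if (-not $cert) {
    throw 'No client authentication certificate in Cert:\LocalMachine\My. Check the GPO scope, run gpupdate /force and retry.'
}

# 3. Walk the chain to its self-signed top. Revocation is irrelevant for locating the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain did not fully validate: $reasons"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) {
    throw "Top of chain ($($root.Subject)) is not self-signed; the root CA is missing from Trusted Root Certification Authorities"
}

# 4. Export in the wizard's default format (DER encoded binary X.509).
Export-Certificate -Cert $root -FilePath $RootOut -Type CERT | Out-Null

[pscustomobject]@{
    ClientCertSubject = $cert.Subject
    ClientCertExpires = $cert.NotAfter
    IssuedBy          = $cert.Issuer
    RootCA            = $root.Subject
    RootExportedTo    = $RootOut
}
```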

Upload the certificate to your Azure Subscription

If your company is already using Windows Azure, there is a very good chance that a management certificate is already created and uploaded. In that case, you will only need to get the .pfx file and its password. If not, follow these instructions to upload the management certificate (.Cer file) into the Azure portal.

  • Open the Azure Portal
  • Go to Subscription / [Your Subscription] / Management Certificate / Upload
  • Select the .cer file that you exported earlier
  • The management certificate is now created and ready to use
  • Copy the value of Subscription ID for your certificate. It will be needed to create the SCCM cloud management gateway.

SCCM Cloud Management Gateway

Create the SCCM Cloud Management Gateway

We will now create the Cloud Management Gateway in the SCCM console.

Pre-release
In SCCM 1710, the Cloud Management Gateway is still a pre-release feature. Be sure to turn it on before going further.
  • Open the SCCM console
  • Click Administration \ Cloud Services \ Cloud Management Gateway
  • Right-click Cloud Management Gateway and click Create Cloud Management Gateway
  • In the General pane, paste your Subscription ID and select your management certificate (.PFX)
  • On the Settings page
    • Service name: Enter the cloud service name which was verified in the first step of the post (Ex: Scdcmg)
    • Description: Enter a description for the Cloud Management Gateway
    • Region: Select the Azure region based on your organization’s geography
    • Instance number: Specify the number of VM instances
    • Certificate file: Select the PFX certificate created for the Cloud Management Gateway
    • Service FQDN: Populated automatically from the certificate (scdcmg.cloudapp.net in our example)
  • At the bottom, click the certificate button and select the root certificate that you exported from a client certificate earlier
  • Uncheck the box Verify Client Certificate Revocation (leave it unchecked unless your CA’s CRL is published on the internet, since the CMG must be able to reach it to validate client certificates)
  • In the Alerts pane, configure the desired settings
  • Review your settings and complete the wizard

Once the wizard completes, it will take between 5 and 15 minutes to provision the service in Azure. Check the Status column for the new cloud management gateway to determine when the service is ready. You can also follow the progress in CloudMgr.log.

The cloud management gateway connector point is a new site system role for communicating with cloud management gateway. Let’s add this role to our management point machine.

  • In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles
  • Select the server which will serve as your cloud management gateway connection point and select Add Site System Role
  • On the System Role Selection pane, select Cloud management gateway connection point
  • Your Cloud Management Gateway name and region will be auto-populated
  • Review your settings and complete the wizard

You can follow the installation progress in SMS_Cloud_ProxyConnector.log.

We will now specify settings for client computers when they communicate with our management point.

  • In the SCCM console, go to Administration / Site Configuration / Sites
  • Select the primary site for the clients you want to manage through the cloud management gateway, then select Properties
  • On the Client Computer Communications tab, check Use PKI client certificate (client authentication) when available
  • Clear Clients check the certificate revocation list (CRL) for site systems
  • Click OK

The final step in setting up cloud management gateway is to configure the site system roles to accept cloud management gateway traffic. Only the management point and software update point roles are supported by cloud management gateway. We recommend having a separate machine acting as the management point for your internet clients as it gives you the option to put this management point in HTTPS mode while having an HTTP MP for all your internal clients.

  • In the SCCM console, go to Administration / Site Configuration / Servers and Site System Roles
  • Right-click the site system server for the role you want to configure for cloud management gateway traffic. In our case, we will configure a management point
  • Select the Management Point role and select Properties
  • In the General tab, check the box next to Allow Configuration Manager cloud management gateway traffic, and then click OK
  • If you require HTTPS communication, select HTTPS here and follow the next steps

Management Point HTTPS only

If you require your management point to use HTTPS communication, you must ensure that the server has requested the server authentication certificate (SCD SCCM Cloud Management Gateway) and that IIS is configured with this certificate. If you are going with HTTP communication, you can skip this step.

  • Once again, open the Certificates MMC console
  • Choose Computer Account, click Next, choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal / Certificates folder
  • Click All Tasks / Request New Certificate
  • At the Request Certificates part of the wizard, check your certificate (ex: SCD SCCM Cloud Management Gateway)
  • You will notice a prompt under the web certificate that says More information is required to enroll for this certificate. Click here to configure settings
  • Click the link and set up your Certificate Properties
  • Under Alternative Name / DNS, enter the FQDN of the management point server
  • In the General tab, give your certificate a friendly name, as it will be easier to find in IIS later
  • The warning will then disappear from the Request Certificates screen of the Certificate Enrollment wizard
  • Click Enroll and then Finish once the enrollment is successful

Assign the Web (IIS) Certificate to IIS

This only needs to be done on an HTTPS management point that will handle CMG client requests.

  1. Launch IIS Manager
  2. Navigate to the Default Web Site
  3. Right-click it and select Edit Bindings
  4. Add an https binding, then click Edit
  5. Select the certificate with your server name, and then click OK
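The certificate request for the HTTPS management point and the IIS binding from the two sections above, done from PowerShell on the MP, as an added example that is not part of the original post. The template display name comes from the post; its internal name with spaces removed (the console's default) and the Default Web Site name are assumptions.

```powershell
# Added example, not from the original post: enroll the server authentication
# certificate with the MP FQDN as DNS alternative name, give it a friendly name,
# and bind it to port 443 on the Default Web Site. Run elevated on the MP.
Import-Module WebAdministration
$TemplateName = 'SCDSCCMCloudManagementGateway'   # assumed internal name of the template
$MpFqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$SiteName     = 'Default Web Site'                # assumed site name

# 1. Enroll with the MP FQDN as DNS SAN (the post sets only the alternative name).
$req = Get-Certificate -Template $TemplateName -DnsName $MpFqdn -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Enrollment did not complete: status $($req.Status)" }
# Re-read the certificate from the store so that the friendly name is persisted.
$cert = Get-Item "Cert:\LocalMachine\My\$($req.Certificate.Thumbprint)"
$cert.FriendlyName = "SCCM MP HTTPS ($MpFqdn)"

# 2. Sanity checks before touching IIS.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate lacks the Server Authentication EKU'
}

# 3. Make sure an https binding exists on port 443 for all addresses.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' | Out-Null
}

# 4. Bind the certificate. IIS allows one certificate per IP:port, so a different
#    certificate already bound there is replaced (with a warning).
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
$existing = Get-Item $sslBinding -ErrorAction SilentlyContinue
if ($existing -and $existing.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Replacing certificate $($existing.Thumbprint) currently bound to 0.0.0.0:443"
    Remove-Item $sslBinding
    $existing = $null
}
if (-not $existing) { $cert | New-Item $sslBinding | Out-Null }

# 5. Report what is bound now.
$bound = Get-Item $sslBinding
[pscustomobject]@{
    Site       = $SiteName
    Thumbprint = $bound.Thumbprint
    Subject    = $cert.Subject
    DnsNames   = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
    Expires    = $cert.NotAfter
}
```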

Configure clients for cloud management gateway

We will now verify that clients are able to successfully communicate with our server via the SCCM Cloud Management Gateway.

  • On a client that is connected to the internet, run a Machine Policy Retrieval & Evaluation cycle from the Configuration Manager control panel applet
  • Under the Network tab, you should see the name of the Cloud Management Gateway service listed as the Internet-based management point (FQDN)

Check the ClientLocation.log file. It will indicate that the machine is using the internet management point:

Rotating internet management point, new management point [1] is: SCDCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/XXXXXXX (0) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1" /></Capabilities> ClientLocation 02/02/2018 7:21:15 PM 4168 (0x1048)
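The same check scripted, so it can be run on many clients instead of reading ClientLocation.log by eye, as an added example that is not part of the original post. The two sample log lines are constructed in the shape shown above; the service name SCDCMG.CLOUDAPP.NET is the post's example and MP01.CONTOSO.LOCAL is a made-up on-premises MP.

```powershell
# Added example, not from the original post: parse the "Rotating internet
# management point" entries and report whether the last rotation went to the CMG.
function Get-CmgLocationStatus {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$ExpectedCmgFqdn
    )
    # Message text, then the CMTrace-style trailer: component, date, time, thread id.
    $pattern = 'Rotating internet management point, new management point \[(?<idx>\d+)\] is: ' +
               '(?<host>[^/\s]+)(?<path>/\S*)? .*?ClientLocation (?<date>\S+) (?<time>\S+ [AP]M)'
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                When   = [datetime]"$($Matches.date) $($Matches.time)"
                Index  = [int]$Matches.idx
                Host   = $Matches.host
                # CMG traffic goes through the CCM_Proxy_MutualAuth virtual path.
                ViaCmg = [bool]($Matches.path -like '/CCM_Proxy_MutualAuth*')
                Ssl    = [bool]($line -match 'Name="SSL"')
            }
        }
    }
    $last = $events | Sort-Object When | Select-Object -Last 1
    [pscustomobject]@{
        RotationEvents = @($events).Count
        LastHost       = $last.Host
        LastWhen       = $last.When
        UsingCmg       = [bool]($last -and $last.ViaCmg -and ($last.Host -ieq $ExpectedCmgFqdn))
        Ssl            = [bool]($last -and $last.Ssl)
        Events         = $events
    }
}

# Constructed sample: an on-premises internet MP first, then the rotation to the CMG.
$sampleLog = @'
Rotating internet management point, new management point [1] is: MP01.CONTOSO.LOCAL (0) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1" /></Capabilities> ClientLocation 02/02/2018 7:10:02 PM 4168 (0x1048)
Rotating internet management point, new management point [1] is: SCDCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/XXXXXXX (0) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1" /></Capabilities> ClientLocation 02/02/2018 7:21:15 PM 4168 (0x1048)
'@ -split "`r?`n"

$status = Get-CmgLocationStatus -Lines $sampleLog -ExpectedCmgFqdn 'SCDCMG.CLOUDAPP.NET'
$status | Format-List RotationEvents, LastHost, LastWhen, UsingCmg, Ssl

# On a real client, feed it the actual log instead of the sample:
# Get-CmgLocationStatus -Lines (Get-Content "$env:windir\CCM\Logs\ClientLocation.log") -ExpectedCmgFqdn 'SCDCMG.CLOUDAPP.NET'
```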

If your clients are not already installed, you must use one of the proposed installation methods on Technet or use Intune if you are configured to use the Co-Management features.

 

Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 4 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intunes deployments.

10 Comments on “How to setup an SCCM Cloud Management Gateway”

  1. With respect to extending on-prem SCCM to the cloud, we have a scenario where we created a new site on prem and installed the MP, SUP and CMG connection point roles. We already have 1 upstream SUP and 2 downstream servers on prem. So, for the new site where the CMG role is installed, does the SUP need to be tagged as a downstream server to the upstream? Also, does it require enabling SSL?

  2. Pingback: Deploying the ConfigMgr client via Microsoft Intune – More than just ConfigMgr

  3. When setting the management point to HTTPs only do you need to set two SAN names? One for the management point FQDN and another for the Cloud Management Gateway?

    Thanks.

  4. Running into issues with the HTTPS/Cert pieces for this. We are already currently leveraging HTTPS comm in our environment. Not sure how this effects the current architecture as IIS only allows for 1 certificate to be bound for 443.

    1. Hello Benoit Lecours – Thank you for your wonderful guides. Like Stan I am hoping for a way to use Config Manager 1802 with its support for ARM. I am getting tripped up very early in the process in Config Manager’s Administration | Cloud Services | wizard where I am supposed to Configure Azure Services.

  6. Setting up an SCCM Cloud Management Gateway is a great way to manage internet clients. After you buy a dedicated server to host your website, your next step should be setting up a way to manage clients, and this setup is perfect. Your layout of steps, including images, is very helpful to anyone who is new to setting up a business website!

  7. Nice guide! I see you write that “A client certificate is required on any computer which will be managed via the Cloud Management Gateway.”, but this isn’t the case is it, as with an Azure AD joined computer, the AAD token will be used instead of a client certificate.
