How To Setup Cloud Management Gateway (CMG) in Microsoft SCCM to Manage Internet Clients

by | Jun 2, 2018 | CMG, IBCM, Intune, PKI, SCCM Guides | 14 comments

Overview

In this video guide, we will be covering how you can set up the cloud management gateway in Configuration Manager to manage clients on the internet. This guide covers essential aspects of CMG such as certificates, site system roles, Azure prerequisites and much more!

Topics in Video

CMG Vs. IBCM – https://youtu.be/kTOPhVHyZtE?t=42
Certificates needed for Cloud Management Gateway – https://youtu.be/kTOPhVHyZtE?t=186
Create Web Server CMG Certificate Template – https://youtu.be/kTOPhVHyZtE?t=289
Review Client Communication Settings- https://youtu.be/kTOPhVHyZtE?t=401
Request Server/Web Server Certificate for CMG – https://youtu.be/kTOPhVHyZtE?t=446
Export Internal Root CA Certificate to use in CMG – https://youtu.be/kTOPhVHyZtE?t=583
Allow Client to Use Cloud DP and CMG – https://youtu.be/kTOPhVHyZtE?t=622
Configure Azure Subscription – https://youtu.be/kTOPhVHyZtE?t=658
Give App Registrations Permissions in Azure – https://youtu.be/kTOPhVHyZtE?t=821
Create Cloud Management Gateway – https://youtu.be/kTOPhVHyZtE?t=884
Install Cloud Management Gateway Connection Point Role – https://youtu.be/kTOPhVHyZtE?t=1600
Set Management Point and Software Update Point to Allow CMG Traffic – https://youtu.be/kTOPhVHyZtE?t=1660
Distribute Content to CMG – https://youtu.be/kTOPhVHyZtE?t=1755
Enable RDP for the Azure CMG Server – https://youtu.be/kTOPhVHyZtE?t=1869
Verify Client Receive CMG Server for IBCM Mangement Point – https://youtu.be/kTOPhVHyZtE?t=2154
Verify Client Notifications Work on Internet Client – https://youtu.be/kTOPhVHyZtE?t=2372
Verify App Deployment Works from Internet Client using CMG – https://youtu.be/kTOPhVHyZtE?t=2491
Verify Software Updates Works from Internet Client using CMG – https://youtu.be/kTOPhVHyZtE?t=2523
Verify Hardware Inventory from Client Notification Channel Works – https://youtu.be/kTOPhVHyZtE?t=2650

Notes From Justin

Niall Brady’s (windows-noob.com) CMG BlogN
- Niall’s guide should be out soon. It looks like I beat him to it :).

Helpful Resources:

Plan for the cloud management gateway in Configuration Manager – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway
IBCM Vs. CMG – https://docs.microsoft.com/en-us/sccm/core/clients/manage/manage-clients-internet
Set up cloud management gateway for Configuration Manager- https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/setup-cloud-management-gateway
Support for Configuration Manager features from CMG – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway#support-for-configuration-manager-features
Cloud Management Gateway Performance and scale – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway#performance-and-scale
Ports and data flow – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway#ports-and-data-flow
Required ports – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway#required-ports
Publish the certificate revocation list – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/security-and-privacy-for-cloud-management-gateway#publish-the-certificate-revocation-list
Plan for PKI certificate revocation – https://docs.microsoft.com/en-us/sccm/core/plan-design/security/plan-for-security#BKMK_PlanningForCRLs
Certificates for the cloud management gateway – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/certificates-for-cloud-management-gateway
CMG server authentication certificate – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/certificates-for-cloud-management-gateway#cmg-server-authentication-certificate
CMG trusted root certificate to clients – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/certificates-for-cloud-management-gateway#cmg-trusted-root-certificate-to-clients
Enable management point for HTTPS – https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/certificates-for-cloud-management-gateway#enable-management-point-for-https
Classic Servier Deployment | Create Management Certificate – https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-certs-create
Classic Servier Deployment | Upload your service certificate to the Azure portal – https://docs.microsoft.com/en-us/azure/azure-api-management-certs

14 Comments

jesse on April 16, 2019 at 2:15 PM

Where did you put the Cloud Subscription Calculator link? Thanks
Reply
- Justin Chalfant on April 16, 2019 at 5:55 PM
  
  Check out https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/plan-cloud-management-gateway#cost. They made some improvements and even have a CAP option now.
  Reply
Sukpaisan on June 4, 2019 at 2:04 AM

Can you provide me how to delete CMG gateway that lost connection to Azure? I try to delete on SCCM console but the status is shown deleting for a week. Thanks.
Reply
- Justin Chalfant on July 17, 2019 at 4:10 AM
  
  Deleting in Azure?
  Reply
Dan A on March 3, 2020 at 8:08 AM

We have a site configured for HTTP is changing the site to HTTPS a requirement prior to setting up a CMG? Or is it just enabling management points for HTTPS?
Reply
- Justin Chalfant on April 2, 2020 at 7:50 AM
  
  You need to have at least one MP in HTTPs for CMG to talk to.
  Reply
Dhaval on May 29, 2020 at 12:34 PM

What is Client Trusted Root certificate to CMG and CMG- Trusted Root certificate to clients ? Where it needs to be used
Reply
- Justin Chalfant on July 9, 2020 at 12:34 PM
  
  If would be the root certificate authority issuing any client-authentication certificates.
  Reply
John Henry on August 5, 2020 at 5:16 AM

Hi Justin

Can’t find a link to a Niall Brady CMG blog anywhere online, do you know if he published one?

Thanks for the video, very helpful.
Reply
- Justin Chalfant on October 14, 2020 at 5:39 PM
  
  Maybe this one? https://www.niallbrady.com/2018/07/22/how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-1/
  Reply
Matt on August 10, 2020 at 11:23 PM

Hi Justin, I have built few new servers in our DMZ and would like to manage their security updates using the CMG. Upon few readings, i will need a client certificate installed on the server. So I would like to know what client certificate does my server require in order to work with the CMG?
Reply
- Justin Chalfant on April 25, 2021 at 10:01 AM
  
  It would need the ConfigMgr client.
  Reply
Goutham on July 13, 2021 at 5:06 PM

Hi Justin,

I would like to thank you for your you-tube videos on SCCM setup with which I have successfully built it for my organization.

Now we are in HTTP site and planning to move to CMG managed. I have the below questions and it will be really helpful if you guide me on this.

1. Before starting up on your video on CMG do I need to have PKI isnatlled on all the clients as per your 3rd video?

2. our devices are Hybrid Azure AD joined , do we still need certificates ?
Reply
- Justin Chalfant on August 8, 2021 at 10:56 AM
  
  1. Yeah, that’s usually the easiest approach to ensure they have the client authentication cert. If they are Azure AD joined that can work as well.
  2. It looks like it should: https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/configure-authentication#azure-ad
  Reply