CMG basics

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional infrastructure. You also don’t need to expose your on-premises infrastructure to the internet.

Deploy the CMG cloud service to Azure.

Add the CMG connection point role.

Configure the site and site roles for the service. Once deployed and configured, clients seamlessly access on-premises site roles regardless of whether they’re on the intranet or internet.

Deployment and operation of the CMG includes the following components:

  • The CMG cloud service in Azure authenticates and forwards Configuration Manager client requests to the CMG connection point.
  • The CMG connection point site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.
  • The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure AD. Ensure your service connection point is in online mode.
  • The management point site system role services client requests per normal.
  • The software update point site system role services client requests per normal.
  • Internet-based clients connect to the CMG to access on-premises Configuration Manager components.
  • The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.
  • Internet-based clients use PKI certificates or Azure AD for identity and authentication.
  • cloud distribution point provides content to internet-based clients, as needed.

Azure resource Manager

Starting in version 1802, you can create the CMG using an Azure Resource Manager deploymentAzure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group. When deploying CMG with Azure Resource Manager, the site uses Azure Active Directory (Azure AD) to authenticate and create the necessary cloud resources. This modernized deployment does not require the classic Azure management certificate.


  • An Azure subscription to host the CMG.
    • An Azure administrator needs to participate in the initial creation of certain components, depending upon your design. This person does not require permissions in Configuration Manager.
  • At least one on-premises Windows server to host the CMG connection point. You can co-locate this role with other Configuration Manager site system roles.
  • The service connection point must be in online mode.
  • server authentication certificate for the CMG.
  • If using the Azure classic deployment method, you must use an Azure management certificate but using the Azure Resource Manager deployment model is recommended.
  • Other certificates may be required, depending upon your client OS version and authentication model. For more information, see CMG certificates.
  • Integration with Azure AD may be required for Windows 10 clients. For more information, see Configure Azure services.
  • Clients must use IPv4.


  • CMG only supports the management point and software update point roles.
  • CMG does not support clients that only communicate with IPv6 addresses.
  • Software update points using a network load balancer do not work with CMG.


  • Azure Cloud Services as platform as a service (PaaS)
  • A2 V2 VM
  • Outbound data transfer: For estimating purposes only, expect approximately 100-300 MB per client per month for internet-based clients. The lower estimate is for a default client configuration. The upper estimate is for a more aggressive client configuration. Your actual usage may vary depending upon how you configure client settings.

Content Storage

  • Internet-based clients get Microsoft software update content from Windows Update at no charge. Do not distribute update packages with Microsoft update content to a cloud distribution point, otherwise you may incur storage and data egress costs.
  • For any other necessary content, such as applications or third-party software updates, you must distribute to a cloud-based distribution point. Currently, the CMG supports only the cloud-based distribution point for sending content to clients.

CMG Certificates

Certificat Name Type Target Details
Cloud Management Gateway Certificate


ConfigMgr Cloud Management Gateway Certificate Server authentication certificate ConfigMgr Cloud Management Gateway installation
  • « Read/Enroll »
  • “Supply in the request”
  • “Allow private key to be exported”
  • Remplir le Common Name : «»
  • Droits : Serveurs SCCM, Read, Enroll
  • Name must be unique !!
  • Subject :
    • CN =
Server Authentication Certificate


ConfigMgr Web Server Certificate Server authentication certificate
  • MP (IIS)
  • SUP (IIS)
  • « Read/Enroll (IIS Servers) »
  • “Windows 2003 Server”
  • “Supply in the request”
  • Droits : Serveurs SCCM, Read, Enroll
  • Subject :
    • CN = Local FQDN
  • Subject Alternative Name
    • DNS Name = Local FQDN
    • DNS Name = FQDN
Client Authentication Certificate


ConfigMgr Client Certificate
  • Laptop, Desktop (GPO)
  • CMG Connector Point server
  • “Read/Enroll/AutoEnroll (All computers)”
  • “Windows 2003 Server”
  • “Supply in the request”
  • Droits : Serveurs SCCM, Read, Enroll
  • Subject :
    • CN = Local FQDN
  • Subject Alternative Name
    • DNS Name = Local FQDN
Cloud Distribution Point


ConfigMgr Cloud-Based Distribution Point Certificate ConfigMgr Cloud DP installation

Azure Management Certificate

  • « Read/Enroll »
  • “Supply in the request”
  • “Allow private key to be exported”
  • Remplir le Common Name : « »
  • Droits : Serveurs SCCM, Read, Enroll
Root Certificate


All Validate certification path
Sub Certificate


All Validate certification path

Set up cloud management gateway for Configuration Manager

Administration Clous Services Cloud Management Gateway

Click Create Cloud Management Gateway

Select Azure Public Cloud, Select Arm deployment, Sign in to your Azure subscription, Click Next

Enter your Azure AD login, Click Next

If you are successfully signed in. Click Next.

Select the CMG certificate in PFX format. Click Open.

On the Settings page of the wizard, first click Browse and select the .PFX file for the CMG server authentication certificate. The name from this certificate populates the required Service FQDN and Service name fields.

Enter a description Create a new resource group Select CMG deployment region Select VM Instance number.

Untick Verify client certificates Revocation

Click Next.

Import root certificate and sub certificates Click Next

Configure threshold Click Next.

Starting provisionning

New resource group is creating

Cloud Service And Storage account

Proxy Service is Running

Check if CMG is in ready status in SCCM console

To troubleshoot CMG deployments, use CloudMgr.log and CMGSetup.log. For more information, see Log files.

Configure primary site for client certificate authentication

Administration Site Configuration Sites Primary site Propertie

  • Select HTTPS or HTTP
  • Tick use PKI client certificate
  • Untick Clients check the certificate revocation list
  • Import root CA
  • Click Apply

Add the CMG connection point role

Important :

The CMG connection point must have a client authentication certificate in some scenarios.

Administration Site Configuration Servers and Site System roles

Select the server

Click Add Site System Role

Click Next

Click Next

Select Cloud Management gateway connection point Click Next

Select the previously deployed CMG in Azure Click Next.

Click Next Click Close.

To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.

On primary server

On CMG Server


Administration Cloud Services Cloud Management Gateway CMG Name Connection Point tab

CMG Connection point is now connected to azure CMG

Configure client-facing roles for CMG traffic

  • Select CMG MP Properties
  • Click Allow CMG traffic
  • IIS Endpoints are now listed in SCCM console

Configure clients for CMG

Note : Clients must be on the intranet to receive the location of the CMG service, unless you install and assign Windows 10 clients using Azure AD for authentication

By default all clients receive CMG policy. Control this behavior with the client setting, Enable clients to use a cloud management gateway.

The Configuration Manager client automatically determines whether it’s on the intranet or the internet. If the client can contact a domain controller or an on-premises management point, it sets its connection type to Currently intranet. Otherwise, it switches to Currently Internet, and uses the location of the CMG service to communicate with the site.

To verify that clients have the policy specifying the CMG, open a Windows PowerShell command prompt as an administrator on the client computer, and run the following command:

Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq « Internet »}

To troubleshoot CMG client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log. For more information, see Log files.

Always keep at least one active CMG for internet-based clients to receive updated policy. Internet-based clients can’t communicate with a removed CMG. Clients don’t know about a new one until they roam back to the intranet. When creating a second CMG instance in order to delete the first, also create another CMG connection point.

Only modify the CMG from the Configuration Manager console. Making modifications to the service or underlying VMs directly in Azure is not supported. Any changes may be lost without notice. As with any PaaS, the service can rebuild the VMs at anytime. These rebuilds can happen for backend hardware maintenance, or to apply updates to the VM OS.

Enroll Client Certificate

Click Finish

On intranet

Launch a machine policy retrieval & Evaluation cycle, The client receive the policy with the CMG location.

Connect SCCM client to internet network Client Certificate is now PKI Connection type in Internet

For client troubleshotting, check :




SCCM client is now connected to the CMG



Enjoy this blog? Please spread the word :)

Follow by Email