Setup MECM Cloud Management Gateway (CMG)
In this post I will cover the steps to set up the MECM Cloud Management Gateway (CMG).
Cloud Management Gateway:- It provides a simple way to manage Configuration Manager clients on the internet. When you deploy the MECM CMG as a cloud service in Microsoft Azure, you can manage internet clients without additional on-premises infrastructure.
The main advantage of the CMG is that you don't need to expose your on-premises infrastructure to the internet: the CMG connection point opens outbound connections to the CMG service in Azure, so no inbound ports or public endpoints are required on your network.
Components of CMG:-
CMG cloud service - Runs in Azure. It authenticates and forwards Configuration Manager client requests to the CMG connection point.
CMG connection point - This site system role establishes a consistent, high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG, including connection information and security settings, and forwards client requests from the CMG to on-premises roles according to URL mappings.
Service connection point - This site system role runs the cloud service manager component, which handles all CMG deployment tasks. It also monitors and reports service health and logging information from Azure AD. Make sure your service connection point is in online mode.
Management point - This site system role services client requests as normal.
Software update point - This site system role services client requests as normal.
Internet-based clients - Connect to the CMG to access on-premises Configuration Manager components.
The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.
Internet-based clients use PKI certificates or Azure AD for identity and authentication.
Cloud distribution point - Provides content to internet-based clients as needed.
Prerequisites:-
An Azure subscription to host the CMG.
To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Administrator in Azure AD (used once, to create the app registrations and grant admin consent).
To deploy the CMG, you need a Subscription Admin (owner or co-administrator) on the Azure subscription.
A Windows server to host the CMG connection point.
The service connection point must be in online mode.
A server authentication certificate for the CMG whose subject or subject alternative name is the CMG service FQDN.
Other certificates may be required, depending on your client OS version and authentication model.
Clients must use IPv4.
You don't need to open any inbound ports to your on-premises network; the CMG connection point initiates all connections outbound to Azure.
Ports the CMG connection point uses outbound to the CMG service:-
TCP-TLS 10140-10155: Preferred protocol to build the CMG channel (the range covers the maximum of 16 VM instances).
HTTPS 443: Fallback protocol to build the CMG channel to a single VM instance.
HTTPS 10124-10139: Fallback protocol to build the CMG channel to two or more VM instances.
For more information about MECM CMG ports, refer to the Microsoft documentation on CMG ports.
Cost & Outbound Data Traffic
CMG uses Azure Cloud Services as platform as a service (PaaS). This service uses virtual machines (VMs) that incur compute costs.
CMG uses a Standard A2 V2 VM.
You select how many VM instances support the CMG. One is the default, and 16 is the maximum. (Scale the CMG to support more clients by adding more VM instances.)
Charges are based on data flowing out of Azure (egress or download). Any data flows into Azure are free (ingress or upload).
CMG data flows out of Azure include policy to the client, client notifications, and client responses forwarded by the CMG to the site. These responses include inventory reports, status messages, and compliance status.
Misconfiguration of the CMG option Verify client certificate revocation can cause additional traffic from clients to the CMG, which increases egress and therefore cost. Only enable it if the CRL of the CA that issues your client certificates is published where the CMG in Azure can reach it.
Azure Resource Manager
Create the CMG using an Azure Resource Manager deployment.
Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group.
To simplify the deployment and management of resources, the Azure Resource Manager deployment model is recommended for all new CMG instances.
This modernized deployment doesn't require the classic Azure management certificate.
An ARM deployment uses the Azure AD app registrations (the server app and client app configured under Azure Services in the console) as its credentials, so the Azure Services configuration described below must be completed before you create the CMG.
Create and Issue Web server CMG Certificate
Let's see how to create a custom web server certificate template and request the certificate from it.
Log in to the Certification Authority server (CA server). In the Certification Authority console, right-click Certificate Templates and select Manage.
Right-click Web Server and click Duplicate Template.
Click the Compatibility tab and set the Certification Authority and certificate recipient options as shown in the screenshot.
Click the General tab and specify a name for this template.
Click Request Handling and ensure Allow private key to be exported is checked. The CMG wizard needs a PFX containing the private key, but this also means anyone who can enroll from the template gets an exportable server certificate, so keep the Enroll permission narrow.
Now click the Security tab and grant Enroll permission to the account or group that will request the certificate (the site server's computer account or your admin group), not to Authenticated Users.
Now right-click Certificate Templates, click New --> Certificate Template to Issue, and select the new template.
Request the web server CMG certificate on the primary site server. Open the local machine certificate console (certlm.msc): Personal --> Certificates --> All Tasks --> Request New Certificate.
From the list of certificates, select the MECM CMG certificate template and click More information is required to enroll for this certificate.
In Certificate Properties, under Subject name, select Common name and enter the service FQDN; under Alternative name, select DNS and enter the same service name. In this example I will enter MECMTechie.cloudapp.net. This name must match the CMG service name you create in Azure, otherwise clients fail TLS validation against the CMG.
Click Enroll and Finish.
Select the CMG certificate, right-click it and click All Tasks --> Export --> Next --> select Yes, export the private key. Click Next.
Make no change on the export file format page and click Next.
Enter a strong password and click Next. Treat the PFX as a secret: it contains the private key the CMG will present to every internet client.
Save the file and click Finish.
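The same request, check and export done non-interactively, as an added example that is not part of the original post. It uses certreq.exe against the enterprise CA with the duplicated template and then Export-PfxCertificate. The template name MECMCMGCertificate, the CA config string ca01.corp.local\Corp-Issuing-CA and the service name MECMTechie.cloudapp.net are illustrative assumptions; replace them with your own. Run it elevated on the primary site server.

```powershell
# Added example, not from the original post: request the CMG web server certificate
# non-interactively with certreq.exe, verify it, and export the PFX for the CMG wizard.
# Assumptions (illustrative, replace with your own): the duplicated template is called
# MECMCMGCertificate, the CA config string is ca01.corp.local\Corp-Issuing-CA, and the
# CMG service name is MECMTechie.cloudapp.net.
$serviceName = 'MECMTechie.cloudapp.net'
$template    = 'MECMCMGCertificate'
$caConfig    = 'ca01.corp.local\Corp-Issuing-CA'   # list yours with: certutil -config - -ping
$workDir     = Join-Path $env:TEMP 'cmgcert'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Subject CN and the SAN DNS entry both carry the service FQDN. Exportable=TRUE matches the
# "Allow private key to be exported" template setting and is what lets us build the PFX.
$inf = @"
[NewRequest]
Subject = "CN=$serviceName"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$serviceName&"
[RequestAttributes]
CertificateTemplate = $template
"@
$infPath = Join-Path $workDir 'cmg.inf'
$reqPath = Join-Path $workDir 'cmg.req'
$cerPath = Join-Path $workDir 'cmg.cer'
Set-Content -Path $infPath -Value $inf -Encoding Ascii

function Invoke-CertReq {
    param([string[]]$CertReqArgs)
    & certreq.exe @CertReqArgs
    if ($LASTEXITCODE -ne 0) { throw "certreq $($CertReqArgs[0]) failed with exit code $LASTEXITCODE" }
}
Invoke-CertReq -CertReqArgs @('-new', '-f', $infPath, $reqPath)                    # key pair + CSR, key in LocalMachine
Invoke-CertReq -CertReqArgs @('-submit', '-config', $caConfig, $reqPath, $cerPath)  # issue from the enterprise CA
Invoke-CertReq -CertReqArgs @('-accept', $cerPath)                                  # bind the issued cert to its key

# Pick the newest matching certificate and check what the CMG actually needs before exporting.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$serviceName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$serviceName in LocalMachine\My" }

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt -or $sanExt.Format($false) -notmatch [regex]::Escape($serviceName)) {
    throw "Subject Alternative Name does not contain $serviceName"
}
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1') {   # Server Authentication
    throw 'Certificate lacks the Server Authentication EKU'
}

# Export with the private key. The PFX is the CMG's TLS identity: keep the password out of the
# script and delete the file once the CMG wizard has imported it.
$pfxPath     = Join-Path $workDir 'cmg.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
"Exported $($cert.Thumbprint) (expires $($cert.NotAfter)) to $pfxPath"
```

Note the thumbprint it prints: after the CMG is deployed you can compare it with the certificate the CMG presents on port 443 to confirm the right PFX was uploaded.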
Provide Unique MECM CMG DNS Name
We need to confirm that the Azure DNS name (the cloudapp.net label) is unique, because it must match the certificate issued above. You can check this in the Azure portal while creating the DNS name.
Log in to the Azure portal, search for Cloud services (classic) and open the service.
Click Add.
Create a resource group.
Provide the DNS name (for example MECMTechie, which becomes MECMTechie.cloudapp.net) and the region.
Select Review; once validation has passed, click Create.
Steps to Configure Server App & Client App
(Note:- A free trial account is used for this demo.)
Make a note of the Azure AD tenant name (log in to the Azure portal --> Azure Active Directory --> Custom domain names).
Get the Tenant ID: Azure Active Directory --> Properties --> Directory ID (Tenant ID).
Register the Server App
Register the server app: Azure Active Directory --> App registrations --> click New registration to create a new server app.
Provide the app name, select "Accounts in this organizational directory only (Default Directory)" and click Register.
Make a note of the newly registered server app's Display name and Application (client) ID.
Leave the Authentication settings of the newly created server app at their defaults.
Create a client secret. Set the expiry to 1 or 2 years and record the expiry date: when the secret expires, CMG deployment tasks and Azure AD user discovery stop working until you generate a new secret and update it under Azure Services in the console.
After you click Add, immediately make a note of the secret value and expiry date. If you move away from the screen you won't be able to retrieve the same secret again and will need to generate a new one.
Modify the Microsoft Graph API permission from User.Read to Directory.Read.All: click Microsoft Graph to enumerate the list of API permissions, select Application permissions, and under Directory select Directory.Read.All; then remove the delegated User.Read permission under User.
Click Grant admin consent for Default Directory.
Set the Application ID URI (Azure Active Directory --> MECMTechie-Server App --> Expose an API). Select Add a scope.
Provide the App ID URI, then the scope name user_impersonation, set Who can consent to Admins and users, provide meaningful display text and click Add scope.
Make a note of the App ID URI.
Register the Client App
Register the client app: Azure Active Directory --> App registrations --> click New registration to create a new client app.
Make a note of the newly created client app's Application (client) ID and Display name.
Authentication is an important step: add a redirect URI using the following syntax.
Syntax:- ms-appx-web://Microsoft.AAD.BrokerPlugin/<Client App's Application ID> - copy the exact string with your client app's Application ID. Set the platform type to Public client (mobile & desktop) and click Save.
Remove the default Microsoft Graph User.Read permission.
Click Add a permission and select Azure Active Directory Graph from the list of APIs (this is the legacy API this post was written against; Azure AD Graph has since been retired, and current Configuration Manager documentation uses the Microsoft Graph Directory.Read.All delegated permission here instead). When prompted with "What type of permissions does your application require?", choose Delegated permissions, select Directory and then Directory.Read.All, and click Add permissions.
We need one more permission here: access to the server/web app we created earlier. Click Add a permission again, select My APIs and select MECMServerApp.
Confirm user_impersonation is selected, click Add permissions and then Grant admin consent for Default Directory.
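The two registrations above expressed as a script, as an added example that is not part of the original post, so the configuration is repeatable and reviewable. It uses the Microsoft Graph PowerShell SDK (New-MgApplication, Update-MgApplication, Add-MgApplicationPassword) and assumes the Microsoft.Graph module is installed and the signed-in account may create app registrations. The display names are illustrative. It differs from the portal steps in one point: both apps use Microsoft Graph Directory.Read.All, since the Azure AD Graph API the post selects for the client app is retired. Admin consent is still granted afterwards in the portal under API permissions.

```powershell
# Added example, not from the original post: create the CMG server and client app registrations
# with the Microsoft Graph PowerShell SDK. Assumptions: Microsoft.Graph module installed, the
# signed-in account may create app registrations, display names are illustrative, and both apps
# use Microsoft Graph Directory.Read.All (the post uses the legacy Azure AD Graph for the client).
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Organization.Read.All'

$tenantId   = (Get-MgContext).TenantId
$tenantName = ((Get-MgOrganization).VerifiedDomains | Where-Object IsDefault).Name

# Look up Microsoft Graph's permission IDs instead of hard-coding GUIDs.
$graph      = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$dirReadApp = ($graph.AppRoles               | Where-Object Value -eq 'Directory.Read.All').Id   # application permission
$dirReadDel = ($graph.Oauth2PermissionScopes | Where-Object Value -eq 'Directory.Read.All').Id   # delegated permission

# --- Server (web) app: single tenant, Directory.Read.All as an application permission ---
$server = New-MgApplication -DisplayName 'MECMTechie-Server App' -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @(@{ ResourceAppId  = $graph.AppId
                                 ResourceAccess = @(@{ Id = $dirReadApp; Type = 'Role' }) })

# "Expose an API": the App ID URI embeds the new Application (client) ID, so it is set after
# creation, together with the user_impersonation scope the client app will request.
$scopeId  = [guid]::NewGuid().Guid
$appIdUri = "api://$($server.AppId)"
Update-MgApplication -ApplicationId $server.Id -IdentifierUris @($appIdUri) -Api @{
    Oauth2PermissionScopes = @(@{
        Id                      = $scopeId
        Value                   = 'user_impersonation'
        Type                    = 'User'            # "Admins and users" can consent
        IsEnabled               = $true
        AdminConsentDisplayName = 'Access the CMG server app'
        AdminConsentDescription = 'Allows the CMG client app to call the server app as the signed-in user.'
        UserConsentDisplayName  = 'Access the CMG server app'
        UserConsentDescription  = 'Allows the app to call the CMG server app on your behalf.'
    })
}

# Client secret. SecretText is returned exactly once; the CMG wizard stores it in the site
# database. Record EndDateTime: CMG management breaks when it expires.
$secret = Add-MgApplicationPassword -ApplicationId $server.Id -PasswordCredential @{
    DisplayName = 'CMG'; EndDateTime = (Get-Date).AddYears(1) }

# --- Client (native) app: public client whose broker redirect URI embeds its own Application ID ---
$client = New-MgApplication -DisplayName 'MECMTechie-Client App' -SignInAudience 'AzureADMyOrg' -IsFallbackPublicClient
Update-MgApplication -ApplicationId $client.Id `
    -PublicClient @{ RedirectUris = @("ms-appx-web://Microsoft.AAD.BrokerPlugin/$($client.AppId)") } `
    -RequiredResourceAccess @(
        @{ ResourceAppId = $graph.AppId;  ResourceAccess = @(@{ Id = $dirReadDel; Type = 'Scope' }) },
        @{ ResourceAppId = $server.AppId; ResourceAccess = @(@{ Id = $scopeId;    Type = 'Scope' }) }
    )

# Everything the Configuration Manager Azure Services wizard asks for, except the secret value,
# which stays in $secret.SecretText and should be pasted straight into the wizard, not logged.
[pscustomobject]@{
    TenantName     = $tenantName
    TenantId       = $tenantId
    ServerAppName  = $server.DisplayName
    ServerClientId = $server.AppId
    SecretExpiry   = $secret.EndDateTime
    AppIdUri       = $appIdUri
    ClientAppName  = $client.DisplayName
    ClientAppId    = $client.AppId
}
```

The order matters for two values that the portal hides from you: the App ID URI and the broker redirect URI both contain the Application ID that only exists after the registration is created, which is why each app is created first and then updated.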
Enable the resource providers Microsoft.ClassicCompute and Microsoft.Storage
Enable the two resource providers: All services --> Subscriptions --> select the appropriate subscription --> Resource providers, then register Microsoft.ClassicCompute and Microsoft.Storage.
Note:- The user credentials used to sign in here must be those of a Co-Administrator or subscription Owner.
Importing ServerApp & Client App in MECM Console
Open the MECM console (Administration --> Cloud Services --> Azure Services --> Configure Azure Services), select Cloud Management Gateway and click Next.
Browse for the Web App and select Import.
Provide the details for the Server App/Web App:
Azure AD Tenant Name - the tenant name noted earlier
Azure AD Tenant ID - the Tenant ID noted earlier
Application Name - the server app's display name
Client ID - the server app's Application (client) ID
Secret Key - the client secret value
Secret Key Expiry - the secret's expiry date
App ID URI - the App ID URI noted earlier
Click Verify, then OK.
Browse for the Native Client App and provide its details (display name and Application ID).
Enable Azure AD User Discovery, click Next and Close.
Once completed, browse to Administration --> Cloud Services --> Azure Active Directory Tenants. You should see the tenant name and Tenant ID; the Applications pane below lists the application name, Tenant ID and Client ID.
Installing Cloud Management Gateway
Open MECM Console (Administration --> Cloud services --> Cloud management gateway --> Click on Create cloud management gateway)
Select the Cloud services option (Azure Resource Manager deployment).
Click Sign in; once signed in successfully, click Next.
Provide the PFX certificate file created in the certificate section above. The wizard reads the service name from the certificate's subject.
Note:- Make sure the service name is a valid, unique FQDN that matches the certificate, i.e. the cloudapp.net DNS name you created earlier.
Select the option if you also want to use the CMG as a cloud distribution point.
Specify alerts, click Next and Close.
Make sure the status changes to Ready before continuing; provisioning the Azure resources takes several minutes.
Install the Cloud management gateway connection point role (MECM console --> Administration --> Site Configuration --> Servers and Site System Roles --> select the server on which you want to install the role --> Add Site System Roles).
Allow MECM CMG Traffic
We need to configure the management point and software update point to accept MECM CMG traffic.
Go to Administration --> Site Configuration --> Servers and Site System Roles. Select the management point, click Properties, check Allow Configuration Manager cloud management gateway traffic and click OK.
Select the software update point, open Properties, check Allow Configuration Manager cloud management gateway traffic and click OK.
Troubleshooting logs:-
• Deployments, use CloudMgr.log and CMGSetup.log (on the site server that hosts the service connection point).
• Service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
• Client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.
CMGService.log and CMGHttpHandler.log are written by the CMG in Azure and synchronized to the CMG connection point; SMS_Cloud_ProxyConnector.log is written on the CMG connection point itself.
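Before reading logs, it is worth checking the CMG from the outside. The following is an added example, not part of the original post: run from the CMG connection point, it confirms the service name resolves over IPv4 (clients must use IPv4), probes the ports listed in the prerequisites, and completes a TLS handshake on 443 to report the certificate the CMG actually presents, so a name or trust mismatch shows up before clients hit it. The service name MECMTechie.cloudapp.net is an illustrative assumption. Ports 10124-10139 and 10140-10155 are only listened on once the channel is built to the matching number of VM instances, so a closed port there is reported rather than treated as a failure.

```powershell
# Added example, not from the original post: probe the CMG service from the connection point and
# inspect the certificate it presents on 443. Assumption: the service name is illustrative.
function Test-CmgEndpoint {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [int]$TimeoutMs = 5000
    )
    $ipv4 = [System.Net.Dns]::GetHostAddresses($ServiceName) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }
    if (-not $ipv4) { throw "$ServiceName has no IPv4 address; CMG clients must use IPv4" }

    # 443 (single-instance fallback), 10124-10139 (multi-instance fallback), 10140-10155 (TCP-TLS).
    foreach ($port in @(443) + (10124..10139) + (10140..10155)) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            if (-not $tcp.ConnectAsync($ServiceName, $port).Wait($TimeoutMs)) { throw 'timed out' }
            [pscustomobject]@{ Port = $port; Reachable = $true;  Detail = '' }
        } catch {
            [pscustomobject]@{ Port = $port; Reachable = $false; Detail = $_.Exception.GetBaseException().Message }
        } finally { $tcp.Dispose() }
    }

    # TLS handshake on 443. The callback records validation errors instead of aborting, so the
    # certificate can still be reported; a PolicyErrors value other than None means clients will
    # reject the CMG too (untrusted issuer, name mismatch, or expired certificate).
    $script:cmgPolicyErrors = $null
    $callback = { param($s, $c, $chain, $errors) $script:cmgPolicyErrors = $errors; $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tcp = New-Object System.Net.Sockets.TcpClient($ServiceName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($ServiceName)
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Protocol       = $ssl.SslProtocol
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            SubjectAltName = $san
            Thumbprint     = $cert.Thumbprint   # compare with the PFX you uploaded in the wizard
            NameMatches    = ($cert.Subject -eq "CN=$ServiceName") -or ($san -match [regex]::Escape($ServiceName))
            PolicyErrors   = $script:cmgPolicyErrors
        }
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

Test-CmgEndpoint -ServiceName 'MECMTechie.cloudapp.net'
```

If NameMatches is false or PolicyErrors is not None, fix the certificate (subject/SAN, issuing chain, expiry) before looking at client-side CMG logs; the clients will fail at exactly the same TLS check.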