Setup MECM Cloud Management Gateway (CMG)

In this post I will cover the steps to setup MECM Cloud management gateway (CMG).

Cloud Management Gateway:- It provides a simple way to manage the configuration manager clients on the internet. When we deploy the MECM CMG as cloud service in Microsoft Azure, you can manage internet clients without additional infrastructure.

The main Advantage CMG is you don't need to expose your on-premises infrastructure to the internet.

Components of CMG:-

  • CMG cloud service - It Azure authenticates and forwards Configuration Manager client requests to the CMG connection point.

  • CMG Connection point - It site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.

  • Service Connection point - It site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure AD. Make sure your service connection point is in online mode.

  • Management Point - It site system role services client requests per normal.

  • Software update point - It site system role services client requests per normal.

  • internet-based clients - It connect to the CMG to access on-premises Configuration Manager components.

  1. The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.

  2. Internet-based clients use PKI certificates or Azure AD for identity and authentication

  • Cloud distribution point - provides content to internet-based clients, as needed


  • An Azure subscription to host the CMG

  • To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin

  • To deploy the CMG, you need a Subscription Admin

  • Windows server to host the CMG connection point.

  • The service connection point must be in online mode.

  • A server authentication certificate for the CMG.

  • Other certificates may be required, depending upon your client OS version and authentication model.

  • Clients must use IPv4.


  • You don't need to open any inbound ports to your on-premises network.

  • TCP- TLS: Preferred protocol to build CMG Channel

  • HTTPS 443: Fallback Protocol (Fallback protocol to build CMG channel to only one VM instance)

  • HTTPS 10124 – 10139(Fallback protocol to build CMG channel to two or more VM instances)

  • For more information about MECM CMG ports, refer this article.

Cost & Outbound Data Traffic

  • CMG uses Azure Cloud Services as platform as a service (PaaS). This service uses virtual machines (VMs) that incur compute costs.

  • CMG uses a Standard A2 V2 VM.

  • You select how many VM instances support the CMG. One is the default, and 16 is the maximum. (Scale the CMG to support more clients by adding more VM instances.)

  • Charges are based on data flowing out of Azure (egress or download). Any data flows into Azure are free (ingress or upload).

  • CMG data flows out of Azure include policy to the client, client notifications, and client responses forwarded by the CMG to the site. These responses include inventory reports, status messages, and compliance status.

  • Misconfiguration of the CMG option to Verify client certificate revocation can cause additional traffic from clients to the CMG.

Azure Resource Manager

  • Create the CMG using an Azure Resource Manager deployment.

  • Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group.

  • To simplify the deployment and management of resources, the Azure Resource Manager deployment model is recommended for all new CMG instances.

  • This modernized deployment doesn't require the classic Azure management certificate.

  • ARM Deployment use Apps as credentials and it needs Azure Services.

Create and Issue Web server CMG Certificate

Let's see how we will create new custom web server certificate.

  • Login into Certification Authority server (CA server). Right click on Certificate Templates and select Manage

  • Right click Web server and click Duplicate template

  • Click on compatibility Tab and ensure the settings are same as per below screenshot

  • Click General Tab and specify a name to this template.

  • Click Request Handling and ensure Allow private key to be exported is checked.

  • Now click security Tab and select Allow Enroll Permission.

  • Now right click on certificate template and click New --> Certificate Template to issue.

  • Import webserver CMG certificate on the primary site server. Open the certificate console (certlm.msc). Personal --> certificates -->All task --> Request new certificate

  • From list of certificate, select MECM CMG Certificate and click on More information is required to enroll for this certificate

  • In certificate properties under subject name, select type as Full FQDN. Under alternative name select type as DNS and enter service name. So I will enter

  • Click on Enroll and finish.

  • Select CMG Certificate, right click and click All Task --> export -->Next --> select yes export the private key. Click Next

  • Make no change here and click next

  • Enter a password and click Next

  • Save the certificate and click Finish.

Provide Unique MECM CMG DNS Name

We need to confirm that Azure domain name is unique. Can check in Azure portal. We need to create DNS name.

  • Login into Azure portal and search for cloud services (Classic) and open service

  • Click on Add

  • Create Resource Group

  • Provide DNS name and Region

  • Select Review option once validation is passed, click on Create

Steps to Configure Server App & Client App

(Note:- Free Trail account used for this Demo)

  • Let make a note of Azure AD tenant Name. (Login to Azure portal --> Azure Active directory --> Custom domain names

  • Let's have Tenant ID. Azure Active Directory -> Properties -> Directory ID (Tenant ID)

Registration Server App

  • let's register Server app Azure Active Directory -> App registrations -> Click on New registration to create a new Server App

  • Provide the App Name and select "Accounts in this organizational directory only (Default Directory)" and click on Register

  • Make a note of newly registered Server App Display Name and Application (client) ID

  • Need to provide the authentication for newly created Server App and leave it default