Configuration Manager 1610 introduced a new feature to manage clients on the internet - the Cloud Management Gateway. The Cloud Management Gateway service is deployed to Microsoft Azure (an Azure subscription is required), and connects to your Configuration Manager site via the Cloud Management Gateway connection point – a new site system role also introduced in 1610. This allows Configuration Manager clients to access your Configuration Manager site system roles even if they are not on the intranet.
The attached guide will walk through the full process of setting up the Cloud Management Gateway with Configuration Manager current branch 1610.
Like internet based client management, for clients to access site system roles using the Cloud Management Gateway, SSL certificates are required to authenticate computers and encrypt communications between the different layers of the service. To encrypt traffic between Configuration Manager clients and the site system server hosting the Cloud Management Gateway connector, Software Update Point, and Management point roles, you will also need to create a custom SSL certificate on the CA for the site system. An Azure management certificate is required to deploy the Cloud Management Gateway as well as the Cloud Distribution Point.
In the 1610 release, the Cloud Management Gateway only supports the management point and software update point roles. If you will be deploying anything other than software updates to clients managed via the Cloud Management Gateway, you will also need to configure a Cloud Distribution Point for clients to download content from.
The guide below covers the full process of creating the required certificates on the Issuing CA server, creating the Cloud Management Gateway and Cloud Management Gateway connection point, uploading management certificates to Azure, configuring the site system roles to accept cloud management gateway traffic, and verifying that clients on the internet can connect to the cloud management gateway. The last section also covers creating the Cloud Distribution Point.
More information on the Cloud Management Gateway, including prerequisites, can be found here https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-cloud-management-gateway
The process for deploying Cloud Management Gateway includes the following steps:
- Create and issue a custom SSL certificate for the Cloud Management Gateway (and optionally, the Cloud Distribution Point).
- Create a client authentication certificate
- Export the client certificate's root
- Verify a unique Azure cloud service URL
- Request the Cloud Management Gateway certificate from the Certification Authority
- Upload the Cloud Management Gateway (and optionally, the Cloud Distribution Point) management certificate to Azure.
- Create the Cloud Management Gateway in the Configuration Manager console
- Install the Cloud Management Gateway connection point in the Configuration Manager console
- Configure Site System Roles to accept cloud management gateway traffic
- Verify Client Communication with the Cloud Management Gateway
- Configure a Cloud Distribution Point (optional)
Check out the attached guide, and please feel free to add your comments!