Setup MECM Cloud Management Gateway (CMG)

Original post Setup MECM Cloud Management Gateway (CMG) (

In this post I will cover the steps to setup MECM Cloud management gateway (CMG).

Cloud Management Gateway:- It provides a simple way to manage the configuration manager clients on the internet. When we deploy the MECM CMG as cloud service in Microsoft Azure, you can manage internet clients without additional infrastructure.

The main Advantage CMG is you don’t need to expose your on-premises infrastructure to the internet.

Components of CMG:-

  • CMG cloud service – It Azure authenticates and forwards Configuration Manager client requests to the CMG connection point.
  • CMG Connection point – It site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.
  • Service Connection point – Itsite system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure AD. Make sure your service connection point is in online mode.
  • Management Point – Itsite system role services client requests per normal.
  • Software update point – Itsite system role services client requests per normal.
  • internet-based clients – It connect to the CMG to access on-premises Configuration Manager components.
  1. The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.
  2. Internet-based clients use PKI certificates or Azure AD for identity and authentication
  • Cloud distribution point – provides content to internet-based clients, as needed


  • An Azure subscription to host the CMG
  • To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin
  • To deploy the CMG, you need a Subscription Admin
  • Windows server to host the CMG connection point.
  • The service connection point must be in online mode.
  • A server authentication certificate for the CMG.
  • Other certificates may be required, depending upon your client OS version and authentication model.
  • Clients must use IPv4.


  • You don’t need to open any inbound ports to your on-premises network.
  • TCP- TLS: Preferred protocol to build CMG Channel
  • HTTPS 443: Fallback Protocol (Fallback protocol to build CMG channel to only one VM instance)
  • HTTPS 10124 – 10139(Fallback protocol to build CMG channel to two or more VM instances)
  • For more information about MECM CMG ports, refer this article.

Cost & Outbound Data Traffic

  • CMG uses Azure Cloud Services as platform as a service (PaaS). This service uses virtual machines (VMs) that incur compute costs.
  • CMG uses a Standard A2 V2 VM.
  • You select how many VM instances support the CMG. One is the default, and 16 is the maximum. (Scale the CMG to support more clients by adding more VM instances.)
  • Charges are based on data flowing out of Azure (egress or download). Any data flows into Azure are free (ingress or upload).
  • CMG data flows out of Azure include policy to the client, client notifications, and client responses forwarded by the CMG to the site. These responses include inventory reports, status messages, and compliance status.
  • Misconfiguration of the CMG option to Verify client certificate revocation can cause additional traffic from clients to the CMG.

Azure Resource Manager

  • Create the CMG using an Azure Resource Manager deployment.
  • Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group.
  • To simplify the deployment and management of resources, the Azure Resource Manager deployment model is recommended for all new CMG instances.
  • This modernized deployment doesn’t require the classic Azure management certificate.
  • ARM Deployment use Apps as credentials and it needs Azure Services.

Create and Issue Web server CMG Certificate

Let’s see how we will create new custom web server certificate.

  • Login into Certification Authority server (CA server). Right click on Certificate Templates and select Manage
  • Right click Web server and click Duplicate template
  • Click on compatibility Tab and ensure the settings are same as per below screenshot
  • Click General Tab and specify a name to this template.
  • Click Request Handling and ensure Allow private key to be exported is checked.
  • Now click security Tab and select Allow Enroll Permission.
  • Now right click on certificate template and click New –> Certificate Template to issue.
  • Import webserver CMG certificate on the primary site server. Open the certificate console (certlm.msc). Personal –> certificates –>All task –> Request new certificate
  • From list of certificate, select MECM CMG Certificate and click on More information is required to enroll for this certificate
  • In certificate properties under subject name, select type as Full FQDN. Under alternative name select type as DNS and enter service name. So I will enter
  • Click on Enroll and finish.
  • Select CMG Certificate, right click and click All Task –> export –>Next –> select yes export the private key. Click Next
  • Make no change here and click next
  • Enter a password and click Next
  • Save the certificate and click Finish.

Provide Unique MECM CMG DNS Name

We need to confirm that Azure domain name is unique. Can check in Azure portal. We need to create DNS name.

  • Login into Azure portal and search for cloud services (Classic) and open service
  • Click on Add
  • Create Resource Group
  • Provide DNS name and Region
  • Select Review option once validation is passed, click on Create

Steps to Configure Server App & Client App

(Note:- Free Trail account used for this Demo)

  • Let make a note of Azure AD tenant Name. (Login to Azure portal –> Azure Active directory –> Custom domain names
  • Let’s have Tenant ID. Azure Active Directory -> Properties -> Directory ID (Tenant ID)

Registration Server App

  • let’s register Server app Azure Active Directory -> App registrations -> Click on New registration to create a new Server App
  • Provide the App Name and select “Accounts in this organizational directory only (Default Directory)” and click on Register
  • Make a note of newly registered Server App Display Name and Application (client) ID
  • Need to provide the authentication for newly created Server App and leave it default
  • Let’s create Client secret. Expiry has to be 1 or 2 years.
  • Once click on ADD and Immediately make a note of Secret Key and Expiry date. If you move away from screen you won’t be able to get the same secret key again and need to generate a new secret.
  • Let’s modify the Microsoft Graph API Permission from User.Read to Directory.Read.all click on Microsoft Graph to enumerate list of API permission. Select Application Permission and under directory, select Directory.Read.All and unselect User.Read under User.
  • Click on Grant Admin consent for Default directory
  • Let’ set Application ID URI (Azure Active Directory ->MECMTechie-Server App -> Expose API). Select Add a Scope
  • Provide App ID URI and provide Scope name: user_impersonation and who can consent as Admins and users and provide the meaning full text and click on Add Scope.
  • Make a note of App ID URI

Register Client App

  • Let’s register client App Azure Active Directory -> App registrations -> Click on New registration to create a new Client App
  • Make of note newly created Client App’s Application ID and Display Name
  • In Authentication it’s an important step, we are going to redirect URI using following syntax

Syntax:- ms-appx-web://Microsoft.AAD.BrokerPlugin/Client App’s Application ID- copy exact string with your client Application ID. Change the type to public client (Mobile & desktops) and click on Save

  • Let’s remove default Microsoft graph User.Read permission
  • Click on Add permission and select Azure Active Directory Graph from API’s. when prompted with What type of permissions does your application require? under list of permission, select directory and then and select Add permissions.
  • We need to one more permissions here, Adding access to server/webapp we created earlier. Select on Add a permission again, select My API’s and select MECMServerApp
  • Confirm user_impersonation is selected and click on Add permission and Grant admin context for default directory.

Enable two services Microsoft.ClassCompute & Microsoft.Storage

  • Enable two service All Services -> Subscriptions -> Select the appropriate Subscription -> Resource Providers

Note:- The user credentials used to sign in here must be either be of a Co-Administrator or subscription owner.

Importing ServerApp & Client App in MECM Console

  • Open the MECM console (Administration –> Azure Services –> Configure Azure services ) and select cloud Management Gateway and select Next
  • Browse WebApp and select Import option
  • Provide details for Server App/Web App
  1. Azure AD Tenant name – Select Tenant name click here
  2. Azure AD Tenant ID – select Tenant ID from here
  3. Application Name – Select Application from here
  4. client ID – Select Client ID from here
  5. Secret Key – Select Secret Key from here
  6. Secret key expiry -Select Secret Key expiry from here
  7. App ID URI – Select App ID URI from here
  8. Click on verify and click Ok.
  • Browse Native Client App
  • Provide details for Native client App
  1. Application Name – Select application from here
  2. Client ID – select client ID from here
  3. Click on OK
  • Enable AAD User discovery, Next and close
  • Once completed, browse to Administration –> cloud service –> Azure Active directory Tenants. You should see Tenant name and Tenant ID. In addition to that, you can see the application name,Tenant ID, Client ID.

Installing Cloud Management Gateway

  • Open MECM Console (Administration –> Cloud services –> Cloud management gateway –> Click on Create cloud management gateway)
  • Select the cloud services option
  • Click on Sign In option and once sign In successfully and click on Next
  • Provide *.PFX certificate file. To know how to create certification for CMG click here.

Note:- Make sure service CName should a valid Unique FQDN

  • Select the option if you want to use as Cloud distribution point
  • Specify alerts and click on Next and close
  • Make sure status should change to ready state
  • Install Cloud management gateway connection point (MECM Console –> Administration –> site configuration –> servers and site system roles –> select server you want to install role).

Allow MECM CMG Traffic

  • We need to configure the management point and software update point to accept the MECM CMG traffic.
  • Go to administration — > Site configuration –>Servers and site system roles. Select Management point and click Properties
  • Select the Software update point and check box Allow configuration Manager cloud management gateway traffic and click Ok


• Deployments, use CloudMgr.log and CMGSetup.log

• Service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.

• Client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.