Set up checklist for CMG
Applies to: Configuration Manager (current branch)
Before you deploy a cloud management gateway (CMG), use this article to understand the setup process. Also make sure you have all of the prerequisites ready to get started.
First, develop your design and plan for implementing a CMG in your environment. For more information, see Plan for cloud management gateway. Use the articles in that section to determine your CMG design.
The overall CMG setup process is divided into the following five main parts:
- Get the CMG server authentication certificate: The CMG uses HTTPS for secure client communication over the public internet. You can get a certificate from a public provider, or issue one from your public key infrastructure (PKI).
- Configure Azure Active Directory (Azure AD): Configuration Manager requires app registrations in Azure AD. You can let Configuration Manager create them, or an Azure administrator can pre-create the registrations.
- Configure client authentication: Because clients communicate across the internet, Configuration Manager requires more security for this channel. You can use Azure Active Directory (Azure AD), PKI certificates, or token-based authentication from the site server.
- Set up the CMG: This step also includes configuring the site, and adding the CMG connection point site system role.
- Configure clients to use the CMG.
The other articles in this section step through each part of the process.
The following terms are used in the context of setting up a CMG. They're defined here for clarity.
- Azure AD tenant: The directory of user accounts and app registrations. One tenant can have multiple subscriptions.
- Azure subscription: A subscription separates billing, resources, and services. It's associated with a single tenant.
  For more information, see Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings.
- Azure resource group: A container that holds related resources for an Azure solution. The resource group includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization. For more information, see Resource groups.
- CMG service name: The common name (CN) of the CMG server authentication certificate. Clients and the CMG connection point site system role communicate with this service name. For example,
- CMG deployment name: The first part of the service name plus the Azure location for the cloud service deployment. The cloud service manager component of the service connection point uses this name when it deploys the CMG in Azure. The deployment name is always in an Azure domain. The Azure location depends upon the deployment method, for example:
  - Virtual machine scale set:
  - Classic deployment:
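Because the CMG service name must be the CN of the server authentication certificate, it is worth checking the PFX against the intended service name before you upload it during CMG creation. The following PowerShell is an added example, not part of the Microsoft article; the PFX path and service name are placeholders for your own values.

```powershell
# Added example, not from the Microsoft article: sanity-check a CMG server
# authentication certificate (PFX) against the CMG service name you intend to
# use. The path and service name passed in at the bottom are placeholders.
function Test-CmgServerAuthCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $ServiceName
    )

    # Prompt for the PFX password instead of embedding it in the script.
    $password = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $password)

    # Subject CN, plus any DNS entries from the subject alternative name extension.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

    $checks = [ordered]@{
        'Subject CN matches service name'   = ($cn -ieq $ServiceName)
        'SAN contains service name'         = ($dnsNames -icontains $ServiceName)
        'Private key present in PFX'        = $cert.HasPrivateKey
        'Server Authentication EKU present' = ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        'Not yet expired'                   = ($cert.NotAfter -gt (Get-Date))
        'Valid for at least 30 more days'   = ($cert.NotAfter -gt (Get-Date).AddDays(30))
        'Signature algorithm is not SHA-1'  = ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha1')
    }

    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Output ('{0,-4} {1}' -f $status, $name)
    }
    Write-Output ('CN: {0}; SAN: {1}; expires {2:yyyy-MM-dd}; thumbprint {3}' -f `
        $cn, ($dnsNames -join ', '), $cert.NotAfter, $cert.Thumbprint)

    # $true only when every check passed.
    return -not ($checks.Values -contains $false)
}

# Example call with placeholder values:
Test-CmgServerAuthCertificate -PfxPath 'C:\Certs\cmg-server-auth.pfx' -ServiceName 'cmg.contoso.com'
```

Run this on the PFX you plan to use for the CMG; a FAIL on the CN or SAN check means clients and the CMG connection point would be talking to a name the certificate does not cover.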
Use the following checklist to make sure you have the necessary information and prerequisites to create a CMG:
- The Azure environment to use. For example, the Azure Public Cloud or the Azure US Government Cloud.
- The Azure region for this CMG deployment.
- How many VM instances you need for scale and redundancy.
- An Azure global administrator role to register apps in Azure AD.
- An Azure subscription owner role for when you create the CMG in Azure.
- At least one existing site system server on which you plan to add the CMG connection point role.
You'll set up other prerequisite components during the next steps in the process.
Automate with PowerShell
Optionally, you can automate aspects of the CMG setup using PowerShell. While some cmdlets were available in earlier versions, version 2010 includes new cmdlets and significant improvements to existing cmdlets.
For example, an Azure administrator first creates the two required apps in Azure Active Directory (Azure AD). Then you write a script that uses the following cmdlets to deploy a CMG:
- Import-CMAADServerApplication: Create the Azure AD server app definition in Configuration Manager.
- Import-CMAADClientApplication: Create the Azure AD client app definition in Configuration Manager.
- Get-CMAADApplication: Get the app objects, then pass them to New-CMCloudManagementAzureService to create the Azure service connection in Configuration Manager.
- New-CMCloudManagementGateway: Create the CMG service in Azure.
- Add-CMCloudManagementGatewayConnectionPoint: Create the CMG connection point site system.
You can use these cmdlets to automate the creation, configuration, and management of the CMG service and Azure Active Directory (Azure AD) requirements.
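The sequence above, written out as one script, is an added example and not code from the Microsoft article. Every tenant, app, GUID, certificate, region and server value in it is a placeholder, and the parameter names follow the cmdlet help for version 2010 as the author of this example recalls them; confirm each with `Get-Help <cmdlet> -Full` in your own console before running it. Secrets (the server app's client secret and the PFX password) are prompted for at run time rather than stored in the script.

```powershell
# Added example, not from the Microsoft article: deploy a CMG with the cmdlets
# named in this section. All values are placeholders; parameter names are
# assumed from the 2010 cmdlet help and should be verified with Get-Help.

$SiteCode = 'PS1'                                              # placeholder site code

# 1. Load the Configuration Manager module and change to the site drive.
Import-Module "$(Split-Path $Env:SMS_ADMIN_UI_PATH -Parent)\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# 2. Details of the two app registrations an Azure administrator pre-created.
$TenantName     = 'contoso.onmicrosoft.com'                    # placeholder
$TenantId       = '00000000-0000-0000-0000-000000000000'       # placeholder tenant GUID
$ServerAppName  = 'ConfigMgr CMG Server App'                   # placeholder
$ServerAppId    = '11111111-1111-1111-1111-111111111111'       # placeholder application (client) ID
$ServerAppIdUri = 'https://ConfigMgrService'                   # placeholder Application ID URI
$ClientAppName  = 'ConfigMgr CMG Client App'                   # placeholder
$ClientAppId    = '22222222-2222-2222-2222-222222222222'       # placeholder application (client) ID

# Prompt for the server app's client secret; never keep it in the script or in
# source control. Import-CMAADServerApplication expects the secret as a string.
$secureSecret = Read-Host -Prompt 'Server app client secret' -AsSecureString
$secretPlain  = [System.Net.NetworkCredential]::new('', $secureSecret).Password
$secretExpiry = (Get-Date).AddYears(1)                          # placeholder: use the expiry set in Azure AD

Import-CMAADServerApplication -TenantName $TenantName -TenantId $TenantId `
    -AppName $ServerAppName -ClientId $ServerAppId -AppIdUri $ServerAppIdUri `
    -SecretKey $secretPlain -SecretKeyExpiry $secretExpiry
Remove-Variable secretPlain, secureSecret

Import-CMAADClientApplication -TenantName $TenantName -AppName $ClientAppName -ClientId $ClientAppId

# 3. Read the app definitions back and bind them into one Cloud Management Azure service.
$serverApp = Get-CMAADApplication -TenantName $TenantName -AppName $ServerAppName -Type ServerApplication
$clientApp = Get-CMAADApplication -TenantName $TenantName -AppName $ClientAppName -Type ClientApplication

New-CMCloudManagementAzureService -Name 'Contoso Cloud Management' `
    -Description 'Azure service for the Contoso CMG' `
    -AzureEnvironmentOption AzurePublicCloud -ServerApp $serverApp -ClientApp $clientApp

# 4. Create the CMG in Azure. The certificate CN must equal the service name.
#    The PFX password is prompted for, for the same reason as the client secret.
$SubscriptionId = '33333333-3333-3333-3333-333333333333'       # placeholder subscription GUID
$CmgServiceName = 'cmg.contoso.com'                            # placeholder; CN of the server auth cert
$certPassword   = Read-Host -Prompt 'Server authentication certificate PFX password' -AsSecureString

New-CMCloudManagementGateway -AzureSubscriptionId $SubscriptionId -EnvironmentSetting AzurePublicCloud `
    -ServiceName $CmgServiceName -Region EastUS -VMInstanceCount 2 `
    -ServiceCertPath 'C:\Certs\cmg-server-auth.pfx' -ServiceCertPassword $certPassword `
    -GroupName 'rg-cmg-prod' -IsUsingExistingGroup $false `
    -VerifyClientCertificateRevocation $true   # keep on when your CRL is reachable from the internet

# 5. Add the CMG connection point role to an existing site system server.
Add-CMCloudManagementGatewayConnectionPoint -CloudManagementGatewayName $CmgServiceName `
    -SiteSystemServerName 'cmgcp01.contoso.com' -SiteCode $SiteCode   # placeholder server FQDN
```

Run steps 1 to 3 with an account that only needs to read the pre-created app registrations, and step 4 with the subscription owner role from the checklist; the global administrator role is needed only for registering the apps in Azure AD, which the Azure administrator did beforehand.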
- Azure AD app definitions in Configuration Manager:
- The Cloud Management Azure service in Configuration Manager:
- The cloud management gateway service in Configuration Manager:
- The CMG connection point site system role:
Get started with your CMG setup by getting a server authentication certificate: