The fast channel of the current branch 1610 of System Center Configuration Manager (SCCM) received an interesting update that delivers the Cloud Management Gateway.

This new feature helps reduce the infrastructure complexity of managing Internet-based clients.

NOTE: If the update is not displayed in the Updates and Servicing section, you may not have enabled the fast channel. To do this, download the script available here: https://gallery.technet.microsoft.com/ConfigMgr-1610-Enable-046cc0e9

Install and Enable Cloud Management Gateway feature

From the console, access the Updates and Servicing section to download and install the update.

When installing the update, ensure you enable the Cloud Management Gateway feature.

Create the Cloud Management Gateway

Before starting, you will need to request a new certificate that includes the cloudapp.net namespace.

Then, from the SCCM console, go to Administration\Cloud Services\Cloud Management Gateway to create the new gateway.

The process is pretty straightforward.

Provide the Subscription ID and the management certificate (the new one with cloudapp.net, in both .CER and .PFX formats). The CER file will be uploaded into the Azure subscription, while the PFX will be imported into SCCM with the wizard.

NOTE: If you do not upload the certificate into Azure, you will get the error “The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription”.
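
As an added example (not part of the original post, and not Microsoft's own tooling), the PowerShell below pre-checks the certificate before you run the wizard: it confirms a cloudapp.net name, a private key and the validity period, then exports the .CER and .PFX files. The function name Test-CmgCertificate, the thumbprint placeholder and the C:\Temp paths are assumptions to adapt.

```powershell
# Added example. Thumbprint and output paths are placeholders to replace.
function Test-CmgCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $problems = @()
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'Certificate is outside its validity period.'
    }
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'No private key in the store; a PFX cannot be exported.'
    }
    # DnsNameList is a PowerShell-added property listing the certificate's DNS names.
    $cloudNames = @($Certificate.DnsNameList |
        ForEach-Object { $_.Unicode } |
        Where-Object { $_ -like '*.cloudapp.net' })
    if ($cloudNames.Count -eq 0) {
        $problems += 'No DNS name in the cloudapp.net namespace.'
    }
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        NotAfter      = $Certificate.NotAfter
        CloudAppNames = $cloudNames
        Problems      = $problems
    }
}

$thumbprint = '<THUMBPRINT-OF-CMG-CERTIFICATE>'   # placeholder
$cert   = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
$result = Test-CmgCertificate -Certificate $cert
$result | Format-List

if ($result.Problems.Count -gt 0) {
    Write-Warning 'Fix the problems listed above before running the wizard.'
} else {
    # The .CER (public part only) is the file uploaded to the Azure subscription.
    Export-Certificate -Cert $cert -FilePath 'C:\Temp\cmg.cer' -Type CERT | Out-Null
    # The .PFX carries the private key; the key must be marked exportable.
    $pfxPassword = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath 'C:\Temp\cmg.pfx' -Password $pfxPassword | Out-Null
}
```

Treat the exported PFX like any private key and delete the copy in C:\Temp once it has been imported into SCCM.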

You can get the Subscription ID from the Azure portal

To define the VM creation details, you need to import the certificate (PFX file) again. You may get a pop-up stating “The service certificate has the following errors/warnings.” Do not be alarmed: this is because you generated your certificate with the SCCM server name. After the import you will be able to select the service FQDN, which generates the service name correctly.

Select the correct FQDN (*.cloudapp.net) to generate the service name as well as the Region where the VM will be provisioned

You can uncheck Verify client certificate revocation, unless your internal CA is publicly published.

The next settings define the alert thresholds; keep them as default or change them to match your needs.

After the usual configuration summary, you can complete the creation process. You will need to wait some time for the VM to be provisioned on your Azure tenant; you can check the progress from the SCCM console.

Configure the Cloud Management Gateway

Once the Cloud Management Gateway status shows Provisioning Completed in the SCCM console, you can continue to configure the gateway.

To do so, you need to define a connection point with the Cloud Management Gateway by adding the new server role “Cloud management gateway connection point”.

Once you have enabled the cloud management gateway connection point role, you need to update your management point to take advantage of the new role.

At this stage, the status of the Cloud Management Gateway is Ready, and you can see the connection point(s) on the Connection Point tab (the status is Disconnected if you have not yet enabled the management point).

Once the connection point status is Ready, you can also see the role endpoints associated with the gateway.

Check the client

Once you have configured the gateway, you should see your Internet-based clients using the new Internet-based management point, which will look something like <your Cloud Management Gateway service>.cloudapp.net/CCM_Proxy_MutualAuth/<GUID>
