SCCM – Cloud Management Gateway

The fast channel of the current branch 1610 of System Center Configuration Manager (SCCM) received an interesting update that delivers the Cloud Management Gateway.

This new feature helps reduce the infrastructure complexity of managing Internet-based clients.

NOTE: If the update is not displayed in the Update and Servicing section, you may not have enabled the fast channel. To do this, download the script available here.

Install and Enable Cloud Management Gateway feature

From the console, access the Update and Servicing section to download and install the update.


When installing the update, make sure you enable the Cloud Management Gateway feature.



Create the Cloud Management Gateway

Before starting, you will need to request a new certificate to include the namespace.

Then, from the SCCM console, go to Administration\Cloud Services\Cloud Management Gateway to create the new gateway.

The process is pretty straightforward.


Provide the Subscription ID and the management certificate (the new one, in both .CER and .PFX formats). The CER file will be uploaded into the Azure subscription, while the PFX will be imported into SCCM with the wizard.

NOTE: If you do not upload the certificate into Azure, you will get the error “The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription”.
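A pre-flight check for this step, as an added example that is not part of the original post: it confirms that the .CER destined for Azure and the .PFX destined for the wizard are the same certificate, that only the PFX carries a private key, and that the certificate is currently valid. The function name and file names are hypothetical.

```powershell
# Added example. Function name and file names are hypothetical.
function Test-ManagementCertPair {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    $type = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $cer = $pfx = $null
    try {
        # The .CER should hold the public certificate only; the .PFX holds it plus the private key.
        $cer = $type::new((Resolve-Path -LiteralPath $CerPath).Path)
        $pfx = $type::new((Resolve-Path -LiteralPath $PfxPath).Path, $PfxPassword)

        $now = Get-Date
        $problems = @()
        if ($cer.Thumbprint -ne $pfx.Thumbprint) {
            $problems += 'CER and PFX are not the same certificate (thumbprints differ).'
        }
        if (-not $pfx.HasPrivateKey) {
            $problems += 'PFX does not contain a private key.'
        }
        if ($cer.HasPrivateKey) {
            $problems += 'The file given as CER contains a private key; export the public certificate only.'
        }
        if ($now -lt $pfx.NotBefore -or $now -gt $pfx.NotAfter) {
            $problems += "Certificate is outside its validity period ($($pfx.NotBefore) to $($pfx.NotAfter))."
        }
        # One result object: certificate identity plus every problem found.
        [pscustomobject]@{
            Subject    = $pfx.Subject
            Thumbprint = $pfx.Thumbprint
            NotAfter   = $pfx.NotAfter
            Problems   = $problems
            Ok         = ($problems.Count -eq 0)
        }
    }
    finally {
        # Release the certificate handles opened by loading the files.
        if ($cer) { $cer.Reset() }
        if ($pfx) { $pfx.Reset() }
    }
}

# Constructed usage; the file names are placeholders.
# Test-ManagementCertPair -CerPath .\cmg-mgmt.cer -PfxPath .\cmg-mgmt.pfx `
#     -PfxPassword (Read-Host -AsSecureString 'PFX password')
```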


You can get the Subscription ID from the Azure portal.


To define the VM creation details, you need to import the certificate (PFX file) again. You may get a pop-up saying “The service certificate has the following errors/warnings.” Do not be afraid: this is because you generated your certificate with the SCCM server name. After the import you will be able to select the service FQDN, which will generate the service name correctly.


Select the correct FQDN (* to generate the service name, as well as the region where the VM will be provisioned.

You can uncheck Verify client certificate revocation, unless your internal CA is publicly published.


The next settings define the alert thresholds; keep them at their defaults or change them to match your needs.


After the usual configuration summary, you can complete the creation process. You will need to wait some time for the VM to be provisioned on your Azure tenant; you can check the progress from the SCCM console.



Configure the Cloud Management Gateway

Once the Cloud Management Gateway status shows provisioning completed in the SCCM console, you can continue to configure the gateway.

To do so, you need to define a connection point with the Cloud Management Gateway by adding the new server role “Cloud management gateway connection point”.


Once you have enabled the cloud management gateway connection point role, you need to update your management point to take advantage of the new role.


At this stage, the status of the Cloud Management Gateway is Ready and you can see the connection point(s) on the Connection Point tab (the status is Disconnected if you have not yet enabled the management point).


Once the connection point status is Ready, you can also see the role endpoints associated with the gateway.



Check the client

Once you have configured the gateway, you should see your Internet-based client using the new Internet-based management point, which will be something like <your Cloud Management Gateway service><GUID>.

