Microsoft’s Cloud Management Gateway (CMG): 8 of Our Most Frequently Asked Questions

While some employees are slowly returning to the office, a generous portion of the workforce is still logging in remotely. In some capacity, remote work is here to stay indefinitely.  

As more companies become acquainted with a hybrid workforce, they’re often met with challenges related to managing their remote clients, enabling endpoint protection, distributing software, and more. With Microsoft’s Cloud Management Gateway, users can safely manage remote clients without exposing their on-premises infrastructure to the internet.  

So, what is Cloud Management Gateway?  

Cloud Management Gateway, or CMG for short, is a cloud extension of Microsoft Endpoint Configuration Manager that enables remote systems’ management without VPN (Virtual Private Networks) and without an extensive certificate requirement.  

Cloud Management Gateway FAQ’s:  

If you’re considering CMG for your business or organization, we’ve broken down the most frequently asked questions we receive so you know what to expect:  

1. Do I need certificates? 

Yes, a trusted third-party certificate or public key infrastructure (PKI) certificates are required to create a secure communication between your on-premises Configuration Manager and the CMG resources that are primarily hosted in Azure. As far as the client certificates, plan to enable certificate enrollment for the workstations when domain joined. 

Please note that the use of certificates is less than a traditional SCCM Internet Based Computer Management (IBCM) configuration when using modern authentication and enhanced http in MECM (Microsoft Endpoint Configuration Manager). This configuration does not require that the management point be converted to operate only with https. 

2. Where would a CMG get installed? 

The CMG is configured as a site system role, using the Configuration Manager console and with the use of an active Azure tenant. The resources used by the CMG are provisioned in the Azure cloud. 

3. Are there fees associated with running the CMG? 

Yes, there are compute fees for the virtual machine scale sets and egress fees for non-Microsoft provided content. 

4. Do I need an Azure Cloud subscription? 

Yes, there are Azure resources used for various purposes. In addition to authentication tokens provided by Azure AD (Active Directory), Intune integration with Microsoft Endpoint Configuration Manager (co-management) is highly recommended but not required.  

5. Which version of Configuration Manager is required?  

2107 (July 2021 release) or later, is required to support the current features and deployment practices for the CMG. 

6. What is enhanced http or e-http?  

E-http allows you to secure sensitive client communication without the need for PKI server authentication certificates. Clients can securely access content from distribution points without the need for a network access account, client PKI certificate, or Windows authentication.  

7. Do I still need a split-tunnel VPN configuration for my Microsoft content?  

Yes. To keep the costs down when utilizing Azure stored content and make this fully independent of on-premises content, this configuration is recommended to allow Microsoft edge content locations to download the content when connected to VPN. Microsoft related content provided in this configuration is not billed as egress when servicing internet-based clients. 

8. How does this change my non-Microsoft content delivery?  

When completely disconnected, the client will negotiate the state and switch to internet managed. Internet managed devices are configured to get Microsoft updates through Microsoft resources. As far as non-Microsoft content is concerned, the client will be able to only get content that is distributed to the CMG Servers in Azure, also known as a Virtual Machine Scale Set.  

Next Steps: Enhance Your Remote Environment 

CMG provides users with a straightforward way to manage Configuration Manager clients remotely so clients can seamlessly access on-premises site roles whether on the intranet or internet. As the workforce continues to rapidly change, it’s important that your business takes advantage of the latest means to support your employees.  

For more information on Cloud Management Gateway, contact an Arraya expert today to start a conversation.  

Visit https://www.arrayasolutions.com//contact-us/ to connect with our team now. 

Comment on this and all of our posts on: LinkedIn, Twitter and Facebook.     

Follow us to stay up to date on our industry insights and unique IT learning opportunities.