Applies to: Configuration Manager (current branch)
This article answers frequently asked questions about the cloud management gateway (CMG). For more information, see the CMG overview.
Do I need a certificate?
Yes, at least one, and possibly others depending on your design.

- Server authentication certificate: The CMG creates an HTTPS service that internet clients connect to. The service requires a server authentication certificate to build the secure channel. You can buy this certificate from a public provider or issue it from your public key infrastructure (PKI). For more information, see CMG server authentication certificate.
- Client authentication certificate: Depending on your CMG environment and design, you can use PKI certificates to authenticate clients. This authentication method doesn't support user scenarios, but it does support devices running a supported version of Windows. For more information, see Configure client authentication for CMG: PKI certificate.
  When you use this client authentication method, you must also export the root trust chain of the client certificate. You then use this certificate chain when you create the CMG and the CMG connection point.
- HTTPS management point: Depending on how the site is configured and which client authentication method you select, you may need to configure the internet-facing management point to support HTTPS. For more information, see Configure client authentication for CMG: Enable the management point for HTTPS.
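As an added example, not from the Configuration Manager documentation: a PowerShell script that locates this machine's PKI client authentication certificate, verifies that its chain builds to a trusted root, and exports each issuing CA certificate (intermediates and root) as a DER-encoded .cer file, which is the chain you supply when creating the CMG and the CMG connection point. It assumes the certificate carries the Client Authentication EKU and lives in the local machine Personal store; the output folder is a placeholder.

```powershell
# Added example: export the CA trust chain of the local client authentication certificate.
# Assumptions: the certificate has the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
# and is in Cert:\LocalMachine\My; $outDir is a placeholder path.
$outDir = 'C:\Temp\CmgChain'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Pick the newest certificate with a private key and the Client Authentication EKU.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate found in LocalMachine\My.' }

# Build the chain and fail early if it does not validate to a trusted root;
# a chain that does not build here will not work for the CMG either.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is checked separately by the CMG
if (-not $chain.Build($clientCert)) {
    throw ('Chain does not validate: ' + ($chain.ChainStatus.StatusInformation -join '; '))
}

# Element 0 is the leaf (client) certificate; export everything above it.
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    $ca   = $_.Certificate
    $name = $ca.Subject -replace '[^A-Za-z0-9]', '_'
    $path = Join-Path $outDir "$name.cer"
    [System.IO.File]::WriteAllBytes($path, $ca.Export('Cert'))
    '{0}  ->  {1}' -f $ca.Subject, $path
}
```

The last element written is the root CA; when the chain has intermediates, keep all the exported files together so the full chain can be provided.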
Do I need Azure ExpressRoute?
With Azure ExpressRoute, you can extend your on-premises network into the Microsoft cloud. ExpressRoute or other virtual network connections aren't required for CMG. The CMG design lets internet clients communicate through Azure with on-premises systems without additional network configuration. For more information, see the CMG overview.
Do I need to maintain or secure the Azure VMs?
No. The CMG design uses Azure platform as a service (PaaS). Using the subscription you provide, Configuration Manager creates the necessary VMs, storage, and networking. Azure secures and updates these VMs. You don't need to monitor them. The Azure VMs for CMG aren't part of your on-premises environment, as they would be with infrastructure as a service (IaaS). CMG is a PaaS that extends your Configuration Manager environment into the cloud. For more information, see Securing PaaS deployments.
Because the CMG only relays client communication, it doesn't process, maintain, or store any client data. The internet communication path always uses HTTPS. For additional security, configure the management point for HTTPS, and configure the site option for clients to encrypt inventory and status messages. For more information, see Plan for security: signing and encryption.
How can I ensure service continuity during service updates?
When you scale your CMG to two or more instances, you automatically take advantage of update domains in Azure. See Update the cloud service.
I already use IBCM. If I add a CMG, how will clients behave?
If you already have internet-based client management (IBCM), you can also deploy a CMG. Clients receive policy for both services. When they're on the internet, they randomly choose one of these internet-facing services and use it.
Do user accounts need to be in the same Azure AD tenant as the tenant associated with the subscription that hosts the CMG cloud service?
No, you can deploy CMG in any subscription that can support Azure cloud services.
To clarify the terms:
- An Azure AD tenant is the directory that contains user accounts and app registrations. A tenant can have multiple subscriptions.
- An Azure subscription separates billing, resources, and services. It's associated with a single tenant.
For more information, see Subscriptions, licenses, accounts, and tenants for Microsoft Cloud offerings.
This question is common in the following scenarios:
- When you have separate Active Directory and Azure AD test and production environments, but one centralized Azure hosting subscription.
- When Azure usage grew organically across teams.
When you use an Azure Resource Manager deployment, you integrate the site with the Azure AD tenant associated with your subscription. This connection enables Configuration Manager to authenticate to Azure to create, deploy, and manage the CMG.
If you use Azure AD authentication for the users and devices that the CMG manages, you must integrate the site with that Azure AD tenant. For more information on the Cloud Management Azure service, see Configure Azure services. With each Azure AD tenant integration, a single CMG can provide Azure AD authentication for multiple tenants, regardless of where it's hosted.
Example 1: Tenant with multiple subscriptions
User identities, device registrations, and app registrations are all in the same tenant. You can choose which subscription the CMG uses. You can deploy multiple CMG services from one site into separate subscriptions. The site has a one-to-one relationship with the tenant. You decide which subscriptions to use for reasons such as billing or logical separation.
Example 2: Multiple tenants
In other words, your environment has more than one Azure AD tenant. If you need to support user and device identities in both tenants, you must integrate the site with each tenant. This process requires an administrator account from each tenant to create the app registration in that tenant. The site can then host CMG services across multiple tenants. You can create a CMG in any subscription available in any tenant. Azure AD joined or hybrid joined devices can use the CMG.
If your user and device identities are in one tenant, but your CMG subscription is in a different tenant, you need to integrate the site with both tenants. Technically, a client app isn't required for a second tenant that only hosts a CMG service. The client app provides user and device authentication only to clients that use the CMG service.
How does CMG affect my VPN-connected clients?
Mobile clients that connect to your environment over VPN are usually detected as being on your intranet. They try to connect to on-premises infrastructure such as management points and distribution points. Some customers prefer these roaming clients to be managed by cloud services even when they're connected over VPN.
You can associate a CMG with a boundary group. This action forces these clients not to use on-premises site systems. For more information, see Configure boundary groups.
How does management point configuration affect internal clients?
To secure sensitive traffic sent through the CMG, you must configure at least one management point to use HTTPS, or configure the site to support enhanced HTTP.
Therefore, after you deploy the CMG and use PKI certificates for HTTPS communication on the CMG management point, select the option Allow internet-only clients in the management point properties. This configuration ensures that internal clients continue to use the existing HTTP management points in your environment.
If you're using enhanced HTTP, you don't need to configure this setting. Clients still use HTTP when they communicate directly with the CMG management point. For more information, see Enhanced HTTP.
What are the differences in client authentication between Azure AD and certificates?
You can authenticate to the CMG with Azure AD or with a client authentication certificate on the device. You can also use Configuration Manager site-issued tokens for authentication.
If you manage traditional Windows clients with identities that are part of an Active Directory domain, they need PKI certificates to secure the communication channel. These clients can run any supported version of Windows. You can use all features that the CMG supports, but software distribution is limited to device targeting. Install the Configuration Manager client before the device goes onto the internet, or use token authentication.
You can also manage clients running Windows 10 or later that have a modern identity, either hybrid or pure cloud domain-joined to Azure AD. These clients use Azure AD for authentication instead of PKI certificates. Azure AD is simpler to set up, configure, and maintain than more complex PKI systems. You can do the same user-targeted management and software distribution. It also allows additional client installation methods on a remote device.
Microsoft recommends joining devices to Azure AD. Internet-based devices can use Azure AD to authenticate with Configuration Manager. It also enables both device and user scenarios, whether the device is on the internet or connected to the internal network.
For more information, see Configure client authentication.
Should I use a virtual machine scale set deployment?
Yes, if your site is version 2107 or later. This deployment method is no longer a pre-release feature and is recommended for all customers. If you have an existing classic CMG deployment, you can convert it to a virtual machine scale set.
If your site is version 2010 or 2103, the virtual machine scale set deployment method is a pre-release feature. It is only for customers with a Cloud Solution Provider (CSP) subscription.
Starting in version 2203, the option to deploy the CMG as a cloud service (classic) is removed. All CMG deployments must use a virtual machine scale set. For more information, see Removed and deprecated features.
For more information on deploying the CMG as a virtual machine scale set, see Plan for CMG.
Does CMG use Azure CDN for content?
No. CMG doesn't currently support the Azure Content Delivery Network (CDN). CDN is a global solution for rapidly delivering high-bandwidth content by caching it at strategically placed physical nodes around the world. For more information, see What is Azure CDN?.
Do I need to do anything about the Azure AD Graph API and the replacement of the Azure AD Authentication Library (ADAL)?
No. You may have seen the following blog post and wondered how it relates to Configuration Manager: Update your apps to use the Microsoft Authentication Library and the Microsoft Graph API. That post applies to any custom-developed code that uses these authentication libraries. Configuration Manager has already used the Microsoft Graph API and the Microsoft Authentication Library (MSAL) in some places for several years. All other components were updated in Configuration Manager version 2107 with the update rollup. If you stay current with Configuration Manager versions, you don't need to do anything else.
Some people confuse the information in that blog post with the Azure AD app registrations that Configuration Manager uses for various cloud-attached services. These app registrations are cloud-based service principals that don't directly use these authentication libraries. If an Azure global administrator manually created the Configuration Manager app registrations in Azure AD, they can verify that the registrations have permissions to the Microsoft Graph API. They don't need permissions to the Azure AD Graph API. For more information, see Manually register Azure AD apps.