Applies to: Configuration Manager (current branch)
If you need to change its configuration after you create it, you can modify the Cloud Management Gateway (CMG).
Configure properties
After you create a CMG, you can change some of its settings. Select the CMG in the Configuration Manager console and select Properties. Configure the settings on the following tabs:
Settings tab
Certificate file: Change the server authentication certificate for the CMG. This option is useful when you renew the certificate before it expires. If you get a new certificate, make sure its common name is the same.
Note
When you renew the server authentication certificate for the CMG, the FQDN that you provide for the certificate's common name (CN) is case-sensitive. For example, if the CN of the current certificate is granitefalls.contoso.com, create the new certificate with the same CN in lower case. The wizard does not accept a certificate with the CN GRANITEFALLS.CONTOSO.COM.
If you make significant changes to the certificate, you may need to redeploy the service. For example, changing the organization name on the certificate.
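The following PowerShell is an added example, not code from the Configuration Manager documentation: it checks a renewal certificate before you upload it as the new certificate file, modelling the wizard's case-sensitive CN comparison. It assumes that $CurrentServiceName is the CN of the certificate the CMG uses today and that $NewPfxPath is a placeholder path to the renewed certificate exported as a PFX.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumptions: $CurrentServiceName is the CN of the certificate currently in
# use; $NewPfxPath is a placeholder path to the renewed certificate (PFX).
function Test-CmgRenewalCertificate {
    param(
        [Parameter(Mandatory)] [string] $CurrentServiceName,
        [Parameter(Mandatory)] [string] $NewPfxPath
    )
    # Get-PfxCertificate prompts for the PFX password when one is set.
    $cert = Get-PfxCertificate -FilePath $NewPfxPath

    # SimpleName returns the subject CN when the certificate has one.
    $newCn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # The wizard compares the CN with the existing service name byte for byte,
    # so an ordinal comparison models it. A case-only mismatch is reported
    # separately because that is the renewal mistake described above.
    $exactMatch = [string]::Equals($newCn, $CurrentServiceName, [StringComparison]::Ordinal)
    $caseOnly   = (-not $exactMatch) -and
                  [string]::Equals($newCn, $CurrentServiceName, [StringComparison]::OrdinalIgnoreCase)

    # A CMG certificate must carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # Subject is returned so other RDNs (for example O=) can be compared with the
    # old certificate; a change there may require redeploying the service.
    [pscustomobject]@{
        NewCommonName      = $newCn
        MatchesServiceName = $exactMatch
        DiffersOnlyByCase  = $caseOnly
        HasServerAuthEku   = $serverAuth
        NotAfter           = $cert.NotAfter
        Subject            = $cert.Subject
    }
}

$result = Test-CmgRenewalCertificate -CurrentServiceName 'granitefalls.contoso.com' -NewPfxPath 'C:\certs\cmg-renewal.pfx'
if (-not $result.MatchesServiceName) {
    if ($result.DiffersOnlyByCase) {
        Write-Warning "CN '$($result.NewCommonName)' differs from the service name only by case; reissue it in the same case."
    } else {
        Write-Warning "CN '$($result.NewCommonName)' is a different service name; this requires a new CMG deployment."
    }
}
$result
```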
Description: Provide an optional description to further identify this CMG in the Configuration Manager console.
VM instances: Change the number of VMs the service uses in Azure. This setting lets you dynamically scale the service up or down based on usage or cost considerations.
Certificates: Add or remove trusted root or intermediate CA certificates. This option is useful when you add new CAs or retire expired certificates.
Check client certificate revocation: If you didn't originally enable this setting when you created the CMG, you can enable it after you publish the CRL. For more information, see Publish the certificate revocation list.
Enforce TLS 1.2: The CMG enables this option by default. It requires the use of the TLS 1.2 encryption protocol. Starting in version 2107 with the update rollup, this setting also applies to the CMG storage account. For more information, see How to enable TLS 1.2.
Allow CMG to act as a cloud distribution point and serve content from Azure storage: The CMG enables this option by default. If you plan to target content delivery to clients, you must configure the CMG for content delivery.
Alerts tab
You can reconfigure the alerts at any time after you create the CMG. For more information, see Monitor the CMG: Set up outgoing traffic alerts.
Content tab
View the packages assigned to the cloud storage account for this CMG. See how much space each package occupies in the storage account. When you select a package, you can redistribute or remove the content files.
To verify that the content files for a package are available on the content-enabled CMG, go to the Content Status node in the Monitoring workspace. For more information, see Monitor the content you distribute.
Convert
Note
Configuration Manager does not enable this optional feature by default. You must enable this feature before you can use it. For more information, see Enable optional features from updates.
Starting in version 2107, if you have a CMG that uses the classic cloud service, convert it to use a virtual machine scale set.
Tip
This process reuses the underlying storage account.
When you convert a CMG, you can't change all of its settings:

| Setting | Convert |
|---|---|
| VM size | Yes |
| VM instances | Yes |
| Check the CRL | Yes |
| TLS required | Yes |
| Serve content | Yes |
| Azure environment | No |
| Subscription | No |
| Azure AD app | No |
| Region | No |
| Resource group | No |
To make changes that the conversion process doesn't support, you need to redeploy the service.
Important
If your CMG's service name is in the cloudapp.net domain, you cannot convert it to a virtual machine scale set. For example, you have a server authentication certificate from your internal PKI with the common name GraniteFalls.cloudapp.net. Because Microsoft owns the cloudapp.net domain, you cannot create a DNS CNAME to map this service name to the new deployment name in the cloudapp.azure.com domain.
- Issue a new server authentication certificate from your internal PKI with a new service name. Consider using your own domain name instead of a Microsoft domain. For more information, see Use a corporate PKI certificate.
- Deploy a new CMG as a virtual machine scale set with the new certificate.
- Once clients update policy to get this new CMG, delete the old CMG.
For more information, see Replace a CMG with a new service name.
Process to convert a CMG to a virtual machine scale set
Important
First, check the prerequisites for virtual machine scale sets. For example, make sure you register the necessary Azure resource providers in the subscription. You also need both the Subscription Owner permission on the associated subscription and the Global Admin permission in the associated tenant.
In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Cloud Management Gateway node.
Select a CMG instance whose Status is Ready. On the ribbon, select Convert. This action opens the Convert CMG wizard.
On the General page, select Next. You cannot change any of these settings.
On the Settings page, note the new deployment name with the suffix for the virtual machine scale set.
Make other configuration changes as needed. Then select Next and complete the wizard.
Monitor the conversion process just as you would a new deployment. For example, view the status in the console and check cloudmgr.log. For more information, see Monitor CMG.
Update or create a DNS CNAME
Because the deployment name has changed, you must update or create a DNS canonical name (CNAME) record. This alias maps the service name to the deployment name. For more information, see Create a DNS CNAME alias.
For example:
- The CMG's service name is GraniteFalls.contoso.com.
- The deployment name:
  - Classic: GraniteFalls.cloudapp.net
  - Virtual machine scale set: GraniteFalls.EastUS.CloudApp.Azure.Com
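The following PowerShell is an added example, not code from the Configuration Manager documentation: after the conversion it repoints the service name's CNAME at the new scale set deployment name and then confirms that resolution follows the alias. It assumes the contoso.com zone is hosted on a Windows DNS server (DnsServer module) named by the placeholder $DnsServer, and uses the sample names from the example above.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumptions: zone hosted on a Windows DNS server (DnsServer module);
# $DnsServer is a placeholder; names are the article's sample names.
function Set-CmgServiceAlias {
    param(
        [string] $ZoneName       = 'contoso.com',
        [string] $RecordName     = 'GraniteFalls',                           # service name relative to the zone
        [string] $DeploymentName = 'GraniteFalls.EastUS.CloudApp.Azure.Com', # new scale set deployment name
        [string] $DnsServer      = 'dns01.contoso.com'                       # placeholder DNS server
    )
    # A service name in the Microsoft-owned cloudapp.net domain cannot be aliased
    # this way; that case needs a new certificate and a new CMG instead.
    if ($ZoneName -match 'cloudapp\.net$' -or $RecordName -match '\.cloudapp\.net$') {
        throw 'Service names under cloudapp.net cannot be mapped with a CNAME.'
    }

    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType CName `
        -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if ($existing) {
        # Update in place so the classic alias (GraniteFalls.cloudapp.net) is replaced, not duplicated.
        $updated = $existing.Clone()
        $updated.RecordData.HostNameAlias = "$DeploymentName."   # FQDN alias needs the trailing dot
        Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $existing -NewInputObject $updated `
            -ComputerName $DnsServer
    } else {
        Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $RecordName -HostNameAlias $DeploymentName `
            -ComputerName $DnsServer
    }

    # Verify against the authoritative server. DNS names compare case-insensitively,
    # unlike the certificate CN check in the wizard.
    $answer = Resolve-DnsName -Name "$RecordName.$ZoneName" -Type CNAME -Server $DnsServer |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $resolved = $answer.NameHost.TrimEnd('.')
    [pscustomobject]@{
        ServiceName    = "$RecordName.$ZoneName"
        DeploymentName = $DeploymentName
        ResolvedTarget = $resolved
        InSync         = ($resolved -ieq $DeploymentName.TrimEnd('.'))
    }
}

Set-CmgServiceAlias
```

Clients cache the old alias until its TTL expires, so check InSync again from a client's resolver before you rely on the new deployment.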
Deploy the service again
Major changes such as the following require redeployment of the service:
- Subscription
- Service name
- Region
- Resource group
- Significant changes to server authentication certificate
Always have at least one active CMG so that internet-based clients can receive updated policies. Internet-based clients cannot communicate with a removed CMG, and they don't know about a new one until they update policy. If you create a second CMG instance in order to delete the first, also create another CMG connection point.
Clients update policy every 24 hours by default. Wait at least a day after you create a new CMG before you delete the old one. If clients are powered off or not connected to the internet, you may have to wait longer.
If you have an existing CMG from version 1810 or earlier, it uses the Azure Service Manager deployment method, which relied on an Azure management certificate. This method is deprecated and will be removed in a later version of Configuration Manager. Redeploy a new CMG to use the Azure Resource Manager deployment method.
The process to redeploy the service depends on your service name and whether you want to reuse it.
Note
In version 2107 and later, you can have multiple CMGs that use different deployment methods. You can also convert a Cloud service (classic) CMG to a Virtual Machine Scale Set. For more information, see Convert.
In versions 2010 and 2103, if you already have a CMG with the Cloud service (classic) method, you cannot deploy another CMG as a Virtual Machine Scale Set, and vice versa. First delete the existing CMG, and then create a new one with the different deployment method. All CMG instances for the site must use the same deployment method. For more information, see Plan for CMG: Virtual Machine Scale Sets.
Replace a CMG and reuse the same service name
Important
This process assumes that you already have at least two CMG services and are replacing one of them. You must have at least one active CMG for internet-based clients.
Delete the old CMG.
Create a new CMG with the same server authentication certificate.
Reconfigure the CMG connection point to use the new CMG.
Replace a CMG with a new service name
Get a new server authentication certificate.
Create a new CMG.
Create a new CMG connection point and associate it with the new CMG.
Wait at least a day for internet-based clients to receive policies about the new CMG. If clients are powered off or not connected to the internet, you may have to wait longer.
Delete the old CMG and its associated CMG connection point.
Stop and start the service
Use the Configuration Manager console to stop and start the service as needed.
In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Cloud Management Gateway node.
Select the CMG instance.
On the ribbon, choose one of the following actions:
- To stop a running CMG, select Stop service.
- To start a stopped CMG, select Start service.
Configuration Manager can stop a CMG service when total data transfer exceeds your limit. For more information, see Stop CMG when it crosses the threshold.
Important
Even when the service is not running, you still incur charges for the cloud service. Stopping the service does not eliminate all associated Azure costs. To eliminate all cloud service costs, delete the CMG.
If you stop the CMG service, internet-based clients cannot communicate with Configuration Manager.
You can also use PowerShell to stop and start a CMG:
- Start-CMCloudManagementGateway
- Stop-CMCloudManagementGateway
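The following PowerShell is an added example, not code from the Configuration Manager documentation: it stops (or starts) one CMG from a machine that has the console installed, targeting the instance by the name shown in the console so the action can't hit the wrong CMG. The site code and CMG name are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumptions: the console is installed on this machine (it sets the
# SMS_ADMIN_UI_PATH variable); $SiteCode and $CmgName are placeholders.
param(
    [string] $SiteCode = 'PS1',
    [string] $CmgName  = 'GraniteFalls.contoso.com',
    [ValidateSet('Stop', 'Start')] [string] $Action = 'Stop'
)

# The console's PowerShell module lives next to the console binaries, and the
# CM cmdlets must run from the site's PSDrive.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Resolve the instance first so a typo fails here rather than acting on nothing.
$cmg = Get-CMCloudManagementGateway -Name $CmgName
if (-not $cmg) { throw "No CMG named '$CmgName' exists at site $SiteCode." }

switch ($Action) {
    # Stopping halts client communication through this CMG; Azure charges continue
    # until the CMG is deleted.
    'Stop'  { Stop-CMCloudManagementGateway  -InputObject $cmg }
    'Start' { Start-CMCloudManagementGateway -InputObject $cmg }
}
```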
Determine the deployment model
To determine the current deployment model of a CMG:
In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Cloud Management Gateway node.
Select the CMG instance.
In the details pane at the bottom of the window, look for the Deployment model attribute.
Starting in version 2010, you see either Cloud service (classic) or Virtual Machine Scale Set.
In version 2006 and earlier, this attribute shows Azure Resource Manager for a Resource Manager deployment. The legacy deployment model with the Azure management certificate appears as Azure Service Manager.
Important
CMG deployments with Azure Service Manager are deprecated. Support will be removed in a later version of Configuration Manager. Redeploy a new CMG to use the Azure Resource Manager deployment method.
You can also add the Deployment model attribute as a column in the list view.
Changes in the Azure portal
Change the CMG only through the Configuration Manager console. Making changes to the service or underlying VMs directly in Azure is not supported. All changes can be lost without prior notice. As with any platform as a service (PaaS), the service can rebuild the VMs at any time. These rebuilds can be done to service the backend hardware or to apply updates to the VM OS.
Renew the Azure service secret key
When you first configure Azure Active Directory (Azure AD) to allow the CMG to use the Cloud Management Azure service, you specify a secret key lifetime when you register the web (server) app. By default, the secret key is valid for one year, or you can specify two years. Renew the secret key before it expires. For more information, see Renew the secret key.
Delete the service
If you need to delete the CMG, do so only from the Configuration Manager console. Manually removing components in Azure causes the system to become inconsistent. This condition leaves orphaned information, and unexpected behavior can occur.