SCCM CMG Setup Guide – Part 3 | Configure SCCM Site for SSL

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients over the internet.

In the previous post, we discussed the server authentication certificate requirements for CMG. In part 3 of the SCCM CMG setup guide series, we will discuss the SSL configuration for the SCCM site and the client authentication certificate requirements.

Deploy Client Authentication Certificate for ConfigMgr Clients

A client certificate is required on any computer that needs SSL communication with a Configuration Manager HTTPS management point or an SSL software update point.

A client certificate is also required on any computer that will be managed via the Cloud Management Gateway (CMG) and is not Azure AD / Hybrid AD joined. It is also required on the server that will host the Cloud Management Gateway connection point.

Follow the article below to issue and autoenroll the client authentication certificate for Configuration Manager clients. We will issue the certificate from Microsoft Active Directory Certificate Services (PKI) and use Group Policy (GPO) to autoenroll the certificate on all domain computers.

Issue and autoenroll client authentication certificate for SCCM clients

  • Issue Client Authentication Certificate
  • Configure Client Authentication Certificate Auto Enrollment
  • Export Trusted Root Certificate

Note: The certificate exported in the last step will be required during CMG setup.
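
To confirm that autoenrollment actually delivered a usable certificate, the following PowerShell check can be run on a client. It is an added example, not part of the original article or of Configuration Manager; the function name `Get-ClientAuthCertStatus` and its `-RootCerPath` parameter are hypothetical, and revocation checking is disabled on the assumption that the CRL may not be reachable from the machine being tested.

```powershell
# Added example: report whether the computer store holds a client authentication
# certificate that is valid, has a private key, and chains to the expected root.
function Get-ClientAuthCertStatus {
    param(
        # Optional path to the exported trusted root (.cer); hypothetical, supplied by the caller.
        [string]$RootCerPath
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $x509 = 'System.Security.Cryptography.X509Certificates'

    $expectedRoot = $null
    if ($RootCerPath) {
        $expectedRoot = New-Object "$x509.X509Certificate2" -ArgumentList $RootCerPath
    }

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Certificates without an explicit Client Authentication EKU are skipped.
        $ekuExt = $cert.Extensions | Where-Object { $_.GetType().Name -eq 'X509EnhancedKeyUsageExtension' }
        if (-not $ekuExt -or ($ekuExt.EnhancedKeyUsages.Value -notcontains $clientAuthOid)) { return }

        # Build the chain against the local trust stores; revocation is not checked (assumption).
        $chain = New-Object "$x509.X509Chain"
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $root = $null
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        }

        $now = Get-Date
        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            NotAfter          = $cert.NotAfter
            InValidityPeriod  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            HasPrivateKey     = $cert.HasPrivateKey
            ChainTrusted      = $trusted
            RootThumbprint    = if ($root) { $root.Thumbprint } else { $null }
            # $null when no exported root was supplied for comparison.
            RootMatchesExport = if ($expectedRoot -and $root) { $root.Thumbprint -eq $expectedRoot.Thumbprint } else { $null }
        }
    }
}

# Example call; the path below is a placeholder for the root certificate exported earlier.
Get-ClientAuthCertStatus -RootCerPath 'C:\Temp\RootCA.cer' | Format-List
```

An empty result means no certificate with the Client Authentication EKU is present in the computer's Personal store, which usually points to the autoenrollment GPO or the template permissions.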

Configure Management Point for HTTPS

The cloud management gateway (CMG) requires an HTTPS management point for secure communication. You need at least one management point in HTTPS mode in your hierarchy to support internet-based clients through CMG.

If you don’t have an HTTPS management point in your ConfigMgr hierarchy, follow the article below to configure one before going ahead with the CMG setup.

Configure Management Point for HTTPS | SCCM | ConfigMgr

Configure Software Update Point for SSL

The cloud management gateway (CMG) requires an SSL-enabled software update point to support internet-based clients. You need at least one SSL-enabled software update point in the hierarchy to deploy software updates to internet-based clients.

If you don’t have an SSL-enabled software update point in your ConfigMgr hierarchy, follow the article below to configure one. The software update point role is not a mandatory requirement for CMG setup, and you can perform this step later as well.

Configure Software Update Point for SSL | ConfigMgr | SCCM

Configure SCCM Site for HTTPS

The SCCM site needs to be configured for SSL communication with clients. Please ensure that the following settings are configured.

In the SCCM console, go to Administration/Site Configuration/Sites, select Properties and click on the Communication Security tab.

  • Ensure that the HTTPS or HTTP option is selected under Site system settings.
  • Under Client Settings, select Use PKI client certificate when available.
  • Under Trusted Root Certificate Authority, click on Set and upload the trusted root certificate you exported during client authentication certificate deployment (refer to: Export Trusted Root Certificate).

SCCM Site Properties PKI Certificate

Next Post: Part 4 | Integrate Azure Active Directory with ConfigMgr
