Applies to: Configuration Manager (current branch)
The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional on-premises infrastructure. You also don't need to expose your on-premises infrastructure to the internet.
Note
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.
After establishing the prerequisites, creating the CMG consists of the following three steps in the Configuration Manager console:
This article provides the foundational knowledge to learn about the CMG, design how it fits in your environment, and plan the implementation.
Scenarios
There are several scenarios for which a CMG is beneficial. The following scenarios are some of the more common:
Specific use cases
Across these scenarios the following specific device use cases may apply:
Important
By default, all clients receive policy for a CMG and start using it when they become internet-based. Depending on the scenario and use case that applies to your organization, you may need to scope usage of the CMG. For more information, see the Enable clients to use a cloud management gateway client setting.
Topology design
CMG components
Deployment and operation of the CMG includes the following components:
Azure Resource Manager
Create the CMG using an Azure Resource Manager deployment. Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group. When deploying CMG with Azure Resource Manager, the site uses Azure Active Directory (Azure AD) to authenticate and create the necessary cloud resources. This modernized deployment doesn't require the classic Azure management certificate.
Note
This capability doesn't enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP doesn't support. For more information, see available Azure services in Azure CSP.
Starting in Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of the cloud management gateway. Existing deployments continue to work.
In Configuration Manager version 1810 and earlier, the CMG wizard still provides the option for a classic service deployment using an Azure management certificate. To simplify the deployment and management of resources, the Azure Resource Manager deployment model is recommended for all new CMG instances. If possible, redeploy existing CMG instances through Resource Manager. For more information, see Modify a CMG.
Important
The classic service deployment in Azure is deprecated for use in Configuration Manager. Version 1810 is the last to support creation of these Azure deployments. This functionality will be removed in a future Configuration Manager version.
Hierarchy design
Create the CMG at the top-tier site of your hierarchy. If that's a central administration site, then create CMG connection points at child primary sites. The cloud service manager component is on the service connection point, which is also on the central administration site. This design can share the service across different primary sites if needed.
You can create multiple CMG services in Azure, and you can create multiple CMG connection points. Multiple CMG connection points provide load balancing of client traffic from the CMG to the on-premises roles.
Starting in version 1902, you can associate a CMG with a boundary group. This configuration allows clients to default or fallback to the CMG for client communication according to boundary group relationships. This behavior is especially useful in branch office and VPN scenarios. You can direct client traffic away from expensive and slow WAN links to instead use faster services in Microsoft Azure.
Note
Internet-based clients don't fall into any boundary group.
In Configuration Manager version 1810 and earlier, the CMG doesn't fall into any boundary group.
Other factors, such as the number of clients to manage, also impact your CMG design. For more information, see Performance and scale.
Example 1: standalone primary site
Contoso has a standalone primary site in an on-premises datacenter at their headquarters in New York City.
As clients roam onto the internet, they communicate with the CMG in the East US Azure region. The CMG forwards this communication through both of the CMG connection points.
Example 2: hierarchy
Fourth Coffee has a central administration site in an on-premises datacenter at their headquarters in Seattle. One primary site is in the same datacenter, and the other primary site is in their main European office in Paris.
As clients roam onto the internet, they communicate with the CMG in the West US Azure region. The CMG forwards this communication to the CMG connection point in the client's assigned primary site.
Tip
You don't need to deploy more than one cloud management gateway for the purposes of geolocation. The Configuration Manager client is mostly unaffected by the slight latency that can occur with the cloud service, even when geographically distant.
Test environments
Many organizations have separate environments for production, test, development, or quality assurance. When you plan your CMG deployment, consider the following questions:
Configuration Manager's Azure service for Cloud management supports multiple tenants. Multiple Configuration Manager sites can connect to the same tenant. A single site can deploy multiple CMG services into different subscriptions. Multiple sites can deploy CMG services into the same subscription. Configuration Manager provides flexibility depending upon your environment and business requirements.
For more information, see the following FAQ: Do the user accounts have to be in the same Azure AD tenant as the tenant associated with the subscription that hosts the CMG cloud service?
Requirements
Specifications
Support for Configuration Manager features
The following table lists CMG support for Configuration Manager features:
Note 1: Support for endpoint protection
For domain-joined devices to apply endpoint protection policy, they require access to the domain. Devices with infrequent access to the internal network may experience delays in applying endpoint protection policy. If you require that devices immediately apply endpoint protection policy after they receive it, consider one of the following options:
Cost
Important
The following cost information is for estimating purposes only. Your environment may have other variables that affect the overall cost of using CMG.
CMG uses the following Azure components, which incur charges to the Azure subscription account:
Virtual machine
Outbound data transfer
Content storage
Other costs
Performance and scale
For more information on CMG scale, see Size and scale numbers.
The following recommendations can help you improve CMG performance:
Note
While Configuration Manager has no hard limit on the number of clients for a CMG connection point, Windows Server has a default maximum TCP dynamic port range of 16,384. If a Configuration Manager site manages more than 16,384 clients with a single CMG connection point, you must increase the Windows Server limit. All clients maintain a channel for client notifications, which holds a port open on the CMG connection point. For more information on how to use the netsh command to increase this limit, see Microsoft Support article 929851.
Ports and data flow
You don't need to open any inbound ports to your on-premises network. The service connection point and CMG connection point initiate all communication with Azure and the CMG. These two site system roles need to create outbound connections to the Microsoft cloud. The service connection point deploys and monitors the service in Azure, so it must be in online mode. The CMG connection point connects to the CMG to manage communication between the CMG and on-premises site system roles.
The following diagram is a basic, conceptual data flow for the CMG:
For more information when you host content in Azure, see Use a cloud-based distribution point.
Required ports
This table lists the required network ports and protocols. The Client is the device initiating the connection, requiring an outbound port. The Server is the device accepting the connection, requiring an inbound port.
Note 1: CMG connection point TCP-TLS ports
The CMG connection point first tries to establish a long-lived TCP-TLS connection with each CMG VM instance. It connects to the first VM instance on port 10140. The second VM instance uses port 10141, up to the 16th on port 10155. A TCP-TLS connection performs the best, but it doesn't support an internet proxy. If the CMG connection point can't connect via TCP-TLS, then it falls back to HTTPS (see Note 2).
Note 2: CMG connection point HTTPS ports for one VM
If the CMG connection point can't connect to the CMG via TCP-TLS (see Note 1), it connects to the Azure network load balancer over HTTPS 443 only for one VM instance.
Note 3: CMG connection point HTTPS ports for two or more VMs
If there are two or more VM instances, the CMG connection point uses HTTPS 10124 to the first VM instance, not HTTPS 443. It connects to the second VM instance on HTTPS 10125, up to the 16th on HTTPS port 10139.
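The port rules in Notes 1 to 3, together with the dynamic port range limit described under Performance and scale, are easy to get wrong when writing outbound firewall rules for the CMG connection point. The following script is an added example (not part of this article or of Configuration Manager) that derives the outbound TCP ports needed for a given number of CMG VM instances and checks whether the Windows Server default dynamic port range (start 49152, 16,384 ports) is large enough for the clients served by one connection point. The function names, the 1,024-port headroom, and the treatment of 16 as the maximum instance count (the notes enumerate ports only up to the 16th instance) are assumptions of this example; the `netsh` command it emits is the one documented in Microsoft Support article 929851.

```python
"""CMG connection point network planning helper.

Added example, not Microsoft's code. Port numbers come from the article's
Notes 1-3; the dynamic port range defaults are the Windows Server defaults
the article cites. Function names and headroom are this example's choices.
"""

# Note 1: preferred long-lived TCP-TLS connection, one port per VM instance.
TCP_TLS_FIRST_PORT = 10140
# Note 2: HTTPS fallback for a single VM instance goes to the load balancer.
HTTPS_LB_PORT = 443
# Note 3: HTTPS fallback for two or more instances, one port per instance.
HTTPS_FIRST_PORT = 10124
# Assumption: the notes enumerate ports up to the 16th instance only.
MAX_VM_INSTANCES = 16

# Windows Server default TCP dynamic (ephemeral) port range.
DEFAULT_DYNAMIC_START = 49152
DEFAULT_DYNAMIC_COUNT = 16384
HEADROOM_PORTS = 1024  # assumption: spare ports above the client count


def cmg_outbound_ports(vm_instances: int) -> dict:
    """Return the outbound TCP ports a CMG connection point must be allowed
    to reach for `vm_instances` CMG VM instances.

    'tcp_tls' is the preferred path (Note 1); 'https_fallback' is used only
    when TCP-TLS cannot be established (Notes 2 and 3).
    """
    if not 1 <= vm_instances <= MAX_VM_INSTANCES:
        raise ValueError(f"CMG VM instances must be 1..{MAX_VM_INSTANCES}")
    tcp_tls = [TCP_TLS_FIRST_PORT + i for i in range(vm_instances)]
    if vm_instances == 1:
        https = [HTTPS_LB_PORT]          # single instance: load balancer on 443
    else:
        https = [HTTPS_FIRST_PORT + i for i in range(vm_instances)]
    return {"tcp_tls": tcp_tls, "https_fallback": https}


def dynamic_port_range_for_clients(clients: int,
                                   start: int = DEFAULT_DYNAMIC_START,
                                   count: int = DEFAULT_DYNAMIC_COUNT):
    """Check whether the dynamic port range on a CMG connection point can hold
    one open client-notification channel per client.

    Returns (ok, netsh_command). When the range is already large enough the
    command is None; otherwise it is the netsh command that enlarges the
    range (syntax per Microsoft Support article 929851), with the start port
    lowered so the whole range still fits below 65536.
    """
    if clients <= count:
        return True, None
    needed = clients + HEADROOM_PORTS
    new_start = min(start, 65536 - needed)
    if new_start < 1025:
        raise ValueError("client count exceeds what one dynamic port range "
                         "can hold; add another CMG connection point")
    cmd = f"netsh int ipv4 set dynamicport tcp start={new_start} num={needed}"
    return False, cmd


if __name__ == "__main__":
    for n in (1, 2, 16):
        print(n, "VM instance(s):", cmg_outbound_ports(n))
    for clients in (10000, 20000):
        ok, cmd = dynamic_port_range_for_clients(clients)
        print(clients, "clients:", "range OK" if ok else cmd)
```

Run the script as-is to print the allow-list for 1, 2 and 16 instances and the sizing check for 10,000 and 20,000 clients; the ports it returns are the ones that must be open outbound from the CMG connection point, and the HTTPS fallback list is only exercised when TCP-TLS cannot be established, for example through an internet proxy.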
Internet access requirements
If your organization restricts network communication with the internet using a firewall or proxy device, you need to allow CMG connection point and service connection point to access internet endpoints.
For more information, see Internet access requirements.
Next steps