Cloud management gateway deep dive


Following up on last week's episode, Cloud management gateway: what you need to know & what’s next, today we're taking an in-depth look at the cloud management gateway and offering general CMG enablement guidelines as well as tips on how to reduce reliance on VPN. We'll also provide some immediate next steps you can take to design a CMG plan for your Configuration Manager environment.




Learn more

Here are links to the resources mentioned in this session:  


While not mentioned specifically in this session, here are some additional resources you might find helpful:

Frequently asked questions

Q: What is the minimum version of Configuration Manager that is required to utilize the cloud management gateway?

A: The CMG role is supported in all currently supported versions of Configuration Manager Current Branch (CB). Currently, that is version 1810+. If you’re on a version of Configuration Manager older than 1810, you are running an unsupported version of Configuration Manager CB.

Q: What is the connectivity requirement for the CMG and on-premises site server? We have a single primary server in South Africa and want to build CMGs in Europe and Latin America. Would that work over busy WAN links?

A: The CMG communicates with on-premises through the connector that is installed at the site level. We use a level of filtering to make sure CMG traffic for a primary site goes to the connector for that site. Those connectors make outbound connections to the CMG, so there’s no internal traffic requirement. Connectivity requirements are outbound only. For more details, check out Ports and data flow.

Q: Our VPN only supports split-tunneling via IP addresses, not fully-qualified domain name (FQDN). What is the suggestion around this given Microsoft doesn’t have IP addresses for software updates?

A: Windows Update relies on multiple CDN partners. We recommend if you have a hard requirement to leverage the CMG to store the content in your Azure subscription and then point to the Azure IP ranges. Take a look at the recent blog post from Rob York for more information.

Q: Is there a good resource to configure split tunneling with Windows Update for Business/Microsoft Update?

A: Yes - Managing Patch Tuesday with Configuration Manager in a remote work world.

Q: Does the “Windows Update content to pull from Microsoft” require Windows Update for Business and Windows update co-management workload slider to be set to Intune for co-managed clients?

A: No, it doesn’t.

Q: Can we control what content (packages/apps) we want to sync on the Cloud DP?

A: Yes, you distribute content to CMG/Cloud DP just like you would any other distribution point in your infrastructure.

Q: What will be the cost of using Cloud DP per GB of data?

A: For insight into the costs related to CMG usage, see the Cost section of Plan for the cloud management gateway in Configuration Manager.

Q: Can Microsoft provide a list of IP address ranges (not URLs) to split out?

A: For guidance around this, see Managing Patch Tuesday with Configuration Manager in a remote work world.

Q: Do we have a way to report, on a client basis, who is downloading what from the CMG and Windows Update for billing purposes?

A: It doesn’t show Windows Update, but it does show the CMG. See Monitor cloud management gateway for more details.

Q: Would Microsoft suggest altering or adjusting BITS client settings at all to control software updates across VPN?

A: If you need to reduce pressure on the VPN, then yes, that’s one way to throttle the traffic. Low Extra Delay Background Transport (LEDBAT) is another option.

Q: What if internet-based client management (IBCM) is currently being used and the CMG is set up? Does that conflict; does IBCM need to be removed?

A: No, there is no conflict. Similar to having two management points (MPs) or two distribution points (DPs), the clients will randomly choose between the two if they are both currently configured for a single site. We would recommend moving to the CMG if possible. It requires no ports to be opened from the CMG to the site server (the CMG Connection Point reached out). For IBCM, the MP needs to be able to reach into the environment.

Q: Do you need CMG Connection Points for secondary sites?

A: No, secondary sites have no part in a CMG.


We hope you find this session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!

0 Replies