One small correction: the on-prem MP and SUP don’t actually have to be HTTPS 
enabled (unless you choose to use Azure AD domain instead of PKI client auth 
certs, which is new in 1706).

It is ultimately just a proxy for the data.


On Behalf Of Nemec, Dale
Sent: Wednesday, August 9, 2017 6:41 PM
Subject: RE: [mssms] Cloud Management Gateway

As Jason and Aaron have pointed out, the CMG service in Azure is not a domain 
joined machine.

The CMG is a proxy service that communicates via https to your on-prem MP and 
SUP server(s) on your internal network.

The MP and SUP server(s) are the ones that initiate the contact to the CMG web 
service.  Traffic is encrypted via certificate and only travels on the https 

Hopefully that helps.

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

On Behalf Of SCCM Admin
Sent: Wednesday, August 9, 2017 2:19 PM
Subject: Re: [mssms] Cloud Management Gateway

So what about the server that the MP and DP reside on? How will devices get 
applications and policies that are on the internet?

On Wed, Aug 9, 2017 at 3:50 PM Jason Sandys wrote:
That documentation in no way says anything about your site server in Azure and 
in no way discusses the CMG as being domain joined either. Whoever is drawing 
this conclusion is incorrect and needs to read the documentation. In fact, the 
CMG is a service provided by Azure – you have no explicit control over it. There 
is also a CMG connector role that you load on a site system (or your site 
server) but this is an on-prem role and has nothing to do with Azure except 
that it communicates with the CMG that is in Azure. So, it’s time to either 
correct the security guys and/or give them the proper information.


On Behalf Of SCCM Admin
Sent: Wednesday, August 9, 2017 11:52 AM
Subject: Re: [mssms] Cloud Management Gateway

On Wed, Aug 9, 2017 at 11:43 AM, Nemec, Dale wrote:
My CMGs are not domain joined and are working as expected.

Do you have a link to the documentation that you are following/referencing?

Dale Nemec | Global Architecture & Technology Ops (ESS) | Tektronix

On Behalf Of SCCM Admin
Sent: Tuesday, August 8, 2017 4:24 PM
Subject: [mssms] Cloud Management Gateway

We submitted our plans to implement CMG and after speaking with security they 
had issues with securing our site server in Azure since it has to be domain 

Could we put that server in another trusted domain and apply a trust between 
the two?

Also is there that much of a security threat to having a server in Azure as 
opposed to on premises?

