The Viewfinder

SCCM Cloud Management Gateway

If you ask any SCCM administrator, they’ll tell you the most obvious pain point around client management is how to deal with internet-facing clients. In the early days of SCCM 2007, Microsoft developed a functional yet complicated solution for internet-based client management, otherwise known as IBCM... and no, not ICBM. It required additional SCCM infrastructure in the DMZ, with holes poked through the external firewalls to reach the internal network and the SCCM hierarchy residing there. That external infrastructure is itself exposed to the Internet, and it adds overhead and operational cost. During those early days of configuring IBCM, there was not much supporting documentation from Microsoft or the community, and the SCCM admin usually had to zigzag through the process. Admittedly, Microsoft and the SCCM community have in the past few years put together comprehensive guides to implementing IBCM... and that is something this SCCM admin has been extremely grateful for.


Fast-forward nearly a decade later to SCCM 1610 Current Branch. Microsoft released a pre-release feature that has become a contender to the behemoth of IBCM: the Cloud Management Gateway. In very elegant fashion, Microsoft simplified and modernized the notion of managing internet-facing devices through SCCM. The requirement to stand up hardware in the DMZ, exposed to the Internet, is no more. Instead, with the use of a new PaaS-type cloud service residing inside a company’s Microsoft Azure tenant, communication between internet-based clients and the internal SCCM environment is now handled in a secure, certificate-based manner. Also, I might add that this is significantly easier to implement than an intercontinental ballistic missile... for those that are acronym-challenged.


CMG has some other side benefits besides the obvious connectivity feature for internet devices. Combining the CMG service with another PaaS service, the Cloud Distribution Point, you then have a winning combination for actually deploying applications and software patches to our internet-facing client friends. Then you have pure, simple scalability. Each PaaS service can support 4000 devices, and provisioning another CMG service can be done very easily from within the SCCM console.


Some detractors would say that the requirement of an Azure subscription is a huge roadblock due to cost and overhead. Perhaps the network egress cost of content flowing to those internet clients is a scary thought. I would say, yes, proceed with caution, and that if you are really serious about leveraging Azure cloud in this manner, some math homework will be in order.


Just some quick calculations for outbound data transfer costs:

Assume 10,000 clients x 100 MB (machine policy request, once per hour) = 1 TB per month

Rate = $0.14 per GB x 1 TB = $140/mo

CMG (PaaS service cost)

(A2 VM) = $133.92/mo

Total: $357/mo


Let’s not be neglectful by leaving out the costs of application and patching payloads. Of course, for every enterprise, those numbers will vary, and this is the additional homework that any SCCM admin or organization should be willing to do when attempting to persuade the powers-that-be to adopt this type of solution.


For those companies that are truly trying to embrace the cloud side of life, this new feature for SCCM Current Branch helps adopt a truly modern workplace IT scenario. CMG is a testament to Microsoft’s dedication to a long-standing (25 years, folks!) toolset that continues to deliver for enterprise environments everywhere.