Reducing VPN Surge on Patch Tuesday

When the Lords and Ladies Leave the Castle:

With a fleet of now nearly 100% mobile PCs, there’s reason for concern about the impact of April’s patch Tuesday on VPNs. This patch will be larger than usual, ranging between 193MB (for machines on 1909) to ~400MB (for 1903). Add that traffic to already busy ISP circuits, and it could make for a long week.

Enter Cloud Management Gateway, an Azure (Platform) Service which extends the automation of on-premises Configuration Manager, while streaming PC update traffic from Azure, not the VPN. 

Architectural Choices:

There are three main ways for remote PCs to be managed by System Center Configuration Manager.

  1. Connect through VPN and use ConfigMan’s normal “intranet” profile
  2. Use internet-based client management (IBCM),
  3. Use Cloud Management Gateway (CMG)

Microsoft published a succinct list of pros/cons of options 2 and 3.

CMG is the most elegant way to offload System Center’s traffic from the data center’s ISP circuit. As shown in the reference architecture below, the PC communicates only to the Azure PaaS. The connection between the on-prem System Center and the Azure PaaS is made securely, over the Internet. Communication from the client computers use custom SSL certificates from the internal CA or AAD token Authentication, encrypting and authenticating the identity of the cloud management gateway service. An Azure management certificate is used to authenticate Configuration Manager with Azure.

Keith blog 1

1. The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. It connects to Azure over HTTPS port 443. It authenticates using Azure AD or the Azure management certificate. It also monitors and reports service health and logging information from Azure AD. The service connection point must be in online mode.

2. The CMG connection point site system role connects to the CMG in Azure over TCP-TLS or HTTPS. It holds the connection open, and builds the channel for future two-way communication. It also publishes settings to the CMG including connection information and security settings.

3. Internet-based clients connect to the CMG over HTTPS port 443 to access on-premises Configuration Manager components. They authenticate using Azure AD or the client authentication certificate.

4. The CMG cloud service in Azure authenticates and forwards Configuration Manager client requests to the CMG connection point. The CMG forwards the client communication over the existing connection to the on-premises CMG connection point. You don't need to open any inbound firewall ports.

5. The CMG connection point then forwards the client request to the on-premises ConfigMan roles according to URL mappings. From there, it’s ConfigMan business as usual. The software update point site system role handles client requests, and interacts with the WSUS services to configure the software update settings. The management point site system role is the primary point of contact between Configuration Manager clients and the site server, and services client requests as usual.


Costs are comprised of 4 main elements: 

1. VMs: CMG uses between one and sixteen Standard A2 V2 VMs. Each supports up to 6,000 active user sessions. Multiple VMs can be deployed for redundancy and in desired locations. Two A2 V2s in an availability set would run approximately $200+/month.

2. Outbound data transfer: You can estimate approximately 100-300 MB per client per month for internet-based clients. Anecdotally and on average, a cumulative update costs $0.11 per machine per update. For an organization who has 750 laptops, they're seeing about $84 a month in egress bandwidth.

3. Content storage: While Internet-based clients get Microsoft software update content from Windows Update at no charge, if updates are uploaded to the cloud distribution point, or if third party app updates are uploaded to the cloud distribution point, storage costs will be incurred.

4. IP address: Each CMG uses a new dynamic IP address

Due to the attractive cost versus the risk of machines missing updates or the cost of upgrading ISP circuits, connections of Microsoft’s Cloud Management Gateway have surged 300% since the start of the work from home era (Source:

keith blog 2

Making the cut

Roaming clients that connect to your environment via a VPN are commonly detected as intranet-facing, and will attempt to connect to your on-premises infrastructure over the VPN. To have these roaming clients managed by cloud services even when connected via VPN, associate the CMG with a boundary group. Clients will then be deterred from using the on-premises site systems. For more information, see Configure boundary groups.


Split the Tunnel

Crucially, CMG only pays off if the PCs can access Azure directly, meaning a split tunnel configuration is required. Additionally, splitting the VPN tunnel for Office 365 traffic is recommended, as shown.

keith blog 3


Combined with a configuration that allows split tunneling, and direct access to the Internet for cloud apps, the cloud management gateway is a best practice for patch Tuesdays of the future.

Contact us for help designing and implementing Cloud Management Gateway at

Credits: Much of the content here is covered in more detail at


Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

Subscribe to Email Updates

Refine by

To expand the list, please click on the double arrows.


Search by Category or Author: