
Activate and set up your on-premises management console

Activation and setup of the on-premises management console ensures that:

  • Network devices that you're monitoring through connected sensors are registered with an Azure account.

  • Sensors send information to the on-premises management console.

  • The on-premises management console carries out management tasks on connected sensors.

  • You have installed an SSL/TLS certificate.

Sign in for the first time

To sign in to the management console:

  • Open a web browser, go to the IP address of the on-premises management console, and sign in with the password that you received during system installation. If you forgot your password, select Recover Password and see Password recovery.

Upload an activation file

After first-time sign-in, activate the on-premises management console by downloading an activation file from the Pricing page of the Azure Defender for IoT portal. This file contains the aggregate committed devices defined during the onboarding process. Committed devices is the number of devices that Defender for IoT will monitor per subscription.

To upload an activation file:

  1. Go to the Defender for IoT Pricing page.

  2. Select the Download the activation file for the management console tab. The activation file is downloaded.

    Screenshot: Download the activation file.

  3. In the management console, select System Settings.

  4. Select Activation.

  5. Select Choose a File and select the file that you saved.

After initial activation, the number of monitored devices might exceed the number of committed devices defined during onboarding, for example if you connect more sensors to the management console. If there's a discrepancy between the number of monitored devices and the number of committed devices, a warning appears in the management console. If this happens, upload a new activation file.

Set up a certificate

Following installation of the management console, a local self-signed certificate is generated and used to access the console. After an administrator signs in to the management console for the first time, that user is prompted to onboard an SSL/TLS certificate.

Two levels of security are available:

  • Meet the specific certificate and encryption requirements of your organization by uploading a CA-signed certificate.
  • Allow validation between the management console and connected sensors. Validation checks each certificate against a certificate revocation list (CRL) and its expiration date. If validation fails, communication between the management console and the sensor is halted and a validation error is presented in the console. This option is enabled by default after installation.

The console supports the following types of certificates:

  • Private and enterprise key infrastructure (private PKI)

  • Public key infrastructure (public PKI)

  • Locally generated on the appliance (locally self-signed)

    Important

    We recommend that you don't use a self-signed certificate. Such a certificate is not secure and should be used for test environments only: the owner of the certificate can't be validated, so the security of your system can't be maintained. Never use this option for production networks.

To upload a certificate:

  1. When you're prompted after sign-in, define a certificate name.
  2. Upload the CRT and key files.
  3. Enter a passphrase and upload a PEM file if required.

You might need to refresh your screen after you upload the CA-signed certificate.

To disable validation between the management console and connected sensors:

  1. Select Next.
  2. Turn off the Enable system-wide validation toggle.

With system-wide validation off, a sensor that presents an expired or revoked certificate is still accepted, so leave the toggle on unless you have a specific reason not to.

For information about uploading a new certificate, supported certificate files, and related items, see Manage the on-premises management console.

Connect sensors to the on-premises management console

You must ensure that sensors send information to the on-premises management console, and that the on-premises management console can perform backups, manage alerts, and carry out other activity on the sensors. To do that, use the following procedures to verify that you make an initial connection between sensors and the on-premises management console.

Two options are available for connecting Azure Defender for IoT sensors to the on-premises management console:

  • Connect from the sensor console

  • Connect by using tunneling

After connecting, you must set up a site with these sensors.

Connect sensors from the sensor console

To connect specific sensors to the on-premises management console from the sensor console:

  1. On the left pane of the sensor console, select System Settings.

  2. Select Connection to Management.

    Screenshot of the on-premises management console status window, showing "Not connected".

  3. In the Address text box, enter the IP address of the on-premises management console to which you want to connect.

  4. Select Connect. The status changes:

    Screenshot of the on-premises management console status window, showing "Connected".

Connect sensors by using tunneling

Enable a secured tunneling connection between organizational sensors and the on-premises management console. Because all management traffic rides inside the tunnel, only one port on each sensor has to be reachable through the organizational firewall, which reduces the attack surface.

With tunneling, the on-premises management console reaches each sensor from its own IP address over a single port, TCP 9000.

To set up tunneling at the on-premises management console:

  • Sign in to the on-premises management console and run the following commands:

    # Enable the tunnel endpoint on the management console, then reload Apache
    cyberx-management-tunnel-enable
    service apache2 reload
    # Register a sensor that the console will tunnel to (repeat for each sensor)
    sudo cyberx-management-tunnel-add-xsense --xsenseuid <sensorIPAddress> --xsenseport 9000
    service apache2 reload

To set up tunneling on the sensor:

  1. Open TCP port 9000 on the sensor manually, by adding it to opened_tcp_incoming_ports in network.properties as shown in the next step. If the port is not open, the sensor rejects the connection from the on-premises management console.

  2. Sign in to each sensor and run the following commands:

    # Point the sensor at the management console and enable the tunnel
    sudo cyberx-xsense-management-connect -ip <centralmanagerIPAddress>
    sudo cyberx-xsense-management-tunnel
    # Add 9000 to the allowed incoming TCP ports. The line after vi is the
    # value to set in the file, not a command to run.
    sudo vi /var/cyberx/properties/network.properties
    opened_tcp_incoming_ports=22,80,443,102,9000
    # Validate the network settings, rebuild the firewall rules, and confirm
    # that the INPUT chain now has an ACCEPT rule for dpt:9000
    sudo cyberx-xsense-network-validation
    sudo /etc/network/if-up.d/iptables-recover
    sudo iptables -nvL
    

Set up a site

The default enterprise map provides an overall view of your devices according to several levels of geographical location.

A different view of your devices might be required where the organizational structure and user permissions are complex. In these cases, site setup can be determined by a global organizational structure, in addition to the standard site or zone structure.

To support this environment, you need to create a global business topology that's based on your organization's business units, regions, sites, and zones. You also need to define user access permissions around these entities by using access groups.

Access groups enable better control over where users manage and analyze devices in the Defender for IoT platform.

How it works

For each site, you can define a business unit and a region. Then you can add zones, which are logical entities in your network.

For each zone, you should assign at least one sensor. The five-level model provides the flexibility and granularity required to deliver a protection system that reflects the structure of your organization.

You can edit your sites directly from any of the map views. When you open a site from a map view, the number of open alerts appears next to each zone.

Screenshot of the on-premises management console map with a Berlin data overlay.

Diagram showing the relationship between sensors and zones.

To set up a site:

  1. Add new business units to reflect your organization's logical structure.

  2. Add new regions to reflect your organization's regions.

  3. Add a site.

  4. Add zones to the site.

  5. Connect the sensors.

  6. Assign the sensors to site zones.

To add business units:

  1. From the Enterprise view, select All Sites > Manage Business Units.

    Screenshot showing the Manage Business Units view.

  2. Enter the new business unit name and select ADD.

To add a new region:

  1. From the Enterprise view, select All Regions > Manage Regions.

    Screenshot showing the Manage Regions view.

  2. Enter the new region name and select ADD.

To add a new site:

  1. From the Enterprise view, select the add-site button on the top bar. Your cursor appears as a plus sign (+).

  2. Position the + at the location of the new site and select it. The Create New Site dialog box opens.

    Screenshot of the Create New Site view.

  3. Define the name and the physical address for the new site and select SAVE. The new site appears on the site map.

To delete a site:

  1. In the Site Management window, on the bar that contains the site name, select Delete Site. A confirmation box appears, asking you to verify that you want to delete the site.

  2. In the confirmation box, select YES. The confirmation box closes, and the Site Management window appears without the site that you've deleted.

Create enterprise zones

Zones are logical entities that enable you to divide devices within a site into groups according to various characteristics. For example, you can create groups for production lines, substations, site areas, or types of devices. You can define zones based on any characteristic that's suitable for your organization.

You configure zones as a part of the site configuration process.

Screenshot of the Site Management zones view.

The following table describes the parameters in the Site Management window. The last six rows are icon buttons and counters; their icons are not reproduced here.

Parameter          Description
Name               The name of the sensor. You can change this name only from the sensor. For more information, see the Defender for IoT user guide.
IP                 The sensor IP address.
Version            The sensor version.
Connectivity       The sensor connectivity status: Connected or Disconnected.
Last Upgrade       The date of the last upgrade.
Upgrade Progress   The progress bar shows the status of the upgrade process, as follows:
                   - Uploading package
                   - Preparing to install
                   - Stopping processes
                   - Backing up data
                   - Taking snapshot
                   - Updating configuration
                   - Updating dependencies
                   - Updating libraries
                   - Patching databases
                   - Starting processes
                   - Validating system sanity
                   - Validation succeeded
                   - Success
                   - Failure
                   - Upgrade started
                   - Starting installation
                   For details about upgrading, contact Microsoft Support.
Devices            The number of OT devices that the sensor monitors.
Alerts             The number of alerts on the sensor.
(assign icon)      Enables assigning a sensor to zones.
(delete icon)      Enables deleting a disconnected sensor from the site.
(sensor count)     Indicates how many sensors are currently connected to the zone.
(asset count)      Indicates how many OT assets are currently connected to the zone.
(alert count)      Indicates the number of alerts sent by sensors that are assigned to the zone.
(unassign icon)    Unassigns sensors from zones.

To add a zone to a site:

  1. In the Site Management window, on the bar that contains the site name, select Add Zone. The Create New Zone dialog box appears.

    Screenshot of the Create New Zone view.

  2. Enter the zone name.

  3. Enter a description for the new zone that clearly states the characteristics that you used to divide the site into zones.

  4. Select SAVE. The new zone appears in the Site Management window under the site that this zone belongs to.

To edit a zone:

  1. In the Site Management window, on the bar that contains the zone name, select Edit Zone. The Edit Zone dialog box appears.

    Screenshot showing the Edit Zone dialog box.

  2. Edit the zone parameters and select SAVE.

To delete a zone:

  1. In the Site Management window, on the bar that contains the zone name, select Delete Zone.

  2. In the confirmation box, select YES.

To filter according to the connectivity status:

  • From the upper-left corner, select Connectivity and then one of the following options:

    • All: Presents all the sensors that report to this on-premises management console.

    • Connected: Presents only connected sensors.

    • Disconnected: Presents only disconnected sensors.

To filter according to the upgrade status:

  • From the upper-left corner, select Upgrade Status and then one of the following options:

    • All: Presents all the sensors that report to this on-premises management console.

    • Valid: Presents sensors with a valid upgrade status.

    • In Progress: Presents sensors that are in the process of upgrading.

    • Failed: Presents sensors whose upgrade process has failed.

Assign sensors to zones

For each zone, you need to assign sensors that perform local traffic analysis and alerting. You can assign only sensors that are connected to the on-premises management console.

To assign a sensor:

  1. Select Site Management. The unassigned sensors appear in the upper-left corner of the dialog box.

    Screenshot of the unassigned sensors view.

  2. Verify that the Connectivity status is Connected. If not, see Connect sensors to the on-premises management console for details about connecting.

  3. Select the assign icon for the sensor that you want to assign.

  4. In the Assign Sensor dialog box, select the business unit, region, site, and zone to assign.

    Screenshot of the Assign Sensor view.

  5. Select ASSIGN.

To unassign and delete a sensor:

  1. Disconnect the sensor from the on-premises management console. See Connect sensors to the on-premises management console for details.

  2. In the Site Management window, select the sensor and then select the unassign icon. The sensor appears in the list of unassigned sensors after a few moments.

  3. To delete an unassigned sensor from the site, select it in the list of unassigned sensors and then select the delete icon.

Next steps

Troubleshoot the sensor and on-premises management console