Plan how to wake up clients in Configuration Manager

Applies to: Configuration Manager (current branch)

Configuration Manager supports traditional wake-up packets to wake up computers in sleep mode when you want to install required software, such as software updates and applications.

Note

This article describes how an older version of Wake on LAN functions. This functionality still exists in Configuration Manager version 1810, which also includes a newer version of Wake on LAN. Both versions of Wake on LAN can, and in many cases will, be enabled simultaneously. For more information about how the new version of Wake on LAN functions starting in 1810 and how to enable either or both versions, see How to configure Wake on LAN.

How to wake up clients in Configuration Manager

You can supplement the traditional wake-up packet method by using the wake-up proxy client settings. Wake-up proxy uses a peer-to-peer protocol and elected computers to check whether other computers on the subnet are awake, and to wake them if necessary. When the site is configured for Wake On LAN and clients are configured for wake-up proxy, the process works as follows:

  1. Computers that have the Configuration Manager client installed and that aren't asleep check whether other computers on the subnet are awake. They do this check by sending each other a TCP/IP ping command every five seconds.

  2. If there's no response from other computers, they're assumed to be asleep. The computers that are awake become manager computers for the subnet.

    Because a computer might not respond for a reason other than being asleep (for example, it's turned off, removed from the network, or the wake-up proxy client setting is no longer applied), the computers are sent a wake-up packet every day at 2 P.M. local time. Computers that don't respond will no longer be assumed to be asleep and will not be woken up by wake-up proxy.

    To support wake-up proxy, at least three computers must be awake for each subnet. To achieve this requirement, three computers are non-deterministically chosen to be guardian computers for the subnet. This state means that they stay awake, despite any configured power policy to sleep or hibernate after a period of inactivity. Guardian computers honor shutdown or restart commands, for example, as a result of maintenance tasks. If this action happens, the remaining guardian computers wake up another computer on the subnet so that the subnet continues to have three guardian computers.

  3. Manager computers ask the network switch to redirect network traffic for the sleeping computers to themselves.

    The redirection is achieved by the manager computer broadcasting an Ethernet frame that uses the sleeping computer's MAC address as the source address. This behavior makes the network switch behave as if the sleeping computer has moved to the same port that the manager computer is on. The manager computer also sends ARP packets for the sleeping computers to keep the entry fresh in the ARP cache. The manager computer also responds to ARP requests on behalf of the sleeping computer and replies with the MAC address of the sleeping computer.

    Warning

    During this process, the IP-to-MAC mapping for the sleeping computer remains the same. Wake-up proxy works by informing the network switch that a different network adapter is using the port that was registered by another network adapter. However, this behavior is known as a MAC flap and is unusual for standard network operation. Some network monitoring tools look for this behavior and can assume that something is wrong. Consequently, these monitoring tools can generate alerts or shut down ports when you use wake-up proxy.

    Do not use wake-up proxy if your network monitoring tools and services do not allow MAC flaps.

  4. When a manager computer sees a new TCP connection request for a sleeping computer and the request is to a port that the sleeping computer was listening on before it went to sleep, the manager computer sends a wake-up packet to the sleeping computer, and then stops redirecting traffic for this computer.

  5. The sleeping computer receives the wake-up packet and wakes up. The sending computer automatically retries the connection, and this time the computer is awake and can respond.
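As an added illustration (not part of this article or of Configuration Manager), the following Python triages MAC moves of the kind a monitoring tool would raise in step 3: a client MAC that shows up on the port of a known wake-up proxy client is the expected MAC flap, while any other move is left for investigation. The observations, MAC addresses, port names and function names are constructed sample data.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of switch MAC-table observations: (seconds, MAC, switch port).
# A sleeping client's MAC is learned on the wake-up proxy manager's port while the manager
# broadcasts frames with that MAC as source, and moves back once the client is awake.
OBSERVATIONS = [
    (0,    "aa:bb:cc:00:00:01", "Gi1/0/5"),   # client, on its own port, before it sleeps
    (30,   "aa:bb:cc:00:00:02", "Gi1/0/7"),   # manager computer (wake-up proxy enabled)
    (35,   "aa:bb:cc:00:00:01", "Gi1/0/7"),   # client's MAC now learned on the manager's port
    (900,  "aa:bb:cc:00:00:01", "Gi1/0/5"),   # client woken; traffic returns to its own port
    (950,  "aa:bb:cc:00:00:03", "Gi1/0/9"),   # unrelated host ...
    (1000, "aa:bb:cc:00:00:03", "Gi1/0/11"),  # ... whose MAC moves with no manager involved
]


def find_mac_flaps(observations, window_s: int = 3600) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {mac: [(time, old_port, new_port), ...]} for every MAC seen on a different
    port than its previous sighting within window_s seconds (the MAC flap the article describes)."""
    last_seen: Dict[str, Tuple[int, str]] = {}
    flaps: Dict[str, List[Tuple[int, str, str]]] = defaultdict(list)
    for ts, mac, port in sorted(observations):
        if mac in last_seen:
            prev_ts, prev_port = last_seen[mac]
            if port != prev_port and ts - prev_ts <= window_s:
                flaps[mac].append((ts, prev_port, port))
        last_seen[mac] = (ts, port)
    return dict(flaps)


def manager_ports(observations, manager_macs: Set[str]) -> Set[str]:
    """Ports on which known wake-up proxy clients (possible manager computers) have been seen."""
    return {port for _, mac, port in observations if mac in manager_macs}


def triage_flaps(observations, manager_macs: Set[str], window_s: int = 3600) -> Dict[str, List[str]]:
    """Label a flap 'expected-wakeup-proxy' when it moves to or from a manager's port,
    otherwise 'investigate' so the alert is not silently dropped."""
    mports = manager_ports(observations, manager_macs)
    verdicts: Dict[str, List[str]] = {}
    for mac, moves in find_mac_flaps(observations, window_s).items():
        verdicts[mac] = [
            "expected-wakeup-proxy" if old in mports or new in mports else "investigate"
            for _, old, new in moves
        ]
    return verdicts


if __name__ == "__main__":
    for mac, labels in triage_flaps(OBSERVATIONS, {"aa:bb:cc:00:00:02"}).items():
        print(mac, labels)
```

The set of manager MACs would in practice come from the clients that report the wake-up proxy service in hardware inventory, as described in the limitations below.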

Wake-up proxy has the following prerequisites and limitations:

Important

If you have a separate team that is responsible for the network infrastructure and network services, notify and include this team during your evaluation and testing period. For example, on a network that uses 802.1X network access control, wake-up proxy will not work and can disrupt the network service. In addition, wake-up proxy could cause some network monitoring tools to generate alerts when the tools detect the traffic to wake up other computers.

  • All Windows operating systems listed as supported clients in Supported operating systems for clients and devices are supported for Wake On LAN.

  • Guest operating systems that run on a virtual machine are not supported.

  • Clients must be enabled for wake-up proxy by using client settings. Although wake-up proxy operation does not depend on hardware inventory, clients do not report the installation of the wake-up proxy service unless they are enabled for hardware inventory and have submitted at least one hardware inventory.

  • Network adapters (and possibly the BIOS) must be enabled and configured for wake-up packets. If the network adapter is not configured for wake-up packets or this setting is disabled, Configuration Manager will automatically configure and enable it for a computer when it receives the client setting to enable wake-up proxy.

  • If a computer has more than one network adapter, you cannot configure which adapter to use for wake-up proxy; the choice is non-deterministic. However, the adapter chosen is recorded in the SleepAgent_<DOMAIN>@SYSTEM_0.log file.

  • The network must allow ICMP echo requests (at least within the subnet). You cannot configure the five-second interval that is used to send the ICMP ping commands.

  • Communication is unencrypted and unauthenticated, and IPsec is not supported.

  • The following network configurations are not supported:

    • 802.1X with port authentication

    • Wireless networks

    • Network switches that bind MAC addresses to specific ports

    • IPv6-only networks

    • DHCP lease durations less than 24 hours

If you want to wake up computers for scheduled software installation, you must configure each primary site to use wake-up packets.

To use wake-up proxy, you must deploy the Power Management wake-up proxy client settings in addition to configuring the primary site.

Decide whether to use subnet-directed broadcast packets or unicast packets, and what UDP port number to use. By default, traditional wake-up packets are transmitted by using UDP port 9, but to help increase security, you can select an alternative port for the site if this alternative port is supported by intervening routers and firewalls.
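The wake-up packet and the two transport choices described above, as an added Python example (not code from Configuration Manager or from this article): it builds the traditional wake-up packet, validates a captured UDP payload as a wake-up packet so a defender can check what is actually being sent on port 9 or the site's alternative port, computes the subnet-directed broadcast address for a client, and sends the packet by unicast or directed broadcast. The MAC addresses, IP addresses and function names are constructed for illustration.

```python
import ipaddress
import socket
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept 'AA:BB:CC:DD:EE:FF', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff' and return 6 raw bytes."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Traditional wake-up ('magic') packet: 6 x 0xFF followed by the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def magic_packet_target(payload: bytes) -> Optional[str]:
    """Return the MAC a captured UDP payload would wake, or None if it is not a well-formed wake-up packet.
    Lets a defender confirm that only the site server emits wake-ups and only for expected clients."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return mac.hex(":")


def directed_broadcast(interface: str) -> str:
    """Subnet-directed broadcast address for a client's address and prefix, e.g. '10.1.2.37/24' -> '10.1.2.255'."""
    return str(ipaddress.ip_interface(interface).network.broadcast_address)


def send_wakeup(mac: str, target_ip: str, port: int = 9, broadcast: bool = False) -> int:
    """Send the packet by unicast (the default, and required with wake-up proxy) or to a
    subnet-directed broadcast address; port 9 is the default, a non-default port is the hardening option."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if broadcast:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (target_ip, port))


if __name__ == "__main__":
    # Constructed values: wake 00:11:22:33:44:55 by unicast, then show the broadcast alternative.
    print(magic_packet_target(build_magic_packet("00:11:22:33:44:55")))
    print(directed_broadcast("10.1.2.37/24"))
```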

Choose between unicast and subnet-directed broadcast for Wake-on-LAN

If you choose to wake up computers by sending traditional wake-up packets, you must decide whether to transmit unicast packets or subnet-directed broadcast packets. If you use wake-up proxy, you must use unicast packets. Otherwise, use the following comparison to help you determine which transmission method to choose.

Transmission method: Unicast

  Advantages:

  • More secure solution than subnet-directed broadcasts because the packet is sent directly to a computer instead of to all computers on a subnet.

  • Might not require reconfiguration of routers (you might have to configure the ARP cache).

  • Consumes less network bandwidth than subnet-directed broadcast transmissions.

  • Supported with IPv4 and IPv6.

  Disadvantages:

  • Wake-up packets do not find destination computers that have changed their subnet address after the last hardware inventory schedule.

  • Switches might have to be configured to forward UDP packets.

  • Some network adapters might not respond to wake-up packets in all sleep states when unicast is the transmission method.

Transmission method: Subnet-directed broadcast

  Advantages:

  • Higher success rate than unicast if you have computers that frequently change their IP address in the same subnet.

  • No switch reconfiguration is required.

  • High compatibility rate with computer adapters for all sleep states, because subnet-directed broadcasts were the original transmission method for sending wake-up packets.

  Disadvantages:

  • Less secure solution than using unicast because an attacker could send continuous streams of ICMP echo requests from a falsified source address to the directed broadcast address, which causes all of the hosts to reply to that source address. If routers are configured to allow subnet-directed broadcasts, the following additional configuration is recommended for security reasons:

    - Configure routers to allow only IP-directed broadcasts from the Configuration Manager site server, by using a specified UDP port number.
    - Configure Configuration Manager to use the specified non-default port number.

  • Might require reconfiguration of all intervening routers to enable subnet-directed broadcasts.

  • Consumes more network bandwidth than unicast transmissions.

  • Supported with IPv4 only; IPv6 is not supported.

Warning

There are security risks associated with subnet-directed broadcasts: An attacker could send continuous streams of Internet Control Message Protocol (ICMP) echo requests from a falsified source address to the directed broadcast address, which causes all the hosts to reply to that source address. This type of denial of service attack is commonly called a smurf attack and is typically mitigated by not enabling subnet-directed broadcasts.