Certificates for the cloud management gateway

Applies to: Configuration Manager (current branch)

Depending upon the scenario you use to manage clients on the internet with the cloud management gateway (CMG), you need one or more of the following digital certificates:

For more information about the different scenarios, see plan for cloud management gateway.

General information

Certificates for the cloud management gateway support the following configurations:

  • 2048-bit or 4096-bit key length

  • Key storage providers for certificate private keys. For more information, see CNG certificates overview.

  • When you configure Windows with the following policy: System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing

  • TLS 1.2. For more information, see How to enable TLS 1.2.
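The following PowerShell function is an added example, not part of the Microsoft article, that checks a certificate already installed in the local machine store against the two certificate-level points above: the public key length (2048 or 4096 bits) and whether the private key is held by a CNG key storage provider rather than a legacy CryptoAPI provider. The thumbprint passed at the bottom is a placeholder; the store path and the function name are assumptions for the example.

```powershell
# Added example (not from the article): inspect a certificate in the local machine store.
function Test-CmgCertificateKey {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StoreLocation = 'Cert:\LocalMachine\My'   # assumed store; adjust as needed
    )
    $cert = Get-ChildItem -Path $StoreLocation | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in $StoreLocation" }

    # Public key length: the article states 2048-bit or 4096-bit keys are supported.
    $rsaPublic = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keySize = if ($rsaPublic) { $rsaPublic.KeySize } else { 0 }

    # Private key provider: a CNG key storage provider surfaces as RSACng,
    # a legacy CryptoAPI provider as RSACryptoServiceProvider.
    $rsaPrivate = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $providerType = if ($rsaPrivate) { $rsaPrivate.GetType().Name } else { 'none (no private key)' }

    [pscustomobject]@{
        Subject          = $cert.Subject
        KeySize          = $keySize
        KeySizeSupported = ($keySize -in 2048, 4096)
        PrivateKeyType   = $providerType
        UsesCngKsp       = ($providerType -eq 'RSACng')
        # Server Authentication EKU OID; the CMG service certificate needs this usage.
        HasServerAuthEku = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        NotAfter         = $cert.NotAfter
    }
}

# Placeholder thumbprint: replace with the thumbprint of your CMG server authentication certificate.
Test-CmgCertificateKey -Thumbprint 'REPLACE_WITH_YOUR_THUMBPRINT' | Format-List
```

Run it on the machine that holds the certificate's private key (the `UsesCngKsp` result depends on the local key container, not on the public certificate). A `PrivateKeyType` of `RSACryptoServiceProvider` means the key was created with a legacy CSP and the certificate should be reissued against a KSP before it is used for the CMG.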

CMG server authentication certificate

This certificate is required in all scenarios.

You supply this certificate when creating the CMG in the Configuration Manager console.

The CMG creates an HTTPS service to which internet-based clients connect. The server requires a server authentication certificate to build the secure channel. Acquire a certificate for this purpose from a public provider, or issue it from your public key infrastructure (PKI). For more information, see CMG trusted root certificate to clients.

Note

The CMG server authentication certificate supports wildcards. Some certificate authorities issue certificates using a wildcard character for the hostname. For example, *.contoso.com. Some organizations use wildcard certificates to simplify their PKI and reduce maintenance costs.

For more information on how to use a wildcard certificate with a CMG, see Set up a CMG.

This certificate requires a globally unique name to identify the service in Azure. Before requesting a certificate, confirm that the Azure domain name you want is unique. For example, GraniteFalls.CloudApp.Net.

  1. Sign in to the Azure portal.

  2. Select All resources, and then select Add.

  3. Search for Cloud service. Select Create.

  4. In the DNS name field, type the prefix you want, for example GraniteFalls. The interface reflects whether the domain name is available or already in use by another service.

    Important

    Don't create the service in the portal, just use this process to check the name availability.

If you also enable the CMG for content, confirm that the CMG service name is also a unique Azure storage account name. If the CMG cloud service name is unique, but the storage account name isn't, Configuration Manager fails to provision the service in Azure. Repeat the above process in the Azure portal with the following changes:

  • Search for Storage account
  • Test your name in the Storage account name field

The DNS name prefix, for example GraniteFalls, should be 3 to 24 characters long, and only use alphanumeric characters. Don't use special characters, like a dash (-).
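As an added example that is not part of the article, the function below pre-checks a candidate prefix against the naming rules just given (3 to 24 characters, alphanumeric only, no dash) and then probes public DNS for the resulting cloudapp.net name. A name that already resolves is almost certainly taken by another service; a name that does not resolve is only a hint, and the Azure portal check described above remains the authoritative test. The function name and the sample prefixes are constructed for the example.

```powershell
# Added example (not from the article): validate a CMG DNS name prefix and probe DNS.
function Test-CmgNamePrefix {
    param(
        [Parameter(Mandatory)] [string] $Prefix,
        [ValidateSet('cloudapp.net', 'usgovcloudapp.net')] [string] $AzureDomain = 'cloudapp.net'
    )
    $problems = @()
    if ($Prefix.Length -lt 3 -or $Prefix.Length -gt 24) {
        $problems += 'length must be 3 to 24 characters'
    }
    if ($Prefix -notmatch '^[A-Za-z0-9]+$') {
        $problems += 'only alphanumeric characters are allowed (no dash or other special characters)'
    }

    $fqdn = "$Prefix.$AzureDomain"
    $alreadyResolves = $false
    if ($problems.Count -eq 0) {
        try {
            # If the name already resolves, another Azure service most likely owns it.
            # A non-resolving name is not proof of availability; confirm in the Azure portal.
            $null = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
            $alreadyResolves = $true
        } catch {
            $alreadyResolves = $false
        }
    }

    [pscustomobject]@{
        Prefix          = $Prefix
        ServiceFqdn     = $fqdn
        FormatValid     = ($problems.Count -eq 0)
        Problems        = ($problems -join '; ')
        AlreadyResolves = $alreadyResolves
    }
}

# Constructed sample prefixes: one well-formed, one with a dash, one too short.
'GraniteFalls', 'Granite-Falls', 'GF' | ForEach-Object { Test-CmgNamePrefix -Prefix $_ } | Format-Table -AutoSize
```

If you also enable the CMG for content, run the same prefix through the storage account name test in the portal as the article describes; this function only covers the cloud service name.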

CMG trusted root certificate to clients

Clients must trust the CMG server authentication certificate. There are two methods to accomplish this trust:

  • Use a certificate from a public and globally trusted certificate provider. For example, but not limited to, DigiCert, Thawte, or VeriSign. Windows clients include trusted root certificate authorities (CAs) from these providers. By using a server authentication certificate issued by one of these providers, your clients automatically trust it.

  • Use a certificate issued by an enterprise CA from your public key infrastructure (PKI). Most enterprise PKI implementations add the trusted root CAs to Windows clients. For example, using Active Directory Certificate Services with group policy. If you issue the CMG server authentication certificate from a CA that your clients don't automatically trust, add the CA trusted root certificate to internet-based clients.

Server authentication certificate issued by public provider

A third-party certificate provider can't create a certificate for CloudApp.net, as that domain is owned by Microsoft. You can only get a certificate issued for a domain you own. The main reason for acquiring a certificate from a third-party provider is that your clients already trust that provider's root certificate.

Use the following process to create a DNS alias:

  1. Create a canonical name record (CNAME) in your organization's public DNS. This record creates an alias for the CMG to a friendly name that you use in the public certificate.

    For example, Contoso names their CMG GraniteFalls. This name becomes GraniteFalls.CloudApp.Net in Azure. In Contoso's public DNS contoso.com namespace, the DNS administrator creates a new CNAME record for GraniteFalls.Contoso.com for the real host name, GraniteFalls.CloudApp.net.

  2. Request a server authentication certificate from a public provider using the Common Name (CN) of the CNAME alias. For example, Contoso uses GraniteFalls.Contoso.com for the certificate CN.

  3. Create the CMG in the Configuration Manager console using this certificate. On the Settings page of the Create Cloud Management Gateway Wizard:

    • When you add the server certificate for this cloud service (from Certificate file), the wizard extracts the hostname from the certificate CN as the service name.

    • It then appends that hostname to cloudapp.net, or usgovcloudapp.net for the Azure US Government cloud, as the Service FQDN to create the service in Azure.

    • For example, when Contoso creates the CMG, Configuration Manager extracts the hostname GraniteFalls from the certificate CN. Azure creates the actual service as GraniteFalls.CloudApp.net.

When you create the CMG instance in Configuration Manager, while the certificate has GraniteFalls.Contoso.com, Configuration Manager only extracts the hostname, for example: GraniteFalls. It appends this hostname to CloudApp.net, which Azure requires when creating a cloud service. The CNAME alias in the DNS namespace for your domain, Contoso.com, maps together these two FQDNs. Configuration Manager gives clients a policy to access this CMG, and the DNS mapping ties it together so that they can securely access the service in Azure.
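The three-way relationship described above (the friendly name in your DNS, the real cloudapp.net host name, and the name in the server certificate) is exactly what a client needs to line up before it can build a trusted HTTPS channel. The following PowerShell function is an added example, not from the article, that verifies all three from a Windows machine: it resolves the alias's CNAME, performs a TLS 1.2 handshake against the alias, checks the presented certificate's CN and DNS subject alternative names (including a wildcard such as *.contoso.com) against the alias, and evaluates the chain with the local trust store, which is the same decision a Windows client makes. The Contoso host names are the article's example values; the function name and output fields are assumptions.

```powershell
# Added example (not from the article): verify DNS alias, served certificate and trust for a CMG.
function Test-CmgAlias {
    param(
        [Parameter(Mandatory)] [string] $Alias,        # friendly name in your DNS, e.g. GraniteFalls.contoso.com
        [Parameter(Mandatory)] [string] $ServiceFqdn,  # real Azure host name, e.g. GraniteFalls.cloudapp.net
        [int] $Port = 443
    )
    # 1. CNAME check: the alias must point at the Azure service name.
    $cname = Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object QueryType -eq 'CNAME' | Select-Object -First 1
    $cnameTarget = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }
    $cnameOk = [bool]($cnameTarget -and ($cnameTarget -ieq $ServiceFqdn))

    # 2. TLS check: connect with TLS 1.2 and capture the certificate the CMG presents.
    #    The permissive callback only defers the trust decision; the chain is evaluated in step 3.
    $tcp = [System.Net.Sockets.TcpClient]::new($Alias, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Alias, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $served   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    } finally {
        $tcp.Dispose()
    }

    # 3. Trust check against this machine's root store, the same evaluation a Windows client performs.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainTrusted = $chain.Build($served)

    # 4. Name check: the alias must be the CN or a DNS SAN; a wildcard entry (*.contoso.com) also matches.
    $names = @($served.GetNameInfo('DnsName', $false))
    $san = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    $nameOk = [bool]($names | Where-Object { $_ -ieq $Alias -or ($_.StartsWith('*.') -and $Alias -ilike $_) })

    [pscustomobject]@{
        Alias        = $Alias
        CnameTarget  = $cnameTarget
        CnameOk      = $cnameOk
        Protocol     = $protocol
        CertSubject  = $served.Subject
        CertNames    = (($names | Sort-Object -Unique) -join ', ')
        NameMatches  = $nameOk
        ChainTrusted = $chainTrusted
        ChainStatus  = ($chain.ChainStatus.Status -join ', ')
        NotAfter     = $served.NotAfter
    }
}

# Contoso values from the article; replace with your own alias and service name.
Test-CmgAlias -Alias 'GraniteFalls.contoso.com' -ServiceFqdn 'GraniteFalls.cloudapp.net' | Format-List
```

A result with `CnameOk` true but `NameMatches` false is the classic misconfiguration for this scenario: the alias reaches Azure, but the certificate was requested for the cloudapp.net name instead of the alias, so clients connecting to the friendly name will fail host name validation. `ChainTrusted` false on a machine that has the enterprise root installed points to a missing intermediate CA in the certificate you supplied to the CMG.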

Server authentication certificate issued from enterprise PKI

Create a custom SSL certificate for the CMG the same as for a cloud distribution point. Follow the instructions for Deploying the service certificate for cloud-based distribution points but do the following things differently:

  • When requesting the custom web server certificate, provide an FQDN for the certificate's common name. This name can be a public domain name you own or you may use the cloudapp.net domain. If using your own public domain, refer to the process above for creating a DNS alias in your organization's public DNS.

  • When using the cloudapp.net public domain for the CMG web server certificate:

    • On the Azure public cloud, use a name that ends in cloudapp.net

    • Use a name that ends in usgovcloudapp.net for the Azure US Government cloud

Client authentication certificate

Client authentication certificate requirements:

  • This certificate is required for internet-based clients running Windows 8.1, and Windows 10 devices not joined to Azure Active Directory (Azure AD).
  • It may be required on the CMG connection point. For more information, see CMG connection point.
  • It isn't required for Windows 10 clients joined to Azure AD.
  • If your site is version 2002 or later, devices can use a token issued by the site. For more information, see Token-based authentication for CMG.

The clients use this certificate to authenticate with the CMG. Windows 10 devices that are hybrid or cloud domain-joined don't require this certificate because they use Azure AD to authenticate.

Provision this certificate outside of the context of Configuration Manager. For example, use Active Directory Certificate Services and group policy to issue client authentication certificates. For more information, see Deploying the client certificate for Windows computers.

Note

Microsoft recommends joining devices to Azure AD. Internet-based devices can use Azure AD to authenticate with Configuration Manager. It also enables both device and user scenarios whether the device is on the internet or connected to the internal network. For more information, see Install and register the client using Azure AD identity.

Starting in version 2002, Configuration Manager extends its support for internet-based devices that don't often connect to the internal network, aren't able to join Azure AD, and don't have a method to install a PKI-issued certificate. For more information, see Token-based authentication for CMG.

CMG connection point

To securely forward client requests, the CMG connection point requires a secure connection with the management point. How you configure your devices and management points determines the CMG connection point configuration.

  • The management point is HTTPS

    • Clients have a client authentication certificate: The CMG connection point requires a client authentication certificate that corresponds to the server authentication certificate on the HTTPS management point.

    • Clients use Azure AD authentication or a Configuration Manager token: This certificate isn't required.

  • If you configure the management point for Enhanced HTTP: This certificate isn't required.

For more information, see Enable management point for HTTPS.

Client trusted root certificate to CMG

This certificate is required when using client authentication certificates. When all clients use Azure AD for authentication, this certificate isn't required.

You supply this certificate when creating the CMG in the Configuration Manager console.

The CMG must trust the client authentication certificates. To accomplish this trust, provide the trusted root certificate chain. Make sure to add all certificates in the trust chain. For example, if the client authentication certificate is issued by an intermediate CA, add both the intermediate and root CA certificates.

Note

When you create a CMG, you're no longer required to provide a trusted root certificate on the Settings page. This certificate isn't required when using Azure AD for client authentication, but used to be required in the wizard. If you're using PKI client authentication certificates, then you still must add a trusted root certificate to the CMG.

In version 1902 and earlier, you can only add two trusted root CAs and four intermediate (subordinate) CAs.

Export the client certificate's trusted root

After issuing a client authentication certificate to a computer, use this process on that computer to export the trusted root.

  1. Open the Start menu. Type "run" to open the Run window. Open mmc.

  2. From the File menu, choose Add/Remove Snap-in....

  3. In the Add or Remove Snap-ins dialog box, select Certificates, then select Add.

    1. In the Certificates snap-in dialog box, select Computer account, then select Next.

    2. In the Select Computer dialog box, select Local computer, then select Finish.

    3. In the Add or Remove Snap-ins dialog box, select OK.

  4. Expand Certificates, expand Personal, and select Certificates.

  5. Select a certificate whose Intended Purpose is Client Authentication.

    1. From the Action menu, select Open.

    2. Go to the Certification Path tab.

    3. Select the next certificate up the chain, and select View Certificate.

  6. On this new Certificate dialog box, go to the Details tab. Select Copy to File....

  7. Complete the Certificate Export Wizard using the default certificate format, DER encoded binary X.509 (.CER). Make note of the name and location of the exported certificate.

  8. Export all of the certificates in the certification path of the original client authentication certificate. Make note of which exported certificates are intermediate CAs, and which ones are trusted root CAs.
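The mmc procedure above can be scripted when you have to do it on several machines or want a repeatable record of which files are roots and which are intermediates. The PowerShell function below is an added example, not part of the article: it picks a certificate with the Client Authentication EKU from the local machine Personal store, builds its certification path, and writes every CA certificate above the leaf to a DER-encoded .cer file (the wizard's default format), labelling each as Root CA or Intermediate CA. The output folder and function name are assumptions for the example.

```powershell
# Added example (not from the article): export the certification path of a client authentication certificate.
function Export-ClientCertTrustChain {
    param(
        [string] $OutputFolder = "$env:TEMP\cmg-trust-chain",   # assumed output location
        [string] $Thumbprint                                     # optional: choose a specific certificate
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid }
    if ($Thumbprint) { $candidates = $candidates | Where-Object Thumbprint -eq $Thumbprint }
    $cert = $candidates | Select-Object -First 1
    if (-not $cert) { throw 'No certificate with the Client Authentication EKU found in Cert:\LocalMachine\My' }

    # Build the certification path the same way the Certification Path tab shows it.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # we want the path, not a revocation verdict
    if (-not $chain.Build($cert)) {
        Write-Warning "Chain did not fully validate: $($chain.ChainStatus.StatusInformation -join '; ')"
    }

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    # Skip the first element (the client certificate itself); export everything above it.
    $results = foreach ($element in ($chain.ChainElements | Select-Object -Skip 1)) {
        $c = $element.Certificate
        # A root CA is self-issued (subject equals issuer); any other CA in the path is an intermediate.
        $role = if ($c.Subject -eq $c.Issuer) { 'Root CA' } else { 'Intermediate CA' }
        $safeName = ($c.GetNameInfo('SimpleName', $false) -replace '[^A-Za-z0-9._-]', '_')
        $path = Join-Path $OutputFolder "$safeName.cer"
        # X509ContentType.Cert produces DER-encoded binary X.509, the export wizard's default.
        $der = $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($path, $der)
        [pscustomobject]@{
            Role       = $role
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            File       = $path
        }
    }
    $results
}

Export-ClientCertTrustChain | Format-Table -AutoSize
```

The files it writes are the ones you supply to the CMG as the trusted root certificate chain; the Role column tells you which to add as a root and which as an intermediate, which matters in version 1902 and earlier where the counts of each are limited.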

Enable management point for HTTPS

Provision this certificate outside of the context of Configuration Manager. For example, use Active Directory Certificate Services and group policy to issue a web server certificate. For more information, see PKI certificate requirements and Deploy the web server certificate for site systems that run IIS.

When using the site option to Use Configuration Manager-generated certificates for HTTP site systems, the management point can be HTTP. For more information, see Enhanced HTTP.

Tip

If you aren't using Enhanced HTTP, and your environment has multiple management points, you don't have to HTTPS-enable them all for CMG. Configure the CMG-enabled management points as Internet only. Then your on-premises clients don't try to use them.

Enhanced HTTP certificate for management points

When you enable Enhanced HTTP, the site server generates a self-signed certificate named SMS Role SSL Certificate, issued by the root SMS Issuing certificate. The management point adds this certificate to the IIS Default Web site bound to port 443.

Management point client connection mode summary

These tables summarize whether the management point requires HTTP or HTTPS, depending upon the type of client and site version.

For internet-based clients communicating with the cloud management gateway

Configure an on-premises management point to allow connections from the CMG with the following client connection mode:

Type of client      Management point
Workgroup           E-HTTP (Note 1), HTTPS
AD domain-joined    E-HTTP (Note 1), HTTPS
Azure AD-joined     E-HTTP, HTTPS
Hybrid-joined       E-HTTP, HTTPS

Note

Note 1: This configuration requires that the client has a client authentication certificate, and only supports device-centric scenarios.

For on-premises clients communicating with the on-premises management point

Configure an on-premises management point with the following client connection mode:

Type of client      Management point
Workgroup           HTTP, HTTPS
AD domain-joined    HTTP, HTTPS
Azure AD-joined     HTTPS
Hybrid-joined       HTTP, HTTPS

Note

AD domain-joined clients support both device- and user-centric scenarios communicating with an HTTP or HTTPS management point.

Azure AD-joined and hybrid-joined clients can communicate via HTTP for device-centric scenarios, but need E-HTTP or HTTPS to enable user-centric scenarios. Otherwise they behave the same as workgroup clients.

Legend of terms

  • Workgroup: The device isn't joined to a domain or Azure AD, but has a client authentication certificate.

  • AD domain-joined: You join the device to an on-premises Active Directory domain.

  • Azure AD-joined: Also known as cloud domain-joined, you join the device to an Azure AD tenant. For more information, see Azure AD joined devices.

  • Hybrid-joined: You join the device to your on-premises Active Directory and register it with your Azure AD. For more information, see Hybrid Azure AD joined devices.

  • HTTP: On the management point properties, you set the client connections to HTTP.

  • HTTPS: On the management point properties, you set the client connections to HTTPS.

  • E-HTTP: On the site properties, Communication Security tab, you set the site system settings to HTTPS or HTTP, and you enable the option to Use Configuration Manager-generated certificates for HTTP site systems. You configure the management point for HTTP; the HTTP management point is then ready for both HTTP and HTTPS communication (token auth scenarios).

    Note

    In version 1902 and earlier, this tab is called Client Computer Communication.

Azure management certificate

This certificate is required for classic service deployments. It's not required for Azure Resource Manager deployments.

Important

Starting in version 1810, classic service deployments in Azure are deprecated in Configuration Manager. Start using Azure Resource Manager deployments for the cloud management gateway. For more information, see Plan for CMG.

Starting in Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of the cloud management gateway. This certificate isn't required in Configuration Manager version 1902 or later.

You supply this certificate in the Azure portal, and when creating the CMG in the Configuration Manager console.

To create the CMG in Azure, the Configuration Manager service connection point needs to first authenticate to your Azure subscription. When using a classic service deployment, it uses the Azure management certificate for this authentication. An Azure administrator uploads this certificate to your subscription. When you create the CMG in the Configuration Manager console, provide this certificate.

For more information and instructions for how to upload a management certificate, see the following articles in the Azure documentation:

Important

Make sure to copy the subscription ID associated with the management certificate. You use it for creating the CMG in the Configuration Manager console.

Next steps