Plan for the cloud management gateway in Configuration Manager

Applies to: Configuration Manager (current branch)

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional on-premises infrastructure. You also don't need to expose your on-premises infrastructure to the internet.

Note

Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

After establishing the prerequisites, creating the CMG consists of the following three steps in the Configuration Manager console:

  1. Deploy the CMG cloud service to Azure.
  2. Add the CMG connection point role.
  3. Configure the site and site roles for the service. Once deployed and configured, clients seamlessly access on-premises site roles regardless of whether they're on the intranet or the internet.

This article provides the foundational knowledge to learn about the CMG, design how it fits in your environment, and plan the implementation.

Scenarios

There are several scenarios in which a CMG is beneficial. The following are some of the more common ones:

  • Manage traditional Windows clients with Active Directory domain-joined identity. These clients include Windows 8.1 and Windows 10. This scenario uses PKI certificates to secure the communication channel. Management activities include:

    • Software updates and endpoint protection
    • Inventory and client status
    • Compliance settings
    • Software distribution to the device
    • Windows 10 in-place upgrade task sequence
  • Manage traditional Windows 10 clients with modern identity, either hybrid or pure cloud domain-joined with Azure Active Directory (Azure AD). Clients use Azure AD to authenticate rather than PKI certificates. Azure AD is simpler to set up, configure, and maintain than a more complex PKI system. Management activities are the same as in the first scenario, plus:

    • Software distribution to the user
  • Install the Configuration Manager client on Windows 10 devices over the internet. Azure AD allows the device to authenticate to the CMG for client registration and assignment. You can install the client manually, or by using another software distribution method, such as Microsoft Intune.

  • New device provisioning with co-management. When auto-enrolling existing clients, a CMG isn't required for co-management. It is required for new devices that involve Windows Autopilot, Azure AD, Microsoft Intune, and Configuration Manager. For more information, see Paths to co-management.

Specific use cases

Across these scenarios, the following specific device use cases may apply:

  • Roaming devices such as laptops

  • Remote or branch office devices that are less expensive and more efficient to manage over the internet than across a WAN or through a VPN

  • Mergers and acquisitions, where it may be easiest to join devices to Azure AD and manage them through a CMG

  • Workgroup clients. These devices may require additional configuration, such as certificates.

    Starting in version 2002, Configuration Manager supports token-based authentication, which may help with management of remote workgroup clients. For more information, see Token-based authentication for CMG.

Important

By default, all clients receive policy for a CMG and start using it when they become internet-based. Depending upon the scenario and use case that applies to your organization, you may need to scope usage of the CMG. For more information, see the Enable clients to use a cloud management gateway client setting.

Topology design

CMG components

Deployment and operation of the CMG includes the following components:

  • The CMG cloud service in Azure authenticates Configuration Manager client requests and forwards them to the CMG connection point.

  • The CMG connection point site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG, including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.

  • The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure AD. Make sure your service connection point is in online mode.

  • The management point site system role services client requests as normal.

  • The software update point site system role services client requests as normal.

    Note

    Sizing guidance for management points and software update points doesn't change whether they service on-premises or internet-based clients. For more information, see Size and scale numbers.

  • Internet-based clients connect to the CMG to access on-premises Configuration Manager components.

  • The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.

  • Internet-based clients use PKI certificates or Azure AD for identity and authentication.

  • A cloud distribution point provides content to internet-based clients as needed.

    • A CMG can also serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs. For more information, see Modify a CMG.

Azure Resource Manager

Create the CMG using an Azure Resource Manager deployment. Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group. When you deploy the CMG with Azure Resource Manager, the site uses Azure Active Directory (Azure AD) to authenticate and create the necessary cloud resources. This modernized deployment doesn't require the classic Azure management certificate.

Note

This capability doesn't enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP doesn't support. For more information, see available Azure services in Azure CSP.

Starting in Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of the cloud management gateway. Existing deployments continue to work.

In Configuration Manager version 1810 and earlier, the CMG wizard still provides the option for a classic service deployment using an Azure management certificate. To simplify the deployment and management of resources, the Azure Resource Manager deployment model is recommended for all new CMG instances. If possible, redeploy existing CMG instances through Resource Manager. For more information, see Modify a CMG.

Important

The classic service deployment in Azure is deprecated for use in Configuration Manager. Version 1810 is the last to support creation of these Azure deployments. This functionality will be removed in a future Configuration Manager version.

Hierarchy design

Create the CMG at the top-tier site of your hierarchy. If that's a central administration site, then create CMG connection points at child primary sites. The cloud service manager component runs on the service connection point, which is also on the central administration site. This design can share the service across different primary sites if needed.

You can create multiple CMG services in Azure, and you can create multiple CMG connection points. Multiple CMG connection points provide load balancing of client traffic from the CMG to the on-premises roles.

Starting in version 1902, you can associate a CMG with a boundary group. This configuration allows clients to default or fall back to the CMG for client communication according to boundary group relationships. This behavior is especially useful in branch office and VPN scenarios. You can direct client traffic away from expensive and slow WAN links to instead use faster services in Microsoft Azure.

Starting in version 2006, intranet clients can access a CMG software update point when it's assigned to a boundary group. For more information, see Configure boundary groups.

Note

Internet-based clients don't fall into any boundary group.

In Configuration Manager version 1810 and earlier, the CMG doesn't fall into any boundary group.

Other factors, such as the number of clients to manage, also impact your CMG design. For more information, see Performance and scale.

Example 1: standalone primary site

Contoso has a standalone primary site in an on-premises datacenter at their headquarters in New York City.

  • They create a CMG in the East US Azure region to reduce network latency.
  • They create two CMG connection points, both linked to the single CMG service.

As clients roam onto the internet, they communicate with the CMG in the East US Azure region. The CMG forwards this communication through both of the CMG connection points.

Example 2: hierarchy

Fourth Coffee has a central administration site in an on-premises datacenter at their headquarters in Seattle. One primary site is in the same datacenter, and the other primary site is in their main European office in Paris.

  • On the central administration site, they create a CMG service in the West US Azure region. They scale the number of VMs for the expected load of roaming clients in the entire hierarchy.
  • On the Seattle-based primary site, they create a CMG connection point linked to the single CMG.
  • On the Paris-based primary site, they create a CMG connection point linked to the single CMG.

As clients roam onto the internet, they communicate with the CMG in the West US Azure region. The CMG forwards this communication to the CMG connection point in the client's assigned primary site.

Tip

You don't need to deploy more than one cloud management gateway for the purposes of geolocation. The Configuration Manager client is mostly unaffected by the slight latency that can occur with the cloud service, even when geographically distant.

Test environments

Many organizations have separate environments for production, test, development, or quality assurance. When you plan your CMG deployment, consider the following questions:

  • How many Azure AD tenants does your organization have?

    • Is there a separate tenant for testing?
    • Are user and device identities in the same tenant?
  • How many subscriptions are in each tenant?

    • Are there subscriptions that are specific to testing?

Configuration Manager's Azure service for Cloud Management supports multiple tenants. Multiple Configuration Manager sites can connect to the same tenant. A single site can deploy multiple CMG services into different subscriptions. Multiple sites can deploy CMG services into the same subscription. Configuration Manager provides flexibility depending upon your environment and business requirements.

For more information, see the following FAQ: Do the user accounts have to be in the same Azure AD tenant as the tenant associated with the subscription that hosts the CMG cloud service?

Requirements

  • An Azure subscription to host the CMG.

    Important

    CMG doesn't support subscriptions with an Azure Cloud Service Provider (CSP).

  • Your user account needs to be a Full administrator or Infrastructure administrator in Configuration Manager.

  • An Azure administrator needs to participate in the initial creation of certain components, depending upon your design. This persona can be the same as the Configuration Manager administrator, or separate. If separate, it doesn't require permissions in Configuration Manager.

    • To deploy the CMG, you need a Subscription Owner.
    • To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin.
  • At least one on-premises Windows server to host the CMG connection point. You can colocate this role with other Configuration Manager site system roles.

  • The service connection point must be in online mode.

  • Integration with Azure AD for deploying the service with Azure Resource Manager. For more information, see Configure Azure services.

  • A server authentication certificate for the CMG.

  • Other certificates may be required, depending upon your client OS version and authentication model. For more information, see CMG certificates.

    When you use the site option to Use Configuration Manager-generated certificates for HTTP site systems, the management point can be HTTP. For more information, see Enhanced HTTP.

  • In Configuration Manager version 1810 or earlier, if you use the Azure classic deployment method, you must use an Azure management certificate.

    Tip

    Use the Azure Resource Manager deployment model. It doesn't require this management certificate.

    The classic deployment method is deprecated as of version 1810.

  • Clients must use IPv4.

Specifications

  • All Windows versions listed in Supported operating systems for clients and devices are supported for CMG.

  • CMG only supports the management point and software update point roles.

  • CMG doesn't support clients that only communicate with IPv6 addresses.

  • Software update points using a network load balancer don't work with CMG.

  • CMG deployments using the Azure Resource Manager model don't enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP doesn't support. For more information, see Azure services available in the Azure CSP program.

Support for Configuration Manager features

The following table lists CMG support for Configuration Manager features:

Feature | Support
--- | ---
Software updates | Supported
Endpoint protection | Supported (Note 1)
Hardware and software inventory | Supported
Client status and notifications | Supported
Run scripts | Supported
CMPivot | Supported
Compliance settings | Supported
Client install (with Azure AD integration) | Supported
Client install (with token authentication) | Supported (2002)
Software distribution (device-targeted) | Supported
Software distribution (user-targeted, required) (with Azure AD integration) | Supported
Software distribution (user-targeted, available) (all requirements) | Supported
Windows 10 in-place upgrade task sequence | Supported
Task sequence without a boot image, deployed with the option to Download all content locally before starting task sequence | Supported
Task sequence without a boot image, deployed with either download option | Supported (1910)
Task sequence with a boot image, started from Software Center | Supported (2006)
Any other task sequence scenario | Not supported
Client push | Not supported
Automatic site assignment | Not supported
Software approval requests | Not supported
Configuration Manager console | Not supported
Remote tools | Not supported
Reporting website | Not supported
Wake on LAN | Not supported
Mac, Linux, and UNIX clients | Not supported
Peer cache | Not supported
On-premises MDM | Not supported
BitLocker Management | Not supported

Key

Supported = This feature is supported with CMG by all supported versions of Configuration Manager
Supported (YYMM) = This feature is supported with CMG starting with version YYMM of Configuration Manager
Not supported = This feature isn't supported with CMG

Note 1: Support for endpoint protection

Starting in version 2006, clients that communicate via a CMG can immediately apply endpoint protection policies without an active connection to Active Directory.

In version 2002 and earlier, domain-joined devices require access to the domain in order to apply endpoint protection policy. Devices with infrequent access to the internal network may experience delays in applying endpoint protection policy. If you require that devices immediately apply endpoint protection policy after they receive it, consider one of the following options:

Cost

Important

The following cost information is for estimating purposes only. Your environment may have other variables that affect the overall cost of using CMG.

CMG uses the following Azure components, which incur charges to the Azure subscription account:

Virtual machine

  • CMG uses Azure Cloud Services as platform as a service (PaaS). This service uses virtual machines (VMs) that incur compute costs.

  • CMG uses a Standard A2 V2 VM.

  • You select how many VM instances support the CMG. One is the default, and 16 is the maximum. This number is set when you create the CMG, and you can change it afterwards to scale the service as needed.

  • For more information on how many VMs you need to support your clients, see Performance and scale.

  • See the Azure pricing calculator to help determine potential costs.

    Note

    Virtual machine costs vary by region.

Outbound data transfer

  • Charges are based on data flowing out of Azure (egress or download). Any data flowing into Azure is free (ingress or upload). CMG data flows out of Azure include policy to the client, client notifications, and client responses that the CMG forwards to the site. These responses include inventory reports, status messages, and compliance status.

  • Even without any clients communicating with a CMG, some background communication causes network traffic between the CMG and the on-premises site.

  • View the Outbound data transfer (GB) in the Configuration Manager console. For more information, see Monitor clients on CMG.

  • See the Azure bandwidth pricing details to help determine potential costs. Pricing for data transfer is tiered: the more you use, the less you pay per gigabyte.

  • For estimating purposes only, expect approximately 100-300 MB per client per month for internet-based clients. The lower estimate is for a default client configuration. The upper estimate is for a more aggressive client configuration. Your actual usage may vary depending upon how you configure client settings.

    Note

    Performing other actions, such as deploying software updates or applications, increases the amount of outbound data transfer from Azure.

  • Internet-based clients get Microsoft software update content from Windows Update at no charge. Don't distribute update packages with Microsoft update content to a cloud distribution point, otherwise you may incur storage and data egress costs.

  • Misconfiguration of the CMG option to Verify client certificate revocation can cause additional traffic from clients to the CMG. This additional traffic can increase the Azure egress data, which can increase your Azure costs. For more information, see Publish the certificate revocation list.

Content storage

  • Internet-based clients get Microsoft software update content from Windows Update at no charge. Don't distribute update packages with Microsoft update content to a cloud distribution point, otherwise you may incur storage and data egress costs.

  • For any other necessary content, such as applications or third-party software updates, you must distribute it to a cloud distribution point. Currently, the CMG supports only the cloud distribution point for sending content to clients.

    • When you use a CMG for content storage, the content for third-party updates won't download to clients if the Download delta content when available client setting is enabled.
  • For more information, see the cost of using cloud distribution points.

  • A CMG can also be a cloud distribution point to serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs. For more information, see Modify a CMG.

  • CMG uses Azure locally redundant storage (LRS). For more information, see Locally redundant storage.

Other costs

  • Each cloud service has a dynamic IP address. Each distinct CMG uses a new dynamic IP address. Adding more VMs per CMG doesn't increase the number of these addresses.

Performance and scale

For more information on CMG scale, see Size and scale numbers.

The following recommendations can help you improve CMG performance:

  • The connection between the Configuration Manager client and the CMG isn't region-aware. Client communication is largely unaffected by latency or geographic separation. It's not necessary to deploy multiple CMGs for the purposes of geo-proximity. Deploy the CMG at the top-level site in your hierarchy and add instances to increase scale.

  • For high availability of the service, create a CMG with at least two CMG instances and two CMG connection points per site.

  • Scale the CMG to support more clients by adding more VM instances. The Azure load balancer controls client connections to the service.

  • Create more CMG connection points to distribute the load among them. The CMG distributes the traffic to its connected CMG connection points in a round-robin fashion.

  • When the CMG is under high load with more than the supported number of clients, it still handles requests, but there may be delays.

Note

While Configuration Manager has no hard limit on the number of clients for a CMG connection point, Windows Server has a default maximum TCP dynamic port range of 16,384 ports. If a Configuration Manager site manages more than 16,384 clients with a single CMG connection point, you must increase the Windows Server limit. All clients maintain a channel for client notifications, which holds a port open on the CMG connection point. For more information on how to use the netsh command to increase this limit, see Microsoft Support article 929851.
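The dynamic port range limit above is easy to overlook until clients start failing to register their notification channel. The following PowerShell check is an added example, not code from the Microsoft article: run on the CMG connection point server, it reads the configured dynamic (ephemeral) TCP port range, counts the established connections currently consuming ports from that range, and flags when utilisation approaches the limit. The 80% threshold and the sample `netsh` values it prints are arbitrary choices for this example; the `netsh int ipv4 set dynamicport` syntax is the one documented in Support article 929851.

```powershell
# Added example, not from the Microsoft article: measure how much of the Windows
# dynamic (ephemeral) TCP port range a CMG connection point is using, since every
# client notification channel holds one port open on that server.
# Assumptions: run on the CMG connection point server with local admin rights;
# the 80% warning threshold is an arbitrary choice for this example.
# Cmdlets: Get-NetTCPSetting / Get-NetTCPConnection (NetTCPIP module, Windows Server 2012 and later).

function Get-CmgEphemeralPortStatus {
    [CmdletBinding()]
    param(
        # Fraction of the dynamic range in use at which NearLimit becomes $true.
        [ValidateRange(0.0, 1.0)]
        [double] $WarnThreshold = 0.8
    )

    # The dynamic port range is a global TCP/IP setting; the 'Internet' template
    # exposes it as DynamicPortRangeStartPort / DynamicPortRangeNumberOfPorts.
    $tcp = Get-NetTCPSetting -SettingName Internet
    if (-not $tcp.DynamicPortRangeNumberOfPorts) {
        throw 'Could not read the dynamic port range; check "netsh int ipv4 show dynamicport tcp" instead.'
    }
    $rangeStart = [int] $tcp.DynamicPortRangeStartPort
    $rangeSize  = [int] $tcp.DynamicPortRangeNumberOfPorts
    $rangeEnd   = $rangeStart + $rangeSize - 1

    # Every outbound socket (CMG channel, forwarded client notification channel,
    # traffic to the management point) consumes one local port from that range.
    $inUse = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -ge $rangeStart -and $_.LocalPort -le $rangeEnd }).Count

    $utilisation = if ($rangeSize -gt 0) { $inUse / $rangeSize } else { 1.0 }

    [pscustomobject]@{
        RangeStart         = $rangeStart
        RangeEnd           = $rangeEnd
        RangeSize          = $rangeSize        # 16384 on a default Windows Server
        EstablishedInRange = $inUse
        UtilisationPct     = [math]::Round($utilisation * 100, 1)
        NearLimit          = $utilisation -ge $WarnThreshold
    }
}

$status = Get-CmgEphemeralPortStatus
$status | Format-List

if ($status.NearLimit) {
    # Support article 929851 widens the range with netsh. The script only prints
    # the command; start/num below are illustrative values, pick your own.
    Write-Warning ('Ephemeral port utilisation is {0}% of {1} ports.' -f $status.UtilisationPct, $status.RangeSize)
    Write-Warning 'To widen the range, run as administrator, for example:'
    Write-Warning '  netsh int ipv4 set dynamicport tcp start=10000 num=55535'
}
```

Run it from a scheduled task or a monitoring agent so the trend is visible before the range is exhausted; because Get-NetTCPConnection counts every established socket, the number also includes the connection point's own channels to the CMG and to the management point, so treat it as an upper bound on the port cost of the clients.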

Ports and data flow

You don't need to open any inbound ports to your on-premises network. The service connection point and CMG connection point initiate all communication with Azure and the CMG. These two site system roles need to create outbound connections to the Microsoft cloud. The service connection point deploys and monitors the service in Azure, so it must be in online mode. The CMG connection point connects to the CMG to manage communication between the CMG and on-premises site system roles.

The following diagram is a basic, conceptual data flow for the CMG:

CMG data flow

  1. The service connection point connects to Azure over HTTPS port 443. It authenticates using Azure AD or the Azure management certificate. The service connection point deploys the CMG in Azure. The CMG creates the HTTPS cloud service using the server authentication certificate.

  2. The CMG connection point connects to the CMG in Azure over TCP-TLS or HTTPS. It holds the connection open and builds the channel for future two-way communication.

  3. The client connects to the CMG over HTTPS port 443. It authenticates using Azure AD or the client authentication certificate.

    Note

    If you enable the CMG to serve content or use a cloud distribution point, the client connects directly to Azure blob storage over HTTPS port 443. For more information, see Use a cloud-based distribution point.

  4. The CMG forwards the client communication over the existing connection to the on-premises CMG connection point. You don't need to open any inbound firewall ports.

  5. The CMG connection point forwards the client communication to the on-premises management point and software update point.

For more information about hosting content in Azure, see Use a cloud-based distribution point.

Required ports

This table lists the required network ports and protocols. The Client is the device initiating the connection, requiring an outbound port. The Server is the device accepting the connection, requiring an inbound port.

Client | Protocol | Port | Server | Description
--- | --- | --- | --- | ---
Service connection point | HTTPS | 443 | Azure | CMG deployment
CMG connection point | TCP-TLS | 10140-10155 | CMG service | Preferred protocol to build the CMG channel (Note 1)
CMG connection point | HTTPS | 443 | CMG service | Fallback protocol to build the CMG channel to only one VM instance (Note 2)
CMG connection point | HTTPS | 10124-10139 | CMG service | Fallback protocol to build the CMG channel to two or more VM instances (Note 3)
Client | HTTPS | 443 | CMG | General client communication
Client | HTTPS | 443 | Blob storage | Download cloud-based content
CMG connection point | HTTPS or HTTP | 443 or 80 | Management point | On-premises traffic, port depends upon management point configuration
CMG connection point | HTTPS or HTTP | 443 or 80 | Software update point | On-premises traffic, port depends upon software update point configuration

Note 1: CMG connection point TCP-TLS ports

The CMG connection point first tries to establish a long-lived TCP-TLS connection with each CMG VM instance. It connects to the first VM instance on port 10140. The second VM instance uses port 10141, and so on up to the 16th on port 10155. A TCP-TLS connection performs best, but it doesn't support an internet proxy. If the CMG connection point can't connect via TCP-TLS, it falls back to HTTPS (Note 2).

Note 2: CMG connection point HTTPS ports for one VM

If the CMG connection point can't connect to the CMG via TCP-TLS (Note 1), it connects to the Azure network load balancer over HTTPS 443, but only when there is a single VM instance.

Note 3: CMG connection point HTTPS ports for two or more VMs

If there are two or more VM instances, the CMG connection point uses HTTPS 10124 to the first VM instance, not HTTPS 443. It connects to the second VM instance on HTTPS 10125, and so on up to the 16th on HTTPS port 10139.
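The port assignment in Notes 1 to 3 is deterministic, so the outbound rules a firewall team needs for the CMG connection point (step 2 of the data flow above) can be derived from the VM instance count rather than guessed. The PowerShell below is an added example, not code from the Microsoft article: `Get-CmgChannelPorts` applies the three notes to produce the expected TCP-TLS and HTTPS ports for a given instance count, and `Test-CmgConnectionPointEgress` checks TCP reachability of each one from the connection point server. The host name `contoso-cmg.cloudapp.net` is a placeholder, and the function names are this example's own.

```powershell
# Added example, not from the Microsoft article: derive the outbound ports a CMG
# connection point needs from the number of CMG VM instances (Notes 1-3 above),
# and test TCP reachability of each port from the connection point server.
# Assumptions: 'contoso-cmg.cloudapp.net' is a placeholder service name; the
# instance count matches what was configured when the CMG was created;
# Test-NetConnection (Windows Server 2012 R2 and later) is available.

function Get-CmgChannelPorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1, 16)]
        [int] $VmInstanceCount
    )

    # Note 1: preferred TCP-TLS channel, one port per VM instance, 10140 upward.
    $ports = @(foreach ($i in 0..($VmInstanceCount - 1)) {
        [pscustomobject]@{ Instance = $i + 1; Protocol = 'TCP-TLS'; Port = 10140 + $i; Role = 'Preferred' }
    })

    if ($VmInstanceCount -eq 1) {
        # Note 2: a single instance falls back to HTTPS 443 through the Azure load balancer.
        $ports += [pscustomobject]@{ Instance = 1; Protocol = 'HTTPS'; Port = 443; Role = 'Fallback' }
    }
    else {
        # Note 3: two or more instances fall back to HTTPS 10124 upward, one port per instance.
        $ports += @(foreach ($i in 0..($VmInstanceCount - 1)) {
            [pscustomobject]@{ Instance = $i + 1; Protocol = 'HTTPS'; Port = 10124 + $i; Role = 'Fallback' }
        })
    }
    $ports
}

function Test-CmgConnectionPointEgress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CmgServiceHost,
        [Parameter(Mandatory)] [ValidateRange(1, 16)] [int] $VmInstanceCount
    )

    foreach ($check in Get-CmgChannelPorts -VmInstanceCount $VmInstanceCount) {
        # Test-NetConnection only completes the TCP handshake; a TLS or proxy
        # problem would surface later in the CMG connection point logs.
        $result = Test-NetConnection -ComputerName $CmgServiceHost -Port $check.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Instance  = $check.Instance
            Protocol  = $check.Protocol
            Port      = $check.Port
            Role      = $check.Role
            Reachable = $result.TcpTestSucceeded
        }
    }
}

# Example run against the placeholder host name with two VM instances: the expected
# checks are TCP-TLS 10140-10141 and HTTPS 10124-10125 (no 443 fallback with two instances).
Test-CmgConnectionPointEgress -CmgServiceHost 'contoso-cmg.cloudapp.net' -VmInstanceCount 2 |
    Format-Table -AutoSize
```

Two caveats follow directly from Note 1: TCP-TLS does not traverse an internet proxy, so on a connection point that reaches the internet only through a proxy the 1014x ports will show as unreachable and the channel will rely on the HTTPS fallback; and Test-NetConnection itself does not use a proxy either, so its result for the HTTPS ports only tells you whether a direct connection is possible, not whether the proxied path works. Re-run the check whenever the VM instance count is scaled, because adding a 3rd instance adds ports 10142 and 10126 that the firewall rules may not yet allow.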

Internet access requirements

If your organization restricts network communication with the internet using a firewall or proxy device, you need to allow the CMG connection point and service connection point to access internet endpoints.

For more information, see Internet access requirements.

Next steps