Security and privacy for the cloud management gateway

Applies to: Configuration Manager (current branch)

This article includes security and privacy information for the Configuration Manager cloud management gateway (CMG). For more information, see Plan for cloud management gateway.

CMG security details

The CMG accepts and manages connections from CMG connection points. It mutually authenticates those connections using certificates and connection IDs.

The CMG accepts and forwards client requests using the following methods:

  • Pre-authenticates connections using mutual HTTPS with the PKI-based client authentication certificate or Azure AD.

    • IIS on the CMG VM instances verifies the certificate path based on the trusted root certificates that you upload to the CMG.

    • If you enable certificate revocation, IIS on the VM instance also verifies client certificate revocation. For more information, see Publish the certificate revocation list.

  • The certificate trust list (CTL) checks the root of the client authentication certificate. It also does the same validation as the management point does for the client. For more information, see Review entries in the site's certificate trust list.

  • Validates and filters client requests (URLs) to check whether any CMG connection point can service the request.

  • Checks content length for each published endpoint.

  • Uses round-robin behavior to load-balance CMG connection points in the same site.

The CMG connection point uses the following methods:

  • Builds consistent HTTPS/TCP connections to all VM instances of the CMG. It checks and maintains these connections every minute.

  • Mutually authenticates with the CMG using certificates.

  • Forwards client requests based on URL mappings.

  • Reports connection status to show service health in the console.

  • Reports traffic per endpoint every five minutes.

Configuration Manager client-facing roles

The management point and software update point host endpoints in IIS to service client requests. The CMG doesn't expose all internal endpoints. Every endpoint published to the CMG has a URL mapping.

  • The external URL is the one the client uses to communicate with the CMG.

  • The internal URL is the one the CMG connection point uses to forward requests to the internal server.

URL mapping example

When you enable CMG traffic on a management point, Configuration Manager creates an internal set of URL mappings for each management point server. For example: ccm_system, ccm_incoming, and sms_mp. The external URL for the management point ccm_system endpoint might look like:

https://<CMG service name>/CCM_Proxy_MutualAuth/<MP Role ID>/CCM_System

The URL is unique for each management point. The Configuration Manager client then puts the CMG-enabled management point name into its internet management point list. This name looks like:

<CMG service name>/CCM_Proxy_MutualAuth/<MP Role ID>

The site automatically uploads all published external URLs to the CMG. This behavior allows the CMG to do URL filtering: a request for a path that was never published has no connection point that can service it and is dropped at the CMG. All URL mappings replicate to the CMG connection point, which then forwards the communication to internal servers according to the external URL in the client request.
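The following model, added here as an illustration and not Configuration Manager code, shows the three client-facing behaviors described above working together: the published-URL filter, the per-endpoint content-length check, and round-robin forwarding to connection points. The CMG host name, MP role ID, connection point names and size limits are assumptions; the point of the example is that a path is only rewritten to an internal URL after it has been normalized and matched against the published mappings, so path-traversal tricks such as an encoded ".." cannot reach an unpublished endpoint.

```python
"""Model of the CMG URL filtering and forwarding described above.

Added example, not Configuration Manager code: the host name, MP role ID,
connection point names and content-length limits are assumptions.
"""
import posixpath
from dataclasses import dataclass
from itertools import cycle
from typing import Optional
from urllib.parse import unquote, urlsplit

CMG_HOST = "cmg.contoso.cloudapp.net"   # assumed <CMG service name>
PROXY_PREFIX = "/CCM_Proxy_MutualAuth"
MP_ROLE_ID = "72057594037927940"        # placeholder for <MP Role ID>


@dataclass(frozen=True)
class UrlMapping:
    external_prefix: str      # path prefix the client sends to the CMG
    internal_url: str         # URL the connection point forwards to
    max_content_length: int   # per-endpoint limit (assumed values)


@dataclass(frozen=True)
class Decision:
    forwarded: bool
    reason: str
    internal_url: Optional[str] = None
    connection_point: Optional[str] = None


# Mappings the site would publish for one management point with CMG
# traffic enabled. Only these paths are reachable through the CMG.
MAPPINGS = [
    UrlMapping(f"{PROXY_PREFIX}/{MP_ROLE_ID}/CCM_System",
               "https://mp01.contoso.local/CCM_System", 1 << 20),
    UrlMapping(f"{PROXY_PREFIX}/{MP_ROLE_ID}/CCM_Incoming",
               "https://mp01.contoso.local/CCM_Incoming", 4 << 20),
    UrlMapping(f"{PROXY_PREFIX}/{MP_ROLE_ID}/SMS_MP",
               "https://mp01.contoso.local/SMS_MP", 1 << 20),
]
CONNECTION_POINTS = ["cmgcp01.contoso.local", "cmgcp02.contoso.local"]


class CmgProxyModel:
    """Published-URL filter, per-endpoint content-length check and
    round-robin choice of connection point, as a runnable model."""

    def __init__(self, mappings, connection_points):
        # Longest prefix first, so a more specific mapping always wins.
        self._mappings = sorted(mappings, key=lambda m: len(m.external_prefix),
                                reverse=True)
        self._next_cp = cycle(connection_points)

    @staticmethod
    def _normalize(path: str) -> str:
        # Decode percent-encoding and collapse "." and ".." segments before
        # matching, so "/CCM_System/../Other" cannot pass a prefix check.
        return posixpath.normpath("/" + unquote(path).lstrip("/"))

    def _match(self, path: str) -> Optional[UrlMapping]:
        lowered = path.lower()
        for m in self._mappings:
            prefix = m.external_prefix.lower()
            if lowered == prefix or lowered.startswith(prefix + "/"):
                return m
        return None

    def route(self, external_url: str, content_length: int) -> Decision:
        parts = urlsplit(external_url)
        if parts.scheme != "https" or parts.hostname != CMG_HOST:
            return Decision(False, "not addressed to this CMG over HTTPS")
        path = self._normalize(parts.path)
        mapping = self._match(path)
        if mapping is None:
            return Decision(False, "URL not published; no connection point can service it")
        if content_length < 0 or content_length > mapping.max_content_length:
            return Decision(False, f"content length {content_length} exceeds endpoint limit")
        # Rewrite the external prefix to the internal URL, keeping remainder and query.
        internal = mapping.internal_url + path[len(mapping.external_prefix):]
        if parts.query:
            internal += "?" + parts.query
        return Decision(True, "forwarded", internal, next(self._next_cp))


if __name__ == "__main__":
    cmg = CmgProxyModel(MAPPINGS, CONNECTION_POINTS)
    base = f"https://{CMG_HOST}{PROXY_PREFIX}/{MP_ROLE_ID}"
    for url, length in [(base + "/CCM_System/request", 512),
                        (base + "/NotPublished/x", 512),
                        (base + "/CCM_System/%2e%2e/%2e%2e/admin", 512),
                        (base + "/CCM_Incoming/post", 8 << 20)]:
        print(cmg.route(url, length))
```

The first request is forwarded to the management point's CCM_System URL through the first connection point; the unpublished path, the encoded traversal attempt and the oversized POST are all rejected before anything is forwarded, and successive accepted requests alternate between the two connection points.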

Security guidance for CMG

Publish the certificate revocation list

Publish your PKI's certificate revocation list (CRL) so that internet-based clients can access it. When you deploy a CMG using PKI, configure the service to Verify client certificate revocation on the Settings tab. This setting configures the service to use a published certificate revocation list (CRL). For more information, see Plan for PKI certificate revocation.

This CMG option verifies the client authentication certificate.

  • If the client uses Azure AD authentication, the CRL doesn't matter.

  • If you use PKI and publish the CRL externally, enable this option (recommended).

  • If you use PKI but don't publish the CRL, disable this option.

  • If you misconfigure this option, it can cause additional traffic from clients to the CMG. This additional traffic can increase Azure egress data, which can increase your Azure costs.

Review entries in the site's certificate trust list

Each Configuration Manager site includes a list of trusted root certification authorities, the certificate trust list (CTL). To view and modify the list, go to the Administration workspace, expand Site Configuration, and select Sites. Select a site, and then select Properties in the ribbon. Switch to the Communication Security tab, and then select Set under Trusted Root Certification Authorities.

Note

In version 1902 and earlier, this tab is called Client Computer Communication.

Use a more restrictive CTL for a site with a CMG that uses PKI client authentication. Otherwise, clients with client authentication certificates issued by any trusted root that already exists on the management point are automatically accepted for client registration.

This subset gives administrators more control over security. The CTL restricts the server to accept only client certificates issued by the certification authorities in the CTL. For example, Windows ships with a number of well-known third-party certification authority (CA) certificates, such as VeriSign and Thawte. By default, the computer running IIS trusts certificates that chain to these well-known CAs. Without a CTL configured in IIS, any computer that has a client certificate issued by one of these CAs is accepted as a valid Configuration Manager client. If you configure IIS with a CTL that doesn't include these CAs, client connections whose certificates chain to these CAs are refused.
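The following example, added here and not Configuration Manager or IIS code, models the two checks from the preceding sections together: the CTL test (the issuer must be in the site's own list, not merely in the OS store, and the signature must actually chain to that root) and the revocation test controlled by the Verify client certificate revocation setting. It uses the `cryptography` package to build two throwaway roots, three client certificates and a CRL in memory so it runs offline; all names and lifetimes are constructed test data, and the choice to fail closed when revocation checking is enabled but no CRL is available is a modeling decision, not a statement about how IIS behaves.

```python
"""Model of the CTL and CRL checks described above.

Added example, not Configuration Manager or IIS code. Uses the
`cryptography` package; all roots, certificates and the CRL are
constructed in memory as test data.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = dt.datetime.now(dt.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _utc(obj, attr):
    # Prefer the *_utc accessors (cryptography >= 42); fall back to naive UTC.
    value = getattr(obj, attr + "_utc", None) or getattr(obj, attr)
    return value if value.tzinfo else value.replace(tzinfo=dt.timezone.utc)


def _builder(subject, issuer, pubkey, days):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(minutes=5))
            .not_valid_after(NOW + dt.timedelta(days=days)))


def make_root(cn):
    """Self-signed root CA (constructed test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(_name(cn), _name(cn), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client_cert(root_key, root_cert, cn):
    """Client authentication certificate chained to the given root."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (_builder(_name(cn), root_cert.subject, key.public_key(), 365)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(root_key, hashes.SHA256()))


def make_crl(root_key, root_cert, revoked_serials):
    """CRL signed by the root, standing in for the published CRL."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(root_cert.subject)
         .last_update(NOW - dt.timedelta(minutes=5)).next_update(NOW + dt.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(root_key, hashes.SHA256())


def check_client_cert(cert, ctl_roots, published_crls, verify_revocation):
    """Return (accepted, reason). ctl_roots: roots in the site's CTL;
    published_crls: {issuer Name: CRL} that the verifier can reach;
    verify_revocation: the 'Verify client certificate revocation' setting."""
    # CTL: the issuer must be in the site's list, not merely in the OS store,
    # and the signature must actually chain to that root.
    root = next((r for r in ctl_roots if r.subject == cert.issuer), None)
    if root is None:
        return False, "issuing CA is not in the certificate trust list"
    try:
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify against the CTL root"
    if not _utc(cert, "not_valid_before") <= NOW <= _utc(cert, "not_valid_after"):
        return False, "certificate outside its validity period"
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "no extended key usage"
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return False, "not a client authentication certificate"
    if verify_revocation:
        crl = published_crls.get(cert.issuer)
        if crl is None:
            # Option enabled but no CRL published: the misconfiguration the
            # article warns about. This model fails closed (a modeling choice).
            return False, "revocation check enabled but no CRL is published for this issuer"
        if not crl.is_signature_valid(root.public_key()):
            return False, "CRL signature invalid"
        if _utc(crl, "next_update") < NOW:
            return False, "CRL is stale"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, "certificate is revoked"
    return True, "accepted"


def build_scenario():
    """Constructed data: the site's own root (in the CTL) plus a public
    root the OS would trust but a restrictive CTL leaves out."""
    site_key, site_root = make_root("Contoso Issuing Root")
    pub_key, public_root = make_root("Well-Known Public CA")
    good = issue_client_cert(site_key, site_root, "client01.contoso.com")
    revoked = issue_client_cert(site_key, site_root, "client02.contoso.com")
    outsider = issue_client_cert(pub_key, public_root, "laptop.example.net")
    crl = make_crl(site_key, site_root, [revoked.serial_number])
    return {"site_root": site_root, "public_root": public_root, "good": good,
            "revoked": revoked, "outsider": outsider, "crls": {site_root.subject: crl}}
```

With the CTL limited to the site's own root, the certificate from the public CA is refused even though it is well formed and carries the client-authentication EKU; widen the CTL to include that root and the same certificate is accepted, which is the exposure the section above describes. The revoked certificate is refused only when revocation checking is on and the CRL is reachable, and enabling the check without publishing a CRL is treated here as a misconfiguration rather than silently passed.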

Enforce TLS 1.2

Starting in version 1906, use the CMG setting Enforce TLS 1.2. It only applies to the Azure cloud service VM. It doesn't apply to any on-premises Configuration Manager site servers or clients. For more information on TLS 1.2, see How to enable TLS 1.2.

Use token-based authentication

Starting in version 2002, Configuration Manager extends its support for internet-based devices that don't often connect to the internal network, aren't able to join Azure AD, and don't have a method to install a PKI-issued certificate. The site automatically issues tokens for devices that register on the internal network. You can create a bulk registration token for internet-based devices. For more information, see Token-based authentication for CMG.

Next steps