Set up cloud management gateway for Configuration Manager

Applies to: Configuration Manager (current branch)

This process includes the steps required to set up a cloud management gateway (CMG).

Note

Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

Before you begin

Start by reading the article Plan for cloud management gateway. Use that article to determine your CMG design.

Use the following checklist to make sure you have the necessary information and prerequisites to create a CMG:

  • The Azure environment to use. For example, the Azure Public Cloud or the Azure US Government Cloud.

  • One or more certificates for the CMG, depending on your design. For more information, see Certificates for cloud management gateway.

  • For an Azure Resource Manager deployment of the CMG, the following requirements:

    • Integration with Azure AD for Cloud Management. Azure AD user discovery isn't required. To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin.

    • The Microsoft.ClassicCompute and Microsoft.Storage resource providers must be registered in the Azure subscription. For more information, see Azure Resource Manager.

    • A Subscription Owner needs to sign in to deploy the CMG.

  • A globally unique name for the service. This name comes from the CMG server authentication certificate.

  • If you enable the CMG as a cloud distribution point, the same globally unique CMG service name also needs to be available as a globally unique storage account name. This name also comes from the CMG server authentication certificate.

  • The Azure region for this CMG deployment.

  • How many VM instances you need for scale and redundancy.

  • If you still need to use the Azure classic service deployment in Configuration Manager version 1810 or earlier, the following requirements:

    Important

    Starting in version 1810, classic service deployments in Azure are deprecated in Configuration Manager. Use Azure Resource Manager deployments for the cloud management gateway. For more information, see Plan for CMG.

    Starting in Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of the cloud management gateway.

    • Azure subscription ID

    • Azure management certificate

Set up a CMG

Do this procedure on the top-level site. That site is either a standalone primary site or the central administration site.

  1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select Cloud Management Gateway.

  2. Select Create Cloud Management Gateway in the ribbon.

  3. On the General page of the wizard, select Sign in. Authenticate with an Azure Subscription Owner account. The wizard automatically populates the remaining fields from the information stored during the Azure AD integration prerequisite. If you own multiple subscriptions, select the Subscription ID of the subscription you want to use.

    Note

    Starting in version 1810, classic service deployments in Azure are deprecated in Configuration Manager. In version 1902 and earlier, select Azure Resource Manager deployment as the CMG deployment method.

    If you need to use a classic service deployment, select that option on this page. First enter your Azure Subscription ID. Then select Browse, and choose the .PFX file for the Azure management certificate.

  4. Specify the Azure environment for this CMG. The options in the drop-down list may vary depending on the deployment method.

  5. Select Next. Wait as the site tests the connection to Azure.

  6. On the Settings page of the wizard, first select Browse and choose the .PFX file for the CMG server authentication certificate. The name from this certificate populates the required Service FQDN and Service name fields.

    Note

    The CMG server authentication certificate supports wildcards. If you use a wildcard certificate, replace the asterisk (*) in the Service FQDN field with the desired hostname for the CMG.

  7. Select the Region drop-down list to choose the Azure region for this CMG.

  8. Select a Resource Group option.

    1. If you choose Use existing, select an existing resource group from the drop-down list. The selected resource group must already exist in the region you selected in step 7. If the existing resource group is in a different region than the one you selected, the CMG fails to provision.
    2. If you choose Create new, enter the new resource group name.

  9. In the VM Instance field, enter the number of VMs for this service. The default is one, but you can scale up to 16 VMs per CMG.

  10. Select Certificates to add client trusted root certificates. Add all of the certificates in the trust chain.

    Note

    A trusted root certificate isn't required when using Azure Active Directory (Azure AD) for client authentication. If you're using PKI client authentication certificates, you need to add a trusted root certificate to the CMG.

    In version 1902 and earlier, you can only add two trusted root CAs and four intermediate (subordinate) CAs.

  11. By default, the wizard enables the option to Verify Client Certificate Revocation. The CMG service runs in Azure, so the certificate revocation list (CRL) must be publicly published, meaning reachable from the internet rather than only from your intranet, for this verification to work. For more information, see Publish the certificate revocation list.

  12. Starting in version 1906, you can Enforce TLS 1.2. This setting only applies to the Azure cloud service VM. It doesn't apply to any on-premises Configuration Manager site servers or clients. For more information on TLS 1.2, see How to enable TLS 1.2.

  13. By default, the wizard enables the following option: Allow CMG to function as a cloud distribution point and serve content from Azure storage. A CMG can also serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs.

  14. Select Next.

  15. To monitor CMG traffic with a 14-day threshold, select the check box to turn on the threshold alert. Then specify the threshold, and the percentage at which to raise the different alert levels. Select Next when you're done.

  16. Review the settings, and select Next. Configuration Manager starts setting up the service. After you close the wizard, it takes between five and 15 minutes to provision the service completely in Azure. Check the Status column for the new CMG to determine when the service is ready.

    Note

    To troubleshoot CMG deployments, use CloudMgr.log and CMGSetup.log. For more information, see Log files.
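The wizard above fails late, and with sparse errors, when a certificate is not what it expects. The following PowerShell script is an added example, not part of the original article and not Microsoft's tooling: a pre-flight check for the certificates that steps 6, 10 and 11 ask for. It verifies that the CMG server authentication PFX carries its private key, has the Server Authentication EKU, has a lowercase CN (renewals must match case exactly), and, for a wildcard CN, that the hostname you intend to type into Service FQDN is a single label under it. It then fetches the HTTP CRL distribution points of the server certificate and of an optional sample client authentication certificate, so you can confirm the CRL that Verify Client Certificate Revocation depends on is really published where a VM in Azure can reach it. The PFX path, password and the sample client certificate are placeholders (assumptions); run the script from a host outside the corporate network so the reachability result reflects what Azure sees.

```powershell
<#
Added example, not part of the original article or of Microsoft's CMG tooling.
Pre-flight checks for the certificates the Create CMG wizard asks for.
Assumptions (placeholders): -PfxPath/-PfxPassword point at your CMG server
authentication PFX; -SampleClientCert is an exported client auth cert (.cer)
issued by the PKI whose root/intermediate certificates you add in step 10.
#>
param(
    [Parameter(Mandatory)] [string]       $PfxPath,
    [Parameter(Mandatory)] [securestring] $PfxPassword,
    [string] $IntendedFqdn,        # hostname you will type into Service FQDN (wildcard certs only)
    [string] $SampleClientCert     # optional .cer used to test "Verify Client Certificate Revocation"
)

Add-Type -AssemblyName System.Security
$findings = [System.Collections.Generic.List[string]]::new()

function Get-CdpUrls([System.Security.Cryptography.X509Certificates.X509Certificate2] $c) {
    # CRL Distribution Points extension, OID 2.5.29.31; Format($true) renders "URL=http://..." lines
    $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    @([regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
}

function Test-CrlPublished([System.Security.Cryptography.X509Certificates.X509Certificate2] $c, [string] $label) {
    $urls = Get-CdpUrls $c
    if ($urls.Count -eq 0) { $findings.Add("WARN ${label}: no CRL Distribution Points; revocation cannot be checked"); return }
    foreach ($url in $urls) {
        # The CMG VMs live in Azure: only an internet-facing HTTP CDP is usable there, never LDAP or a file share.
        if ($url -notmatch '^http://') { $findings.Add("WARN ${label}: CDP '$url' is not HTTP; unusable from Azure"); continue }
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            if ($resp.RawContentLength -le 0) { $findings.Add("FAIL ${label}: CDP '$url' returned an empty body") }
        } catch {
            $findings.Add("FAIL ${label}: CDP '$url' unreachable: $($_.Exception.Message)")
        }
    }
}

$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$server = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword, $flags)

# 1. The wizard imports a PFX because the CMG needs the private key; a .cer export will not do.
if (-not $server.HasPrivateKey) { $findings.Add('FAIL server: PFX does not contain the private key') }

# 2. Expiry; the Settings tab lets you swap the certificate later, but plan the renewal early.
if ($server.NotAfter -lt (Get-Date).AddDays(30)) { $findings.Add("WARN server: expires $($server.NotAfter.ToString('u'))") }

# 3. EKU must include Server Authentication (1.3.6.1.5.5.7.3.1).
$ekuOids = @($server.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { $findings.Add('FAIL server: EKU lacks Server Authentication') }

# 4. The CN feeds Service FQDN / Service name, and renewals must match its case exactly.
$cn = $server.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -cne $cn.ToLowerInvariant()) { $findings.Add("WARN server: CN '$cn' has upper-case letters; renewals must match case") }
if ($cn.StartsWith('*.')) {
    $suffix = $cn.Substring(1)                        # "*.contoso.com" -> ".contoso.com"
    if (-not $IntendedFqdn) {
        $findings.Add('FAIL server: wildcard CN but no -IntendedFqdn to replace the asterisk with')
    } elseif (-not $IntendedFqdn.EndsWith($suffix) -or
              ($IntendedFqdn.Substring(0, $IntendedFqdn.Length - $suffix.Length)).Contains('.')) {
        $findings.Add("FAIL server: '$IntendedFqdn' is not a single label under '$suffix'")
    }
}

Test-CrlPublished $server 'server'
if ($SampleClientCert) {
    $client = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($SampleClientCert)
    Test-CrlPublished $client 'client'
}

if ($findings.Count -eq 0) { 'OK: certificates pass all pre-flight checks' } else { $findings }
```

Any FAIL line is a reason not to start the wizard; a WARN on the client certificate's CDP is the usual cause of PKI clients being rejected by the CMG while the same certificate works fine against an intranet management point.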

Configure primary site for client certificate authentication

If you're using client authentication certificates for clients to authenticate with the CMG, follow this procedure to configure each primary site.

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select Sites.

  2. Select the primary site to which your internet-based clients are assigned, and select Properties.

  3. Switch to the Communication Security tab of the primary site property sheet, and select Use PKI client certificate (client authentication) when available.

    Note

    In version 1902 and earlier, this tab is called Client Computer Communication.

  4. If you don't publish a CRL, clear the option Clients check the certificate revocation list (CRL) for site systems. Clearing it means clients accept a site system certificate even after it has been revoked, so publishing the CRL is the safer choice.

Add the CMG connection point

The CMG connection point is the site system role that communicates with the CMG. To add the CMG connection point, follow the general instructions to install site system roles. On the System Role Selection page of the Add Site System Role Wizard, select Cloud management gateway connection point. Then select the Cloud management gateway name to which this server connects. The wizard shows the region for the selected CMG.

Important

In some scenarios, the CMG connection point must have a client authentication certificate.

To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log. For more information, see Log files.

Configure client-facing roles for CMG traffic

Configure the management point and software update point site systems to accept CMG traffic. Do this procedure on the primary site, for all management points and software update points that service internet-based clients.

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Servers and Site System Roles node. On the Home tab of the ribbon, in the View group, select Servers with Role. Then select Management point from the list.

  2. Select the site system server you want to configure for CMG traffic. Select the Management point role in the details pane, and then select Properties in the ribbon.

  3. In the Management point properties sheet, under Client Connections, select the check box next to Allow Configuration Manager cloud management gateway traffic.

    Depending on your CMG design and Configuration Manager version, you may need to enable the HTTPS option. For more information, see Enable management point for HTTPS.

  4. Select OK to close the management point properties window.

Repeat these steps for additional management points as needed, and for any software update points.

Configure boundary groups

Starting in version 1902, you can associate a CMG with a boundary group. This configuration allows clients to default or fall back to the CMG for client communication according to boundary group relationships.

For more information on boundary groups, see Configure boundary groups.

When you create or configure a boundary group, on the References tab, add a cloud management gateway. This action associates the CMG with this boundary group.

Configure clients for CMG

Once the CMG and site system roles are running, clients get the location of the CMG service automatically on the next location request. Clients must be on the intranet to receive the location of the CMG service, unless you install and assign Windows 10 clients using Azure AD for authentication. The polling cycle for location requests is every 24 hours. If you don't want to wait for the normally scheduled location request, you can force the request. To force the request, restart the SMS Agent Host service (ccmexec.exe) on the computer.

Note

By default, all clients receive CMG policy. Control this behavior with the client setting Enable clients to use a cloud management gateway.

The Configuration Manager client automatically determines whether it's on the intranet or the internet. If the client can contact a domain controller or an on-premises management point, it sets its connection type to Currently intranet. Otherwise, it switches to Currently Internet, and uses the location of the CMG service to communicate with the site.

Note

You can force the client to always use the CMG regardless of whether it's on the intranet or the internet. This configuration is useful for testing, or for clients that you want to always use the CMG. Set the following registry value on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1

You can also specify this setting during client installation using the CCMALWAYSINF property.

This setting always applies, even if the client roams into a location where boundary group configurations would otherwise use local resources.

To verify that clients have the policy specifying the CMG, open a Windows PowerShell command prompt as an administrator on the client computer, and run the following command:

Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}

This command displays any internet-based management points the client knows about. While the CMG isn't technically an internet-based management point, clients view it as one.

Note

To troubleshoot CMG client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log. For more information, see Log files.

Install off-premises clients using a CMG

To install the Configuration Manager client on systems not currently connected to your intranet, one of the following conditions must be true. In all cases, a local administrator account on the target systems is required.

  1. The Configuration Manager site is properly configured to use PKI certificates for client authentication. Additionally, each client system has a valid, unique, and trusted client authentication certificate previously issued to it.

  2. The systems are Azure AD domain-joined or hybrid Azure AD domain-joined.

  3. The site is running Configuration Manager version 2002 or later.

For options 1 and 2, when you run ccmsetup.exe, use the /mp parameter to specify the CMG's URL. For more information, see About client installation parameters and properties.

For option 3, starting in Configuration Manager version 2002, you can install the client on systems not connected to your intranet using a bulk registration token. For more information on this method, see Create a bulk registration token.
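For options 1 and 2, the following PowerShell wrapper is an added example, not part of the original article and not Microsoft's installer. Before it launches ccmsetup.exe it proves from the target machine that the CMG answers on port 443 with TLS 1.2 and that the CMG server authentication certificate chains to a root this machine trusts; if that handshake fails, the client would reject the CMG in exactly the same way and the install would only fail later, less visibly, in ccmsetup.log. The CMG URL, the site code, and the location of ccmsetup.exe are placeholders (assumptions); any further properties your scenario needs come from About client installation parameters and properties.

```powershell
<#
Added example, not part of the original article or of Microsoft's client installer.
Checks the TLS path to the CMG from this machine, then runs ccmsetup.exe with /mp
pointing at the CMG. Assumptions (placeholders): -CmgUrl, -SiteCode, and ccmsetup.exe
sitting next to this script (copy it from the site server's Client folder beforehand).
#>
param(
    [Parameter(Mandatory)] [string] $CmgUrl,     # e.g. https://contoso-cmg.contoso.com
    [Parameter(Mandatory)] [string] $SiteCode,   # e.g. PS1
    [string] $CcmSetup = (Join-Path $PSScriptRoot 'ccmsetup.exe')
)

function Test-CmgTls([string] $Url) {
    $uri = [uri] $Url
    $tcp = [System.Net.Sockets.TcpClient]::new()
    $tcp.Connect($uri.Host, 443)
    # Default certificate validation is deliberately left in place: if it fails here, the
    # Configuration Manager client on this machine would reject the CMG too.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    try {
        # TLS 1.2 only, and ask the stack to check revocation of the CMG certificate chain.
        $ssl.AuthenticateAsClient($uri.Host, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2] $ssl.RemoteCertificate
        [pscustomobject]@{
            Host     = $uri.Host
            Protocol = $ssl.SslProtocol
            Subject  = $remote.Subject
            Issuer   = $remote.Issuer
            NotAfter = $remote.NotAfter
        }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

# Stop on the first problem rather than kicking off an install that cannot register.
$ErrorActionPreference = 'Stop'
$tls = Test-CmgTls -Url $CmgUrl
$tls | Format-List | Out-String | Write-Host

if (-not (Test-Path -LiteralPath $CcmSetup)) { throw "ccmsetup.exe not found at $CcmSetup" }

# /mp points the installer at the CMG; CCMALWAYSINF=1 tells the client it is always on the
# internet (the same effect as the ClientAlwaysOnInternet registry value described earlier).
$setupArgs = @("/mp:$CmgUrl", 'CCMALWAYSINF=1', "SMSSITECODE=$SiteCode")
$proc = Start-Process -FilePath $CcmSetup -ArgumentList $setupArgs -PassThru -Wait
"ccmsetup.exe exited with $($proc.ExitCode); follow %WINDIR%\ccmsetup\Logs\ccmsetup.log for the rest of the install."
```

A handshake failure with a name or chain error is a client-side trust problem (the server authentication certificate's issuing CA is not trusted on this machine), not a CMG problem, and is worth fixing before touching ccmsetup.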

Configure off-premises clients for CMG

You can connect systems to a recently configured CMG where the following conditions are true:

  • The systems already have the Configuration Manager client installed.

  • The systems aren't connected to, and can't be connected to, your intranet.

  • The systems meet one of the following conditions:

    • Each has a valid, unique, and trusted client authentication certificate previously issued to it

    • Azure AD domain-joined

    • Hybrid Azure AD domain-joined

  • You don't want to, or can't, completely reinstall the existing client.

  • You have a method to change a machine registry value and restart the SMS Agent Host service using a local administrator account.

To force the connection on these systems, create the REG_SZ registry entry CMGFQDNs in the key HKLM\Software\Microsoft\CCM. Set its value to the URL of the CMG, for example, https://contoso-cmg.contoso.com. Then restart the SMS Agent Host Windows service on the device.

If the Configuration Manager client doesn't have a current CMG or internet-facing management point set in the registry, it automatically checks the CMGFQDNs registry value. This check occurs every 25 hours, when the SMS Agent Host service starts, or when it detects a network change. When the client connects to the site and learns of a CMG, it automatically updates this value.
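The following PowerShell script is an added example, not part of the original article and not Microsoft's client code. It performs the procedure above end to end on an already-installed client: it writes the CMGFQDNs value, optionally pins the client to internet mode with the ClientAlwaysOnInternet value from the earlier note, restarts the SMS Agent Host so the client re-reads CMGFQDNs immediately instead of at the next 25-hour check, and then reads back the internet management point candidates (the same SMS_ActiveMPCandidate query shown earlier) together with the client's own intranet/internet verdict. The CMG URL is a placeholder (assumption), and the root\ccm ClientInfo.InInternet query used for that verdict is a client WMI class not mentioned on this page.

```powershell
<#
Added example, not part of the original article or of Microsoft's client.
Repoints an already-installed client at a CMG via CMGFQDNs, optionally pins it to
internet mode via ClientAlwaysOnInternet, restarts the SMS Agent Host, and reads back
what the client ended up with. Assumption (placeholder): -CmgUrl. Run elevated on the client.
#>
param(
    [Parameter(Mandatory)] [string] $CmgUrl,   # e.g. https://contoso-cmg.contoso.com
    [switch] $AlwaysOnInternet                 # also set ClientAlwaysOnInternet = 1
)

$ccmKey = 'HKLM:\SOFTWARE\Microsoft\CCM'
$secKey = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'

function Set-CmgClientRegistry([string] $Url, [bool] $PinToInternet) {
    if ($Url -notmatch '^https://[^/\s]+') { throw "CMGFQDNs expects an https:// URL, got '$Url'" }
    if (-not (Test-Path $ccmKey)) { throw 'No Configuration Manager client found (HKLM\SOFTWARE\Microsoft\CCM missing)' }

    # REG_SZ CMGFQDNs: read at service start, every 25 hours, or on a network change, and only
    # while the client has no current CMG or internet MP recorded. The client overwrites it later.
    Set-ItemProperty -Path $ccmKey -Name CMGFQDNs -Value $Url -Type String

    if ($PinToInternet) {
        # DWORD ClientAlwaysOnInternet = 1 overrides intranet/internet detection and boundary groups.
        if (-not (Test-Path $secKey)) { New-Item -Path $secKey -Force | Out-Null }
        Set-ItemProperty -Path $secKey -Name ClientAlwaysOnInternet -Value 1 -Type DWord
    }
}

function Get-CmgClientState {
    # SMS_ActiveMPCandidate entries of Type "Internet" are how the client records the CMG it will use.
    $internetMps = Get-CimInstance -Namespace root\ccm\LocationServices -ClassName SMS_ActiveMPCandidate |
        Where-Object Type -eq 'Internet' | Select-Object -ExpandProperty MP
    [pscustomobject]@{
        CMGFQDNs               = (Get-ItemProperty -Path $ccmKey -Name CMGFQDNs -ErrorAction SilentlyContinue).CMGFQDNs
        ClientAlwaysOnInternet = (Get-ItemProperty -Path $secKey -Name ClientAlwaysOnInternet -ErrorAction SilentlyContinue).ClientAlwaysOnInternet
        InternetMPs            = @($internetMps)
        # ClientInfo.InInternet is the client's own verdict: $true corresponds to "Currently Internet".
        ClientReportsInternet  = (Get-CimInstance -Namespace root\ccm -ClassName ClientInfo).InInternet
    }
}

Set-CmgClientRegistry -Url $CmgUrl -PinToInternet $AlwaysOnInternet.IsPresent
Restart-Service -Name CcmExec -Force      # forces the location request instead of waiting for the schedule
Start-Sleep -Seconds 60                   # give location services time to complete the request
Get-CmgClientState
```

An empty InternetMPs list after the restart usually means the client still believes it has a current management point recorded, in which case CMGFQDNs is never consulted; the CMGHttpHandler.log and SMS_Cloud_ProxyConnector.log files named above show whether the client's requests ever reached the CMG.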

Modify a CMG

CMG properties

After creating a CMG, you can modify some of its settings. Select the CMG in the Configuration Manager console and select Properties. Configure settings on the following tabs:

General

  • Azure management certificate: change the Azure management certificate for the CMG. This option is useful when updating the certificate before it expires.

Settings

  • Certificate file: change the server authentication certificate for the CMG. This option is useful when updating the certificate before it expires.

    Note

    When you renew the server authentication certificate for the CMG, the FQDN specified in the certificate's Common Name (CN) is case-sensitive. For example, if the certificate currently in use has a CN of contoso-cmg.contoso.com, create the new certificate with the same lowercase CN. The wizard won't accept a certificate with the CN CONTOSO-CMG.CONTOSO.COM.

  • VM Instance: change the number of virtual machines that the service uses in Azure. This setting allows you to dynamically scale the service up or down based on usage or cost considerations.

  • Certificates: add or remove trusted root or intermediate CA certificates. This option is useful when adding new CAs, or retiring expired certificates.

  • Verify Client Certificate Revocation: if you didn't originally enable this setting when creating the CMG, you can enable it afterwards once you publish the CRL. For more information, see Publish the certificate revocation list.

  • Allow CMG to function as a cloud distribution point and serve content from Azure storage: this option is enabled by default. A CMG can also serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs.

Alerts

Reconfigure the alerts at any time after you create the CMG.

Redeploy the service

More significant changes, such as the following configurations, require redeploying the service:

  • Classic deployment method to Azure Resource Manager
  • Subscription
  • Service name
  • Private to public PKI
  • Region

Always keep at least one active CMG for internet-based clients to receive updated policy. Internet-based clients can't communicate with a removed CMG, and they don't learn about a new one until they either roam back to the intranet or receive updated policy through a CMG that is still active. When creating a second CMG instance to delete the first, also create another CMG connection point.

Clients refresh policy by default every 24 hours, so wait at least one day after creating a new CMG before you delete the old one. If clients are turned off or don't have an internet connection, you may need to wait longer.

If you have an existing CMG on the classic deployment method, you must deploy a new CMG to use the Azure Resource Manager deployment method. There are two options:

  • If you want to reuse the same service name:

    1. First delete the classic CMG, taking into account the guidance to always have at least one active CMG for internet-based clients.

    2. Create a new CMG using a Resource Manager deployment. Reuse the same server authentication certificate.

    3. Reconfigure the CMG connection point to use the new CMG instance.

  • If you want to use a new service name:

    1. Create a new CMG using a Resource Manager deployment. Use a new server authentication certificate.

    2. Create a new CMG connection point and link it with the new CMG.

    3. Wait at least one day for internet-based clients to receive policy about the new CMG.

    4. Delete the classic CMG.

Tip

To determine the current deployment model of a CMG:

  1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Cloud Management Gateway node.
  2. Select the CMG instance.
  3. In the Details pane at the bottom of the window, look for the Deployment Model attribute. For a Resource Manager deployment, this attribute is Azure Resource Manager. The legacy deployment model with the Azure management certificate displays as Azure Service Manager.

You can also add the Deployment Model attribute as a column to the list view.

Modifications in the Azure portal

Only modify the CMG from the Configuration Manager console. Modifying the service or the underlying VMs directly in Azure isn't supported. Any such changes may be lost without notice. As with any PaaS, the service can rebuild the VMs at any time. These rebuilds can happen for backend hardware maintenance, or to apply updates to the VM OS.

Delete the service

If you need to delete the CMG, also do so from the Configuration Manager console. Manually removing any components in Azure causes the system to be inconsistent. This state leaves orphaned information, and unexpected behaviors may occur.

Next steps