Enhanced HTTP

Applies to: Configuration Manager (current branch)

Tip

This feature was first introduced in version 1806 as a pre-release feature. Beginning with version 1810, this feature is no longer a pre-release feature.

Microsoft recommends using HTTPS communication for all Configuration Manager communication paths, but it's challenging for some customers due to the overhead of managing PKI certificates.

Configuration Manager version 1806 includes improvements to how clients communicate with site systems. There are two primary goals for these improvements:

  • You can secure sensitive client communication without the need for PKI server authentication certificates.

  • Clients can securely access content from distribution points without the need for a network access account, client PKI certificate, and Windows authentication.

All other client communication is over HTTP. Enhanced HTTP isn't the same as enabling HTTPS for client communication or a site system.

Note

PKI certificates are still a valid option for customers with the following requirements:

  • All client communication is over HTTPS
  • Advanced control of the signing infrastructure

Also, if you're already using PKI, the PKI certificate bound in IIS is used even if enhanced HTTP is turned on.

Scenarios

The following scenarios benefit from these improvements:

Scenario 1: Client to management point

Azure Active Directory (Azure AD)-joined devices and devices with a Configuration Manager issued token can communicate with a management point configured for HTTP if you enable enhanced HTTP for the site. With enhanced HTTP enabled, the site server generates a certificate for the management point, allowing it to communicate via a secure channel.

Note

This scenario does not require using an HTTPS-enabled management point, but it is supported as an alternative to using enhanced HTTP. For more information on using an HTTPS-enabled management point, see Enable management point for HTTPS.

Scenario 2: Client to distribution point

A workgroup or Azure AD-joined client can authenticate and download content over a secure channel from a distribution point configured for HTTP. These types of devices can also authenticate and download content from a distribution point configured for HTTPS without requiring a PKI certificate on the client. It's challenging to add a client authentication certificate to a workgroup or Azure AD-joined client.

This behavior includes OS deployment scenarios with a task sequence running from boot media, PXE, or Software Center. For more information, see Network access account.

Scenario 3: Azure AD device identity

An Azure AD-joined or hybrid Azure AD device without an Azure AD user signed in can securely communicate with its assigned site. The cloud-based device identity is now sufficient to authenticate with the CMG and management point for device-centric scenarios. (A user token is still required for user-centric scenarios.)

Features

The following Configuration Manager features support or require enhanced HTTP:

Note

The software update point and related scenarios have always supported secure HTTP traffic with clients as well as the cloud management gateway. It uses a mechanism with the management point that's different from certificate- or token-based authentication.

Prerequisites

  • A management point configured for HTTP client connections. Set this option on the General tab of the management point role properties.

  • A distribution point configured for HTTP client connections. Set this option on the Communication tab of the distribution point role properties. Don't enable the option to Allow clients to connect anonymously.

  • Onboard the site to Azure AD for cloud management.

  • For Scenario 3 only: A client running Windows 10 version 1803 or later, and joined to Azure AD. The client requires this configuration for Azure AD device authentication.

Configure the site

  1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node. Select the site and choose Properties in the ribbon.

  2. Switch to the Client Computer Communication tab.

    Note

    Starting in version 1906, this tab is called Communication Security.

    Select the option for HTTPS or HTTP. Then enable the option to Use Configuration Manager-generated certificates for HTTP site systems.

Tip

Wait up to 30 minutes for the management point to receive and configure the new certificate from the site.

Starting in version 1902, you can also enable enhanced HTTP for the central administration site. Use this same process, and open the properties of the central administration site. This action only enables enhanced HTTP for the SMS Provider roles at the central administration site. It's not a global setting that applies to all sites in the hierarchy.

You can see these certificates in the Configuration Manager console. Go to the Administration workspace, expand Security, and select the Certificates node. Look for the SMS Issuing root certificate, as well as the site server role certificates issued by the SMS Issuing root.

For more information on how the client communicates with the management point and distribution point with this configuration, see Communications from clients to site systems and services.

Validate the certificate

When you enable enhanced HTTP, the site server generates a self-signed certificate named SMS Role SSL Certificate. This certificate is issued by the root SMS Issuing certificate. The management point adds this certificate to the IIS default web site bound to port 443.

To see the status of the configuration, review mpcontrol.log.
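The following PowerShell script is an added example, not part of the Microsoft documentation, that performs the checks described above on a management point: it looks for the SMS Role SSL Certificate in the local machine store, confirms it was issued by the SMS Issuing root, verifies that the Default Web Site port 443 binding uses that certificate, and tails mpcontrol.log. It assumes the certificate is identified by its friendly name or subject, that the binding lives on the IIS site named "Default Web Site", and the log path is a placeholder to adjust for your site system.

```powershell
# Added verification script for enhanced HTTP on a management point.
# Assumptions (not from the doc): the cert is matched by friendly name or
# subject, the IIS site is "Default Web Site", and $MpControlLog is a
# placeholder path to be adjusted for the local install.
param(
    [string]$MpControlLog = 'C:\PLACEHOLDER\Logs\mpcontrol.log'
)

Import-Module WebAdministration

# 1. Find the self-signed role certificate generated by the site server.
$roleCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.FriendlyName -eq 'SMS Role SSL Certificate' -or
    $_.Subject -like '*SMS Role SSL Certificate*'
}
if (-not $roleCerts) {
    Write-Warning 'No SMS Role SSL Certificate found; wait up to 30 minutes after enabling enhanced HTTP.'
    return
}

# 2. Confirm each candidate is issued by the SMS Issuing root and not expired.
foreach ($cert in $roleCerts) {
    $fromSmsIssuing = $cert.Issuer -match 'SMS Issuing'
    $notExpired     = $cert.NotAfter -gt (Get-Date)
    '{0}  Issuer="{1}"  IssuedBySmsIssuing={2}  NotExpired={3}' -f `
        $cert.Thumbprint, $cert.Issuer, $fromSmsIssuing, $notExpired
}

# 3. Check that the HTTPS binding on port 443 uses one of those thumbprints.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' }
if (-not $binding) {
    Write-Warning 'Default Web Site has no https binding on port 443.'
} else {
    $boundHash = $binding.certificateHash | Select-Object -First 1
    if ($roleCerts.Thumbprint -contains $boundHash) {
        'Port 443 binding uses the SMS Role SSL Certificate.'
    } else {
        # A PKI certificate already bound in IIS takes precedence over the generated one.
        Write-Warning "Port 443 is bound to $boundHash, not the SMS Role SSL Certificate."
    }
}

# 4. Show the latest entries of mpcontrol.log for the configuration status.
if (Test-Path $MpControlLog) { Get-Content $MpControlLog -Tail 20 }
else { Write-Warning "mpcontrol.log not found at $MpControlLog" }
```

Run it in an elevated PowerShell session on the management point; a warning in step 3 with a non-SMS thumbprint is expected when a PKI certificate is already bound in IIS.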

See also