Certificates for the cloud management gateway

Applies to: Configuration Manager (current branch)

Depending on the scenario you use to manage clients on the internet with the cloud management gateway (CMG), you need one or more of the digital certificates described in this article.

For more information about the different scenarios, see Plan for cloud management gateway.

General information

Certificates for the cloud management gateway support the following configurations:

  • 2048-bit or 4096-bit key length

  • Key storage providers (KSP) for certificate private keys. For more information, see CNG certificates overview.

  • Windows configured with the policy System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing

  • TLS 1.2. For more information, see How to enable TLS 1.2.

CMG server authentication certificate

This certificate is required in all scenarios.

You supply this certificate when you create the CMG in the Configuration Manager console.

The CMG creates an HTTPS service to which internet-based clients connect. The server requires a server authentication certificate to build the secure channel. Acquire a certificate for this purpose from a public provider, or issue it from your public key infrastructure (PKI). For more information, see CMG trusted root certificate to clients.

Note

The CMG server authentication certificate supports wildcards. Some certificate authorities issue certificates with a wildcard character for the hostname, for example *.contoso.com. Some organizations use wildcard certificates to simplify their PKI and reduce maintenance costs; the trade-off is that one private key then covers every host in that namespace, so protect it accordingly.

For more information on how to use a wildcard certificate with a CMG, see Set up a CMG.

The hostname in this certificate becomes the name of the cloud service in Azure, so it must be globally unique. Before you request the certificate, confirm that the Azure domain name you want is available, for example GraniteFalls.CloudApp.Net:

  1. Sign in to the Azure portal.

  2. Select All resources, and then select Add.

  3. Search for Cloud service. Select Create.

  4. In the DNS name field, type the prefix you want, for example GraniteFalls. The interface shows whether the domain name is available or already in use by another service.

    Important

    Don't create the service in the portal; use this process only to check name availability.

If you also enable the CMG for content, confirm that the CMG service name is also a unique Azure storage account name. If the CMG cloud service name is unique but the storage account name isn't, Configuration Manager fails to provision the service in Azure. Repeat the above process in the Azure portal with the following changes:

  • Search for Storage account
  • Test your name in the Storage account name field

The DNS name prefix, for example GraniteFalls, must be 3 to 24 characters long and use only alphanumeric characters. Don't use special characters, such as a dash (-).
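The portal procedure above can be scripted as a pre-flight check. The following PowerShell function is an added example, not part of the Configuration Manager documentation or product: it applies the prefix rules from this page, probes public DNS for an existing <prefix>.cloudapp.net record, and, when asked, queries storage account name availability through the Az.Storage module. It assumes Windows PowerShell with the DnsClient module and, for the storage check, an Az session opened with Connect-AzAccount; the function name Test-CmgServiceNamePrefix is this example's own.

```powershell
# Added example (not from the Configuration Manager docs): pre-flight checks for a CMG
# service name, scripting the portal procedure above. Assumes Windows PowerShell with the
# DnsClient module; for the storage check, the Az.Storage module and an open Az session
# (Connect-AzAccount). The function name is this example's own.
function Test-CmgServiceNamePrefix {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Prefix,
        # Use 'usgovcloudapp.net' for the Azure US Government cloud
        [string] $CloudAppSuffix = 'cloudapp.net',
        # Set when the CMG will also serve content, which needs a same-named storage account
        [switch] $CheckStorageAccount
    )

    $result = [ordered]@{
        Prefix            = $Prefix
        ServiceFqdn       = "$Prefix.$CloudAppSuffix"
        SyntaxValid       = $false
        DnsNameInUse      = $null
        StorageNameStatus = 'not checked'
    }

    # Rule from this page: 3 to 24 characters, alphanumeric only, no dashes or other symbols.
    $result.SyntaxValid = $Prefix -match '^[A-Za-z0-9]{3,24}$'
    if (-not $result.SyntaxValid) {
        Write-Warning "'$Prefix' is not a valid DNS name prefix (3-24 alphanumeric characters)."
        return [pscustomobject]$result
    }

    # Heuristic: if <prefix>.cloudapp.net already resolves, another cloud service owns the name.
    # NXDOMAIN is a good sign but not proof, because a name can be reserved without a
    # public record; the portal check stays authoritative.
    $records = Resolve-DnsName -Name $result.ServiceFqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
    $result.DnsNameInUse = [bool]$records

    if ($CheckStorageAccount) {
        # Storage account names are lowercase; Azure answers availability authoritatively here.
        $avail = Get-AzStorageAccountNameAvailability -Name $Prefix.ToLower()
        $result.StorageNameStatus = if ($avail.NameAvailable) { 'available' } else { "taken ($($avail.Reason))" }
    }

    [pscustomobject]$result
}

# Usage:
# Test-CmgServiceNamePrefix -Prefix 'GraniteFalls' -CheckStorageAccount
```

Treat DnsNameInUse = $false as "probably available" rather than proof; only the storage account query and the portal check are authoritative for name reservation.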

CMG trusted root certificate to clients

Clients must trust the CMG server authentication certificate. There are two ways to establish this trust:

  • Use a certificate from a public, globally trusted certificate provider, for example (but not limited to) DigiCert, Thawte, or VeriSign. Windows clients include the trusted root certificate authorities (CAs) of these providers, so a server authentication certificate issued by one of them is trusted by your clients automatically.

  • Use a certificate issued by an enterprise CA from your public key infrastructure (PKI). Most enterprise PKI implementations add the trusted root CAs to Windows clients, for example with Active Directory Certificate Services and group policy. If you issue the CMG server authentication certificate from a CA that your clients don't automatically trust, add that CA's trusted root certificate to the internet-based clients.

Server authentication certificate issued by public provider

A third-party certificate provider can't issue a certificate for CloudApp.net, because Microsoft owns that domain. You can only get a certificate issued for a domain you own. The main reason to acquire a certificate from a third-party provider is that your clients already trust that provider's root certificate.

Use the following process to create a DNS alias:

  1. Create a canonical name record (CNAME) in your organization's public DNS. This record aliases a friendly name in your domain, the name you use in the public certificate, to the CMG's real hostname in Azure.

    For example, Contoso names their CMG GraniteFalls. In Azure, this name becomes GraniteFalls.CloudApp.Net. In Contoso's public DNS namespace, contoso.com, the DNS administrator creates a CNAME record that maps GraniteFalls.Contoso.com to the real hostname, GraniteFalls.CloudApp.net.

  2. Request a server authentication certificate from a public provider, using the CNAME alias as the Common Name (CN). For example, Contoso uses GraniteFalls.Contoso.com as the certificate CN.

  3. Create the CMG in the Configuration Manager console using this certificate. On the Settings page of the Create Cloud Management Gateway Wizard:

    • When you add the server certificate for this cloud service (from Certificate file), the wizard extracts the hostname from the certificate CN and uses it as the service name.

    • It then appends that hostname to cloudapp.net, or usgovcloudapp.net for the Azure US Government cloud, to form the Service FQDN it uses to create the service in Azure.

    • For example, when Contoso creates the CMG, Configuration Manager extracts the hostname GraniteFalls from the certificate CN. Azure creates the actual service as GraniteFalls.CloudApp.net.

When you create the CMG instance in Configuration Manager, the certificate carries GraniteFalls.Contoso.com, but Configuration Manager extracts only the hostname, GraniteFalls, and appends it to CloudApp.net, which Azure requires for a cloud service. The CNAME alias in your domain's DNS namespace, Contoso.com, ties these two FQDNs together: Configuration Manager gives clients policy that points at the friendly name in the certificate, and the DNS mapping leads them to the service in Azure, where the certificate they receive matches the name they connected to.
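To see what the wizard will derive from a certificate before you create the CMG, the following PowerShell function (an added example, not product code and not part of the original page) loads a PFX, checks key length and the Server Authentication EKU against the requirements in the General information section, extracts the hostname from the CN the way the wizard does, and verifies that the public CNAME for the alias points at the expected cloudapp.net name. Assumed: the PFX path and password, the function name Test-CmgServerAuthCertificate, and Windows with the DnsClient module. For a wildcard certificate the hostname cannot come from the CN, so the function asks you for the service name you intend to use.

```powershell
# Added example (not from the Configuration Manager docs): inspect a candidate CMG server
# authentication certificate the way the Create CMG wizard will, then verify the public DNS
# alias. Assumes a PFX file and its password, Windows PowerShell 5.1 on .NET 4.7.2+ or
# PowerShell 7 (for EphemeralKeySet), and the DnsClient module. The function name is this
# example's own.
function Test-CmgServerAuthCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        # Only for a wildcard certificate, where the hostname can't be taken from the CN
        [string] $ServiceName,
        # Use 'usgovcloudapp.net' for the Azure US Government cloud
        [string] $CloudAppSuffix = 'cloudapp.net'
    )

    # EphemeralKeySet keeps the private key out of the persistent key stores while we inspect it
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags

    # Subject CN, for example GraniteFalls.contoso.com or *.contoso.com
    $cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keySize = if ($rsa) { $rsa.KeySize } else { 0 }   # 0 means the key is not RSA

    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')

    # Hostname extraction as the wizard does it: the first label of the CN becomes the service name
    if ($cn.StartsWith('*.')) {
        if (-not $ServiceName) { throw 'Wildcard certificate: pass -ServiceName for the CMG service name.' }
        $hostName  = $ServiceName
        $aliasFqdn = "$ServiceName.$($cn.Substring(2))"
    } else {
        $hostName  = $cn.Split('.')[0]
        $aliasFqdn = $cn
    }
    $serviceFqdn = "$hostName.$CloudAppSuffix"

    # The alias in your public DNS must be a CNAME whose target is the cloudapp.net name
    $cname = Resolve-DnsName -Name $aliasFqdn -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1

    [pscustomobject]@{
        Subject       = $cert.Subject
        CommonName    = $cn
        DnsNames      = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # SAN entries; TLS clients match on these
        KeySizeBits   = $keySize
        KeySizeOk     = $keySize -in @(2048, 4096)
        ServerAuthEku = $serverAuth
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        HostName      = $hostName
        ServiceFqdn   = $serviceFqdn
        AliasFqdn     = $aliasFqdn
        CnameTarget   = if ($cname) { $cname.NameHost } else { $null }
        CnameOk       = [bool]($cname -and $cname.NameHost -ieq $serviceFqdn)
    }
}

# Usage:
# $pw = Read-Host -AsSecureString 'PFX password'
# Test-CmgServerAuthCertificate -PfxPath 'C:\certs\GraniteFalls.pfx' -Password $pw
```

If CnameOk is false, fix DNS before running the wizard: clients connect to AliasFqdn and validate the certificate against that name, so a missing or wrong CNAME leaves them unable to reach the service even though the certificate itself is fine.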

Server authentication certificate issued from enterprise PKI

Create a custom SSL certificate for the CMG the same way as for a cloud distribution point. Follow the instructions in Deploying the service certificate for cloud-based distribution points, with these differences:

  • When you request the custom web server certificate, provide an FQDN for the certificate's common name. This name can be a public domain name you own, or you can use the cloudapp.net domain. If you use your own public domain, follow the process above to create a DNS alias in your organization's public DNS.

  • When you use the cloudapp.net public domain for the CMG web server certificate:

    • On the Azure public cloud, use a name that ends in cloudapp.net

    • For the Azure US Government cloud, use a name that ends in usgovcloudapp.net

Client authentication certificate

Client authentication certificate requirements:

  • This certificate is required for internet-based clients running Windows 8.1, and for Windows 10 devices that aren't joined to Azure Active Directory (Azure AD).
  • It may also be required on the CMG connection point. For more information, see CMG connection point.
  • It isn't required for Windows 10 clients joined to Azure AD.
  • If your site is version 2002 or later, devices can instead use a token issued by the site. For more information, see Token-based authentication for CMG.

Clients use this certificate to authenticate to the CMG. Windows 10 devices that are hybrid-joined or cloud domain-joined don't require it, because they authenticate with Azure AD.

Provision this certificate outside of Configuration Manager. For example, use Active Directory Certificate Services and group policy to issue client authentication certificates. For more information, see Deploying the client certificate for Windows computers.

Note

Microsoft recommends joining devices to Azure AD. Internet-based devices can use Azure AD to authenticate with Configuration Manager. It also enables both device and user scenarios, whether the device is on the internet or connected to the internal network. For more information, see Install and register the client using Azure AD identity.

Starting in version 2002, Configuration Manager extends its support to internet-based devices that don't often connect to the internal network, can't join Azure AD, and have no way to install a PKI-issued certificate. For more information, see Token-based authentication for CMG.

CMG connection point

To securely forward client requests, the CMG connection point requires a secure connection with the management point. How you configure your devices and management points determines the CMG connection point configuration.

  • The management point is HTTPS

    • Clients have a client authentication certificate: The CMG connection point requires a client authentication certificate that the HTTPS management point trusts, so that it can authenticate to the management point on the clients' behalf.

    • Clients use Azure AD authentication or a Configuration Manager token: This certificate isn't required.

  • If you configure the management point for Enhanced HTTP: This certificate isn't required.

For more information, see Enable management point for HTTPS.

Client trusted root certificate to CMG

This certificate is required when you use client authentication certificates. When all clients use Azure AD for authentication, it isn't required.

You supply this certificate when you create the CMG in the Configuration Manager console.

The CMG must trust the client authentication certificates. To establish this trust, provide the trusted root certificate chain. Make sure to add every certificate in the chain: for example, if an intermediate CA issues the client authentication certificate, add both the intermediate and the root CA certificates.

Note

When you create a CMG, you're no longer required to provide a trusted root certificate on the Settings page. This certificate isn't required when you use Azure AD for client authentication, but the wizard used to insist on it. If you use PKI client authentication certificates, you still must add a trusted root certificate to the CMG.

In version 1902 and earlier, you can add at most two trusted root CAs and four intermediate (subordinate) CAs.

Export the client certificate's trusted root

After issuing a client authentication certificate to a computer, use this process on that computer to export the trusted root.

  1. Open the Start menu. Type "run" to open the Run window. Open mmc.

  2. From the File menu, choose Add/Remove Snap-in....

  3. In the Add or Remove Snap-ins dialog box, select Certificates, then select Add.

    1. In the Certificates snap-in dialog box, select Computer account, then select Next.

    2. In the Select Computer dialog box, select Local computer, then select Finish.

    3. In the Add or Remove Snap-ins dialog box, select OK.

  4. Expand Certificates, expand Personal, and select Certificates.

  5. Select a certificate whose Intended Purpose is Client Authentication.

    1. From the Action menu, select Open.

    2. Go to the Certification Path tab.

    3. Select the next certificate up the chain, and select View Certificate.

  6. In this new Certificate dialog box, go to the Details tab. Select Copy to File....

  7. Complete the Certificate Export Wizard using the default certificate format, DER encoded binary X.509 (.CER). Make a note of the name and location of the exported certificate.

  8. Export all of the certificates in the certification path of the original client authentication certificate. Note which exported certificates are intermediate CAs and which are trusted root CAs.
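The same export, scripted, as an added example that is not part of the Configuration Manager documentation: the following PowerShell function finds a client authentication certificate in the local computer's Personal store, builds its chain, and writes every CA certificate in the chain (not the client certificate itself, which the CMG doesn't need) as a DER-encoded .cer file, named by its role. Assumed: an elevated session on a computer that already holds a PKI-issued client authentication certificate, the output folder, and the function name Export-ClientAuthTrustChain.

```powershell
# Added example (not from the Configuration Manager docs): the manual export procedure
# above, scripted. Assumes an elevated session on a computer that already holds a PKI-issued
# client authentication certificate in LocalMachine\My. The function name is this example's own.
function Export-ClientAuthTrustChain {
    [CmdletBinding()]
    param(
        [string] $OutDir = "$env:TEMP\cmg-trust-chain"
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

    # Same selection as step 5: a certificate whose intended purpose includes Client Authentication.
    # Prefer one with a private key (it's the one this computer actually uses) and the latest expiry.
    $leaf = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $leaf) { throw 'No client authentication certificate found in LocalMachine\My.' }

    # Build the certification path (step 5.2). Revocation is skipped on purpose: we want the
    # chain structure, and an offline CRL must not stop the export.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "Chain did not build cleanly for $($leaf.Subject): $status"
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # ChainElements runs from the leaf up to the root. Export each CA certificate (step 8),
    # labelling self-signed ones as root and the rest as intermediate.
    $exported = foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        if ($c.Thumbprint -eq $leaf.Thumbprint) { continue }   # the CMG needs the CAs, not the client cert
        $role = if ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
        $file = Join-Path $OutDir ("{0}-{1}.cer" -f $role, $c.Thumbprint)
        # DER-encoded binary X.509, the wizard's default export format (step 7)
        [System.IO.File]::WriteAllBytes($file, $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
        [pscustomobject]@{ Role = $role; Subject = $c.Subject; Thumbprint = $c.Thumbprint; File = $file }
    }
    $exported
}

# Usage:
# Export-ClientAuthTrustChain -OutDir 'C:\certs\cmg-trust-chain' | Format-Table Role, Subject, File
```

Add every file the function lists to the CMG, intermediates included; a CMG that holds only the root cannot validate a client certificate issued by a subordinate CA.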

Enable management point for HTTPS

Provision this certificate outside of Configuration Manager. For example, use Active Directory Certificate Services and group policy to issue a web server certificate. For more information, see PKI certificate requirements and Deploy the web server certificate for site systems that run IIS.

When you use the site option Use Configuration Manager-generated certificates for HTTP site systems, the management point can be HTTP. For more information, see Enhanced HTTP.

Tip

If you aren't using Enhanced HTTP and your environment has multiple management points, you don't have to HTTPS-enable all of them for the CMG. Configure the CMG-enabled management points as Internet only. Your on-premises clients then don't try to use them.

Enhanced HTTP certificate for management points

When you enable Enhanced HTTP, the site server generates a self-signed certificate named SMS Role SSL Certificate, issued by the root SMS Issuing certificate. The management point binds this certificate to port 443 on the IIS Default Web Site.

Management point client connection mode summary

These tables summarize whether the management point requires HTTP or HTTPS, depending on the type of client and the site version.

For internet-based clients communicating with the cloud management gateway

Configure an on-premises management point to allow connections from the CMG with the following client connection mode:

Type of client       Management point
Workgroup            E-HTTP (see Note 1), HTTPS
AD domain-joined     E-HTTP (see Note 1), HTTPS
Azure AD-joined      E-HTTP, HTTPS
Hybrid-joined        E-HTTP, HTTPS

Note

Note 1: This configuration requires that the client has a client authentication certificate, and it supports only device-centric scenarios.

For on-premises clients communicating with the on-premises management point

Configure an on-premises management point with the following client connection mode:

Type of client       Management point
Workgroup            HTTP, HTTPS
AD domain-joined     HTTP, HTTPS
Azure AD-joined      HTTPS
Hybrid-joined        HTTP, HTTPS

Note

AD domain-joined clients support both device- and user-centric scenarios when communicating with an HTTP or HTTPS management point.

Azure AD-joined and hybrid-joined clients can communicate over HTTP for device-centric scenarios, but need E-HTTP or HTTPS for user-centric scenarios. Otherwise they behave the same as workgroup clients.

Legend of terms

  • Workgroup: The device isn't joined to a domain or Azure AD, but has a client authentication certificate.

  • AD domain-joined: You join the device to an on-premises Active Directory domain.

  • Azure AD-joined: Also known as cloud domain-joined; you join the device to an Azure AD tenant. For more information, see Azure AD joined devices.

  • Hybrid-joined: You join the device to your on-premises Active Directory and register it with your Azure AD. For more information, see Hybrid Azure AD joined devices.

  • HTTP: In the management point properties, you set client connections to HTTP.

  • HTTPS: In the management point properties, you set client connections to HTTPS.

  • E-HTTP: In the site properties, on the Communication Security tab, you set the site system settings to HTTPS or HTTP and enable the option Use Configuration Manager-generated certificates for HTTP site systems. You configure the management point for HTTP; it then accepts both HTTP and HTTPS connections, with HTTPS used for the token-authentication scenarios.

    Note

    In version 1902 and earlier, this tab is called Client Computer Communication.

Azure management certificate

This certificate is required for classic service deployments. It isn't required for Azure Resource Manager deployments.

Important

Starting in version 1810, classic service deployments in Azure are deprecated in Configuration Manager. Start using Azure Resource Manager deployments for the cloud management gateway. For more information, see Plan for CMG.

Starting in Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of the cloud management gateway. This certificate isn't required in Configuration Manager version 1902 or later.

You supply this certificate in the Azure portal, and again when you create the CMG in the Configuration Manager console.

To create the CMG in Azure, the Configuration Manager service connection point first needs to authenticate to your Azure subscription. With a classic service deployment, it uses the Azure management certificate for this authentication. An Azure administrator uploads this certificate to your subscription. When you create the CMG in the Configuration Manager console, provide this certificate.

For more information and instructions on how to upload a management certificate, see the articles on that topic in the Azure documentation.

Important

Make sure to copy the subscription ID associated with the management certificate. You use it when creating the CMG in the Configuration Manager console.

Next steps