Plan for the cloud management gateway in Configuration Manager

Applies to: Configuration Manager (current branch)

The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients on the internet. By deploying the CMG as a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without additional on-premises infrastructure. You also don't need to expose your on-premises infrastructure to the internet.

Note

Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

After establishing the prerequisites, creating the CMG consists of the following three steps in the Configuration Manager console:

  1. Deploy the CMG cloud service to Azure.
  2. Add the CMG connection point role.
  3. Configure the site and site roles for the service.

Once deployed and configured, clients seamlessly access on-premises site roles regardless of whether they're on the intranet or the internet.

This article provides the foundational knowledge to learn about the CMG, design how it fits in your environment, and plan the implementation.

Scenarios

There are several scenarios for which a CMG is beneficial. The following scenarios are some of the more common:

  • Manage traditional Windows clients with Active Directory domain-joined identity. These clients include Windows 8.1 and Windows 10. This scenario uses PKI certificates to secure the communication channel. Management activities include:

    • Software updates and endpoint protection
    • Inventory and client status
    • Compliance settings
    • Software distribution to the device
    • Windows 10 in-place upgrade task sequence

  • Manage traditional Windows 10 clients with modern identity, either hybrid or pure cloud domain-joined with Azure Active Directory (Azure AD). Clients use Azure AD to authenticate rather than PKI certificates. Using Azure AD is simpler to set up, configure, and maintain than a more complex PKI system. Management activities are the same as in the first scenario, plus:

    • Software distribution to the user

  • Install the Configuration Manager client on Windows 10 devices over the internet. Using Azure AD allows the device to authenticate to the CMG for client registration and assignment. You can install the client manually, or by using another software distribution method, such as Microsoft Intune.

  • New device provisioning with co-management. When auto-enrolling existing clients, a CMG isn't required for co-management. It is required for new devices that involve Windows Autopilot, Azure AD, Microsoft Intune, and Configuration Manager. For more information, see Paths to co-management.

Specific use cases

Across these scenarios, the following specific device use cases may apply:

  • Roaming devices such as laptops

  • Remote/branch office devices that are less expensive and more efficient to manage over the internet than across a WAN or through a VPN

  • Mergers and acquisitions, where it may be easiest to join devices to Azure AD and manage them through a CMG

  • Workgroup clients. These devices may require additional configuration, such as certificates.

    Starting in version 2002, Configuration Manager supports token-based authentication, which may help with management of remote workgroup clients. For more information, see Token-based authentication for CMG.

Important

By default, all clients receive policy for a CMG and start using it when they become internet-based. Depending upon the scenario and use case that applies to your organization, you may need to scope usage of the CMG. For more information, see the Enable clients to use a cloud management gateway client setting.

Topology design

CMG components

Deployment and operation of the CMG includes the following components:

  • The CMG cloud service in Azure authenticates Configuration Manager client requests and forwards them to the CMG connection point.

  • The CMG connection point site system role enables a consistent and high-performance connection from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG, including connection information and security settings. The CMG connection point forwards client requests from the CMG to on-premises roles according to URL mappings.

  • The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure AD. Make sure your service connection point is in online mode.

  • The management point site system role services client requests as normal.

  • The software update point site system role services client requests as normal.

    Note

    Sizing guidance for management points and software update points doesn't change whether they service on-premises or internet-based clients. For more information, see Size and scale numbers.

  • Internet-based clients connect to the CMG to access on-premises Configuration Manager components.

  • The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.

  • Internet-based clients use PKI certificates or Azure AD for identity and authentication.

  • A cloud distribution point provides content to internet-based clients, as needed.

    • A CMG can also serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs. For more information, see Modify a CMG.

Azure Resource Manager

Create the CMG using an Azure Resource Manager deployment. Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group. When deploying the CMG with Azure Resource Manager, the site uses Azure Active Directory (Azure AD) to authenticate and create the necessary cloud resources. This modernized deployment doesn't require the classic Azure management certificate.

Note

This capability doesn't enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP doesn't support. For more information, see Available Azure services in Azure CSP.

Starting in Configuration Manager version 1902, Azure Resource Manager is the only deployment mechanism for new instances of the cloud management gateway. Existing deployments continue to work.

In Configuration Manager version 1810 and earlier, the CMG wizard still provides the option for a classic service deployment using an Azure management certificate. To simplify the deployment and management of resources, the Azure Resource Manager deployment model is recommended for all new CMG instances. If possible, redeploy existing CMG instances through Resource Manager. For more information, see Modify a CMG.

Important

The classic service deployment in Azure is deprecated for use in Configuration Manager. Version 1810 is the last to support creation of these Azure deployments. This functionality will be removed in a future Configuration Manager version.

Hierarchy design

Create the CMG at the top-tier site of your hierarchy. If that's a central administration site, then create CMG connection points at child primary sites. The cloud service manager component runs on the service connection point, which is also on the central administration site. This design can share the service across different primary sites if needed.

You can create multiple CMG services in Azure, and you can create multiple CMG connection points. Multiple CMG connection points provide load balancing of client traffic from the CMG to the on-premises roles.

Starting in version 1902, you can associate a CMG with a boundary group. This configuration allows clients to default or fall back to the CMG for client communication according to boundary group relationships. This behavior is especially useful in branch office and VPN scenarios. You can direct client traffic away from expensive and slow WAN links to instead use faster services in Microsoft Azure.

Starting in version 2006, intranet clients can access a CMG software update point when it's assigned to a boundary group. For more information, see Configure boundary groups.

Note

Internet-based clients don't fall into any boundary group.

In Configuration Manager version 1810 and earlier, the CMG doesn't fall into any boundary group.

Other factors, such as the number of clients to manage, also affect your CMG design. For more information, see Performance and scale.

Example 1: standalone primary site

Contoso has a standalone primary site in an on-premises datacenter at their headquarters in New York City.

  • They create a CMG in the East US Azure region to reduce network latency.
  • They create two CMG connection points, both linked to the single CMG service.

As clients roam onto the internet, they communicate with the CMG in the East US Azure region. The CMG forwards this communication through both of the CMG connection points.

Example 2: hierarchy

Fourth Coffee has a central administration site in an on-premises datacenter at their headquarters in Seattle. One primary site is in the same datacenter, and the other primary site is in their main European office in Paris.

  • On the central administration site, they create a CMG service in the West US Azure region. They scale the number of VMs for the expected load of roaming clients in the entire hierarchy.
  • On the Seattle-based primary site, they create a CMG connection point linked to the single CMG.
  • On the Paris-based primary site, they create a CMG connection point linked to the single CMG.

As clients roam onto the internet, they communicate with the CMG in the West US Azure region. The CMG forwards this communication to the CMG connection point in the client's assigned primary site.

Tip

You don't need to deploy more than one cloud management gateway for the purposes of geolocation. The Configuration Manager client is mostly unaffected by the slight latency that can occur with the cloud service, even when geographically distant.

Test environments

Many organizations have separate environments for production, test, development, or quality assurance. When you plan your CMG deployment, consider the following questions:

  • How many Azure AD tenants does your organization have?

    • Is there a separate tenant for testing?
    • Are user and device identities in the same tenant?

  • How many subscriptions are in each tenant?

    • Are there subscriptions that are specific to testing?

Configuration Manager's Azure service for Cloud management supports multiple tenants. Multiple Configuration Manager sites can connect to the same tenant. A single site can deploy multiple CMG services into different subscriptions. Multiple sites can deploy CMG services into the same subscription. Configuration Manager provides flexibility depending upon your environment and business requirements.

For more information, see the following FAQ: Do the user accounts have to be in the same Azure AD tenant as the tenant associated with the subscription that hosts the CMG cloud service?

Requirements

  • An Azure subscription to host the CMG.

    Important

    CMG doesn't support subscriptions with an Azure Cloud Service Provider (CSP).

  • Your user account needs to be a Full administrator or Infrastructure administrator in Configuration Manager.

  • An Azure administrator needs to participate in the initial creation of certain components, depending upon your design. This persona can be the same as the Configuration Manager administrator, or separate. If separate, it doesn't require permissions in Configuration Manager.

    • To deploy the CMG, you need a Subscription Owner.
    • To integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Admin.

  • At least one on-premises Windows server to host the CMG connection point. You can colocate this role with other Configuration Manager site system roles.

  • The service connection point must be in online mode.

  • Integration with Azure AD for deploying the service with Azure Resource Manager. For more information, see Configure Azure services.

  • A server authentication certificate for the CMG.

  • Other certificates may be required, depending upon your client OS version and authentication model. For more information, see CMG certificates.

    When you use the site option to Use Configuration Manager-generated certificates for HTTP site systems, the management point can be HTTP. For more information, see Enhanced HTTP.

  • In Configuration Manager version 1810 or earlier, if using the Azure classic deployment method, you must use an Azure management certificate.

    Tip

    Use the Azure Resource Manager deployment model. It doesn't require this management certificate.

    The classic deployment method is deprecated as of version 1810.

  • Clients must use IPv4.

Specifications

  • All Windows versions listed in Supported operating systems for clients and devices are supported for CMG.

  • CMG only supports the management point and software update point roles.

  • CMG doesn't support clients that only communicate with IPv6 addresses.

  • Software update points using a network load balancer don't work with CMG.

  • CMG deployments using the Azure Resource Manager model don't enable support for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP doesn't support. For more information, see Azure services available in the Azure CSP program.

Support for Configuration Manager features

The following table lists CMG support for Configuration Manager features:

Feature | Support
Software updates | Supported
Endpoint protection | Supported (Note 1)
Hardware and software inventory | Supported
Client status and notifications | Supported
Run scripts | Supported
CMPivot | Supported
Compliance settings | Supported
Client install (with Azure AD integration) | Supported
Client install (with token authentication) | Supported (2002)
Software distribution (device-targeted) | Supported
Software distribution (user-targeted, required) (with Azure AD integration) | Supported
Software distribution (user-targeted, available) (all requirements) | Supported
Windows 10 in-place upgrade task sequence | Supported
Task sequence without a boot image, deployed with the option to Download all content locally before starting task sequence | Supported
Task sequence without a boot image, deployed with either download option | Supported (1910)
Task sequence with a boot image, started from Software Center | Supported (2006)
Any other task sequence scenario | Not supported
Client push | Not supported
Automatic site assignment | Not supported
Software approval requests | Not supported
Configuration Manager console | Not supported
Remote tools | Not supported
Reporting website | Not supported
Wake on LAN | Not supported
Mac, Linux, and UNIX clients | Not supported
Peer cache | Not supported
On-premises MDM | Not supported
BitLocker Management | Not supported

Key

Supported = This feature is supported with CMG by all supported versions of Configuration Manager
Supported (YYMM) = This feature is supported with CMG starting with version YYMM of Configuration Manager
Not supported = This feature isn't supported with CMG

Note 1: Support for endpoint protection

Starting in version 2006, clients that communicate via a CMG can immediately apply endpoint protection policies without an active connection to Active Directory.

In version 2002 and earlier, domain-joined devices require access to the domain to apply endpoint protection policy. Devices with infrequent access to the internal network may experience delays in applying endpoint protection policy. If you require that devices immediately apply endpoint protection policy after they receive it, consider one of the following options:

Cost

Important

The following cost information is for estimating purposes only. Your environment may have other variables that affect the overall cost of using CMG.

CMG uses the following Azure components, which incur charges to the Azure subscription account:

Virtual machine

  • CMG uses Azure Cloud Services as platform as a service (PaaS). This service uses virtual machines (VMs) that incur compute costs.

  • CMG uses a Standard A2 V2 VM.

  • You select how many VM instances support the CMG. One is the default, and 16 is the maximum. This number is set when creating the CMG, and can be changed afterwards to scale the service as needed.

  • For more information on how many VMs you need to support your clients, see Performance and scale.

  • See the Azure pricing calculator to help determine potential costs.

    Note

    Virtual machine costs vary by region.

Outbound data transfer

  • Charges are based on data flowing out of Azure (egress or download). Any data flowing into Azure is free (ingress or upload). CMG data flows out of Azure include policy to the client, client notifications, and client responses forwarded by the CMG to the site. These responses include inventory reports, status messages, and compliance status.

  • Even without any clients communicating with a CMG, some background communication causes network traffic between the CMG and the on-premises site.

  • View the Outbound data transfer (GB) in the Configuration Manager console. For more information, see Monitor clients on CMG.

  • See the Azure bandwidth pricing details to help determine potential costs. Pricing for data transfer is tiered. The more you use, the less you pay per gigabyte.

  • For estimating purposes only, expect approximately 100-300 MB per client per month for internet-based clients. The lower estimate is for a default client configuration. The upper estimate is for a more aggressive client configuration. Your actual usage may vary depending upon how you configure client settings.

    Note

    Performing other actions, such as deploying software updates or applications, increases the amount of outbound data transfer from Azure.

  • Internet-based clients get Microsoft software update content from Windows Update at no charge. Don't distribute update packages with Microsoft update content to a cloud distribution point, otherwise you may incur storage and data egress costs.

  • Misconfiguration of the CMG option to Verify client certificate revocation can cause additional traffic from clients to the CMG. This additional traffic can increase the Azure egress data, which can increase your Azure costs. For more information, see Publish the certificate revocation list.

Content storage

  • Internet-based clients get Microsoft software update content from Windows Update at no charge. Don't distribute update packages with Microsoft update content to a cloud distribution point, otherwise you may incur storage and data egress costs.

  • For any other necessary content, such as applications or third-party software updates, you must distribute it to a cloud distribution point. Currently, the CMG supports only the cloud distribution point for sending content to clients.

    • When using a CMG for content storage, the content for third-party updates won't download to clients if the Download delta content when available client setting is enabled.

  • For more information, see the cost of using cloud distribution points.

  • A CMG can also be a cloud distribution point to serve content to clients. This functionality reduces the required certificates and the cost of Azure VMs. For more information, see Modify a CMG.

  • CMG uses Azure locally redundant storage (LRS). For more information, see Locally redundant storage.

Other costs

  • Each cloud service has a dynamic IP address. Each distinct CMG uses a new dynamic IP address. Adding additional VMs per CMG doesn't increase these addresses.

Performance and scale

For more information on CMG scale, see Size and scale numbers.

The following recommendations can help you improve CMG performance:

  • The connection between the Configuration Manager client and the CMG isn't region-aware. Client communication is largely unaffected by latency or geographic separation. It's not necessary to deploy multiple CMGs for the purposes of geo-proximity. Deploy the CMG at the top-level site in your hierarchy and add instances to increase scale.

  • For high availability of the service, create a CMG with at least two CMG instances and two CMG connection points per site.

  • Scale the CMG to support more clients by adding more VM instances. The Azure load balancer controls client connections to the service.

  • Create more CMG connection points to distribute the load among them. The CMG distributes the traffic to its connecting CMG connection points in a round-robin fashion.

  • When the CMG is under high load with more than the supported number of clients, it still handles requests, but there may be delays.

Note

While Configuration Manager has no hard limit on the number of clients for a CMG connection point, Windows Server has a default maximum TCP dynamic port range of 16,384 ports. If a Configuration Manager site manages more than 16,384 clients with a single CMG connection point, you must increase the Windows Server limit. All clients maintain a channel for client notifications, which holds a port open on the CMG connection point. For more information on how to use the netsh command to increase this limit, see Microsoft Support article 929851.
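The following PowerShell script is an added example, not code from the original article or from Microsoft. It reads the current TCP dynamic port range on a CMG connection point with the netsh command the note refers to, compares it against the number of clients you expect that connection point to serve, and raises the range only when you pass -Apply. The -ExpectedClients parameter, the 20% headroom, and the choice of 10000 as the new start port are assumptions of this example; the script also assumes the English netsh output strings.

```powershell
<#
Added example (not from the original article): check the Windows Server TCP dynamic
port range on a CMG connection point and raise it when it cannot hold one open
notification channel per expected client. Run elevated on the connection point server.
Assumptions: -ExpectedClients is the client count this connection point will serve,
20% headroom is kept for other outbound connections, and netsh prints English labels.
#>
param(
    [int]$ExpectedClients = 20000,
    [switch]$Apply
)

# Typical output of this command:
#   Protocol tcp Dynamic Port Range
#   Start Port      : 49152
#   Number of Ports : 16384
$netshOut   = netsh int ipv4 show dynamicport tcp
$startMatch = $netshOut | Select-String 'Start Port\s*:\s*(\d+)'      | Select-Object -First 1
$numMatch   = $netshOut | Select-String 'Number of Ports\s*:\s*(\d+)' | Select-Object -First 1
if (-not $startMatch -or -not $numMatch) {
    throw "Could not parse netsh output:`n$($netshOut -join "`n")"
}
$start = [int]$startMatch.Matches[0].Groups[1].Value
$num   = [int]$numMatch.Matches[0].Groups[1].Value

# Each internet-based client keeps one notification channel open through the
# CMG connection point, so the ephemeral range must exceed the client count.
$required = [int][math]::Ceiling($ExpectedClients * 1.2)
Write-Host ("Current dynamic range: {0}-{1} ({2} ports); required: {3}" -f `
    $start, ($start + $num - 1), $num, $required)

if ($num -ge $required) {
    Write-Host 'Range is sufficient; no change needed.'
    return
}

# The range must stay within 1025-65535. A lower start port gives room to grow.
$newStart = 10000
$maxNum   = 65535 - $newStart + 1
if ($required -gt $maxNum) {
    throw "Cannot fit $required ports starting at $newStart; add another CMG connection point instead."
}

if ($Apply) {
    & netsh int ipv4 set dynamicport tcp start=$newStart num=$required
} else {
    Write-Host "Would run: netsh int ipv4 set dynamicport tcp start=$newStart num=$required (re-run with -Apply)"
}
```

Before applying a lower start port, confirm that no site system role or other service on the server listens on a fixed port inside the new range; a source port range that overlaps a listening port can cause intermittent bind failures. Adding a second CMG connection point is usually the better fix once a single server approaches the range limit, because it also adds redundancy.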

Ports and data flow

You don't need to open any inbound ports to your on-premises network. The service connection point and CMG connection point initiate all communication with Azure and the CMG. These two site system roles need to create outbound connections to the Microsoft cloud. The service connection point deploys and monitors the service in Azure, so it must be in online mode. The CMG connection point connects to the CMG to manage communication between the CMG and on-premises site system roles.

The following is a basic, conceptual data flow for the CMG:

CMG data flow

  1. The service connection point connects to Azure over HTTPS port 443. It authenticates using Azure AD or the Azure management certificate. The service connection point deploys the CMG in Azure. The CMG creates the HTTPS cloud service using the server authentication certificate.

  2. The CMG connection point connects to the CMG in Azure over TCP-TLS or HTTPS. It holds the connection open, and builds the channel for future two-way communication.

  3. The client connects to the CMG over HTTPS port 443. It authenticates using Azure AD or the client authentication certificate.

    Note

    If you enable the CMG to serve content or use a cloud distribution point, the client connects directly to Azure blob storage over HTTPS port 443. For more information, see Use a cloud-based distribution point.

  4. The CMG forwards the client communication over the existing connection to the on-premises CMG connection point. You don't need to open any inbound firewall ports.

  5. The CMG connection point forwards the client communication to the on-premises management point and software update point.

For more information when you host content in Azure, see Use a cloud-based distribution point.

Required ports

This table lists the required network ports and protocols. The Client is the device initiating the connection, requiring an outbound port. The Server is the device accepting the connection, requiring an inbound port.

Client | Protocol | Port | Server | Description
Service connection point | HTTPS | 443 | Azure | CMG deployment
CMG connection point | TCP-TLS | 10140-10155 | CMG service | Preferred protocol to build the CMG channel (Note 1)
CMG connection point | HTTPS | 443 | CMG service | Fallback protocol to build the CMG channel to only one VM instance (Note 2)
CMG connection point | HTTPS | 10124-10139 | CMG service | Fallback protocol to build the CMG channel to two or more VM instances (Note 3)
Client | HTTPS | 443 | CMG | General client communication
Client | HTTPS | 443 | Blob storage | Download cloud-based content
CMG connection point | HTTPS or HTTP | 443 or 80 | Management point | On-premises traffic; port depends upon management point configuration
CMG connection point | HTTPS or HTTP | 443 or 80 | Software update point | On-premises traffic; port depends upon software update point configuration

Note 1: CMG connection point TCP-TLS ports

The CMG connection point first tries to establish a long-lived TCP-TLS connection with each CMG VM instance. It connects to the first VM instance on port 10140. The second VM instance uses port 10141, and so on up to the 16th on port 10155. A TCP-TLS connection performs the best, but it doesn't support an internet proxy. If the CMG connection point can't connect via TCP-TLS, it falls back to HTTPS (Note 2).

Note 2: CMG connection point HTTPS ports for one VM

If the CMG connection point can't connect to the CMG via TCP-TLS (Note 1), and there is only one VM instance, it connects to the Azure network load balancer over HTTPS 443.

Note 3: CMG connection point HTTPS ports for two or more VMs

If there are two or more VM instances, the CMG connection point uses HTTPS 10124 to the first VM instance, not HTTPS 443. It connects to the second VM instance on HTTPS 10125, and so on up to the 16th on HTTPS port 10139.
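The following PowerShell script is an added example, not code from the original article or from Microsoft. Run from a CMG connection point, it derives the outbound port list that the table and Notes 1 to 3 imply for a CMG with a given number of VM instances and tests TCP reachability of each port against the CMG service name. The -CmgFqdn and -VmInstances parameters are assumptions of this example: supply the service FQDN of your own CMG and the instance count you chose when you created it.

```powershell
<#
Added example (not from the original article): compute and test the outbound ports a
CMG connection point needs to reach a CMG with N VM instances, following the port
table and Notes 1-3 above. Run on the CMG connection point server.
Assumptions: -CmgFqdn is the public service name of your CMG; -VmInstances is the
number of VM instances configured for it (1-16).
#>
param(
    [Parameter(Mandatory)][string]$CmgFqdn,
    [ValidateRange(1, 16)][int]$VmInstances = 2
)

function Get-CmgConnectionPointPorts {
    param([int]$Instances)
    $ports = @()
    for ($i = 0; $i -lt $Instances; $i++) {
        # Note 1: preferred TCP-TLS channel, one port per VM instance from 10140.
        $ports += [pscustomobject]@{ Instance = $i + 1; Protocol = 'TCP-TLS'; Port = 10140 + $i; Role = 'preferred' }
    }
    if ($Instances -eq 1) {
        # Note 2: a single instance falls back to HTTPS 443 through the load balancer.
        $ports += [pscustomobject]@{ Instance = 1; Protocol = 'HTTPS'; Port = 443; Role = 'fallback' }
    } else {
        # Note 3: two or more instances fall back to HTTPS 10124 + (instance - 1).
        for ($i = 0; $i -lt $Instances; $i++) {
            $ports += [pscustomobject]@{ Instance = $i + 1; Protocol = 'HTTPS'; Port = 10124 + $i; Role = 'fallback' }
        }
    }
    return $ports
}

$results = foreach ($p in Get-CmgConnectionPointPorts -Instances $VmInstances) {
    # Test-NetConnection checks only that the TCP connect succeeds; it does not
    # perform the TLS handshake or validate the CMG server authentication certificate.
    $t = Test-NetConnection -ComputerName $CmgFqdn -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Instance  = $p.Instance
        Protocol  = $p.Protocol
        Port      = $p.Port
        Role      = $p.Role
        Reachable = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Note 1: TCP-TLS does not traverse an internet proxy. If no preferred port is
# reachable, the connection point will run on the slower HTTPS fallback channel.
$preferredDown = @($results | Where-Object { $_.Role -eq 'preferred' -and -not $_.Reachable }).Count
$fallbackUp    = @($results | Where-Object { $_.Role -eq 'fallback'  -and $_.Reachable }).Count
if ($preferredDown -eq $VmInstances -and $fallbackUp -gt 0) {
    Write-Warning 'No TCP-TLS port reachable; check for a proxy or firewall rule. The connection point will fall back to HTTPS.'
} elseif ($preferredDown -eq $VmInstances) {
    Write-Warning 'Neither TCP-TLS nor HTTPS ports are reachable; the CMG channel cannot be built from this server.'
}
```

The instance-specific ports are opened on the single public address of the cloud service, so testing them against the service FQDN is the right check. A reachable port proves only that the egress firewall allows the connection; certificate trust and the service-side authentication are verified afterwards by the CMG connection point itself and reported in its log on the site server.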

Internet access requirements

If your organization restricts network communication with the internet using a firewall or proxy device, you need to allow the CMG connection point and service connection point to access internet endpoints.

For more information, see Internet access requirements.

Next steps