Security and privacy for the cloud management gateway

Applies to: Configuration Manager (current branch)

This article includes security and privacy information for the Configuration Manager cloud management gateway (CMG). For more information, see Plan for cloud management gateway.

CMG security details

The CMG accepts and manages connections from CMG connection points. It uses mutual authentication based on certificates and connection IDs.

The CMG accepts and forwards client requests using the following methods:

  • Pre-authenticates connections using mutual HTTPS with the PKI-based client authentication certificate or Azure AD.

    • IIS on the CMG VM instances verifies the certificate path based on the trusted root certificates that you upload to the CMG.

    • If you enable certificate revocation, IIS on the VM instance also verifies client certificate revocation. For more information, see Publish the certificate revocation list.

  • The certificate trust list (CTL) checks the root of the client authentication certificate. It also does the same validation for the client as the management point does. For more information, see Review entries in the site's certificate trust list.

  • Validates and filters client requests (URLs) to check whether any CMG connection point can service the request.

  • Checks content length for each publishing endpoint.

  • Uses round-robin behavior to load-balance CMG connection points in the same site.

The CMG connection point uses the following methods:

  • Builds consistent HTTPS/TCP connections to all VM instances of the CMG. It checks and maintains these connections every minute.

  • Uses mutual authentication with the CMG using certificates.

  • Forwards client requests based on URL mappings.

  • Reports connection status to show service health status in the console.

  • Reports traffic per endpoint every five minutes.

Configuration Manager client-facing roles

The management point and software update point host endpoints in IIS to service client requests. The CMG doesn't expose all internal endpoints. Every endpoint published to the CMG has a URL mapping.

  • The external URL is the one the client uses to communicate with the CMG.

  • The internal URL is the one the CMG connection point uses to forward requests to the internal server.

URL mapping example

When you enable CMG traffic on a management point, Configuration Manager creates an internal set of URL mappings for each management point server. For example: ccm_system, ccm_incoming, and sms_mp. The external URL for the management point ccm_system endpoint might look like:
https://<CMG service name>/CCM_Proxy_MutualAuth/<MP Role ID>/CCM_System
The URL is unique for each management point. The Configuration Manager client then puts the CMG-enabled management point name into its internet management point list. This name looks like:
<CMG service name>/CCM_Proxy_MutualAuth/<MP Role ID>
The site automatically uploads all published external URLs to the CMG. This behavior allows the CMG to do URL filtering. All URL mappings replicate to the CMG connection point. It then forwards the communication to internal servers according to the external URL from the client request.
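The following Python model is an added example, not Configuration Manager code, that ties together the request handling described above: URL filtering against the published external-to-internal mappings, the per-endpoint content-length check, and round-robin selection of a CMG connection point. The CMG service name, the MP role IDs, the internal host names and the size limit are constructed placeholders.

```python
from itertools import cycle
from urllib.parse import urlsplit

# Constructed sample data (not from the page): a hypothetical CMG service name,
# placeholder MP role IDs, internal management point names, and two CMG
# connection points in the same site.
CMG_SERVICE = "cmg-example.cloudapp.net"
URL_MAPPINGS = {
    # external path prefix published to the CMG -> internal server URL prefix
    "/CCM_Proxy_MutualAuth/MP-ROLE-ID-1/CCM_System": "https://mp01.internal.example/CCM_System",
    "/CCM_Proxy_MutualAuth/MP-ROLE-ID-1/CCM_Incoming": "https://mp01.internal.example/CCM_Incoming",
    "/CCM_Proxy_MutualAuth/MP-ROLE-ID-2/SMS_MP": "https://mp02.internal.example/SMS_MP",
}
CONNECTION_POINTS = ["cmgcp01.internal.example", "cmgcp02.internal.example"]
MAX_CONTENT_LENGTH = 4 * 1024 * 1024  # assumed limit for the model, not a product value


class CmgProxy:
    def __init__(self, mappings, connection_points, max_length=MAX_CONTENT_LENGTH):
        # Longest prefix first so /SMS_MP cannot shadow a longer sibling path;
        # prefixes are compared case-insensitively, as IIS paths are.
        self.mappings = sorted(((k.lower(), v) for k, v in mappings.items()),
                               key=lambda kv: -len(kv[0]))
        self.rotation = cycle(connection_points)  # round-robin over the site's CMG connection points
        self.max_length = max_length

    def route(self, external_url, content_length=0):
        """Return (connection_point, internal_url), or raise if the request is filtered."""
        parts = urlsplit(external_url)
        if parts.scheme != "https" or parts.netloc.lower() != CMG_SERVICE:
            raise ValueError("request is not addressed to the CMG over HTTPS")
        path_lc = parts.path.lower()
        # URL filtering: only endpoints the site published to the CMG are serviceable.
        for ext_prefix, internal in self.mappings:
            if path_lc == ext_prefix or path_lc.startswith(ext_prefix + "/"):
                break
        else:
            raise LookupError("no CMG connection point can service this URL")
        # Content-length check for the matched publishing endpoint.
        if content_length > self.max_length:
            raise ValueError("content length exceeds the limit for this endpoint")
        # Rewrite the external URL to the internal URL and pick the next connection point.
        remainder = parts.path[len(ext_prefix):]
        internal_url = internal + remainder + (f"?{parts.query}" if parts.query else "")
        return next(self.rotation), internal_url
```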

Security guidance for CMG

Publish the certificate revocation list

Publish your PKI's certificate revocation list (CRL) for internet-based clients to access. When deploying a CMG using PKI, configure the service to Verify client certificate revocation on the Settings tab. This setting configures the service to use a published certificate revocation list (CRL). For more information, see Plan for PKI certificate revocation.

This CMG option verifies the client authentication certificate.

  • If the client is using Azure AD authentication, the CRL doesn't matter.

  • If you use PKI and externally publish the CRL, enable this option (recommended).

  • If you use PKI but don't publish the CRL, disable this option.

  • If you misconfigure this option, it can cause additional traffic from clients to the CMG. This additional traffic can increase the Azure egress data, which can increase your Azure costs.

Review entries in the site's certificate trust list

Each Configuration Manager site includes a list of trusted root certification authorities, the certificate trust list (CTL). View and modify the list by going to the Administration workspace, expanding Site Configuration, and selecting Sites. Select a site, and then select Properties in the ribbon. Switch to the Communication Security tab, and then select Set under Trusted Root Certification Authorities.

Note

In version 1902 and earlier, this tab is called Client Computer Communication.

Use a more restrictive CTL for a site with a CMG using PKI client authentication. Otherwise, clients with client authentication certificates issued by any trusted root that already exists on the management point are automatically accepted for client registration.

This subset provides administrators with more control over security. The CTL restricts the server to accept only client certificates that are issued by the certification authorities in the CTL. For example, Windows ships with a number of well-known third-party certification authority (CA) certificates, such as VeriSign and Thawte. By default, the computer running IIS trusts certificates that chain to these well-known CAs. Without configuring IIS with a CTL, any computer that has a client certificate issued by these CAs is accepted as a valid Configuration Manager client. If you configure IIS with a CTL that doesn't include these CAs, client connections are refused if the certificate chains to these CAs.

Enforce TLS 1.2

Starting in version 1906, use the CMG setting to Enforce TLS 1.2. It only applies to the Azure cloud service VM. It doesn't apply to any on-premises Configuration Manager site servers or clients. For more information on TLS 1.2, see How to enable TLS 1.2.

Use token-based authentication

Starting in version 2002, Configuration Manager extends its support for internet-based devices that don't often connect to the internal network, aren't able to join Azure AD, and don't have a method to install a PKI-issued certificate. The site automatically issues tokens for devices that register on the internal network. You can create a bulk registration token for internet-based devices. For more information, see Token-based authentication for CMG.

Next steps