VPN connections in Microsoft Intune

Applies to: Intune in the classic portal

Virtual private networks (VPNs) give your users secure remote access to your company network. Devices use a VPN connection profile to initiate a connection with the VPN server. Use VPN profiles in Microsoft Intune to deploy VPN settings to users and devices in your organization, so they can easily and securely connect to the network.

For example, assume that you want to provision all iOS devices with the settings required to connect to a file share on the corporate network. You create a VPN profile that contains the settings necessary to connect to the corporate network, and then you deploy this profile to all users who have iOS devices. The users will see the VPN connection in the list of available networks and can connect with minimal effort.

You can configure the following device types by using VPN profiles:

  • Devices that run Android 4 and later
  • Android for Work devices
  • Devices that run iOS 8.0 and later
  • Devices that run Mac OS X 10.9 and later
  • Enrolled devices that run Windows 8.1 and later
  • Devices that run Windows Phone 8.1 and later
  • Devices that run Windows 10 desktop and mobile

The VPN profile configuration options differ depending on the device type that you select.

VPN connection types

Intune supports creating VPN profiles that use the following connection types:

| Connection type | iOS and Mac OS X | Android and Android for Work | Windows 8.1 | Windows RT 8.1 | Windows Phone 8.1 | Windows 10 desktop and mobile |
|---|---|---|---|---|---|---|
| Cisco AnyConnect | Yes | Yes | No | No | No | Yes (OMA-URI, mobile only) |
| Cisco (IPsec) | Yes | Yes | No | No | No | No |
| Citrix | Yes | Yes (Android only) | No | No | No | No |
| Pulse Secure | Yes | Yes | Yes | Yes | Yes | Yes |
| F5 Edge Client | Yes | Yes | Yes | Yes | Yes | Yes |
| Dell SonicWALL Mobile Connect | Yes | Yes | Yes | Yes | Yes | Yes |
| CheckPoint Mobile VPN | Yes | Yes | Yes | Yes | Yes | Yes |
| Microsoft SSL (SSTP) | No | No | No | No | No | VPNv1 OMA-URI |
| Microsoft Automatic | No | No | No | No | Yes (OMA-URI) | Yes |
| IKEv2 | iOS custom profile | No | No | No | Yes (OMA-URI) | Yes |
| PPTP | iOS custom profile | No | No | No | No | Yes |
| L2TP | iOS custom profile | No | No | No | Yes (OMA-URI) | Yes |

* Without additional settings that are otherwise available for Windows 10.

Important

Before you can use VPN profiles deployed to a device, you must install the applicable VPN app for the profile. You can use the information in the Deploy apps in Microsoft Intune topic to help you deploy the applicable app by using Intune.

Learn how to create custom VPN profiles by using URI settings in Custom configurations for VPN profiles.

Methods of securing VPN profiles

VPN profiles can use a number of different connection types and protocols from different manufacturers. These connections are typically secured through one of two methods.

Certificates

When you create the VPN profile, you choose a SCEP or PFX certificate profile that you previously created in Intune. This is known as the identity certificate. It is used to authenticate against a trusted certificate profile (or root certificate) that you created, to establish that the user's device is allowed to connect. The trusted certificate is deployed to the computer that authenticates the VPN connection, typically the VPN server.

For more information about how to create and use certificate profiles in Intune, see Secure resource access with certificate profiles.

User name and password

The user authenticates to the VPN server by providing a user name and password.

Create a VPN profile

  1. In the Microsoft Intune administration console, choose Policy > Add Policy.
  2. Select a template for the new policy by expanding the relevant device type, and then choose the VPN profile for that device:

    • VPN Profile (Android 4 and later)
    • VPN Profile (Android for Work)
    • VPN Profile (iOS 8.0 and later)
    • VPN Profile (Mac OS X 10.9 and later)
    • VPN Profile (Windows 8.1 and later)
    • VPN Profile (Windows Phone 8.1 and later)
    • VPN Profile (Windows 10 Desktop and Mobile and later)

    You can create and deploy only a custom VPN profile policy. Recommended settings are not available.

Note

A VPN profile for Android for Work devices enables a VPN connection only for apps that are installed in the device's work profile.

Some VPN connection types support per-app VPN for Android for Work devices, and for enabling per-app VPN on apps distributed through Intune.

  3. Use the following table to help you configure the VPN profile settings:

| Setting name | More information |
|---|---|
| Name | Enter a unique name for the VPN profile to help you identify it in the Intune console. |
| Description | Provide a description that gives an overview of the VPN profile and other relevant information that helps you to locate it. |
| VPN connection name (displayed to users) | Specify a name for the VPN profile. This is the name that users will see in the list of available VPN connections on their devices. |
| Connection type | Select one of the following connection types to use in the VPN profile: Cisco AnyConnect (not available for Windows 8.1 or Windows Phone 8.1), Pulse Secure, Citrix, F5 Edge Client, Dell SonicWALL Mobile Connect, CheckPoint Mobile VPN. |
| VPN server description | Specify a description for the VPN server that devices will connect to. Example: Contoso VPN Server. When the connection type is F5 Edge Client, use the Server list field to specify a list of server descriptions and IP addresses. |
| Server IP address or FQDN | Provide the IP address or fully qualified domain name of the VPN server that devices will connect to. Examples: 192.168.1.1, vpn.contoso.com. When the connection type is F5 Edge Client, use the Server list field to specify a list of server descriptions and IP addresses. |
| Server list | Choose Add to add a new VPN server to use for the VPN connection. You can also specify which server will be the default server for the connection. This option is displayed only when the connection type is F5 Edge Client. |
| Send all network traffic through the VPN connection | If you select this option, all network traffic is sent through the VPN connection. If you do not select this option, the client dynamically negotiates the routes for split tunneling when it connects to the third-party VPN server: only connections to the company network are sent over the VPN tunnel, and the tunnel is not used when you connect to resources on the Internet. |
| Authentication method | Select the authentication method that the VPN connection uses: Certificates or Username and Password. (Username and Password is not available when the connection type is Cisco AnyConnect.) The Authentication method option is not available for Windows 8.1. |
| Remember the user credentials at each logon | Select this option to ensure that the user credentials are remembered, so that the user does not have to enter credentials each time a connection is established. |
| Select a client certificate for client authentication (Identity Certificate) | Select the client SCEP certificate that you previously created and that will be used to authenticate the VPN connection. For more information about how to use certificate profiles in Intune, see Secure resource access with certificate profiles. This option is displayed only when the authentication method is Certificates. |
| Role | Specify the name of the user role that has access to this connection. A user role defines personal settings and options, and enables or disables certain access features. This option is displayed only when the connection type is Pulse Secure or Citrix. |
| Realm | Specify the name of the authentication realm that you want to use. An authentication realm is a grouping of authentication resources that the Pulse Secure or Citrix connection type uses. This option is displayed only when the connection type is Pulse Secure or Citrix. |
| Login group or domain | Specify the name of the login group or domain that you want to connect to. This option is displayed only when the connection type is Dell SonicWALL Mobile Connect. |
| Fingerprint | Specify a string (for example, "Contoso Fingerprint Code") that will be used to verify that the VPN server can be trusted. A fingerprint can be sent to the client so that it knows to trust any server that presents the same fingerprint when connecting. If the device does not already have the fingerprint, it prompts the user to trust the VPN server that they are connecting to while showing the fingerprint. (The user manually verifies the fingerprint and chooses Trust to connect.) This option is displayed only when the connection type is CheckPoint Mobile VPN. |
| Per App VPN | Select this option if you want to associate this VPN connection with an iOS or Mac OS X app, so that the connection is opened when the app runs. You can associate the VPN profile with an app when you deploy the software. For more information, see Deploy apps in Microsoft Intune. |
| On-demand VPN | You can set up on-demand VPN for iOS 8.0 and later devices. Instructions for setting this up are provided in On-demand VPN for iOS devices. |
| Automatically detect proxy settings (iOS, Mac OS X, Windows 8.1, and Windows Phone 8.1 only) | If your VPN server requires a proxy server for the connection, specify whether you want devices to automatically detect the connection settings. For more information, see your Windows Server documentation. |
| Use automatic configuration script (iOS, Mac OS X, Windows 8.1, and Windows Phone 8.1 only) | If your VPN server requires a proxy server for the connection, specify whether you want to use an automatic configuration script to define the settings, and then specify the URL of the file that contains the settings. For more information, see your Windows Server documentation. |
| Use proxy server (iOS, Mac OS X, Windows 8.1, and Windows Phone 8.1 only) | If your VPN server requires a proxy server for the connection, select this option, and then specify the address and port number of the proxy server. For more information, see your Windows Server documentation. |
| Bypass proxy settings for local addresses (iOS, Mac OS X, Windows 8.1, and Windows Phone 8.1 only) | If your VPN server requires a proxy server for the connection, select this option if you do not want to use the proxy server for the local addresses that you specify. For more information, see your Windows Server documentation. |
| Custom XML (Windows 8.1 and later, and Windows Phone 8.1 and later) | Specify custom XML commands that configure the VPN connection. Example for Pulse Secure: <pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>. Example for CheckPoint Mobile VPN: <CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />. Example for Dell SonicWALL Mobile Connect: <MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture></MobileConnect>. Example for F5 Edge Client: <f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>. Refer to each manufacturer's VPN documentation for more information about how to write custom XML commands. |
| DNS Suffix search list (Windows Phone 8.1 only) | Specify one DNS suffix on each line. Each DNS suffix that you specify is searched when connecting to a website by using a short name. For example, if you specify the DNS suffixes domain1.contoso.com and domain2.contoso.com and visit the URL http://mywebsite, the URLs http://mywebsite.domain1.contoso.com and http://mywebsite.domain2.contoso.com are searched. |
| Bypass VPN when connected to company Wi-Fi network (Windows Phone 8.1 only) | Select this option to specify that the VPN connection is not used when the device is connected to the company Wi-Fi network. |
| Bypass VPN when connected to home Wi-Fi network (Windows Phone 8.1 only) | Select this option to specify that the VPN connection is not used when the device is connected to a home Wi-Fi network. |

The following additional settings are available for Windows 10 desktop and mobile devices.

| Setting name | More information |
|---|---|
| Network traffic rules | Select which protocols, and which local and remote port and address ranges, are enabled for the VPN connection. If you do not create a network traffic rule, all protocols, ports, and address ranges are enabled. After you create a rule, the VPN connection uses only the protocols, ports, and address ranges that you specify in that rule. |
| Routes | Select which routes use the VPN connection. |
| DNS servers | Select which DNS servers the VPN connection uses after the connection is established. |
| Associated apps | Provide a list of apps that automatically use the VPN connection. The type of app determines the app identifier. For a universal app, provide the package family name. For a desktop app, provide the file path of the app. |

Important

We recommend that you secure all lists of apps that you compile for use in configuring per-app VPN. If an unauthorized user modifies your list and you then import it into the per-app VPN app list, you could grant VPN access to apps that should not have it. One way to secure app lists is by using an access control list (ACL).

Here is an example of when you might use settings for corporate boundaries. If you want to enable VPN only for Remote Desktop, create a network traffic rule that allows traffic for protocol 27 on external port 3996. No other traffic will use the VPN.

Defining routes in corporate boundaries is useful when your VPN connection type does not let you define how traffic is handled in split tunneling. In that case, use Routes to list the routes that will use the VPN.
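The behaviour of the network traffic rules and routes settings, modelled as an added Python example that is not part of the original page and not Intune or Windows code. It shows the two semantics a practitioner should keep apart: with no rule defined every protocol, port and address range is enabled, while a single rule restricts the VPN to flows matching some rule; routes then decide which destinations go over the tunnel. The Remote Desktop rule (protocol 27, external port 3996) is the page's own example; the corporate prefix 10.0.0.0/8, the sample flows, and the AND combination of rules and routes in flow_uses_vpn are assumptions made for the illustration.

```python
"""Decide whether a flow uses a Windows 10 VPN profile under the
'Network traffic rules' and 'Routes' settings.

Added illustration; not Intune or Windows code. Flows, rules and CIDR
ranges are constructed sample values. Combining the two checks with AND
in flow_uses_vpn is this example's simplification.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass
class TrafficRule:
    """One network traffic rule; an empty field means 'any'."""
    protocol: Optional[int] = None            # IP protocol number (6 = TCP, 17 = UDP, ...)
    local_ports: List[PortRange] = field(default_factory=list)
    remote_ports: List[PortRange] = field(default_factory=list)
    local_addresses: List[str] = field(default_factory=list)   # CIDR strings
    remote_addresses: List[str] = field(default_factory=list)  # CIDR strings


@dataclass
class Flow:
    protocol: int
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int


def _port_ok(port: int, ranges: List[PortRange]) -> bool:
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def _addr_ok(addr: str, networks: List[str]) -> bool:
    return not networks or any(ip_address(addr) in ip_network(n) for n in networks)


def rule_matches(rule: TrafficRule, flow: Flow) -> bool:
    return (
        (rule.protocol is None or rule.protocol == flow.protocol)
        and _port_ok(flow.local_port, rule.local_ports)
        and _port_ok(flow.remote_port, rule.remote_ports)
        and _addr_ok(flow.local_addr, rule.local_addresses)
        and _addr_ok(flow.remote_addr, rule.remote_addresses)
    )


def flow_allowed(flow: Flow, rules: List[TrafficRule]) -> bool:
    """No rules: every protocol, port and address range is enabled.
    One or more rules: only flows matching some rule may use the VPN."""
    return not rules or any(rule_matches(r, flow) for r in rules)


def destination_routed(remote_addr: str, routes: List[str]) -> bool:
    """Routes list the destination prefixes that use the VPN. With none
    listed this model treats every destination as routed (assumption)."""
    return not routes or any(ip_address(remote_addr) in ip_network(r) for r in routes)


def flow_uses_vpn(flow: Flow, rules: List[TrafficRule], routes: List[str]) -> bool:
    # Assumption of this model: a flow must pass both the rule and the route check.
    return flow_allowed(flow, rules) and destination_routed(flow.remote_addr, routes)


# The page's Remote Desktop boundary: protocol 27 on external (remote) port 3996.
REMOTE_DESKTOP_RULE = TrafficRule(protocol=27, remote_ports=[(3996, 3996)])
CORP_ROUTES = ["10.0.0.0/8"]  # constructed corporate prefix

# Constructed sample flows.
RDP_FLOW = Flow(protocol=27, local_addr="192.168.1.20", local_port=50000,
                remote_addr="10.1.2.3", remote_port=3996)
WEB_FLOW = Flow(protocol=6, local_addr="192.168.1.20", local_port=50001,
                remote_addr="10.1.2.3", remote_port=443)
INTERNET_FLOW = Flow(protocol=27, local_addr="192.168.1.20", local_port=50002,
                     remote_addr="203.0.113.9", remote_port=3996)

if __name__ == "__main__":
    for name, flow in [("rdp", RDP_FLOW), ("web", WEB_FLOW), ("internet", INTERNET_FLOW)]:
        print(name, flow_uses_vpn(flow, [REMOTE_DESKTOP_RULE], CORP_ROUTES))
```

Run as a script it prints one line per sample flow; only the Remote Desktop flow to a corporate address uses the VPN once the rule exists, whereas flow_allowed with an empty rule list accepts everything, which is the default the page warns about.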

You can restrict VPN usage on Windows 10 devices to specific apps by creating a custom OMA-URI setting.

The new policy appears in the Configuration Policies node of the Policy workspace.

On-demand VPN for iOS devices

You can configure on-demand VPN for iOS 8.0 and later devices.

Note

You cannot use per-app VPN and on-demand VPN in the same policy.

  1. On the policy configuration page, find On-demand rules for this VPN connection. The columns are labeled Match (the condition that the rules check for) and Action (the action that the policy triggers when the condition is matched).
  2. Choose Add to create a rule. There are two types of matches that you can set up in the rule. You can configure only one of these types per rule.
    • SSIDs, which refer to wireless networks.
    • DNS search domains. You can use fully qualified domain names such as team.corp.contoso.com, or domains such as contoso.com, which is the equivalent of using *.contoso.com.
  3. Optional: provide a URL string probe, which is a URL that the rule uses as a test. If the device on which this profile is installed can access this URL without redirection, the VPN is established and the device connects to the target URL. The user does not see the URL string probe site. An example of a URL string probe is the address of an auditing web server that checks device compliance before the VPN connects. Another possibility is a URL that tests the ability of the VPN to connect to a site before the device is connected to the target URL through the VPN.
  4. Choose one of these actions:

    • Connect
    • Evaluate connection, which has three settings:
      a. Domain action: choose Connect if needed or Never connect.
      b. Comma-separated list of domains: you configure this only if you choose a Domain action of Connect if needed.
      c. Required URL string probe: an HTTP or HTTPS (preferred) URL, such as https://vpntestprobe.contoso.com. The rule checks whether there is a response from this address. If there is not, and the Domain action is Connect if needed, the VPN is triggered.

      Tip

      An example of when you might use this action is when some sites on your corporate network require a direct or VPN corporate network connection, but others do not. If you list corp.contoso.com in Comma-separated list of DNS search domains, you can choose Connect if needed and then list specific sites within that network that may require VPN, such as sharepoint.corp.contoso.com. The rule then checks whether vpntestprobe.contoso.com can be reached. If it cannot, the VPN is triggered for the SharePoint site.

    • Ignore: this causes no change in VPN connectivity. If the VPN is connected, it stays connected; if it is not connected, it is not connected. For example, you may have a rule that connects the VPN for all of your internal corporate websites, but want one of those internal sites to be accessible only when the device is actually connected to the corporate network. In that case, you would create an Ignore rule for that one site.
    • Disconnect: disconnect devices from the VPN when the conditions are matched. For example, you could list your corporate wireless networks in the SSIDs field, and create a rule that disconnects devices from the VPN when they connect to one of those networks.

Domain-specific rules are evaluated before all-domain rules.
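The on-demand rule evaluation described in steps 1 to 4, as an added Python example that is neither the page's nor Apple's nor Intune's code. It models a rule as a Match (SSIDs or DNS search domains, never both) plus an Action (Connect, Evaluate connection with its three settings, Ignore, Disconnect), runs the rules against a constructed SSID and destination host, and shows that the URL string probe failing is what triggers the VPN under Connect if needed. The probe is injected as a function so the two outcomes can be exercised offline; evaluating rules that list DNS search domains before the others is this example's reading of the sentence above, and the sample rules, SSIDs and hosts are constructed.

```python
"""Simulate how iOS on-demand VPN rules (Match -> Action) decide whether
the VPN should be up for a given Wi-Fi SSID and destination host name.

Added illustration only, not Intune's or iOS's own logic. Rule fields
mirror the settings described in the steps above; sample rules, SSIDs
and hosts are constructed. Evaluating rules that list DNS search domains
before the others is this example's reading of "domain-specific rules
are evaluated before all-domain rules".
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

CONNECT, EVALUATE, IGNORE, DISCONNECT = "connect", "evaluate", "ignore", "disconnect"
CONNECT_IF_NEEDED, NEVER_CONNECT = "connect if needed", "never connect"


@dataclass
class OnDemandRule:
    action: str
    ssids: List[str] = field(default_factory=list)        # Match type 1: wireless networks
    dns_domains: List[str] = field(default_factory=list)  # Match type 2: DNS search domains
    domain_action: Optional[str] = None                   # Evaluate connection, setting a
    domains: List[str] = field(default_factory=list)      # Evaluate connection, setting b
    probe_url: Optional[str] = None                       # Evaluate connection, setting c

    def __post_init__(self) -> None:
        # Only one match type may be configured per rule.
        if self.ssids and self.dns_domains:
            raise ValueError("a rule matches on SSIDs or DNS search domains, not both")


def host_in_domain(host: str, domain: str) -> bool:
    """contoso.com matches contoso.com itself and anything under *.contoso.com."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def rule_matches(rule: OnDemandRule, ssid: Optional[str], host: str) -> bool:
    if rule.ssids:
        return ssid in rule.ssids
    if rule.dns_domains:
        return any(host_in_domain(host, d) for d in rule.dns_domains)
    return True  # no match criteria: the rule applies everywhere


def evaluate(rules: List[OnDemandRule], ssid: Optional[str], host: str,
             vpn_up: bool, probe: Callable[[str], bool]) -> bool:
    """Return whether the VPN should be up after the first matching rule acts.
    probe(url) reports whether the URL string probe answered without VPN."""
    ordered = sorted(rules, key=lambda r: 0 if r.dns_domains else 1)  # stable sort
    for rule in ordered:
        if not rule_matches(rule, ssid, host):
            continue
        if rule.action == CONNECT:
            return True
        if rule.action == DISCONNECT:
            return False
        if rule.action == EVALUATE and rule.domain_action == CONNECT_IF_NEEDED:
            needs_vpn = any(host_in_domain(host, d) for d in rule.domains)
            if needs_vpn and rule.probe_url and not probe(rule.probe_url):
                return True  # probe unreachable: trigger the VPN for this host
        return vpn_up  # Ignore, Never connect, or probe answered: leave state as-is
    return vpn_up


# Constructed sample policy mirroring the Tip above.
RULES = [
    OnDemandRule(action=DISCONNECT, ssids=["Contoso-Corp"]),
    OnDemandRule(action=EVALUATE, dns_domains=["corp.contoso.com"],
                 domain_action=CONNECT_IF_NEEDED,
                 domains=["sharepoint.corp.contoso.com"],
                 probe_url="https://vpntestprobe.contoso.com"),
    OnDemandRule(action=IGNORE),  # catch-all: leave the VPN as it is
]


def probe_unreachable(url: str) -> bool:
    """Stand-in for a device off the corporate network: the probe does not answer."""
    return False


def probe_reachable(url: str) -> bool:
    """Stand-in for a device that can already reach the probe directly."""
    return True


if __name__ == "__main__":
    print(evaluate(RULES, "Cafe-WiFi", "sharepoint.corp.contoso.com", False, probe_unreachable))
```

The ordering matters: because the Evaluate rule for corp.contoso.com runs before the SSID-based Disconnect rule, a corporate-Wi-Fi device asking for the SharePoint host still goes through the probe check, while the same device asking for an unrelated host falls through to the Disconnect rule. That is the kind of interaction to test before deploying a policy that mixes domain and SSID matches.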

Deploy the policy

  1. In the Policy workspace, select the policy that you want to deploy, and then choose Manage Deployment.

  2. In the Manage Deployment dialog box:

    • To deploy the policy, select one or more groups to which you want to deploy the policy, and then choose Add > OK.

    • To close the dialog box without deploying the policy, choose Cancel.

After successful deployment, users will see the VPN connection name that you specified in the list of VPN connections on their devices.

A status summary and alerts on the Overview page of the Policy workspace identify issues with the policy that require your attention. Additionally, a status summary appears in the Dashboard workspace.