Microsoft 365 network connectivity principles

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Before you begin planning your network for Microsoft 365 connectivity, it is important to understand the connectivity principles for securely managing Microsoft 365 traffic and getting the best possible performance. This article will help you understand the most recent guidance for securely optimizing Microsoft 365 network connectivity.

Traditional enterprise networks are designed primarily to provide users access to applications and data hosted in company-operated datacenters with strong perimeter security. The traditional model assumes that users will access applications and data from inside the corporate network perimeter, over WAN links from branch offices, or remotely over VPN connections.

Adoption of SaaS applications like Microsoft 365 moves some combination of services and data outside the network perimeter. Without optimization, traffic between users and SaaS applications is subject to latency introduced by packet inspection, network hairpins, inadvertent connections to geographically distant endpoints, and other factors. You can ensure the best Microsoft 365 performance and reliability by understanding and implementing key optimization guidelines.


Microsoft 365 architecture

Microsoft 365 is a distributed Software-as-a-Service (SaaS) cloud that provides productivity and collaboration scenarios through a diverse set of micro-services and applications, such as Exchange Online, SharePoint Online, Skype for Business Online, Microsoft Teams, Exchange Online Protection, Office in a browser, and many others. While specific Microsoft 365 applications may have unique features where customer networks and connectivity to the cloud are concerned, they all share some key principles, goals, and architecture patterns. These connectivity principles and architecture patterns are typical of many other SaaS clouds, and at the same time differ from the typical deployment models of Platform-as-a-Service and Infrastructure-as-a-Service clouds, such as Microsoft Azure.

One of the most significant architectural features of Microsoft 365 (one that is often missed or misinterpreted by network architects) is that it is a truly global distributed service in the context of how users connect to it. The location of the target Microsoft 365 tenant is important for understanding where customer data is stored within the cloud, but the user experience with Microsoft 365 doesn't involve connecting directly to the disks containing that data. The user experience with Microsoft 365 (including performance, reliability, and other important quality characteristics) involves connectivity through highly distributed service front doors that are scaled out across hundreds of Microsoft locations worldwide. In the majority of cases, the best user experience is achieved by allowing the customer network to route user requests to the closest Microsoft 365 service entry point, rather than connecting to Microsoft 365 through an egress point in a central location or region.

For most customers, Microsoft 365 users are distributed across many locations. To achieve the best results, the principles outlined in this document should be looked at from the scale-out (not scale-up) point of view, focusing on optimizing connectivity to the nearest point of presence in the Microsoft Global Network, not to the geographic location of the Microsoft 365 tenant. In essence, this means that even though Microsoft 365 tenant data may be stored in a specific geographic location, the Microsoft 365 experience for that tenant remains distributed and can be present in very close (network) proximity to every end-user location that the tenant has.

Microsoft 365 connectivity principles

Microsoft recommends the following principles to achieve optimal Microsoft 365 connectivity and performance. Use these Microsoft 365 connectivity principles to manage your traffic and get the best performance when connecting to Microsoft 365.

The primary goal in the network design should be to minimize latency by reducing the round-trip time (RTT) from your network into the Microsoft Global Network, Microsoft's public network backbone that interconnects all of Microsoft's datacenters with low latency and cloud application entry points spread around the world. You can learn more about the Microsoft Global Network at How Microsoft builds its fast and reliable global network.

Identify and differentiate Microsoft 365 traffic


Identifying Microsoft 365 network traffic is the first step in being able to differentiate that traffic from generic Internet-bound network traffic. Microsoft 365 connectivity can be optimized by implementing a combination of approaches like network route optimization, firewall rules, browser proxy settings, and bypass of network inspection devices for certain endpoints.

Previous Microsoft 365 optimization guidance divided Microsoft 365 endpoints into two categories, Required and Optional. As endpoints have been added to support new Microsoft 365 services and features, we have reorganized Microsoft 365 endpoints into three categories: Optimize, Allow, and Default. The guidelines for each category apply to all endpoints in that category, making optimizations easier to understand and implement.

For more information on Microsoft 365 endpoint categories and optimization methods, see the New Office 365 endpoint categories section.

Microsoft now publishes all Microsoft 365 endpoints as a web service and provides guidance on how best to use this data. For more information on how to fetch and work with Microsoft 365 endpoints, see the article Office 365 URLs and IP address ranges.

Egress network connections locally


Local DNS and Internet egress are of critical importance for reducing connection latency and ensuring that user connections are made to the nearest point of entry to Microsoft 365 services. In a complex network topology, it is important to implement both local DNS and local Internet egress together. For more information about how Microsoft 365 routes client connections to the nearest point of entry, see the article Client Connectivity.

Prior to the advent of cloud services such as Microsoft 365, end-user Internet connectivity as a design factor in network architecture was relatively simple. When Internet services and web sites are distributed around the globe, latency between corporate egress points and any given destination endpoint is largely a function of geographical distance.

In a traditional network architecture, all outbound Internet connections traverse the corporate network and egress from a central location. As Microsoft's cloud offerings have matured, a distributed Internet-facing network architecture has become critical for supporting latency-sensitive cloud services. The Microsoft Global Network was designed to accommodate latency requirements with the Distributed Service Front Door infrastructure, a dynamic fabric of global entry points that routes incoming cloud service connections to the closest entry point. This is intended to reduce the length of the "last mile" for Microsoft cloud customers by effectively shortening the route between the customer and the cloud.

Enterprise WANs are often designed to backhaul network traffic to a central company head office for inspection before egress to the Internet, usually through one or more proxy servers. The diagram below illustrates such a network topology.

Diagram: Traditional enterprise network model

Because Microsoft 365 runs on the Microsoft Global Network, which includes front-end servers around the world, there will often be a front-end server close to the user's location. By providing local Internet egress and by configuring internal DNS servers to provide local name resolution for Microsoft 365 endpoints, network traffic destined for Microsoft 365 can connect to Microsoft 365 front-end servers as close as possible to the user. The diagram below shows an example of a network topology that allows users connecting from the main office, branch offices, and remote locations to follow the shortest route to the closest Microsoft 365 entry point.

Diagram: WAN network model with regional egress points

Shortening the network path to Microsoft 365 entry points in this way can improve connectivity performance and the end-user experience in Microsoft 365, and can also help to reduce the impact of future changes to the network architecture on Microsoft 365 performance and reliability.

Also, DNS requests can introduce latency if the responding DNS server is distant or busy. You can minimize name resolution latency by provisioning local DNS servers in branch locations and making sure they are configured to cache DNS records appropriately.

While regional egress can work well for Microsoft 365, the optimum connectivity model is to always provide network egress at the user's location, regardless of whether this is on the corporate network or a remote location such as a home, hotel, coffee shop, or airport. This local direct egress model is represented in the diagram below.

Diagram: Local egress network architecture

Enterprises that have adopted Microsoft 365 can take advantage of the Microsoft Global Network's Distributed Service Front Door architecture by ensuring that user connections to Microsoft 365 take the shortest possible route to the nearest Microsoft Global Network entry point. The local egress network architecture does this by allowing Microsoft 365 traffic to be routed over the nearest egress, regardless of user location.

The local egress architecture has the following benefits over the traditional model:

  • Provides optimal Microsoft 365 performance by optimizing route length. End-user connections are dynamically routed to the nearest Microsoft 365 entry point by the Distributed Service Front Door infrastructure.
  • Reduces the load on corporate network infrastructure by allowing local egress.
  • Secures connections on both ends by leveraging client endpoint security and cloud security features.

Avoid network hairpins


As a general rule of thumb, the shortest, most direct route between the user and the closest Microsoft 365 endpoint will offer the best performance. A network hairpin happens when WAN or VPN traffic bound for a particular destination is first directed to another intermediate location (such as a security stack, cloud access broker, or cloud-based web gateway), introducing latency and potential redirection to a geographically distant endpoint. Network hairpins can also be caused by routing/peering inefficiencies or suboptimal (remote) DNS lookups.

To ensure that Microsoft 365 connectivity is not subject to network hairpins even in the local egress case, check whether the ISP that provides Internet egress for the user location has a direct peering relationship with the Microsoft Global Network in close proximity to that location. You may also want to configure egress routing to send trusted Microsoft 365 traffic directly, as opposed to proxying or tunneling it through a third-party cloud or cloud-based network security vendor that processes your Internet-bound traffic. Local DNS name resolution of Microsoft 365 endpoints helps to ensure that, in addition to direct routing, the closest Microsoft 365 entry points are being used for user connections.

If you use cloud-based network or security services for your Microsoft 365 traffic, ensure that the result of the hairpin is evaluated and its impact on Microsoft 365 performance is understood. This can be done by examining the number and locations of the service provider sites through which the traffic is forwarded, in relation to the number of your branch offices and Microsoft Global Network peering points; the quality of the service provider's network peering relationships with your ISP and with Microsoft; and the performance impact of backhauling within the service provider's infrastructure.

Due to the large number of distributed locations with Microsoft 365 entry points and their proximity to end users, routing Microsoft 365 traffic to any third-party network or security provider can have an adverse impact on Microsoft 365 connections if the provider network is not configured for optimal Microsoft 365 peering.

Assess bypassing proxies, traffic inspection devices, and duplicate security technologies


Enterprise customers should review their network security and risk reduction methods specifically for Microsoft 365-bound traffic, and use Microsoft 365 security features to reduce their reliance on intrusive, performance-impacting, and expensive network security technologies for Microsoft 365 network traffic.

Most enterprise networks enforce network security for Internet traffic using technologies like proxies, SSL inspection, packet inspection, and data loss prevention systems. These technologies provide important risk mitigation for generic Internet requests, but can dramatically reduce performance, scalability, and the quality of the end-user experience when applied to Microsoft 365 endpoints.

Office 365 Endpoints web service

Microsoft 365 administrators can use a script or REST call to consume a structured list of endpoints from the Office 365 Endpoints web service and update the configurations of perimeter firewalls and other network devices. This ensures that traffic bound for Microsoft 365 is identified, treated appropriately, and managed differently from network traffic bound for generic and often unknown Internet web sites. For more information on how to use the Office 365 Endpoints web service, see the article Office 365 URLs and IP address ranges.
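As an added example that is not Microsoft's own code, the script below takes a web service response and turns it into per-category lists and vendor-neutral perimeter rules, flagging records that have URLs but no IP subnets because those cannot become IP firewall rules. The service URL and JSON field names are taken from Microsoft's published documentation for the endpoints web service rather than this article; the response itself is a constructed sample (host names are the article's examples, IP prefixes are RFC 5737/3849 documentation ranges, not Microsoft's address space) so that it runs offline.

```javascript
"use strict";
// Added example: consume an Office 365 Endpoints web service response.
// Field names (category, urls, ips, tcpPorts, udpPorts, ...) follow Microsoft's
// documented schema; SAMPLE_RESPONSE is constructed, not a live download.

const CATEGORIES = ["Optimize", "Allow", "Default"];
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// URL of the real service (not called here). Generate one GUID per client and reuse
// it as clientrequestid; a malformed id is rejected before any request is built.
function endpointsUrl(clientRequestId, instance = "worldwide") {
  if (!GUID_RE.test(clientRequestId)) throw new Error("clientrequestid must be a GUID");
  return `https://endpoints.office.com/endpoints/${instance}?clientrequestid=${clientRequestId}`;
}

// Constructed sample. Record 11 is IP-only (media traffic); record 56 is URL-only,
// which the article notes happens for some Allow endpoints.
const SAMPLE_RESPONSE = [
  { id: 1, serviceArea: "Exchange", category: "Optimize", required: true,
    urls: ["outlook.office365.com", "outlook.office.com"],
    ips: ["203.0.113.0/24", "2001:db8:1::/48"], tcpPorts: "80,443" },
  { id: 31, serviceArea: "SharePoint", category: "Optimize", required: true,
    urls: ["*.sharepoint.com"], ips: ["198.51.100.0/24"], tcpPorts: "80,443" },
  { id: 11, serviceArea: "Skype", category: "Optimize", required: true,
    ips: ["192.0.2.0/24"], udpPorts: "3478,3479,3480,3481" },
  { id: 2, serviceArea: "Exchange", category: "Allow", required: true,
    urls: ["*.protection.outlook.com"], ips: ["203.0.113.0/24"], tcpPorts: "443" },
  { id: 56, serviceArea: "Common", category: "Allow", required: true,
    urls: ["accounts.accesscontrol.windows.net"], tcpPorts: "443" },
  { id: 78, serviceArea: "Common", category: "Default", required: false,
    urls: ["odc.officeapps.live.com", "appexsin.stb.s-msn.com"], tcpPorts: "80,443" },
];

// "80,443" -> [80, 443]; the field is absent when a record has no ports for that protocol.
function parsePorts(spec) {
  if (!spec) return [];
  return spec.split(",")
    .map((p) => Number(p.trim()))
    .filter((n) => Number.isInteger(n) && n > 0 && n < 65536);
}

// Group records by category, deduplicated and sorted so successive runs diff cleanly.
// An unknown category is an error rather than being silently treated as Default.
function buildPolicy(records) {
  const buckets = Object.fromEntries(CATEGORIES.map((c) =>
    [c, { urls: new Set(), ips: new Set(), tcpPorts: new Set(), udpPorts: new Set(), urlOnlyIds: [] }]));
  for (const r of records) {
    if (!CATEGORIES.includes(r.category)) {
      throw new Error(`record ${r.id}: unknown category ${JSON.stringify(r.category)}`);
    }
    const b = buckets[r.category];
    const urls = r.urls ?? [];
    const ips = r.ips ?? [];
    urls.forEach((u) => b.urls.add(u.toLowerCase()));
    ips.forEach((ip) => b.ips.add(ip));
    parsePorts(r.tcpPorts).forEach((p) => b.tcpPorts.add(p));
    parsePorts(r.udpPorts).forEach((p) => b.udpPorts.add(p));
    // A URL-only record cannot be expressed as an IP firewall rule; it needs
    // name-based handling (proxy bypass list, DNS policy, or an FQDN-aware firewall).
    if (urls.length > 0 && ips.length === 0) b.urlOnlyIds.push(r.id);
  }
  const byNumber = (a, b) => a - b;
  const policy = {};
  for (const c of CATEGORIES) {
    const b = buckets[c];
    policy[c] = {
      urls: [...b.urls].sort(),
      ips: [...b.ips].sort(),
      tcpPorts: [...b.tcpPorts].sort(byNumber),
      udpPorts: [...b.udpPorts].sort(byNumber),
      urlOnlyIds: b.urlOnlyIds,
    };
  }
  return policy;
}

// Vendor-neutral rule objects built per record, so each prefix keeps its own ports
// instead of inheriting every port seen in its category. Optimize and Allow get
// explicit allow rules flagged to skip TLS/content inspection; Default stays on the
// ordinary Internet path and gets no rule.
function toPerimeterRules(records) {
  const rules = [];
  for (const r of records) {
    if (r.category !== "Optimize" && r.category !== "Allow") continue;
    for (const dst of r.ips ?? []) {
      for (const [proto, ports] of [["tcp", parsePorts(r.tcpPorts)], ["udp", parsePorts(r.udpPorts)]]) {
        if (ports.length === 0) continue;
        rules.push({ id: r.id, category: r.category, action: "allow", proto, dst, ports, bypassInspection: true });
      }
    }
  }
  return rules;
}
```

Feeding the real service's JSON into buildPolicy and toPerimeterRules in place of SAMPLE_RESPONSE gives the lists a change-control process can diff against the previous run before the firewall and proxy configurations are updated.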

PAC (Proxy Automatic Configuration) scripts

Microsoft 365 administrators can create PAC (Proxy Automatic Configuration) scripts that can be delivered to user computers via WPAD or GPO. PAC scripts can be used to bypass proxies for Microsoft 365 requests from WAN or VPN users, allowing Microsoft 365 traffic to use direct Internet connections rather than traversing the corporate network.
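The following PAC script is an added example, not one from the article or from Microsoft: it returns DIRECT only for the Optimize-category hosts the article lists (with <tenant>.sharepoint.com generalized to *.sharepoint.com) and keeps Allow, Default, and generic Internet traffic on the proxy, which is the distinction the article draws between the categories. The proxy address proxy.corp.example:8080 and the internal domain .corp.example are placeholders, the script is kept to ES5 syntax because Windows evaluates PAC files with a JScript engine, and the shim at the top only emulates the browser-provided PAC helpers so the file can be run under Node.

```javascript
// Added example PAC script: Optimize endpoints go DIRECT, everything else via proxy.
// Placeholders: proxy.corp.example:8080 (corporate proxy), .corp.example (internal domain).

// Test shim only: browsers and WinHTTP supply these PAC helpers themselves, and the
// guard keeps this block inert there. Remove it before publishing via WPAD or GPO.
if (typeof dnsDomainIs === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.dnsDomainIs = function (host, domain) {
    // Plain suffix match, exactly like the browser helper (no label boundary check).
    return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
  };
  globalThis.shExpMatch = function (str, shexp) {
    // Shell-style glob anchored to the whole string: * and ? are wildcards, all else literal.
    var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}

var PROXY = "PROXY proxy.corp.example:8080";
var DIRECT = "DIRECT";

// Optimize-category hosts from the article. Wildcards are matched with shExpMatch,
// which anchors the whole host name. Do not use dnsDomainIs(h, "sharepoint.com")
// for this: it is a bare suffix match and would also bypass the proxy for a
// look-alike such as notsharepoint.com, widening the bypass to untrusted hosts.
var OPTIMIZE_HOSTS = ["outlook.office365.com"];
var OPTIMIZE_PATTERNS = ["*.sharepoint.com"];

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  var i;
  // Internal names never leave the corporate network.
  if (isPlainHostName(h) || dnsDomainIs(h, ".corp.example")) {
    return DIRECT;
  }
  for (i = 0; i < OPTIMIZE_HOSTS.length; i++) {
    if (h === OPTIMIZE_HOSTS[i]) {
      return DIRECT;
    }
  }
  for (i = 0; i < OPTIMIZE_PATTERNS.length; i++) {
    if (shExpMatch(h, OPTIMIZE_PATTERNS[i])) {
      return DIRECT;
    }
  }
  // Allow and Default category hosts, and all generic Internet traffic, keep using the proxy.
  return PROXY;
}
```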

Microsoft 365 security features

Microsoft is transparent about datacenter security, operational security, and risk reduction around Microsoft 365 servers and the network endpoints that they represent. Microsoft 365 built-in security features are available for reducing network security risk, such as Data Loss Prevention, Anti-Virus, Multi-Factor Authentication, Customer Lockbox, Defender for Office 365, Microsoft 365 Threat Intelligence, Microsoft 365 Secure Score, Exchange Online Protection, and Network DDoS Security.

For more information on Microsoft datacenter and Global Network security, see the Microsoft Trust Center.

New Office 365 endpoint categories

Office 365 endpoints represent a varied set of network addresses and subnets. Endpoints may be URLs, IP addresses, or IP ranges, and some endpoints are listed with specific TCP/UDP ports. URLs can either be an FQDN like account.office.net, or a wildcard URL like *.office365.com.

Note: The locations of Office 365 endpoints within the network are not directly related to the location of the Microsoft 365 tenant data. For this reason, customers should look at Microsoft 365 as a distributed and global service and should not attempt to block network connections to Office 365 endpoints based on geographical criteria.

In our previous guidance for managing Microsoft 365 traffic, endpoints were organized into two categories, Required and Optional. Endpoints within each category required different optimizations depending on the criticality of the service, and many customers faced challenges in justifying the application of the same network optimizations to the full list of Office 365 URLs and IP addresses.

In the new model, endpoints are segregated into three categories, Optimize, Allow, and Default, providing a priority-based pivot on where to focus network optimization efforts to realize the best performance improvements and return on investment. The endpoints are consolidated into these categories based on how sensitive the effective user experience is to network quality, the volume and performance envelope of the scenarios, and ease of implementation. Recommended optimizations can be applied the same way to all endpoints in a given category.

  • Optimize endpoints are required for connectivity to every Office 365 service and represent over 75% of Office 365 bandwidth, connections, and volume of data. These endpoints represent the Office 365 scenarios that are the most sensitive to network performance, latency, and availability. All endpoints are hosted in Microsoft datacenters. The rate of change to the endpoints in this category is expected to be much lower than for the endpoints in the other two categories. This category includes a small (on the order of ~10) set of key URLs and a defined set of IP subnets dedicated to core Office 365 workloads such as Exchange Online, SharePoint Online, Skype for Business Online, and Microsoft Teams.

    A condensed list of well-defined critical endpoints should help you to plan and implement high-value network optimizations for these destinations faster and more easily.

    Examples of Optimize endpoints include https://outlook.office365.com, https://<tenant>.sharepoint.com, and https://<tenant>-my.sharepoint.com.

    Optimization methods include:

    • Bypass Optimize endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection, and content filtering.
    • Bypass on-premises proxy devices and cloud-based proxy services commonly used for generic Internet browsing.
    • Prioritize the evaluation of these endpoints as fully trusted by your network infrastructure and perimeter systems.
    • Prioritize reduction or elimination of WAN backhauling, and facilitate direct distributed Internet-based egress for these endpoints as close to users/branch locations as possible.
    • Facilitate direct connectivity to these cloud endpoints for VPN users by implementing split tunneling.
    • Ensure that IP addresses returned by DNS name resolution match the routing egress path for these endpoints.
    • Prioritize these endpoints for SD-WAN integration for direct, minimal-latency routing into the nearest Internet peering point of the Microsoft Global Network.
  • Allow endpoints are required for connectivity to specific Office 365 services and features, but are not as sensitive to network performance and latency as those in the Optimize category. The overall network footprint of these endpoints, from the standpoint of bandwidth and connection count, is also smaller. These endpoints are dedicated to Office 365 and are hosted in Microsoft datacenters. They represent a broad set of Office 365 micro-services and their dependencies (on the order of ~100 URLs) and are expected to change at a higher rate than those in the Optimize category. Not all endpoints in this category are associated with defined dedicated IP subnets.

    Network optimizations for Allow endpoints can improve the Office 365 user experience, but some customers may choose to scope those optimizations more narrowly to minimize changes to their network.

    Examples of Allow endpoints include https://*.protection.outlook.com and https://accounts.accesscontrol.windows.net.

    Optimization methods include:

    • Bypass Allow endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection, and content filtering.
    • Prioritize the evaluation of these endpoints as fully trusted by your network infrastructure and perimeter systems.
    • Prioritize reduction or elimination of WAN backhauling, and facilitate direct distributed Internet-based egress for these endpoints as close to users/branch locations as possible.
    • Ensure that IP addresses returned by DNS name resolution match the routing egress path for these endpoints.
    • Prioritize these endpoints for SD-WAN integration for direct, minimal-latency routing into the nearest Internet peering point of the Microsoft Global Network.
  • Default endpoints represent Office 365 services and dependencies that do not require any optimization, and can be treated by customer networks as normal Internet-bound traffic. Some endpoints in this category may not be hosted in Microsoft datacenters. Examples include https://odc.officeapps.live.com and https://appexsin.stb.s-msn.com.

For more information about Office 365 network optimization techniques, see the article Managing Office 365 endpoints.

Comparing network perimeter security with endpoint security

The goal of traditional network security is to harden the corporate network perimeter against intrusion and malicious exploits. As organizations adopt Microsoft 365, some network services and data are partly or completely migrated to the cloud. As with any fundamental change to network architecture, this process requires a reevaluation of network security that takes emerging factors into account:

  • As cloud services are adopted, network services and data are distributed between on-premises datacenters and the cloud, and perimeter security is no longer adequate on its own.
  • Remote users connect to corporate resources both in on-premises datacenters and in the cloud from uncontrolled locations such as homes, hotels, and coffee shops.
  • Purpose-built security features are increasingly built into cloud services and can potentially supplement or replace existing security systems.

Microsoft offers a wide range of Microsoft 365 security features and provides prescriptive guidance for employing security best practices that can help you to ensure data and network security for Microsoft 365. Recommended best practices include the following:

  • Use multi-factor authentication (MFA). MFA adds an additional layer of protection to a strong password strategy by requiring users to acknowledge a phone call, text message, or an app notification on their smart phone after correctly entering their password.

  • Use Microsoft Cloud App Security. Configure policies to track anomalous activity and act on it. Set up alerts with Microsoft Cloud App Security so that admins can review unusual or risky user activity, such as downloading large amounts of data, multiple failed sign-in attempts, or connections from unknown or dangerous IP addresses.

  • Configure Data Loss Prevention (DLP). DLP allows you to identify sensitive data and create policies that help prevent your users from accidentally or intentionally sharing the data. DLP works across Microsoft 365 services, including Exchange Online, SharePoint Online, and OneDrive, so that your users can stay compliant without interrupting their workflow.

  • Use Customer Lockbox. As a Microsoft 365 admin, you can use Customer Lockbox to control how a Microsoft support engineer accesses your data during a help session. In cases where the engineer requires access to your data to troubleshoot and fix an issue, Customer Lockbox allows you to approve or reject the access request.

  • Use Office 365 Secure Score. Secure Score is a security analytics tool that recommends what you can do to further reduce risk. It looks at your Microsoft 365 settings and activities and compares them to a baseline established by Microsoft. You'll get a score based on how aligned you are with best security practices.

A holistic approach to enhanced security should include consideration of the following:

  • Shift emphasis from perimeter security towards endpoint security by applying cloud-based and Office client security features.
    • Shrink the security perimeter to the datacenter
    • Enable equivalent trust for user devices inside the office or at remote locations
    • Focus on securing the data location and the user location
    • Managed user machines have higher trust with endpoint security
  • Manage all information security holistically, not focusing solely on the perimeter
    • Redefine WAN and building perimeter network security by allowing trusted traffic to bypass security devices and separating unmanaged devices to guest Wi-Fi networks
    • Reduce network security requirements of the corporate WAN edge
    • Some network perimeter security devices such as firewalls are still required, but load is decreased
    • Ensure local egress for Microsoft 365 traffic
  • Improvements can be addressed incrementally as described in the Incremental optimization section. Some optimization techniques may offer better cost/benefit ratios depending on your network architecture, and you should choose optimizations that make the most sense for your organization.

For more information on Microsoft 365 security and compliance, see the articles Microsoft 365 security and Microsoft 365 compliance.

Incremental optimization

We have represented the ideal network connectivity model for SaaS earlier in this article, but for many large organizations with historically complex network architectures, it will not be practical to make all of these changes at once. In this section, we discuss a number of incremental changes that can help to improve Microsoft 365 performance and reliability.

The methods you will use to optimize Microsoft 365 traffic will vary depending on your network topology and the network devices you have implemented. Large enterprises with many locations and complex network security practices will need to develop a strategy that includes most or all of the principles listed in the Microsoft 365 connectivity principles section, while smaller organizations might only need to consider one or two.

You can approach optimization as an incremental process, applying each method successively. The following table lists key optimization methods in order of their impact on latency and reliability for the largest number of users.

Optimization method: Local DNS resolution and Internet egress
  Description: Provision local DNS servers in each location and ensure that Microsoft 365 connections egress to the Internet as close as possible to the user's location.
  Impact:
    • Minimize latency
    • Improve reliable connectivity to the closest Microsoft 365 entry point

Optimization method: Add regional egress points
  Description: If your corporate network has multiple locations but only one egress point, add regional egress points to enable users to connect to the closest Microsoft 365 entry point.
  Impact:
    • Minimize latency
    • Improve reliable connectivity to the closest Microsoft 365 entry point

Optimization method: Bypass proxies and inspection devices
  Description: Configure browsers with PAC files that send Microsoft 365 requests directly to egress points. Configure edge routers and firewalls to permit Microsoft 365 traffic without inspection.
  Impact:
    • Minimize latency
    • Reduce load on network devices

Optimization method: Enable direct connection for VPN users
  Description: For VPN users, enable Microsoft 365 connections to connect directly from the user's network rather than over the VPN tunnel by implementing split tunneling.
  Impact:
    • Minimize latency
    • Improve reliable connectivity to the closest Microsoft 365 entry point

Optimization method: Migrate from traditional WAN to SD-WAN
  Description: SD-WANs (Software Defined Wide Area Networks) simplify WAN management and improve performance by replacing traditional WAN routers with virtual appliances, similar to the virtualization of compute resources using virtual machines (VMs).
  Impact:
    • Improve performance and manageability of WAN traffic
    • Reduce load on network devices
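The "Bypass proxies and inspection devices" row above says to configure browsers with a PAC file that sends Microsoft 365 requests straight to the local egress. The following is an added example, not code from the Microsoft article or from any Microsoft tooling: it builds such a PAC file from a list of endpoint records and then evaluates it locally. The endpoint records are constructed sample data whose field names (category, urls, ips, serviceArea) mirror the Office 365 IP Address and URL web service listed in the related articles; the hosts, IP ranges and the proxy name proxy.corp.example are illustrative placeholders. Only endpoints in the bypass categories (assumed here to be "Optimize" and "Allow") go DIRECT; everything else, including the "Default" category, keeps using the corporate proxy, so general Internet traffic still passes through existing inspection.

```javascript
// Added example, not code from the Microsoft article: generate a PAC file that
// sends Microsoft 365 requests DIRECT to the local Internet egress and routes
// everything else through the corporate proxy, then evaluate it with local
// implementations of the standard PAC helpers so it can be checked outside a
// browser.

// Constructed sample endpoint records. The field names (category, urls, ips,
// serviceArea) mirror the Office 365 IP Address and URL web service; the
// values are illustrative placeholders, not a copy of the published list.
const SAMPLE_ENDPOINTS = [
  { id: 1, serviceArea: "Exchange", category: "Optimize",
    urls: ["outlook.office.com", "outlook.office365.com"], ips: ["203.0.113.0/24"] },
  { id: 2, serviceArea: "SharePoint", category: "Optimize",
    urls: ["*.sharepoint.com"], ips: ["198.51.100.0/24"] },
  { id: 3, serviceArea: "Skype", category: "Optimize",
    urls: ["teams.microsoft.com", "*.teams.microsoft.com"], ips: ["192.0.2.0/24"] },
  { id: 4, serviceArea: "Common", category: "Allow",
    urls: ["*.office.com"], ips: [] },
  { id: 5, serviceArea: "Common", category: "Default",
    urls: ["*.microsoft.com"], ips: [] },
];

// Hypothetical corporate proxy that non-Microsoft 365 traffic keeps using.
const CORP_PROXY = "PROXY proxy.corp.example:8080";

// Build the PAC source. Only endpoints in the bypass categories are sent
// DIRECT; "Default" endpoints fall through to the proxy like any other site.
function generatePac(endpoints, proxy, bypassCategories = ["Optimize", "Allow"]) {
  const hosts = [];
  for (const ep of endpoints) {
    if (!bypassCategories.includes(ep.category)) continue;
    for (const u of ep.urls || []) {
      if (!hosts.includes(u)) hosts.push(u);
    }
  }
  return [
    "function FindProxyForURL(url, host) {",
    "  var direct = [",
    ...hosts.map((h) => `    ${JSON.stringify(h)},`),
    "  ];",
    "  for (var i = 0; i < direct.length; i++) {",
    "    if (shExpMatch(host, direct[i])) { return \"DIRECT\"; }",
    "  }",
    `  return ${JSON.stringify(proxy)};`,
    "}",
  ].join("\n");
}

// Local implementations of the PAC helper functions a browser provides.
function shExpMatch(str, shexp) {
  // Shell-style glob: escape regex metacharacters, then map * and ?.
  const re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function isPlainHostName(host) {
  return !host.includes(".");
}

// Evaluate PAC text the way a browser does, with the helpers in scope, and
// hand back the FindProxyForURL function it defines. new Function creates
// code in global scope, so the helpers must be passed in explicitly.
function loadPac(pacSource) {
  const factory = new Function("shExpMatch", "dnsDomainIs", "isPlainHostName",
    pacSource + "\nreturn FindProxyForURL;");
  return factory(shExpMatch, dnsDomainIs, isPlainHostName);
}

// Which route a given host gets under the sample list.
function routeFor(host) {
  const findProxy = loadPac(generatePac(SAMPLE_ENDPOINTS, CORP_PROXY));
  return findProxy("https://" + host + "/", host);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(generatePac(SAMPLE_ENDPOINTS, CORP_PROXY));
}
```

Running the file prints the generated PAC text, which can then be published to browsers. Note that the glob patterns match on the full host name, so a lookalike such as evil-sharepoint.com does not match "*.sharepoint.com" and stays on the proxy; regenerate the PAC whenever the endpoint list changes, since a stale list silently sends new Microsoft 365 hosts back through inspection.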

  • Microsoft 365 Network Connectivity Overview

  • Managing Office 365 endpoints

  • Office 365 URLs and IP address ranges

  • Office 365 IP Address and URL Web service

  • Assessing Microsoft 365 network connectivity

  • Network planning and performance tuning for Microsoft 365

  • Office 365 performance tuning using baselines and performance history

  • Performance troubleshooting plan for Office 365

  • Content Delivery Networks

  • Microsoft 365 connectivity test

  • How Microsoft builds its fast and reliable global network

  • Office 365 Networking blog