Step 2. Provide remote access to on-premises apps and services

If your organization uses a remote access VPN solution, typically with VPN servers on the edge of your network and VPN clients installed on your users' devices, your users can use remote access VPN connections to access on-premises apps and servers. But you may need to optimize traffic to Microsoft 365 cloud-based services.

If your users do not use a VPN solution, you can use Azure Active Directory (Azure AD) Application Proxy and Azure Point-to-Site (P2S) VPN to provide access, depending on whether all your apps are web-based.

Here are the primary configurations for remote access:

  • You are already using a remote access VPN solution.
  • You are not using a remote access VPN solution and you want your remote workers to use their personal computers.
  • You are not using a remote access VPN solution, you have hybrid identity, and you need remote access only to on-premises web-based apps.
  • You are not using a remote access VPN solution and you need access to on-premises apps, some of which are not web-based.

See this flowchart for the remote access configuration options discussed in this article.

[Figure: Flowchart of the remote access configuration options]

With remote access connections, you can also use Remote Desktop to connect your users to an on-premises PC. For example, a remote worker can use Remote Desktop to connect to the PC in their office from their Windows, iOS, or Android device. Once they are remotely connected, they can use it as if they were sitting in front of it.

Optimize performance for remote access VPN clients to Microsoft 365 cloud services

If your remote workers are using a traditional VPN client to obtain remote access to your organization network, verify that the VPN client has split tunneling support.

Without split tunneling, all of your remote work traffic gets sent across the VPN connection, where it must be forwarded to your organization's edge devices, get processed, and then sent on to the Internet.

[Figure: Network traffic from a VPN client without split tunneling]

Microsoft 365 traffic must take an indirect route through your organization, and it could be forwarded to a Microsoft network entry point far away from the VPN client's physical location. This indirect path adds latency to the network traffic and decreases overall performance.

With split tunneling, you can configure your VPN client to exclude specific types of traffic from being sent over the VPN connection to the organization network.

To optimize access to Microsoft 365 cloud resources, configure your split tunneling VPN clients to exclude traffic to the Optimize category of Microsoft 365 endpoints from the VPN connection. For more information, see Office 365 endpoint categories. See this list of Optimize category endpoints.

Here is the resulting traffic flow, in which most of the traffic to Microsoft 365 cloud apps bypasses the VPN connection.

[Figure: Network traffic from a VPN client with split tunneling]

This allows the VPN client to send and receive crucial Microsoft 365 cloud service traffic directly over the Internet, to the nearest entry point into the Microsoft network.

For more information and guidance, see Optimize Office 365 connectivity for remote users using VPN split tunneling.
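The following added example (not code from the article or from Microsoft) shows how the exclusion list for a split-tunneling client is derived: it parses data in the shape of the Office 365 IP Address and URL web service output, keeps only required Optimize-category prefixes, and decides whether a given destination bypasses the tunnel. The endpoint records and prefixes are constructed documentation ranges, not real Microsoft 365 endpoints; the function names are the example's own.

```python
import ipaddress
import json

# Constructed sample in the shape of the Office 365 IP Address and URL web
# service records (category, required, ips, urls, tcpPorts). The prefixes are
# RFC 5737 / RFC 3849 documentation ranges, not real Microsoft 365 endpoints.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "urls": ["outlook.example"], "ips": ["203.0.113.0/24", "2001:db8:10::/48"],
   "tcpPorts": "80,443"},
  {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": true,
   "urls": ["autodiscover.example"], "ips": ["198.51.100.0/24"], "tcpPorts": "443"},
  {"id": 3, "serviceArea": "SharePoint", "category": "Optimize", "required": true,
   "urls": ["sharepoint.example"], "ips": ["192.0.2.0/25"], "tcpPorts": "80,443"},
  {"id": 4, "serviceArea": "Common", "category": "Default", "required": false,
   "urls": ["telemetry.example"], "tcpPorts": "443"}
]
"""


def load_sample():
    """Parse the constructed endpoint records above."""
    return json.loads(SAMPLE_ENDPOINTS_JSON)


def optimize_prefixes(endpoints):
    """Deduplicated IP prefixes of required Optimize-category endpoints.

    Only these ranges leave the tunnel; Allow and Default traffic, and any
    record without an 'ips' list, keeps going through the VPN to the edge.
    """
    prefixes = set()
    for ep in endpoints:
        if ep.get("category") != "Optimize" or not ep.get("required", False):
            continue
        for cidr in ep.get("ips", []):
            prefixes.add(ipaddress.ip_network(cidr, strict=True))
    return sorted(prefixes, key=lambda net: (net.version, net))


def bypasses_vpn(destination, prefixes):
    """True if traffic to this address should go directly to the Internet."""
    addr = ipaddress.ip_address(destination)
    return any(addr.version == net.version and addr in net for net in prefixes)


def exclusion_routes(endpoints):
    """Prefixes in string form, ready for the VPN client's exclusion route list."""
    return [str(net) for net in optimize_prefixes(endpoints)]


if __name__ == "__main__":
    for route in exclusion_routes(load_sample()):
        print("exclude from VPN:", route)
```

Because the Optimize list changes over time, a real deployment re-reads the published endpoint data on a schedule and refreshes the client's exclusion routes rather than hard-coding them.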

Deploy remote access when all your apps are web apps and you have hybrid identity

If your remote workers are not using a traditional VPN client and your on-premises user accounts and groups are synchronized with Azure AD, you can use Azure AD Application Proxy to provide secure remote access for web-based applications hosted on on-premises servers. Web-based applications include SharePoint Server sites, Outlook Web Access servers, or any other web-based line-of-business applications.

Here are the components of Azure AD Application Proxy.

[Figure: Components of Azure AD Application Proxy]

For more information, see this overview of Azure AD Application Proxy.

Note

Azure AD Application Proxy is not included with a Microsoft 365 subscription. You must pay for usage with a separate Azure subscription.

Deploy remote access when not all your apps are web apps

If your remote workers are not using a traditional VPN client and you have apps that are not web-based, you can use an Azure Point-to-Site (P2S) VPN.

A P2S VPN connection creates a secure connection from a remote worker's device to your organization network through an Azure virtual network.

[Figure: Components of Azure P2S VPN]

For more information, see this overview of P2S VPN.

Note

Azure P2S VPN is not included with a Microsoft 365 subscription. You must pay for usage with a separate Azure subscription.

Deploy Windows Virtual Desktop to provide remote access for remote workers using personal devices

To support remote workers who can only use their personal and unmanaged devices, use Windows Virtual Desktop in Azure to create and allocate virtual desktops for your users to use from home. Virtualized PCs can act just like PCs connected to your organization network.

[Figure: Components of Azure Windows Virtual Desktop]

For more information, see this overview of Windows Virtual Desktop.

Note

Windows Virtual Desktop is not included with a Microsoft 365 subscription. You must pay for usage with a separate Azure subscription.

Protect your Remote Desktop Services connections with the Remote Desktop Services Gateway

If you are using Remote Desktop Services (RDS) to allow employees to connect to Windows-based computers on your on-premises network, you should use a Microsoft Remote Desktop Services gateway in your edge network. The gateway uses Transport Layer Security (TLS) to encrypt traffic and prevents the on-premises computer hosting RDS from being directly exposed to the Internet.

[Figure: Remote Desktop Services connections through a Remote Desktop Services gateway]

See this article for more information.

Admin technical resources for remote access

Results of Step 2

After deployment of a remote access solution for your remote workers, the result for each remote access configuration is:

  • A remote access VPN solution is in place: You have configured your remote access VPN client for split tunneling and for the Optimize category of Microsoft 365 endpoints.
  • No remote access VPN solution and you need remote access only to on-premises web-based apps: You have configured Azure Application Proxy.
  • No remote access VPN solution and you need access to on-premises apps, some of which are not web-based: You have configured Azure P2S VPN.
  • Remote workers are using their personal devices from home: You have configured Windows Virtual Desktop.
  • Remote workers are using RDS connections to on-premises systems: You have deployed a Remote Desktop Services gateway in your edge network.

Next step

Step 3: Deploy Microsoft 365 security and compliance services

Continue with Step 3 to deploy Microsoft 365 security and compliance services to protect your apps, data, and devices.