Microsoft 365 Network Connectivity Principles

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

Before you begin planning your network for Microsoft 365 network connectivity, it is important to understand the connectivity principles for securely managing Microsoft 365 traffic and getting the best possible performance. This article will help you understand the most recent guidance for securely optimizing Microsoft 365 network connectivity.

Traditional enterprise networks are designed primarily to provide users access to applications and data hosted in company operated datacenters with strong perimeter security. The traditional model assumes that users will access applications and data from inside the corporate network perimeter, over WAN links from branch offices, or remotely over VPN connections.

Adoption of SaaS applications like Microsoft 365 moves some combination of services and data outside the network perimeter. Without optimization, traffic between users and SaaS applications is subject to latency introduced by packet inspection, network hairpins, inadvertent connections to geographically distant endpoints and other factors. You can ensure the best Microsoft 365 performance and reliability by understanding and implementing key optimization guidelines.

In this article, you will learn about:

Microsoft 365 architecture

Microsoft 365 is a distributed Software-as-a-Service (SaaS) cloud that provides productivity and collaboration scenarios through a diverse set of micro-services and applications, such as Exchange Online, SharePoint Online, Skype for Business Online, Microsoft Teams, Exchange Online Protection, Office in a browser, and many others. While specific Microsoft 365 applications may have unique features as they apply to customer networks and connectivity to the cloud, they all share some key principles, goals and architecture patterns. These principles and architecture patterns for connectivity are typical for many other SaaS clouds, and at the same time are quite different from the typical deployment models of Platform-as-a-Service and Infrastructure-as-a-Service clouds, such as Microsoft Azure.

One of the most significant architectural features of Microsoft 365 (one that is often missed or misinterpreted by network planners) is that it is a truly global distributed service, in the context of how users connect to it. The location of the target Microsoft 365 tenant is important for understanding where customer data is stored within the cloud, but the user experience with Microsoft 365 does not involve connecting directly to the disks containing that data. The user experience with Microsoft 365 (including performance, reliability and other important quality characteristics) involves connectivity through highly distributed service front doors that are scaled out across hundreds of Microsoft locations worldwide. In the majority of cases, the best user experience is achieved by allowing the customer network to route user requests to the closest Microsoft 365 service entry point, rather than connecting to Microsoft 365 through an egress point in a central location or region.

For most customers, Microsoft 365 users are distributed across many locations. To achieve the best results, the principles outlined in this document should be looked at from the scale-out (not scale-up) point of view, focusing on optimizing connectivity to the nearest point of presence in the Microsoft Global Network, not to the geographic location of the Microsoft 365 tenant. In essence, this means that even though Microsoft 365 tenant data may be stored in a specific geographic location, the Microsoft 365 experience for that tenant remains distributed and can be present in very close (network) proximity to every end user location that the tenant has.

Microsoft 365 connectivity principles

Microsoft recommends the following principles to achieve optimal Microsoft 365 connectivity and performance. Use these Microsoft 365 connectivity principles to manage your traffic and get the best performance when connecting to Microsoft 365.

The primary goal in the network design should be to minimize latency by reducing the round-trip time (RTT) from your network into the Microsoft Global Network, Microsoft's public network backbone that interconnects all of Microsoft's datacenters with low latency and cloud application entry points spread around the world. You can learn more about the Microsoft Global Network at How Microsoft builds its fast and reliable global network.

Identify and differentiate Microsoft 365 traffic

Identify Microsoft 365 traffic

Identifying Microsoft 365 network traffic is the first step in being able to differentiate that traffic from generic Internet-bound network traffic. Microsoft 365 connectivity can be optimized by implementing a combination of approaches like network route optimization, firewall rules, browser proxy settings, and bypass of network inspection devices for certain endpoints.

Previous Microsoft 365 optimization guidance divided Microsoft 365 endpoints into two categories, Required and Optional. As endpoints have been added to support new Microsoft 365 services and features, we have reorganized Microsoft 365 endpoints into three categories: Optimize, Allow and Default. The guidelines for each category apply to all endpoints in that category, making optimizations easier to understand and implement.

For more details on Microsoft 365 endpoint categories and optimization methods, see the New Office 365 endpoint categories section.

Microsoft now publishes all Microsoft 365 endpoints as a web service and provides guidance on how best to use this data. For more information on how to fetch and work with Microsoft 365 endpoints, see the article Office 365 URLs and IP address ranges.

Egress network connections locally

Egress network connections locally

Local DNS and Internet egress are of critical importance for reducing connection latency and ensuring that user connections are made to the nearest point of entry to Microsoft 365 services. In a complex network topology, it is important to implement both local DNS and local Internet egress together. For more information about how Microsoft 365 routes client connections to the nearest point of entry, see the article Client Connectivity.

Prior to the advent of cloud services such as Microsoft 365, end user Internet connectivity as a design factor in network architecture was relatively simple. With Internet services and web sites distributed around the globe, latency between corporate egress points and any given destination endpoint is largely a function of geographical distance.

In a traditional network architecture, all outbound Internet connections traverse the corporate network and egress from a central location. As Microsoft's cloud offerings have matured, a distributed Internet-facing network architecture has become critical for supporting latency-sensitive cloud services. The Microsoft Global Network was designed to accommodate latency requirements with the Distributed Service Front Door infrastructure, a dynamic fabric of global entry points that routes incoming cloud service connections to the closest entry point. This is intended to reduce the length of the "last mile" for Microsoft cloud customers by effectively shortening the route between the customer and the cloud.

Enterprise WANs are often designed to backhaul network traffic to a central company head office for inspection before egress to the Internet, usually through one or more proxy servers. The diagram below illustrates such a network topology.

Traditional enterprise network model

Because Microsoft 365 runs on the Microsoft Global Network, which includes front end servers around the world, there will often be a front end server close to the user's location. By providing local Internet egress and by configuring internal DNS servers to provide local name resolution for Microsoft 365 endpoints, network traffic destined for Microsoft 365 can connect to Microsoft 365 front end servers as close as possible to the user. The diagram below shows an example of a network topology that allows users connecting from main office, branch office and remote locations to follow the shortest route to the closest Microsoft 365 entry point.

WAN network model with regional egress points

Shortening the network path to Microsoft 365 entry points in this way can improve connectivity performance and the end user experience in Microsoft 365, and can also help to reduce the impact of future changes to the network architecture on Microsoft 365 performance and reliability.

Also, DNS requests can introduce latency if the responding DNS server is distant or busy. You can minimize name resolution latency by provisioning local DNS servers in branch locations and making sure they are configured to cache DNS records appropriately.

While regional egress can work well for Microsoft 365, the optimum connectivity model would be to always provide network egress at the user's location, regardless of whether this is on the corporate network or at remote locations such as homes, hotels, coffee shops and airports. This local direct egress model is represented in the diagram below.

Local egress network architecture

Enterprises that have adopted Microsoft 365 can take advantage of the Microsoft Global Network's Distributed Service Front Door architecture by ensuring that user connections to Microsoft 365 take the shortest possible route to the nearest Microsoft Global Network entry point. The local egress network architecture does this by allowing Microsoft 365 traffic to be routed over the nearest egress, regardless of user location.

The local egress architecture has the following benefits over the traditional model:

  • Provides optimal Microsoft 365 performance by optimizing route length. End user connections are dynamically routed to the nearest Microsoft 365 entry point by the Distributed Service Front Door infrastructure.
  • Reduces the load on corporate network infrastructure by allowing local egress.
  • Secures connections on both ends by leveraging client endpoint security and cloud security features.

Avoid network hairpins

Avoid hairpins

As a general rule of thumb, the shortest, most direct route between the user and the closest Microsoft 365 endpoint will offer the best performance. A network hairpin happens when WAN or VPN traffic bound for a particular destination is first directed to another intermediate location (such as a security stack, a cloud access broker, or a cloud-based web gateway), introducing latency and potential redirection to a geographically distant endpoint. Network hairpins can also be caused by routing/peering inefficiencies or suboptimal (remote) DNS lookups.

To ensure that Microsoft 365 connectivity is not subject to network hairpins even in the local egress case, check whether the ISP that is used to provide Internet egress for the user location has a direct peering relationship with the Microsoft Global Network in close proximity to that location. You may also want to configure egress routing to send trusted Microsoft 365 traffic directly, as opposed to proxying or tunneling through a third-party cloud or cloud-based network security vendor that processes your Internet-bound traffic. Local DNS name resolution of Microsoft 365 endpoints helps to ensure that, in addition to direct routing, the closest Microsoft 365 entry points are being used for user connections.

If you use cloud-based network or security services for your Microsoft 365 traffic, ensure that the hairpinning effect is evaluated and its impact on Microsoft 365 performance is understood. This can be done by examining the number and locations of service provider sites through which the traffic is forwarded in relation to the number of your branch offices and Microsoft Global Network peering points, the quality of the service provider's network peering relationships with your ISP and with Microsoft, and the performance impact of backhauling within the service provider's infrastructure.

Due to the large number of distributed locations with Microsoft 365 entry points and their proximity to end users, routing Microsoft 365 traffic to any third-party network or security provider can have an adverse impact on Microsoft 365 connections if the provider network is not configured for optimal Microsoft 365 peering.

Assess bypassing proxies, traffic inspection devices and duplicate security technologies

Bypass proxies, traffic inspection devices and duplicate security technologies

Enterprise customers should review their network security and risk reduction methods specifically for Microsoft 365 bound traffic and use Microsoft 365 security features to reduce their reliance on intrusive, performance impacting, and expensive network security technologies for Microsoft 365 network traffic.

Most enterprise networks enforce network security for Internet traffic using technologies like proxies, SSL inspection, packet inspection, and data loss prevention systems. These technologies provide important risk mitigation for generic Internet requests but can dramatically reduce performance, scalability and the quality of the end user experience when applied to Microsoft 365 endpoints.

Office 365 Endpoints web service

Microsoft 365 administrators can use a script or REST call to consume a structured list of endpoints from the Office 365 Endpoints web service and update the configurations of perimeter firewalls and other network devices. This will ensure that traffic bound for Microsoft 365 is identified, treated appropriately, and managed differently from network traffic bound for generic and often unknown Internet web sites. For more information on how to use the Office 365 Endpoints web service, see the article Office 365 URLs and IP address ranges.

PAC (Proxy Automatic Configuration) scripts

Microsoft 365 administrators can create PAC (Proxy Automatic Configuration) scripts that can be delivered to user computers via WPAD or GPO. PAC scripts can be used to bypass proxies for Microsoft 365 requests from WAN or VPN users, allowing Microsoft 365 traffic to use direct Internet connections rather than traversing the corporate network.
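The following is an added example, not code from the original article or from Microsoft: it reads a constructed sample in the shape of the Office 365 Endpoints web service's JSON output (documentation IP ranges, arbitrary ids) and generates a PAC file in which Optimize and Allow endpoints go DIRECT while everything else, including Default endpoints, stays on the corporate proxy. The proxy address, the sample entries and the helper names are assumptions.

```python
"""Build a PAC script from Office 365 Endpoints web-service style data.

Optimize and Allow endpoints bypass the proxy (DIRECT); all other traffic,
including Default-category endpoints, keeps using the corporate proxy.
"""
import json
from fnmatch import fnmatchcase

# Constructed sample in the shape of the endpoints web service's JSON output.
# Not live data: the IP ranges are documentation (TEST-NET) prefixes and the
# ids are arbitrary; fetch the real list from the web service in production.
SAMPLE_ENDPOINTS_JSON = """[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "urls": ["outlook.office365.com"], "ips": ["192.0.2.0/24"], "tcpPorts": "80,443"},
  {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": true,
   "urls": ["*.sharepoint.com"], "ips": ["198.51.100.0/24"], "tcpPorts": "80,443"},
  {"id": 3, "serviceArea": "Exchange", "category": "Allow", "required": true,
   "urls": ["*.protection.outlook.com"], "tcpPorts": "443"},
  {"id": 4, "serviceArea": "Common", "category": "Default", "required": false,
   "urls": ["odc.officeapps.live.com"], "tcpPorts": "80,443"}
]"""

BYPASS_CATEGORIES = ("Optimize", "Allow")
ASSUMED_PROXY = "proxy.corp.example:8080"  # placeholder corporate proxy address


def load_endpoints(text):
    """Parse the web service payload (a JSON array of endpoint sets)."""
    return json.loads(text)


def bypass_patterns(endpoints, categories=BYPASS_CATEGORIES):
    """Deduplicated URL patterns, in publication order, that should bypass the proxy."""
    patterns = []
    for entry in endpoints:
        if entry.get("category") in categories:
            for pattern in entry.get("urls", []):
                if pattern not in patterns:
                    patterns.append(pattern)
    return patterns


def classify_host(host, endpoints):
    """Category of the most specific (longest) matching URL pattern, else 'Default'.

    Wildcards in the web service use shell-style globbing ('*.sharepoint.com'),
    which matches PAC's shExpMatch() semantics closely enough for hostnames.
    """
    host = host.lower()
    best = None
    for entry in endpoints:
        for pattern in entry.get("urls", []):
            if fnmatchcase(host, pattern.lower()):
                if best is None or len(pattern) > len(best[0]):
                    best = (pattern, entry.get("category", "Default"))
    return best[1] if best else "Default"


def build_pac(endpoints, proxy=ASSUMED_PROXY):
    """Render a PAC file: one DIRECT rule per bypass pattern, then a proxy fallback."""
    lines = [
        "function FindProxyForURL(url, host) {",
        "    host = host.toLowerCase();",
    ]
    for pattern in bypass_patterns(endpoints):
        if "*" in pattern:
            lines.append(f'    if (shExpMatch(host, "{pattern}")) return "DIRECT";')
        else:
            lines.append(f'    if (host == "{pattern}") return "DIRECT";')
    lines.append(f'    return "PROXY {proxy}";')
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    endpoints = load_endpoints(SAMPLE_ENDPOINTS_JSON)
    print(build_pac(endpoints))
    for name in ("outlook.office365.com", "contoso-my.sharepoint.com",
                 "odc.officeapps.live.com"):
        print(name, "->", classify_host(name, endpoints))
```

Regenerate and redeploy the PAC whenever the web service's published version changes, since Allow endpoints in particular are expected to change more often than Optimize ones.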

Microsoft 365 security features

Microsoft is transparent about datacenter security, operational security and risk reduction around Microsoft 365 servers and the network endpoints that they represent. Microsoft 365 built-in security features are available for reducing network security risk, such as Data Loss Prevention, Anti-Virus, Multi-Factor Authentication, Customer Lockbox, Advanced Threat Protection, Microsoft 365 Threat Intelligence, Microsoft 365 Secure Score, Exchange Online Protection, and Network DDoS Security.

For more information on Microsoft datacenter and Global Network security, see the Microsoft Trust Center.

New Office 365 endpoint categories

Office 365 endpoints represent a varied set of network addresses and subnets. Endpoints may be URLs, IP addresses or IP ranges, and some endpoints are listed with specific TCP/UDP ports. URLs can either be a FQDN like account.office.net, or a wildcard URL like *.office365.com.

Note

The locations of Office 365 endpoints within the network are not directly related to the location of the Microsoft 365 tenant data. For this reason, customers should look at Microsoft 365 as a distributed and global service and should not attempt to block network connections to Office 365 endpoints based on geographical criteria.

In our previous guidance for managing Microsoft 365 traffic, endpoints were organized into two categories, Required and Optional. Endpoints within each category required different optimizations depending on the criticality of the service, and many customers faced challenges in justifying the application of the same network optimizations to the full list of Office 365 URLs and IP addresses.

In the new model, endpoints are segregated into three categories, Optimize, Allow and Default, providing a priority-based pivot on where to focus network optimization efforts to realize the best performance improvements and return on investment. The endpoints are consolidated into these categories based on the sensitivity of the effective user experience to network quality, the volume and performance envelope of the scenarios, and ease of implementation. Recommended optimizations can be applied the same way to all endpoints in a given category.

  • Optimize endpoints are required for connectivity to every Office 365 service and represent over 75% of Office 365 bandwidth, connections and volume of data. These endpoints represent the Office 365 scenarios that are the most sensitive to network performance, latency and availability. All endpoints are hosted in Microsoft datacenters. The rate of change to the endpoints in this category is expected to be much lower than for the endpoints in the other two categories. This category includes a very small (on the order of ~10) set of key URLs and a defined set of IP subnets dedicated to core Office 365 workloads such as Exchange Online, SharePoint Online, Skype for Business Online and Microsoft Teams.

    A condensed list of well-defined critical endpoints should help you to plan and implement high-value network optimizations for these destinations faster and more easily.

    Examples of Optimize endpoints include https://outlook.office365.com, https://<tenant>.sharepoint.com and https://<tenant>-my.sharepoint.com.

    Optimization methods include:

    • Bypass or whitelist Optimize endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection and content filtering.
    • Bypass on-premises proxy devices and cloud-based proxy services commonly used for generic Internet browsing.
    • Prioritize the evaluation of these endpoints as fully trusted by your network infrastructure and perimeter systems.
    • Prioritize reduction or elimination of WAN backhauling, and facilitate direct distributed Internet-based egress for these endpoints as close to users/branch locations as possible.
    • Facilitate direct connectivity to these cloud endpoints for VPN users by implementing split tunneling.
    • Ensure that IP addresses returned by DNS name resolution match the routing egress path for these endpoints.
    • Prioritize these endpoints for SD-WAN integration for direct, minimal-latency routing into the nearest Internet peering point of the Microsoft Global Network.
  • Allow endpoints are required for connectivity to specific Office 365 services and features, but are not as sensitive to network performance and latency as those in the Optimize category. The overall network footprint of these endpoints from the standpoint of bandwidth and connection count is also significantly smaller. These endpoints are dedicated to Office 365 and are hosted in Microsoft datacenters. They represent a broad set of Office 365 micro-services and their dependencies (on the order of ~100 URLs) and are expected to change at a higher rate than those in the Optimize category. Not all endpoints in this category are associated with defined dedicated IP subnets.

    Network optimizations for Allow endpoints can improve the Office 365 user experience, but some customers may choose to scope those optimizations more narrowly to minimize changes to their network.

    Examples of Allow endpoints include https://*.protection.outlook.com and https://accounts.accesscontrol.windows.net.

    Optimization methods include:

    • Bypass or whitelist Allow endpoints on network devices and services that perform traffic interception, SSL decryption, deep packet inspection and content filtering.
    • Prioritize the evaluation of these endpoints as fully trusted by your network infrastructure and perimeter systems.
    • Prioritize reduction or elimination of WAN backhauling, and facilitate direct distributed Internet-based egress for these endpoints as close to users/branch locations as possible.
    • Ensure that IP addresses returned by DNS name resolution match the routing egress path for these endpoints.
    • Prioritize these endpoints for SD-WAN integration for direct, minimal-latency routing into the nearest Internet peering point of the Microsoft Global Network.
  • Default endpoints represent Office 365 services and dependencies that do not require any optimization, and can be treated by customer networks as normal Internet-bound traffic. Note that some endpoints in this category may not be hosted in Microsoft datacenters. Examples include https://odc.officeapps.live.com and https://appexsin.stb.s-msn.com.
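An added example (not from the original article) for the "IP addresses returned by DNS name resolution must match the egress path" item in the Optimize and Allow lists above: it checks the addresses a resolver returns for an endpoint against the subnets published for that endpoint's category, so an answer outside the published ranges (a resolver handing out an intermediary's address, or a stale cache) is flagged for investigation. The per-category prefix lists are constructed TEST-NET samples, not Microsoft's ranges, and the function names are assumptions.

```python
"""Verify that DNS answers for Office 365 endpoints fall inside published subnets."""
import ipaddress
import socket

# Constructed sample: subnets per category, in the form the endpoints web service
# publishes in each entry's "ips" list. Documentation (TEST-NET) prefixes, not Microsoft's.
PUBLISHED_RANGES = {
    "Optimize": ["192.0.2.0/24", "2001:db8:1::/48"],
    "Allow": ["198.51.100.0/25"],
}


def build_index(published=PUBLISHED_RANGES):
    """Parse the per-category prefix lists once into ip_network objects."""
    return {category: [ipaddress.ip_network(prefix) for prefix in prefixes]
            for category, prefixes in published.items()}


def categorize_address(addr, index):
    """Category whose published subnets contain addr, or 'Default' if none do."""
    ip = ipaddress.ip_address(addr)
    for category, networks in index.items():
        if any(ip.version == net.version and ip in net for net in networks):
            return category
    return "Default"


def check_answers(fqdn, expected_category, answers, index):
    """Return (fqdn, address, actual_category) for each answer outside the expected subnets.

    An empty list means every resolved address is inside the ranges published for
    that category; anything else deserves a look at the resolver or the egress path.
    """
    return [(fqdn, addr, categorize_address(addr, index))
            for addr in answers
            if categorize_address(addr, index) != expected_category]


def check_live(fqdn, expected_category, index):
    """Resolve fqdn with the local resolver and run check_answers on the result."""
    answers = sorted({info[4][0] for info in socket.getaddrinfo(fqdn, 443)})
    return check_answers(fqdn, expected_category, answers, index)


if __name__ == "__main__":
    idx = build_index()
    # Constructed answers: one inside the Optimize ranges, one that is not.
    for finding in check_answers("outlook.office365.com", "Optimize",
                                 ["192.0.2.10", "203.0.113.5"], idx):
        print("resolver returned an address outside the published ranges:", finding)
```

Run check_live from a branch location with the real published ranges loaded into build_index; a mismatch there is the signal that the branch resolver or egress is not pointing at the nearest Microsoft front door.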

For more information about Office 365 network optimization techniques, see the article Managing Office 365 endpoints.

Comparing network perimeter security with endpoint security

The goal of traditional network security is to harden the corporate network perimeter against intrusion and malicious exploits. As organizations adopt Microsoft 365, some network services and data are partly or completely migrated to the cloud. As with any fundamental change to network architecture, this process requires a reevaluation of network security that takes emerging factors into account:

  • As cloud services are adopted, network services and data are distributed between on-premises datacenters and the cloud, and perimeter security is no longer adequate on its own.
  • Remote users connect to corporate resources both in on-premises datacenters and in the cloud from uncontrolled locations such as homes, hotels and coffee shops.
  • Purpose-built security features are increasingly built into cloud services and can potentially supplement or replace existing security systems.

Microsoft offers a wide range of Microsoft 365 security features and provides prescriptive guidance for employing security best practices that can help you to ensure data and network security for Microsoft 365. Recommended best practices include the following:

  • Use multi-factor authentication (MFA). MFA adds an additional layer of protection to a strong password strategy by requiring users to acknowledge a phone call, text message, or an app notification on their smart phone after correctly entering their password.

  • Use Microsoft Cloud App Security. Set up policies to track anomalous activity and act on it. Set up alerts with Microsoft Cloud App Security so that admins can review unusual or risky user activity, such as downloading large amounts of data, multiple failed sign-in attempts, or connections from unknown or dangerous IP addresses.

  • Configure Data Loss Prevention (DLP). DLP allows you to identify sensitive data and create policies that help prevent your users from accidentally or intentionally sharing the data. DLP works across Microsoft 365, including Exchange Online, SharePoint Online, and OneDrive, so that your users can stay compliant without interrupting their workflow.

  • Use Customer Lockbox. As a Microsoft 365 admin, you can use Customer Lockbox to control how a Microsoft support engineer accesses your data during a help session. In cases where the engineer requires access to your data to troubleshoot and fix an issue, Customer Lockbox allows you to approve or reject the access request.

  • Use Office 365 Secure Score. Secure Score is a security analytics tool that recommends what you can do to further reduce risk. Secure Score looks at your Microsoft 365 settings and activities and compares them to a baseline established by Microsoft. You'll get a score based on how aligned you are with security best practices.

A holistic approach to enhanced security should include consideration of the following:

  • Shift emphasis from perimeter security towards endpoint security by applying cloud-based and Office client security features.
    • Shrink the security perimeter to the datacenter
    • Enable equivalent trust for user devices inside the office or at remote locations
    • Focus on securing the data location and the user location
    • Managed user machines have higher trust with endpoint security
  • Manage all information security holistically, not focusing solely on the perimeter
    • Redefine WAN and building perimeter network security by allowing trusted traffic to bypass security devices and separating unmanaged devices onto guest Wi-Fi networks.
    • Reduces network security requirements at the corporate WAN edge
    • Some network perimeter security devices, such as firewalls, are still required, but their load is decreased
    • Ensures local egress for Microsoft 365 traffic
  • Improvements can be addressed incrementally as described in the Incremental optimization section. Some optimization techniques may offer better cost/benefit ratios depending on your network architecture, and you should choose the optimizations that make the most sense for your organization.

For more information on Microsoft 365 security and compliance, see the article Overview of security and compliance in Office 365.

Incremental optimization

We have described the ideal network connectivity model for SaaS earlier in this article, but for many large organizations with historically complex network architectures, it will not be practical to make all of these changes directly. In this section, we discuss a number of incremental changes that can help to improve Microsoft 365 performance and reliability.

The methods you will use to optimize Microsoft 365 traffic will vary depending on your network topology and the network devices you have implemented. Large enterprises with many locations and complex network security practices will need to develop a strategy that includes most or all of the principles listed in the Microsoft 365 connectivity principles section, while smaller organizations might only need to consider one or two.

You can approach optimization as an incremental process, applying each method successively. The following table lists key optimization methods in order of their impact on latency and reliability for the largest number of users.

Optimization method: Local DNS resolution and Internet egress
  Description: Provision local DNS servers in each location and ensure that Microsoft 365 connections egress to the Internet as close as possible to the user's location.
  Impact:
    • Minimize latency
    • Improve reliable connectivity to the closest Microsoft 365 entry point

Optimization method: Add regional egress points
  Description: If your corporate network has multiple locations but only one egress point, add regional egress points to enable users to connect to the closest Microsoft 365 entry point.
  Impact:
    • Minimize latency
    • Improve reliable connectivity to the closest Microsoft 365 entry point

Optimization method: Bypass proxies and inspection devices
  Description: Configure browsers with PAC files that send Microsoft 365 requests directly to egress points. Configure edge routers and firewalls to permit Microsoft 365 traffic without inspection.
  Impact:
    • Minimize latency
    • Reduce load on network devices

Optimization method: Enable direct connection for VPN users
  Description: For VPN users, enable Microsoft 365 connections to connect directly from the user's network rather than over the VPN tunnel by implementing split tunneling.
  Impact:
    • Minimize latency
    • Improve reliable connectivity to the closest Microsoft 365 entry point

Optimization method: Migrate from traditional WAN to SD-WAN
  Description: SD-WANs (Software Defined Wide Area Networks) simplify WAN management and improve performance by replacing traditional WAN routers with virtual appliances, similar to the virtualization of compute resources using virtual machines (VMs).
  Impact:
    • Improve performance and manageability of WAN traffic
    • Reduce load on network devices
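As an added example for the "Bypass proxies and inspection devices" method (this is not Microsoft's PAC file or a file from this article), the script below is a minimal PAC file that returns DIRECT only for Microsoft 365 hostnames and sends everything else through the corporate proxy. The proxy address proxy.corp.example:8080 and the small host list are assumptions; a real deployment would generate the list from the Office 365 IP Address and URL Web service and keep it current.

```javascript
// Added example, not Microsoft's PAC file: bypass the corporate proxy only
// for Microsoft 365 endpoints; everything else still goes through the proxy.
// The host list is a constructed, illustrative subset; in production it
// should be generated from the Office 365 IP Address and URL Web service.
var M365_DIRECT_HOSTS = [
  "outlook.office.com",
  "outlook.office365.com",
  "*.sharepoint.com",
  "teams.microsoft.com",
  "*.teams.microsoft.com"
];

// Placeholder proxy address (assumption). Deliberately no "; DIRECT" fallback:
// if the proxy is down, non-M365 traffic fails closed instead of leaking out.
var CORP_PROXY = "PROXY proxy.corp.example:8080";

// Browsers provide shExpMatch() to PAC scripts. This fallback exists only so
// the logic can be run outside a browser (e.g. in a unit test); it converts a
// shell-style pattern ("*" and "?") into an anchored regular expression.
if (typeof shExpMatch === "undefined") {
  globalThis.shExpMatch = function (str, shexp) {
    var re = "^" + shexp
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}

// True when the (lowercased) host matches one of the allow-listed patterns.
// Matching is on the whole hostname, so "evil-sharepoint.com" does not match
// "*.sharepoint.com" (the pattern requires a literal dot before "sharepoint").
function isM365Host(host) {
  var h = host.toLowerCase();
  for (var i = 0; i < M365_DIRECT_HOSTS.length; i++) {
    if (shExpMatch(h, M365_DIRECT_HOSTS[i])) {
      return true;
    }
  }
  return false;
}

// Standard PAC entry point. Only the host is consulted, so a Microsoft 365
// hostname embedded in the path or query of some other URL cannot trigger a
// bypass.
function FindProxyForURL(url, host) {
  return isM365Host(host) ? "DIRECT" : CORP_PROXY;
}
```

The edge routers and firewalls on the bypass path still need a matching allow rule for these destinations, otherwise the DIRECT connections will be blocked rather than sped up.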

Microsoft 365 Network Connectivity Overview

Managing Office 365 endpoints

Office 365 URLs and IP address ranges

Office 365 IP Address and URL Web service

Assessing Microsoft 365 network connectivity

Network planning and performance tuning for Microsoft 365

Office 365 performance tuning using baselines and performance history

Performance troubleshooting plan for Office 365

Content Delivery Networks

Microsoft 365 connectivity test

How Microsoft builds its fast and reliable global network

Office 365 Networking blog