Step 1: Configure the DirectAccess Infrastructure

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes how to configure the infrastructure required for enabling DirectAccess in an existing VPN deployment. Before beginning the deployment steps, ensure that you have completed the planning steps described in Step 1: Plan DirectAccess Infrastructure.

| Task | Description |
|------|-------------|
| Configure server network settings | Configure the server network settings on the Remote Access server. |
| Configure routing in the corporate network | Configure routing in the corporate network to make sure traffic is appropriately routed. |
| Configure firewalls | Configure additional firewalls, if required. |
| Configure CAs and certificates | The Enable DirectAccess Wizard configures a built-in Kerberos proxy that authenticates using user names and passwords. It also configures an IP-HTTPS certificate on the Remote Access server. |
| Configure the DNS server | Configure DNS settings for the Remote Access server. |
| Configure Active Directory | Join client computers to the Active Directory domain. |
| Configure GPOs | Configure GPOs for the deployment, if required. |
| Configure security groups | Configure security groups that will contain DirectAccess client computers, and any other security groups required in the deployment. |
| Configure the network location server | The Enable DirectAccess Wizard configures the network location server on the DirectAccess server. |

Configure server network settings

The following network interface settings are required for a single server deployment in an environment with IPv4 and IPv6. All IP addresses are configured by using Change adapter settings in the Windows Network and Sharing Center.

  • Edge topology

    • One Internet-facing public static IPv4 or IPv6 address.

    • A single internal static IPv4 or IPv6 address.

  • Behind NAT device (two network adapters)

    • A single internal network-facing static IPv4 or IPv6 address.

  • Behind NAT device (one network adapter)

    • A single static IPv4 or IPv6 address.

Note

In the event that the Remote Access server has two network adapters (one classified in the domain profile and the other in a public/private profile), but a single NIC topology will be used, then the recommendation is as follows:

  1. Ensure that the 2nd NIC is also classified in the domain profile (recommended).

  2. If the 2nd NIC cannot be configured for the domain profile for any reason, then the DirectAccess IPsec policy must be manually scoped to all profiles using the following Windows PowerShell commands:

    # Open an editing session on the server GPO that carries the DirectAccess IPsec rules
    $gposession = Open-NetGPO -PolicyStore <Name of the server GPO>
    # Apply the IPsec rule to every firewall profile (domain, private, public) instead of the domain profile only
    Set-NetIPsecRule -DisplayName <Name of the IPsec policy> -GPOSession $gposession -Profile Any
    # Commit the change back to the GPO
    Save-NetGPO -GPOSession $gposession


Configure routing in the corporate network

Configure routing in the corporate network as follows:

  • When native IPv6 is deployed in the organization, add a route so that the routers on the internal network route IPv6 traffic back through the Remote Access server.

  • Manually configure organization IPv4 and IPv6 routes on the Remote Access servers. Add a published route so that all traffic with an organization (/48) IPv6 prefix is forwarded to the internal network. In addition, for IPv4 traffic, add explicit routes so that IPv4 traffic is forwarded to the internal network.
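The following Windows PowerShell example is added here and is not part of the original article; it adds the published organization /48 route and explicit IPv4 routes on the Remote Access server and then lists them for verification. The interface alias, prefixes and next-hop addresses are constructed assumptions.

```powershell
# Added example (not from the original article): publish the organization's IPv6
# prefix and add explicit IPv4 routes on the Remote Access server.
# Interface alias, prefixes and next hops below are assumptions for illustration.
$internalIf  = 'Internal'           # alias of the internal-facing adapter
$orgIPv6     = '2001:db8:1::/48'    # organization IPv6 prefix (documentation prefix, constructed)
$ipv6NextHop = '2001:db8:1:1::1'    # internal IPv6 router (constructed)
$ipv4Routes  = @(
    @{ Prefix = '10.0.0.0/8';     NextHop = '10.1.0.1' },   # constructed internal ranges
    @{ Prefix = '192.168.0.0/16'; NextHop = '10.1.0.1' }
)

# Published route (-Publish Yes): the /48 prefix is advertised to the IPv6 subnets
# the server serves, so all traffic for the organization prefix goes to the internal network.
if (-not (Get-NetRoute -DestinationPrefix $orgIPv6 -InterfaceAlias $internalIf -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $orgIPv6 -InterfaceAlias $internalIf `
                 -NextHop $ipv6NextHop -Publish Yes | Out-Null
}

# Explicit IPv4 routes towards the internal network, added only if missing
foreach ($r in $ipv4Routes) {
    if (-not (Get-NetRoute -DestinationPrefix $r.Prefix -InterfaceAlias $internalIf -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $r.Prefix -InterfaceAlias $internalIf -NextHop $r.NextHop | Out-Null
    }
}

# Verify: every organization route must leave through the internal adapter,
# never through the Internet-facing one.
$wanted = @($ipv4Routes | ForEach-Object { $_.Prefix }) + $orgIPv6
Get-NetRoute -InterfaceAlias $internalIf |
    Where-Object { $wanted -contains $_.DestinationPrefix } |
    Format-Table DestinationPrefix, NextHop, Publish, RouteMetric -AutoSize
```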

Configure firewalls

When using additional firewalls in your deployment, apply the following Internet-facing firewall exceptions for Remote Access traffic when the Remote Access server is on the IPv4 Internet:

  • 6to4 traffic: IP Protocol 41 inbound and outbound.

  • IP-HTTPS: Transmission Control Protocol (TCP) destination port 443, and TCP source port 443 outbound. When the Remote Access server has a single network adapter, and the network location server is on the Remote Access server, then TCP port 62000 is also required.

When using additional firewalls, apply the following Internet-facing firewall exceptions for Remote Access traffic when the Remote Access server is on the IPv6 Internet:

  • IP Protocol 50

  • UDP destination port 500 inbound, and UDP source port 500 outbound.

When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:

  • ISATAP: Protocol 41 inbound and outbound

  • TCP/UDP for all IPv4/IPv6 traffic
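The Internet-facing exceptions above are meant for whatever firewall sits in front of the server. As an added example that is not part of the original article, the same exceptions are expressed below as Windows Defender Firewall rules scoped to the external adapter, which is also a convenient way to audit what a Windows-based edge host allows. The interface alias and the single-NIC flag are assumptions; the internal-network exceptions are not included.

```powershell
# Added example (not from the original article): the Internet-facing DirectAccess
# exceptions as Windows Defender Firewall rules on the external adapter.
# Interface alias and the single-NIC/NLS flag are assumptions for illustration.
$externalIf       = 'External'
$singleNicWithNls = $false   # $true when one adapter and the NLS runs on the RA server

# LocalPort on an outbound rule is the source port, which is how "TCP source port 443
# outbound" and "UDP source port 500 outbound" are expressed here.
$rules = @(
    # IPv4 Internet: 6to4, IP protocol 41, both directions
    @{ Name = 'DA 6to4 In';      Direction = 'Inbound';  Protocol = '41' },
    @{ Name = 'DA 6to4 Out';     Direction = 'Outbound'; Protocol = '41' },
    # IPv4 Internet: IP-HTTPS, TCP destination port 443 in, source port 443 out
    @{ Name = 'DA IP-HTTPS In';  Direction = 'Inbound';  Protocol = 'TCP'; LocalPort = 443 },
    @{ Name = 'DA IP-HTTPS Out'; Direction = 'Outbound'; Protocol = 'TCP'; LocalPort = 443 },
    # IPv6 Internet: ESP (IP protocol 50) and IKE on UDP 500
    @{ Name = 'DA ESP In';       Direction = 'Inbound';  Protocol = '50' },
    @{ Name = 'DA ESP Out';      Direction = 'Outbound'; Protocol = '50' },
    @{ Name = 'DA IKE In';       Direction = 'Inbound';  Protocol = 'UDP'; LocalPort = 500 },
    @{ Name = 'DA IKE Out';      Direction = 'Outbound'; Protocol = 'UDP'; LocalPort = 500 }
)
if ($singleNicWithNls) {
    # Single adapter with the network location server on the RA server: TCP 62000 as well
    $rules += @{ Name = 'DA NLS 62000 In'; Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = 62000 }
}

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $params = @{
        DisplayName    = $r.Name
        Direction      = $r.Direction
        Protocol       = $r.Protocol
        InterfaceAlias = $externalIf
        Profile        = 'Any'
        Action         = 'Allow'
    }
    if ($r.ContainsKey('LocalPort')) { $params.LocalPort = $r.LocalPort }
    New-NetFirewallRule @params | Out-Null
}

# Audit: list the DirectAccess rules with the protocol and port each one opens
Get-NetFirewallRule -DisplayName 'DA *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Direction = $_.Direction
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort
        Enabled   = $_.Enabled
    }
} | Format-Table -AutoSize
```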

Configure CAs and certificates

The Enable DirectAccess Wizard configures a built-in Kerberos proxy that authenticates using user names and passwords. It also configures an IP-HTTPS certificate on the Remote Access server.

Configure certificate templates

When you use an internal CA to issue certificates, you must configure a certificate template for the IP-HTTPS certificate and the network location server website certificate.

To configure a certificate template
  1. On the internal CA, create a certificate template as described in Creating Certificate Templates.

  2. Deploy the certificate template as described in Deploying Certificate Templates.

Configure the IP-HTTPS certificate

Remote Access requires an IP-HTTPS certificate to authenticate IP-HTTPS connections to the Remote Access server. There are three certificate options for the IP-HTTPS certificate:

  • Public: Supplied by a 3rd party.

    A certificate used for IP-HTTPS authentication. In the case that the certificate subject name is not a wildcard, then it must be the externally resolvable FQDN URL used only for the Remote Access server IP-HTTPS connections.

  • Private: The following are required, if they do not already exist:

    • A website certificate used for IP-HTTPS authentication. The certificate subject should be an externally resolvable fully qualified domain name (FQDN) reachable from the Internet.

    • A certificate revocation list (CRL) distribution point that is reachable from a publicly resolvable FQDN.

  • Self-signed: The following are required, if they do not already exist:

    Note

    Self-signed certificates cannot be used in multisite deployments.

    • A website certificate used for IP-HTTPS authentication. The certificate subject should be an externally resolvable FQDN reachable from the Internet.

    • A CRL distribution point that is reachable from a publicly resolvable fully qualified domain name (FQDN).

Make sure that the website certificate used for IP-HTTPS authentication meets the following requirements:

  • The common name of the certificate should match the name of the IP-HTTPS site.

  • In the subject field, specify either the IPv4 address of the external-facing adapter of the Remote Access server, or the FQDN of the IP-HTTPS URL.

  • For the Enhanced Key Usage field, use the Server Authentication object identifier (OID).

  • For the CRL Distribution Points field, specify a CRL distribution point that is accessible by DirectAccess clients that are connected to the Internet.

  • The IP-HTTPS certificate must have a private key.

  • The IP-HTTPS certificate must be imported directly into the personal store.

  • IP-HTTPS certificates can have wildcards in the name.

To install the IP-HTTPS certificate from an internal CA
  1. On the Remote Access server: On the Start screen, type mmc.exe, and then press ENTER.

  2. In the MMC console, on the File menu, click Add/Remove Snap-in.

  3. On the Add or Remove Snap-ins dialog box, click Certificates, click Add, click Computer account, click Next, click Local computer, click Finish, and then click OK.

  4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

  5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

  6. Click Next twice.

  7. On the Request Certificates page, select the check box for the certificate template, and if required, click More information is required to enroll for this certificate.

  8. On the Certificate Properties dialog box, on the Subject tab, in the Subject name area, in Type, select Common Name.

  9. In Value, specify either the IPv4 address of the external-facing adapter of the Remote Access server, or the FQDN of the IP-HTTPS URL, and then click Add.

  10. In the Alternative name area, in Type, select DNS.

  11. In Value, specify either the IPv4 address of the external-facing adapter of the Remote Access server, or the FQDN of the IP-HTTPS URL, and then click Add.

  12. On the General tab, in Friendly name, you can enter a name that will help you identify the certificate.

  13. On the Extensions tab, next to Extended Key Usage, click the arrow, and make sure that Server Authentication is in the Selected options list.

  14. Click OK, click Enroll, and then click Finish.

  15. In the details pane of the Certificates snap-in, verify that the new certificate was enrolled with Intended Purposes of Server Authentication.

Configure the DNS server

You must manually configure a DNS entry for the network location server website for the internal network in your deployment.

To create the network location server and web probe DNS records

  1. On the internal network DNS server: On the Start screen, type dnsmgmt.msc, and then press ENTER.

  2. In the left pane of the DNS Manager console, expand the forward lookup zone for your domain. Right-click the domain and click New Host (A or AAAA).

  3. On the New Host dialog box, in the Name (uses parent domain name if blank) box, enter the DNS name for the network location server website (this is the name the DirectAccess clients use to connect to the network location server). In the IP address box, enter the IPv4 address of the network location server, and then click Add Host. On the DNS dialog box, click OK.

  4. On the New Host dialog box, in the Name (uses parent domain name if blank) box, enter the DNS name for the web probe (the name for the default web probe is directaccess-webprobehost). In the IP address box, enter the IPv4 address of the web probe, and then click Add Host. Repeat this process for directaccess-corpconnectivityhost and any manually created connectivity verifiers. On the DNS dialog box, click OK.

  5. Click Done.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

# A record for the network location server (IPv4)
Add-DnsServerResourceRecordA -Name <network_location_server_name> -ZoneName <DNS_zone_name> -IPv4Address <network_location_server_IPv4_address>
# AAAA record for the network location server (IPv6)
Add-DnsServerResourceRecordAAAA -Name <network_location_server_name> -ZoneName <DNS_zone_name> -IPv6Address <network_location_server_IPv6_address>

You must also configure DNS entries for the following:

  • The IP-HTTPS server: DirectAccess clients must be able to resolve the DNS name of the Remote Access server from the Internet.

  • CRL revocation checking: DirectAccess uses certificate revocation checking for the IP-HTTPS connection between DirectAccess clients and the Remote Access server, and for the HTTPS-based connection between the DirectAccess client and the network location server. In both cases, DirectAccess clients must be able to resolve and access the CRL distribution point location.
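The following Windows PowerShell example is added here and is not part of the original article. It creates the network location server, web probe and corp connectivity host records from the procedure above on the internal DNS server, skipping any that already exist, and then resolves each name to confirm it points at the expected address. The zone name, host names and addresses are constructed assumptions.

```powershell
# Added example (not from the original article): create the NLS and connectivity-probe
# A records on the internal DNS server and verify them. Zone, names and addresses are
# constructed assumptions; run on the DNS server or with the DnsServer module installed.
$zone    = 'corp.contoso.com'
$records = @(
    @{ Name = 'nls';                               IPv4 = '10.1.0.20' },  # NLS website name clients connect to
    @{ Name = 'directaccess-webprobehost';         IPv4 = '10.1.0.21' },  # default web probe
    @{ Name = 'directaccess-corpconnectivityhost'; IPv4 = '10.1.0.21' }   # default corp connectivity host
)

foreach ($r in $records) {
    # Do not overwrite a record that is already present; report it instead
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $r.Name -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        "$($r.Name).$zone already exists -> $($existing.RecordData.IPv4Address)"
        continue
    }
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $r.Name -IPv4Address $r.IPv4
    "$($r.Name).$zone created -> $($r.IPv4)"
}

# Verify from the internal network: each name must resolve to the address configured above.
# A DirectAccess client that resolves the NLS name decides it is inside the corporate network,
# so a stale or wrong record here changes client behaviour.
foreach ($r in $records) {
    $fqdn = "$($r.Name).$zone"
    $ans  = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
    if ($ans -and ($ans.IPAddress -contains $r.IPv4)) { "OK       $fqdn -> $($r.IPv4)" }
    else                                              { "PROBLEM  $fqdn did not resolve to $($r.IPv4)" }
}
```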

Configure Active Directory

The Remote Access server and all DirectAccess client computers must be joined to an Active Directory domain. DirectAccess client computers must be a member of one of the following domain types:

  • Domains that belong to the same forest as the Remote Access server.

  • Domains that belong to forests with a two-way trust with the Remote Access server forest.

  • Domains that have a two-way domain trust to the Remote Access server domain.

To join client computers to the domain

  1. On the Start screen, type explorer.exe, and then press ENTER.

  2. Right-click the Computer icon, and then click Properties.

  3. On the System page, click Advanced system settings.

  4. On the System Properties dialog box, on the Computer Name tab, click Change.

  5. In Computer name, type the name of the computer if you are also changing the computer name when joining the server to the domain. Under Member of, click Domain, type the name of the domain to which you want to join the server (for example, corp.contoso.com), and then click OK.

  6. When you are prompted for a user name and password, enter the user name and password of a user with rights to join computers to the domain, and then click OK.

  7. When you see a dialog box welcoming you to the domain, click OK.

  8. When you are prompted that you must restart the computer, click OK.

  9. On the System Properties dialog box, click Close. Click Restart Now when prompted.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Note that you must supply domain credentials after entering the Add-Computer command below.

# Join the computer to the domain; you are prompted for domain credentials
Add-Computer -DomainName <domain_name>
# The domain join takes effect only after a restart
Restart-Computer

Configure GPOs

To deploy Remote Access, you require a minimum of two Group Policy Objects: one Group Policy Object contains settings for the Remote Access server and one contains settings for DirectAccess client computers. When you configure Remote Access, the wizard automatically creates the required Group Policy Objects. However, if your organization enforces a naming convention, or you do not have the required permissions to create or edit Group Policy Objects, they must be created prior to configuring Remote Access.

To create Group Policy Objects, see Create and Edit a Group Policy Object.

Important

The administrator can manually link the DirectAccess Group Policy Objects to an Organizational Unit using these steps:

  1. Before configuring DirectAccess, link the created GPOs to the respective Organizational Units.
  2. Configure DirectAccess, specifying a security group for the client computers.
  3. The Remote Access administrator may or may not have permissions to link the Group Policy Objects to the domain. In either case, the Group Policy Objects will be configured automatically. If the GPOs are already linked to an OU, the links will not be removed, and the GPOs will not be linked to the domain. For a server GPO, the OU must contain the server computer object, or the GPO will be linked to the root of the domain.
  4. If the linking to the OU has not been done before running the DirectAccess wizard, then after the configuration is complete, the domain administrator can link the DirectAccess Group Policy Objects to the required Organizational Units. The link to the domain can be removed. Steps for linking a Group Policy Object to an Organizational Unit can be found here.

Note

If a Group Policy Object was created manually, it is possible during the DirectAccess configuration that the Group Policy Object will not be available. The Group Policy Object may not have been replicated to the Domain Controller closest to the management computer. In this event, the administrator can wait for replication to complete, or force the replication.
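The following Windows PowerShell example is added here and is not part of the original article. It pre-creates the server and client Group Policy Objects under an organization's own names, links each to its Organizational Unit before the DirectAccess wizard runs, and checks that the server OU actually contains the Remote Access server's computer object, since otherwise the wizard links the server GPO at the domain root. GPO names, OU paths and the server name are constructed assumptions.

```powershell
# Added example (not from the original article): pre-create and link the two DirectAccess
# GPOs and confirm the server OU holds the server computer object.
# GPO names, OU distinguished names and the server name are assumptions for illustration.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$serverGpo = 'DirectAccess Server Settings'
$clientGpo = 'DirectAccess Client Settings'
$serverOu  = 'OU=RemoteAccessServers,DC=corp,DC=contoso,DC=com'
$clientOu  = 'OU=DirectAccessClients,DC=corp,DC=contoso,DC=com'
$raServer  = 'RA1'   # Remote Access server computer name (constructed)

foreach ($pair in @(@($serverGpo, $serverOu), @($clientGpo, $clientOu))) {
    $name, $ou = $pair
    # Create the GPO only if it does not exist, so an established naming convention is kept
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $name }
    # An existing OU link is left in place by the DirectAccess wizard, which then does not
    # add a link at the domain root; link here only if no link is present yet.
    $linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) {
        New-GPLink -Name $name -Target $ou -LinkEnabled Yes | Out-Null
        "linked '$name' to $ou"
    } else {
        "'$name' is already linked to $ou"
    }
}

# The server GPO is honoured at its OU link only when that OU contains the server's
# computer object; otherwise the wizard links the GPO to the root of the domain.
$computer = Get-ADComputer -Identity $raServer
if ($computer.DistinguishedName -like "*,$serverOu") {
    "$raServer is in $serverOu; the server GPO link will apply"
} else {
    "WARNING: $raServer is in $($computer.DistinguishedName), not in $serverOu"
}
```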

Configure security groups

The DirectAccess settings contained in the client computer Group Policy Object are applied only to computers that are members of the security groups that you specify when configuring Remote Access. In addition, if you are using security groups to manage your application servers, create a security group for these servers.

To create a security group for DirectAccess clients

  1. On the Start screen, type dsa.msc, and then press ENTER. In the Active Directory Users and Computers console, in the left pane, expand the domain that will contain the security group, right-click Users, point to New, and then click Group.

  2. On the New Object - Group dialog box, under Group name, enter the name for the security group.

  3. Under Group scope, click Global, under Group type, click Security, and then click OK.

  4. Double-click the DirectAccess client computers security group, and on the properties dialog box, click the Members tab.

  5. On the Members tab, click Add.

  6. On the Select Users, Contacts, Computers, or Service Accounts dialog box, select the client computers that you want to enable for DirectAccess, and then click OK.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

# Create the global security group for DirectAccess client computers
New-ADGroup -GroupScope global -Name <DirectAccess_clients_group_name>
# Add a client computer; pass the computer object so the computer account (not a user of the same name) is resolved
Add-ADGroupMember -Identity <DirectAccess_clients_group_name> -Members (Get-ADComputer <computer_name>)

Configure the network location server

The network location server should be on a server with high availability, and a valid SSL certificate trusted by the DirectAccess clients. There are two certificate options for the network location server certificate:

  • Private: The following are required, if they do not already exist:

    • A website certificate used for the network location server. The certificate subject should be the URL of the network location server.

    • A CRL distribution point that is highly available from the internal network.

  • Self-signed: The following are required, if they do not already exist:

    Note

    Self-signed certificates cannot be used in multisite deployments.

    • A website certificate used for the network location server. The certificate subject should be the URL of the network location server.

Note

If the network location server website is located on the Remote Access server, a website will be created automatically when configuring Remote Access that is bound to the server certificate that you provide.

To install the network location server certificate from an internal CA

  1. On the server that will host the network location server website: On the Start screen, type mmc.exe, and then press ENTER.

  2. In the MMC console, on the File menu, click Add/Remove Snap-in.

  3. On the Add or Remove Snap-ins dialog box, click Certificates, click Add, click Computer account, click Next, click Local computer, click Finish, and then click OK.

  4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

  5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

  6. Click Next twice.

  7. On the Request Certificates page, select the check box for the certificate template, and if required, click More information is required to enroll for this certificate.

  8. On the Certificate Properties dialog box, on the Subject tab, in the Subject name area, in Type, select Common Name.

  9. In Value, enter the FQDN of the network location server website, and then click Add.

  10. In the Alternative name area, in Type, select DNS.

  11. In Value, enter the FQDN of the network location server website, and then click Add.

  12. On the General tab, in Friendly name, you can enter a name that will help you identify the certificate.

  13. Click OK, click Enroll, and then click Finish.

  14. In the details pane of the Certificates snap-in, verify that the new certificate was enrolled with Intended Purposes of Server Authentication.
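The following Windows PowerShell example is added here and is not part of the original article. It covers both certificate procedures on this page: it requests the IP-HTTPS certificate from the internal CA with Get-Certificate (the PKI module equivalent of the MMC enrollment steps) and then checks a certificate against the requirements listed earlier (private key present, Server Authentication EKU, common name or DNS SAN matching the site name, wildcards allowed, and a CRL Distribution Points extension where revocation checking from the Internet is required), which applies equally to the network location server certificate. The template name, host names and store path are constructed assumptions.

```powershell
# Added example (not from the original article): enrol a website certificate from the
# internal CA and check it against the IP-HTTPS / NLS certificate requirements.
# Template name, host names and the Cert: store path are assumptions for illustration.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$crlDpOid      = '2.5.29.31'           # CRL Distribution Points extension

function Test-DirectAccessCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$ExpectedDnsName,
        [switch]$RequireCrl   # IP-HTTPS: Internet-connected clients must find a CRL distribution point
    )
    $problems = @()
    # The certificate must sit in the Personal store together with its private key
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    # Enhanced Key Usage must include Server Authentication
    if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) {
        $problems += 'missing Server Authentication EKU'
    }
    # The common name (wildcards allowed) or a DNS subject alternative name must match the site
    [string]$cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sans = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $cnOk = ($cn -eq $ExpectedDnsName) -or ($cn.StartsWith('*.') -and ($ExpectedDnsName -like $cn))
    if (-not $cnOk -and ($sans -notcontains $ExpectedDnsName)) {
        $problems += "subject/SAN does not cover $ExpectedDnsName (CN=$cn)"
    }
    # A CRL Distribution Points extension must be present where revocation checking is required
    $hasCrl = [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq $crlDpOid })
    if ($RequireCrl -and -not $hasCrl) { $problems += 'no CRL Distribution Points extension' }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}

# Request the IP-HTTPS certificate from the internal CA into the machine Personal store.
$ipHttpsFqdn = 'da.contoso.com'         # externally resolvable IP-HTTPS name (constructed)
$nlsFqdn     = 'nls.corp.contoso.com'   # network location server site name (constructed)
$template    = 'DirectAccessWebServer'  # template deployed on the internal CA (assumed name)

$req = Get-Certificate -Template $template -SubjectName "CN=$ipHttpsFqdn" -DnsName $ipHttpsFqdn `
                       -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -eq 'Issued') {
    Test-DirectAccessCertificate -Cert $req.Certificate -ExpectedDnsName $ipHttpsFqdn -RequireCrl
} else {
    "Enrollment status: $($req.Status); the request may be waiting for CA approval"
}

# Check any certificate already in the Personal store that names the network location server
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { @($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $nlsFqdn } |
    ForEach-Object { Test-DirectAccessCertificate -Cert $_ -ExpectedDnsName $nlsFqdn }
```

A certificate whose Problems list is empty satisfies the page's checklist; a wildcard common name is accepted for the IP-HTTPS site as the requirements allow.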