Step 2: Configure the DirectAccess-VPN Server

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes how to configure the client and server settings required for a basic Remote Access deployment using the Enable DirectAccess Wizard.

The following table provides an overview of the steps you can complete by using this topic.

| Task | Description |
| --- | --- |
| Configure DirectAccess clients | Configure the Remote Access server with the security groups containing DirectAccess clients. |
| Configure the Network Topology | Configure Remote Access server settings. |
| Configure the DNS Suffix Search List | Modify the suffix search list if desired. |
| GPO Configuration | Modify the GPOs if desired. |

To Start the Enable DirectAccess Wizard

  1. In Server Manager, click Tools, and then click Remote Access. The Enable DirectAccess Wizard starts automatically unless you have selected Do not show this screen again.

  2. If the wizard does not start automatically, right-click the server node in the Routing and Remote Access tree, and then click Enable DirectAccess.

  3. Click Next.

Configure DirectAccess clients

For a client computer to be provisioned to use DirectAccess, it must belong to one of the selected security groups. After DirectAccess is configured, client computers in those security groups are provisioned to receive the DirectAccess group policy. Membership in these groups is therefore what authorizes a computer to receive the client GPO, so keep them tightly scoped and reviewed.

  1. On the Select Groups page, click Add.

  2. In the Select Groups dialog box, select the security groups containing DirectAccess client computers.

  3. Select the Enable DirectAccess for mobile computers only check box to allow only mobile computers to access the internal network. The wizard enforces this by attaching a WMI filter to the client GPO that matches portable chassis types, so non-mobile computers in the selected groups do not receive the policy.

  4. Select the Use force tunneling check box to route all client traffic (to the internal network and to the Internet) through the Remote Access server. With force tunneling there is no split tunneling: a connected client cannot reach the Internet except through the Remote Access server, which must therefore be sized and configured (for example with a proxy) to carry that Internet-bound traffic.

  5. Click Next.

Configure the Network Topology

To deploy Remote Access, you need to configure the Remote Access server with the correct network adapters, a public URL for the Remote Access server to which client computers can connect (the connect-to address), and an IP-HTTPS certificate whose subject matches the connect-to address.

  1. On the Network Topology page, click the deployment topology that will be used in your organization. In Type the public name or IPv4 address used by clients to connect to the Remote Access server, enter the public name for the deployment (this name must match the subject name of the IP-HTTPS certificate, for example edge1.contoso.com), and then click Next. If the certificate's subject (or subject alternative name) does not match the connect-to address, clients fail the TLS name check and cannot establish IP-HTTPS connections.

Configure the DNS Suffix Search List

For DNS clients, you can configure a DNS domain suffix search list that extends or revises their DNS search capabilities. By adding additional suffixes to the list, you can search for short, unqualified computer names in more than one specified DNS domain. Then, if a DNS query fails, the DNS Client service can use this list to append other name suffixes to the original name and repeat the DNS query for each of these alternate FQDNs.

  1. Select Configure DirectAccess clients with DNS client suffix search list to specify additional suffixes for client name searches.

  2. Type a new suffix name in New Suffix and then click Add. Additionally, you can change the search order and remove suffixes from Domain suffixes to use.
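The client, topology and DNS suffix pages above can also be driven from the RemoteAccess PowerShell module. The script below is an added example, not code from the original page or from Microsoft; it assumes a two-adapter edge topology with adapters named Internet and Corpnet, the public name edge1.contoso.com, a client security group named DA-Clients in the contoso.com domain, and the wizard's default GPO names. All of those names are placeholders, and the certificate check assumes the IP-HTTPS certificate has already been enrolled into the computer store.

```powershell
# Added example: scripted equivalent of the wizard pages above. Run on the Remote Access server
# as a domain admin with the RemoteAccess module installed. Names below are placeholders.
Import-Module RemoteAccess

$connectTo = 'edge1.contoso.com'          # public name clients connect to (placeholder)
$clientGroup = 'contoso.com\DA-Clients'    # security group holding DirectAccess clients (placeholder)

# Pre-check: the IP-HTTPS certificate must sit in the machine store, still be valid, and carry
# a subject that matches the connect-to name (the wizard's "subject matches connect to address").
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$connectTo*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No valid certificate with subject CN=$connectTo in Cert:\LocalMachine\My; enroll it first."
}

# Network topology: edge server with an Internet-facing and an internal adapter.
# Adapter and GPO names are assumptions for this example.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress $connectTo `
    -InternetInterface 'Internet' `
    -InternalInterface 'Corpnet' `
    -ClientGpoName 'contoso.com\DirectAccess Client Settings' `
    -ServerGpoName 'contoso.com\DirectAccess Server Settings' `
    -Force

# DirectAccess clients: the security group, mobile computers only, and force tunneling.
Add-DAClient -SecurityGroupNameList $clientGroup
Set-DAClient -OnlyRemoteComputers Enabled -ForceTunnel Enabled

# DNS suffix search list pushed to clients, most-used suffix first (see the ordering note below).
Set-DAClientDnsConfiguration -DNSSuffixSearchList @('corp.contoso.com', 'contoso.com')

# Verify what was written before moving on to the GPO page.
Get-DAServer
Get-DAClient
Get-DAClientDnsConfiguration
```

The certificate pre-check is the step most often skipped: the wizard accepts a connect-to name whose certificate is missing or mismatched, and the failure only shows up later as clients that never establish IP-HTTPS. Putting the check before Install-RemoteAccess makes the script fail early instead.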

[NOTE] In a disjoint namespace scenario (where one or more domain computers have a DNS suffix that does not match the Active Directory domain to which they belong), ensure that the search list is customized to include all the required suffixes. By default, the Remote Access wizard configures the Active Directory DNS name as the primary DNS suffix on the client. The administrator should add any other DNS suffixes that clients use for name resolution.

For computers and servers, the following default DNS search behavior is predetermined and used when completing and resolving short, unqualified names. When the suffix search list is empty or unspecified, the primary DNS suffix of the computer is appended to the short unqualified name, and a DNS query is used to resolve the resulting FQDN.

If this query fails, the computer can try additional queries for alternate FQDNs by appending any connection-specific DNS suffix configured for its network connections. If no connection-specific suffixes are configured, or the queries for these connection-specific FQDNs fail, the client can then retry queries based on systematic reduction of the primary suffix (also known as devolution).

For example, if the primary suffix is "example.microsoft.com", the devolution process can retry queries for the short name by searching for it in the "microsoft.com" and "com" domains.

When the suffix search list is not empty and has at least one DNS suffix specified, attempts to qualify and resolve short DNS names are limited to searching only those FQDNs that the specified suffix list makes possible.

If the queries for all FQDNs formed by appending and trying each suffix in the list are not resolved, the query process fails, producing a "name not found" result.

Warning

If the domain suffix list is used, clients continue to send additional alternate queries based on different DNS domain names when a query is not answered or resolved. Once a name is resolved using an entry in the suffix list, unused list entries are not tried. For this reason, it is most efficient to order the list with the most used domain suffixes first.

Domain name suffix searches are used only when a DNS name entry is not fully qualified. To fully qualify a DNS name, enter a trailing period (.) at the end of the name.
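The resolution rules above (primary suffix, then connection-specific suffixes, then devolution when the search list is empty; only the search list when it is not; no suffixing at all for a name with a trailing period) are easier to reason about as code. The following is an added example, not part of the original page and not the Windows resolver itself: a pure function that produces the ordered list of FQDNs the rules would try, plus a small wrapper that walks that list with Resolve-DnsName. It follows the page's description of devolution all the way down to the top-level label, whereas a real Windows client stops at its configured devolution level; that simplification is deliberate and noted in the code.

```powershell
# Added example: candidate FQDNs for a name under the DNS suffix rules described above.
# Pure function with no network access, so it can be run anywhere to check a planned search list.
function Get-DnsCandidateNames {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [string]   $PrimarySuffix = '',        # e.g. the AD DNS name the wizard sets on clients
        [string[]] $ConnectionSuffixes = @(),  # connection-specific suffixes, if any
        [string[]] $SearchList = @()           # the DNS suffix search list; empty means "not specified"
    )
    # A trailing period marks the name as fully qualified: it is queried as-is and no suffix is appended.
    if ($Name.EndsWith('.')) {
        return ,@($Name.TrimEnd('.'))
    }

    $candidates = New-Object 'System.Collections.Generic.List[string]'

    if ($SearchList.Count -gt 0) {
        # Non-empty search list: only the listed suffixes are tried, in list order. Neither the
        # primary suffix nor devolution is used, which is why list order matters.
        foreach ($suffix in $SearchList) {
            if ($suffix) { $candidates.Add("$Name.$($suffix.Trim('.'))") }
        }
        return ,$candidates.ToArray()
    }

    # Empty search list: primary suffix first...
    if ($PrimarySuffix) { $candidates.Add("$Name.$($PrimarySuffix.Trim('.'))") }

    # ...then each connection-specific suffix...
    foreach ($suffix in $ConnectionSuffixes) {
        if ($suffix) { $candidates.Add("$Name.$($suffix.Trim('.'))") }
    }

    # ...then devolution: drop the leftmost label of the primary suffix one step at a time.
    # Simplification: this walks down to the last label as the page describes; a real Windows
    # client stops at its configured devolution level.
    if ($PrimarySuffix) {
        $labels = $PrimarySuffix.Trim('.').Split('.')
        for ($i = 1; $i -lt $labels.Count; $i++) {
            $candidates.Add("$Name." + ($labels[$i..($labels.Count - 1)] -join '.'))
        }
    }
    return ,$candidates.ToArray()
}

# Walks the candidates in order and stops at the first answer, mirroring the resolver: once a
# name resolves, remaining entries are never tried. Returns $null for "name not found".
function Resolve-ShortName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [hashtable] $Config = @{}
    )
    foreach ($fqdn in (Get-DnsCandidateNames -Name $Name @Config)) {
        $answer = Resolve-DnsName -Name $fqdn -DnsOnly -ErrorAction SilentlyContinue
        if ($answer) { return $answer }
    }
    return $null
}

# Usage with the page's example primary suffix and no search list (devolution path):
Get-DnsCandidateNames -Name 'fileserver' -PrimarySuffix 'example.microsoft.com' `
    -ConnectionSuffixes @('lab.example.microsoft.com')

# Usage with a search list: only the list is consulted, in the order given.
Get-DnsCandidateNames -Name 'fileserver' -PrimarySuffix 'example.microsoft.com' `
    -SearchList @('corp.contoso.com', 'contoso.com')

# Fully qualified name: exactly one candidate, with the trailing period removed.
Get-DnsCandidateNames -Name 'fileserver.corp.contoso.com.'
```

Running the function against the suffix list you intend to push through the wizard shows, before any client is provisioned, which FQDNs a short name will and will not expand to; the disjoint-namespace case from the note above is caught when a suffix that clients depend on is simply absent from the output.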

GPO Configuration

When you configure Remote Access, DirectAccess settings are collected into Group Policy Objects (GPOs).

In GPO Settings, the DirectAccess server GPO name and client GPO name are listed. Additionally, you can modify the GPO selection settings.

Two GPOs are populated automatically with DirectAccess settings and distributed in this way:

  1. DirectAccess client GPO. This GPO contains client settings, including IPv6 transition technology settings, NRPT entries, and Windows Firewall with Advanced Security connection security rules. The GPO is applied to the security groups specified for the client computers.

  2. DirectAccess server GPO. This GPO contains the DirectAccess configuration settings that are applied to any server configured as a Remote Access server in your deployment. It also contains Windows Firewall with Advanced Security connection security rules.
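Because the wizard writes its results into these two GPOs, the practical check after applying the configuration is to read the GPOs back and confirm that a client actually received them. The script below is an added example, not from the original page; it assumes the wizard's default GPO names (DirectAccess Client Settings and DirectAccess Server Settings), the GroupPolicy RSAT module on the server, and a domain-joined client that has refreshed policy.

```powershell
# Added example: verify the two DirectAccess GPOs on the server, then the received policy on a client.
# GPO names are the wizard defaults (assumption); adjust if you renamed them on the GPO Settings page.

# --- On the Remote Access server (GroupPolicy RSAT module required) ---
Import-Module GroupPolicy
foreach ($gpoName in 'DirectAccess Client Settings', 'DirectAccess Server Settings') {
    $gpo = Get-GPO -Name $gpoName
    # The client GPO should carry the WMI filter for mobile computers when that option was selected.
    '{0}: id={1} wmiFilter={2}' -f $gpo.DisplayName, $gpo.Id, $gpo.WmiFilter.Name

    # Who gets the GPO applied: the client GPO must be filtered to the DirectAccess security
    # group(s), not left open to Authenticated Users; the server GPO to the Remote Access server(s).
    Get-GPPermission -Name $gpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Full settings report (NRPT entries, IP-HTTPS, connection security rules) for offline review.
Get-GPOReport -Name 'DirectAccess Client Settings' -ReportType Html `
    -Path (Join-Path $env:TEMP 'da-client-gpo.html')

# --- On a provisioned client, after policy refresh ---
gpupdate /target:computer /force | Out-Null

# NRPT rules delivered by the client GPO: internal namespace and the DirectAccess DNS servers.
Get-DnsClientNrptPolicy -Effective

# IP-HTTPS interface configuration and current state (the connect-to URL should appear here).
Get-NetIPHttpsConfiguration
Get-NetIPHttpsState

# Connection security rules from the client GPO, as currently active on the machine.
Get-NetIPsecRule -PolicyStore ActiveStore | Select-Object DisplayName, Enabled, Profile
```

The permission listing is the security-relevant check: the client GPO is what turns a computer into a DirectAccess client, so its GpoApply trustees should be exactly the security groups selected in the wizard and nothing broader.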

Summary

Once the Remote Access configuration is complete, the Summary is displayed. You can change the configured settings or click Finish to apply the configuration.