STEP 5 Test DirectAccess Connectivity from the Internet and Through the Cluster

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

CLIENT1 is now ready for DirectAccess testing.

  • Test DirectAccess connectivity from the Internet. Connect CLIENT1 to the simulated Internet. When connected to the simulated Internet, the client is assigned public IPv4 addresses. When a DirectAccess client is assigned a public IPv4 address, it tries to establish a connection to the Remote Access server using an IPv6 transition technology.

  • Test DirectAccess client connectivity through the cluster. Test cluster functionality. Before you begin testing, we recommend that you shut down both EDGE1 and EDGE2 for at least five minutes. There are a number of reasons for this, which include ARP cache timeouts and changes related to NLB. When validating NLB configuration in a test lab, you will need to be patient, as changes in configuration will not be reflected in connectivity until after a period of time has elapsed. This is important to keep in mind when you carry out the following tasks.

    Tip

    We recommend that you clear the Internet Explorer cache before performing this procedure and each time you test the connection through a different Remote Access server, to make sure that you are testing the connection and not retrieving the webpages from the cache.

Test DirectAccess connectivity from the Internet

  1. Unplug CLIENT1 from the corpnet switch and connect it to the Internet switch. Wait for 30 seconds.

  2. In an elevated Windows PowerShell window, type ipconfig /flushdns and press ENTER. This flushes name resolution entries that may still exist in the client DNS cache from when the client computer was connected to the corpnet.

  3. In the Windows PowerShell window, type Get-DnsClientNrptPolicy and press ENTER.

    The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all connections to .corp.contoso.com should be resolved by the Remote Access DNS server, with the IPv6 address 2001:db8:1::2. Also, note the NRPT entry indicating that there is an exemption for the name nls.corp.contoso.com; names on the exemption list are not answered by the Remote Access DNS server. You can ping the Remote Access DNS server IP address to confirm connectivity to the Remote Access server; for example, you can ping 2001:db8:1::2.

  4. In the Windows PowerShell window, type ping app1 and press ENTER. You should see replies from the IPv6 address for APP1, which in this case is 2001:db8:1::3.

  5. In the Windows PowerShell window, type ping app2 and press ENTER. You should see replies from the NAT64 address assigned by EDGE1 to APP2, which in this case is fdc9:9f4e:eb1b:7777::a00:4.

    The ability to ping APP2 is important, because success indicates that you were able to establish a connection using NAT64/DNS64, as APP2 is an IPv4-only resource.

  6. Leave the Windows PowerShell window open for the next procedure.

  7. Open Internet Explorer, in the Internet Explorer address bar, enter https://app1/ and press ENTER. You will see the default IIS website on APP1.

  8. In the Internet Explorer address bar, enter https://app2/ and press ENTER. You will see the default website on APP2.

  9. On the Start screen, type \\App2\Files, and then press ENTER. Double-click the New Text Document file.

    This demonstrates that you were able to connect to an IPv4-only server using SMB to obtain a resource in the resource domain.

  10. On the Start screen, type wf.msc, and then press ENTER.

  11. In the Windows Firewall with Advanced Security console, notice that only the Private or Public Profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly. If the Windows Firewall is disabled, DirectAccess connectivity does not work.

  12. In the left pane of the console, expand the Monitoring node, and click the Connection Security Rules node. You should see the active connection security rules: DirectAccess Policy-ClientToCorp, DirectAccess Policy-ClientToDNS64NAT64PrefixExemption, DirectAccess Policy-ClientToInfra, and DirectAccess Policy-ClientToNlaExempt. Scroll the middle pane to the right to show the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule (ClientToCorp) uses Kerberos V5 to establish the intranet tunnel and the third rule (ClientToInfra) uses NTLMv2 to establish the infrastructure tunnel.

  13. In the left pane of the console, expand the Security Associations node, and click the Main Mode node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet tunnel security association using Kerberos V5. Right-click the entry that shows User (Kerberos V5) as the 2nd Authentication Method and click Properties. On the General tab, notice the Second authentication Local ID is CORP\User1, indicating that User1 was able to successfully authenticate to the CORP domain using Kerberos.

Test DirectAccess client connectivity through the cluster

  1. 在 EDGE2 上执行正常关闭。Perform a graceful shutdown on EDGE2.

    运行这些测试时,可以使用 "网络负载平衡管理器" 查看服务器的状态。You can use the Network Load Balancing Manager to view the status of the servers when running these tests.

  2. 在 CLIENT1 上的 "Windows PowerShell" 窗口中,键入ipconfig/flushdns ,然后按 enter。On CLIENT1, in the Windows PowerShell window, type ipconfig /flushdns and press ENTER. 这会刷新客户端 DNS 缓存中仍存在的名称解析条目。This flushes name resolution entries that may still exist in the client DNS cache.

  3. 在 Windows PowerShell 窗口中,ping APP1 和 APP2。In the Windows PowerShell window, ping APP1, and APP2. 应该会收到来自这两个资源的答复。You should receive replies from both of these resources.

  4. 在 "开始" 屏幕上,键入 " \ \app2\files"。On the Start screen, type\\app2\files. 你应看到 APP2 计算机上的共享文件夹。You should see the shared folder on the APP2 computer. 在 APP2 上打开文件共享的功能表明,需要用户的 Kerberos 身份验证的第二个隧道工作正常。The ability to open the file share on APP2 indicates that the second tunnel, which requires Kerberos authentication for the user, is working correctly.

  5. 打开 "Internet Explorer",然后打开网站 https://app1/ 和 https://app2/ 。Open Internet Explorer, and then open the websites https://app1/ and https://app2/. 打开这两个网站的功能可确认第一个和第二个隧道都已启动并正常运行。The ability to open both websites confirms that both the first and second tunnels are up and functioning. 关闭 Internet Explorer。Close Internet Explorer.

  6. 启动 EDGE2 计算机。Start the EDGE2 computer.

  7. 在 EDGE1 上,执行正常关闭。On EDGE1 perform a graceful shutdown.

  8. 等待5分钟,然后返回到 CLIENT1。Wait for 5 minutes, and then return to CLIENT1. 执行步骤2-5。Perform steps 2-5. 这会确认 CLIENT1 在 EDGE1 变为不可用后能够以透明方式故障转移到 EDGE2。This confirms that CLIENT1 was able to transparently fail over to EDGE2 after EDGE1 became unavailable.