STEP 13 Test DirectAccess Connectivity from Behind a NAT Device

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

When a DirectAccess client is connected to the Internet from behind a NAT device or a web proxy server, the DirectAccess client uses either Teredo or IP-HTTPS to connect to the Remote Access server. If the NAT device allows outbound UDP port 3544 to the Remote Access server's public IP address, Teredo is used. If Teredo is not available, the DirectAccess client falls back to IP-HTTPS over outbound TCP port 443, which allows access through firewalls and web proxy servers on the standard HTTPS port. If the web proxy requires authentication, the IP-HTTPS connection fails. IP-HTTPS connections also fail if the web proxy performs outbound SSL/TLS inspection, because the HTTPS session is then terminated at the web proxy instead of at the Remote Access server, and the client is not talking to the certificate it expects.
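The two IP-HTTPS failure modes described above (an authenticating proxy and a TLS-inspecting proxy) are easy to tell apart from the client. The following PowerShell function is an added example, not part of the test lab guide: it reads the Teredo and IP-HTTPS state with the NetworkTransition cmdlets, then repeats the IP-HTTPS client's HTTPS connection through the system proxy and compares the certificate it is shown with the thumbprint of the certificate actually installed on the Remote Access server. The function and parameter names are this example's own; the IP-HTTPS URL is assumed to be readable from the client's IP-HTTPS profile, and the expected thumbprint is supplied by the operator.

```powershell
# Added example, not part of the test lab guide. Diagnoses why a DirectAccess
# client behind a NAT or web proxy ends up on Teredo, on IP-HTTPS, or on nothing.
# Needs Windows 8 / Windows Server 2012 or later (NetworkTransition module) and an
# elevated PowerShell window. Function and parameter names are this example's own.
function Test-DAIPHttpsPath {
    [CmdletBinding()]
    param(
        # Assumption: the IP-HTTPS URL is read from the client's IP-HTTPS profile
        # (Get-NetIPHttpsConfiguration exposes it as ServerURL). Pass it explicitly
        # if the profile is not present on this client.
        [string]$IPHttpsUrl = (Get-NetIPHttpsConfiguration |
                                Select-Object -First 1 -ExpandProperty ServerURL),
        # Thumbprint of the IP-HTTPS certificate installed on the Remote Access
        # server (read it from the computer store on EDGE1). Supplied by the operator.
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )

    $teredo  = Get-NetTeredoState
    $iphttps = Get-NetIPHttpsState
    $result  = [ordered]@{
        # 'qualified' means the client reached the Teredo server over UDP 3544;
        # 'offline' or stuck in 'probe' usually means the NAT or firewall blocks it.
        TeredoState          = $teredo.State
        IPHttpsStatus        = $iphttps.InterfaceStatus
        IPHttpsLastError     = $iphttps.LastErrorCode   # Win32 error, 0 = tunnel is up
        ProxyAuthRequired    = $false
        ObservedIssuer       = $null
        ObservedThumbprint   = $null
        TlsTerminatedByProxy = $null
    }

    # Reproduce the IP-HTTPS client's HTTPS connection through the same system
    # proxy settings, so a proxy in the path is exercised rather than bypassed.
    $req = [System.Net.HttpWebRequest]::Create($IPHttpsUrl)
    $req.Proxy   = [System.Net.WebRequest]::GetSystemWebProxy()
    $req.Timeout = 10000
    # Accept whatever certificate is presented so the handshake completes and we
    # can inspect it. Diagnostic use only: never disable validation in production.
    $req.ServerCertificateValidationCallback = { $true }
    try {
        $resp = $req.GetResponse()
        $resp.Close()
    } catch {
        $ex = $_.Exception
        if ($ex -isnot [System.Net.WebException] -and $ex.InnerException) { $ex = $ex.InnerException }
        # 407 from the proxy is the "web proxy requires authentication" failure mode.
        if ($ex.Response -and [int]$ex.Response.StatusCode -eq 407) {
            $result.ProxyAuthRequired = $true
        }
        # Any other HTTP status (for example 404 for a plain GET) still means the
        # TLS handshake completed and the certificate below is what we were shown.
    }

    if ($req.ServicePoint.Certificate) {
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                    $req.ServicePoint.Certificate)
        $want = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
        $result.ObservedIssuer       = $leaf.Issuer
        $result.ObservedThumbprint   = $leaf.Thumbprint
        # A different leaf certificate means the HTTPS session was terminated before
        # it reached the Remote Access server: outbound SSL inspection on the proxy.
        $result.TlsTerminatedByProxy = ($leaf.Thumbprint -ne $want)
    }
    [pscustomobject]$result
}

# Usage (the thumbprint is a placeholder; take the real one from EDGE1):
# Test-DAIPHttpsPath -ExpectedThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

If `TeredoState` is `qualified`, the NAT is passing UDP 3544 and the client will prefer Teredo regardless of what the proxy does. If `ProxyAuthRequired` is true or `TlsTerminatedByProxy` is true while `IPHttpsStatus` is not active, the proxy is the reason IP-HTTPS does not come up, and `IPHttpsLastError` gives the Win32 error the tunnel interface recorded.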

The following procedures are performed on both client computers:

  1. Test Teredo connectivity. The first set of tests is performed when the DirectAccess client is configured to use Teredo. This is the automatic setting when the NAT device allows outbound access to UDP port 3544. First run the tests on CLIENT1 and then run the tests on CLIENT2.

  2. Test IP-HTTPS connectivity. The second set of tests is performed when the DirectAccess client is configured to use IP-HTTPS. To demonstrate IP-HTTPS connectivity, Teredo is disabled on the client computers. First run the tests on CLIENT1 and then run the tests on CLIENT2.

Prerequisites

Start EDGE1 and 2-EDGE1 if they are not already running, and make sure they are connected to the Internet subnet.

Before performing these tests, unplug CLIENT1 and CLIENT2 from the Internet switch and connect them to the Homenet switch. If asked what type of network you want to define the current network as, select Home network.

Test Teredo connectivity

  1. On CLIENT1, open an elevated Windows PowerShell window.

  2. Enable the Teredo adapter: type netsh interface teredo set state enterpriseclient, and then press ENTER.

  3. In the Windows PowerShell window, type ipconfig /all and press ENTER.

  4. Examine the output of the ipconfig command.

    This computer is now connected to the Internet from behind a NAT device and is assigned a private IPv4 address. When the DirectAccess client is behind a NAT device and assigned a private IPv4 address, the preferred IPv6 transition technology is Teredo. In the output of the ipconfig command you should see a section for Tunnel adapter Teredo Tunneling Pseudo-Interface with the description Microsoft Teredo Tunneling Adapter and an IPv6 address that starts with 2001:0, consistent with a Teredo address. The default gateway listed for the Teredo tunnel adapter should be ::.

  5. In the Windows PowerShell window, type ipconfig /flushdns and press ENTER.

    This flushes name resolution entries that may still exist in the client DNS cache from when the client computer was connected to the Internet.

  6. In the Windows PowerShell window, type ping app1 and press ENTER. You should see replies from the IPv6 address of APP1, 2001:db8:1::3.

  7. In the Windows PowerShell window, type ping app2 and press ENTER. You should see replies from the NAT64 address that EDGE1 assigned to APP2, which in this case is fdc9:9f4e:eb1b:7777::a00:4. Note that the fdc9:9f4e:eb1b:7777 portion will differ in your lab, because the NAT64 prefix is generated when Remote Access is configured; the trailing a00:4 is APP2's IPv4 address embedded in the NAT64 address.

  8. In the Windows PowerShell window, type ping 2-app1 and press ENTER. You should see replies from the IPv6 address of 2-APP1, 2001:db8:2::3.

  9. Open Internet Explorer, enter https://2-app1/ in the address bar, and press ENTER. You will see the default IIS website on 2-APP1.

  10. In the Internet Explorer address bar, enter https://app2/ and press ENTER. You will see the default website on APP2.

  11. On the Start screen, type \\App2\Files, and then press ENTER. Double-click the New Text Document file. This demonstrates that you were able to use SMB to connect to an IPv4-only server and retrieve a resource on an IPv4-only host.

  12. Repeat this procedure on CLIENT2.

Test IP-HTTPS connectivity

  1. On CLIENT1, open an elevated Windows PowerShell window, type netsh interface teredo set state disabled, and press ENTER. This disables Teredo on the client computer and lets the client configure itself to use IP-HTTPS. An Ok response appears when the command completes.

  2. In the Windows PowerShell window, type ipconfig /all and press ENTER.

  3. Examine the output of the ipconfig command. This computer is now connected to the Internet from behind a NAT device and is assigned a private IPv4 address. Teredo is disabled and the DirectAccess client falls back to IP-HTTPS. In the output of the ipconfig command you see a section for Tunnel adapter iphttpsinterface with an IP address that starts with 2001:db8:1:1000 or 2001:db8:2:2000, consistent with an IP-HTTPS address taken from the prefixes that were configured when setting up DirectAccess. No default gateway is listed for the IPHTTPSInterface tunnel adapter.

  4. In the Windows PowerShell window, type ipconfig /flushdns and press ENTER. This flushes name resolution entries that may still exist in the client DNS cache from the previous test.

  5. In the Windows PowerShell window, type ping app1 and press ENTER. You should see replies from the IPv6 address of APP1, 2001:db8:1::3.

  6. In the Windows PowerShell window, type ping app2 and press ENTER. You should see replies from the NAT64 address that EDGE1 assigned to APP2, which in this case is fdc9:9f4e:eb1b:7777::a00:4. Note that the fdc9:9f4e:eb1b:7777 portion will differ in your lab, because the NAT64 prefix is generated when Remote Access is configured.

  7. In the Windows PowerShell window, type ping 2-app1 and press ENTER. You should see replies from the IPv6 address of 2-APP1, 2001:db8:2::3.

  8. Open Internet Explorer, enter https://2-app1/ in the address bar, and press ENTER. You will see the default IIS website on 2-APP1.

  9. In the Internet Explorer address bar, enter https://app2/ and press ENTER. You will see the default website on APP2.

  10. On the Start screen, type \\App2\Files, and then press ENTER. Double-click the New Text Document file. This demonstrates that you were able to use SMB to connect to an IPv4-only server and retrieve a resource on an IPv4-only host.

  11. Repeat this procedure on CLIENT2.
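Both procedures above are the same checks run with Teredo in two different states, so they can be scripted once and run twice. The following PowerShell is an added example, not part of the test lab guide: it uses the NetworkTransition and NetTCPIP cmdlets in place of netsh and ipconfig, classifies the tunnel adapter's address as Teredo (2001:0::/32) or IP-HTTPS (the lab's 2001:db8:1:1000::/64 and 2001:db8:2:2000::/64 prefixes), and then resolves, pings and port-probes APP1, APP2 and 2-APP1. The function names are this example's own; the NAT64 address for APP2 is only checked for shape, because its prefix differs per deployment.

```powershell
# Added example, not part of the test lab guide. Runs the checks from the Teredo
# and IP-HTTPS procedures in one pass on a DirectAccess client. Needs an elevated
# PowerShell window on CLIENT1/CLIENT2. Function and parameter names are this
# example's own.
function Test-IPv6InPrefix([string]$Address, [string]$Prefix, [int]$Bits) {
    # Byte-wise prefix comparison; the prefix lengths used here are multiples of 8.
    $a = ([System.Net.IPAddress]$Address).GetAddressBytes()
    $p = ([System.Net.IPAddress]$Prefix).GetAddressBytes()
    for ($i = 0; $i -lt ($Bits / 8); $i++) { if ($a[$i] -ne $p[$i]) { return $false } }
    return $true
}

function Test-DAClientReachability {
    [CmdletBinding()]
    param(
        # 'EnterpriseClient' = the Teredo test; 'Disabled' = force the IP-HTTPS test.
        [ValidateSet('EnterpriseClient', 'Disabled')]
        [string]$TeredoType = 'EnterpriseClient',
        # IP-HTTPS prefixes configured when DirectAccess was set up (from the guide).
        [string[]]$IPHttpsPrefixes = @('2001:db8:1:1000::/64', '2001:db8:2:2000::/64')
    )

    Set-NetTeredoConfiguration -Type $TeredoType   # = netsh interface teredo set state <type>
    Clear-DnsClientCache                            # = ipconfig /flushdns
    Start-Sleep -Seconds 15                         # let the transition adapter (re)qualify

    # "Examine the output of ipconfig": which tunnel adapter holds a global address?
    $tunnel = foreach ($ip in Get-NetIPAddress -AddressFamily IPv6) {
        if ($ip.InterfaceAlias -notmatch 'Teredo|IPHTTPS' -or $ip.IPAddress -like 'fe80*') { continue }
        $kind = 'Unknown'
        if (Test-IPv6InPrefix $ip.IPAddress '2001::' 32) { $kind = 'Teredo' }   # Teredo is 2001:0::/32
        foreach ($pfx in $IPHttpsPrefixes) {
            $net, $bits = $pfx -split '/'
            if (Test-IPv6InPrefix $ip.IPAddress $net ([int]$bits)) { $kind = 'IP-HTTPS' }
        }
        [pscustomobject]@{ Adapter = $ip.InterfaceAlias; Address = $ip.IPAddress; Kind = $kind }
    }

    # The ping, HTTPS and SMB steps. APP1 and 2-APP1 are native IPv6 hosts with
    # fixed addresses; APP2 is IPv4-only and must resolve to a NAT64 address.
    $expected = @{ 'app1' = '2001:db8:1::3'; '2-app1' = '2001:db8:2::3' }
    $hosts = foreach ($h in 'app1', 'app2', '2-app1') {
        $ping = Test-NetConnection -ComputerName $h -WarningAction SilentlyContinue
        $addr = "$($ping.RemoteAddress)"
        $embedded = $null
        if ($h -eq 'app2') {
            $ok = $addr -match ':'   # NAT64 address (IPv6), not APP2's raw IPv4 address
            if ($ok) {               # last 32 bits of a NAT64 address carry the IPv4 address (a00:4 = 10.0.0.4)
                $b = ([System.Net.IPAddress]$addr).GetAddressBytes()
                $embedded = "$($b[12]).$($b[13]).$($b[14]).$($b[15])"
            }
        } else {
            $ok = $addr -eq $expected[$h]
        }
        $https = $null; $smb = $null
        if ($h -ne 'app1') {
            $https = (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        if ($h -eq 'app2') {
            $smb = (Test-NetConnection -ComputerName $h -CommonTCPPort SMB -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            Host = $h; ResolvedTo = $addr; AsExpected = $ok; Nat64EmbeddedIPv4 = $embedded
            Ping = $ping.PingSucceeded; Https443 = $https; Smb445 = $smb
        }
    }
    [pscustomobject]@{ TeredoType = $TeredoType; Tunnel = $tunnel; Hosts = $hosts }
}

# Teredo test (first procedure), then the IP-HTTPS test (second procedure):
$teredoRun  = Test-DAClientReachability -TeredoType EnterpriseClient
$iphttpsRun = Test-DAClientReachability -TeredoType Disabled
$teredoRun.Tunnel;  $teredoRun.Hosts  | Format-Table -AutoSize
$iphttpsRun.Tunnel; $iphttpsRun.Hosts | Format-Table -AutoSize
```

In the first run `Tunnel.Kind` should be `Teredo`, in the second `IP-HTTPS`; in both, every host should show `AsExpected` and `Ping` true, `Https443` true for APP2 and 2-APP1, and `Smb445` true for APP2. A host that resolves but does not answer usually points at the NRPT or the tunnel rather than the server, so check `Tunnel` before chasing the application.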