Step 2 Configure the Remote Access Server

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic describes how to configure the client and server settings that are required for remote management of DirectAccess clients. Before you begin the deployment steps, ensure that you have completed the planning steps that are described in Step 2 Plan the Remote Access Deployment.

Task                                      Description
Install the Remote Access role            Install the Remote Access role.
Configure the deployment type             Configure the deployment type as DirectAccess and VPN, DirectAccess only, or VPN only.
Configure DirectAccess clients            Configure the Remote Access server with the security groups that contain DirectAccess clients.
Configure the Remote Access server        Configure the Remote Access server settings.
Configure the infrastructure servers      Configure the infrastructure servers that are used in the organization.
Configure application servers             Configure the application servers to require authentication and encryption.
Configuration summary and alternate GPOs  View the Remote Access configuration summary, and modify the GPOs if desired.

Note

This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see Using Cmdlets.

Install the Remote Access role

You must install the Remote Access role on a server in your organization that will act as the Remote Access server.

To install the Remote Access role

To install the Remote Access role on DirectAccess servers

  1. On the DirectAccess server, in the Server Manager console, in the Dashboard, click Add roles and features.

  2. Click Next three times to get to the server role selection screen.

  3. On the Select Server Roles dialog, select Remote Access, and then click Next.

  4. Click Next three times.

  5. On the Select role services dialog, select DirectAccess and VPN (RAS), and then click Add Features.

  6. Select Routing, select Web Application Proxy, click Add Features, and then click Next.

  7. Click Next, and then click Install.

  8. On the Installation progress dialog, verify that the installation was successful, and then click Close.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Install-WindowsFeature RemoteAccess -IncludeManagementTools
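The cmdlet above installs the role itself. The following added example (not part of the original page or of Microsoft's documentation) installs the same role services the GUI procedure selects (DirectAccess and VPN, Routing, Web Application Proxy) and then checks that every feature reports Installed and that the RemoteAccess module loads, so that a partial install is caught here rather than in a later wizard step. The feature names are the ones Server Manager uses on Windows Server 2016; run it in an elevated session on the server that will become the Remote Access server.

```powershell
# Added example: install the Remote Access role plus the role services the GUI
# steps select, then verify the result before moving on to configuration.
$features = @('RemoteAccess', 'DirectAccess-VPN', 'Routing', 'Web-Application-Proxy')

# -IncludeManagementTools pulls in the Remote Access Management console and the
# RemoteAccess PowerShell module used by the later procedures.
$result = Install-WindowsFeature -Name $features -IncludeManagementTools

if (-not $result.Success) {
    throw "Role installation failed (exit code: $($result.ExitCode))."
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the role can be configured.'
}

# Every requested feature must report Installed; anything else means a later
# wizard page will fail for a reason that is hard to trace back to here.
$notInstalled = Get-WindowsFeature -Name $features |
    Where-Object { $_.InstallState -ne 'Installed' }
if ($notInstalled) {
    throw "Not installed: $($notInstalled.Name -join ', ')"
}

# The DirectAccess cmdlets (Install-RemoteAccess, Add-DAClient, Set-DAServer, ...)
# come from the RemoteAccess module; confirm it is available.
Import-Module RemoteAccess -ErrorAction Stop
Get-Command -Module RemoteAccess -Name 'Install-RemoteAccess', 'Add-DAClient', 'Set-DAServer' |
    Select-Object Name, ModuleName
```

Install-WindowsFeature returns a result object rather than throwing on failure, which is why the script inspects Success and RestartNeeded explicitly.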

Configure the deployment type

There are three options that you can use to deploy Remote Access from the Remote Access Management console:

  • DirectAccess and VPN

  • DirectAccess only

  • VPN only

Note

This guide uses the DirectAccess only method of deployment in the example procedures.

To configure the deployment type

  1. On the Remote Access server, open the Remote Access Management console: On the Start screen, type Remote Access Management Console, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. In the Remote Access Management Console, in the middle pane, click Run the Remote Access Setup Wizard.

  3. In the Configure Remote Access dialog box, select DirectAccess and VPN, DirectAccess only, or VPN only.

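The wizard choice above has a PowerShell counterpart in Install-RemoteAccess, whose -DAInstallType parameter selects the DirectAccess deployment (ManageOut for the remote-management-only scenario this guide uses, FullInstall for full client access). The following is an added example, not code from the page or from Microsoft's documentation. Every concrete value in it is an assumption for illustration: the public name edge1.contoso.com, the adapter names Internet and Corpnet, the GPO names, and the network location server certificate subject nls.corp.contoso.com (the NLS is assumed to run on the Remote Access server, which is why a certificate is passed; a remote NLS would use -NlsUrl instead). The property names read back from Get-RemoteAccess at the end are also assumed.

```powershell
# Added example: set the deployment type from PowerShell instead of the
# Configure Remote Access dialog. All names below are assumptions.
$connectTo   = 'edge1.contoso.com'   # public name clients connect to (the ConnectTo address)
$internetNic = 'Internet'            # adapter facing the external network
$internalNic = 'Corpnet'             # adapter facing the internal network

# Both adapters must exist under these names, otherwise the install fails late
# with a generic error; check up front.
foreach ($nic in $internetNic, $internalNic) {
    if (-not (Get-NetAdapter -Name $nic -ErrorAction SilentlyContinue)) {
        throw "Network adapter '$nic' not found."
    }
}

# NLS certificate (NLS assumed to be hosted on this server): look it up by
# subject in the machine store and require a private key.
$nlsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=nls.corp.contoso.com*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $nlsCert) { throw 'No NLS certificate with a private key found in Cert:\LocalMachine\My.' }

# ManageOut = DirectAccess only, for remote management of clients (this guide).
# FullInstall would be the full client-access deployment.
Install-RemoteAccess -DAInstallType ManageOut `
    -ConnectToAddress  $connectTo `
    -InternetInterface $internetNic `
    -InternalInterface $internalNic `
    -ClientGpoName 'corp.contoso.com\DirectAccess Client Settings' `
    -ServerGpoName 'corp.contoso.com\DirectAccess Server Settings' `
    -NlsCertificate $nlsCert

# Read the configuration back; DAStatus is assumed to report 'Installed'.
$ra = Get-RemoteAccess
if ($ra.DAStatus -ne 'Installed') {
    throw "DirectAccess is not installed (DAStatus = $($ra.DAStatus))."
}
$ra | Format-List
```

The GPO names use the domain\name form so that the cmdlet creates or links the GPOs in the intended domain; the later Configuration summary section of this topic is where the same names can be reviewed and changed.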
Configure DirectAccess clients

For a client computer to be provisioned to use DirectAccess, it must belong to the selected security group. After DirectAccess is configured, client computers in the security group are provisioned to receive the DirectAccess Group Policy Objects (GPOs) for remote management.

To configure DirectAccess clients

  1. In the middle pane of the Remote Access Management console, in the Step 1 Remote Clients area, click Configure.

  2. In the DirectAccess Client Setup Wizard, on the Deployment Scenario page, click Deploy DirectAccess for remote management only, and then click Next.

  3. On the Select Groups page, click Add.

  4. In the Select Groups dialog box, select the security groups that contain the DirectAccess client computers, and then click Next.

  5. On the Network Connectivity Assistant page:

    • In the table, add the resources that will be used to determine connectivity to the internal network. A default web probe is created automatically if no other resources are configured. When configuring the web probe locations for determining connectivity to the enterprise network, ensure that you have at least one HTTP-based probe configured. Configuring only a ping probe is not sufficient, and it could lead to an inaccurate determination of connectivity status. This is because ping is exempted from IPsec. As a result, ping does not ensure that the IPsec tunnels are properly established.

    • Add a Help Desk email address to allow users to send information if they experience connectivity issues.

    • Provide a friendly name for the DirectAccess connection.

    • Select the Allow DirectAccess clients to use local name resolution check box, if required.

      Note

      When local name resolution is enabled, users who are running the NCA can resolve names by using DNS servers that are configured on the DirectAccess client computer.

  6. Click Finish.

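Steps 2 to 4 above (remote management only, plus the client security groups) map to Add-DAClient and Set-DAClient. The following is an added example and not code from the page or from Microsoft's documentation; the group name CORP\DirectAccess_Clients is an assumption, and the check that the group exists uses the ActiveDirectory module, which is assumed to be installed on the server.

```powershell
# Added example: configure the client security groups for a
# remote-management-only DirectAccess deployment. Group name is an assumption.
$clientGroups = @('CORP\DirectAccess_Clients')

# Provisioning is group based: only computers in these groups get the client GPO.
# A typo in a group name silently provisions nobody, so verify each group exists.
Import-Module ActiveDirectory -ErrorAction Stop
foreach ($group in $clientGroups) {
    $sam = $group.Split('\')[-1]
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$sam'")) {
        throw "Security group '$group' was not found in Active Directory."
    }
}

# Add the groups that contain the DirectAccess client computers (step 4).
Add-DAClient -SecurityGroupNameList $clientGroups

# 'Deploy DirectAccess for remote management only' (step 2) corresponds to
# enabling OnlyRemoteComputers on the client configuration.
Set-DAClient -OnlyRemoteComputers Enabled

# Review: the configured groups are listed under SecurityGroupNameList.
Get-DAClient | Format-List
```

Keeping the client group list small and explicit is the least-privilege choice here: membership in the group is what exposes a machine to the DirectAccess GPOs, so it should not be a broad group such as Domain Computers.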
Configure the Remote Access server

To deploy Remote Access, you need to configure the server that will act as the Remote Access server with the following:

  1. Correct network adapters

  2. A public URL for the Remote Access server to which client computers can connect (the ConnectTo address)

  3. An IP-HTTPS certificate with a subject that matches the ConnectTo address

  4. IPv6 settings

  5. Client computer authentication

To configure the Remote Access server

  1. In the middle pane of the Remote Access Management console, in the Step 2 Remote Access Server area, click Configure.

  2. In the Remote Access Server Setup Wizard, on the Network Topology page, click the deployment topology that will be used in your organization. In Type the public name or IPv4 address used by clients to connect to the Remote Access server, enter the public name for the deployment (this name matches the subject name of the IP-HTTPS certificate, for example, edge1.contoso.com), and then click Next.

  3. On the Network Adapters page, the wizard automatically detects:

    • Network adapters for the networks in your deployment. If the wizard does not detect the correct network adapters, manually select the correct adapters.

    • IP-HTTPS certificate. This is based on the public name for the deployment that you set during the previous step of the wizard. If the wizard does not detect the correct IP-HTTPS certificate, click Browse to manually select the correct certificate.

  4. Click Next.

  5. On the Prefix Configuration page (this page is only visible if IPv6 is detected in the internal network), the wizard automatically detects the IPv6 settings that are used on the internal network. If your deployment requires additional prefixes, configure the IPv6 prefixes for the internal network, an IPv6 prefix to assign to DirectAccess client computers, and an IPv6 prefix to assign to VPN client computers.

  6. On the Authentication page:

    • For multisite and two-factor authentication deployments, you must use computer certificate authentication. Select the Use computer certificates check box to use computer certificate authentication and select the IPsec root certificate.

    • To enable client computers running Windows 7 to connect via DirectAccess, select the Enable Windows 7 client computers to connect via DirectAccess check box. You must also use computer certificate authentication in this type of deployment.

  7. Click Finish.

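The two settings in this procedure that most often go wrong are the IP-HTTPS certificate (its subject must match the ConnectTo address, item 3 above) and the authentication choice (item 5). The following added example, not from the page or from Microsoft's documentation, selects the IP-HTTPS certificate by subject and refuses to continue on a mismatch, binds it with Set-RemoteAccess, and enables computer certificate authentication with Set-DAServer. Assumptions: the public name edge1.contoso.com, the root CA subject Contoso Root CA, and the property names read back from Get-DAServer; the commented-out Set-DAClient line is for the Windows 7 case only.

```powershell
# Added example: bind the IP-HTTPS certificate that matches the ConnectTo address
# and turn on computer certificate authentication. Names are assumptions.
$connectTo = 'edge1.contoso.com'

# The wizard picks the IP-HTTPS certificate by matching the public name. Do the
# same explicitly: subject must match, private key must be present, and the
# certificate must not be expired. A mismatch here is what makes clients fail
# TLS validation of the IP-HTTPS endpoint.
$ipHttpsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "*CN=$connectTo*" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $ipHttpsCert) {
    throw "No valid IP-HTTPS certificate with subject CN=$connectTo in Cert:\LocalMachine\My."
}
Set-RemoteAccess -SslCertificate $ipHttpsCert

# IPsec root certificate: the CA that issued the client computer certificates.
# It is looked up in the trusted root store, not in the personal store.
$ipsecRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=Contoso Root CA*' } |
    Select-Object -First 1
if (-not $ipsecRoot) {
    throw 'IPsec root CA certificate not found in Cert:\LocalMachine\Root.'
}

# Required for multisite, two-factor and Windows 7 deployments (Authentication page).
Set-DAServer -ComputerCertAuthentication Enabled -IPsecRootCertificate $ipsecRoot

# Only when Windows 7 clients must connect; those clients also need a group in
# Add-DAClient -DownlevelSecurityGroupNameList.
# Set-DAClient -Downlevel Enabled

# Review (property names assumed).
Get-DAServer | Select-Object ConnectToAddress, ComputerCertAuthentication, UserAuthentication
```

The subject match above is a plain CN comparison; if your IP-HTTPS certificate carries the public name only in a Subject Alternative Name, extend the filter to inspect the certificate's extensions as well.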
Configure the infrastructure servers

To configure the infrastructure servers in a Remote Access deployment, you must configure the following:

  • Network location server

  • DNS settings, including the DNS suffix search list

  • Any management servers that are not automatically detected by Remote Access

To configure the infrastructure servers

  1. In the middle pane of the Remote Access Management console, in the Step 3 Infrastructure Servers area, click Configure.

  2. In the Infrastructure Server Setup Wizard, on the Network Location Server page, click the option that corresponds to the location of the network location server in your deployment.

    • If the network location server is on a remote web server, enter the URL, and then click Validate before you continue.

    • If the network location server is on the Remote Access server, click Browse to locate the relevant certificate, and then click Next.

  3. On the DNS page, in the table, enter additional name suffixes that will be applied as Name Resolution Policy Table (NRPT) exemptions. Select a local name resolution option, and then click Next.

  4. On the DNS Suffix Search List page, the Remote Access server automatically detects domain suffixes in the deployment. Use the Add and Remove buttons to create the list of domain suffixes that you want to use. To add a new domain suffix, in New Suffix, enter the suffix, and then click Add. Click Next.

  5. On the Management page, add management servers that are not detected automatically, and then click Next. Remote Access automatically adds domain controllers and Configuration Manager servers.

  6. Click Finish.

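Steps 2, 3 and 5 of this procedure correspond to Set-DANetworkLocationServer, Add-DAClientDnsConfiguration and Add-DAMgmtServer. The following added example (not from the page or from Microsoft's documentation) configures a network location server hosted on a separate internal web server, adds one internal DNS suffix with its DNS server, adds an NRPT exemption for the NLS name, and registers one management server that auto-detection would miss. All host names and the IPv6 DNS address are constructed assumptions. The HTTPS reachability check before Set-DANetworkLocationServer is this example's own stand-in for the wizard's Validate button.

```powershell
# Added example: configure NLS, DNS/NRPT entries and management servers.
# All names and addresses are assumptions.

# 1. Network location server on a separate internal web server.
#    Clients decide "inside or outside" by whether this HTTPS URL is reachable,
#    so an unreachable NLS makes every client behave as if it were remote.
$nlsUrl = 'https://nls.corp.contoso.com'
try {
    Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -ErrorAction Stop | Out-Null
} catch {
    throw "Network location server at $nlsUrl is not reachable: $($_.Exception.Message)"
}
Set-DANetworkLocationServer -NlsOnBackEndServer -Url $nlsUrl

# 2. DNS / NRPT entries.
#    A suffix given together with a DNS server address is resolved over
#    DirectAccess by that server. A suffix given with no address is an NRPT
#    exemption: the client resolves it with its local DNS instead. The NLS name
#    must be exempt so that inside detection works before any tunnel exists.
Add-DAClientDnsConfiguration -DnsSuffix '.corp.contoso.com' -DnsIPAddress '2001:db8:1::10'
Add-DAClientDnsConfiguration -DnsSuffix 'nls.corp.contoso.com'

# 3. Management servers that are not detected automatically. Domain controllers
#    and Configuration Manager servers are added by Remote Access itself.
Add-DAMgmtServer -MgmtServer 'wsus1.corp.contoso.com'

# Review the three areas the wizard would show on its pages.
Get-DANetworkLocationServer
Get-DAClientDnsConfiguration
Get-DAMgmtServer
```

Any host listed with Add-DAMgmtServer can reach client computers through the infrastructure tunnel, so the management server list deserves the same review as a firewall rule set: add only the servers that genuinely need to initiate connections to clients.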
Configure application servers

In a full Remote Access deployment, configuring application servers is an optional task. In this scenario for remote management of DirectAccess clients, application servers are not utilized and this step is greyed out to indicate that it is not active. Click Finish to apply the configuration.

Configuration summary and alternate GPOs

When the Remote Access configuration is complete, the Remote Access Review is displayed. You can review all of the settings that you previously selected, including:

  • GPO Settings

    The DirectAccess server GPO name and Client GPO name are listed. You can click the Change link next to the GPO Settings heading to modify the GPO settings.

  • Remote Clients

    The DirectAccess client configuration is displayed, including the security group, connectivity verifiers, and DirectAccess connection name.

  • Remote Access Server

    The DirectAccess configuration is displayed, including the public name and address, network adapter configuration, and certificate information.

  • Infrastructure Servers

    This list includes the network location server URL, DNS suffixes that are used by DirectAccess clients, and management server information.

See also