Step 1 Plan the Remote Access Infrastructure

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

Note

Windows Server 2016 combines DirectAccess and Routing and Remote Access Service (RRAS) into a single Remote Access role.

This topic describes the steps for planning an infrastructure that you can use to set up a single Remote Access server for remote management of DirectAccess clients. The following table lists the steps, but these planning tasks do not need to be done in a specific order.

Task: Plan network topology and server settings
  Description: Decide where to place the Remote Access server (at the edge or behind a Network Address Translation (NAT) device or firewall), and plan IP addressing and routing.
Task: Plan firewall requirements
  Description: Plan for allowing Remote Access through edge firewalls.
Task: Plan certificate requirements
  Description: Decide if you will use the Kerberos protocol or certificates for client authentication, and plan your website certificates.

  IP-HTTPS is a transition protocol that DirectAccess clients use to tunnel IPv6 traffic over IPv4 networks. Decide whether to authenticate IP-HTTPS for the server by using a certificate that is issued by a certification authority (CA), or by using a self-signed certificate that is issued automatically by the Remote Access server.
Task: Plan DNS requirements
  Description: Plan the Domain Name System (DNS) settings for the Remote Access server, infrastructure servers, local name resolution options, and client connectivity.
Task: Plan the network location server configuration
  Description: Decide where to place the network location server website in your organization (on the Remote Access server or on an alternative server), and plan the certificate requirements if the network location server will be located on the Remote Access server. Note: DirectAccess clients use the network location server to determine whether they are located on the internal network.
Task: Plan management servers' configurations
  Description: Plan for management servers (such as update servers) that are used during remote client management. Note: Administrators can remotely manage DirectAccess client computers that are located outside the corporate network by using the Internet.
Task: Plan Active Directory requirements
  Description: Plan your domain controllers, your Active Directory requirements, client authentication, and multiple domain structure.
Task: Plan Group Policy Object creation
  Description: Decide what GPOs are required in your organization and how to create and edit the GPOs.

Plan network topology and settings

When you plan your network, you need to consider the network adapter topology, settings for IP addressing, and requirements for ISATAP.

Plan network adapters and IP addressing

  1. Identify the network adapter topology that you want to use. Remote Access can be set up with any of the following topologies:

    • With two network adapters: The Remote Access server is installed at the edge, with one network adapter connected to the Internet and the other to the internal network.

    • With two network adapters: The Remote Access server is installed behind a NAT device, firewall, or router, with one network adapter connected to a perimeter network and the other to the internal network.

    • With one network adapter: The Remote Access server is installed behind a NAT device, and the single network adapter is connected to the internal network.

  2. Identify your IP addressing requirements:

    DirectAccess uses IPv6 with IPsec to create a secure connection between DirectAccess client computers and the internal corporate network. However, DirectAccess does not necessarily require connectivity to the IPv6 Internet or native IPv6 support on internal networks. Instead, it automatically configures and uses IPv6 transition technologies to tunnel IPv6 traffic across the IPv4 Internet (6to4, Teredo, or IP-HTTPS) and across your IPv4-only intranet (NAT64 or ISATAP). For an overview of these transition technologies, see the following resources:

  3. Configure the required adapters and addressing according to the following table. For deployments that are behind a NAT device using a single network adapter, configure your IP addresses by using only the Internal network adapter column.

    The table has four columns: Description, External network adapter, Internal network adapter, and Routing requirements.

    IPv4 Internet and IPv4 intranet

      External network adapter. Configure the following:

      - Two static, consecutive public IPv4 addresses with the appropriate subnet masks (required for Teredo only).
      - A default gateway IPv4 address for your Internet firewall or local Internet service provider (ISP) router. Note: The Remote Access server requires two consecutive public IPv4 addresses so that it can act as a Teredo server, and Windows-based Teredo clients can use the Remote Access server to detect the type of NAT device.

      Internal network adapter. Configure the following:

      - An IPv4 intranet address with the appropriate subnet mask.
      - A connection-specific DNS suffix for your intranet namespace. A DNS server should also be configured on the internal interface. Caution: Do not configure a default gateway on any intranet interface.

      Routing requirements. To configure the Remote Access server to reach all subnets on the internal IPv4 network, do the following:

      - List the IPv4 address spaces for all the locations on your intranet.
      - Use the route add -p or netsh interface ipv4 add route command to add the IPv4 address spaces as static routes in the IPv4 routing table of the Remote Access server.

    IPv6 Internet and IPv6 intranet

      External network adapter. Configure the following:

      - Use the autoconfigured address configuration provided by your ISP.
      - Use the route print command to ensure that a default IPv6 route that points to the ISP router exists in the IPv6 routing table.
      - Determine whether the ISP and intranet routers are using default router preferences as described in RFC 4191, and whether the ISP router uses a higher default preference than your local intranet routers. If both of these are true, no other configuration for the default route is required. The higher preference for the ISP router ensures that the active default IPv6 route of the Remote Access server points to the IPv6 Internet.

      Because the Remote Access server is an IPv6 router, if you have a native IPv6 infrastructure, the Internet interface can also reach the domain controllers on the intranet. In this case, add packet filters to the domain controller in the perimeter network that prevent connectivity to the IPv6 address of the Internet interface of the Remote Access server.

      Internal network adapter. Configure the following:

      If you are not using default preference levels, configure your intranet interfaces by using the netsh interface ipv6 set InterfaceIndex ignoredefaultroutes=enabled command. This command ensures that additional default routes that point to intranet routers will not be added to the IPv6 routing table. You can obtain the InterfaceIndex of your intranet interfaces from the display of the netsh interface show interface command.

      Routing requirements. If you have an IPv6 intranet, to configure the Remote Access server to reach all of the IPv6 locations, do the following:

      - List the IPv6 address spaces for all the locations on your intranet.
      - Use the netsh interface ipv6 add route command to add the IPv6 address spaces as static routes in the IPv6 routing table of the Remote Access server.

    IPv4 Internet and IPv6 intranet

      The Remote Access server forwards default IPv6 route traffic by using the Microsoft 6to4 adapter interface to a 6to4 relay on the IPv4 Internet. When native IPv6 is not deployed in the corporate network, you can use the following command to configure a Remote Access server for the IPv4 address of the Microsoft 6to4 relay on the IPv4 Internet: netsh interface ipv6 6to4 set relay name=<ipaddress> state=enabled.

    Note

    • If the DirectAccess client has been assigned a public IPv4 address, it will use the 6to4 relay technology to connect to the intranet. If the client is assigned a private IPv4 address, it will use Teredo. If the DirectAccess client cannot connect to the DirectAccess server with 6to4 or Teredo, it will use IP-HTTPS.
    • To use Teredo, you must configure two consecutive IP addresses on the external-facing network adapter.
    • You cannot use Teredo if the Remote Access server has only one network adapter.
    • Native IPv6 client computers can connect to the Remote Access server over native IPv6, and no transition technology is required.

Plan ISATAP requirements

ISATAP is required for remote management of DirectAccess clients, so that DirectAccess management servers can connect to DirectAccess clients located on the Internet. ISATAP is not required to support connections that are initiated by DirectAccess client computers to IPv4 resources on the corporate network; NAT64/DNS64 is used for this purpose. If your deployment requires ISATAP, use the following table to identify your requirements.

ISATAP deployment scenario: Existing native IPv6 intranet (no ISATAP is required)
  Requirements: With an existing native IPv6 infrastructure, you specify the prefix of the organization during Remote Access deployment, and the Remote Access server does not configure itself as an ISATAP router. Do the following:

  1. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing so that default route traffic is forwarded to the Remote Access server. If your intranet IPv6 address space uses an address other than a single 48-bit IPv6 address prefix, you must specify the relevant organization IPv6 prefix during deployment.
  2. If you are currently connected to the IPv6 Internet, you must configure your default route traffic so that it is forwarded to the Remote Access server, and then configure the appropriate connections and routes on the Remote Access server, so that the default route traffic is forwarded to the device that is connected to the IPv6 Internet.
ISATAP deployment scenario: Existing ISATAP deployment
  Requirements: If you have an existing ISATAP infrastructure, during deployment you are prompted for the 48-bit prefix of the organization, and the Remote Access server does not configure itself as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing infrastructure so that default route traffic is forwarded to the Remote Access server. This change needs to be made on the existing ISATAP router to which the intranet clients already forward their default traffic.
ISATAP deployment scenario: No existing IPv6 connectivity
  Requirements: When the Remote Access setup wizard detects that the server has no native or ISATAP-based IPv6 connectivity, it automatically derives a 6to4-based 48-bit prefix for the intranet, and configures the Remote Access server as an ISATAP router to provide IPv6 connectivity to ISATAP hosts across your intranet. (A 6to4-based prefix is used only if the server has public addresses; otherwise the prefix is automatically generated from a unique local address range.)

To use ISATAP, do the following:

1. Register the ISATAP name on a DNS server for each domain on which you want to enable ISATAP-based connectivity, so that the internal DNS server can resolve the ISATAP name to the internal IPv4 address of the Remote Access server.
2. By default, DNS servers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 block resolution of the ISATAP name by using the global query block list. To enable ISATAP, you must remove the ISATAP name from the block list. For more information, see Remove ISATAP from the DNS Global Query Block List.

Windows-based ISATAP hosts that can resolve the ISATAP name automatically configure an address with the Remote Access server as follows:

1. An ISATAP-based IPv6 address on an ISATAP tunneling interface.
2. A 64-bit route that provides connectivity to the other ISATAP hosts on the intranet.
3. A default IPv6 route that points to the Remote Access server. The default route ensures that intranet ISATAP hosts can reach DirectAccess clients.

When your Windows-based ISATAP hosts obtain an ISATAP-based IPv6 address, they begin to use ISATAP-encapsulated traffic to communicate if the destination is also an ISATAP host. Because ISATAP uses a single 64-bit subnet for the entire intranet, your communication goes from a segmented IPv4 model of communication to a single-subnet communication model with IPv6. This can affect the behavior of some Active Directory Domain Services (AD DS) components and applications that rely on your Active Directory Sites and Services configuration. For example, if you used the Active Directory Sites and Services snap-in to configure sites, IPv4-based subnets, and intersite transports for forwarding requests to servers within sites, this configuration is not used by ISATAP hosts.

  1. To configure Active Directory Sites and Services for forwarding within sites for ISATAP hosts, for each IPv4 subnet object you must configure an equivalent IPv6 subnet object, in which the IPv6 address prefix for the subnet expresses the same range of ISATAP host addresses as the IPv4 subnet. For example, for the IPv4 subnet 192.168.99.0/24 and the 64-bit ISATAP address prefix 2002:836b:1:8000::/64, the equivalent IPv6 address prefix for the IPv6 subnet object is 2002:836b:1:8000:0:5efe:192.168.99.0/120. For an arbitrary IPv4 prefix length (24 in the example), you can determine the corresponding IPv6 prefix length from the formula 96 + IPv4PrefixLength.
  2. For the IPv6 addresses of DirectAccess clients, add the following:

    • For Teredo-based DirectAccess clients: An IPv6 subnet for the range 2001:0:WWXX:YYZZ::/64, in which WWXX:YYZZ is the colon-hexadecimal version of the first Internet-facing IPv4 address of the Remote Access server.
    • For IP-HTTPS-based DirectAccess clients: An IPv6 subnet for the range 2002:WWXX:YYZZ:8100::/56, in which WWXX:YYZZ is the colon-hexadecimal version of the first Internet-facing IPv4 address (w.x.y.z) of the Remote Access server.
    • For 6to4-based DirectAccess clients: A series of 6to4-based IPv6 prefixes that begin with 2002: and represent the regional public IPv4 address prefixes that are administered by the Internet Assigned Numbers Authority (IANA) and the regional registries. The 6to4-based prefix for a public IPv4 address prefix w.x.y.z/n is 2002:WWXX:YYZZ::/[16+n], in which WWXX:YYZZ is the colon-hexadecimal version of w.x.y.z.

      For example, the 7.0.0.0/8 range is administered by the American Registry for Internet Numbers (ARIN) for North America. The corresponding 6to4-based prefix for this public IPv4 address range is 2002:700::/24. For information about the IPv4 public address space, see IANA IPv4 Address Space Registry.
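The subnet-object derivations above (ISATAP subnet with the 96 + IPv4PrefixLength rule, and the Teredo, IP-HTTPS and 6to4 client ranges) carried out in code, as an added example that is not part of the original page. The server address 131.107.0.1 is a constructed sample value; the 192.168.99.0/24 and 7.0.0.0/8 inputs are the page's own examples.

```python
import ipaddress

# The fixed 0:5efe interface-identifier marker that every ISATAP address carries
ISATAP_IID_MARKER = 0x5EFE


def ipv4_to_colon_hex(ipv4: str) -> str:
    """Return the WWXX:YYZZ colon-hexadecimal form of a dotted-decimal IPv4 address."""
    b = ipaddress.IPv4Address(ipv4).packed
    return f"{(b[0] << 8) | b[1]:x}:{(b[2] << 8) | b[3]:x}"


def isatap_subnet(isatap_prefix: str, ipv4_subnet: str) -> ipaddress.IPv6Network:
    """Equivalent IPv6 subnet object for an IPv4 subnet object.

    An ISATAP host address is <64-bit prefix>:0:5efe:<IPv4 address>, so the IPv6
    subnet keeps the 64-bit prefix, the 0:5efe marker and the IPv4 network bits;
    its prefix length is 96 + the IPv4 prefix length (the formula on the page).
    """
    prefix = ipaddress.IPv6Network(isatap_prefix)
    if prefix.prefixlen != 64:
        raise ValueError("the ISATAP address prefix must be a /64")
    v4 = ipaddress.IPv4Network(ipv4_subnet)
    addr = (int(prefix.network_address)
            | (ISATAP_IID_MARKER << 32)
            | int(v4.network_address))
    return ipaddress.IPv6Network((addr, 96 + v4.prefixlen))


def teredo_client_subnet(server_ipv4: str) -> ipaddress.IPv6Network:
    """2001:0:WWXX:YYZZ::/64, WWXX:YYZZ being the server's first Internet-facing IPv4 address."""
    v4 = int(ipaddress.IPv4Address(server_ipv4))
    return ipaddress.IPv6Network(((0x2001 << 112) | (v4 << 64), 64))


def iphttps_client_subnet(server_ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ:8100::/56 for IP-HTTPS clients of the server at server_ipv4."""
    v4 = int(ipaddress.IPv4Address(server_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80) | (0x8100 << 64), 56))


def six_to_four_subnet(public_ipv4_prefix: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/[16+n] for the public IPv4 prefix w.x.y.z/n (6to4 clients)."""
    v4 = ipaddress.IPv4Network(public_ipv4_prefix)
    addr = (0x2002 << 112) | (int(v4.network_address) << 80)
    return ipaddress.IPv6Network((addr, 16 + v4.prefixlen))


def directaccess_client_subnets(server_ipv4: str, public_ipv4_prefixes):
    """All IPv6 subnet objects for DirectAccess clients of one server, keyed by transition technology."""
    return {
        "teredo": [teredo_client_subnet(server_ipv4)],
        "ip-https": [iphttps_client_subnet(server_ipv4)],
        "6to4": [six_to_four_subnet(p) for p in public_ipv4_prefixes],
    }


if __name__ == "__main__":
    # The page's worked example: 192.168.99.0/24 under the ISATAP prefix 2002:836b:1:8000::/64
    print("ISATAP subnet object:", isatap_subnet("2002:836b:1:8000::/64", "192.168.99.0/24"))
    # Constructed sample server address plus the page's 7.0.0.0/8 (ARIN) example prefix
    for tech, nets in directaccess_client_subnets("131.107.0.1", ["7.0.0.0/8"]).items():
        print(tech, [str(n) for n in nets])
```

The ISATAP result prints in pure hexadecimal (2002:836b:1:8000:0:5efe:c0a8:6300/120), which is the same prefix the page writes in mixed notation as 2002:836b:1:8000:0:5efe:192.168.99.0/120.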

Important

Ensure that you do not have public IP addresses on the internal interface of the DirectAccess server. If you have a public IP address on the internal interface, connectivity through ISATAP may fail.

Plan firewall requirements

If the Remote Access server is behind an edge firewall, the following exceptions will be required for Remote Access traffic when the Remote Access server is on the IPv4 Internet:

  • For IP-HTTPS: Transmission Control Protocol (TCP) destination port 443, and TCP source port 443 outbound.

  • For Teredo traffic: User Datagram Protocol (UDP) destination port 3544 inbound, and UDP source port 3544 outbound.

  • For 6to4 traffic: IP Protocol 41 inbound and outbound.

    Note

    For Teredo and 6to4 traffic, these exceptions should be applied for both of the Internet-facing consecutive public IPv4 addresses on the Remote Access server.

    For IP-HTTPS, the exceptions need to be applied on the address that is registered on the public DNS server.

  • If you are deploying Remote Access with a single network adapter and installing the network location server on the Remote Access server: TCP port 62000.

    Note

    This exemption is on the Remote Access server, and the previous exemptions are on the edge firewall.

The following exceptions are required for Remote Access traffic when the Remote Access server is on the IPv6 Internet:

  • IP Protocol 50

  • UDP destination port 500 inbound, and UDP source port 500 outbound.

  • ICMPv6 traffic inbound and outbound (only when using Teredo).

When you are using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:

  • For ISATAP: Protocol 41 inbound and outbound

  • For all IPv4/IPv6 traffic: TCP/UDP

  • For Teredo: ICMP for all IPv4/IPv6 traffic

Plan certificate requirements

There are three scenarios that require certificates when you deploy a single Remote Access server.

  • IPsec authentication: Certificate requirements for IPsec include a computer certificate that is used by DirectAccess client computers when they establish the IPsec connection with the Remote Access server, and a computer certificate that is used by Remote Access servers to establish IPsec connections with DirectAccess clients.

    For DirectAccess in Windows Server 2012, the use of these IPsec certificates is not mandatory. As an alternative, the Remote Access server can act as a proxy for Kerberos authentication without requiring certificates. If Kerberos authentication is used, it works over SSL, and the Kerberos protocol uses the certificate that was configured for IP-HTTPS. Some enterprise scenarios (including multisite deployment and one-time password client authentication) require the use of certificate authentication, and not Kerberos authentication.

  • IP-HTTPS server: When you configure Remote Access, the Remote Access server is automatically configured to act as the IP-HTTPS web listener. The IP-HTTPS site requires a website certificate, and client computers must be able to contact the certificate revocation list (CRL) site for the certificate.

  • Network location server: The network location server is a website that is used to detect whether client computers are located in the corporate network. The network location server requires a website certificate. DirectAccess clients must be able to contact the CRL site for the certificate.

The certification authority (CA) requirements for each of these scenarios are summarized below.

IPsec authentication
  - Internal CA: An internal CA is required to issue computer certificates to the Remote Access server and clients for IPsec authentication when you don't use the Kerberos protocol for authentication.

IP-HTTPS server
  - Internal CA: You can use an internal CA to issue the IP-HTTPS certificate; however, you must make sure that the CRL distribution point is available externally.
  - Self-signed certificate: You can use a self-signed certificate for the IP-HTTPS server. A self-signed certificate cannot be used in a multisite deployment.
  - Public CA: We recommend that you use a public CA to issue the IP-HTTPS certificate; this ensures that the CRL distribution point is available externally.

Network location server
  - Internal CA: You can use an internal CA to issue the network location server website certificate. Make sure that the CRL distribution point is highly available from the internal network.
  - Self-signed certificate: You can use a self-signed certificate for the network location server website; however, you cannot use a self-signed certificate in multisite deployments.

Plan computer certificates for IPsec authentication

If you are using certificate-based IPsec authentication, the Remote Access server and clients are required to obtain a computer certificate. The simplest way to install the certificates is to use Group Policy to configure automatic enrollment for computer certificates. This ensures that all domain members obtain a certificate from an enterprise CA. If you do not have an enterprise CA set up in your organization, see Active Directory Certificate Services.

This certificate has the following requirements:

  • The certificate should have the client authentication extended key usage (EKU).

  • The client and the server certificates should chain to the same root certificate. This root certificate must be selected in the DirectAccess configuration settings.

Plan certificates for IP-HTTPS

The Remote Access server acts as an IP-HTTPS listener, and you must manually install an HTTPS website certificate on the server. Consider the following when you are planning:

  • Using a public CA is recommended, so that CRLs are readily available.

  • In the Subject field, specify the IPv4 address of the Internet adapter of the Remote Access server or the FQDN of the IP-HTTPS URL (the ConnectTo address). If the Remote Access server is located behind a NAT device, the public name or address of the NAT device should be specified.

  • The common name of the certificate should match the name of the IP-HTTPS site.

  • For the Enhanced Key Usage field, use the Server Authentication object identifier (OID).

  • For the CRL Distribution Points field, specify a CRL distribution point that is accessible by DirectAccess clients that are connected to the Internet.

    Note

    This is only required for clients running Windows 7.

  • The IP-HTTPS certificate must have a private key.

  • The IP-HTTPS certificate must be imported directly into the personal store.

  • IP-HTTPS certificates can have wildcard characters in the name.

Plan website certificates for the network location server

Consider the following when you are planning the network location server website:

  • In the Subject field, specify an IP address of the intranet interface of the network location server or the FQDN of the network location URL.

  • For the Enhanced Key Usage field, use the Server Authentication OID.

  • For the CRL Distribution Points field, use a CRL distribution point that is accessible by DirectAccess clients that are connected to the intranet. This CRL distribution point should not be accessible from outside the internal network.

Note

Ensure that the certificates for IP-HTTPS and the network location server have a subject name. If the certificate uses an alternative name, it will not be accepted by the Remote Access Wizard.

Plan DNS requirements

This section explains the DNS requirements for clients and servers in a Remote Access deployment.

DirectAccess client requests

DNS is used to resolve requests from DirectAccess client computers that are not located on the internal network. DirectAccess clients attempt to connect to the DirectAccess network location server to determine whether they are located on the Internet or on the corporate network.

  • If the connection is successful, clients are determined to be on the intranet, DirectAccess is not used, and client requests are resolved by using the DNS server that is configured on the network adapter of the client computer.

  • If the connection does not succeed, clients are assumed to be on the Internet. DirectAccess clients will use the name resolution policy table (NRPT) to determine which DNS server to use when resolving name requests. You can specify that clients should use DirectAccess DNS64 to resolve names, or an alternative internal DNS server.

When performing name resolution, DirectAccess clients use the NRPT to identify how to handle a request. Clients request an FQDN or a single-label name such as https://internal. If a single-label name is requested, a DNS suffix is appended to make an FQDN. If the DNS query matches an entry in the NRPT and DNS64 or an intranet DNS server is specified for the entry, the query is sent for name resolution by using the specified server. If a match exists but no DNS server is specified, an exemption rule applies and normal name resolution is used.

在远程访问管理控制台中将新的后缀添加到 NRPT 时,可通过单击 "检测" 按钮自动发现该后缀的默认 DNS 服务器。When a new suffix is added to the NRPT in the Remote Access Management console, the default DNS servers for the suffix can be automatically discovered by clicking the Detect button. 自动检测的工作原理如下所示:Automatic detection works as follows:

  • 如果企业网络基于 IPv4,或者使用 IPv4 和 IPv6,则默认地址是远程访问服务器上内部适配器的 DNS64 地址。If the corporate network is IPv4-based, or it uses IPv4 and IPv6, the default address is the DNS64 address of the internal adapter on the Remote Access server.

  • 如果企业网络基于 IPv6,则默认地址是企业网络中 DNS 服务器的 IPv6 地址。If the corporate network is IPv6-based, the default address is the IPv6 address of DNS servers in the corporate network.

基础结构服务器Infrastructure servers
  • 网络位置服务器Network location server

    DirectAccess 客户端尝试访问网络位置服务器,以确定它们是否位于内部网络上。DirectAccess clients attempt to reach the network location server to determine if they are on the internal network. 内部网络上的客户端必须能够解析网络位置服务器的名称,并且在这些客户端位于 Internet 上时,必须阻止它们解析该名称。Clients on the internal network must be able to resolve the name of the network location server, and they must be prevented from resolving the name when they are located on the Internet. 为了确保这一点,默认情况下,将网络位置服务器的 FQDN 作为免除规则添加到 NRPT。To ensure that this occurs, by default, the FQDN of the network location server is added as an exemption rule to the NRPT. 此外,在配置远程访问时,将自动创建以下规则:In addition, when you configure Remote Access, the following rules are created automatically:

    • 根域或远程访问服务器的域名的 DNS 后缀规则,以及与远程访问服务器上配置的 intranet DNS 服务器相对应的 IPv6 地址。A DNS suffix rule for root domain or the domain name of the Remote Access server, and the IPv6 addresses that correspond to the intranet DNS servers that are configured on the Remote Access server. 例如,如果远程访问服务器是 corp.contoso.com 域的成员,则会为 corp.contoso.com DNS 后缀创建一条规则。For example, if the Remote Access server is a member of the corp.contoso.com domain, a rule is created for the corp.contoso.com DNS suffix.

    • 用于网络位置服务器的 FQDN 的免除规则。An exemption rule for the FQDN of the network location server. 例如,如果网络位置服务器 URL 为 https://nls.corp.contoso.com ,则会为 FQDN nls.corp.contoso.com 创建例外规则。For example, if the network location server URL is https://nls.corp.contoso.com, an exemption rule is created for the FQDN nls.corp.contoso.com.

  • IP-HTTPS 服务器IP-HTTPS server

    远程访问服务器充当 ip-https 侦听器,并使用其服务器证书对 ip-https 客户端进行身份验证。The Remote Access server acts as an IP-HTTPS listener and uses its server certificate to authenticate to IP-HTTPS clients. Ip-https 名称必须可由使用公用 DNS 服务器的 DirectAccess 客户端解析。The IP-HTTPS name must be resolvable by DirectAccess clients that use public DNS servers.

连接性验证程序Connectivity verifiers

远程访问将创建可由 DirectAccess 客户端计算机用来验证到内部网络的连接的默认 Web 探测。Remote Access creates a default web probe that is used by DirectAccess client computers to verify connectivity to the internal network. 若要确保探测按预期方式运行,必须在 DNS 中手动注册以下名称:To ensure that the probe works as expected, the following names must be registered manually in DNS:

  • directaccess-directaccess-webprobehost应解析为远程访问服务器的内部 IPv4 地址,或解析为仅限 ipv6 的环境中的 ipv6 地址。directaccess-webprobehost should resolve to the internal IPv4 address of the Remote Access server, or to the IPv6 address in an IPv6-only environment.

  • directaccess-directaccess-corpconnectivityhost应解析为本地主机 (环回) 地址。directaccess-corpconnectivityhost should resolve to the local host (loopback) address. 你应创建 A 和 AAAA 记录。You should create A and AAAA records. A 记录的值为127.0.0.1,AAAA 记录的值从带有最后32位的 NAT64 前缀构建为127.0.0.1。The value of the A record is 127.0.0.1, and the value of the AAAA record is constructed from the NAT64 prefix with the last 32 bits as 127.0.0.1. 可以通过运行Get-netnattransitionconfiguration 来Windows PowerShell cmdlet 来检索 NAT64 前缀。The NAT64 prefix can be retrieved by running the Get-netnatTransitionConfiguration Windows PowerShell cmdlet.

    备注

    这仅在仅适用于 IPv4 的环境中有效。This is valid only in IPv4-only environments. 在 IPv4 + IPv6 或仅使用 IPv6 的环境中,仅创建具有环回 IP 地址::1的 AAAA 记录。In an IPv4 plus IPv6 or an IPv6-only environment, create only a AAAA record with the loopback IP address ::1.

可以通过 HTTP 或 PING 使用其他 web 地址来创建其他连接性验证程序。You can create additional connectivity verifiers by using other web addresses over HTTP or PING. 对于每个连接性验证程序,都必须存在 DNS 条目。For each connectivity verifier, a DNS entry must exist.
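The following PowerShell is an added example, not code from the original page: it builds the directaccess-corpconnectivityhost AAAA value from a NAT64 prefix as described above and registers the connectivity verifier records for each environment type. The prefix, zone name and server addresses are constructed sample values; the registration function assumes the DnsServer module on the internal DNS server.

```powershell
# Added example (not from the original page). Sample values only: replace the
# prefix with the one reported by Get-NetNatTransitionConfiguration.

function New-Nat64LoopbackAddress {
    # Returns the IPv6 address formed by the first 96 bits of the NAT64 prefix
    # followed by 127.0.0.1 in the last 32 bits (e.g. fd00:0:0:7777::7f00:1).
    param([Parameter(Mandatory)][string]$Nat64Prefix)   # e.g. 'fd00:0:0:7777::/96'

    $prefixText  = ($Nat64Prefix -split '/')[0]
    $prefixBytes = ([System.Net.IPAddress]::Parse($prefixText)).GetAddressBytes()
    if ($prefixBytes.Length -ne 16) { throw "Not an IPv6 prefix: $Nat64Prefix" }

    # 12 prefix bytes + the 4 bytes of 127.0.0.1
    $loopbackBytes = ([System.Net.IPAddress]::Parse('127.0.0.1')).GetAddressBytes()
    $bytes = [byte[]]($prefixBytes[0..11] + $loopbackBytes)
    return ([System.Net.IPAddress]::new($bytes)).IPAddressToString
}

function Register-ConnectivityVerifierRecords {
    # Creates the A/AAAA records the page requires, following its rules:
    #   IPv4-only : webprobehost A -> server IPv4; corpconnectivityhost A 127.0.0.1
    #               plus AAAA built from the NAT64 prefix
    #   dual-stack: webprobehost A -> server IPv4; corpconnectivityhost AAAA ::1 only
    #   IPv6-only : webprobehost AAAA -> server IPv6; corpconnectivityhost AAAA ::1 only
    # Requires the DnsServer module (run on, or remoted to, the internal DNS server).
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][ValidateSet('IPv4Only', 'DualStack', 'IPv6Only')][string]$Environment,
        [string]$ServerInternalIPv4,
        [string]$ServerInternalIPv6,
        [string]$Nat64Prefix
    )

    if ($Environment -eq 'IPv6Only') {
        Add-DnsServerResourceRecordAAAA -ZoneName $ZoneName -Name 'directaccess-webprobehost' -IPv6Address $ServerInternalIPv6
    } else {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'directaccess-webprobehost' -IPv4Address $ServerInternalIPv4
    }

    if ($Environment -eq 'IPv4Only') {
        Add-DnsServerResourceRecordA    -ZoneName $ZoneName -Name 'directaccess-corpconnectivityhost' -IPv4Address '127.0.0.1'
        Add-DnsServerResourceRecordAAAA -ZoneName $ZoneName -Name 'directaccess-corpconnectivityhost' -IPv6Address (New-Nat64LoopbackAddress $Nat64Prefix)
    } else {
        # Page rule: in IPv4+IPv6 or IPv6-only environments only the ::1 AAAA record is created.
        Add-DnsServerResourceRecordAAAA -ZoneName $ZoneName -Name 'directaccess-corpconnectivityhost' -IPv6Address '::1'
    }
}

# Offline check of the address construction with a constructed sample prefix.
$sampleNat64 = 'fd00:0:0:7777::/96'
$aaaa = New-Nat64LoopbackAddress -Nat64Prefix $sampleNat64
"AAAA for directaccess-corpconnectivityhost ($sampleNat64): $aaaa"   # fd00:0:0:7777::7f00:1

# On the DNS server, an IPv4-only deployment would then run (sample values):
# Register-ConnectivityVerifierRecords -ZoneName 'corp.contoso.com' -Environment IPv4Only `
#     -ServerInternalIPv4 '10.0.0.5' -Nat64Prefix $sampleNat64
```

After registration, Resolve-DnsName directaccess-corpconnectivityhost.corp.contoso.com from an intranet client is a quick way to confirm both record types are returned.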

DNS server requirements
  • For DirectAccess clients, you must use a DNS server running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or any DNS server that supports IPv6.

  • You should use a DNS server that supports dynamic updates. You can use DNS servers that do not support dynamic updates, but then entries must be manually updated.

  • The FQDN for your CRL distribution points must be resolvable by using Internet DNS servers. For example, if the URL https://crl.contoso.com/crld/corp-DC1-CA.crl is in the CRL Distribution Points field of the IP-HTTPS certificate of the Remote Access server, you must ensure that the FQDN crl.contoso.com is resolvable by using Internet DNS servers.

Plan for local name resolution

Consider the following when you are planning for local name resolution:

NRPT

You may need to create additional name resolution policy table (NRPT) rules in the following situations:

  • You need to add more DNS suffixes for your intranet namespace.

  • If the FQDNs of your CRL distribution points are based on your intranet namespace, you must add exemption rules for the FQDNs of the CRL distribution points.

  • If you have a split-brain DNS environment, you must add exemption rules for the names of resources for which you want DirectAccess clients that are located on the Internet to access the Internet version, rather than the intranet version.

  • If you are redirecting traffic to an external website through your intranet web proxy servers, the external website is available only from the intranet. It uses the addresses of your web proxy servers to permit the inbound requests. In this situation, add an exemption rule for the FQDN of the external website, and specify that the rule uses your intranet web proxy server rather than the IPv6 addresses of intranet DNS servers.

    For example, let's say that you are testing an external website named test.contoso.com. This name is not resolvable through Internet DNS servers, but the Contoso web proxy server knows how to resolve the name and how to direct requests for the website to the external web server. To prevent users who are not on the Contoso intranet from accessing the site, the external website allows requests only from the IPv4 Internet address of the Contoso web proxy. Thus, intranet users can access the website because they are using the Contoso web proxy, but DirectAccess users cannot because they are not using the Contoso web proxy. By configuring an NRPT exemption rule for test.contoso.com that uses the Contoso web proxy, webpage requests for test.contoso.com are routed to the intranet web proxy server over the IPv4 Internet.
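The following PowerShell is an added example, not part of the original page: it simulates how a DirectAccess client walks the NRPT for the names used in this section (the single-label https://internal, the nls.corp.contoso.com exemption, and the test.contoso.com web proxy rule), so the lookup rules above can be checked offline. The rule table, suffix list and addresses are constructed sample values, and the longest-namespace-wins matching is an assumption noted in the code.

```powershell
# Added example (not from the original page). Constructed sample NRPT: one
# suffix rule pointing at a DNS64 address, one exemption (no server) for the
# network location server, and one web proxy rule for the external test site.
$SuffixSearchList = @('corp.contoso.com')
$Nrpt = @(
    @{ Namespace = '.corp.contoso.com';    DnsServers = @('fd00:0:0:7777::1'); Proxy = $null }
    @{ Namespace = 'nls.corp.contoso.com'; DnsServers = @();                  Proxy = $null }
    @{ Namespace = 'test.contoso.com';     DnsServers = @();                  Proxy = 'proxy.corp.contoso.com:8080' }
)

function Resolve-NrptDecision {
    # Returns which path a name takes: IntranetDns (DNS64/intranet server),
    # WebProxy, Exempt (matched, no server: normal resolution) or InternetDns
    # (no NRPT match: the adapter's DNS servers).
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Suffixes = $SuffixSearchList,
        [object[]]$Rules = $Nrpt
    )

    # Accept a URL such as https://internal and keep only the host part.
    $hostName = (($Name -replace '^[a-z]+://', '') -split '/')[0].ToLower()

    # Single-label names get the first configured DNS suffix appended to form an FQDN.
    $fqdn = if ($hostName -notmatch '\.') { "$hostName.$($Suffixes[0])" } else { $hostName }

    # A leading-dot namespace is a suffix rule; otherwise the rule is an exact FQDN.
    # Assumption: the most specific (longest) matching namespace wins, so the
    # nls.corp.contoso.com exemption takes precedence over the .corp.contoso.com suffix rule.
    $match = $Rules |
        Where-Object {
            ($_.Namespace.StartsWith('.') -and $fqdn.EndsWith($_.Namespace)) -or ($fqdn -eq $_.Namespace)
        } |
        Sort-Object { $_.Namespace.Length } -Descending |
        Select-Object -First 1

    if (-not $match) {
        return [pscustomobject]@{ Fqdn = $fqdn; Action = 'InternetDns'; Target = 'adapter DNS servers' }
    }
    if ($match.Proxy) {
        return [pscustomobject]@{ Fqdn = $fqdn; Action = 'WebProxy';    Target = $match.Proxy }
    }
    if ($match.DnsServers.Count -gt 0) {
        return [pscustomobject]@{ Fqdn = $fqdn; Action = 'IntranetDns'; Target = ($match.DnsServers -join ',') }
    }
    # Matched but no DNS server or proxy: exemption rule, normal name resolution applies.
    return [pscustomobject]@{ Fqdn = $fqdn; Action = 'Exempt'; Target = 'adapter DNS servers' }
}

# Walk the names discussed in this section. Expected actions:
#   internal.corp.contoso.com -> IntranetDns, nls.corp.contoso.com -> Exempt,
#   test.contoso.com -> WebProxy, www.contoso.com -> InternetDns
'https://internal', 'nls.corp.contoso.com', 'test.contoso.com', 'www.contoso.com' |
    ForEach-Object { Resolve-NrptDecision -Name $_ } |
    Format-Table -AutoSize
```

On a real deployment the wizard creates these rules; Add-DAClientDnsConfiguration -DnsSuffix with -DnsIPAddress, with -ProxyServer, or with neither (an exemption) adds the same three rule kinds from PowerShell.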

单标签名称Single label names

单个标签名称(例如 https://paycheck )有时用于 intranet 服务器。Single label names, such as https://paycheck, are sometimes used for intranet servers. 如果请求单标签名称并配置了 DNS 后缀搜索列表,则列表中的 DNS 后缀将追加到单标签名称。If a single label name is requested and a DNS suffix search list is configured, the DNS suffixes in the list will be appended to the single label name. 例如,当用户在 web 浏览器中是 corp.contoso.com 域类型的成员的计算机上时 https://paycheck ,作为名称构造的 FQDN 为 paycheck.corp.contoso.com。For example, when a user on a computer that is a member of the corp.contoso.com domain types https://paycheck in the web browser, the FQDN that is constructed as the name is paycheck.corp.contoso.com. 默认情况下,附加的后缀基于客户端计算机的主 DNS 后缀。By default, the appended suffix is based on the primary DNS suffix of the client computer.

备注

在不相互连接的命名空间方案中 (其中一台或多台域计算机具有与计算机) 成员的 Active Directory 域不匹配的 DNS 后缀,则应确保将搜索列表自定义为包括所有必需的后缀。In a disjointed name space scenario (where one or more domain computers has a DNS suffix that does not match the Active Directory domain to which the computers are members), you should ensure that the search list is customized to include all the required suffixes. 默认情况下,远程访问向导会将 Active Directory DNS 名称配置为客户端上的主 DNS 后缀。By default, the Remote Access Wizard, configures the Active Directory DNS name as the primary DNS suffix on the client. 请确保添加客户端用于名称解析的 DNS 后缀。Make sure to add the DNS suffix that is used by clients for name resolution.

如果在你的组织中部署了多个域和 Windows Internet 名称服务 (WINS) ,并且你远程连接,则可以按如下方式解析单个名称:If multiple domains and Windows Internet Name Service (WINS) are deployed in your organization, and you are connecting remotely, single-names can be resolved as follows:

  • 在 DNS 中部署 WINS 前向查找区域。By deploying a WINS forward lookup zone in the DNS. 尝试解析 computername.dns.zone1.corp.contoso.com 时,请求会定向到仅使用计算机名称的 WINS 服务器。When trying to resolve computername.dns.zone1.corp.contoso.com, the request is directed to the WINS server that is only using the computer name. 客户端认为它正在发出常规 DNS A 记录请求,但它实际上是 NetBIOS 请求。The client thinks it is issuing a regular DNS A records request, but it is actually a NetBIOS request.

    有关详细信息,请参阅管理正向查找区域For more information, see Managing a Forward Lookup Zone.

  • 通过添加 DNS 后缀 (例如,dns.zone1.corp.contoso.com) 到默认域 GPO。By adding a DNS suffix (for example, dns.zone1.corp.contoso.com) to the default domain GPO.

拆分式 DNSSplit-brain DNS

拆分式 DNS 指的是对 Internet 和 intranet 名称解析使用同一个 DNS 域。Split-brain DNS refers to the use of the same DNS domain for Internet and intranet name resolution.

对于拆分式 DNS 部署,你必须列出 Internet 和 intranet 上重复的 Fqdn,并确定 DirectAccess 客户端应访问的资源-intranet 或 Internet 版本。For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet, and decide which resources the DirectAccess client should reach-the intranet or the Internet version. 当你希望 DirectAccess 客户端访问 Internet 版本时,必须将相应的 FQDN 作为免除规则添加到每个资源的 NRPT 中。When you want DirectAccess clients to reach the Internet version, you must add the corresponding FQDN as an exemption rule to the NRPT for each resource.

在拆分式 DNS 环境中,如果希望资源的两个版本都可用,请使用与 Internet 上使用的名称不重复的名称配置 intranet 资源。In a split-brain DNS environment, if you want both versions of the resource to be available, configure your intranet resources with names that do not duplicate the names that are used on the Internet. 然后,当用户访问 intranet 上的资源时,指示用户使用替代名称。Then instruct your users to use the alternate name when they access the resource on the intranet. 例如,将 www . internal.contoso.com 配置为 www contoso.com 的内部名称 . 。For example, configure www.internal.contoso.com for the internal name of www.contoso.com.

在非拆分式 DNS 环境中,Internet 命名空间不同于 Intranet 命名空间。In a non-split-brain DNS environment, the Internet namespace is different from the intranet namespace. 例如,Contoso 公司在 Internet 上使用 contoso.com,在 Intranet 上使用 corp.contoso.com。For example, the Contoso Corporation uses contoso.com on the Internet and corp.contoso.com on the intranet. 因为所有 Intranet 资源都使用 corp.contoso.com DNS 后缀,所以 corp.contoso.com 的 NRPT 规则会将针对所有 Intranet 资源的 DNS 名称查询都路由到 Intranet DNS 服务器。Because all intranet resources use the corp.contoso.com DNS suffix, the NRPT rule for corp.contoso.com routes all DNS name queries for intranet resources to intranet DNS servers. 具有 contoso.com 后缀的名称的 DNS 查询与 NRPT 中的 corp.contoso.com intranet 命名空间规则不匹配,并将其发送到 Internet DNS 服务器。DNS queries for names with the contoso.com suffix do not match the corp.contoso.com intranet namespace rule in the NRPT, and they are sent to Internet DNS servers. 对于非拆分式 DNS 部署,由于 Intranet 和 Internet 资源的 FQDN 互不重复,因此无需对 NRPT 进行其他配置。With a non-split-brain DNS deployment, because there is no duplication of FQDNs for intranet and Internet resources, there is no additional configuration needed for the NRPT. DirectAccess 客户端可以访问其组织的 Internet 和 intranet 资源。DirectAccess clients can access both Internet and intranet resources for their organization.

规划 DirectAccess 客户端的本地名称解析行为Plan local name resolution behavior for DirectAccess clients

如果无法使用 DNS 解析名称,Windows Server 2012、Windows 8、Windows Server 2008 R2 和 Windows 7 中的 DNS 客户端服务可以使用本地名称解析,本地名称解析 (LLMNR) 和 TCP/IP 上的 NetBIOS 协议)来解析本地子网上的名称。If a name cannot be resolved with DNS, the DNS Client service in Windows Server 2012 , Windows 8, Windows Server 2008 R2 , and Windows 7 can use local name resolution, with the Link-Local Multicast Name Resolution (LLMNR) and NetBIOS over TCP/IP protocols, to resolve the name on the local subnet. 当计算机位于专用网络(如单个子网家庭网络)上时,对等连接通常需要使用本地名称解析。Local name resolution is typically needed for peer-to-peer connectivity when the computer is located on private networks, such as single subnet home networks.

当 DNS 客户端服务对 intranet 服务器名称执行本地名称解析,并且计算机连接到 Internet 上的共享子网时,恶意用户可以捕获 LLMNR 和 TCP/IP 上的 NetBIOS 消息来确定 intranet 服务器名称。When the DNS Client service performs local name resolution for intranet server names, and the computer is connected to a shared subnet on the Internet, malicious users can capture LLMNR and NetBIOS over TCP/IP messages to determine intranet server names. 在基础结构服务器安装向导的 "DNS" 页上,你可以根据从 intranet DNS 服务器收到的响应类型来配置本地名称解析行为。On the DNS page of the Infrastructure Server Setup Wizard, you can configure the local name resolution behavior based on the types of responses received from intranet DNS servers. 提供了以下选项:The following options are available:

  • 如果 DNS 中不存在该名称,则使用本地名称解析:此选项是最安全的,因为 DirectAccess 客户端仅对 intranet DNS 服务器无法解析的服务器名称执行本地名称解析。Use local name resolution if the name does not exist in DNS: This option is the most secure because the DirectAccess client performs local name resolution only for server names that cannot be resolved by intranet DNS servers. 如果可以访问 Intranet DNS 服务器,则将解析 Intranet 服务器的名称。If the intranet DNS servers can be reached, the names of intranet servers are resolved. 如果无法访问 Intranet DNS 服务器,或者存在其他类型的 DNS 错误,则不会通过本地名称解析将 Intranet 服务器名称泄漏到子网中。If the intranet DNS servers cannot be reached, or if there are other types of DNS errors, the intranet server names are not leaked to the subnet through local name resolution.

  • **如果 dns 中不存在该名称,或者在客户端计算机位于专用网络上时无法访问 dns 服务器,则使用本地名称解析 (建议的) **:建议使用此选项,因为仅当无法访问 intranet DNS 服务器时,此选项才允许在专用网络上使用本地名称解析。Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended): This option is recommended because it allows the use of local name resolution on a private network only when the intranet DNS servers are unreachable.

  • **对任何类型的 DNS 解析错误使用本地名称解析 (最不安全的) **:这是最不安全的选项,因为 intranet 网络服务器的名称可能会通过本地名称解析泄漏到本地子网。Use local name resolution for any kind of DNS resolution error (least secure): This is the least secure option because the names of intranet network servers can be leaked to the local subnet through local name resolution.

规划网络位置服务器配置Plan the network location server configuration

网络位置服务器是一个用于检测 DirectAccess 客户端是否位于企业网络中的网站。The network location server is a website that is used to detect whether DirectAccess clients are located in the corporate network. 企业网络中的客户端不使用 DirectAccess 访问内部资源;而是直接连接。Clients in the corporate network do not use DirectAccess to reach internal resources; but instead, they connect directly.

网络位置服务器网站可以托管在远程访问服务器上,也可以托管在组织中的另一个服务器上。The network location server website can be hosted on the Remote Access server or on another server in your organization. 如果将网络位置服务器托管在远程访问服务器上,则部署远程访问时将自动创建该网站。If you host the network location server on the Remote Access server, the website is created automatically when you deploy Remote Access. 如果将网络位置服务器托管在另一台运行 Windows 操作系统的服务器上,则必须确保在该服务器上安装 Internet Information Services (IIS) ,并创建该网站。If you host the network location server on another server running a Windows operating system, you must make sure that Internet Information Services (IIS) is installed on that server, and that the website is created. 远程访问不会在网络位置服务器上配置设置。Remote Access does not configure settings on the network location server.

请确保网络位置服务器网站满足以下要求:Make sure that the network location server website meets the following requirements:

  • 具有 HTTPS 服务器证书。Has an HTTPS server certificate.

  • 内部网络上的计算机具有高可用性。Has high availability to computers on the internal network.

  • 在 Internet 上,DirectAccess 客户端计算机无法访问。Is not accessible to DirectAccess client computers on the Internet.

此外,在设置网络位置服务器网站时,请考虑客户端的以下要求:In addition, consider the following requirements for clients when you are setting up your network location server website:

  • DirectAccess 客户端计算机必须信任将服务器证书颁发给网络位置服务器网站的 CA。DirectAccess client computers must trust the CA that issued the server certificate to the network location server website.

  • 内部网络上的 DirectAccess 客户端计算机必须能够解析网络位置服务器网站的名称。DirectAccess client computers on the internal network must be able to resolve the name of the network location server site.

规划网络位置服务器的证书Plan certificates for the network location server

获取用于网络位置服务器的网站证书时,请考虑以下事项:When you obtain the website certificate to use for the network location server, consider the following:

  • 在****“使用者”字段中,指定网络位置服务器的 Intranet 接口的 IP 地址,或网络位置 URL 的 FQDN。In the Subject field, specify the IP address of the intranet interface of the network location server or the FQDN of the network location URL.

  • 对于 "增强型密钥用法" 字段,请使用服务器身份验证 OID。For the Enhanced Key Usage field, use the Server Authentication OID.

  • 必须根据证书吊销列表 (CRL) 检查网络位置服务器证书。The network location server certificate must be checked against a certificate revocation list (CRL). 对于 " CRL 分发点" 字段,请使用连接到 Intranet 的 DirectAccess 客户端可访问的 crl 分发点。For the CRL Distribution Points field, use a CRL distribution point that is accessible by DirectAccess clients that are connected to the intranet. 不应从内部网络之外访问此 CRL 分发点。This CRL distribution point should not be accessible from outside the internal network.

规划网络位置服务器的 DNSPlan DNS for the network location server

DirectAccess 客户端尝试访问网络位置服务器,以确定它们是否位于内部网络上。DirectAccess clients attempt to reach the network location server to determine if they are on the internal network. 内部网络上的客户端必须能够解析该网络位置服务器的名称,但当它们位于 Internet 上时,必须阻止它们解析该名称。Clients on the internal network must be able to resolve the name of the network location server, but must be prevented from resolving the name when they are located on the Internet. 为了确保这一点,默认情况下,网络位置服务器的 FQDN 将作为免除规则添加到 NRPT。To ensure this occurs, by default, the FQDN of the network location server is added as an exemption rule to the NRPT.

规划管理服务器的配置Plan management servers' configuration

DirectAccess 客户端启动与管理服务器的通信,这些服务器提供 Windows 更新和防病毒更新等服务。DirectAccess clients initiate communication with management servers that provide services such as Windows Update and antivirus updates. DirectAccess 客户端还使用 Kerberos 协议对域控制器进行身份验证,然后才能访问内部网络。DirectAccess clients also use the Kerberos protocol to authenticate to domain controllers before they access the internal network. 在 DirectAccess 客户端的远程管理期间,管理服务器与客户端计算机进行通信以执行管理功能,例如,软件或硬件清单评估。During remote management of DirectAccess clients, management servers communicate with client computers to perform management functions such as software or hardware inventory assessments. 远程访问可以自动发现某些管理服务器,包括:Remote Access can automatically discover some management servers, including:

  • 域控制器:对包含客户端计算机的域以及与远程访问服务器位于同一林中的所有域执行自动发现域控制器。Domain controllers: Automatic discovery of domain controllers is performed for the domains that contain client computers and for all domains in the same forest as the Remote Access server.

  • Microsoft 端点 Configuration Manager 服务器Microsoft Endpoint Configuration Manager servers

首次配置 DirectAccess 时,会自动检测域控制器和 Configuration Manager 服务器。Domain controllers and Configuration Manager servers are automatically detected the first time DirectAccess is configured. 检测到的域控制器不会显示在控制台中,但可以使用 Windows PowerShell cmdlet 来检索设置。The detected domain controllers are not displayed in the console, but settings can be retrieved using Windows PowerShell cmdlets. 如果修改了域控制器或 Configuration Manager 服务器,请单击控制台中的 "更新管理服务器" 将刷新管理服务器列表。If domain controller or Configuration Manager servers are modified, clicking Update Management Servers in the console refreshes the management server list.

管理服务器要求Management server requirements

  • 必须可通过基础结构隧道访问管理服务器。Management servers must be accessible over the infrastructure tunnel. 在你配置远程访问时,将服务器添加到管理服务器列表将自动使它们可以通过此隧道进行访问。When you configure Remote Access, adding servers to the management servers list automatically makes them accessible over this tunnel.

  • 启动与 DirectAccess 客户端的连接的管理服务器必须完全支持 IPv6,方法是使用本机 IPv6 地址或使用由 ISATAP 分配的地址。Management servers that initiate connections to DirectAccess clients must fully support IPv6, by means of a native IPv6 address or by using an address that is assigned by ISATAP.

规划 Active Directory 要求Plan Active Directory requirements

远程访问使用 Active Directory,如下所示:Remote Access uses Active Directory as follows:

  • 身份验证:基础结构隧道对连接到远程访问服务器的计算机帐户使用 NTLMv2 身份验证,并且该帐户必须位于 Active Directory 域中。Authentication: The infrastructure tunnel uses NTLMv2 authentication for the computer account that is connecting to the Remote Access server, and the account must be in an Active Directory domain. Intranet 隧道使用 Kerberos 身份验证,以便用户创建 intranet 隧道。The intranet tunnel uses Kerberos authentication for the user to create the intranet tunnel.

  • 组策略对象:远程访问将配置设置收集到 gpo) 组策略对象 (,这些对象将应用于远程访问服务器、客户端和内部应用程序服务器。Group Policy Objects: Remote Access gathers configuration settings into Group Policy Objects (GPOs), which are applied to Remote Access servers, clients, and internal application servers.

  • 安全组:远程访问使用安全组来收集和标识 DirectAccess 客户端计算机。Security groups: Remote Access uses security groups to gather and identify DirectAccess client computers. Gpo 应用于所需的安全组。GPOs are applied to the required security groups.

规划远程访问部署的 Active Directory 环境时,请考虑以下要求:When you plan an Active Directory environment for a Remote Access deployment, consider the following requirements:

  • Windows Server 2012、Windows Server 2008 R2 Windows Server 2008 或 Windows Server 2003 操作系统上至少安装了一个域控制器。At least one domain controller is installed on the Windows Server 2012 , Windows Server 2008 R2 Windows Server 2008 , or Windows Server 2003 operating system.

    如果域控制器位于外围网络上 (因此可从远程访问服务器的面向 Internet 的网络适配器) 访问它,则阻止远程访问服务器访问它。If the domain controller is on a perimeter network (and therefore reachable from the Internet-facing network adapter of Remote Access server), prevent the Remote Access server from reaching it. 你需要在域控制器上添加数据包筛选器,以防止连接到 Internet 适配器的 IP 地址。You need to add packet filters on the domain controller to prevent connectivity to the IP address of the Internet adapter.

  • 远程访问客户端必须使用 V.90 调制解调器。The Remote Access server must be a domain member.

  • DirectAccess 客户端必须是域成员。DirectAccess clients must be domain members. 客户端可以属于:Clients can belong to:

    • 与远程访问服务器位于同一林中的任何域。Any domain in the same forest as the Remote Access server.

    • 与远程访问服务器域具有双向信任的任何域。Any domain that has a two-way trust with the Remote Access server domain.

    • 林中与远程访问服务器域的林有双向信任关系的任何域。Any domain in a forest that has a two-way trust with the forest of the Remote Access server domain.

备注

  • 远程访问服务器不可以是域控制器。The Remote Access server cannot be a domain controller.
  • 无法从远程访问服务器的外部 Internet 适配器访问用于远程访问的 Active Directory 域控制器 (该适配器不得位于 Windows 防火墙) 的域配置文件中。The Active Directory domain controller that is used for Remote Access must not be reachable from the external Internet adapter of the Remote Access server (the adapter must not be in the domain profile of Windows Firewall).

规划客户端身份验证Plan client authentication

在 Windows Server 2012 中的远程访问中,可以选择使用内置 Kerberos 身份验证(使用用户名和密码),也可以选择使用证书进行 IPsec 计算机身份验证。In Remote Access in Windows Server 2012 , you can choose between using built-in Kerberos authentication, which uses user names and passwords, or using certificates for IPsec computer authentication.

Kerberos 身份验证:选择使用 Active Directory 凭据进行身份验证时,DirectAccess 首先将 kerberos 身份验证用于计算机,然后使用用户的 kerberos 身份验证。Kerberos authentication: When you choose to use Active Directory credentials for authentication, DirectAccess first uses Kerberos authentication for the computer, and then it uses Kerberos authentication for the user. 使用这种身份验证模式时,DirectAccess 使用单个安全隧道,该隧道提供对 DNS 服务器、域控制器和内部网络上的任何其他服务器的访问权限。When using this mode of authentication, DirectAccess uses a single security tunnel that provides access to the DNS server, the domain controller, and any other server on the internal network

IPsec 身份验证:选择使用双因素身份验证或网络访问保护时,DirectAccess 将使用两个安全隧道。IPsec authentication: When you choose to use two-factor authentication or Network Access Protection, DirectAccess uses two security tunnels. 远程访问设置向导配置高级安全 Windows 防火墙中的连接安全规则。The Remote Access Setup Wizard configures connection security rules in Windows Firewall with Advanced Security. 在将 IPsec 安全协商到远程访问服务器时,这些规则将指定以下凭据:These rules specify the following credentials when negotiating IPsec security to the Remote Access server:

  • 基础结构隧道使用计算机证书凭据进行第一次身份验证,使用用户 (NTLMv2) 凭据进行第二次身份验证。The infrastructure tunnel uses computer certificate credentials for the first authentication and user (NTLMv2) credentials for the second authentication. 用户凭据强制使用已验证 Internet 协议 (AuthIP) ,并提供对 DNS 服务器和域控制器的访问权限,然后 DirectAccess 客户端才能使用 intranet 隧道的 Kerberos 凭据。User credentials force the use of Authenticated Internet Protocol (AuthIP), and they provide access to a DNS server and domain controller before the DirectAccess client can use Kerberos credentials for the intranet tunnel.

  • Intranet 隧道使用计算机证书凭据进行第一次身份验证,使用用户 (Kerberos V5) 凭据进行第二次身份验证。The intranet tunnel uses computer certificate credentials for the first authentication and user (Kerberos V5) credentials for the second authentication.

规划多个域Plan multiple domains

管理服务器列表应包括来自所有域的域控制器,这些域所包含的安全组中具有 DirectAccess 客户端计算机。The management servers list should include domain controllers from all domains that contain security groups that include DirectAccess client computers. 它应包含所有域,其中包含可能使用配置为 DirectAccess 客户端的计算机的用户帐户。It should contain all domains that contain user accounts that might use computers configured as DirectAccess clients. 这可确保通过用户域中的域控制器,可以对未与用户使用的客户端计算机位于同一域中的用户进行身份验证。This ensures that users who are not located in the same domain as the client computer they are using are authenticated with a domain controller in the user domain.

如果域在同一林中,则此身份验证是自动进行的。This authentication is automatic if the domains are in the same forest. 如果有一个安全组具有不同林中的客户端计算机或应用程序服务器,则不会自动检测这些林的域控制器。If there is a security group with client computers or application servers that are in different forests, the domain controllers of those forests are not detected automatically. 也不会自动检测林。Forests are also not detected automatically. 你可以在远程访问管理中运行任务更新管理服务器,以检测这些域控制器。You can run the task Update Management Servers in the Remote Access Management to detect these domain controllers.

如果可能,应在远程访问部署过程中将公用域名后缀添加到 NRPT。Where possible, common domain name suffixes should be added to the NRPT during Remote Access deployment. 例如,如果你有两个域(domain1.corp.contoso.com 和 domain2.corp.contoso.com),你可以添加一个常见的 DNS 后缀条目(其中域名后缀是 corp.contoso.com),而不是将两个条目都添加到 NRPT 中。For example, if you have two domains, domain1.corp.contoso.com and domain2.corp.contoso.com, instead of adding two entries into the NRPT, you can add a common DNS suffix entry, where the domain name suffix is corp.contoso.com. 对于同一根中的域,会自动发生这种情况。This happens automatically for domains in the same root. 必须手动添加不在同一根中的域。Domains that are not in the same root must be added manually.

规划组策略对象创建Plan Group Policy Object creation

配置远程访问时,DirectAccess 设置将收集到组策略对象 (Gpo) 中。When you configure Remote Access, DirectAccess settings are collected into Group Policy Objects (GPOs). 两个 Gpo 都是用 DirectAccess 设置填充的,它们的分发方式如下:Two GPOs are populated with DirectAccess settings, and they are distributed as follows:

  • DirectAccess 客户端 gpo:此 gpo 包含客户端设置,包括 IPv6 转换技术设置、NRPT 条目和高级安全 Windows 防火墙连接安全规则。DirectAccess client GPO: This GPO contains client settings, including IPv6 transition technology settings, NRPT entries, and connection security rules for Windows Firewall with Advanced Security. 此 GPO 将应用于为客户端计算机指定的安全组。The GPO is applied to the security groups that are specified for the client computers.

  • Directaccess 服务器 gpo:此 gpo 包含的 directaccess 配置设置适用于在部署中配置为远程访问服务器的任何服务器。DirectAccess server GPO: This GPO contains the DirectAccess configuration settings that are applied to any server that you configured as a Remote Access server in your deployment. 它还包含高级安全 Windows 防火墙的连接安全规则。It also contains connection security rules for Windows Firewall with Advanced Security.

备注

远程管理 DirectAccess 客户端不支持应用程序服务器的配置,因为客户端无法访问应用程序服务器所在的 DirectAccess 服务器的内部网络。Configuration of application servers is not supported in remote management of DirectAccess clients because clients cannot access the internal network of the DirectAccess server where the application servers reside. 远程访问设置配置屏幕中的步骤4不适用于此类型的配置。Step 4 in the Remote Access Setup configuration screen is unavailable for this type of configuration.

你可以自动或手动配置 Gpo。You can configure GPOs automatically or manually.

自动:指定自动创建 gpo 时,将为每个 GPO 指定默认名称。Automatically: When you specify that GPOs are created automatically, a default name is specified for each GPO.

手动:你可以使用已由 Active Directory 管理员预定义的 gpo。Manually: You can use GPOs that have been predefined by the Active Directory administrator.

配置 Gpo 时,请考虑以下警告:When you configure your GPOs, consider the following warnings:

  • 将 DirectAccess 配置为使用特定的 GPO 后,无法将它配置为使用不同的 GPO。After DirectAccess is configured to use specific GPOs, it cannot be configured to use different GPOs.

  • 运行 DirectAccess cmdlet 之前,请使用以下过程备份所有远程访问组策略对象:Use the following procedure to back up all Remote Access Group Policy Objects before you run DirectAccess cmdlets:

    备份和还原远程访问配置Back up and Restore Remote Access Configuration.

  • 无论你使用的是自动还是手动配置的 Gpo,如果你的客户端将使用3G,则需要添加用于慢速链接检测的策略。Whether you are using automatically or manually configured GPOs, you need to add a policy for slow link detection if your clients will use 3G. "策略:配置组策略慢速链接检测" 的路径为:The path for Policy: Configure Group Policy slow link detection is:

    “计算机配置”/“策略”/“管理模板”/“系统”/“组策略”****。Computer configuration/Polices/Administrative Templates/System/Group Policy.

  • 如果链接 Gpo 的正确权限不存在,则会发出警告。If the correct permissions for linking GPOs do not exist, a warning is issued. 远程访问操作将继续,但不会出现链接。The Remote Access operation will continue, but linking will not occur. 如果发出此警告,则不会自动创建链接,即使稍后添加了权限也是如此。If this warning is issued, links will not be created automatically, even if the permissions are added later. 相反,管理员必须手动创建链接。Instead the administrator needs to create the links manually.

Automatically created GPOs

Consider the following when using automatically created GPOs:

Automatically created GPOs are applied according to their location and link target, as follows:

  • For the DirectAccess server GPO, the location and link target point to the domain that contains the Remote Access server.

  • When client and application server GPOs are created, the location is set to a single domain. The GPO name is looked up in each domain, and if it exists there, the GPO in that domain is populated with DirectAccess settings.

  • The link target is set to the root of the domain in which the GPO was created. A GPO is created for each domain that contains client computers or application servers, and each GPO is linked to the root of its respective domain.

When automatically created GPOs are used to apply DirectAccess settings, the Remote Access server administrator requires the following permissions:

  • Permissions to create GPOs in each domain.

  • Permissions to link GPOs at the root of every selected client domain.

  • Permissions to link the server GPO at the root of its domain.

  • Security permissions to create, edit, delete, and modify the GPOs.

  • GPO read permissions in each required domain. This permission is not strictly required, but it is recommended because it lets Remote Access verify that no GPO with a duplicate name exists when GPOs are being created.

Manually created GPOs

Consider the following when using manually created GPOs:

  • The GPOs should exist before you run the Remote Access Setup Wizard.

  • To apply DirectAccess settings, the Remote Access server administrator requires full security permissions to create, edit, delete, and modify the manually created GPOs.

  • The entire domain is searched for a link to the GPO. If the GPO is not linked anywhere in the domain, a link is created automatically at the domain root. If the permissions required to create the link are not available, a warning is issued.
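For the manual path, the requirements above (the GPOs exist before the wizard runs, no duplicate names, and a link at the domain root that the wizard would otherwise only warn about) can be satisfied and verified up front. The script below is an added example, not code from the original page or from the Remote Access product. It assumes the GroupPolicy module is installed, that the account has rights to create GPOs and to link at the domain root, and that the domain, its distinguished name, and the GPO names are placeholders; the Install-RemoteAccess parameter names at the end are taken from that cmdlet, but the remaining deployment-specific arguments are omitted.

```powershell
# Added example, not from the original page. Assumes the GroupPolicy module is
# installed and the account can create GPOs and link them at the domain root.
Import-Module GroupPolicy

$domain   = 'corp.example.com'              # assumed domain name
$domainDN = 'DC=corp,DC=example,DC=com'     # assumed DN of the domain root
$gpoNames = @{                              # assumed names for the pre-created GPOs
    Server = 'RA Server Settings'
    Client = 'RA Client Settings'
}

foreach ($role in $gpoNames.Keys) {
    $name = $gpoNames[$role]

    # Create the GPO only if it does not already exist. The wizard looks the
    # GPO up by name, so a duplicate would make that lookup ambiguous.
    $gpo = Get-GPO -Name $name -Domain $domain -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $name -Domain $domain -Comment "Pre-created for Remote Access ($role)"
        "Created GPO '$name' ($($gpo.Id))"
    }

    # Link the GPO at the domain root ourselves. If the wizard cannot create the
    # link it only warns and continues, and the link never gets added later.
    $linked = (Get-GPInheritance -Target $domainDN -Domain $domain).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }
    if ($linked) {
        "'$name' is already linked at $domainDN"
        continue
    }
    try {
        New-GPLink -Guid $gpo.Id -Domain $domain -Target $domainDN -LinkEnabled Yes -ErrorAction Stop | Out-Null
        "Linked '$name' at $domainDN"
    } catch {
        Write-Warning "Could not link '$name' at ${domainDN}: $($_.Exception.Message)"
    }
}

# Hand the pre-created GPOs to the setup cmdlet in the domain\name form it
# expects. Only the GPO parameters are shown; the other arguments that
# Install-RemoteAccess needs for a given deployment are not covered here.
$serverGpo = "$domain\$($gpoNames.Server)"
$clientGpo = "$domain\$($gpoNames.Client)"
"Install-RemoteAccess ... -ServerGpoName '$serverGpo' -ClientGpoName '$clientGpo'"
```

Running the link step with the same account that will run the wizard is the useful part: a failure here surfaces the missing link permission before the wizard reaches the point where it only warns.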

Recovering from a deleted GPO

If a GPO on a Remote Access server, client, or application server has been deleted by accident, the following error message appears: GPO (GPO name) cannot be found.

If a backup is available, you can restore the GPO from the backup. If no backup is available, you must remove the configuration settings and configure them again.

To remove configuration settings
  1. Run the Windows PowerShell cmdlet Uninstall-RemoteAccess.

  2. Open Remote Access Management.

  3. You will see an error message stating that the GPO was not found. Click Remove configuration settings. After completion, the server is restored to an unconfigured state, and you can reconfigure the settings.
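The recovery decision above (restore from backup if one exists, otherwise tear the configuration down and rebuild it) can be scripted for the restore branch and for step 1 of the removal procedure. The following is an added example and is not part of the original page or of the Remote Access product. It assumes a backup folder produced by Backup-GPO (path assumed), that the GroupPolicy and RemoteAccess modules are installed on the Remote Access server, and that the GPO name comes from the "cannot be found" error. It also assumes, as a point to verify in your environment, that restoring a GPO does not recreate its link at the domain root, which is why the link is checked after the restore.

```powershell
# Added example, not from the original page. Run on the Remote Access server.
# Assumes a Backup-GPO folder at $backupRoot and the modules below installed.
Import-Module GroupPolicy
Import-Module RemoteAccess

$domain     = 'corp.example.com'                # assumed domain name
$domainDN   = 'DC=corp,DC=example,DC=com'       # assumed DN of the domain root
$backupRoot = 'C:\GPOBackups\RemoteAccess'      # assumed backup location
$missing    = 'DirectAccess Client Settings'    # name reported by "GPO (name) cannot be found"

if (Get-GPO -Name $missing -Domain $domain -ErrorAction SilentlyContinue) {
    "GPO '$missing' exists; nothing to recover."
    return
}

try {
    # Restore-GPO picks the most recent backup of that name under $backupRoot
    # and fails if there is none.
    $restored = Restore-GPO -Name $missing -Path $backupRoot -Domain $domain -ErrorAction Stop
    "Restored '$($restored.DisplayName)' ($($restored.Id)) from backup."

    # Assumption: the restore brings back settings and permissions but not the
    # link at the domain root, and Remote Access will not add a missing link
    # on its own, so re-create it if it is absent.
    $linked = (Get-GPInheritance -Target $domainDN -Domain $domain).GpoLinks |
        Where-Object { $_.GpoId -eq $restored.Id }
    if (-not $linked) {
        New-GPLink -Guid $restored.Id -Domain $domain -Target $domainDN -LinkEnabled Yes | Out-Null
        "Re-linked '$missing' at $domainDN"
    }
}
catch {
    Write-Warning "No usable backup for '$missing': $($_.Exception.Message)"
    # No backup: remove the Remote Access configuration and set it up again.
    # This is step 1 of the procedure above; steps 2 and 3 (Remove configuration
    # settings) are completed in the Remote Access Management console.
    Uninstall-RemoteAccess -Force
    "Remote Access configuration removed; open Remote Access Management and click Remove configuration settings."
}
```

Check the restored GPO's settings in the Remote Access Management console before clients pick it up: a backup taken before the last configuration change restores the older settings, not the ones the server currently expects.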