Always On VPN technology overview

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows 10

For this deployment, you must install a new Remote Access server that is running Windows Server 2016 and modify some of your existing infrastructure.

The following illustration shows the infrastructure that is required to deploy Always On VPN.

[Figure: Always On VPN infrastructure]

The connection process depicted in this illustration consists of the following steps:

  1. Using public DNS servers, the Windows 10 VPN client performs a name resolution query for the IP address of the VPN gateway.

  2. Using the IP address returned by DNS, the VPN client sends a connection request to the VPN gateway.

  3. The VPN gateway is also configured as a Remote Authentication Dial-In User Service (RADIUS) client; the VPN RADIUS client sends the connection request to the organization/corporate NPS server for connection request processing.

  4. The NPS server processes the connection request, including performing authorization and authentication, and determines whether to allow or deny the connection request.

  5. The NPS server forwards an Access-Accept or Access-Deny response to the VPN gateway.

  6. The connection is initiated or terminated based on the response that the VPN server received from the NPS server.

For more information on each infrastructure component depicted in the illustration above, see the following sections.

Note

If you already have some of these technologies deployed on your network, you can use the instructions in this deployment guidance to perform additional configuration of the technologies for this deployment purpose.

Domain Name System (DNS)

Both internal and external Domain Name System (DNS) zones are required, which assumes that the internal zone is a delegated subdomain of the external zone (for example, corp.contoso.com and contoso.com).

Learn more about Domain Name System (DNS) or the Core Network Guide.

Note

Other DNS designs, such as split-brain DNS (using the same domain name internally and externally in separate DNS zones) or unrelated internal and external domains (e.g., contoso.local and contoso.com) are also possible. For more information about deploying split-brain DNS, see Use DNS Policy for Split-Brain DNS Deployment.

Firewalls

Make sure that your firewalls allow the traffic that is necessary for both VPN and RADIUS communications to function correctly.

For more information, see Configure Firewalls for RADIUS Traffic.

Remote Access as a RAS Gateway VPN Server

In Windows Server 2016, the Remote Access server role is designed to perform well as both a router and a remote access server; therefore, it supports a wide array of features. For this deployment guidance, you require only a small subset of these features: support for IKEv2 VPN connections and LAN routing.

IKEv2 is a VPN tunneling protocol described in Internet Engineering Task Force Request for Comments 7296. The primary advantage of IKEv2 is that it tolerates interruptions in the underlying network connection. For example, if the connection is temporarily lost or if a user moves a client computer from one network to another, IKEv2 automatically restores the VPN connection when the network connection is reestablished, all without user intervention.

By using RAS Gateway, you can deploy VPN connections to provide end users with remote access to your organization's network and resources. Deploying Always On VPN maintains a persistent connection between clients and your organization network whenever remote computers are connected to the Internet. With RAS Gateway, you can also create a site-to-site VPN connection between two servers at different locations, such as between your primary office and a branch office, and use Network Address Translation (NAT) so that users inside the network can access external resources, such as the Internet. Also, RAS Gateway supports Border Gateway Protocol (BGP), which provides dynamic routing services when your remote office locations also have edge gateways that support BGP.

You can manage Remote Access Service (RAS) Gateways by using Windows PowerShell commands and the Remote Access Microsoft Management Console (MMC).

Network Policy Server (NPS)

NPS allows you to create and enforce organization-wide network access policies for connection request authentication and authorization. When you use NPS as a Remote Authentication Dial-In User Service (RADIUS) server, you configure network access servers, such as VPN servers, as RADIUS clients in NPS.

You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.

For more information, see Network Policy Server (NPS).

Active Directory Certificate Services

The Certification Authority (CA) Server is a certification authority that is running Active Directory Certificate Services. The VPN configuration requires an Active Directory-based public key infrastructure (PKI).

Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments. For more information, see Active Directory Certificate Services Overview and Public Key Infrastructure Design Guidance.

During completion of the deployment, you will configure the following certificate templates on the CA.

  • The User Authentication certificate template

  • The VPN Server Authentication certificate template

  • The NPS Server Authentication certificate template

Certificate Templates

Certificate templates can greatly simplify the task of administering a certification authority (CA) by allowing you to issue certificates that are preconfigured for selected tasks. The Certificate Templates MMC snap-in allows you to perform the following tasks.

  • View properties for each certificate template.

  • Copy and modify certificate templates.

  • Control which users and computers can read templates and enroll for certificates.

  • Perform other administrative tasks relating to certificate templates.

Certificate templates are an integral part of an enterprise certification authority (CA). They are an important element of the certificate policy for an environment, which is the set of rules and formats for certificate enrollment, use, and management.

For more information, see Certificate Templates.

Digital Server Certificates

This deployment guidance provides instructions for using Active Directory Certificate Services (AD CS) to both enroll and automatically enroll certificates to Remote Access and NPS infrastructure servers. AD CS allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

When you use digital server certificates for authentication between computers on your network, the certificates provide:

  1. Confidentiality through encryption.

  2. Integrity through digital signatures.

  3. Authentication by associating certificate keys with a computer, user, or device account on a computer network.

For more information, see Active Directory Certificate Services Overview.

Active Directory Domain Services (AD DS)

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.

AD DS contains the user accounts, computer accounts, and account properties that are required by Protected Extensible Authentication Protocol (PEAP) to authenticate user credentials and to evaluate authorization for VPN connection requests. For information about deploying AD DS, see the Windows Server 2016 Core Network Guide.

During completion of the steps in this deployment, you will configure the following items on the domain controller.

  • Enable certificate autoenrollment in Group Policy for computers and users

  • Create the VPN Users Group

  • Create the VPN Servers Group

  • Create the NPS Servers Group

Active Directory Users and Computers

Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or a security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are referred to as group members.

User accounts in Active Directory Users and Computers have dial-in properties that NPS evaluates during the authorization process, unless the Network Access Permission property of the user account is set to Control access through NPS Network Policy. This is the default setting for all user accounts. In some cases, however, this setting might have a different configuration that blocks the user from connecting using VPN. To protect against this possibility, you can configure the NPS server to ignore user account dial-in properties.

For more information, see Configure NPS to Ignore User Account Dial-in Properties.

Group Policy Management

Group Policy Management enables directory-based change and configuration management of user and computer settings, including security and user information. You use Group Policy to define configurations for groups of users and computers.

With Group Policy, you can specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers (sites, domains, and OUs), you can apply the GPO's settings to the users and computers in those Active Directory containers. To manage Group Policy objects across an enterprise, you can use the Group Policy Management Editor Microsoft Management Console (MMC).

Windows 10 VPN Clients

In addition to the server components, ensure that the client computers you configure to use VPN are running Windows 10 Anniversary Update (version 1607). The Windows 10 VPN clients must be domain-joined to your Active Directory domain.

The Windows 10 VPN client is highly configurable and offers many options. To better illustrate the specific features this scenario uses, Table 1 identifies the VPN feature categories and specific configurations that this deployment references. You'll configure the individual settings for these features by using the VPNv2 configuration service provider (CSP) discussed later in this deployment.

Table 1. VPN Features and Configurations Discussed in this Deployment

| VPN feature | Deployment scenario configuration |
|---|---|
| Connection type | Native IKEv2 |
| Routing | Split tunneling |
| Name resolution | Domain Name Information List and DNS suffix |
| Triggering | Always On and Trusted Network Detection |
| Authentication | PEAP-TLS with TPM-protected user certificates |

Note

PEAP-TLS and TPM are "Protected Extensible Authentication Protocol with Transport Layer Security" and "Trusted Platform Module," respectively.

VPNv2 CSP Nodes

In this deployment, you use the ProfileXML VPNv2 CSP node to create the VPN profile that is delivered to Windows 10 client computers. Configuration Service Providers (CSPs) are interfaces that expose various management capabilities within the Windows client; conceptually, CSPs work similarly to how Group Policy works. Each CSP has configuration nodes that represent individual settings. Also like Group Policy settings, you can tie CSP settings to registry keys, files, permissions, and so on. Similar to how you use the Group Policy Management Editor to configure Group Policy objects (GPOs), you configure CSP nodes by using a mobile device management (MDM) solution such as Microsoft Intune. MDM products like Intune offer a user-friendly configuration option that configures the CSP in the operating system.

[Figure: Mobile Device Management configuration to CSP]

However, you can't configure some CSP nodes directly through a user interface (UI) like the Intune Admin Console. In these cases, you must configure the Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings manually. You configure OMA-URIs by using the OMA Device Management protocol (OMA-DM), a universal device management specification that most modern Apple, Android, and Windows devices support. As long as they adhere to the OMA-DM specification, all MDM products should interact with these operating systems in the same way.

Windows 10 offers many CSPs, but this deployment focuses on using the VPNv2 CSP to configure the VPN client. The VPNv2 CSP allows configuration of each VPN profile setting in Windows 10 through a unique CSP node. Also contained in the VPNv2 CSP is a node called ProfileXML, which allows you to configure all the settings in one node rather than individually. For more information about ProfileXML, see the section "ProfileXML overview" later in this deployment. For details about each VPNv2 CSP node, see the VPNv2 CSP.
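The following PowerShell check is an added example, not part of the original guidance or Microsoft's own code: it parses a ProfileXML document and reports whether it matches the Table 1 choices. The sample profile is constructed; the server name, DNS suffix, DNS server addresses, route and the helper name Test-AlwaysOnProfile are assumptions, and the EAP configuration block that carries the PEAP-TLS settings is omitted, so only the user authentication method is checked.

```powershell
# Constructed sample ProfileXML. Server name, DNS values and route are
# placeholders; the <Eap> configuration block is omitted for brevity.
$sampleProfileXml = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>
  <DnsSuffix>corp.contoso.com</DnsSuffix>
  <DomainNameInformation>
    <DomainName>.corp.contoso.com</DomainName>
    <DnsServers>10.0.0.10,10.0.0.11</DnsServers>
  </DomainNameInformation>
</VPNProfile>
'@

function Test-AlwaysOnProfile {
    # Hypothetical helper: returns one pass/fail row per Table 1 setting.
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml                      # throws on malformed XML
    $p   = $doc.VPNProfile
    if ($null -eq $p) { throw 'Root element <VPNProfile> not found.' }

    # Split tunneling only carries traffic for prefixes listed as routes,
    # so a profile with no <Route> element is flagged (assumed baseline).
    $routes = $doc.SelectNodes('/VPNProfile/Route')

    $checks = [ordered]@{
        'Connection type: native IKEv2'         = ($p.NativeProfile.NativeProtocolType -eq 'IKEv2')
        'Routing: split tunneling'              = ($p.NativeProfile.RoutingPolicyType -eq 'SplitTunnel')
        'Routing: at least one route defined'   = ($routes.Count -gt 0)
        'Name resolution: DomainNameInformation' = [bool]$p.DomainNameInformation.DomainName
        'Name resolution: DNS suffix'           = [bool]$p.DnsSuffix
        'Triggering: Always On'                 = ($p.AlwaysOn -eq 'true')
        'Triggering: Trusted Network Detection' = [bool]$p.TrustedNetworkDetection
        'Authentication: user method is EAP'    = ($p.NativeProfile.Authentication.UserMethod -eq 'Eap')
    }

    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{ Setting = $entry.Key; Pass = [bool]$entry.Value }
    }
}

# Report every setting, then list only the deviations from Table 1.
$result = Test-AlwaysOnProfile -Xml $sampleProfileXml
$result | Format-Table -AutoSize
$result | Where-Object { -not $_.Pass } | ForEach-Object {
    Write-Warning "Profile deviates from Table 1: $($_.Setting)"
}
```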

Next steps

  • Microsoft server software support for Microsoft Azure virtual machines: This article discusses the support policy for running Microsoft server software in the Microsoft Azure virtual machine environment (infrastructure-as-a-service).

  • Remote Access: This topic provides an overview of the Remote Access server role in Windows Server 2016.

  • Windows 10 VPN Technical Guide: This guide walks you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the VPNv2 Configuration Service Provider (CSP) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.

  • Core Network Guide: This guide provides instructions on how to plan and deploy the core components required for a fully functioning network and a new Active Directory domain in a new forest.

  • Domain Name System (DNS): This topic provides an overview of Domain Name Systems (DNS). In Windows Server 2016, DNS is a server role that you can install by using Server Manager or Windows PowerShell commands. If you are installing a new Active Directory forest and domain, DNS is automatically installed with Active Directory as the Global Catalogue server for the forest and domain.

  • Active Directory Certificate Services Overview: This document provides an overview of Active Directory Certificate Services (AD CS) in Windows Server® 2012. AD CS is the Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

  • Public Key Infrastructure Design Guidance: This forum provides guidance on designing Public Key Infrastructures (PKIs). Before you configure a PKI and certification authority (CA) hierarchy, you should be aware of your organization's security policy and certificate practice statement (CPS).

  • Active Directory Certificate Services Overview: This step-by-step guide describes the steps needed to set up a basic configuration of Active Directory® Certificate Services (AD CS) in a lab environment. AD CS in Windows Server® 2008 R2 provides customizable services for creating and managing public key certificates used in software security systems employing public key technologies.

  • Network Policy Server (NPS): This topic provides an overview of Network Policy Server in Windows Server 2016. Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for connection request authentication and authorization.