Deploy Always On VPN

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows 10

In this section, you learn about the workflow for deploying Always On VPN connections for remote domain-joined Windows 10 client computers. If you want to configure conditional access to fine-tune how VPN users access your resources, see Conditional access for VPN connectivity using Azure AD. To learn more about conditional access for VPN connectivity using Azure AD, see Conditional access in Azure Active Directory.

The following diagram illustrates the workflow for the different scenarios when deploying Always On VPN:

Flow chart of the Always On VPN deployment workflow

Important

For this deployment, it is not a requirement that your infrastructure servers, such as computers running Active Directory Domain Services, Active Directory Certificate Services, and Network Policy Server, are running Windows Server 2016. You can use earlier versions of Windows Server, such as Windows Server 2012 R2, for the infrastructure servers and for the server that is running Remote Access.

Step 1. Plan the Always On VPN Deployment

In this step, you start to plan and prepare your Always On VPN deployment. Complete this planning before you install the Remote Access server role on the computer you're planning to use as a VPN server. After proper planning, you can deploy Always On VPN, and optionally configure conditional access for VPN connectivity using Azure AD.

Step 2. Configure the Always On VPN Server Infrastructure

In this step, you install and configure the server-side components necessary to support the VPN. The server-side components include configuring PKI to distribute the certificates used by users, the VPN server, and the NPS server. You also configure RRAS to support IKEv2 connections and the NPS server to perform authorization for the VPN connections.

To configure the server infrastructure, you must perform the following tasks:

  • On a server configured with Active Directory Domain Services: Enable certificate autoenrollment in Group Policy for both computers and users, create the VPN Users Group, the VPN Servers Group, and the NPS Servers Group, and add members to each group.
  • On an Active Directory Certificate Services CA: Create the User Authentication, VPN Server Authentication, and NPS Server Authentication certificate templates.
  • On domain-joined Windows 10 clients: Enroll and validate user certificates.

Step 3. Configure the Remote Access Server for Always On VPN

In this step, you configure Remote Access VPN to allow IKEv2 VPN connections, deny connections from other VPN protocols, and assign a static IP address pool for the issuance of IP addresses to connecting authorized VPN clients.

To configure RAS, you must perform the following tasks:

  • Enroll and validate the VPN server certificate
  • Install and configure Remote Access VPN

Step 4. Install and Configure the NPS Server

In this step, you install Network Policy Server (NPS) by using either Windows PowerShell or the Server Manager Add Roles and Features Wizard. You also configure NPS to handle all authentication, authorization, and accounting duties for the connection requests that it receives from the VPN server.

To configure NPS, you must perform the following tasks:

  • Register the NPS Server in Active Directory
  • Configure RADIUS Accounting for your NPS Server
  • Add the VPN Server as a RADIUS Client in NPS
  • Configure Network Policy in NPS
  • Autoenroll the NPS Server certificate
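The PowerShell side of the tasks above, as an added example that is not Microsoft's own script: it installs the NPS role, registers the server in Active Directory, adds the VPN server as a RADIUS client with a randomly generated shared secret, and checks that the NPS Server Authentication certificate has been autoenrolled. The VPN server name and internal address are placeholders; the network policy itself is still created in the NPS console.

```powershell
# Added example (not from the Microsoft docs page). Run elevated on the NPS server.
# Placeholders: the RRAS/VPN server's friendly name and the internal address it
# sends RADIUS traffic from.
$VpnServerName = 'VPN1'
$VpnServerIp   = '10.0.0.5'

# Install the Network Policy and Access Services role with its management tools.
Install-WindowsFeature NPAS -IncludeManagementTools | Out-Null

# Register NPS in Active Directory so it can read the dial-in properties of
# user accounts (needed for the VPN Users group / network policy evaluation).
netsh ras add registeredserver

# RADIUS shared secrets protect the VPN server <-> NPS exchange; derive a long
# random one instead of a typed password. The same value must be configured on
# the RRAS server's RADIUS authentication and accounting provider.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)

# Add the VPN server as a RADIUS client in NPS.
New-NpsRadiusClient -Name $VpnServerName -Address $VpnServerIp -SharedSecret $sharedSecret | Out-Null

# Verify the NPS Server Authentication certificate was autoenrolled from the
# template created in Step 2; trigger an autoenrollment pass if it is missing.
$npsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' }
if (-not $npsCert) {
    certutil -pulse | Out-Null
    Write-Warning 'No Server Authentication certificate yet; autoenrollment triggered, re-check later.'
}

# Display the secret once so it can be copied to the RRAS server, then drop it.
Write-Output "RADIUS shared secret for ${VpnServerName}: $sharedSecret"
Remove-Variable sharedSecret, bytes
```

Accounting settings and the network policy (conditions on the VPN Users group, EAP type, and IKEv2 tunnel type) have no dedicated cmdlets in the NPS module and are configured in the NPS console as described in the tasks above.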

Step 5. Configure DNS and Firewall Settings for Always On VPN

In this step, you configure DNS and firewall settings. When remote VPN clients connect, they use the same DNS servers that your internal clients use, which allows them to resolve names in the same manner as the rest of your internal workstations.

Step 6. Configure Windows 10 Client Always On VPN Connections

In this step, you configure the Windows 10 client computers to communicate with that infrastructure over a VPN connection. You can use several technologies to configure Windows 10 VPN clients, including Windows PowerShell, Microsoft Endpoint Configuration Manager, and Intune. All three require an XML VPN profile (ProfileXML) to configure the appropriate VPN settings.
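What such a ProfileXML looks like for the IKEv2, certificate-authenticated, always-on connection this deployment builds, and how the Windows PowerShell option applies it through the MDM WMI bridge (class MDM_VPNv2_01 in root\cimv2\mdm\dmmap), as an added example that is not Microsoft's own script. Assumed: the script runs in the Local System context on the client, and the profile name, target user SID, VPN server name, DNS suffix, DNS server address, and the EAP configuration block are placeholders for your environment.

```powershell
# Added example (not from the Microsoft docs page). Run as Local System on the client.
# All values below are placeholders; the EAP block is exported from a template
# connection (Get-VpnConnection ... | Select-Object -ExpandProperty EapConfigXmlStream).
$ProfileName  = 'Contoso AlwaysOn VPN'
$UserSid      = 'S-1-5-21-PLACEHOLDER'   # SID of the user who receives the profile
$VpnServer    = 'vpn.contoso.example'
$EapConfigXml = '<!-- PLACEHOLDER: EapHostConfig XML exported from a template connection -->'
$ProfileXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$EapConfigXml</Configuration></Eap>
    </Authentication>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES256</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>corp.contoso.example</TrustedNetworkDetection>
  <DomainNameInformation>
    <DomainName>.corp.contoso.example</DomainName>
    <DnsServers>10.0.0.10</DnsServers>
  </DomainNameInformation>
</VPNProfile>
"@
# The VPNv2 CSP stores ProfileXML as an escaped string inside the CIM property.
$escaped = $ProfileXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$namespace = 'root\cimv2\mdm\dmmap'
$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $UserSid, $false)
$instance = New-Object Microsoft.Management.Infrastructure.CimInstance 'MDM_VPNv2_01', $namespace
foreach ($p in @(@('ParentID', './Vendor/MSFT/VPNv2', 'Key'),
                 @('InstanceID', ($ProfileName -replace ' ', '%20'), 'Key'),
                 @('ProfileXML', $escaped, 'Property'))) {
    $instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p[0], $p[1], 'String', $p[2]))
}
(New-CimSession).CreateInstance($namespace, $instance, $options) | Out-Null
```

The CryptographySuite element pins the IKEv2 proposal to AES-GCM-256, SHA-256 and DH group 14 rather than the weaker built-in defaults; the RRAS server must offer a matching policy (Set-VpnServerIPsecConfiguration) or the connection will not negotiate.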

Step 7. (Optional) Configure conditional access for VPN connectivity

In this optional step, you can fine-tune how authorized VPN users access your resources. With Azure AD conditional access for VPN connectivity, you can help protect the VPN connections. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure AD connected application. For more information, see Azure Active Directory (Azure AD) conditional access.

Next step

Step 1. Plan the Always On VPN deployment: Complete the planning in this step before you install the Remote Access server role on the computer you're planning to use as a VPN server. After proper planning, you can deploy Always On VPN, and optionally configure conditional access for VPN connectivity using Azure AD.