Configure VPN device tunnels in Windows 10

Applies to: Windows 10 version 1709

Always On VPN gives you the ability to create a dedicated VPN profile for a device or machine. Always On VPN connections include two types of tunnels:

  • Device tunnel connects to the specified VPN servers before users log on to the device. Pre-logon connectivity scenarios and device management purposes use the device tunnel.

  • User tunnel connects only after a user logs on to the device. The user tunnel allows users to access organization resources through VPN servers.

Unlike the user tunnel, which connects only after a user logs on to the device or machine, the device tunnel allows the VPN to establish connectivity before the user logs on. Device tunnel and user tunnel operate independently with their own VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. The user tunnel supports SSTP and IKEv2; the device tunnel supports IKEv2 only, with no support for SSTP fallback.

The user tunnel is supported on domain-joined, non-domain-joined (workgroup), and Azure AD-joined devices, to allow for both enterprise and BYOD scenarios. It is available in all Windows editions, and the platform features are available to third parties by way of UWP VPN plug-in support.

The device tunnel can be configured only on domain-joined devices running Windows 10 Enterprise or Education version 1709 or later. There is no support for third-party control of the device tunnel. The device tunnel does not support the Name Resolution Policy Table (NRPT). The device tunnel does not support force tunneling; you must configure it as a split tunnel.

Device Tunnel Requirements and Features

You must enable machine certificate authentication for VPN connections and define a root certification authority for authenticating incoming VPN connections.

$VPNRootCertAuthority = "Common Name of trusted root certification authority"
# -RootCertificateNameToAccept takes a single X509Certificate2, so select exactly one match rather than an array
$RootCACert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$VPNRootCertAuthority*" } | Select-Object -First 1
if (-not $RootCACert) { throw "Root CA '$VPNRootCertAuthority' not found in Cert:\LocalMachine\Root" }
# Accept machine certificate (device tunnel) and EAP (user tunnel); trust only client certificates that chain to this root
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $RootCACert -PassThru


VPN Device Tunnel Configuration

The sample profile XML below provides good guidance for scenarios where only client-initiated pulls are required over the device tunnel. Traffic filters are used to restrict the device tunnel to management traffic only. This configuration works well for Windows Update, typical Group Policy (GP) and Microsoft Endpoint Configuration Manager update scenarios, as well as VPN connectivity for first logon without cached credentials, or password reset scenarios.

For server-initiated push cases, like Windows Remote Management (WinRM), remote GPUpdate, and remote Configuration Manager update scenarios, you must allow inbound traffic on the device tunnel, so traffic filters cannot be used. If you turn on traffic filters in the device tunnel profile, the device tunnel denies inbound traffic. This limitation is going to be removed in future releases.

Sample VPN ProfileXML

Following is the sample VPN ProfileXML.

<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <!-- disable the addition of a class based route for the assigned IP address on the VPN interface -->
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- use host routes (/32) to prevent routing conflicts -->
  <Route>
    <Address>10.10.0.2</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <Route>
    <Address>10.10.0.3</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <!-- traffic filters for the routes specified above so that only this traffic can go over the device tunnel -->
  <TrafficFilter>
    <RemoteAddressRanges>10.10.0.2, 10.10.0.3</RemoteAddressRanges>
  </TrafficFilter>
  <!-- need to specify always on = true -->
  <AlwaysOn>true</AlwaysOn>
  <!-- new node to specify that this is a device tunnel -->
  <DeviceTunnel>true</DeviceTunnel>
  <!-- new node to register client IP address in DNS to enable manage out -->
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>

Depending on the needs of each particular deployment scenario, another VPN feature that can be configured with the device tunnel is Trusted Network Detection.

 <!-- inside/outside detection -->
  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>

Deployment and Testing

You can configure device tunnels by using a Windows PowerShell script and the Windows Management Instrumentation (WMI) bridge. The Always On VPN device tunnel must be configured in the context of the LOCAL SYSTEM account. To accomplish this, it is necessary to use PsExec, one of the PsTools included in the Sysinternals suite of utilities.

For guidelines on how to deploy a per-device (.\Device) vs. a per-user (.\User) profile, see Using PowerShell scripting with the WMI Bridge Provider.

Run the following Windows PowerShell command to verify that you have successfully deployed a device profile:

Get-VpnConnection -AllUserConnection

The output displays a list of the device-wide VPN profiles that are deployed on the device.
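Listing the device-wide connections shows that a profile was written, but not that the device it was written to can actually use it. The following script is an added example, not part of the original page, that runs the pre-flight checks implied by the requirements above (domain join, Enterprise/Education edition, build 16299 or later for version 1709, a machine certificate with the client authentication EKU chaining to the expected root) and then confirms that the deployed profile is flagged as a device tunnel in the VPNv2 CSP and, when connected, carries no default route. The profile name "Device Tunnel" and the root CA name "Contoso Root CA" are placeholders, and the script assumes the MDM bridge returns the ProfileXML property for MDM_VPNv2_01 instances. Run it as LOCAL SYSTEM through PsExec, the same way the profile was created.

```powershell
# Added example: pre-flight checks and post-deployment verification for an
# Always On VPN device tunnel. Run as LOCAL SYSTEM, for example:
#   psexec.exe -i -s powershell.exe -ExecutionPolicy Bypass -File .\Test-DeviceTunnel.ps1
# Assumed placeholders: profile name and the issuing private root CA name.
$ProfileName   = 'Device Tunnel'
$RootCAName    = 'Contoso Root CA'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for IKEv2 machine certificate auth

$ok = $true
function Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $state = if ($Pass) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $state, $Name, $Detail)
    if (-not $Pass) { $script:ok = $false }
}

# 1. Platform: domain-joined, Enterprise/Education, Windows 10 1709 (build 16299) or later
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Check 'Domain joined'  $cs.PartOfDomain $cs.Domain
Check 'Edition'        ($os.Caption -match 'Enterprise|Education') $os.Caption
Check 'Build >= 16299' ([int]$os.BuildNumber -ge 16299) $os.BuildNumber

# 2. Machine certificate: computer store, private key, client-auth EKU, unexpired, chains to the expected root
$machineCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku }) -and
    $_.NotAfter -gt (Get-Date)
}
$chained = $machineCerts | Where-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($_)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $root.Subject -like "*$RootCAName*"
}
Check 'Machine certificate' ([bool]$chained) ("{0} candidate(s), {1} chaining to '{2}'" -f @($machineCerts).Count, @($chained).Count, $RootCAName)

# 3. The profile exists as a device-wide connection and is flagged as a device tunnel in the CSP.
#    The CSP node name is the profile name with spaces URL-encoded, matching the creation script.
$conn = Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue | Where-Object Name -eq $ProfileName
Check 'Device-wide profile present' ([bool]$conn) ($(if ($conn) { "$($conn.ServerAddress) / $($conn.TunnelType) / $($conn.ConnectionStatus)" } else { 'not found' }))

$csp = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' -ErrorAction SilentlyContinue |
    Where-Object InstanceID -eq ($ProfileName -replace ' ', '%20')
# ProfileXML may come back with the angle brackets XML-escaped, so accept both forms
$isDeviceTunnel = [bool]($csp -and ($csp.ProfileXML -match '(<|&lt;)DeviceTunnel(>|&gt;)\s*true'))
Check 'DeviceTunnel=true in ProfileXML' $isDeviceTunnel ($(if ($csp) { 'MDM_VPNv2_01 instance found' } else { 'no CSP instance for this profile' }))

# 4. Split tunnel with host routes: the VPN interface must not own the default route
if ($conn -and $conn.ConnectionStatus -eq 'Connected') {
    $vpnIf = Get-NetIPInterface -InterfaceAlias $ProfileName -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if ($vpnIf) {
        $routes     = Get-NetRoute -InterfaceIndex $vpnIf.ifIndex -AddressFamily IPv4
        $hasDefault = [bool]($routes | Where-Object DestinationPrefix -eq '0.0.0.0/0')
        Check 'No default route over device tunnel' (-not $hasDefault) (($routes.DestinationPrefix) -join ', ')
    }
}

if ($ok) { Write-Host 'All checks passed.' } else { Write-Host 'One or more checks failed.'; exit 1 }
```

The certificate check builds the chain on the client rather than just looking at the Issuer field, so an intermediate-issued certificate still passes as long as it terminates at the expected private root; a certificate that chains only to a public CA fails the check even though Windows would consider it valid, which is exactly the case the RRAS-side RootCertificateNameToAccept setting is meant to reject.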

Example Windows PowerShell Script

You can use the following Windows PowerShell script to assist in creating your own script for profile creation.

# Creates an Always On VPN profile through the WMI bridge (MDM_VPNv2_01).
# For a device tunnel, run this in the LOCAL SYSTEM context, for example:
#   psexec.exe -i -s powershell.exe -ExecutionPolicy Bypass -File .\New-VpnProfile.ps1 -xmlFilePath .\DeviceTunnel.xml -ProfileName "Device Tunnel"
Param(
    [Parameter(Mandatory = $true)][string]$xmlFilePath,
    [Parameter(Mandatory = $true)][string]$ProfileName
)

if (-not (Test-Path $xmlFilePath)) {
    Write-Host "Profile XML file not found: $xmlFilePath"
    exit 1
}

# Read the whole file as one string rather than an array of lines
$ProfileXML = Get-Content -Path $xmlFilePath -Raw

# The profile name becomes the CSP node name, so spaces must be URL-encoded
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# ProfileXML is carried as a string inside the CSP payload, so the XML itself must be escaped.
# Escape '&' first so the entities added below are not escaped a second time.
$ProfileXML = $ProfileXML -replace '&', '&amp;'
$ProfileXML = $ProfileXML -replace '<', '&lt;'
$ProfileXML = $ProfileXML -replace '>', '&gt;'
$ProfileXML = $ProfileXML -replace '"', '&quot;'

$nodeCSPURI    = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className     = "MDM_VPNv2_01"

$session = New-CimSession

try
{
    $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
    $newInstance.CimInstanceProperties.Add($property)
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
    $newInstance.CimInstanceProperties.Add($property)
    $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
    $newInstance.CimInstanceProperties.Add($property)

    # Creating the instance under ./Vendor/MSFT/VPNv2 adds the profile via the VPNv2 CSP
    $session.CreateInstance($namespaceName, $newInstance)
    Write-Host "Created $ProfileName profile."
}
catch [Exception]
{
    Write-Host "Unable to create $ProfileName profile: $_"
    exit 1
}
finally
{
    Remove-CimSession $session
}
Write-Host "Complete."

Additional Resources

The following are additional resources to assist with your VPN deployment.

VPN client configuration resources

The following are VPN client configuration resources.

Remote Access Server Gateway resources

The following are Remote Access Server (RAS) Gateway resources.

Important

When using a device tunnel with a Microsoft RAS gateway, you need to configure the RRAS server to support IKEv2 machine certificate authentication by enabling the "Allow machine certificate authentication for IKEv2" authentication method, as described here. Once this setting is enabled, it is strongly recommended that the Set-VpnAuthProtocol PowerShell cmdlet, along with the optional RootCertificateNameToAccept parameter, is used to ensure that RRAS IKEv2 connections are only permitted for VPN client certificates that chain to an explicitly defined internal/private root certification authority. Alternatively, the Trusted Root Certification Authorities store on the RRAS server should be amended to ensure that it does not contain public certification authorities, as discussed here. Similar measures may also need to be considered for other VPN gateways.
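The reason this matters is that, with machine certificate authentication enabled and no pinned root, any certificate that chains to any CA in the RRAS server's Trusted Root store satisfies IKEv2 authentication, including certificates from public CAs that issue client-authentication certificates. The following audit script is an added example, not part of the original page: it reports what Set-VpnAuthProtocol currently accepts and which root (if any) it is pinned to, then lists every other unexpired root in Cert:\LocalMachine\Root so the administrator can see exactly which CAs would be trusted for the device tunnel. The root name "Contoso Root CA" is a placeholder, and the script assumes Get-VpnAuthProtocol returns RootCertificateNameToAccept as a certificate object with Subject and Thumbprint properties.

```powershell
# Added example: audit IKEv2 client-certificate trust on an RRAS server.
# Run on the RRAS server in an elevated PowerShell session.
# Assumed placeholder: the subject name of the organization's private root CA.
$ExpectedRootName = 'Contoso Root CA'

# 1. Which authentication methods RRAS accepts and which root it pins client certificates to
$auth = Get-VpnAuthProtocol
Write-Host ("Accepted user auth protocols : {0}" -f ($auth.UserAuthProtocolAccepted -join ', '))
$pinned = $auth.RootCertificateNameToAccept
if ($pinned) {
    Write-Host ("Pinned root                  : {0} ({1})" -f $pinned.Subject, $pinned.Thumbprint)
    if ($pinned.Subject -notlike "*$ExpectedRootName*") {
        Write-Host "WARNING: pinned root does not match the expected private root '$ExpectedRootName'"
    }
} else {
    Write-Host "WARNING: RootCertificateNameToAccept is not set; every root in Cert:\LocalMachine\Root can issue accepted client certificates"
}

# 2. Roots in the machine store other than the expected private root.
#    Without a pinned root, each of these is a CA whose client certificates RRAS would accept.
$otherRoots = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -notlike "*$ExpectedRootName*" -and $_.NotAfter -gt (Get-Date)
}
Write-Host ("Other trusted roots          : {0}" -f @($otherRoots).Count)
$otherRoots | Sort-Object NotAfter | Format-Table -AutoSize Thumbprint, NotAfter, Subject

# 3. Emit the removal commands for review only. Do not run them blindly: other
#    software on the server may rely on some of these roots, which is why pinning
#    with RootCertificateNameToAccept is the preferred control.
$otherRoots | ForEach-Object {
    "Remove-Item -Path 'Cert:\LocalMachine\Root\$($_.Thumbprint)'   # $($_.Subject)"
}
```

Pinning is the safer of the two controls the page describes: it narrows what RRAS accepts for IKEv2 without touching trust decisions made by everything else on the server, and this audit makes it visible when the pin is missing or points at the wrong CA.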