Branch office considerations

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel)

This article describes best practices for running shielded virtual machines in branch offices and other remote scenarios where Hyper-V hosts may have periods of time with limited connectivity to HGS.

Fallback configuration

Starting with Windows Server version 1709, you can configure an additional set of Host Guardian Service URLs on Hyper-V hosts for use when your primary HGS is unresponsive. This allows you to run a local HGS cluster as the primary server for better performance, with the ability to fall back to your corporate datacenter's HGS if the local servers are down.

To use the fallback option, you'll need to set up two HGS servers. They can run Windows Server 2019 or Windows Server 2016 and be part of either the same or different clusters. If they are different clusters, you will want to establish operational practices to ensure the attestation policies are in sync between the two servers. They both need to be able to correctly authorize the Hyper-V host to run shielded VMs and have the key material needed to start up the shielded VMs. You can choose either to share a pair of encryption and signing certificates between the two clusters, or to use separate certificates and configure the shielded VM to authorize both guardians (encryption/signing certificate pairs) in its shielding data file.

Then upgrade your Hyper-V hosts to Windows Server version 1709 or Windows Server 2019 and run the following command:

# Replace https://hgs.primary.com and https://hgs.backup.com with your own domain names and protocols
Set-HgsClientConfiguration -KeyProtectionServerUrl 'https://hgs.primary.com/KeyProtection' -AttestationServerUrl 'https://hgs.primary.com/Attestation' -FallbackKeyProtectionServerUrl 'https://hgs.backup.com/KeyProtection' -FallbackAttestationServerUrl 'https://hgs.backup.com/Attestation'

To unconfigure a fallback server, simply omit both fallback parameters:

Set-HgsClientConfiguration -KeyProtectionServerUrl 'https://hgs.primary.com/KeyProtection' -AttestationServerUrl 'https://hgs.primary.com/Attestation'

In order for the Hyper-V host to pass attestation with both the primary and fallback servers, you will need to ensure that your attestation information is up to date with both HGS clusters. Additionally, the certificates used to decrypt the virtual machine's TPM need to be available in both HGS clusters. You can configure each HGS with different certificates and configure the VM to trust both, or add a shared set of certificates to both HGS clusters.

For additional information about configuring HGS in a branch office using fallback URLs, see the blog post "Improved branch office support for shielded VMs in Windows Server, version 1709".
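The following PowerShell is an added example, not part of the original article, that puts the fallback procedure above together: it configures the primary and fallback URLs on a Hyper-V host, reads the configuration back, checks that both clusters are reachable over HTTPS, and (on the machine where shielding data files are authored) downloads and imports the guardian metadata of both clusters so a shielding data file can authorize both. The host names, the `$primary`/`$fallback` variables, the `hgsguardians` directory and the Fallback* property names read back from Get-HgsClientConfiguration are assumptions for this example; the `/KeyProtection/service/metadata/2014-07/metadata.xml` path is the HGS guardian metadata endpoint.

```powershell
# Added example (not the article's own code). Replace the placeholder host names
# with your own HGS clusters.
$primary  = 'https://hgs.primary.com'   # local branch-office HGS cluster (placeholder)
$fallback = 'https://hgs.backup.com'    # corporate datacenter HGS cluster (placeholder)

# --- On each Windows Server 1709+/2019 Hyper-V host: configure primary and fallback URLs ---
Set-HgsClientConfiguration `
    -KeyProtectionServerUrl         "$primary/KeyProtection" `
    -AttestationServerUrl           "$primary/Attestation" `
    -FallbackKeyProtectionServerUrl "$fallback/KeyProtection" `
    -FallbackAttestationServerUrl   "$fallback/Attestation"

# Read the configuration back. The Fallback* property names are assumed here.
Get-HgsClientConfiguration |
    Format-List KeyProtectionServerUrl, AttestationServerUrl,
                FallbackKeyProtectionServerUrl, FallbackAttestationServerUrl,
                AttestationStatus, AttestationSubstatus

# Fallback only helps if the backup cluster is actually reachable from the branch.
# Check TCP connectivity to both clusters on 443 and record the result.
foreach ($url in $primary, $fallback) {
    $hostName = ([System.Uri]$url).Host
    $ok = (Test-NetConnection -ComputerName $hostName -Port 443).TcpTestSucceeded
    Write-Output ("{0}: HTTPS reachable = {1}" -f $hostName, $ok)
}

# --- On the machine used to author shielding data files: trust both guardians ---
# Download each cluster's guardian metadata (public encryption/signing certificates)
# and import it as a named guardian. Use both guardians when creating the shielding
# data file so the VM's TPM can be unlocked by either cluster. Omit -AllowUntrustedRoot
# if the HGS certificates chain to a CA this machine already trusts.
$metaDir = Join-Path $env:TEMP 'hgsguardians'   # assumed working directory
New-Item -ItemType Directory -Path $metaDir -Force | Out-Null

$guardians = @{
    'BranchHGS'     = $primary
    'DatacenterHGS' = $fallback
}
foreach ($name in $guardians.Keys) {
    $metaFile = Join-Path $metaDir "$name.xml"
    Invoke-WebRequest -Uri "$($guardians[$name])/KeyProtection/service/metadata/2014-07/metadata.xml" `
                      -OutFile $metaFile -UseBasicParsing
    # Re-running is safe: skip guardians that were already imported under this name.
    if (-not (Get-HgsGuardian -Name $name -ErrorAction SilentlyContinue)) {
        Import-HgsGuardian -Path $metaFile -Name $name -AllowUntrustedRoot | Out-Null
    }
}
Get-HgsGuardian | Format-Table Name, HasPrivateSigningKey
```

If the two clusters share one encryption/signing certificate pair, the two metadata files describe the same guardian and a single import is enough; the connectivity loop still applies, since a fallback URL that cannot be reached from the branch adds latency on every failover without providing any resilience.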

Offline mode

Offline mode allows your shielded VM to turn on when HGS cannot be reached, so long as the security configuration of your Hyper-V host has not changed. Offline mode works by caching a special version of the VM TPM key protector on the Hyper-V host. The key protector is encrypted to the current security configuration of the host (using the Virtualization Based Security identity key). If your host is unable to communicate with HGS and its security configuration has not changed, it will be able to use the cached key protector to start up the shielded VM. When security settings change on the system, such as a new code integrity policy being applied or Secure Boot being disabled, the cached key protectors will be invalidated and the host will have to attest with an HGS before any shielded VMs can be started offline again.

Offline mode requires Windows Server Insider Preview build 17609 or newer for both the Host Guardian Service cluster and the Hyper-V host. It is controlled by a policy on HGS, which is disabled by default. To enable support for offline mode, run the following command on an HGS node:

Set-HgsKeyProtectionConfiguration -AllowKeyMaterialCaching:$true

Since the cacheable key protectors are unique to each shielded VM, you will need to fully shut down (not restart) and start up your shielded VMs to obtain a cacheable key protector after this setting is enabled on HGS. If your shielded VM migrates to a Hyper-V host running an older version of Windows Server, or obtains a new key protector from an older version of HGS, it will not be able to start itself up in offline mode, but it can continue running in online mode when access to HGS is available.
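The following PowerShell is an added example, not part of the original article, showing the two halves of enabling offline mode: the HGS-side policy change with a read-back of the setting, and the host-side full shutdown and restart of every shielded VM so that each one obtains a cacheable key protector. The `AllowKeyMaterialCaching` property name read from Get-HgsKeyProtectionConfiguration is assumed to match the Set- parameter; Get-VMSecurity and Stop-VM/Start-VM are standard Hyper-V cmdlets.

```powershell
# Added example (not the article's own code).

# --- On an HGS node: enable key material caching (disabled by default) ---
Set-HgsKeyProtectionConfiguration -AllowKeyMaterialCaching:$true
# Confirm the policy took effect; property name assumed to mirror the parameter.
$kpc = Get-HgsKeyProtectionConfiguration
if (-not $kpc.AllowKeyMaterialCaching) {
    throw 'Key material caching is still disabled on this HGS node.'
}

# --- On each Hyper-V host: cycle shielded VMs through a full shutdown ---
# A reboot inside the guest is not enough; the VM must be powered off and started
# again so the host requests a new (cacheable) key protector from HGS. Do this while
# the host is still online with HGS, since the cache is filled from a successful
# online start, not from an offline one.
$shieldedVMs = Get-VM | Where-Object { (Get-VMSecurity -VMName $_.Name).Shielded }

foreach ($vm in $shieldedVMs) {
    if ($vm.State -ne 'Off') {
        # Stop-VM performs a guest-initiated shutdown and blocks until the VM is Off.
        # Avoid Restart-VM here: it does not produce a new key protector.
        Stop-VM -VM $vm
    }
    Start-VM -VM $vm
    Write-Output ("{0}: restarted to obtain a cacheable key protector" -f $vm.Name)
}

# Any VM that is not running afterwards needs attention before relying on offline mode.
Get-VM -Name $shieldedVMs.Name | Where-Object State -ne 'Running' |
    Format-Table Name, State, Status
```

Schedule the host-side loop in a maintenance window: each Stop-VM is a real guest shutdown, and a VM that fails to start again (for example because the host's attestation has lapsed) should be investigated while HGS is still reachable, because the cached key protector is only as current as the last successful online start.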