VPN CSP

The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see Configure IKEv2-based Remote Access.

Note: The VPN CSP is deprecated in Windows 10 and is only supported in Windows 10 Mobile for backward compatibility. Use the VPNv2 CSP instead.

Important considerations:

  • For a VPN that requires a client certificate, the server must enroll the needed client certificate before deploying the VPN profile, so that the device ends up with a functional VPN profile. This is particularly critical for a forced-tunnel VPN: if the tunnel cannot authenticate, a device that is configured to send all traffic through it is left without connectivity.

  • VPN configuration commands must be wrapped in an Atomic command, so that the profile is either provisioned in full or not at all.

  • Only one VPN profile can be provisioned per OMA request. Multiple VPN profiles in one OMA message request are not supported.

  • For the VPN CSP, you cannot use the Replace command unless the node already exists; use Add for the initial deployment.
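
As an added example (not code from the original page or from Microsoft), the following Python assembles the OMA-DM SyncML envelope for one VPN CSP profile while enforcing the points above: every command sits inside a single Atomic, one profile per request, Add rather than Replace on first deployment, and no forward slash in ProfileName. The root path ./Vendor/MSFT/VPN is the CSP's standard root (not shown on this page); the command IDs, the profile values and the EAP configuration XML are constructed sample data.

```python
"""Assemble one OMA-DM SyncML request that provisions a single VPN CSP profile.

Added example for this page, not code from the original article or from
Microsoft. The root ./Vendor/MSFT/VPN and the node names follow the VPN CSP
tree; command IDs, profile values and the EAP XML are constructed samples.
"""
import xml.etree.ElementTree as ET

VPN_CSP_ROOT = "./Vendor/MSFT/VPN"

# Constructed stand-in for an EAP host configuration (EAP-TLS is method type 13).
SAMPLE_EAP_XML = (
    '<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">'
    "<EapMethod><Type>13</Type></EapMethod></EapHostConfig>"
)

# Constructed IKEv2 profile: (node path relative to the profile, value, format).
# Authentication/Method is left out because the page directs EAP configuration
# to Authentication/EAP. Split tunnel on an IKEv2 profile needs NetworkAllowedList.
IKEV2_PROFILE = [
    ("Server", "vpn.contoso.com", "chr"),
    ("TunnelType", "IKEv2", "chr"),
    ("Authentication/EAP", SAMPLE_EAP_XML, "chr"),
    ("Policies/SplitTunnel", "true", "bool"),
    ("SecuredResources/NetworkAllowedList/NetworkAllowedList", "172.31.0.0/16", "chr"),
    ("DNSSuffix", "corp.contoso.com", "chr"),
]


def validate_profile_name(name):
    """ProfileName becomes a node name inside the LocURI, so '/' is forbidden."""
    if not name or "/" in name:
        raise ValueError("ProfileName must be non-empty and must not contain '/'")
    return name


def build_vpn_profile_syncml(profile_name, nodes, replace_existing=False):
    """Return SyncML text that provisions exactly one profile inside one Atomic.

    replace_existing: the CSP rejects Replace on nodes that do not exist yet,
    so the first deployment must use Add; pass True only for an update.
    """
    validate_profile_name(profile_name)
    command = "Replace" if replace_existing else "Add"
    syncml = ET.Element("SyncML", xmlns="SYNCML:SYNCML1.2")
    body = ET.SubElement(syncml, "SyncBody")
    atomic = ET.SubElement(body, "Atomic")  # all-or-nothing for the whole profile
    ET.SubElement(atomic, "CmdID").text = "1"
    for cmd_id, (rel_path, value, fmt) in enumerate(nodes, start=2):
        op = ET.SubElement(atomic, command)
        ET.SubElement(op, "CmdID").text = str(cmd_id)
        item = ET.SubElement(op, "Item")
        target = ET.SubElement(item, "Target")
        ET.SubElement(target, "LocURI").text = f"{VPN_CSP_ROOT}/{profile_name}/{rel_path}"
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = fmt
        # Store the EAP XML raw: serialisation turns '<' into '&lt;', which is
        # the HTML-encoded form the CSP expects. Escaping it here first would
        # hand the device a doubly encoded blob.
        ET.SubElement(item, "Data").text = value
    ET.SubElement(body, "Final")
    return ET.tostring(syncml, encoding="unicode")


def build_requests(profiles):
    """One VPN profile per OMA request: emit a separate SyncML document for each."""
    return [build_vpn_profile_syncml(name, nodes) for name, nodes in profiles]


if __name__ == "__main__":
    print(build_vpn_profile_syncml("ContosoVPN", IKEV2_PROFILE))
```

Run it to see the document the MDM server would send; the EAP blob appears as `&lt;EapHostConfig ...` inside Data, which is the encoding the CSP expects on the wire.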

The following diagram shows the VPN configuration service provider in tree format.

[Diagram: VPN CSP node tree (image not reproduced here)]

ProfileName Unique alphanumeric identifier for the profile. The profile name must not include a forward slash (/), because it becomes a node name in the CSP path.

Value type is chr. Supported operations are Get, Add, Replace, and Delete.

Server Required. Public or routable IP address or DNS name of the VPN gateway server farm. It can point to the external IP of a gateway or to a virtual IP for a server farm.

Supported operations are Get, Add, and Replace.

Value type is chr. Examples are 208.23.45.130 and vpn.contoso.com.

TunnelType Optional, but required when deploying a third-party IKEv2 VPN profile. Only the value IKEv2 is supported in this release.

Value type is chr. Supported operations are Get and Add.

ThirdParty Optional, but required when deploying a third-party SSL-VPN plugin profile. Defines a group of settings applied to SSL-VPN profile provisioning.

Supported operations are Get and Add.

ThirdParty/Name Required when ThirdParty is defined for SSL-VPN profile provisioning.

Value type is chr. Supported operations are Get and Add.

Valid values:

  • JunOS Pulse

  • SonicWall Mobile Connect

  • F5 Big-IP Edge Client

  • Checkpoint Mobile VPN

ThirdParty/AppID Optional, but required when deploying a third-party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client uses this ProductID to ensure that only the enterprise-approved plugin is initialized.

Value type is chr. Supported operations are Get, Add, Replace, and Delete.

ThirdParty/CustomStoreURL Optional, but required if an enterprise is deploying a third-party SSL-VPN plugin app from its private enterprise storefront. This node specifies the URL of the third-party SSL-VPN plugin app.

Value type is chr. Supported operations are Get, Add, Replace, and Delete.

ThirdParty/CustomConfiguration Optional. An HTML-encoded XML blob with plugin-specific configuration that is deployed to the device and made available to the SSL-VPN plugin.

Value type is chr. Supported operations are Get, Add, Replace, and Delete.

RoleOrGroup Not implemented. Optional.

Value type is chr. Supported operations are Get, Add, Delete, and Replace.

Authentication Optional node for ThirdParty VPN profiles, but required for IKEv2. A collection of configuration objects that ensures the correct authentication policy is used on the device for the chosen TunnelType.

Supported operations are Get and Add.

Authentication/Method Required for IKEv2 profiles and optional for third-party profiles. Specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.

Supported operations are Get and Add.

Value type is chr.

Note: For EAP, use Authentication/EAP instead.

Authentication/Certificate Optional node. A collection of nodes that enables a simpler authentication experience for end users when using the VPN. This node and its subnodes must not be used for IKEv2 profiles.

Supported operations are Get and Add.

Authentication/Certificate/Issuer Optional. Filters the installed certificates (those whose private keys are stored in the registry or TPM) by issuer. It can be combined with EKU for more granular filtering.

Value type is chr. Supported operations are Get, Add, Delete, and Replace.

Note: Do not use this element for IKEv2 profiles.

Authentication/Certificate/EKU Optional. This Extended Key Usage (EKU) element filters the installed certificates (those whose private keys are stored in the registry or TPM) by EKU. It can be combined with Issuer for more granular filtering.

Value type is chr. Supported operations are Get, Add, Delete, and Replace.

Note: Do not use this element for IKEv2 profiles.

Authentication/Certificate/CacheLifeTimeForProtectedCert Not implemented. Optional.

Value type is int. Supported operations are Get, Add, Replace, and Delete.

Authentication/EAP Required when IKEv2 is selected. Defines the EAP blob used for IKEv2 authentication. You can use EAP-MSCHAPv2 or EAP-TLS. The EAP blob is HTML-encoded XML as defined in the EAP Host Config schemas; see Microsoft EAP MsChapV2 Schema and Microsoft EAP TLS Schema.

Supported operations are Get, Add, and Replace.

Value type is chr.

Proxy Optional node. A collection of configuration objects that enables post-connect proxy support for the VPN. The proxy defined for this profile is applied while the profile is active and connected.

Supported operations are Add, Delete, and Replace.

Proxy/Manual/Server Optional. Set this element together with Port. The value is the proxy server address as a fully qualified hostname or an IP address, for example proxy.contoso.com.

Supported operations are Get, Add, Replace, and Delete.

Value type is chr.

Proxy/Manual/Port Optional. Set this element together with Server. The value is the proxy server port number in the range 1-65535, for example 8080.

Supported operations are Get, Add, Replace, and Delete.

Value type is int.

Proxy/BypassForLocal Optional. When true, web requests to resources in the intranet zone are not sent to the proxy. When false, the setting is disabled and all requests go to the proxy.

Supported operations are Get, Add, Replace, and Delete.

Value type is bool.

Default is False.

SecuredResources Optional node. A collection of configuration objects that defines the inclusion resource lists for what is secured over the VPN. The allowed lists are applied only when the Policies/SplitTunnel element is set to True. VPN exclusions are not supported.

SecuredResources/AppAllowedList/AppAllowedList Optional. Specifies one or more ProductIDs of enterprise line-of-business applications built for Windows. When this element is defined, all traffic sourced from the specified apps is secured over the VPN (provided that the defined protected networks allow access). These apps cannot connect directly, bypassing the VPN connection. When the profile is auto-triggered, these apps trigger the VPN automatically.

Supported operations are Get, Add, Replace, and Delete.

Value type is chr.

Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp_jlsnulm3s397u.

SecuredResources/NetworkAllowedList/NetworkAllowedList Optional, but required when Policies/SplitTunnel is set to true for an IKEv2 profile. Specifies one or more IP ranges to be secured over the VPN. Applications connecting to protected resources that match this list are secured over the VPN; otherwise they continue to connect directly. IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, these protected networks trigger the VPN automatically.

Supported operations are Get, Add, Replace, and Delete.

Value type is chr.

An example is 172.31.0.0/16.

SecuredResources/NameSpaceAllowedList/NameSpaceAllowedList Optional. Specifies one or more namespaces to be secured over the VPN. All requests to the specified namespaces, and applications connecting to those namespaces, are secured over the VPN; otherwise they continue to connect directly. Namespaces are defined in the format *.corp.contoso.com. Wildcards such as *, *.* or *.com.* are not allowed. For IKEv2 profiles, NetworkAllowedList is still required to route the traffic correctly over the split tunnel; a namespace list on its own is not enough.

Supported operations are Get, Add, Replace, and Delete.

Value type is chr.

An example is *.corp.contoso.com.

SecuredResources/ExcludedAppList/ExcludedAppList Optional. Specifies one or more ProductIDs of enterprise line-of-business applications built for Windows. When the element is defined, these apps never use the VPN; they connect directly and bypass the VPN connection.

Supported operations are Get, Add, Replace, and Delete.

Value type is chr.

Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp_jlsnulm3s397u.

SecuredResources/ExcludedNetworkList/ExcludedNetworkList Optional. Specifies one or more IP ranges that never use the VPN. Any app connecting to an address in the configured excluded list uses the internet directly and bypasses the VPN. Values are defined in the format 10.0.0.0/8.

Supported operations are Get, Add, Replace, and Delete.

Value type is chr.

An example is 172.31.0.0/16.

SecuredResources/ExcludedNameSpaceList/ExcludedNameSpaceList Optional. Specifies one or more namespaces of hosts that never use the VPN. Any app connecting to a host in the configured excluded list uses the internet directly and bypasses the VPN. Wildcards such as *, *.* or *.com.* are not allowed.

Supported operations are Get, Add, Replace, and Delete.

Value type is chr.

An example is *.corp.contoso.com.

SecuredResources/DNSSuffixSearchList/DNSSuffixSearchList Optional. Specifies one or more DNS suffixes that are appended to short-name URLs for DNS resolution and connectivity.

Supported operations are Get, Add, Replace, and Delete.

Value type is chr.

An example is .corp.contoso.com.
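
As an added example (not code from the original page or from Microsoft), the following Python checks a SecuredResources set against the rules stated above for the allowed and excluded lists, and flags the dependency between Policies/SplitTunnel and NetworkAllowedList on IKEv2 profiles. The regular expressions for ProductIDs and DNS labels are this example's own reading of the formats the page describes, and the sample list contents are constructed from the page's example values.

```python
"""Validate VPN CSP SecuredResources values and their interaction with SplitTunnel.

Added example for this page, not code from the original article or from
Microsoft. Rules encoded here, as stated on the page: network lists use CIDR
prefixes like 10.0.0.0/8; namespaces look like *.corp.contoso.com and may not
be *, *.* or *.com.*; app lists hold a ProductID (GUID in braces or a package
family name); an IKEv2 profile with Policies/SplitTunnel=true must carry a
NetworkAllowedList; allowed lists only apply when SplitTunnel is True.
The regular expressions are this example's own reading of those formats.
"""
import ipaddress
import re

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
PFN_RE = re.compile(r"^[A-Za-z0-9.\-]+_[a-z0-9]{13}$")           # Name_publisherhash
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")  # one DNS label

ALLOWED_LISTS = ("AppAllowedList", "NetworkAllowedList", "NameSpaceAllowedList")


def check_network(value):
    """Accept only a prefix in 10.0.0.0/8 form with the host bits cleared."""
    if "/" not in value:
        return f"{value}: prefix length required, e.g. {value}/32"
    try:
        ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        return f"{value}: {exc}"
    return None


def check_namespace(value):
    """Accept '*.' followed by concrete DNS labels; reject bare or nested wildcards."""
    if not value.startswith("*."):
        return f"{value}: namespace must be of the form *.corp.contoso.com"
    labels = value[2:].split(".")
    if any(not LABEL_RE.fullmatch(label) for label in labels):
        return f"{value}: wildcards such as *, *.* or *.com.* are not allowed"
    return None


def check_app_id(value):
    """Accept a ProductID: {GUID} or a package family name like Name_publisherhash."""
    if GUID_RE.fullmatch(value) or PFN_RE.fullmatch(value):
        return None
    return f"{value}: not a ProductID (expected {{GUID}} or Name_publisherhash)"


CHECKERS = {
    "AppAllowedList": check_app_id, "ExcludedAppList": check_app_id,
    "NetworkAllowedList": check_network, "ExcludedNetworkList": check_network,
    "NameSpaceAllowedList": check_namespace, "ExcludedNameSpaceList": check_namespace,
}


def check_profile(tunnel_type, split_tunnel, secured):
    """Return a list of findings for a profile's SecuredResources; [] means clean.

    secured maps list names (e.g. "NetworkAllowedList") to lists of values.
    """
    findings = []
    for list_name, values in secured.items():
        checker = CHECKERS.get(list_name)
        if checker is None:
            findings.append(f"{list_name}: unknown SecuredResources list")
            continue
        findings.extend(f"{list_name}: {err}" for err in map(checker, values) if err)
    if split_tunnel and tunnel_type == "IKEv2" and not secured.get("NetworkAllowedList"):
        findings.append("Policies/SplitTunnel=true on an IKEv2 profile requires NetworkAllowedList")
    if not split_tunnel and any(secured.get(name) for name in ALLOWED_LISTS):
        findings.append("allowed lists are applied only when Policies/SplitTunnel is True")
    return findings


# Constructed sample built from the page's own example values.
SAMPLE_SECURED = {
    "AppAllowedList": ["{F05DC613-E223-40AD-ABA9-CCCE04277CD9}",
                       "ContosoApp.ContosoCorp_jlsnulm3s397u"],
    "NetworkAllowedList": ["172.31.0.0/16"],
    "NameSpaceAllowedList": ["*.corp.contoso.com"],
}

if __name__ == "__main__":
    for finding in check_profile("IKEv2", True, SAMPLE_SECURED) or ["no findings"]:
        print(finding)
```

Running such a check before pushing the SyncML avoids the failure mode the page warns about: a split-tunnel IKEv2 profile with only a namespace list looks complete but routes nothing through the tunnel.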

Policies Optional node. A collection of configuration objects you can use to enforce profile-specific restrictions.

Policies/SplitTunnel Optional. When False, all traffic goes to the VPN gateway in forced-tunnel mode. When True, only traffic to the defined secured resources goes to the VPN gateway.

Supported operations are Get, Add, Replace, and Delete.

Value type is bool.

Default value is True.

Policies/ByPassForLocal Optional. When True, requests to local resources available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy requires a forced tunnel but the enterprise wants to let a remote user connect locally to a media center in their home, set this option to True; the user can then bypass the VPN for local-subnet traffic. Be aware that this reopens the local subnet to the device and so weakens the isolation a forced tunnel is meant to provide. When False, the setting is disabled and no subnet exceptions are allowed.

Supported operations are Get, Add, Replace, and Delete.

Value type is bool.

Default value is False.

Policies/TrustedNetworkDetection Optional. When True, the VPN does not connect while the user is on the corporate wireless network, where protected resources are directly accessible to the device. When False, the VPN connects even over the corporate wireless network. This node depends on the DNSSuffix node setting to detect the corporate wireless network.

Supported operations are Get, Add, Replace, and Delete.

Value type is bool.

Default value is False.

Policies/ConnectionType Optional. Valid values are:

  • Triggering: The VPN connects automatically as applications require connectivity to protected resources. The life cycle of the VPN is tied to the applications using it. This is the recommended setting for optimizing power usage.

  • Manual: The user must connect and disconnect the VPN manually.

Supported operations are Get, Add, and Replace.

Value type is chr.

Default value is Triggering.

DNSSuffix Optional, but required in order to set the DNS suffix of the primary connection, and relied on by Policies/TrustedNetworkDetection. Supported operations are Get, Add, Delete, and Replace.

Value type is chr.

An example is corp.contoso.com.

Configuration service provider reference