Plan alternate access mappings for SharePoint Server

Summary: Learn how to plan for alternate access mappings in SharePoint 2013.

Alternate access mappings direct users to the correct URLs during their interaction with SharePoint Server 2016 (while browsing to the home page of a SharePoint Server 2016 website, for example). Alternate access mappings enable SharePoint Server 2016 to map web requests to the correct web applications and sites, and they enable SharePoint Server 2016 to serve the correct content back to the user.

Because the features of alternate access mapping are deprecated, we recommend that you use host-named site collections over alternate access mappings.

For additional information about how to plan for host-named site collections, see Host-named site collection architecture and deployment (SharePoint 2013).

Alternate access mappings were implemented because there are common Internet deployment scenarios in which the URL of a web request received by Internet Information Services (IIS) differs from the URL that was typed by a user. This is most likely to occur in deployment scenarios that include reverse proxy publishing and load balancing.

Note

Alternate access mappings must be configured for load balancing, even though it generally does not apply to host header site collections. The default zone public URL should be set to a domain URL that is appropriate for all users to see. Unless you do this, the names of web servers or their IP addresses might be displayed in parameters that were passed between pages within SharePoint Server 2016.

About alternate access mappings

Alternate access mappings enable a web application that receives a request for an internal URL in one of the five zones to return pages that contain links to the public URL for the zone. You can associate a web application by using a collection of mappings between internal and public URLs. Internal refers to the URL of a web request as it is received by SharePoint Server 2016. Public refers to the URL by which SharePoint will format links that correspond to requests that match one of the internal URLs on that zone when it returns a response. The public URL is the base URL that SharePoint Server 2016 uses in the pages that it returns. If the internal URL was changed by a reverse proxy device, it can differ from the public URL.

Note

Host-named site collections can't use alternate access mappings. Host-named site collections are automatically considered in the Default zone, and the URL of the request must not be changed between the user and the server.

Multiple internal URLs can be associated with a single public URL. Mapping collections can contain up to five authentication zones. But each zone can have only a single public URL. Mapping collections correspond to the following authentication zones:

  • Default

  • Intranet

  • Internet

  • Custom

  • Extranet

Reverse proxy publishing

A reverse proxy is a device that sits between users and your web server. All requests to your web server are first received by the reverse proxy device and, if those requests pass the proxy's security filtering, the proxy forwards the requests to your web server.
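The following added example (not Microsoft's code, and not how SharePoint implements the feature) is a simplified Python model of a mapping collection behind a reverse proxy: it matches a request's internal URL to a zone, formats the reply URL with that zone's public URL, and checks whether a public URL would show a web server name or IP address, as the earlier note warns. The class and function names, the contoso.example hosts, and the server name sp-web01 are assumptions made for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

ZONES = ("Default", "Intranet", "Internet", "Custom", "Extranet")

def base(url):
    """Scheme and host[:port] of a URL, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

class MappingCollection:
    """Simplified model of one web application's mapping collection."""
    def __init__(self):
        self.public = {}    # zone -> its single public URL
        self.internal = {}  # internal URL -> zone (many per zone allowed)

    def set_public(self, zone, url):
        if zone not in ZONES:
            raise ValueError(f"unknown zone {zone!r}")
        self.public[zone] = base(url)

    def add_internal(self, zone, url):
        if zone not in self.public:
            raise ValueError(f"zone {zone!r} has no public URL yet")
        self.internal[base(url)] = zone

    def respond(self, request_url):
        """Zone the request matched and the URL used for links in the reply."""
        zone = self.internal.get(base(request_url))
        if zone is None:
            raise LookupError(f"no internal URL matches {request_url}")
        p = urlsplit(request_url)
        tail = p.path + (f"?{p.query}" if p.query else "")
        return zone, self.public[zone] + tail

def exposes_server(public_url, web_servers):
    """True if a public URL shows an IP address or a web server's name."""
    host = urlsplit(public_url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return host.lower() in {s.lower() for s in web_servers}

# Constructed sample: a reverse proxy publishes the Internet zone and
# forwards requests to the web server under a different URL.
aam = MappingCollection()
aam.set_public("Default", "https://portal.contoso.example")
aam.set_public("Internet", "https://www.contoso.example")
aam.add_internal("Internet", "https://www.contoso.example")
aam.add_internal("Internet", "http://sp-web01:8080")  # URL as changed by the proxy
```

Calling `aam.respond()` with a URL on `http://sp-web01:8080` returns the Internet zone and the same path under `https://www.contoso.example`, so links in the reply never carry the server's own name.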

Alternate access mapping integration with authentication providers

Alternate access mappings allow you to expose a web application in as many as five different zones, with a different IIS website backing each zone.

Note

Some people mistakenly refer to this as having up to five different web applications sharing the same content databases. In reality, there is just one web application.

Not only do these zones allow you to use multiple URLs to access the same web application, they also allow you to use multiple authentication providers to access the same web application.

When extending a web application into a zone, you have to use Windows authentication provided by IIS. After the web application has extended into the zone, you can change the zone to use a different type of authentication.

Use the following procedure to change the authentication configuration for a zone.

To change the authentication type for a zone

  1. From Administrative Tools, open Central Administration.

  2. On the Central Administration Home page, click Application Management.

  3. On the Application Management page, in the Application Security section, click Authentication providers.

  4. On the Authentication Providers page, select your web application, which is listed in the Web Application box.

  5. Click the name of the zone whose authentication configuration you want to change.

    Note

    You'll be able to select only from among zones that have a backing IIS website. These zones were assigned an IIS website during the "Extend an existing web application" procedure.

  6. On the Edit Authentication page, in the Claims Authentication Types section, select the authentication type that you want to use for this zone:

    • Windows authentication (default value)

    • Basic authentication

    • Forms based authentication (FBA)

    • Trusted Identity provider

  7. Change any other authentication configuration settings that you want to change, and click Save.

At this point, you can change authentication configuration settings for any other zone. You can configure completely independent authentication settings for different zones accessing the same content. For example, you might configure some content to be anonymously available while other content requires credentials. You could configure one zone to have anonymous access enabled and all other forms of authentication disabled, guaranteeing that only the anonymous content will be available. At the same time, another zone can have anonymous access disabled while NTLM authentication is enabled, guaranteeing that only authenticated access will be enabled. In addition, you can have different types of accounts to access the same content: one zone can be configured to use Active Directory accounts in Windows while another zone can be configured to use non-Active Directory accounts that use ASP.NET forms-based authentication.

Alternate access mapping integration with web application policies

Web application policies allow administrators to grant or deny access to accounts and security groups for all sites exposed through a zone. This can be useful for many scenarios.

For example, the SharePoint Server 2016 search crawler must undergo the same authorization infrastructure as any other user: it can only crawl content that it has access to. But users would still like search to crawl restricted content so that authorized users can find that content in search results. The search service uses a Full Read policy on the web applications to give its crawler permission to read all content on that web application. That way, it can crawl and index all existing and future content, even content to which the site administrator had not explicitly given it access.

Another example would be helpdesk personnel who need administrative access to SharePoint Server 2016 sites so that they can help users. To do this, you can create a web application policy that grants the helpdesk staff accounts Full Control permission so that they have full administrative access to all current and future sites on the web application.

Because policies are tied to both web applications and their zones, you can guarantee that the policy that you have applied to one zone does not affect other zones. This can be useful if you have content exposed both on the corporate network and to the Internet. For example, suppose that you have given a helpdesk staff account Full Control permission over a web application's zone that is assigned to the corporate network. If someone were to try to use that account to access the site over the Internet, that Full Control policy wouldn't apply because it would recognize that the URL is in a different zone. Therefore, the account wouldn't automatically be given administrative access to the site.

Alternate access mapping and external resource mapping

SharePoint Server 2016 allows you to extend the alternate access mapping functionality to content that is not hosted within the SharePoint Server 2016 farm. To configure this functionality, browse to the Alternate Access Mappings page, and then click Map to External Resource. You'll then be asked to create an entry for an external resource, which you can think of as another web application. After you have an external resource, you can assign different URLs and zones to it in the same manner that you do for web applications. This feature is not used in SharePoint Server 2016, but third-party products that build onto SharePoint Server 2016 can use it.

For example, the search technology in SharePoint Server 2016 can crawl content external to the farm, such as file shares and websites. If that content is available at different URLs on different networks, you would want search to return results by using the appropriate URLs for the user's current network. By using alternate access mapping's external resource mapping technology, search can remap the external URLs in its results to match the user's zone.

See also

Concepts

Configure alternate access mappings for SharePoint 2013