Configure Web Application Proxy for a hybrid environment

Summary: Learn how to configure Windows Server 2012 R2 with Web Application Proxy (WA-P) as a reverse proxy device in a SharePoint hybrid environment.

This article describes Web Application Proxy and helps you set it up as a reverse proxy for a hybrid SharePoint Server environment.

Before you begin

Accessibility note: SharePoint Server supports the accessibility features of common browsers to help you administer deployments and access sites. For more information, see Accessibility for SharePoint 2013.

About Web Application Proxy in a hybrid environment

Web Application Proxy is a Remote Access service in Windows Server 2012 R2 that publishes web applications that users can interact with from many devices. It also includes proxy functionality for Active Directory Federation Services (AD FS), which helps system administrators provide secure access to an AD FS server. By using Web Application Proxy, system administrators choose how users authenticate themselves to a web application and can determine who is authorized to use it.

In hybrid SharePoint Server environments in which SharePoint Online requests data from SharePoint Server, you can use Windows Server 2012 R2 with Web Application Proxy as a reverse proxy device to securely relay requests from the Internet to your on-premises SharePoint Server farm.

Important

To use Web Application Proxy as a reverse proxy device in a hybrid SharePoint Server environment, you must also deploy AD FS in Windows Server 2012 R2.

Note

To install and configure the Web Application Proxy feature, you must be a local administrator on the computer where Windows Server 2012 R2 is installed. The Windows Server 2012 R2 server running the Web Application Proxy feature can be a member of a domain or a workgroup.

Step 1: Install AD FS and the Web Application Proxy feature

For information about installing AD FS in Windows Server 2012 R2, see Active Directory Federation Services Overview.

For information about installing the Web Application Proxy feature in Windows Server 2012 R2, see Install Server Roles and Features on a Server Core Server.

Step 2: Configure the Web Application Proxy

This section describes how to configure the Web Application Proxy feature after it is installed:

  1. Import the Secure Channel SSL certificate. Web Application Proxy matches the thumbprint you supply against the Secure Channel certificate, so that certificate must be imported and installed in the local computer's Personal certificate store on the Web Application Proxy server.

  2. Configure Web Application Proxy with a published application that can accept inbound requests from your SharePoint Online tenant.

Import the Secure Channel SSL certificate

You must import the Secure Channel SSL certificate into the Personal store of the local computer account and then set permissions on the certificate's private key to grant the service account of the Web Application Proxy Service (appproxysvc) Full Control.

Note

The default service account of the Web Application Proxy Service is the local computer's Network Service account.

The location of the Secure Channel SSL certificate is recorded in Row 1 (Secure Channel SSL Certificate location and Filename) of Table 4b: Secure Channel SSL Certificate.
If the certificate contains a private key, you will need to provide the certificate password, which is recorded in Row 4 (Secure Channel SSL Certificate password) of Table 4b: Secure Channel SSL Certificate.

For information about how to import an SSL certificate, see Import a Certificate.

Configure the published application

Note

The steps in this section can be performed only by using Windows PowerShell.

To configure a published application that accepts and relays requests from your SharePoint Online tenant, type the following Windows PowerShell command.

Add-WebApplicationProxyApplication -ExternalPreauthentication ClientCertificate -ExternalUrl <external URL> -BackendServerUrl <bridging URL> -Name <friendly name of the published application> -ExternalCertificateThumbprint <certificate thumbprint> -ClientCertificatePreauthenticationThumbprint <certificate thumbprint> -DisableTranslateUrlInRequestHeaders:$False -DisableTranslateUrlInResponseHeaders:$False

Where:

  • <external URL> is the external URL for the web application. This is the public URL to which SharePoint Online will send inbound requests for SharePoint Server content and resources.
    The external URL is recorded in Row 3 (External URL) of Table 3: Public Domain Info in the SharePoint Hybrid worksheet.
  • <bridging URL> is the internal URL you configured for the primary web application in your on-premises SharePoint Server farm. This is the URL to which Web Application Proxy will relay inbound requests from SharePoint Online.
    The bridging URL is recorded in one of the following locations in the SharePoint Hybrid worksheet:
    If your primary web application is configured with a host-named site collection, use the value in Row 1 (Primary web application URL) of Table 5a: Primary web application (host-named site collection).
    If your primary web application is configured with a path-based site collection, use the value in Row 1 (Primary web application URL) of Table 5b: Primary web application (path-based site collection without AAM).
    If your primary web application is configured with a path-based site collection with AAM, use the value in Row 5 (Primary web application URL) of Table 5c: Primary web application (path-based site collection with AAM).
  • <friendly name of the published application> is a name you choose to identify the published application in Web Application Proxy.

  • <certificate thumbprint> is the thumbprint, as a string with no spaces, of the certificate to use for the address specified by the ExternalUrl parameter. This value is entered twice: once for the ExternalCertificateThumbprint parameter and again for the ClientCertificatePreauthenticationThumbprint parameter.

This is the thumbprint of the Secure Channel SSL certificate. The location of this certificate file is recorded in Row 1 (Secure Channel SSL Certificate location and Filename) of Table 4b: Secure Channel SSL Certificate.

For additional information about the Add-WebApplicationProxyApplication cmdlet, see Add-WebApplicationProxyApplication.
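The import, private-key permission, publish and validation steps above as one script, added here as an example and not taken from the original article. The PFX path, password prompt, URLs and friendly name are placeholders to be replaced with the values from your SharePoint Hybrid worksheet, and the permission step assumes the certificate's private key is an RSA CSP (CAPI) key stored under MachineKeys.

```powershell
# Added example (not from the original article). Placeholder values below come
# from the SharePoint Hybrid worksheet; replace them before running.
$PfxPath     = 'C:\certs\secure-channel.pfx'              # Table 4b, Row 1 (placeholder)
$PfxPassword = Read-Host -AsSecureString 'PFX password'   # Table 4b, Row 4
$ExternalUrl = 'https://hybrid.contoso.com/'              # Table 3, Row 3 (placeholder)
$BridgingUrl = 'https://sharepoint.contoso.local/'        # Table 5a/5b/5c (placeholder)
$AppName     = 'SharePoint Hybrid'                        # friendly name (placeholder)

# 1. Import the Secure Channel SSL certificate into the local computer's Personal store.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
$thumbprint = $cert.Thumbprint   # already a hex string with no spaces

# 2. Grant the Web Application Proxy service account (Network Service by default)
#    Full Control on the private key file. Assumes an RSA CSP key; CNG keys live
#    under ...\Microsoft\Crypto\Keys instead and would need that path.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE', 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Publish the application. The same thumbprint is used for the external
#    listener and for client-certificate preauthentication.
Add-WebApplicationProxyApplication -ExternalPreauthentication ClientCertificate `
    -ExternalUrl $ExternalUrl -BackendServerUrl $BridgingUrl -Name $AppName `
    -ExternalCertificateThumbprint $thumbprint `
    -ClientCertificatePreauthenticationThumbprint $thumbprint `
    -DisableTranslateUrlInRequestHeaders:$false `
    -DisableTranslateUrlInResponseHeaders:$false

# 4. Validate: the thumbprints recorded on the published application must refer to
#    a certificate that is actually present in LocalMachine\My, or the listener
#    cannot bind, and the two thumbprints must match each other.
$app = Get-WebApplicationProxyApplication -Name $AppName
if (-not (Test-Path "Cert:\LocalMachine\My\$($app.ExternalCertificateThumbprint)")) {
    Write-Warning "Certificate $($app.ExternalCertificateThumbprint) is not in LocalMachine\My"
}
if ($app.ClientCertificatePreauthenticationThumbprint -ne $app.ExternalCertificateThumbprint) {
    Write-Warning 'External and client-certificate preauthentication thumbprints differ'
}
$app | Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
    ExternalCertificateThumbprint, ClientCertificatePreauthenticationThumbprint
```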

Validate the published application

To validate the published application, use the Get-WebApplicationProxyApplication cmdlet. Type the following Windows PowerShell command.

Get-WebApplicationProxyApplication |fl

The output should resemble the following.

ADFSRelyingPartyID : <populated at run time>
ADFSRelyingPartyName : <relying party name>
BackendServerAuthenticationMode : ADFS
BackendServerAuthenticationSPN : None
BackendServerCertificateValidation : None
BackendServerUrl : https://<bridging URL>/
ClientCertificateAuthenticationBindingMode : None
ClientCertificatePreauthenticationThumbprint : <certificate thumbprint>
DisableTranslateUrlInRequestHeaders : False
DisableTranslateUrlInResponseHeaders : False
ExternalCertificateThumbprint : <certificate thumbprint>
ExternalPreauthentication : PassThrough
ExternalUrl : https://<external URL>/
ID : 91CFE805-44FB-A8A6-41E9-6197448BEA72
InactiveTransactionsTimeoutSec : 300
Name : <friendly name of the published application>
UseOAuthAuthentication : False
PSComputerName :

Troubleshooting

Web Application Proxy logs events and errors to the Application and Remote Access Windows Server event logs. Logging plays an important role in troubleshooting connectivity and authentication issues between SharePoint Server and SharePoint Online. Identifying the component that is causing a connection failure can be challenging, and the reverse proxy logs are the first place you should look for clues. Troubleshooting can involve comparing log events from the Web Application Proxy event logs, SharePoint Server ULS logs, Windows Server event logs, and Internet Information Services (IIS) logs on multiple servers.

For more information on troubleshooting techniques and tools for SharePoint Server hybrid environments, see Troubleshooting hybrid environments.

See also

Concepts

Hybrid for SharePoint Server

Configure a reverse proxy device for SharePoint Server hybrid