Plan connectivity from Office 365 to SharePoint Server

Summary: Plan and prepare to configure inbound connectivity from Office 365 to a SharePoint Server hybrid environment.

This article is designed to help you plan and prepare to configure inbound connectivity from Office 365 for enterprises to SharePoint Server through a reverse proxy device. This is required for the following hybrid environments:

  • Inbound hybrid search (displaying search results from SharePoint Server in Office 365)

  • Hybrid Business Connectivity Services

In this article, we give you the information that you need to know, such as prerequisites, and a worksheet to collect the necessary information before you begin the configuration process.

This topic will help you do the following:

  • Understand the prerequisites and requirements for inbound connectivity

  • Plan your web application architecture

  • Plan SSL certificates

  • Record key decisions and information

Gather and record worksheet and build log information

Worksheet. During the planning process, you have to collect information and files. It is important to use the SharePoint hybrid worksheet to track planning and deployment information for reference and to share it with other members of your deployment team. We can't stress enough the importance of using this worksheet to organize your information before you begin the configuration process.

Create a build log. As in any complex implementation project, a detailed record of every design decision, server configuration, procedure, command output, and error is a very important reference for troubleshooting, support, and awareness. We highly recommend that you thoroughly document your deployment process.

Warning

For security reasons, store the worksheet and the build log in a security-enhanced place, such as a secured file share or SharePoint document library, and grant permissions only to administrators who are involved in the deployment process and must know this information.

Collect and record URL and host name information

In this section, you record information about the URLs and host names in your environment. You will use this information during the deployment process.

  • Record your company's public DNS domain name (such as adventureworks.com).

  • Record the URL of the public-facing endpoint of the reverse proxy device that you'll use for SharePoint hybrid. This is the External URL. If this endpoint doesn't exist yet, you'll have to decide what this URL will be.

  • Record the IP address of the external endpoint of the reverse proxy device.

  • Ensure that an A record (also known as a host record) exists in the public DNS forward lookup zone for your public domain that maps the External URL to the IP address of the Internet-facing endpoint on the reverse proxy device. If you don't yet have this A record, create it now.

  • Ensure that an A record exists in the intranet DNS forward lookup zone that maps the host name of your SharePoint Server farm to its IP address. If you don't yet have this A record, create it now.

    Important

    If you configure internal URLs to access a web application during the deployment process, make sure that you also create A records for those URLs in the intranet DNS forward lookup zone, and record them on the worksheet.

Record the following information in Table 3 of the SharePoint Hybrid worksheet:

  • The domain name of the public-facing corporate DNS domain, in the Public Internet Domain name row.

  • The URL of the public-facing endpoint of the reverse proxy device, in the External URL row.

  • The IP address of the external endpoint of the reverse proxy device, in the IP Address of the external endpoint row.

For more information about the relationship between URLs and host names in a hybrid environment, watch the video Understanding URLs and host names. Length: 6 minutes.

Plan your web application architecture

This section helps you plan the architecture of the SharePoint Server web applications that you will use in your hybrid environment.

Inbound connectivity requires a secure communication channel between the on-premises SharePoint Server farm and SharePoint Online. Data is exchanged between a site collection in SharePoint Online and an on-premises web application over this communication channel.

SharePoint Online sends requests to a reverse proxy server that relays the requests to a specific web application in the on-premises SharePoint Server farm that is configured for SharePoint hybrid. We refer to this as the primary web application.

Tip

Regardless of how many hybrid solutions you plan to configure, you typically use only one primary web application. You don't have to create an extra primary web application for each additional hybrid solution.

Both the primary web application and a single site collection within the primary web application must be configured to accept inbound connections from SharePoint Online.

The SharePoint administrator associates the services and connection objects that are needed to support the hybrid solutions being deployed with the primary web application. Outbound connections can be made from any on-premises SharePoint Server web application by using the feature-specific configurations.

A SharePoint Server web application is composed of an Internet Information Services (IIS) website that acts as a logical unit for the site collections that you create. Each web application is represented by a different IIS website that has a unique or shared application pool, has a unique public URL, and can also be configured to use up to five internal URLs through Alternate Access Mapping (AAM). A given web application is associated with a single content database and is configured to use a specific authentication method to connect to the database. Multiple web applications can be configured to use different authentication methods, and optionally AAMs, to provide access to a single content database.

A web application's public URL is always used as the root URL in all links to sites and content accessed through the web application. Consider a web application with the public URL https://spexternal.adventureworks.com that has an internal URL https://sharepoint configured in AAM. When you browse to the internal URL https://sharepoint, SharePoint Server returns the website with the URL https://spexternal.adventureworks.com, and all links within the site have URLs based on that path.

Alternate access mapping (AAM) is needed only when you are configuring inbound connectivity using a path-based site collection with a public URL that is different from the External URL. AAM lets you associate the External URL with the internal URL of a SharePoint site inside your organization. This enables SharePoint Server to route requests for internal URLs configured in AAM to the corresponding primary web application.

For more information about claims-based web applications, see Create claims-based web applications in SharePoint Server.

For more information about how to extend a web application, see Extend claims-based web applications in SharePoint.

For more information about site collections, see Overview of sites and site collections in SharePoint Server.

Choose a site collection strategy

Before you decide to use an existing web application or create a new one, you must understand the configuration requirements that the web application and site collection must meet to support hybrid functionality. Use the information in this section to determine your strategy for creating a new web application and site collection, or to determine whether a site collection in an existing web application can be used in your hybrid environment.

The following figure shows the decision flow for determining your site collection strategy.

Figure: Three possible site collection strategies for a one-way inbound or two-way SharePoint hybrid authentication topology.

Requirements for hybrid web applications

Web applications used for hybrid functionality must meet all of these requirements:

  • The public URL of the web application must be identical to the External URL.

    The OAuth protocol provides user authorization in SharePoint hybrid solutions. The Host request header in all SharePoint Online communications to SharePoint on-premises contains the URL to which the request was originally sent. To authenticate inbound requests from SharePoint Online, the on-premises SharePoint Authentication service must be able to match this URL in all traffic from SharePoint Online to the public URL of the primary web application. This is the External URL. One advantage of using a host-named site collection for SharePoint hybrid environments is that you can configure the host-named site collection to use the same URL as the External URL. This eliminates the need to configure Alternate Access Mapping.

  • The web application must be configured to use Integrated Windows authentication using NTLM.

    Integrated Windows authentication using NTLM is required for web applications that are deployed in scenarios that support server-to-server authentication and app authentication. For more information, see Plan for server-to-server authentication in SharePoint Server.

    Figure: Claim authentication types for SharePoint hybrid.

Requirements for specific site collection configurations

Site collections used for hybrid functionality must meet all of these requirements, and must also either exist in or be created in a web application that meets the web application requirements:

  • Host-named site collections

    • The web application must support host-named site collections.

      To create a host-named site collection, the web application must be created with host-named site collections enabled. You cannot enable this functionality after the web application has been created.

      For more information about how to create a host-named site collection, see Host-named site collection architecture and deployment in SharePoint Server.

      Note

      Although this is a web application requirement, it is listed here because it applies only to environments that have host-named site collections.

    • Your on-premises DNS server has to be configured with split DNS. You need to create a forward lookup zone for the public Internet domain that you used for your public URL, and an A (host) record in that forward lookup zone that maps the host name of your External URL to the IP address of the SharePoint server.

      Important

      The reverse proxy device must be able to resolve host names in this forward lookup zone to relay inbound requests to the SharePoint Server farm.

  • Path-based site collections

    • If the public URL is identical to the External URL:

      Your on-premises DNS server must be configured with split DNS. You need to create a forward lookup zone for the public Internet domain that you used for your public URL, and an A record in that forward lookup zone that maps the host name of your External URL to the IP address of the SharePoint server.

      Important

      The reverse proxy device must be able to resolve host names in this forward lookup zone to relay inbound requests to the SharePoint Server farm.

      This is an easy way to configure a web application for SharePoint hybrid. The goal is to match the Public URL field of the new web application to the URL of the public-facing endpoint on the reverse proxy, which is also known as the External URL.

    • If the public URL is different from the External URL:

      You need to configure an alternate access mapping (AAM) to relay inbound requests from SharePoint Online.

      Extend the primary web application and use the External URL as its Public URL. Then create an Internal URL (via Add Internal URLs) in the same security zone as the extended web application to use as a bridging URL. You will also configure the reverse proxy device to relay inbound requests from SharePoint Online to this bridging URL.

      Remember, alternate access mapping (AAM) is needed only when you are configuring inbound connectivity using a path-based site collection with a public URL that is different from the External URL.

Note

Remember that the External URL is the URL of the Internet-facing endpoint of the reverse proxy device.

Record your site collection strategy choice on the worksheet in the Site collection strategy row of Table 2.
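
The decision flow above, written out as a pre-flight check. This is an added example and not code from the original article or from Microsoft; the strategy names, the `Plan` record, the zone labels and all URLs and IP addresses are constructed for illustration, and `host_header_accepted` is a simplified model of the Host-header match that the web application requirement describes.

```python
"""Site collection strategy pre-flight for SharePoint hybrid inbound connectivity.

Added example, not code from the original article: it encodes the decision flow
and DNS record requirements described above. All URLs and IP addresses are
constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class Plan:
    strategy: str                # which of the three site collection strategies applies
    aam_required: bool           # whether Alternate Access Mapping (AAM) must be set up
    bridging_url: Optional[str]  # internal URL the reverse proxy relays to (AAM case only)
    dns_records: List[Tuple[str, str, str]] = field(default_factory=list)  # (zone, host, ip)


def _host(url: str) -> str:
    """Return the lower-cased host name of an https URL; anything else is rejected."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https URL, got {url!r}")
    return parts.hostname.lower().rstrip(".")


def host_header_accepted(host_header: str, public_url: str) -> bool:
    """Simplified model of the requirement behind the strategies: the on-premises
    authentication service matches the Host header that SharePoint Online sends
    against the primary web application's public URL (port is ignored here)."""
    return host_header.split(":")[0].lower().rstrip(".") == _host(public_url)


def choose_strategy(public_url: str, external_url: str, proxy_ip: str, farm_ip: str,
                    host_named: bool, bridging_url: Optional[str] = None) -> Plan:
    """Pick the strategy for the web application whose public URL is public_url."""
    ext_host, pub_host = _host(external_url), _host(public_url)
    # Always required: public DNS maps the External URL to the reverse proxy endpoint.
    records = [("public", ext_host, proxy_ip)]

    if host_named:
        # A host-named site collection uses the External URL as its own URL, so no
        # AAM is needed; split DNS lets the reverse proxy resolve it to the farm.
        if pub_host != ext_host:
            raise ValueError("a host-named site collection must use the External URL")
        records.append(("intranet-split", ext_host, farm_ip))
        return Plan("host-named site collection", False, None, records)

    if pub_host == ext_host:
        # Path-based, public URL identical to the External URL: split DNS only.
        records.append(("intranet-split", ext_host, farm_ip))
        return Plan("path-based, public URL = External URL", False, None, records)

    # Path-based with a different public URL: extend the web application with the
    # External URL as its public URL and add an internal (bridging) URL via AAM.
    # The bridging URL needs its own A record in the intranet zone.
    if bridging_url is None:
        raise ValueError("public URL differs from the External URL: a bridging URL is required")
    records.append(("intranet", _host(bridging_url), farm_ip))
    return Plan("path-based, public URL != External URL (extend + AAM)",
                True, bridging_url, records)
```
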

Choose an existing web application or create a new one

You can either use an existing web application or create one to use as the primary web application.

If you prefer to manage the web application used for hybrid functionality independently, or if your existing web application does not meet the requirements listed in the Choose a site collection strategy section, you should create a new web application.

Record your decision in the New or existing web application row of Table 2.

Plan to use an existing web application

If you decide to use an existing web application as the primary web application, gather the URL of the primary web application and the URL of the top-level site collection, and list them on the worksheet.

Record the following information on the worksheet:

  • Depending on your site collection strategy, record the URL of the primary web application in the Primary web application URL row of Table 5a, 5b, or 5c.

  • If you are using an existing host-named site collection, record the URL of the top-level site collection in the Host-named site collection URL row of Table 5a.

After you record this information, go to the section OBSOLETE Plan a two-way hybrid topology.

Plan to create a new web application

If you decide to create a new web application, we will direct you on how to do this when you are configuring the hybrid topology.

Plan SSL certificates

SSL certificates establish server identity and provide certificate authentication for several different services and connections in a SharePoint hybrid environment. You need two SSL certificates: a Secure Channel SSL certificate and an STS certificate.

For more information on how SSL certificates are used in SharePoint hybrid environments, see SharePoint 2013 Hybrid Topology: Certificate and Authentication Model.

Note

If you choose to help secure your on-premises SharePoint farm with SSL, you will also need an SSL certificate for the primary web application. There are no hybrid-specific considerations for this certificate, so you can follow the general best practices for configuring SharePoint Server with SSL.

Note

"Secure Channel" is not a class of certificate; we use the term to differentiate this particular certificate from the other SSL certificates used in the environment.

About Secure Channel SSL certificates

A Secure Channel SSL certificate provides authentication and encryption for the secure communication channel between the reverse proxy device and Office 365, acting as both a server and a client certificate. It also verifies the identity of the reverse proxy endpoint that is used to publish the on-premises SharePoint Server site collection.

This certificate must be either a wildcard or a SAN certificate and must be issued by a public root certification authority. The subject field of this certificate must contain the host name of the external endpoint of the reverse proxy server, or a wildcard entry that covers all host names in the namespace. It must use a key of at least 2048 bits.

Important

Wildcard certificates can secure only a single level of a DNS namespace. For example, if your External URL is https://spexternal.public.adventureworks.com, the subject of your wildcard certificate must be *.public.adventureworks.com, not *.adventureworks.com.

In scenarios where SharePoint Online is configured to request information from SharePoint Server, an SSL certificate is required to do the following:

  • Encrypt traffic over the secure channel.

  • Enable the reverse proxy device to authenticate inbound connections using Certificate Authentication.

  • Allow SharePoint Online to identify and trust the external endpoint.

During deployment, you'll install the SSL certificate both on the reverse proxy device and in a SharePoint Online Secure Store target application. You will do this when you configure the hybrid environment infrastructure.

Get a Secure Channel SSL certificate

Get a Secure Channel SSL wildcard or SAN (Subject Alternative Name) certificate for your on-premises public domain from a well-known certificate authority, such as DigiCert, VeriSign, Thawte, or GeoTrust.

Note

This certificate must support multiple names and must be at least 2048 bits.

The Subject or Subject Name field of the certificate must contain a wildcard entry for the domain name in the External URL. For example, if your External URL is https://spexternal.public.adventureworks.com, the subject of your wildcard certificate should be *.public.adventureworks.com.

Certificates typically expire at one-year intervals, so it's important to plan in advance for certificate renewals to avoid service interruptions. SharePoint administrators should schedule a reminder for certificate replacement that gives enough lead time to prevent a work stoppage.

Record the following on the worksheet in Table 4b: Secure Channel SSL Certificate:

  • The name of this certificate and the location where you stored it, in the Secure Channel Certificate location and file name row.

  • The friendly name of this certificate, in the Secure Channel SSL Certificate Friendly Name row.

  • The type of certificate (wildcard or SAN), in the Type of certificate row.

  • The expiration date of the certificate, in the Expiration date row.

  • If this certificate has a .pfx file name extension, the certificate's password, in the Secure Channel SSL Certificate Password row. Remember to help secure the worksheet with password protection if you add password information to it.
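
The Secure Channel certificate rules above (wildcard or SAN, public root CA, at least 2048 bits, single-level wildcard scope, renewal lead time) as one pre-flight check. This is an added example and not code from the original article or from Microsoft; the certificate is represented by a constructed `CertInfo` record of already-parsed fields rather than a real PEM file, so it runs offline, and the `renewal_lead` default and the "more than one distinct name" heuristic for recognising a SAN certificate are assumptions.

```python
"""Secure Channel SSL certificate pre-flight checks for the External URL.

Added example, not code from the original article. A certificate is represented
by a constructed record of its parsed fields (subject, SANs, key size, expiry,
issuer type); the rules checked are the ones the article states.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class CertInfo:
    subject_cn: str      # Subject / Subject Name field
    sans: Tuple[str, ...]  # Subject Alternative Names (empty for a plain wildcard cert)
    key_bits: int        # RSA key size in bits
    not_after: date      # expiration date
    public_ca: bool      # issued by a public root CA (not self-signed or private)


def name_covers(pattern: str, host: str) -> bool:
    """RFC 6125-style matching: a wildcard covers exactly one DNS label.

    '*.public.adventureworks.com' matches 'spexternal.public.adventureworks.com'
    but not 'public.adventureworks.com' or 'a.b.public.adventureworks.com', which
    is why '*.adventureworks.com' cannot secure the External URL in the article.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                        # '.public.adventureworks.com'
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def check_secure_channel_cert(cert: CertInfo, external_url: str, today: date,
                              renewal_lead: timedelta = timedelta(days=30)) -> List[str]:
    """Return the list of problems found; an empty list means the certificate is usable."""
    parts = urlparse(external_url)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return [f"External URL must be an https URL with a host name: {external_url!r}"]

    problems = []
    names = tuple(n.lower() for n in (cert.subject_cn,) + tuple(cert.sans))

    # The subject or a SAN entry must cover the host name of the reverse proxy endpoint.
    if not any(name_covers(n, host) for n in names):
        problems.append(f"no subject or SAN entry covers {host}")

    # Heuristic (assumption): "wildcard or SAN certificate" means a wildcard name
    # or more than one distinct name; a single plain host name does not qualify.
    if not (any(n.startswith("*.") for n in names) or len(set(names)) > 1):
        problems.append("certificate must be a wildcard or a SAN certificate")

    if cert.key_bits < 2048:
        problems.append(f"key is {cert.key_bits} bits; at least 2048 bits are required")
    if not cert.public_ca:
        problems.append("certificate must be issued by a public root certification authority")

    # Certificates usually expire yearly: flag expiry and a renewal window in advance.
    if cert.not_after <= today:
        problems.append(f"certificate expired on {cert.not_after}")
    elif cert.not_after - today <= renewal_lead:
        problems.append(f"certificate expires on {cert.not_after}; schedule the renewal now")
    return problems
```
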

About STS certificates

The Security Token Service (STS) of the on-premises SharePoint farm uses a default certificate to validate incoming tokens. In a SharePoint hybrid environment, Azure Active Directory acts as a trusted token signing service and uses the STS certificate as the signing certificate. Azure Active Directory cannot use the default STS certificate from SharePoint Server as a signing certificate because it cannot verify the trust chain.

Therefore, you must replace the default STS certificate on each server in the on-premises SharePoint farm with one of the following:

  • A certificate issued by a public certification authority (CA) that is trusted by Azure Active Directory

  • A self-signed certificate

The default STS certificate is replaced later, when you configure the identity management infrastructure.

Important

This certificate must be at least 2048 bits.

You'll have to replace the STS certificate on each web and application server in the SharePoint Server farm.

Certificates typically expire at one-year intervals, so it's important to plan in advance for certificate renewals to avoid service interruptions.

If you choose to use a self-signed certificate, you'll create it during the deployment configuration. The steps for creating a new self-signed certificate for SharePoint are included in the Configure server-to-server authentication from SharePoint Server to SharePoint Online topic.

Obtain an STS certificate

Get your STS certificate before you begin the configuration process.

Record the following on the worksheet in Table 4a: STS Certificate:

  • STS Certificate Friendly Name

  • STS Certificate path\file name (*.pfx file)

  • STS Certificate Password

  • STS Certificate path\file name (*.cer file)

  • Subject Name

  • STS Certificate Start Date

  • STS Certificate End Date

Record the accounts needed for configuration and testing

Setting up a SharePoint hybrid environment requires several user accounts in both your on-premises Active Directory and the Office 365 directory (Azure Active Directory, which is surfaced as the Office 365 directory). These accounts have different permissions and group or role memberships. Some of the accounts are used to deploy and configure software, and some are needed to test specific functionality to help confirm that the security and authentication systems are working as expected.

  • Go to Accounts needed for hybrid configuration and testing for a complete explanation of the required user accounts, including notes about roles and identity providers.

  • Record the required account information in the worksheet as instructed.

  • Return to this planning article after you complete this step.

Next steps

At this point, you should have completed the required worksheet for inbound connectivity and be ready to start the configuration process. Your next step is to choose a configuration roadmap.