Detailed troubleshooting steps for remote desktop connection issues to Windows VMs in Azure

This article provides detailed troubleshooting steps to diagnose and fix complex Remote Desktop errors for Windows-based Azure virtual machines.

Important

To eliminate the more common Remote Desktop errors, make sure to read the basic troubleshooting article for Remote Desktop before proceeding.

You may encounter a Remote Desktop error message that does not resemble any of the specific error messages covered in the basic Remote Desktop troubleshooting guide. Follow these steps to determine why the Remote Desktop (RDP) client is unable to connect to the RDP service on the Azure VM.

If you need more help at any point in this article, you can contact the Azure experts on the MSDN Azure and Stack Overflow forums. Alternatively, you can file an Azure support incident. Go to the Azure Support site and click Get Support. For information about using Azure Support, read the Microsoft Azure Support FAQ.

Components of a Remote Desktop connection

The following components are involved in an RDP connection:

Diagram showing the components involved in a Remote Desktop (RDP) connection.

Before proceeding, it might help to mentally review what has changed since the last successful Remote Desktop connection to the VM. For example:

  • The public IP address of the VM or of the cloud service containing the VM (also called the virtual IP address, VIP) has changed. The RDP failure could be because your DNS client cache still has the old IP address registered for the DNS name. Flush your DNS client cache and try connecting to the VM again. Or try connecting directly to the new VIP.
  • You are using a third-party application to manage your Remote Desktop connections instead of using the connection generated by the Azure portal. Verify that the application configuration includes the correct TCP port for the Remote Desktop traffic. You can check this port for a classic virtual machine in the Azure portal by clicking the VM's Settings > Endpoints.

Preliminary steps

Before proceeding to the detailed troubleshooting,

Try reconnecting to the VM via Remote Desktop after these steps.

Detailed troubleshooting steps

The Remote Desktop client may not be able to reach the Remote Desktop service on the Azure VM due to issues at the following sources:

Source 1: Remote Desktop client computer

Verify that your computer can make Remote Desktop connections to another on-premises, Windows-based computer.

Diagram of the components in a Remote Desktop (RDP) connection, with the RDP client highlighted and an arrow pointing to another on-premises computer to indicate the connection.

If you cannot, check for the following settings on your computer:

  • A local firewall setting that is blocking Remote Desktop traffic.
  • Locally installed client proxy software that is preventing Remote Desktop connections.
  • Locally installed network monitoring software that is preventing Remote Desktop connections.
  • Other types of security software that monitor traffic or allow/disallow specific types of traffic and are preventing Remote Desktop connections.

In all these cases, temporarily disable the software and try to connect to an on-premises computer via Remote Desktop. If you can find the actual cause this way, work with your network administrator to correct the software settings to allow Remote Desktop connections.

Source 2: Organization intranet edge device

Verify that a computer directly connected to the Internet can make Remote Desktop connections to your Azure virtual machine.

Diagram of the components in a Remote Desktop (RDP) connection, with the RDP client connected to the Internet highlighted and an arrow pointing to the Azure virtual machine to indicate the connection.

If you do not have a computer that is directly connected to the Internet, create and test with a new Azure virtual machine in a resource group or cloud service. For more information, see Create a virtual machine running Windows in Azure. You can delete the virtual machine and the resource group or cloud service after the test.

If you can create a Remote Desktop connection from a computer directly attached to the Internet, check your organization intranet edge device for:

  • An internal firewall blocking HTTPS connections to the Internet.
  • A proxy server preventing Remote Desktop connections.
  • Intrusion detection or network monitoring software running on devices in your edge network that is preventing Remote Desktop connections.

Work with your network administrator to correct the settings of your organization intranet edge device to allow HTTPS-based Remote Desktop connections to the Internet.

Source 3: Cloud service endpoint and ACL

Important

Classic VMs will be retired on March 1, 2023.

If you use IaaS resources from ASM, please complete your migration by March 1, 2023. We encourage you to make the switch sooner to take advantage of the many feature enhancements in Azure Resource Manager.

For more information, see Migrate your IaaS resources to Azure Resource Manager by March 1, 2023.

For VMs created using the Classic deployment model, verify that another Azure VM in the same cloud service or virtual network can make Remote Desktop connections to your Azure VM.

Diagram of the components in a Remote Desktop (RDP) connection, with one Azure VM highlighted and an arrow pointing to another Azure VM in the same cloud service to indicate the connection.

Note

For virtual machines created in Resource Manager, skip to Source 4: Network Security Groups.

If you do not have another virtual machine in the same cloud service or virtual network, create one. Follow the steps in Create a virtual machine running Windows in Azure. Delete the test virtual machine after the test is completed.

If you can connect via Remote Desktop to a virtual machine in the same cloud service or virtual network, check for these settings:

  • The endpoint configuration for Remote Desktop traffic on the target VM: the private TCP port of the endpoint must match the TCP port on which the VM's Remote Desktop service is listening (default is 3389).
  • The ACL for the Remote Desktop traffic endpoint on the target VM: ACLs allow you to specify allowed or denied incoming traffic from the Internet based on its source IP address. Misconfigured ACLs can prevent incoming Remote Desktop traffic to the endpoint. Check your ACLs to ensure that incoming traffic from the public IP addresses of your proxy or other edge server is allowed. For more information, see What is a Network Access Control List (ACL)?

To check if the endpoint is the source of the problem, remove the current endpoint and create a new one, choosing a random port in the range 49152–65535 for the external port number. For more information, see How to set up endpoints to a virtual machine.

Source 4: Network Security Groups

Network Security Groups allow more granular control of allowed inbound and outbound traffic. You can create rules spanning subnets and cloud services in an Azure virtual network.

Use IP flow verify to confirm whether a rule in a Network Security Group is blocking traffic to or from a virtual machine. You can also review the effective security group rules to ensure that an inbound "Allow" NSG rule exists and is prioritized for the RDP port (default 3389). For more information, see Using Effective Security Rules to troubleshoot VM traffic flow.

Source 5: Windows-based Azure VM

Diagram of the components in a Remote Desktop (RDP) connection, with the Azure VM inside the cloud service highlighted and a message indicating that it is a possible source of problems.

Follow the instructions in this article. This article resets the Remote Desktop service on the virtual machine:

  • Enable the "Remote Desktop" Windows Firewall default rule (TCP port 3389).
  • Enable Remote Desktop connections by setting the HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections registry value to 0.

Try the connection from your computer again. If you are still not able to connect via Remote Desktop, check for the following possible problems:

  • The Remote Desktop service is not running on the target VM.
  • The Remote Desktop service is not listening on TCP port 3389.
  • Windows Firewall or another local firewall has an outbound rule that is preventing Remote Desktop traffic.
  • Intrusion detection or network monitoring software running on the Azure virtual machine is preventing Remote Desktop connections.
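The following function, added here as an example and not part of the original article, checks the VM-side items just listed (service state, the fDenyTSConnections value, the configured listening port, the inbound "Remote Desktop" firewall rule group, and enabled outbound block rules for that port) from a PowerShell session on the VM. It assumes an English-language Windows installation where the firewall rule group is named "Remote Desktop", and a Windows version that ships the NetTCPIP and NetSecurity modules.

```powershell
# Added example: summarize the RDP-related settings on the VM itself.
# Run from an elevated (or remote) PowerShell session on the target VM.
function Test-RdpConfiguration {
    $report = [ordered]@{}

    # 1. Is the Remote Desktop service (TermService) running?
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $report.ServiceStatus = if ($svc) { $svc.Status } else { 'NotFound' }

    # 2. Are Remote Desktop connections allowed? fDenyTSConnections must be 0.
    $ts = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $report.ConnectionsAllowed = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)

    # 3. Which port is configured for RDP-Tcp, and is anything listening on it?
    $port = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                              -Name PortNumber).PortNumber
    $report.ConfiguredPort = $port
    $report.PortIsDefault  = ($port -eq 3389)
    $report.Listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)

    # 4. Is the built-in inbound "Remote Desktop" firewall rule group enabled?
    #    Assumption: English display group name.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $report.InboundRuleEnabled = [bool]($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    # 5. Count enabled outbound Block rules whose local port filter includes the RDP port.
    $outbound = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    $report.OutboundBlockRulesForPort = @($outbound | Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port"
    }).Count

    [pscustomobject]$report
}

Test-RdpConfiguration
```

A healthy VM reports ServiceStatus Running, ConnectionsAllowed True, Listening True, InboundRuleEnabled True and OutboundBlockRulesForPort 0; any other value points at the corresponding item in the list above.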

For VMs created using the classic deployment model, you can use a remote Azure PowerShell session to the Azure virtual machine. First, you need to install a certificate for the virtual machine's hosting cloud service. Go to Configure Secure Remote PowerShell Access to Azure Virtual Machines and download the InstallWinRMCertAzureVM.ps1 script file to your local computer.

Next, install Azure PowerShell if you haven't already. See How to install and configure Azure PowerShell.

Next, open an Azure PowerShell command prompt and change the current folder to the location of the InstallWinRMCertAzureVM.ps1 script file. To run an Azure PowerShell script, you must set the correct execution policy. Run the Get-ExecutionPolicy command to determine your current policy level. For information about setting the appropriate level, see Set-ExecutionPolicy.

Next, fill in your Azure subscription name, the cloud service name, and your virtual machine name (removing the < and > characters), and then run these commands.

$subscr="<Name of your Azure subscription>"
$serviceName="<Name of the cloud service that contains the target virtual machine>"
$vmName="<Name of the target virtual machine>"
.\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscr -ServiceName $serviceName -Name $vmName

You can get the correct subscription name from the SubscriptionName property in the output of the Get-AzureSubscription command. You can get the cloud service name for the virtual machine from the ServiceName column in the output of the Get-AzureVM command.

Check that you have the new certificate. Open a Certificates snap-in for the current user and look in the Trusted Root Certification Authorities\Certificates folder. You should see a certificate with the DNS name of your cloud service in the Issued To column (example: cloudservice4testing.cloudapp.net).

Next, initiate a remote Azure PowerShell session by using these commands.

$uri = Get-AzureWinRMUri -ServiceName $serviceName -Name $vmName
$creds = Get-Credential
Enter-PSSession -ConnectionUri $uri -Credential $creds

After entering valid administrator credentials, you should see something similar to the following Azure PowerShell prompt:

[cloudservice4testing.cloudapp.net]: PS C:\Users\User1\Documents>

The first part of this prompt is the name of the cloud service that contains the target VM, which could be different from "cloudservice4testing.cloudapp.net". You can now issue Azure PowerShell commands for this cloud service to investigate the problems mentioned and correct the configuration.

To manually correct the Remote Desktop Services listening TCP port

At the remote Azure PowerShell session prompt, run this command.

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber"

The PortNumber property shows the current port number. If needed, change the Remote Desktop port number back to its default value (3389) by using this command.

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value 3389

Verify that the port has been changed to 3389 by using this command.

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber"

Exit the remote Azure PowerShell session by using this command.

Exit-PSSession

Verify that the Remote Desktop endpoint for the Azure VM is also using TCP port 3389 as its internal port. Restart the Azure VM and try the Remote Desktop connection again.

Additional resources

How to reset a password or the Remote Desktop service for Windows virtual machines

How to install and configure Azure PowerShell

Troubleshoot Secure Shell (SSH) connections to a Linux-based Azure virtual machine

Troubleshoot access to an application running on an Azure virtual machine