Configure a Point-to-Site connection to a VNet using RADIUS authentication: PowerShell

This article shows you how to create a VNet with a Point-to-Site connection that uses RADIUS authentication. This configuration is only available for the Resource Manager deployment model.

A Point-to-Site (P2S) VPN gateway lets you create a secure connection to your virtual network from an individual client computer. Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such as when you are telecommuting from home or a conference. A P2S VPN is also a useful solution to use instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet.

A P2S VPN connection is started from Windows and Mac devices. Connecting clients can use the following authentication methods:

  • RADIUS server
  • VPN Gateway native certificate authentication
  • Native Azure Active Directory authentication (Windows 10 only)

This article helps you configure a P2S configuration that authenticates against a RADIUS server. If you want to authenticate using generated certificates and VPN gateway native certificate authentication instead, see Configure a Point-to-Site connection to a VNet using VPN gateway native certificate authentication, or Create an Azure Active Directory tenant for P2S OpenVPN protocol connections for Azure Active Directory authentication.

This diagram shows a P2S configuration that uses a RADIUS server for authentication.

Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN connection over SSTP (Secure Socket Tunneling Protocol), OpenVPN, or IKEv2.

  • SSTP is a TLS-based VPN tunnel that is supported only on Windows client platforms. It can penetrate firewalls, which makes it an ideal option to connect to Azure from anywhere. On the server side, we support SSTP versions 1.0, 1.1, and 1.2. The client decides which version to use. For Windows 8.1 and above, SSTP uses 1.2 by default.

  • OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (OSX versions 10.13 and above).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).

P2S connections require the following:

  • A RouteBased VPN gateway.
  • A RADIUS server to handle user authentication. The RADIUS server can be deployed on-premises, or in the Azure VNet. You can also configure two RADIUS servers for high availability.
  • A VPN client configuration package for the Windows devices that will connect to the VNet. A VPN client configuration package provides the settings required for a VPN client to connect over P2S.

About Active Directory (AD) Domain Authentication for P2S VPNs

AD Domain authentication allows users to sign in to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also leverage their existing RADIUS deployment.

The RADIUS server can reside on-premises, or in your Azure VNet. During authentication, the VPN gateway acts as a pass-through and forwards authentication messages back and forth between the RADIUS server and the connecting device. It's important for the VPN gateway to be able to reach the RADIUS server. If the RADIUS server is located on-premises, then a VPN Site-to-Site connection from Azure to the on-premises site is required.

Apart from Active Directory, a RADIUS server can also integrate with other external identity systems. This opens up plenty of authentication options for Point-to-Site VPNs, including MFA options. Check your RADIUS server vendor documentation to get the list of identity systems it integrates with.

Connection diagram - RADIUS

Important

Only a VPN Site-to-Site connection can be used for connecting to a RADIUS server on-premises. An ExpressRoute connection cannot be used.

Before beginning

Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

Working with Azure PowerShell

This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to https://shell.azure.com/powershell. Select Copy to copy the blocks of code, paste them into the Cloud Shell, and press Enter to run them.

You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you have not installed the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

Example values

You can use the example values to create a test environment, or refer to these values to better understand the examples in this article. You can either use the steps as a walk-through and use the values without changing them, or change them to reflect your environment.

  • Name: VNet1
  • Address space: 192.168.0.0/16 and 10.254.0.0/16
    For this example, we use more than one address space to illustrate that this configuration works with multiple address spaces. However, multiple address spaces are not required for this configuration.
  • Subnet name: FrontEnd
    • Subnet address range: 192.168.1.0/24
  • Subnet name: BackEnd
    • Subnet address range: 10.254.1.0/24
  • Subnet name: GatewaySubnet
    The subnet name GatewaySubnet is mandatory for the VPN gateway to work.
    • GatewaySubnet address range: 192.168.200.0/24
  • VPN client address pool: 172.16.201.0/24
    VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the VPN client address pool.
  • Subscription: If you have more than one subscription, verify that you are using the correct one.
  • Resource Group: TestRG
  • Location: East US
  • DNS Server: IP address of the DNS server that you want to use for name resolution for your VNet. (optional)
  • GW Name: Vnet1GW
  • Public IP name: VNet1GWPIP
  • VpnType: RouteBased

1. Set the variables

Declare the variables that you want to use. Use the following sample, substituting the values for your own when necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to re-declare the variables.

    # Values match the "Example values" list above; the gateway subnet is the /24 used in step 2.
    $VNetName  = "VNet1"
    $FESubName = "FrontEnd"
    $BESubName = "BackEnd"
    $GWSubName = "GatewaySubnet"
    $VNetPrefix1 = "192.168.0.0/16"
    $VNetPrefix2 = "10.254.0.0/16"
    $FESubPrefix = "192.168.1.0/24"
    $BESubPrefix = "10.254.1.0/24"
    $GWSubPrefix = "192.168.200.0/24"
    $VPNClientAddressPool = "172.16.201.0/24"
    $RG = "TestRG"
    $Location = "East US"
    $GWName = "VNet1GW"
    $GWIPName = "VNet1GWPIP"
    $GWIPconfName = "gwipconf"

2. Create the resource group, VNet, and Public IP address

The following steps create a resource group and a virtual network in the resource group with three subnets. When substituting values, it's important that you always name your gateway subnet specifically 'GatewaySubnet'. If you name it something else, your gateway creation fails.

  1. Create a resource group.

    New-AzResourceGroup -Name "TestRG" -Location "East US"
    
  2. Create the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and GatewaySubnet. These prefixes must be part of the VNet address space that you declared.

    $fesub = New-AzVirtualNetworkSubnetConfig -Name "FrontEnd" -AddressPrefix "192.168.1.0/24"
    $besub = New-AzVirtualNetworkSubnetConfig -Name "BackEnd" -AddressPrefix "10.254.1.0/24"
    $gwsub = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "192.168.200.0/24"
    
  3. Create the virtual network.

    In this example, the -DnsServer parameter is optional. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names for the resources you are connecting to from your VNet. For this example, we used a private IP address, but it is likely that this is not the IP address of your DNS server. Be sure to use your own values. The value you specify is used by the resources that you deploy to the VNet, not by the P2S connection.

    New-AzVirtualNetwork -Name "VNet1" -ResourceGroupName "TestRG" -Location "East US" -AddressPrefix "192.168.0.0/16","10.254.0.0/16" -Subnet $fesub, $besub, $gwsub -DnsServer 10.2.1.3
    
  4. A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation. You cannot request a Static Public IP address assignment. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    Specify the variables to request a dynamically assigned Public IP address.

    $vnet = Get-AzVirtualNetwork -Name "VNet1" -ResourceGroupName "TestRG"
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
    $pip = New-AzPublicIpAddress -Name "VNet1GWPIP" -ResourceGroupName "TestRG" -Location "East US" -AllocationMethod Dynamic
    $ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconf" -Subnet $subnet -PublicIpAddress $pip
    

3. Set up your RADIUS server

Before creating and configuring the virtual network gateway, your RADIUS server should be configured correctly for authentication.

  1. If you don't have a RADIUS server deployed, deploy one. For deployment steps, refer to the setup guide provided by your RADIUS vendor.
  2. Configure the VPN gateway as a RADIUS client on the RADIUS server. When adding this RADIUS client, specify the virtual network GatewaySubnet that you created.
  3. Once the RADIUS server is set up, get the RADIUS server's IP address and the shared secret that RADIUS clients should use to talk to the RADIUS server. If the RADIUS server is in the Azure VNet, use the CA IP of the RADIUS server VM.

The Network Policy Server (NPS) article provides guidance about configuring a Windows RADIUS server (NPS) for AD domain authentication.

4. Create the VPN gateway

Configure and create the VPN gateway for your VNet.

  • The -GatewayType must be 'Vpn' and the -VpnType must be 'RouteBased'.
  • A VPN gateway can take up to 45 minutes to complete, depending on the gateway SKU you select.

    New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG `
    -Location $Location -IpConfigurations $ipconf -GatewayType Vpn `
    -VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1

5. Add the RADIUS server and client address pool

  • The -RadiusServer can be specified by name or by IP address. If you specify the name and the server resides on-premises, then the VPN gateway may not be able to resolve the name. If that's the case, then it's better to specify the IP address of the server.
  • The -RadiusSecret should match what is configured on your RADIUS server.
  • The -VpnClientAddressPool is the range from which the connecting VPN clients receive an IP address. Use a private IP address range that does not overlap with the on-premises location that you will connect from, or with the VNet that you want to connect to. Ensure that you have a large enough address pool configured.

  1. Create a secure string for the RADIUS secret.

    $Secure_Secret = Read-Host -AsSecureString -Prompt "RadiusSecret"
    
  2. You are prompted to enter the RADIUS secret. The characters that you enter will not be displayed and instead will be replaced by the "*" character.

    RadiusSecret:***
    
  3. Add the VPN client address pool and the RADIUS server information.

    For SSTP configurations:

    $Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol "SSTP" `
    -RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
    

    For OpenVPN® configurations (the root-certificate list is cleared first, because RADIUS, not certificates, authenticates the clients):

    $Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientRootCertificates @()
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol "OpenVPN" `
    -RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
    

    For IKEv2 configurations:

    $Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol "IKEv2" `
    -RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
    

    For SSTP + IKEv2:

    $Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
    -VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol @( "SSTP", "IkeV2" ) `
    -RadiusServerAddress "10.51.0.15" -RadiusServerSecret $Secure_Secret
    

    To specify two RADIUS servers (Preview), use the following syntax. It reuses the secure string from step 1 and the gateway object from step 3; modify the -VpnClientProtocol value as needed.

    $radiusServer1 = New-AzRadiusServer -RadiusServerAddress 10.1.0.15 -RadiusServerSecret $Secure_Secret -RadiusServerScore 30
    $radiusServer2 = New-AzRadiusServer -RadiusServerAddress 10.1.0.16 -RadiusServerSecret $Secure_Secret -RadiusServerScore 1
    
    $radiusServers = @( $radiusServer1, $radiusServer2 )
    
    $Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool "172.16.201.0/24" -VpnClientProtocol "IkeV2" -RadiusServerList $radiusServers
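After step 5 it is worth reading the configuration back from the gateway and comparing it with what you intended, because a protocol typo, a forgotten root-certificate list, or a missing RADIUS server only shows up later as failed client logons. The following is an added example (my code, not the article's or an Azure cmdlet) that performs that comparison. It assumes the Az.Network property names VpnClientConfiguration, VpnClientAddressPool.AddressPrefixes, VpnClientProtocols, RadiusServerAddress, RadiusServers and VpnClientRootCertificates; the function name Test-P2SRadiusConfig and the sample gateway object are constructed so the block runs without an Azure session.

```powershell
# Added example, not from the original article: compare a gateway's
# Point-to-Site settings with the values step 5 was meant to set.
function Test-P2SRadiusConfig {
    param(
        [Parameter(Mandatory)] $Gateway,                          # PSVirtualNetworkGateway or a look-alike
        [Parameter(Mandatory)] [string]   $ExpectedPool,
        [Parameter(Mandatory)] [string[]] $ExpectedProtocols,
        [Parameter(Mandatory)] [string[]] $ExpectedRadiusServers
    )
    $cfg = $Gateway.VpnClientConfiguration
    $findings = New-Object System.Collections.Generic.List[string]

    if ($null -eq $cfg) {
        $findings.Add("Gateway '$($Gateway.Name)' has no VpnClientConfiguration; step 5 has not been applied.")
        return $findings.ToArray()
    }

    # Address pool: stored on the gateway as a list of prefixes.
    $pool = @($cfg.VpnClientAddressPool.AddressPrefixes)
    if ($pool -notcontains $ExpectedPool) {
        $findings.Add("Client address pool is '$($pool -join ',')', expected '$ExpectedPool'.")
    }

    # Protocols: compare as case-insensitive sets (the article writes both 'IKEv2' and 'IkeV2').
    $actualProto = @(@($cfg.VpnClientProtocols | ForEach-Object { $_.ToLowerInvariant() }) | Sort-Object)
    $wantProto   = @(@($ExpectedProtocols     | ForEach-Object { $_.ToLowerInvariant() }) | Sort-Object)
    if (($actualProto -join ',') -ne ($wantProto -join ',')) {
        $findings.Add("VpnClientProtocols are '$($cfg.VpnClientProtocols -join ',')', expected '$($ExpectedProtocols -join ',')'.")
    }

    # RADIUS: either a single -RadiusServerAddress or a -RadiusServerList may be in use.
    $radius = @()
    if ($cfg.RadiusServerAddress) { $radius += $cfg.RadiusServerAddress }
    if ($cfg.RadiusServers)       { $radius += @($cfg.RadiusServers | ForEach-Object { $_.RadiusServerAddress }) }
    if ($radius.Count -eq 0) {
        $findings.Add("No RADIUS server is configured; clients cannot authenticate.")
    }
    foreach ($s in $ExpectedRadiusServers) {
        if ($radius -notcontains $s) { $findings.Add("RADIUS server '$s' is not configured on the gateway.") }
    }

    # OpenVPN with RADIUS requires the root-certificate list to be cleared (step 5 does this explicitly).
    if ($actualProto -contains 'openvpn' -and @($cfg.VpnClientRootCertificates).Count -gt 0) {
        $findings.Add("OpenVPN is enabled but VpnClientRootCertificates is not empty; clear it with -VpnClientRootCertificates @().")
    }
    return $findings.ToArray()
}

# Constructed sample: OpenVPN was enabled but the root-certificate list was never cleared.
$sampleGateway = [pscustomobject]@{
    Name = 'VNet1GW'
    VpnClientConfiguration = [pscustomobject]@{
        VpnClientAddressPool      = [pscustomobject]@{ AddressPrefixes = @('172.16.201.0/24') }
        VpnClientProtocols        = @('OpenVPN')
        RadiusServerAddress       = '10.51.0.15'
        RadiusServers             = $null
        VpnClientRootCertificates = @([pscustomobject]@{ Name = 'LeftoverRootCert' })
    }
}

$result = Test-P2SRadiusConfig -Gateway $sampleGateway -ExpectedPool '172.16.201.0/24' `
    -ExpectedProtocols @('OpenVPN') -ExpectedRadiusServers @('10.51.0.15')
if ($result.Count -eq 0) { 'P2S RADIUS configuration matches.' } else { $result }

# Against the real gateway created in step 4:
#   $gw = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
#   Test-P2SRadiusConfig -Gateway $gw -ExpectedPool $VPNClientAddressPool -ExpectedProtocols @('OpenVPN') -ExpectedRadiusServers @('10.51.0.15')
```

With the sample object the function reports exactly one finding, the leftover root certificate. Running it after each Set-AzVirtualNetworkGateway call in step 5 gives you a record of the effective P2S settings that you can keep alongside the RADIUS client entry you created in step 3.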
    

6. Download the VPN client configuration package and set up the VPN client

The VPN client configuration lets devices connect to a VNet over a P2S connection. To generate a VPN client configuration package and set up the VPN client, see Create a VPN Client Configuration for RADIUS authentication.

7. Connect to Azure

To connect from a Windows VPN client

  1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN connection that you created. It has the same name as your virtual network. Enter your domain credentials and click 'Connect'. A pop-up message requesting elevated rights appears. Accept it and enter the credentials.

    VPN client connecting to Azure

  2. Your connection is established.

    Connection established

Connect from a Mac VPN client

From the Network dialog box, locate the client profile that you want to use, then click Connect.

Mac connection

To verify your connection

  1. To verify that your VPN connection is active, open an elevated command prompt, and run ipconfig /all.

  2. View the results. Notice that the IP address you received is one of the addresses within the Point-to-Site VPN Client Address Pool that you specified in your configuration. The results are similar to this example:

    PPP adapter VNet1:
       Connection-specific DNS Suffix .:
       Description.....................: VNet1
       Physical Address................:
       DHCP Enabled....................: No
       Autoconfiguration Enabled.......: Yes
       IPv4 Address....................: 172.16.201.3(Preferred)
       Subnet Mask.....................: 255.255.255.255
       Default Gateway.................:
       NetBIOS over Tcpip..............: Enabled
    

To troubleshoot a P2S connection, see Troubleshooting Azure point-to-site connections.

To connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than the computer name. That way, you are testing whether you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null
      
      # Match each NIC back to its VM and print the private address and its allocation method.
      foreach($Nic in $Nics)
      {
          $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
          $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
          $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
          Write-Output "$($VM.Name): $Prv,$Alloc"
      }
      
  2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address for the VM.
  • Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your address space overlaps in this way, the network traffic doesn't reach Azure; it stays on the local network.
  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
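The overlap rule in step 5 (the client pool must not overlap the VNet or the on-premises network), the ipconfig check under "To verify your connection", and the "overlapping address space" item above are all the same CIDR arithmetic applied to different inputs. The following is an added example (my code, not the article's) that does that arithmetic once: it checks the pool against the VNet and on-premises prefixes, confirms the P2S adapter (named after the VNet, as the Windows client step says) holds an address from the pool, and flags any other local adapter whose address falls inside the VNet or the pool. Get-NetIPAddress is the Windows NetTCPIP cmdlet; the function names and the sample adapter list are constructed so the block runs without a live VPN.

```powershell
# Added example, not from the original article: IPv4 CIDR overlap checks for
# the P2S client pool and the client machine's own adapters.
function ConvertTo-IPv4Range {
    # First and last address of an IPv4 CIDR block as 64-bit integers (a bare address is treated as /32).
    param([Parameter(Mandatory)][string]$Cidr)
    $all = [long]4294967295
    $addr, $len = $Cidr.Split('/')
    if (-not $len) { $len = 32 }
    $bytes = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network byte order -> little-endian for BitConverter
    $ip   = [long][BitConverter]::ToUInt32($bytes, 0)
    $mask = ($all -shl (32 - [int]$len)) -band $all
    [pscustomobject]@{ Cidr = $Cidr; First = ($ip -band $mask); Last = ($ip -bor ($mask -bxor $all)) }
}

function Test-IPv4Overlap {
    # True when the two blocks share at least one address.
    param([Parameter(Mandatory)][string]$CidrA, [Parameter(Mandatory)][string]$CidrB)
    $a = ConvertTo-IPv4Range $CidrA
    $b = ConvertTo-IPv4Range $CidrB
    return ($a.First -le $b.Last) -and ($b.First -le $a.Last)
}

function Test-P2SAddressing {
    param(
        [Parameter(Mandatory)][string]   $ClientPool,
        [Parameter(Mandatory)][string[]] $VNetPrefixes,
        [string[]] $OnPremPrefixes = @(),
        [string]   $VpnAdapterAlias = 'VNet1',    # the P2S adapter carries the VNet's name
        [object[]] $LocalAddresses = (Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.IPAddress -notlike '127.*' } |
            Select-Object InterfaceAlias, IPAddress)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Step 5 rule: the pool must be disjoint from the VNet and from the on-premises network.
    foreach ($p in $VNetPrefixes) {
        if (Test-IPv4Overlap $ClientPool $p) { $findings.Add("Client pool $ClientPool overlaps VNet prefix $p.") }
    }
    foreach ($p in $OnPremPrefixes) {
        if (Test-IPv4Overlap $ClientPool $p) { $findings.Add("Client pool $ClientPool overlaps on-premises prefix $p.") }
    }

    # Local adapters: the VPN adapter must hold a pool address; no other adapter may sit inside the VNet or the pool.
    $vpnConnected = $false
    foreach ($a in $LocalAddresses) {
        if ($a.InterfaceAlias -eq $VpnAdapterAlias) {
            if (Test-IPv4Overlap $a.IPAddress $ClientPool) { $vpnConnected = $true }
            else { $findings.Add("Adapter '$($a.InterfaceAlias)' has $($a.IPAddress), which is outside the client pool $ClientPool.") }
            continue
        }
        foreach ($p in (@($ClientPool) + $VNetPrefixes)) {
            if (Test-IPv4Overlap $a.IPAddress $p) {
                $findings.Add("Adapter '$($a.InterfaceAlias)' address $($a.IPAddress) lies inside $p (overlapping address space); traffic stays local.")
            }
        }
    }
    if (-not $vpnConnected) { $findings.Add("No address from $ClientPool on adapter '$VpnAdapterAlias'; the P2S VPN is not connected.") }

    [pscustomobject]@{ VpnConnected = $vpnConnected; Findings = $findings.ToArray() }
}

# Constructed sample: the home LAN happens to use 192.168.1.0/24, which is inside the VNet's 192.168.0.0/16.
$sampleLocal = @(
    [pscustomobject]@{ InterfaceAlias = 'Ethernet'; IPAddress = '192.168.1.20' },
    [pscustomobject]@{ InterfaceAlias = 'VNet1';    IPAddress = '172.16.201.3' }   # as in the ipconfig output above
)
$r = Test-P2SAddressing -ClientPool '172.16.201.0/24' -VNetPrefixes @('192.168.0.0/16', '10.254.0.0/16') `
    -OnPremPrefixes @('192.168.1.0/24') -LocalAddresses $sampleLocal
"VPN connected: $($r.VpnConnected)"
$r.Findings

# On the client machine itself, omit -LocalAddresses to read the real adapters:
#   Test-P2SAddressing -ClientPool '172.16.201.0/24' -VNetPrefixes @('192.168.0.0/16', '10.254.0.0/16')
```

For the sample the VPN is reported as connected and there is one finding: the Ethernet address 192.168.1.20 lies inside 192.168.0.0/16, so packets for the FrontEnd subnet never enter the tunnel. That is the situation the troubleshooting item describes, and the fix is to renumber one side rather than to change any VPN setting.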

FAQ

This FAQ applies to P2S using RADIUS authentication.

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows Server 2019 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS 1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Algorithm)
  • 3DES (Triple Data Encryption Algorithm)
  • MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    
  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry keys if you are running an older version of Windows 10 (10240).

是否可以使用點對站台功能周遊 Proxy 和防火牆?Can I traverse proxies and firewalls using Point-to-Site capability?

Azure 支援三種點對站 VPN 選項:Azure supports three types of Point-to-site VPN options:

  • 安全通訊端通道通訊協定 (SSTP)。Secure Socket Tunneling Protocol (SSTP). SSTP 是 Microsoft 專屬的 SSL 型解決方案,因為大部分的防火牆都會開啟 443 SSL 所使用的輸出 TCP 連接埠,所以 SSTP 可以穿透防火牆。SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • OpenVPN。OpenVPN. OpenVPN 是 SSL 型解決方案,因為大部分的防火牆都會開啟 443 SSL 所使用的輸出 TCP 連接埠,所以 SSTP 可以穿透防火牆。OpenVPN is a SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • IKEv2 VPN。IKEv2 VPN. IKEv2 VPN 是標準型 IPsec VPN 解決方案,會使用輸出 UDP 連接埠 500 和 4500 以及IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 第 50 號的 IP 通訊協定。50. 防火牆不一定會開啟這些連接埠,因此 IKEv2 VPN 有可能無法周遊 Proxy 和防火牆。Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

如果我重新啟動針對點對站台設定的用戶端電腦,VPN 將自動重新連線嗎?If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

用戶端電腦預設為不會自動重新建立 VPN 連線。By default, the client computer will not reestablish the VPN connection automatically.

在 VPN 用戶端上點對站台支援自動重新連接和 DDNS 嗎?Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

點對站台 VPN 目前不支援自動重新連接和 DDNS。Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

對於相同的虛擬網路,網站間和點對站台組態是否可以同時存在?Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

是。Yes. 如果是 Resource Manager 部署模型,您的閘道必須是路由式 VPN 類型。For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. 如果是傳統部署模型,則需要動態閘道。For the classic deployment model, you need a dynamic gateway. 靜態路由 VPN 閘道或原則式 VPN 閘道不支援點對站。We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

是否可以將點對站台用戶端設定為同時連接到多個虛擬網路閘道?Can I configure a Point-to-Site client to connect to multiple virtual network gateways at the same time?

視所使用的 VPN 用戶端軟體而定,您可以連線到多個虛擬網路閘道,前提是連線的虛擬網路在兩者之間沒有衝突的位址空間,或與用戶端之間的網路連線。Depending on the VPN Client software used, you may be able to connect to multiple Virtual Network Gateways provided the virtual networks being connected to do not have conflicting address spaces between them or the network from with the client is connecting from. 雖然 Azure VPN 用戶端支援許多 VPN 連線,但在任何指定的時間都只能允許一個連線。While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.

是否可以將點對站台用戶端設定為同時連接到多個虛擬網路?Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

可以,與其他 VNet 對等互連的 VNet 中所部署之虛擬網路閘道的點對站連線,可能可以存取其他對等互連 VNet。Yes, Point-to-Site connections to a Virtual Network Gateway deployed in a VNet that is peered with other VNets may have access to other peered VNets. 假設對等互連 VNet 使用 UseRemoteGateway/AllowGatewayTransit 功能,則點對站用戶端將能夠連線到這些對等互連 VNet。Provided the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features, the Point-to-Site client will be able to connect to those peered VNets. 如需詳細資訊,請參閱此文章For more information please reference this article.

透過網站間或點對站台連線可以獲得多少輸送量?How much throughput can I expect through Site-to-Site or Point-to-Site connections?

很難維護 VPN 通道的確切輸送量。It's difficult to maintain the exact throughput of the VPN tunnels. IPsec 和 SSTP 為加密嚴謹的 VPN 通訊協定。IPsec and SSTP are crypto-heavy VPN protocols. 輸送量也會受限於內部部署與網際網路之間的延遲和頻寬。Throughput is also limited by the latency and bandwidth between your premises and the Internet. 對於只有 IKEv2 點對站 VPN 連線的 VPN 閘道,您可以預期的總輸送量取決於閘道 SKU。For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. 如需輸送量的詳細資訊,請參閱閘道 SKUFor more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over the OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or the OpenVPN® protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

     | OS version | Date | Number/Link |
     |---|---|---|
     | Windows Server 2016, Windows 10 Version 1607 | January 17, 2018 | KB4057142 |
     | Windows 10 Version 1703 | January 17, 2018 | KB4057144 |
     | Windows 10 Version 1709 | March 22, 2018 | KB4089848 |

  2. Set the registry key value. Create or set the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload" REG_DWORD value in the registry to 1.
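The following script is an added example, not code from the original article: it applies the two preparation steps above on a Windows 10 or Server 2016 client and reads the result back. The KB numbers and the registry value are the article's own; the function name and the build-number-to-version mapping (14393 = Server 2016 / Windows 10 1607, 15063 = 1703, 16299 = 1709) are mine. Writing under HKLM requires an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): checks the IKEv2 update listed in the FAQ
# for this OS build and sets RasMan\IKEv2\DisableCertReqPayload = 1 (REG_DWORD).

function Set-Ikev2ClientPrerequisite {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Step 1: which update the FAQ expects for this build (assumed build mapping).
    $kbByBuild = @{
        14393 = 'KB4057142'   # Windows Server 2016 / Windows 10 1607
        15063 = 'KB4057144'   # Windows 10 1703
        16299 = 'KB4089848'   # Windows 10 1709
    }
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $kb = $kbByBuild[$build]

    if (-not $kb) {
        Write-Warning "Build $build is not one of the versions listed in the FAQ; make sure the OS is Windows 10 / Server 2016 or later with current updates."
    }
    elseif (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        Write-Verbose "$kb is installed."
    }
    else {
        # Cumulative updates supersede earlier ones, so a later update may already
        # contain this fix; treat a missing KB as something to verify, not as a hard failure.
        Write-Warning "$kb was not reported by Get-HotFix; install it (or a later cumulative update) before using IKEv2."
    }

    # Step 2: create the key if it does not exist and set the DWORD value to 1.
    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2'
    $valueName = 'DisableCertReqPayload'

    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set to 1')) {
        if (-not (Test-Path -Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord
    }

    # Read the value back so the caller sees the effective state, not just the intent.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    [pscustomobject]@{
        Build                 = $build
        ExpectedUpdate        = $kb
        DisableCertReqPayload = $current
        Ready                 = ($current -eq 1)
    }
}

Set-Ikev2ClientPrerequisite -Verbose
```

Run it with `-WhatIf` first to see the registry change it would make; the returned object reports `Ready = True` only once the value actually reads back as 1.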

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. Mac OS X will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac, and Linux for P2S VPN.

I already have an Azure VPN gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell with the following commands:

Azure PowerShell

$gw = Get-AzVirtualNetworkGateway -Name <gateway-name> -ResourceGroupName <resource-group-name>
$gw.VpnClientConfiguration = $null
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group <resource-group-name> --remove "vpnClientConfiguration"

Is RADIUS authentication supported on all Azure VPN Gateway SKUs?

RADIUS authentication is supported for the VpnGw1, VpnGw2, and VpnGw3 SKUs. If you are using legacy SKUs, RADIUS authentication is supported on the Standard and High Performance SKUs. It is not supported on the Basic gateway SKU.

Is RADIUS authentication supported for the classic deployment model?

No. RADIUS authentication is not supported for the classic deployment model.

Are third-party RADIUS servers supported?

Yes, third-party RADIUS servers are supported.

What are the connectivity requirements to ensure that the Azure gateway is able to reach an on-premises RADIUS server?

A VPN Site-to-Site connection to the on-premises site, with the proper routes configured, is required.

Can traffic to an on-premises RADIUS server (from the Azure VPN gateway) be routed over an ExpressRoute connection?

No. It can only be routed over a Site-to-Site connection.
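Several of the answers above (RouteBased gateway required, Basic SKU unsupported, RADIUS reachable only over a Site-to-Site connection) are conditions you can verify before enabling RADIUS or IKEv2 on an existing gateway. The following read-only pre-flight check is an added example, not code from the article or the Az module documentation; it assumes the Az.Network module is installed and a session has been opened with Connect-AzAccount. The function name and the `<resource-group-name>` / `<gateway-name>` placeholders are mine, and the SKU list mirrors the FAQ as written.

```powershell
# Added example (not from the article): gathers the FAQ's preconditions for RADIUS P2S
# into one report. Makes no changes to the gateway.

function Test-P2SRadiusReadiness {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$GatewayName
    )

    $gw = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName

    # SKUs the FAQ lists as supporting RADIUS; Basic is explicitly excluded.
    $radiusSkus = @('VpnGw1', 'VpnGw2', 'VpnGw3', 'Standard', 'HighPerformance')

    # RADIUS traffic to on-premises must use a Site-to-Site (IPsec) connection, not ExpressRoute,
    # so count the IPsec connections that terminate on this gateway.
    $s2s = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.ConnectionType -eq 'IPsec' -and $_.VirtualNetworkGateway1.Id -eq $gw.Id }

    # Null when no P2S configuration exists; property access on $null yields $null below.
    $p2s = $gw.VpnClientConfiguration

    $report = [pscustomobject]@{
        Gateway           = $gw.Name
        Sku               = $gw.Sku.Name
        VpnType           = $gw.VpnType
        RouteBased        = ($gw.VpnType -eq 'RouteBased')
        SkuSupportsRadius = ($gw.Sku.Name -in $radiusSkus)
        P2SConfigured     = ($null -ne $p2s)
        ClientProtocols   = ($p2s.VpnClientProtocols -join ', ')
        RadiusServer      = $p2s.RadiusServerAddress
        SiteToSiteLinks   = @($s2s).Count
    }

    if (-not $report.RouteBased) {
        Write-Warning "$($gw.Name): Point-to-Site requires a RouteBased gateway; this one is $($gw.VpnType)."
    }
    if (-not $report.SkuSupportsRadius) {
        Write-Warning "$($gw.Name): SKU $($gw.Sku.Name) is not in the FAQ's list of RADIUS-capable SKUs."
    }
    if ($report.RadiusServer -and $report.SiteToSiteLinks -eq 0) {
        Write-Warning "$($gw.Name): RADIUS server $($report.RadiusServer) is configured but no Site-to-Site connection exists to reach it."
    }

    $report
}

Test-P2SRadiusReadiness -ResourceGroupName '<resource-group-name>' -GatewayName '<gateway-name>'
```

The Site-to-Site count is a necessary condition only: it confirms a tunnel exists, not that the routes to the RADIUS server's subnet are in place, which the FAQ also requires.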

Is there a change in the number of SSTP connections supported with RADIUS authentication? What is the maximum number of SSTP and IKEv2 connections supported?

There is no change in the maximum number of SSTP connections supported on a gateway with RADIUS authentication. It remains 128 for SSTP, but depends on the gateway SKU for IKEv2. For more information on the number of connections supported, see Gateway SKUs.

What is the difference between doing certificate authentication using a RADIUS server vs. using Azure native certificate authentication (by uploading a trusted certificate to Azure)?

In RADIUS certificate authentication, the authentication request is forwarded to a RADIUS server that handles the actual certificate validation. This option is useful if you want to integrate with a certificate authentication infrastructure that you already have through RADIUS.

When using Azure for certificate authentication, the Azure VPN gateway performs the validation of the certificate. You need to upload your certificate public key to the gateway. You can also specify a list of revoked certificates that shouldn't be allowed to connect.

Does RADIUS authentication work with both IKEv2 and SSTP VPN?

Yes, RADIUS authentication is supported for both IKEv2 and SSTP VPN.

Does RADIUS authentication work with the OpenVPN client?

RADIUS authentication is supported for the OpenVPN protocol only through PowerShell.

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM network overview.