Configure a Point-to-Site VPN connection to a VNet using native Azure certificate authentication: Azure portal

This article helps you securely connect individual clients running Windows, Linux, or Mac OS X to an Azure VNet. Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such as when you are telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol) or IKEv2. For more information about Point-to-Site VPN, see About Point-to-Site VPN.

Diagram: connecting a computer to an Azure VNet over a Point-to-Site connection

Architecture

Point-to-Site native Azure certificate authentication connections use the following items, which you configure in this exercise:

  • A RouteBased VPN gateway.
  • The public key (.cer file) for a root certificate, which is uploaded to Azure. Once the certificate is uploaded, it is considered a trusted certificate and is used for authentication.
  • A client certificate that is generated from the root certificate. The client certificate is installed on each client computer that will connect to the VNet. This certificate is used for client authentication.
  • A VPN client configuration. The VPN client configuration files contain the necessary information for the client to connect to the VNet. The files configure the existing VPN client that is native to the operating system. Each client that connects must be configured using the settings in the configuration files.

Example values

You can use the following values to create a test environment, or refer to these values to better understand the examples in this article:

  • VNet Name: VNet1
  • Address space: 10.1.0.0/16
    For this example, we use only one address space. You can have more than one address space for your VNet.
  • Subnet name: FrontEnd
  • Subnet address range: 10.1.0.0/24
  • Subscription: If you have more than one subscription, verify that you are using the correct one.
  • Resource Group: TestRG1
  • Location: East US
  • GatewaySubnet: 10.1.255.0/27
  • Virtual network gateway name: VNet1GW
  • Gateway type: VPN
  • VPN type: Route-based
  • Public IP address name: VNet1GWpip
  • Connection type: Point-to-site
  • Client address pool: 172.16.201.0/24
    VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the client address pool.

1. Create a virtual network

Before beginning, verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

Note

When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally, if you want to connect this virtual network to another virtual network, the address space cannot overlap with the other virtual network. Plan your network configuration accordingly.

  1. Sign in to the Azure portal.

  2. In Search resources, service, and docs (G+/), type virtual network.

    Locate Virtual Network resource page

  3. Select Virtual Network from the Marketplace results.

    Select virtual network

  4. On the Virtual Network page, select Create.

    Virtual network page

  5. Once you select Create, the Create virtual network page opens.

  6. On the Basics tab, configure Project details and Instance details VNet settings.

    Basics tab

    When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are autofilled, which you can replace with your own values:

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
  7. On the IP Addresses tab, configure the values. The values shown in the examples below are for demonstration purposes. Adjust these values according to the settings that you require.

    IP addresses tab

    • IPv4 address space: By default, an address space is automatically created. You can click the address space to adjust it to reflect your own values. You can also add additional address spaces.
    • Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. Configure the following settings and then select Add to add the values:
      • Subnet name: In this example, we named the subnet "FrontEnd".
      • Subnet address range: The address range for this subnet.
  8. On the Security tab, at this time, leave the default values:

    • DDoS protection: Basic
    • Firewall: Disabled
  9. Select Review + create to validate the virtual network settings.

  10. After the settings have been validated, select Create.

2. Create a virtual network gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

Note

The Basic gateway SKU does not support IKEv2 or RADIUS authentication. If you plan on having Mac clients connect to your virtual network, do not use the Basic SKU.

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.

  1. From the Azure portal menu, select Create a resource.

    Create a resource in the Azure portal

  2. In the Search the Marketplace field, type 'Virtual Network Gateway'. Locate Virtual network gateway in the search results and select the entry. On the Virtual network gateway page, select Create. This opens the Create virtual network gateway page.

  3. On the Basics tab, fill in the values for your virtual network gateway.

    Create virtual network gateway page fields

    Project details

    • Subscription: Select the subscription you want to use from the dropdown.
    • Resource Group: This setting is autofilled when you select your virtual network on this page.

    Instance details

    • Name: Name your gateway. Naming your gateway is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
    • Generation: For information about VPN Gateway Generation, see Gateway SKUs.
    • Virtual network: From the dropdown, select the virtual network to which you want to add this gateway.
    • Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. If possible, make the range /27 or larger (/26, /25 etc.). We don't recommend creating a range any smaller than /28. If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. Click Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet.

    Public IP address: This setting specifies the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Assignment: VPN gateway supports only Dynamic.

    Active-Active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting unselected.

    Leave Configure BGP ASN deselected, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.

  4. Select Review + create to run validation. Once validation passes, select Create to deploy the VPN gateway. A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway.

After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

3. Generate certificates

Certificates are used by Azure to authenticate clients connecting to a VNet over a Point-to-Site VPN connection. Once you obtain a root certificate, you upload the public key information to Azure. The root certificate is then considered 'trusted' by Azure for connection over P2S to the virtual network. You also generate client certificates from the trusted root certificate, and then install them on each client computer. The client certificate is used to authenticate the client when it initiates a connection to the VNet.

1. Root certificate

Use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. Then, upload the public certificate data to Azure.

  • Enterprise certificate: If you're using an enterprise solution, you can use your existing certificate chain. Acquire the .cer file for the root certificate that you want to use.

  • Self-signed root certificate: If you aren't using an enterprise certificate solution, create a self-signed root certificate. Otherwise, the certificates you create won't be compatible with your P2S connections and clients will receive a connection error when they try to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The steps in the following articles describe how to generate a compatible self-signed root certificate:

    • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. Client certificates that are generated from the root certificate can be installed on any supported P2S client.
    • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to generate certificates. Although MakeCert is deprecated, you can still use it to generate certificates. Client certificates that you generate from the root certificate can be installed on any supported P2S client.
    • Linux instructions

2. Client certificate

Each client computer that you connect to a VNet with a Point-to-Site connection must have a client certificate installed. You generate it from the root certificate and install it on each client computer. If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.

You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. The advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client that uses that certificate.

You can generate client certificates by using the following methods:

  • Enterprise certificate:

    • If you're using an enterprise certificate solution, generate a client certificate with the common name value format name@yourdomain.com. Use this format instead of the domain name\username format.
    • Make sure the client certificate is based on a user certificate template that has Client Authentication listed as the first item in the user list. Check the certificate by double-clicking it and viewing Enhanced Key Usage in the Details tab.
  • Self-signed root certificate: Follow the steps in one of the following P2S certificate articles so that the client certificates you create will be compatible with your P2S connections. The steps in these articles generate a compatible client certificate:

    • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. The generated certificates can be installed on any supported P2S client.
    • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer for generating certificates. Although MakeCert is deprecated, you can still use it to generate certificates. You can install the generated certificates on any supported P2S client.
    • Linux instructions

    When you generate a client certificate from a self-signed root certificate, it's automatically installed on the computer that you used to generate it. If you want to install a client certificate on another client computer, export it as a .pfx file, along with the entire certificate chain. Doing so will create a .pfx file that contains the root certificate information required for the client to authenticate.

To export the certificate

For steps to export a certificate, see Generate and export certificates for Point-to-Site using PowerShell.

4. Add the client address pool

The client address pool is a range of private IP addresses that you specify. The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range. Use a private IP address range that does not overlap with the on-premises location that you connect from, or the VNet that you want to connect to. If you configure multiple protocols and SSTP is one of the protocols, then the configured address pool is split between the configured protocols equally.

  1. Once the virtual network gateway has been created, navigate to the Settings section of the virtual network gateway page. In the Settings section, select Point-to-site configuration. Select Configure now to open the configuration page.

    Point-to-Site page

  2. On the Point-to-site configuration page, you can configure a variety of settings. If you don't see Tunnel type or Authentication type on this page, your gateway is using the Basic SKU. The Basic SKU does not support IKEv2 or RADIUS authentication. If you want to use these settings, you need to delete and recreate the gateway using a different gateway SKU.

    Point-to-site configuration page

  3. In the Address pool box, add the private IP address range that you want to use. VPN clients dynamically receive an IP address from the range that you specify. The minimum subnet mask is 29 bits for active/passive and 28 bits for active/active configurations.

  4. Move to the next section to configure the tunnel type.

5. Configure tunnel type

You can select the tunnel type. The tunnel options are OpenVPN, SSTP, and IKEv2.

  • The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX will use only the IKEv2 tunnel to connect.
  • Windows clients try IKEv2 first and if that doesn't connect, they fall back to SSTP.
  • You can use the OpenVPN client to connect to the OpenVPN tunnel type.

Tunnel type

6. Configure authentication type

For Authentication type, select Azure certificate.

Authentication type

7. Upload the root certificate public certificate data

You can upload additional trusted root certificates up to a total of 20. Once the public certificate data is uploaded, Azure can use it to authenticate clients that have installed a client certificate generated from the trusted root certificate. Upload the public key information for the root certificate to Azure.

  1. Certificates are added on the Point-to-site configuration page in the Root certificate section.

  2. Make sure that you exported the root certificate as a Base-64 encoded X.509 (.cer) file. You need to export the certificate in this format so you can open the certificate with a text editor.

  3. Open the certificate with a text editor, such as Notepad. When copying the certificate data, make sure that you copy the text as one continuous line without carriage returns or line feeds. You may need to modify your view in the text editor to 'Show Symbol/Show all characters' to see the carriage returns and line feeds. Copy only the following section as one continuous line:

    Certificate data

  4. Paste the certificate data into the Public Certificate Data field. Name the certificate, and then select Save. You can add up to 20 trusted root certificates.

    Paste certificate data

  5. Select Save at the top of the page to save all of the configuration settings.

    Save configuration
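Two things this article asks you to verify by hand, that the .cer data is pasted as one continuous Base64 line (step 3 above) and that Client Authentication is the first purpose in Enhanced Key Usage (section 3, Client certificate), can be checked in code. The following is an added Python example, not part of the original article; it uses only the standard library, walks the DER with a minimal TLV reader, and the build_sample_cert and to_pem helpers produce a constructed, certificate-shaped sample (no real key or signature) solely for demonstration.

```python
import base64
import re

# Object identifiers the checks look for (dotted form)
OID_EXT_KEY_USAGE = "2.5.29.37"        # Extended Key Usage extension
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth

def pem_to_single_line(pem_text: str) -> str:
    """Return the Base64 body of a .cer file as one continuous line (what the portal's
    Public Certificate Data field expects); ValueError if it is not a Base-64 X.509 export."""
    lines = [ln.strip() for ln in pem_text.splitlines()]   # handles CRLF and LF
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("not Base64 text: export as Base-64 encoded X.509 (.cer)")
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:                  # a certificate is a DER SEQUENCE
        raise ValueError("decoded data is not an X.509 certificate")
    return body

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v

def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return bytes(out)

def eku_order(cert_der: bytes) -> list:
    """Return the Extended Key Usage purpose OIDs in the order the certificate lists
    them ([] if the extension is absent). For Azure P2S, clientAuth must come first."""
    def walk(value):
        kids = list(_children(value))
        if kids and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == OID_EXT_KEY_USAGE:
            octets = next(v for t, v in kids if t == 0x04)   # skips optional critical flag
            _, seq, _ = _read_tlv(octets, 0)
            return [_decode_oid(v) for t, v in _children(seq) if t == 0x06]
        for tag, v in kids:
            if tag & 0x20:                         # constructed type: descend
                found = walk(v)
                if found:
                    return found
        return None
    return walk(cert_der) or []

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_cert(eku_oids) -> bytes:
    """Constructed, certificate-shaped DER for demonstration only: no real key
    or signature, just enough X.509 structure to exercise eku_order()."""
    oid = lambda d: _der(0x06, _encode_oid(d))
    alg = _der(0x30, oid("1.2.840.113549.1.1.11"))                   # sha256WithRSA
    name = _der(0x30, _der(0x31, _der(0x30, oid("2.5.4.3") + _der(0x0C, b"P2SRootCert"))))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, _der(0x30, oid("1.2.840.113549.1.1.1") + _der(0x05, b"")) + _der(0x03, b"\x00"))
    eku = _der(0x30, oid(OID_EXT_KEY_USAGE) + _der(0x04, _der(0x30, b"".join(map(oid, eku_oids)))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name + validity + name + spki + _der(0xA3, _der(0x30, eku)))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

def to_pem(der: bytes) -> str:
    """Wrap DER as a Base-64 .cer with 64-column CRLF lines, as the Windows export wizard writes it."""
    b64 = base64.b64encode(der).decode()
    body = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\r\n{body}\r\n-----END CERTIFICATE-----\r\n"
```

On a real export, pass the file contents to pem_to_single_line() for the paste-ready value and the decoded bytes to eku_order() to confirm the first purpose is 1.3.6.1.5.5.7.3.2.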

8. Install an exported client certificate

If you want to create a P2S connection from a client computer other than the one you used to generate the client certificates, you need to install a client certificate. When installing a client certificate, you need the password that was created when the client certificate was exported.

Make sure the client certificate was exported as a .pfx along with the entire certificate chain (which is the default). Otherwise, the root certificate information isn't present on the client computer and the client won't be able to authenticate properly.

For install steps, see Install a client certificate.

9. Generate and install the VPN client configuration package

The VPN client configuration files contain settings to configure devices to connect to a VNet over a P2S connection. For instructions to generate and install VPN client configuration files, see Create and install VPN client configuration files for native Azure certificate authentication P2S configurations.

10. Connect to Azure

To connect from a Windows VPN client

Note

You must have Administrator rights on the Windows client computer from which you are connecting.

  1. To connect to your VNet, on the client computer, navigate to VPN settings and locate the VPN connection that you created. It has the same name as your virtual network. Select Connect. A pop-up message may appear that refers to using the certificate. Select Continue to use elevated privileges.

  2. On the Connection status page, select Connect to start the connection. If you see a Select Certificate screen, verify that the client certificate showing is the one that you want to use to connect. If it is not, use the drop-down arrow to select the correct certificate, and then select OK.

    Connect from a Windows computer

  3. Your connection is established.

    Diagram: connecting from a computer to an Azure VNet over a Point-to-Site connection

If you have trouble connecting, check the following items:

  • If you exported a client certificate with Certificate Export Wizard, make sure that you exported it as a .pfx file and selected Include all certificates in the certification path if possible. When you export it with this value, the root certificate information is also exported. After you install the certificate on the client computer, the root certificate in the .pfx file is also installed. To verify that the root certificate is installed, open Manage user certificates and select Trusted Root Certification Authorities\Certificates. Verify that the root certificate is listed, which must be present for authentication to work.

  • If you used a certificate that was issued by an Enterprise CA solution and you can't authenticate, verify the authentication order on the client certificate. Check the authentication list order by double-clicking the client certificate, selecting the Details tab, and then selecting Enhanced Key Usage. Make sure Client Authentication is the first item in the list. If it isn't, issue a client certificate based on the user template that has Client Authentication as the first item in the list.

  • For additional P2S troubleshooting information, see Troubleshoot P2S connections.

To connect from a Mac VPN client

From the Network dialog box, locate the client profile that you want to use, specify the settings from VpnSettings.xml, and then select Connect.

For detailed instructions, see Install - Mac (OS X). If you are having trouble connecting, verify that the virtual network gateway is not using a Basic SKU. The Basic SKU is not supported for Mac clients.

Mac connection

To verify your connection

These instructions apply to Windows clients.

  1. To verify that your VPN connection is active, open an elevated command prompt, and run ipconfig /all.

  2. View the results. Notice that the IP address you received is one of the addresses within the Point-to-Site VPN Client Address Pool that you specified in your configuration. The results are similar to this example:

    PPP adapter VNet1:
       Connection-specific DNS Suffix .:
       Description.....................: VNet1
       Physical Address................:
       DHCP Enabled....................: No
       Autoconfiguration Enabled.......: Yes
       IPv4 Address....................: 172.16.201.3(Preferred)
       Subnet Mask.....................: 255.255.255.255
       Default Gateway.................:
       NetBIOS over Tcpip..............: Enabled
    

連線至虛擬機器To connect to a virtual machine

這些指示適用於 Windows 用戶端。These instructions apply to Windows clients.

您可以建立 VM 的遠端桌面連線,以連線至已部署至 VNet 的 VM。You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. 一開始確認您可以連線至 VM 的最佳方法是使用其私人 IP 位址 (而不是電腦名稱) 進行連線。The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. 這樣一來,您會測試以查看您是否可以連線,而不是否已正確設定名稱解析。That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. 找出私人 IP 位址。Locate the private IP address. 在 Azure 入口網站中或使用 PowerShell 查看 VM 的屬性,即可找到 VM 的私人 IP 位址。You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.

    • Azure 入口網站 - 在 Azure 入口網站中尋找您的虛擬機器。Azure portal - Locate your virtual machine in the Azure portal. 檢視 VM 的屬性。View the properties for the VM. 系統會列出私人 IP 位址。The private IP address is listed.

    • PowerShell - 使用範例來檢視資源群組中的 VM 和私人 IP 位址清單。PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. 使用此範例前,您不需要加以修改。You don't need to modify this example before using it.

      # List every NIC that is attached to a VM, then print the VM name together
      # with the NIC's private IP address and its allocation method (Static/Dynamic).
      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null

      foreach($Nic in $Nics)
      {
          $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
          $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
          $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
          Write-Output "$($VM.Name): $Prv,$Alloc"
      }
      
  2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

Troubleshoot a connection

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.

  • Verify that you are connecting to the private IP address for the VM.

  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.

  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

  • Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.

  • Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your address space overlaps in this way, the network traffic doesn't reach Azure; it stays on the local network.
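The two checks above (the tunnel address belongs to the client address pool, and the local adapter does not sit in an overlapping address space) can be scripted on the Windows client. The following is an added example written for this page, not code from the article or from Azure; it assumes the Point-to-Site connection is visible to Get-VpnConnection (VpnClient module), and the pool 172.16.201.0/24 and VNet prefix 10.1.0.0/16 in the sample call are assumed values to replace with your own gateway's settings.

```powershell
# Added example (not from the original article): confirm that the address the
# Point-to-Site tunnel received is inside the gateway's VPN client address pool,
# and flag an overlapping address space (a local adapter address that falls
# inside the VNet prefix or the client pool). Prefixes passed in are assumed
# sample values; use the ones from your own gateway and VNet.

function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)] [string] $IPAddress)
    # Dotted-quad to an integer so prefix comparison is plain arithmetic.
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes is big-endian; BitConverter expects little-endian
    [uint64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [Parameter(Mandatory)] [string] $Cidr        # e.g. 172.16.201.0/24
    )
    $prefix, $bits = $Cidr.Split('/')
    $bits = [int] $bits
    # Network mask with the top $bits bits set (2^32 - 2^(32-bits)), exact in double.
    $mask = [uint64]([Math]::Pow(2, 32) - [Math]::Pow(2, 32 - $bits))
    ((ConvertTo-UInt32Address $IPAddress) -band $mask) -eq ((ConvertTo-UInt32Address $prefix) -band $mask)
}

function Test-P2SAddressing {
    param(
        [Parameter(Mandatory)] [string]   $ClientAddressPool,   # the pool configured on the gateway
        [Parameter(Mandatory)] [string[]] $VNetAddressSpace     # the VNet's address prefixes
    )
    # The P2S tunnel shows up as a VPN connection; its interface alias is the connection name.
    $vpn = Get-VpnConnection -ErrorAction SilentlyContinue |
        Where-Object ConnectionStatus -eq 'Connected' | Select-Object -First 1
    if (-not $vpn) {
        return [pscustomobject]@{ Connected = $false; TunnelAddress = $null; InClientPool = $false; Overlaps = @() }
    }
    $tunnelIp = (Get-NetIPAddress -InterfaceAlias $vpn.Name -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress

    # Every other IPv4 address on the machine (skipping loopback and link-local)
    # is a candidate for an overlap with the VNet or the client pool.
    $ranges   = @($ClientAddressPool) + $VNetAddressSpace
    $overlaps = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -ne $vpn.Name -and $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notlike '169.254.*' } |
        ForEach-Object {
            $addr = $_
            foreach ($r in $ranges) {
                if (Test-IPv4InCidr -IPAddress $addr.IPAddress -Cidr $r) {
                    [pscustomobject]@{ Interface = $addr.InterfaceAlias; Address = $addr.IPAddress; OverlapsWith = $r }
                }
            }
        }

    [pscustomobject]@{
        Connected     = $true
        TunnelAddress = $tunnelIp
        InClientPool  = [bool]($tunnelIp -and (Test-IPv4InCidr -IPAddress $tunnelIp -Cidr $ClientAddressPool))
        Overlaps      = @($overlaps)   # empty when the local network does not collide with Azure
    }
}

# Sample call: the pool from the ipconfig output above and an assumed VNet prefix.
Test-P2SAddressing -ClientAddressPool '172.16.201.0/24' -VNetAddressSpace '10.1.0.0/16'
```

A non-empty Overlaps list is the condition the last bullet describes: traffic for those prefixes is routed on the local network and never enters the tunnel, so the fix is to change the client pool or the local subnet, not the VPN profile.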

To add or remove trusted root certificates

You can add and remove trusted root certificates from Azure. When you remove a root certificate, clients that have a certificate generated from that root won't be able to authenticate, and thus will not be able to connect. If you want a client to authenticate and connect, you need to install a new client certificate generated from a root certificate that is trusted (uploaded) to Azure.

To add a trusted root certificate

You can add up to 20 trusted root certificate .cer files to Azure. For instructions, see the section Upload a trusted root certificate in this article.

To remove a trusted root certificate

  1. To remove a trusted root certificate, navigate to the Point-to-site configuration page for your virtual network gateway.
  2. In the Root certificate section of the page, locate the certificate that you want to remove.
  3. Select the ellipsis next to the certificate, and then select 'Remove'.

To revoke a client certificate

You can revoke client certificates. The certificate revocation list allows you to selectively deny Point-to-Site connectivity based on individual client certificates. This is different from removing a trusted root certificate. If you remove a trusted root certificate .cer from Azure, it revokes the access for all client certificates generated/signed by the removed root certificate. Revoking a client certificate, rather than the root certificate, allows the other certificates that were generated from the root certificate to continue to be used for authentication.

The common practice is to use the root certificate to manage access at team or organization levels, while using revoked client certificates for fine-grained access control on individual users.

Revoke a client certificate

You can revoke a client certificate by adding the thumbprint to the revocation list.

  1. Retrieve the client certificate thumbprint. For more information, see How to retrieve the Thumbprint of a Certificate.
  2. Copy the information to a text editor and remove all spaces so that it is a continuous string.
  3. Navigate to the virtual network gateway Point-to-site configuration page. This is the same page that you used to upload a trusted root certificate.
  4. In the Revoked certificates section, input a friendly name for the certificate (it doesn't have to be the certificate CN).
  5. Copy and paste the thumbprint string to the Thumbprint field.
  6. The thumbprint validates and is automatically added to the revocation list. A message appears on the screen that the list is updating.
  7. After updating has completed, the certificate can no longer be used to connect. Clients that try to connect using this certificate receive a message saying that the certificate is no longer valid.
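The same revocation can be done from PowerShell, which also removes the error-prone step of hand-editing the thumbprint. The block below is an added example for this page, not code from the article; it uses the Az.Network cmdlets Add-AzVpnClientRevokedCertificate and Get-AzVpnClientRevokedCertificate, the sample thumbprint is a constructed value, and the gateway and resource-group names in the commented call are placeholders.

```powershell
# Added example (not from the original article): turn a thumbprint pasted from
# the certificate details dialog into the continuous upper-case hex string the
# Revoked certificates field expects, then add it to the gateway's revocation
# list with Add-AzVpnClientRevokedCertificate (Az.Network). Gateway and
# resource-group names in the sample call are placeholders.

function ConvertTo-Thumbprint {
    param([Parameter(Mandatory)] [string] $RawThumbprint)
    # The dialog copies the value with spaces (and sometimes an invisible
    # left-to-right mark at the start); keep only the hex digits.
    $clean = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits for a SHA-1 thumbprint, found $($clean.Length): '$RawThumbprint'"
    }
    $clean
}

function Revoke-P2SClientCertificate {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $FriendlyName,     # any label; need not be the certificate CN
        [Parameter(Mandatory)] [string] $RawThumbprint
    )
    $thumb = ConvertTo-Thumbprint -RawThumbprint $RawThumbprint

    # Skip the add if the thumbprint is already on the list.
    $existing = Get-AzVpnClientRevokedCertificate -ResourceGroupName $ResourceGroupName `
        -VirtualNetworkGatewayName $GatewayName | Where-Object Thumbprint -eq $thumb
    if ($existing) { return $existing }

    Add-AzVpnClientRevokedCertificate -ResourceGroupName $ResourceGroupName `
        -VirtualNetworkGatewayName $GatewayName `
        -VpnClientRevokedCertificateName $FriendlyName `
        -Thumbprint $thumb | Out-Null

    # Read the list back so the caller sees the entry the gateway now holds.
    Get-AzVpnClientRevokedCertificate -ResourceGroupName $ResourceGroupName `
        -VirtualNetworkGatewayName $GatewayName | Where-Object Thumbprint -eq $thumb
}

# Constructed sample input: a thumbprint exactly as copied from the certificate dialog.
$pasted = 'a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4'
ConvertTo-Thumbprint -RawThumbprint $pasted

# If the client certificate is in your own store, its Thumbprint property needs no cleaning:
#   (Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq 'CN=P2SChildCert').Thumbprint

# Revoke-P2SClientCertificate -ResourceGroupName '<resource-group>' -GatewayName '<gateway-name>' `
#     -FriendlyName 'contractor-laptop' -RawThumbprint $pasted
```

Reading the list back after the add is the check worth keeping: the gateway update is asynchronous, and a thumbprint that does not appear in Get-AzVpnClientRevokedCertificate has not been applied yet.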

Point-to-Site FAQ

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows Server 2019 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS 1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Algorithm)
  • 3DES (Triple Data Encryption Algorithm)
  • MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    
  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry keys if you are running an older version of Windows 10 (10240).

Can I traverse proxies and firewalls using Point-to-Site capability?

Azure supports three types of Point-to-site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port 443 that SSL uses.

  • OpenVPN. OpenVPN is an SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port 443 that SSL uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50. Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual network gateways at the same time?

Depending on the VPN client software used, you may be able to connect to multiple virtual network gateways, provided the virtual networks being connected to do not have conflicting address spaces between them or with the network from which the client is connecting. While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

Yes, Point-to-Site connections to a virtual network gateway deployed in a VNet that is peered with other VNets may have access to other peered VNets. Provided the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features, the Point-to-Site client will be able to connect to those peered VNets. For more information, please reference this article.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over the OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN® Protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

    OS version                                     Date                Number/Link
    Windows Server 2016, Windows 10 Version 1607   January 17, 2018    KB4057142
    Windows 10 Version 1703                        January 17, 2018    KB4057144
    Windows 10 Version 1709                        March 22, 2018      KB4089848

  2. Set the registry key value. Create or set the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload" REG_DWORD key in the registry to 1.
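Both client-side procedures above (the TLS 1.2 values for the SSTP/EAP path and the IKEv2 DisableCertReqPayload value) end in registry writes that are easy to get wrong on a fleet. The following is an added example for this page, not code from the article, that reads the same keys back and reports which ones are missing or differ from the values the article's reg add commands write; it makes the assumption that the registry paths are exactly the ones shown in the two procedures.

```powershell
# Added example (not from the original article): audit the registry values the
# two procedures above set, so a client can be checked before troubleshooting a
# TLS or IKEv2 connection failure. Expected values are the ones the article's
# reg add commands write; the paths are the same keys.

function Get-P2SClientRegistryState {
    $checks = @(
        # TLS 1.2 for the SSTP/EAP path (Windows 7, 8.1 and Windows 10 build 10240)
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
           Name = 'TlsVersion';             Expected = 0xfc0 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
           Name = 'DefaultSecureProtocols'; Expected = 0xaa0 },
        # IKEv2 on Windows 10 / Server 2016
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2'
           Name = 'DisableCertReqPayload';  Expected = 1 }
    )
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit WinHTTP clients on 64-bit Windows read the Wow6432Node copy
        # (the article's cmd line guards this with %PROCESSOR_ARCHITECTURE%).
        $checks += @(@{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
                        Name = 'DefaultSecureProtocols'; Expected = 0xaa0 })
    }
    foreach ($c in $checks) {
        # Missing key or missing value both come back as $null here.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $shown  = if ($null -eq $actual) { '(not set)' } else { '0x{0:x}' -f $actual }
        [pscustomobject]@{
            Key      = "$($c.Path)\$($c.Name)"
            Expected = '0x{0:x}' -f $c.Expected
            Actual   = $shown
            Ok       = ($actual -eq $c.Expected)
        }
    }
}

# One row per value; any row with Ok = False needs the matching reg add from the procedure above.
Get-P2SClientRegistryState | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the client; reading HKLM does not require elevation, but the reg add commands that fix a False row do.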

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following commands:

Azure PowerShell

$gw=Get-AzVirtualNetworkGateway -name <gateway-name>
$gw.VPNClientConfiguration = $null
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group <resource-group name> --remove "vpnClientConfiguration"

What should I do if I'm getting a certificate mismatch when connecting using certificate authentication?

Uncheck "Verify the server's identity by validating the certificate" or add the server FQDN along with the certificate when creating a profile manually. You can do this by running rasphone from a command prompt and picking the profile from the drop-down list.

Bypassing server identity validation is not recommended in general, but with Azure certificate authentication, the same certificate is being used for server validation in the VPN tunneling protocol (IKEv2/SSTP) and the EAP protocol. Since the server certificate and FQDN are already validated by the VPN tunneling protocol, it is redundant to validate the same again in EAP.

Point-to-Site

Can I use my own internal PKI root CA to generate certificates for Point-to-Site connectivity?

Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.

Can I use certificates from Azure Key Vault?

No.

What tools can I use to create certificates?

You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.

Are there instructions for certificate settings and parameters?

  • Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

  • Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: See the MakeCert article for steps.

  • OpenSSL:

    • When exporting certificates, be sure to convert the root certificate to Base64.

    • For the client certificate:

      • When creating the private key, specify the length as 4096.
      • When creating the certificate, for the -extensions parameter, specify usr_cert.
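For the Azure PowerShell route listed above, the following is an added example for this page (not the article's own code and not the linked Azure PowerShell article) that produces the three artifacts the rest of this document relies on: a self-signed root, a client certificate signed by it with the Client Authentication EKU (the same purpose the OpenSSL usr_cert section grants), and the root's public key as the Base64 text that is pasted into the gateway's root certificate field. It assumes the PKI module of Windows 10 / Server 2016 or later (New-SelfSignedCertificate with -Signer and -TextExtension); the subject names P2SRootCert and P2SChildCert and the output path are assumed sample values.

```powershell
# Added example (not the article's own code): self-signed root, client cert
# signed by it, and the root public key as Base64 for upload to the gateway.
# Requires New-SelfSignedCertificate with -Signer/-TextExtension (Windows 10 /
# Server 2016 or later). Subject names and the output path are assumed samples.

function New-P2SRootCertificate {
    param([string] $Name = 'P2SRootCert')   # assumed sample subject
    # KeyUsage CertSign marks it as a CA so it can sign the client certificates.
    New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=$Name" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyUsageProperty Sign -KeyUsage CertSign
}

function New-P2SClientCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Root,
        [string] $Name = 'P2SChildCert'      # assumed sample subject
    )
    # 2.5.29.37 is the Extended Key Usage extension; 1.3.6.1.5.5.7.3.2 is
    # Client Authentication, which the gateway requires on client certificates.
    New-SelfSignedCertificate -Type Custom -DnsName $Name -KeySpec Signature `
        -Subject "CN=$Name" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -Signer $Root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')
}

function Export-P2SRootPublicKey {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Root,
        [Parameter(Mandatory)] [string] $Path
    )
    # RawData is the DER-encoded certificate and carries no private key; its
    # Base64 form is the body of a Base64 .cer file and what the portal accepts.
    $b64 = [Convert]::ToBase64String($Root.RawData)
    Set-Content -Path $Path -Value $b64 -Encoding Ascii
    $b64
}

function Test-P2SClientCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Client,
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Root
    )
    # Sanity check before handing the certificate to a user: issued by our root
    # and carrying the Client Authentication EKU.
    $eku = $Client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    ($Client.Issuer -eq $Root.Subject) -and
    ($null -ne $eku) -and
    ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2')
}

$root   = New-P2SRootCertificate
$client = New-P2SClientCertificate -Root $root
Export-P2SRootPublicKey -Root $root -Path "$env:TEMP\P2SRootCert.txt"   # text to paste into the portal
Test-P2SClientCertificate -Client $client -Root $root
```

Only the root's public key leaves the machine; the root's private key stays in the CurrentUser\My store and is what a revoked-then-reissued client certificate is signed with, so protect that store (or the exported .pfx) as you would any CA key.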

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM network overview.

For P2S troubleshooting information, see Troubleshooting Azure point-to-site connections.