Windows 10 VPN settings in Intune

You can configure VPN connections using Intune. This article describes these settings, the traffic rules, conditional access, and DNS and proxy settings.

These settings apply to:

  • Devices running Windows 10
  • Devices running Windows Holographic for Business

Depending on the settings you choose, not all values may be configurable.

Base VPN settings

  • Connection name: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections.

  • Servers: Add one or more VPN servers that devices connect to. When you add a server, you enter the following information:

    • Description: Enter a descriptive name for the server, such as Contoso VPN server
    • IP address or FQDN: Enter the IP address or fully qualified domain name of the VPN server that devices connect to, such as 192.168.1.1 or vpn.contoso.com
    • Default server: Enables this server as the default server that devices use to establish the connection. Set only one server as the default.
    • Import: Browse to a comma-separated file that contains a list of servers in the format: description, IP address or FQDN, Default server. Choose OK to import these servers into the Servers list.
    • Export: Exports the list of servers to a comma-separated-values (csv) file
  • Connection type: Select the VPN connection type from the following list of vendors:

    • Pulse Secure
    • F5 Edge Client
    • SonicWALL Mobile Connect
    • Check Point Capsule VPN
    • Citrix
    • Palo Alto Networks GlobalProtect
    • Automatic
    • IKEv2
    • L2TP
    • PPTP

    When you choose a VPN connection type, you may also be asked for the following settings:

    • Always On: Enable to automatically connect to the VPN connection when the following happens:

      • Users sign into their devices
      • The network on the device changes
      • The screen on the device turns back on after being turned off
    • Authentication method: Select how you want users to authenticate to the VPN server. Using certificates provides enhanced capabilities, such as a zero-touch experience, on-demand VPN, and per-app VPN.

    • Remember credentials at each logon: Choose to cache the authentication credentials.

    • Custom XML: Enter any custom XML commands that configure the VPN connection.

    • EAP Xml: Enter any EAP XML commands that configure the VPN connection
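The Import setting above takes a comma-separated file in the format description, IP address or FQDN, Default server, and the Default server setting requires that only one entry be marked as default. The following Python script is an added example, not Intune's own import code: it parses such a file, checks that each host is an IP literal or a well-formed FQDN, and rejects a file with zero or several default servers before it is imported. The sample CSV contents are constructed, and the spellings accepted for a true value in the third column (true/yes/1) are an assumption of this example, since the page does not state them.

```python
import csv
import io
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_or_fqdn(host):
    """True for an IPv4/IPv6 literal or a hostname whose labels are all well-formed."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return 0 < len(host) <= 253 and all(_LABEL.match(label) for label in labels)


def parse_server_list(text):
    """Parse rows of: description, IP address or FQDN, Default server.

    How the 'Default server' column spells a true value is not stated on the page;
    accepting true/yes/1 (case-insensitive) is an assumption of this example.
    """
    servers = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 3:
            raise ValueError("line %d: expected 3 columns, got %d" % (lineno, len(row)))
        description, host, default = (cell.strip() for cell in row)
        servers.append({
            "line": lineno,
            "description": description,
            "host": host,
            "default": default.lower() in ("true", "yes", "1"),
        })
    return servers


def validate_server_list(servers):
    """Return a list of problems; an empty list means the file is safe to import."""
    problems = []
    for s in servers:
        if not s["description"]:
            problems.append("line %d: empty description" % s["line"])
        if not is_ip_or_fqdn(s["host"]):
            problems.append("line %d: %r is not an IP address or FQDN" % (s["line"], s["host"]))
    defaults = [s["host"] for s in servers if s["default"]]
    if len(defaults) != 1:
        problems.append("expected exactly one default server, found %d: %s"
                        % (len(defaults), ", ".join(defaults) or "none"))
    return problems


# Constructed sample files (not from the page): one well-formed,
# one with two default servers and a host that is neither an IP nor an FQDN.
GOOD_CSV = """Contoso VPN server,vpn.contoso.com,true
Contoso backup server,192.168.1.1,false
"""

BAD_CSV = """Primary,vpn.contoso.com,true
Secondary,192.168.1.1,true
Broken,not a host,false
"""


def check_sample_file(text):
    """Parse and validate one CSV file; returns (servers, problems)."""
    servers = parse_server_list(text)
    return servers, validate_server_list(servers)


if __name__ == "__main__":
    for name, text in (("GOOD_CSV", GOOD_CSV), ("BAD_CSV", BAD_CSV)):
        _, problems = check_sample_file(text)
        print(name, "OK" if not problems else problems)
```

Run the validation against a server list before choosing Import; a list that fails the single-default check would otherwise leave devices with an ambiguous default server.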

Pulse Secure example

<pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

F5 Edge Client example

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

SonicWALL Mobile Connect example

Login group or domain: This property can't be set in the VPN profile. Instead, Mobile Connect parses this value when the user name and domain are entered in the username@domain or DOMAIN\username formats.

Example:

<MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture></MobileConnect>

CheckPoint Mobile VPN example

<CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

Writing custom XML

For more information about writing custom XML commands, see each manufacturer's VPN documentation.

For more information about creating custom EAP XML, see EAP configuration.

Apps and Traffic Rules

  • Associate WIP or apps with this VPN: Enable this setting if you only want some apps to use the VPN connection. Your options:

    • Associate a WIP with this connection: Enter a WIP domain for this connection
    • Associate apps with this connection: You can Restrict VPN connection to these apps, and then add Associated Apps. The apps you enter automatically use the VPN connection. The type of app determines the app identifier. For a universal app, enter the package family name. For a desktop app, enter the file path of the app.

    Important

    We recommend that you secure all app lists created for per-app VPNs. If an unauthorized user changes this list, and you import it into the per-app VPN app list, then you potentially authorize VPN access to apps that shouldn't have access. One way you can secure app lists is using an access control list (ACL).

  • Network traffic rules for this VPN connection: Select which protocols, and which local and remote port and address ranges, are enabled for the VPN connection. If you don't create a network traffic rule, then all protocols, ports, and address ranges are enabled. After you create a rule, the VPN connection uses only the protocols, ports, and address ranges that you enter in that rule.
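The network traffic rules setting has an important default: with no rule defined, every protocol, port and address range is carried over the VPN, and the first rule you add turns the connection into an allow-list. The following Python script is an added example, not part of Intune or of any VPN client, that models that evaluation so you can check what a set of rules would permit before deploying the profile. The rules and flows are constructed, and the spelling of address ranges as CIDR blocks and port ranges as "lo-hi" are assumptions of this example, not the portal's own input format.

```python
import ipaddress
from dataclasses import dataclass

# IP protocol numbers, as they appear in the IP header.
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17}


def parse_port_ranges(spec):
    """'443, 8000-8080' -> [(443, 443), (8000, 8080)]; an empty spec means any port."""
    ranges = []
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % part)
        ranges.append((lo, hi))
    return ranges


def port_allowed(spec, port):
    """An empty spec matches any port; otherwise the port must fall in one of the ranges."""
    ranges = parse_port_ranges(spec)
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


@dataclass
class TrafficRule:
    protocol: str               # "tcp" or "udp"
    local_ports: str = ""       # e.g. "1024-65535"; "" = any port
    remote_ports: str = ""      # e.g. "443"; "" = any port
    remote_addresses: str = ""  # comma-separated CIDR blocks (assumed spelling); "" = any address

    def matches(self, flow):
        """flow: dict with protocol (number), local_port, remote_port, remote_address."""
        if PROTOCOL_NUMBERS[self.protocol.lower()] != flow["protocol"]:
            return False
        if not port_allowed(self.local_ports, flow["local_port"]):
            return False
        if not port_allowed(self.remote_ports, flow["remote_port"]):
            return False
        networks = [ipaddress.ip_network(n.strip(), strict=False)
                    for n in self.remote_addresses.split(",") if n.strip()]
        address = ipaddress.ip_address(flow["remote_address"])
        # An IPv6 address is never inside an IPv4 network, so mixed families fail closed.
        return not networks or any(address in net for net in networks)


def vpn_carries(rules, flow):
    """With no rules every protocol, port and address range is enabled over the VPN.
    Once any rule exists, only flows matching at least one rule use the VPN."""
    if not rules:
        return True
    return any(rule.matches(flow) for rule in rules)


# Constructed rules: HTTPS and DNS to the corporate 10.0.0.0/8 range only.
SAMPLE_RULES = [
    TrafficRule("tcp", remote_ports="443", remote_addresses="10.0.0.0/8"),
    TrafficRule("udp", remote_ports="53", remote_addresses="10.0.0.0/8"),
]

# Constructed flows to evaluate.
HTTPS_TO_CORP = {"protocol": 6, "local_port": 51000, "remote_port": 443, "remote_address": "10.1.2.3"}
SSH_TO_CORP = {"protocol": 6, "local_port": 51001, "remote_port": 22, "remote_address": "10.1.2.3"}
HTTPS_TO_INTERNET = {"protocol": 6, "local_port": 51002, "remote_port": 443, "remote_address": "203.0.113.7"}


def evaluate_rules(rules):
    """Return which of the sample flows the VPN connection carries under the given rules."""
    return {
        "https_to_corp": vpn_carries(rules, HTTPS_TO_CORP),
        "ssh_to_corp": vpn_carries(rules, SSH_TO_CORP),
        "https_to_internet": vpn_carries(rules, HTTPS_TO_INTERNET),
    }


if __name__ == "__main__":
    print("no rules:     ", evaluate_rules([]))
    print("sample rules: ", evaluate_rules(SAMPLE_RULES))
```

With an empty rule list all three flows are carried; with the two sample rules only HTTPS to the corporate range is, which is the behaviour the setting describes once a rule exists.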

Conditional Access

  • Conditional access for this VPN connection: Enables device compliance flow from the client. When enabled, the VPN client attempts to communicate with Azure Active Directory (AD) to get a certificate to use for authentication. The VPN should be set up to use certificate authentication, and the VPN server must trust the server returned by Azure AD.

  • Single sign-on (SSO) with alternate certificate: For device compliance, use a certificate different from the VPN authentication certificate for Kerberos authentication. Enter the certificate with the following settings:

    • Name: Name for extended key usage (EKU)
    • Object Identifier: Object identifier for EKU
    • Issuer hash: Thumbprint for the SSO certificate

DNS Settings

Domain and servers for this VPN connection: Add the domain and DNS server for the VPN to use. You can choose which DNS servers the VPN connection uses after the connection is established. For each server, enter:

  • Domain
  • DNS Server
  • Proxy

Proxy settings

  • Automatic configuration script: Use a file to configure the proxy server. Enter the proxy server URL, such as http://proxy.contoso.com, that contains the configuration file.
  • Address: Enter the proxy server address, such as an IP address or vpn.contoso.com
  • Port number: Enter the TCP port number used by your proxy server
  • Bypass proxy for local addresses: If you don't want to use a proxy server for local addresses, then choose Enable. This setting applies if your VPN server requires a proxy server for the connection.

Split Tunneling

  • Split tunneling: Enable or Disable to let devices decide which connection to use depending on the traffic. For example, a user in a hotel uses the VPN connection to access work files, but uses the hotel's standard network for regular web browsing.
  • Split tunneling routes for this VPN connection: Add optional routes for third-party VPN providers. Enter a destination prefix, and a prefix size for each connection.
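The two split tunneling settings decide, per destination, whether traffic goes through the VPN or the local network: with split tunneling disabled everything uses the VPN, and with it enabled only destinations covered by an added route (destination prefix plus prefix size) do. The following Python script is an added example, not Intune's or any VPN provider's routing code, that applies longest-prefix matching over a constructed route list so you can see which destinations a given set of routes would send through the tunnel and which would stay on the hotel network in the scenario above.

```python
import ipaddress


def parse_routes(routes):
    """routes: iterable of (destination prefix, prefix size) pairs as entered in the profile."""
    return [ipaddress.ip_network("%s/%d" % (prefix, size), strict=False)
            for prefix, size in routes]


def route_for(destination, networks):
    """Longest-prefix match: return the most specific network containing destination, or None."""
    address = ipaddress.ip_address(destination)
    candidates = [net for net in networks if address in net]
    return max(candidates, key=lambda net: net.prefixlen) if candidates else None


def path_for(destination, split_tunneling, networks):
    """Return 'vpn' or 'local'.

    Split tunneling disabled: every destination uses the VPN.
    Split tunneling enabled: only destinations inside one of the added routes use the VPN;
    everything else (the hotel's regular web browsing in the page's example) stays local.
    """
    if not split_tunneling:
        return "vpn"
    return "vpn" if route_for(destination, networks) is not None else "local"


# Constructed routes: the corporate 10.0.0.0/8 range, a more specific subnet inside it,
# and one partner subnet. None of these come from the page.
SAMPLE_ROUTES = parse_routes([("10.0.0.0", 8), ("10.20.0.0", 16), ("192.168.50.0", 24)])

# Constructed destinations: two inside the corporate range, one in the partner subnet,
# and one public address that should stay on the local network when split tunneling is on.
SAMPLE_DESTINATIONS = ["10.20.1.5", "10.200.1.5", "192.168.50.9", "198.51.100.4"]


def evaluate_routes(split_tunneling):
    """Map each sample destination to the path it would take."""
    return {d: path_for(d, split_tunneling, SAMPLE_ROUTES) for d in SAMPLE_DESTINATIONS}


if __name__ == "__main__":
    print("split tunneling enabled: ", evaluate_routes(True))
    print("split tunneling disabled:", evaluate_routes(False))
    print("route chosen for 10.20.1.5:", route_for("10.20.1.5", SAMPLE_ROUTES))
```

The longest-prefix step matters when routes overlap, as 10.0.0.0/8 and 10.20.0.0/16 do here: both contain 10.20.1.5, and the more specific /16 is the one reported.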