VPN settings for Windows 10 devices in Microsoft Intune

Applies to: Intune in the Azure portal

Depending on the settings you choose, not all values in the list below will be configurable.

Base VPN settings

  • Connection name - Enter a name for this connection. End users will see this name when they browse their device for the list of available VPN connections.
  • Servers - Add one or more VPN servers that devices will connect to.
    • Add - Opens the Add Row blade where you can specify the following information:
      • Description - Specify a descriptive name for the server, such as Contoso VPN server.
      • IP address or FQDN - Provide the IP address or fully qualified domain name of the VPN server that devices will connect to. Examples: 192.168.1.1, vpn.contoso.com.
      • Default server - Enables this server as the default server that devices will use to establish the connection. Make sure to set only one server as the default.
    • Import - Browse to a file containing a comma-separated list of servers in the format description, IP address or FQDN, Default server. Choose OK to import these into the Servers list.
    • Export - Exports the list of servers to a comma-separated-values (csv) file.
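The server list import described above takes a comma-separated file in the format description, IP address or FQDN, Default server, and only one server may be the default. The following added example (not code from the page or from Intune) validates such a file before import; it assumes the file has no header row and that the Default server column holds true or false.

```python
import csv
import io
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_or_fqdn(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address or looks like a fully qualified domain name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_servers(csv_text: str) -> list:
    """Parse rows of 'description, IP address or FQDN, Default server'.

    Raises ValueError on a malformed row, an address that is neither an IP nor an FQDN,
    or a default-server count other than exactly one. The true/false encoding of the
    Default server column is an assumption, not something the page specifies.
    """
    servers = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row:
            continue  # blank line
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(row)}")
        desc, addr, default = (field.strip() for field in row)
        if not is_ip_or_fqdn(addr):
            raise ValueError(f"line {lineno}: {addr!r} is not an IP address or FQDN")
        if default.lower() not in ("true", "false"):
            raise ValueError(f"line {lineno}: Default server must be true or false")
        servers.append({"description": desc, "address": addr, "default": default.lower() == "true"})
    defaults = sum(1 for s in servers if s["default"])
    if defaults != 1:
        raise ValueError(f"expected exactly one default server, found {defaults}")
    return servers


# Constructed sample import file (not from the page): two servers, one of them the default.
SAMPLE_CSV = """Contoso VPN server,vpn.contoso.com,true
Contoso VPN backup,192.168.1.1,false
"""

if __name__ == "__main__":
    for server in parse_servers(SAMPLE_CSV):
        print(server)
```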

Connection type - Select the VPN connection type from the following list of vendors:

  • Pulse Secure
  • F5 Edge Client
  • Dell SonicWALL Mobile Connect
  • Check Point Capsule VPN
  • Automatic
  • IKEv2
  • L2TP
  • PPTP

Login group or domain (Dell SonicWALL Mobile Connect only) - Specify the name of the login group or domain that you want to connect to.

Custom XML/EAP XML - Specify any custom XML commands that configure the VPN connection.

Example for Pulse Secure:

    <pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema>

Example for CheckPoint Mobile VPN:

    <CheckPointVPN port="443" name="CheckPointSelfhost" sso="true" debug="3" />

Example for Dell SonicWALL Mobile Connect:

    <MobileConnect><Compression>false</Compression><debugLogging>True</debugLogging><packetCapture>False</packetCapture></MobileConnect>

Example for F5 Edge Client:

    <f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

Refer to each manufacturer's VPN documentation for more information about how to write custom XML commands.

Split tunneling - Enable or disable this option, which lets devices decide which connection to use depending on the traffic. For example, a user in a hotel will use the VPN connection to access work files, but use the hotel's standard network for regular web browsing.

  • Split tunneling routes for this VPN connection - Add optional routes for third-party VPN providers. Specify a destination prefix and a prefix size for each route.

Apps and Traffic Rules

Restrict VPN connection to these apps - Enable this option if you only want apps you specify to use the VPN connection. Associated Apps - Provide a list of apps that will automatically use the VPN connection. The type of app determines the app identifier: for a universal app, provide the package family name; for a desktop app, provide the file path of the app.

Important

We recommend that you secure all lists of apps that you compile for use in the configuration of per-app VPN. If an unauthorized user modifies your list and you import it into the per-app VPN app list, you will potentially authorize VPN access to apps that should not have access. One way you can secure app lists is by using an access control list (ACL).

Network traffic rules for this VPN connection - Select which protocols, and which local and remote port and address ranges, will be enabled for the VPN connection. If you do not create a network traffic rule, all protocols, ports, and address ranges are enabled. After you create a rule, the VPN connection will use only the protocols, ports, and address ranges that you specify in that rule.

Conditional Access

Conditional access for this VPN connection - Enables the device compliance flow from the client. When enabled, the VPN client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use certificate authentication, and the VPN server must trust the server returned by Azure Active Directory.

Single sign-on (SSO) with alternate certificate - For device compliance, use a certificate different from the VPN authentication certificate for Kerberos authentication. Specify the certificate with the following settings:

  • Extended key usage - Name for the extended key usage (EKU).
  • Object Identifier - Object identifier for the EKU.
  • Issuer hash - Thumbprint for the SSO certificate.

DNS Settings

DNS names and servers for this VPN connection - Select which DNS servers the VPN connection will use after the connection is established. For each server, specify:

  • DNS Name
  • DNS Server
  • Proxy

Proxy settings

  • Automatically detect proxy settings - If your VPN server requires a proxy server for the connection, specify whether you want devices to automatically detect the connection settings. For more information, see your Windows Server documentation.
  • Automatic configuration script - Use a file to configure the proxy server. Enter the proxy server URL (for example http://proxy.contoso.com) that contains the configuration file.
  • Use proxy server - Enable this option if you want to manually enter the proxy server settings.
    • Address - Enter the proxy server address (as an IP address).
    • Port number - Enter the port number associated with the proxy server.
  • Bypass proxy for local addresses - If your VPN server requires a proxy server for the connection, select this option if you do not want to use the proxy server for the local addresses that you specify. For more information, see your Windows Server documentation.