Client Access Control policies in AD FS 2.0

Client access policies in Active Directory Federation Services (AD FS) 2.0 let you restrict or grant user access to resources based on the context of the request, such as the client IP address, the client application, or the AD FS endpoint that was used. This document describes how to enable client access policies in AD FS 2.0 and how to configure the most common scenarios.

Enabling Client Access Policy in AD FS 2.0

To enable client access policy, follow the steps below.

Step 1: Install the Update Rollup 2 for AD FS 2.0 package on your AD FS servers

Download the Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 package and install it on all federation servers and federation server proxies.

Step 2: Add five claim rules to the Active Directory claims provider trust

Once Update Rollup 2 has been installed on all of the AD FS servers and proxies, add a set of acceptance transform rules on the Active Directory claims provider trust so that the new request context claim types become available to the policy engine. You will add one pass-through rule for each of the five new request context claim types, using the procedure below.

To add a claim rule to the Active Directory claims provider trust for each of the five context claim types:

  1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
  2. In the console tree, under AD FS 2.0\Trust Relationships, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.
  3. In the Edit Claim Rules dialog box, select the Acceptance Transform Rules tab, and then click Add Rule to start the Rule wizard.
  4. On the Select Rule Template page, under Claim rule template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.
  5. On the Configure Rule page, under Claim rule name, type a display name for this rule; in Incoming claim type, type the following claim type URL, and then select Pass through all claim values.
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
  6. To verify the rule, select it in the list, click Edit Rule, and then click View Rule Language. The claim rule language should appear as follows:
    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);
  7. Click Finish.
  8. In the Edit Claim Rules dialog box, click OK to save the rules.
  9. Repeat steps 2 through 8 to create an additional claim rule for each of the remaining four claim types shown below, until all five rules have been created.

    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path
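The same five pass-through rules can be added from PowerShell instead of the Rule wizard, which is easier to repeat across a farm and to review in change control. The script below is an added example, not part of the original article; it assumes the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) on a federation server where Update Rollup 2 is already installed, and the default trust name "Active Directory".

```powershell
# Added example (not part of the original article): add the five pass-through
# acceptance transform rules from Step 2 with the AD FS 2.0 PowerShell snap-in
# instead of the Rule wizard. Run elevated on a federation server after
# Update Rollup 2 is installed. Assumes the default trust name "Active Directory".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$prefix = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/'
$contextClaims = 'x-ms-forwarded-client-ip',
                 'x-ms-client-application',
                 'x-ms-client-user-agent',
                 'x-ms-proxy',
                 'x-ms-endpoint-absolute-path'

function New-PassThroughRule {
    param([string]$ClaimType, [string]$RuleName)
    # Same claim rule language that "View Rule Language" shows in the console.
    return "@RuleName = `"$RuleName`"`nc:[Type == `"$ClaimType`"]`n => issue(claim = c);"
}

$trustName = 'Active Directory'
$existing  = (Get-ADFSClaimsProviderTrust -Name $trustName).AcceptanceTransformRules

# Append only the rules that are not already present, so the default rules on
# the trust (Windows account name, group SIDs, and so on) are kept and the
# script can be re-run safely.
$toAdd = foreach ($name in $contextClaims) {
    $type = $prefix + $name
    if ($existing -notlike "*$type*") {
        New-PassThroughRule -ClaimType $type -RuleName "Pass through $name"
    }
}

if ($toAdd) {
    $merged = (@($existing) + @($toAdd)) -join "`n"
    Set-ADFSClaimsProviderTrust -TargetName $trustName -AcceptanceTransformRules $merged
}

# Check: every context claim type should now appear in the stored rule set.
$stored = (Get-ADFSClaimsProviderTrust -Name $trustName).AcceptanceTransformRules
foreach ($name in $contextClaims) {
    '{0,-30} {1}' -f $name, ($stored -like "*$prefix$name*")
}
```

Run it once per farm (the configuration database is shared); the final loop should print True for all five claim types. If any line prints False, the rule set was overwritten by a later change and Step 2 has to be repeated.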

Step 3: Update the Microsoft Office 365 Identity Platform relying party trust

Choose the example scenario below that best meets the needs of your organization, and configure its claim rules on the Microsoft Office 365 Identity Platform relying party trust.

Client access policy scenarios for AD FS 2.0

The following sections describe the scenarios that are supported for AD FS 2.0.

Scenario 1: Block all external access to Office 365

This client access policy scenario allows access from all internal clients and blocks all external clients, based on the client IP address. The exists(x-ms-proxy) clause limits the deny to requests that arrived through a federation server proxy; requests that reach a federation server directly from the internal network are not affected. The rule set builds on the default Issuance Authorization rule Permit Access to All Users. Use the following procedure to add an Issuance Authorization rule to the Office 365 relying party trust.

To create a rule to block all external access to Office 365

  1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
  2. In the console tree, under AD FS 2.0\Trust Relationships, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Claim Rules.
  3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to start the Claim Rule Wizard.
  4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
  5. On the Configure Rule page, under Claim rule name, type a display name for this rule. Under Custom rule, type or paste the following claim rule language syntax:
    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
  6. Click Finish. Verify that the new rule appears immediately below the Permit Access to All Users rule in the Issuance Authorization Rules list.
  7. To save the rule, in the Edit Claim Rules dialog box, click OK.

Note

You must replace the “customer-provided public ip address regex” placeholder above with a valid IP expression; see Building the IP address range expression for more information.

Scenario 2: Block all external access to Office 365 except Exchange ActiveSync

The following example allows access to all Office 365 applications, including Exchange Online, from internal clients, including Outlook. It blocks access from clients residing outside the corporate network, as indicated by the client IP address, except for Exchange ActiveSync clients such as smartphones (the Autodiscover requests those clients depend on are exempted as well). The rule set builds on the default Issuance Authorization rule titled Permit Access to All Users. Use the following steps to add an Issuance Authorization rule to the Office 365 relying party trust using the Claim Rule Wizard:

To create a rule to block all external access to Office 365 except Exchange ActiveSync

  1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
  2. In the console tree, under AD FS 2.0\Trust Relationships, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Claim Rules.
  3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to start the Claim Rule Wizard.
  4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
  5. On the Configure Rule page, under Claim rule name, type a display name for this rule. Under Custom rule, type or paste the following claim rule language syntax:
    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.Autodiscover"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
  6. Click Finish. Verify that the new rule appears immediately below the Permit Access to All Users rule in the Issuance Authorization Rules list.
  7. To save the rule, in the Edit Claim Rules dialog box, click OK.

Note

You must replace the “customer-provided public ip address regex” placeholder above with a valid IP expression; see Building the IP address range expression for more information.

Scenario 3: Block all external access to Office 365 except browser-based applications

The following example allows access to all Office 365 applications from internal clients, and from external clients only when the request is a browser-based (passive) sign-in through the /adfs/ls/ endpoint; all other external requests are denied. The rule set builds on the default Issuance Authorization rule titled Permit Access to All Users. Use the following steps to add an Issuance Authorization rule to the Microsoft Office 365 Identity Platform relying party trust using the Claim Rule Wizard:

Note

This scenario is not supported with a third-party proxy because of limitations on client access policy headers with passive (Web-based) requests.

To create a rule to block all external access to Office 365 except browser-based applications

  1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
  2. In the console tree, under AD FS 2.0\Trust Relationships, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Claim Rules.
  3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to start the Claim Rule Wizard.
  4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
  5. On the Configure Rule page, under Claim rule name, type a display name for this rule. Under Custom rule, type or paste the following claim rule language syntax:
    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
  6. Click Finish. Verify that the new rule appears immediately below the Permit Access to All Users rule in the Issuance Authorization Rules list.
  7. To save the rule, in the Edit Claim Rules dialog box, click OK.

Scenario 4: Block all external access to Office 365 for designated Active Directory groups

The following example enables access from internal clients based on IP address. For clients outside the corporate network, as indicated by an external client IP address, it blocks access only for members of a designated Active Directory group, identified by the group SID; other users are not affected by this rule. If you want the opposite behavior, blocking all external access except for members of the group, prefix the group clause with NOT (see the syntax descriptions below). The rule set builds on the default Issuance Authorization rule titled Permit Access to All Users. Use the following steps to add an Issuance Authorization rule to the Microsoft Office 365 Identity Platform relying party trust using the Claim Rule Wizard:

To create a rule to block all external access to Office 365 for designated Active Directory groups

  1. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.
  2. In the console tree, under AD FS 2.0\Trust Relationships, click Relying Party Trusts, right-click the Microsoft Office 365 Identity Platform trust, and then click Edit Claim Rules.
  3. In the Edit Claim Rules dialog box, select the Issuance Authorization Rules tab, and then click Add Rule to start the Claim Rule Wizard.
  4. On the Select Rule Template page, under Claim rule template, select Send Claims Using a Custom Rule, and then click Next.
  5. On the Configure Rule page, under Claim rule name, type a display name for this rule. Under Custom rule, type or paste the following claim rule language syntax:
    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "Group SID value of designated AD group"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
  6. Click Finish. Verify that the new rule appears immediately below the Permit Access to All Users rule in the Issuance Authorization Rules list.
  7. To save the rule, in the Edit Claim Rules dialog box, click OK.

Descriptions of the claim rule language syntax used in the above scenarios

| Description | Claim rule language syntax |
|---|---|
| Default AD FS rule to Permit Access to All Users. This rule should already exist in the Issuance Authorization Rules list of the Microsoft Office 365 Identity Platform relying party trust. | `=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");` |
| Adding this clause to a new custom rule specifies that the request came through a federation server proxy (that is, it carries the x-ms-proxy claim). It is recommended that all rules include this. | `exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])` |
| Establishes that the request is not from a client whose IP address is in the defined internal range. | `NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"])` |
| Specifies that the request should be denied unless the application being accessed is Microsoft.Exchange.ActiveSync. | `NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"])` |
| Exempts requests that came through a Web browser: /adfs/ls/ is the passive (browser) sign-in endpoint, so requests to it are not denied. | `NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])` |
| Restricts the deny to users in a particular Active Directory group (based on the group SID). Prefixing this clause with NOT instead exempts that group, so its members are allowed regardless of location. | `exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "{Group SID value of designated AD group}"])` |
| Required final clause: issues a deny when all preceding conditions are met. | `=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");` |
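Because the four scenarios differ only in the clauses between the proxy check and the IP-range check, a practitioner can generate the deny rule from those building blocks rather than hand-editing four long strings. The script below is an added example, not part of the original article; it assumes the AD FS 2.0 PowerShell snap-in, the relying party trust display name used in this article, and two placeholder values (the internal IP range expression and a made-up group SID) that you must replace with your own.

```powershell
# Added example (not part of the original article): compose the scenario 1-4
# deny rule from the clauses in the table above and append it to the Office 365
# relying party trust. Assumes the AD FS 2.0 snap-in and the trust name below.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ctx     = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/'
$sidType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$denyTyp = 'http://schemas.microsoft.com/authorization/claims/deny'

# Placeholders: replace with your own range expression (see "Building the IP
# address range expression") and the SID of your group. Both are made-up values.
$internalIpRegex = '\b192\.168\.1\.([1-9]|1[0-9]|2[0-5])\b'
$groupSid        = 'S-1-5-21-1111111111-2222222222-3333333333-1234'

function New-ClientAccessDenyRule {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('BlockExternal', 'ExceptActiveSync', 'ExceptBrowser', 'GroupOnly')]
        [string]$Scenario
    )
    # Every scenario: the request came through the federation server proxy ...
    $clauses = @("exists([Type == `"${ctx}x-ms-proxy`"])")
    switch ($Scenario) {
        'ExceptActiveSync' {
            # Scenario 2: ActiveSync and the Autodiscover lookups it needs are exempt.
            $clauses += "NOT exists([Type == `"${ctx}x-ms-client-application`", Value == `"Microsoft.Exchange.Autodiscover`"])"
            $clauses += "NOT exists([Type == `"${ctx}x-ms-client-application`", Value == `"Microsoft.Exchange.ActiveSync`"])"
        }
        'ExceptBrowser' {
            # Scenario 3: passive (browser) sign-ins to /adfs/ls/ are exempt.
            $clauses += "NOT exists([Type == `"${ctx}x-ms-endpoint-absolute-path`", Value == `"/adfs/ls/`"])"
        }
        'GroupOnly' {
            # Scenario 4: only members of the designated group are denied.
            # Use NOT exists(...) to exempt the group instead. An exact (==)
            # comparison avoids a regex prefix match on a longer SID.
            $clauses += "exists([Type == `"$sidType`", Value == `"$groupSid`"])"
        }
    }
    # ... and the client IP is not in the internal range.
    $clauses += "NOT exists([Type == `"${ctx}x-ms-forwarded-client-ip`", Value =~ `"$internalIpRegex`"])"

    return "@RuleName = `"Client access policy ($Scenario)`"`n" +
           ($clauses -join "`n && ") +
           "`n => issue(Type = `"$denyTyp`", Value = `"true`");"
}

$rpName = 'Microsoft Office 365 Identity Platform'
$rp     = Get-ADFSRelyingPartyTrust -Name $rpName
$rule   = New-ClientAccessDenyRule -Scenario 'ExceptActiveSync'

# Print the generated rule so it can be reviewed before it is applied.
$rule

# Append to the existing rule set so "Permit Access to All Users" stays in
# place. AD FS refuses the request whenever any deny claim is issued, so the
# new rule's position after the permit rule does not weaken it.
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules ($rp.IssuanceAuthorizationRules + "`n" + $rule)
```

Pick the scenario with the -Scenario switch; BlockExternal produces the scenario 1 rule. Because the script appends, running it twice adds a duplicate rule, so check the Issuance Authorization Rules tab afterwards.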

Building the IP address range expression

The x-ms-forwarded-client-ip claim is populated from an HTTP header that is currently set only by Exchange Online, which adds the header when it passes the authentication request to AD FS. The value of the claim may be one of the following:

Note

Exchange Online currently supports only IPv4 addresses, not IPv6.

A single IP address: the IP address of the client that is directly connected to Exchange Online.

Note

The IP address of a client on the corporate network will appear as the external interface IP address of the organization’s outbound proxy or gateway.

Clients that are connected to the corporate network through a VPN or through Microsoft DirectAccess (DA) may appear as internal corporate clients or as external clients, depending on the VPN or DA configuration.

One or more IP addresses: when Exchange Online cannot determine the IP address of the connecting client, it sets the value from the x-forwarded-for header, a non-standard header that can be included in HTTP-based requests and is supported by many clients, load balancers, and proxies.

Note

Multiple IP addresses, indicating the client IP address and the address of each proxy that passed the request, are separated by commas.

IP addresses belonging to Exchange Online infrastructure do not appear in the list.

Regular Expressions

When you have to match a range of IP addresses, you need to construct a regular expression to perform the comparison. The following steps show how to build such an expression for these address ranges (you will have to change the examples to match your own public IP range):

  • 192.168.1.1 – 192.168.1.25
  • 10.0.0.1 – 10.0.0.14

First, the basic pattern that matches a single IP address is: \b###\.###\.###\.###\b

Note

In a regular expression an unescaped dot matches any single character, so each dot of the address is written as \. in the patterns below. The \b word boundaries stop the pattern from matching inside a longer run of digits, such as 1192.168.1.20.

Extending this, two different IP addresses can be matched with an OR expression: \b###\.###\.###\.###\b|\b###\.###\.###\.###\b

So, an example that matches just two addresses (192.168.1.1 or 10.0.0.1) would be: \b192\.168\.1\.1\b|\b10\.0\.0\.1\b

This technique lets you enter any number of addresses. Where a range of addresses needs to be allowed, for example 192.168.1.1 – 192.168.1.25, the matching must be done character by character: \b192\.168\.1\.([1-9]|1[0-9]|2[0-5])\b

Note

The IP address is treated as a string, not as a number.

The expression breaks down as follows: \b192\.168\.1\.

This matches any value beginning with 192.168.1.

The following matches the required range for the portion of the address after the final dot:

  • ([1-9] matches addresses ending in 1-9
  • |1[0-9] matches addresses ending in 10-19
  • |2[0-5]) matches addresses ending in 20-25

Note

The parentheses must be correctly positioned so that you do not start matching other portions of the IP address.

With the 192 block matched, we can write a similar expression for the 10 block: \b10\.0\.0\.([1-9]|1[0-4])\b

Putting them together, the following expression matches all the addresses in 192.168.1.1–25 and 10.0.0.1–14: \b192\.168\.1\.([1-9]|1[0-9]|2[0-5])\b|\b10\.0\.0\.([1-9]|1[0-4])\b

Testing the Expression

Regular expressions can become quite tricky, so we highly recommend using a regex verification tool. An internet search for “online regex expression builder” will find several good online utilities that let you try out your expressions against sample data.

When testing the expression, it is important to understand what you will have to match. Exchange Online may send many IP addresses separated by commas, and the =~ operator in the claim rule succeeds if the pattern matches anywhere in that value, so a single matching address in the list is enough to satisfy the clause. The expressions above work with such values, but keep this in mind when testing. For example, you might use the following sample input to verify the examples above:

192.168.1.1, 192.168.1.2, 192.169.1.1, 192.168.12.1, 192.168.1.10, 192.168.1.25, 192.168.1.26, 192.168.1.30, 1192.168.1.20

10.0.0.1, 10.0.0.5, 10.0.0.10, 10.0.1.0, 10.0.1.1, 110.0.0.1, 10.0.0.14, 10.0.0.15, 10.0.0.10, 10,0.0.1
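The following script is an added example, not part of the original article, that builds the range expression for any last-octet range and checks it against the sample input above the way the claim rule will use it: an unanchored search over the comma-separated value. The 203.0.113.7 proxy address in the last case is constructed for illustration.

```powershell
# Added example (not part of the original article): build the range expression
# programmatically and test it against the sample input above, plus a
# comma-separated value with a proxy hop. Dots are escaped so "." cannot match
# any character. Test values are constructed from the article's sample input.
function New-LastOctetPattern {
    param(
        [Parameter(Mandatory)][string]$Prefix,   # first three octets, e.g. '192.168.1.'
        [Parameter(Mandatory)][int]$From,
        [Parameter(Mandatory)][int]$To
    )
    # Enumerate the last octet instead of hand-writing ([1-9]|1[0-9]|2[0-5]):
    # at most 256 alternatives, and the trailing \b keeps "1" from matching
    # the leading "1" of "10" or "100".
    $alts = ($From..$To | ForEach-Object { [string]$_ }) -join '|'
    return '\b' + [regex]::Escape($Prefix) + '(' + $alts + ')\b'
}

function Test-InternalClientIp {
    param([string]$Pattern, [string]$ForwardedClientIp)
    # Unanchored search, like =~ in the claim rule: one matching address anywhere
    # in the comma-separated value makes the clause true.
    return [regex]::IsMatch($ForwardedClientIp, $Pattern)
}

$pattern = (New-LastOctetPattern -Prefix '192.168.1.' -From 1 -To 25) + '|' +
           (New-LastOctetPattern -Prefix '10.0.0.'    -From 1 -To 14)
$pattern

$cases = @(
    @{ Value = '192.168.1.1';   Expect = $true  },
    @{ Value = '192.168.1.25';  Expect = $true  },
    @{ Value = '192.168.1.26';  Expect = $false },
    @{ Value = '192.169.1.1';   Expect = $false },
    @{ Value = '192.168.12.1';  Expect = $false },
    @{ Value = '1192.168.1.20'; Expect = $false },
    @{ Value = '10.0.0.14';     Expect = $true  },
    @{ Value = '10.0.0.15';     Expect = $false },
    @{ Value = '10.0.1.1';      Expect = $false },
    @{ Value = '110.0.0.1';     Expect = $false },
    @{ Value = '10,0.0.1';      Expect = $false },
    # x-forwarded-for style value: external proxy hop first, internal client second.
    @{ Value = '203.0.113.7, 192.168.1.10'; Expect = $true }
)
foreach ($c in $cases) {
    $got = Test-InternalClientIp -Pattern $pattern -ForwardedClientIp $c.Value
    '{0,-28} match={1,-5} {2}' -f $c.Value, $got, $(if ($got -eq $c.Expect) { 'ok' } else { 'UNEXPECTED' })
}
```

Every line should print ok. The last case is the one to think about when the header carries a list: the clause is satisfied as soon as any address in the value falls inside the internal range.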

Validating the Deployment

Security Audit Logs

To verify that the new request context claims are being sent and are available to the AD FS claims processing pipeline, enable audit logging on the AD FS server. Then send some authentication requests and check for the claim values in the standard security audit log entries.

To enable logging of audit events to the Security log on an AD FS server, follow the steps in Configure auditing for AD FS 2.0.
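Once auditing is on, the quickest check is to search the Security log for entries that mention the new claim types. The script below is an added example, not part of the original article; it assumes AD FS auditing writes to the Security log as configured in the steps above and only relies on the claim type URL appearing in the event message text, so it does not depend on a particular event ID or message layout.

```powershell
# Added example (not part of the original article): list the Security-log
# lines from recent AD FS audit events that carry the request context claims.
# Assumes AD FS auditing is enabled and writes to the Security log; no event
# ID is hard-coded, only the claim type URL is matched.
function Get-RequestContextClaimLines {
    param([int]$LastHours = 1)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        StartTime = (Get-Date).AddHours(-$LastHours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'requestcontext/claims/x-ms-' }

    foreach ($e in $events) {
        # One object per message line that names a context claim, so the
        # output shows the claim type together with the value AD FS saw.
        $e.Message -split "`r?`n" |
            Where-Object { $_ -match 'requestcontext/claims/x-ms-' } |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    EventId = $e.Id
                    Line    = $_.Trim()
                }
            }
    }
}

Get-RequestContextClaimLines -LastHours 2 | Format-Table -AutoSize -Wrap
```

Send a few sign-ins through the proxy first. If the query returns nothing while sign-ins are succeeding, the acceptance transform rules from Step 2 are missing or the requests did not pass through a federation server proxy, so the policy rules will never evaluate.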

Event Logging

By default, failed requests are logged to the application event log located under Applications and Services Logs \ AD FS 2.0 \ Admin. For more information on event logging for AD FS, see Set up AD FS 2.0 event logging.

Configuring Verbose AD FS Tracing Logs

AD FS tracing events are logged to the AD FS 2.0 debug log. To enable tracing, see Configure debug tracing for AD FS 2.0.

After you have enabled tracing, use the following command to set the verbose logging level:
    wevtutil.exe sl "AD FS 2.0 Tracing/Debug" /l:5

For more information on the new claim types, see AD FS Claims Types.