Configure Firewalls for RADIUS Traffic

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Firewalls can be configured to allow or block types of IP traffic to and from the computer or device on which the firewall is running. If firewalls are not properly configured to allow RADIUS traffic between RADIUS clients, RADIUS proxies, and RADIUS servers, network access authentication can fail, preventing users from accessing network resources.

You might need to configure two types of firewalls to allow RADIUS traffic:

  • Windows Defender Firewall with Advanced Security on the local server running Network Policy Server (NPS).
  • Firewalls running on other computers or on hardware devices.

Windows Defender Firewall on the local NPS server

By default, NPS sends and receives RADIUS traffic by using User Datagram Protocol (UDP) ports 1812, 1813, 1645, and 1646. During the installation of NPS, Windows Defender Firewall on the NPS server is automatically configured with exceptions that allow this RADIUS traffic to be sent and received.

Therefore, if you are using the default UDP ports, you do not need to change the Windows Defender Firewall configuration to allow RADIUS traffic to and from NPS servers.

In some cases, you might want to change the ports that NPS uses for RADIUS traffic. If you configure NPS and your network access servers to send and receive RADIUS traffic on ports other than the defaults, you must do the following:

  • Remove the exceptions that allow RADIUS traffic on the default ports, so that the unused ports are no longer open.
  • Create new exceptions that allow RADIUS traffic on the new ports.

For more information, see Configure NPS UDP Port Information.
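The following PowerShell is an added example, not part of the original page, showing how an administrator can carry out both steps above on the NPS server: find the inbound exceptions that still allow the default RADIUS ports, remove them, and create exceptions for the new ports scoped to the known RADIUS clients. The new port numbers (21812 and 21813) and the client addresses are assumptions for illustration; the NPS port change itself is made in the NPS console, as described in Configure NPS UDP Port Information, and must match the ports used here.

```powershell
# Added example: replace the default NPS RADIUS firewall exceptions with rules
# for non-default ports. Run in an elevated PowerShell session on the NPS server.
# The port numbers and client addresses below are assumptions for illustration.
$defaultPorts  = '1812', '1813', '1645', '1646'
$newAuthPort   = 21812                             # must match the Ports tab in the NPS console
$newAcctPort   = 21813
$radiusClients = '203.0.113.10', '203.0.113.11'    # example RADIUS client addresses (RFC 5737 range)

# 1. Find every enabled inbound rule that still allows UDP on a default RADIUS port.
$staleRules = Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'UDP' -and
        @($_.LocalPort | Where-Object { $_ -in $defaultPorts }).Count -gt 0
    } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

# Review what is about to be removed before acting on it.
$staleRules | Format-Table DisplayName, Enabled, Profile, Action -AutoSize

# 2. Remove those exceptions so the default ports are no longer open.
$staleRules | Remove-NetFirewallRule

# 3. Create exceptions for the new ports, limited to the known RADIUS clients.
New-NetFirewallRule -DisplayName 'NPS RADIUS Authentication (UDP-In, custom port)' `
    -Direction Inbound -Protocol UDP -LocalPort $newAuthPort `
    -RemoteAddress $radiusClients -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'NPS RADIUS Accounting (UDP-In, custom port)' `
    -Direction Inbound -Protocol UDP -LocalPort $newAcctPort `
    -RemoteAddress $radiusClients -Action Allow | Out-Null

# 4. Verify: list the new rules together with their port and address scope.
Get-NetFirewallRule -DisplayName 'NPS RADIUS*' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemoteAddr = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

The script only handles inbound rules because Windows Defender Firewall allows outbound traffic by default; if your policy blocks outbound traffic, repeat steps 1 through 3 with `-Direction Outbound` and the NPS server's new ports as `-LocalPort`. Scoping the rules with `-RemoteAddress` follows the same per-client tightening the page recommends for perimeter firewalls later on.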

Other firewalls

In the most common configuration, the firewall is connected to the Internet and the NPS server is an intranet resource that is connected to the perimeter network.

To reach the domain controller within the intranet, the NPS server might have:

  • An interface on the perimeter network and an interface on the intranet (IP routing is not enabled between them).
  • A single interface on the perimeter network. In this configuration, NPS communicates with domain controllers through another firewall that connects the perimeter network to the intranet.

Configuring the Internet firewall

The firewall that is connected to the Internet must be configured with input and output filters on its Internet interface (and, optionally, its perimeter network interface) to allow RADIUS messages to be forwarded between the NPS server and RADIUS clients or proxies on the Internet. Additional filters can be used to allow traffic to pass to web servers, VPN servers, and other types of servers on the perimeter network.

Separate input and output packet filters can be configured on the Internet interface and on the perimeter network interface.

Configure Input Filters on the Internet Interface

Configure the following input packet filters on the Internet interface of the firewall to allow the following types of traffic:

  • Destination IP address of the perimeter network interface of the NPS server and UDP destination port 1812 (0x714). This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.
  • Destination IP address of the perimeter network interface of the NPS server and UDP destination port 1813 (0x715). This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.
  • (Optional) Destination IP address of the perimeter network interface of the NPS server and UDP destination port 1645 (0x66D). This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port used by older RADIUS clients; omit the filter if none of your clients use it.
  • (Optional) Destination IP address of the perimeter network interface of the NPS server and UDP destination port 1646 (0x66E). This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port used by older RADIUS clients; omit the filter if none of your clients use it.

Configure Output Filters on the Internet Interface

Configure the following output filters on the Internet interface of the firewall to allow the following types of traffic:

  • Source IP address of the perimeter network interface of the NPS server and UDP source port 1812 (0x714). This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.
  • Source IP address of the perimeter network interface of the NPS server and UDP source port 1813 (0x715). This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.
  • (Optional) Source IP address of the perimeter network interface of the NPS server and UDP source port 1645 (0x66D). This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port used by older RADIUS clients.
  • (Optional) Source IP address of the perimeter network interface of the NPS server and UDP source port 1646 (0x66E). This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port used by older RADIUS clients.

Configure Input Filters on the Perimeter Network Interface

Configure the following input filters on the perimeter network interface of the firewall to allow the following types of traffic (these are the NPS server's replies, so the NPS address and port appear as the source):

  • Source IP address of the perimeter network interface of the NPS server and UDP source port 1812 (0x714). This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.
  • Source IP address of the perimeter network interface of the NPS server and UDP source port 1813 (0x715). This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the default UDP port used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.
  • (Optional) Source IP address of the perimeter network interface of the NPS server and UDP source port 1645 (0x66D). This filter allows RADIUS authentication traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port used by older RADIUS clients.
  • (Optional) Source IP address of the perimeter network interface of the NPS server and UDP source port 1646 (0x66E). This filter allows RADIUS accounting traffic from the NPS server to Internet-based RADIUS clients. This is the UDP port used by older RADIUS clients.

Configure Output Filters on the Perimeter Network Interface

Configure the following output packet filters on the perimeter network interface of the firewall to allow the following types of traffic:

  • Destination IP address of the perimeter network interface of the NPS server and UDP destination port 1812 (0x714). This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port used by NPS, as defined in RFC 2865. If you are using a different port, substitute that port number for 1812.
  • Destination IP address of the perimeter network interface of the NPS server and UDP destination port 1813 (0x715). This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the default UDP port used by NPS, as defined in RFC 2866. If you are using a different port, substitute that port number for 1813.
  • (Optional) Destination IP address of the perimeter network interface of the NPS server and UDP destination port 1645 (0x66D). This filter allows RADIUS authentication traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port used by older RADIUS clients.
  • (Optional) Destination IP address of the perimeter network interface of the NPS server and UDP destination port 1646 (0x66E). This filter allows RADIUS accounting traffic from Internet-based RADIUS clients to the NPS server. This is the UDP port used by older RADIUS clients.

For added security, use the IP address of each RADIUS client that sends packets through the firewall to define the filters for traffic between that client and the IP address of the NPS server on the perimeter network, rather than allowing the RADIUS ports from any source. NPS discards requests from addresses that are not configured as RADIUS clients, but filtering at the firewall keeps those packets from reaching the server at all.

Filters on the perimeter network interface of the intranet firewall

Configure the following input packet filters on the perimeter network interface of the intranet firewall to allow the following types of traffic:

  • Source IP address of the perimeter network interface of the NPS server. This filter allows traffic from the NPS server on the perimeter network.

Configure the following output filters on the perimeter network interface of the intranet firewall to allow the following types of traffic:

  • Destination IP address of the perimeter network interface of the NPS server. This filter allows traffic to the NPS server on the perimeter network.

Filters on the intranet interface of the intranet firewall

Configure the following input filters on the intranet interface of the intranet firewall to allow the following types of traffic:

  • Destination IP address of the perimeter network interface of the NPS server. This filter allows traffic to the NPS server on the perimeter network.

Configure the following output packet filters on the intranet interface of the intranet firewall to allow the following types of traffic:

  • Source IP address of the perimeter network interface of the NPS server. This filter allows traffic from the NPS server on the perimeter network.
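As an added example, not part of the original page, the following PowerShell builds the filter tables from the two preceding sections (the four filter sets of the Internet firewall and the address-only filters of the intranet firewall) as objects, then checks constructed sample packets against them. It makes the symmetry of the Internet firewall filters explicit: a request matches on the NPS address and port as the destination, while the reply matches on the NPS address and port as the source, and a packet from an address that is not a registered RADIUS client is dropped. The NPS address, client addresses, and the sample packets are assumptions for illustration, taken from the RFC 5737 documentation ranges.

```powershell
# Added example: model the stateless filter tables described on this page and
# evaluate sample packets against them. All addresses are assumptions for
# illustration (RFC 5737 documentation ranges); ports are the page's defaults.
$npsPerimeterIp = '192.0.2.10'                       # NPS server, perimeter network interface
$radiusClients  = '203.0.113.10', '203.0.113.11'     # Internet-based RADIUS clients (per-client tightening)
$radiusPorts    = '1812', '1813', '1645', '1646'     # auth, accounting, legacy auth, legacy accounting

function New-Filter {
    # One allow entry; '*' means "any" for that field.
    param($Firewall, $Interface, $Direction, $Src, $SrcPort, $Dst, $DstPort, $Note)
    [pscustomobject]@{
        Firewall = $Firewall; Interface = $Interface; Direction = $Direction
        Src = $Src; SrcPort = $SrcPort; Dst = $Dst; DstPort = $DstPort; Note = $Note
    }
}

# Internet firewall: one entry per client and RADIUS port in each of the four filter sets.
# Requests arrive on the Internet interface and leave on the perimeter interface;
# replies arrive on the perimeter interface and leave on the Internet interface.
$filters = @(
    foreach ($client in $radiusClients) {
        foreach ($port in $radiusPorts) {
            New-Filter Internet Internet  Input  $client '*' $npsPerimeterIp $port 'request from client'
            New-Filter Internet Perimeter Output $client '*' $npsPerimeterIp $port 'request toward NPS'
            New-Filter Internet Perimeter Input  $npsPerimeterIp $port $client '*' 'reply from NPS'
            New-Filter Internet Internet  Output $npsPerimeterIp $port $client '*' 'reply toward client'
        }
    }
)

# Intranet firewall: the page filters only on the NPS server's address.
$filters += New-Filter Intranet Perimeter Input  $npsPerimeterIp '*' '*' '*' 'NPS to intranet'
$filters += New-Filter Intranet Intranet  Output $npsPerimeterIp '*' '*' '*' 'NPS to intranet'
$filters += New-Filter Intranet Intranet  Input  '*' '*' $npsPerimeterIp '*' 'intranet to NPS'
$filters += New-Filter Intranet Perimeter Output '*' '*' $npsPerimeterIp '*' 'intranet to NPS'

function Test-Packet {
    # Returns ALLOW if any filter entry for that firewall, interface and direction matches.
    param($Firewall, $Interface, $Direction, $Src, $SrcPort, $Dst, $DstPort)
    $SrcPort = "$SrcPort"; $DstPort = "$DstPort"
    $match = $filters | Where-Object {
        $_.Firewall -eq $Firewall -and $_.Interface -eq $Interface -and $_.Direction -eq $Direction -and
        ($_.Src -eq '*'     -or $_.Src -eq $Src)         -and
        ($_.SrcPort -eq '*' -or $_.SrcPort -eq $SrcPort) -and
        ($_.Dst -eq '*'     -or $_.Dst -eq $Dst)         -and
        ($_.DstPort -eq '*' -or $_.DstPort -eq $DstPort)
    }
    if ($match) { 'ALLOW' } else { 'DROP' }
}

# Constructed sample packets:
# a) Access-Request from a known client to NPS:1812, arriving on the Internet interface -> ALLOW
Test-Packet Internet Internet  Input  '203.0.113.10' 49152 $npsPerimeterIp 1812
# b) the Access-Accept/Reject: NPS source port 1812 back to the client, on the perimeter interface -> ALLOW
Test-Packet Internet Perimeter Input  $npsPerimeterIp 1812 '203.0.113.10' 49152
# c) a reply written with 1812 as the DESTINATION port would not match the output filter -> DROP
Test-Packet Internet Internet  Output $npsPerimeterIp 49152 '203.0.113.10' 1812
# d) the same request from an address that is not a registered RADIUS client -> DROP
Test-Packet Internet Internet  Input  '198.51.100.7' 49152 $npsPerimeterIp 1812
# e) NPS talking to a domain controller through the intranet firewall -> ALLOW (address-only filter)
Test-Packet Intranet Perimeter Input  $npsPerimeterIp 49153 '10.0.0.5' 88
```

Case c) is the misconfiguration this model is meant to catch: the reply leaves the NPS server with the RADIUS port as its source port, so an output filter that names 1812 as the destination port silently blocks every response. Note also that the intranet firewall entries, as the page describes them, allow any traffic to and from the NPS server's address; in practice, narrow them to the protocols NPS actually needs to reach the domain controllers.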

For more information about managing NPS, see Manage Network Policy Server.

For more information about NPS, see Network Policy Server (NPS).