Deploy Work Folders with AD FS and Web Application Proxy: Overview

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

The topics in this section provide instructions for deploying Work Folders with Active Directory Federation Services (AD FS) and Web Application Proxy. The instructions are designed to help you create a complete functioning Work Folders setup with client machines that are ready to start using Work Folders either on-premises or over the Internet.

Work Folders is a component introduced in Windows Server 2012 R2 that allows information workers to sync work files between their devices. For more information about Work Folders, see Work Folders Overview.

To enable users to sync their Work Folders across the Internet, you need to publish Work Folders through a reverse proxy, making Work Folders available externally on the Internet. Web Application Proxy, which is included in AD FS, is one option that you can use to provide reverse proxy functionality. Web Application Proxy pre-authenticates access to the Work Folders web application by using AD FS, so that users on any device can access Work Folders from outside the corporate network.

Note

The instructions covered in this section are for a Windows Server 2016 environment. If you're using Windows Server 2012 R2, follow the Windows Server 2012 R2 instructions.

These topics provide the following:

  • Step-by-step instructions for setting up and deploying Work Folders with AD FS and Web Application Proxy via the Windows Server user interface. The instructions describe how to set up a simple test environment with self-signed certificates. You can then use the test example as a guide to help you create a production environment that uses publicly trusted certificates.

Prerequisites

To follow the procedures and examples in these topics, you need to have the following components ready:

  • An Active Directory® Domain Services forest with schema extensions in Windows Server 2012 R2 to support automatic referral of PCs and devices to the correct file server when you are using multiple file servers. It is preferable that DNS be enabled in the forest, but this is not required.

  • A domain controller: A server that has the AD DS role enabled, and is configured with a domain (for the test example, contoso.com).

    A domain controller running at least Windows Server 2012 R2 is needed in order to support device registration for Workplace Join. If you don't want to use Workplace Join, you can run Windows Server 2012 on the domain controller.

  • Two servers that are joined to the domain (e.g., contoso.com) and that are running Windows Server 2016. One server will be used for AD FS, and the other will be used for Work Folders.

  • One server that is not domain joined and that is running Windows Server 2016. This server will run Web Application Proxy, and it must have one network card for the network domain (e.g., contoso.com) and another network card for the external network.

  • One domain-joined client computer that is running Windows 7 or later.

  • One non-domain-joined client computer that is running Windows 7 or later.

For the test environment that we're covering in this guide, you should have the topology that is shown in the following diagram. The computers can be physical machines or virtual machines (VMs).

The diagram shows the Internet, DMZ, and Contoso network segments.

Deployment overview

In this group of topics, you'll walk through a step-by-step example of setting up AD FS, Web Application Proxy, and Work Folders in a test environment. The components will be set up in this order:

  1. AD FS

  2. Work Folders

  3. Web Application Proxy

  4. The domain-joined workstation and non-domain-joined workstation

You will also use a Windows PowerShell Script to create self-signed certificates.

Deployment steps

To perform the deployment by using the Windows Server user interface, follow the steps in these topics:

See Also

Work Folders Overview
Designing a Work Folders Implementation
Deploying Work Folders