Secure remote access to virtual machines in Azure Active Directory Domain Services

To secure remote access to virtual machines (VMs) that run in an Azure Active Directory Domain Services (Azure AD DS) managed domain, you can use Remote Desktop Services (RDS) and Network Policy Server (NPS). Azure AD DS authenticates users as they request access through the RDS environment. For enhanced security, you can integrate Azure Multi-Factor Authentication to provide an additional authentication prompt during sign-in events. Azure Multi-Factor Authentication uses an extension for NPS to provide this feature.

Important

The recommended way to securely connect to your VMs in an Azure AD DS managed domain is using Azure Bastion, a fully platform-managed PaaS service that you provision inside your virtual network. A bastion host provides secure and seamless Remote Desktop Protocol (RDP) connectivity to your VMs directly in the Azure portal over SSL. When you connect via a bastion host, your VMs don't need a public IP address, and you don't need to use network security groups to expose access to RDP on TCP port 3389.

We strongly recommend that you use Azure Bastion in all regions where it's supported. In regions without Azure Bastion availability, follow the steps detailed in this article until Azure Bastion is available. Take care when assigning public IP addresses to VMs joined to Azure AD DS where all incoming RDP traffic is allowed.

For more information, see What is Azure Bastion?

This article shows you how to configure RDS in Azure AD DS and optionally use the Azure Multi-Factor Authentication NPS extension.

Remote Desktop Services (RDS) overview

Prerequisites

To complete this article, you need the following resources:

Deploy and configure the Remote Desktop environment

To get started, create a minimum of two Azure VMs that run Windows Server 2016 or Windows Server 2019. For redundancy and high availability of your Remote Desktop (RD) environment, you can add and load balance additional hosts later.

A suggested RDS deployment includes the following two VMs:

  • RDGVM01 - Runs the RD Connection Broker server, RD Web Access server, and RD Gateway server.
  • RDSHVM01 - Runs the RD Session Host server.

Make sure that the VMs are deployed into a workloads subnet of your Azure AD DS virtual network, then join the VMs to the managed domain. For more information, see how to create and join a Windows Server VM to a managed domain.

The RD environment deployment contains a number of steps. The existing RD deployment guide can be used in a managed domain without any specific changes:

  1. Sign in to the VMs created for the RD environment with an account that's part of the Azure AD DC Administrators group, such as contosoadmin.
  2. To create and configure RDS, use the existing Remote Desktop environment deployment guide. Distribute the RD server components across your Azure VMs as desired.
    • Specific to Azure AD DS - when you configure RD licensing, set it to Per Device mode, not Per User as noted in the deployment guide.
  3. If you want to provide access using a web browser, set up the Remote Desktop web client for your users.
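The deployment above, carried out with the RemoteDesktop PowerShell module from an elevated session on RDGVM01 (added example, not code from the Microsoft article): it places the roles on the two VMs as listed, switches licensing to Per Device as Azure AD DS requires, and verifies the mode took effect. The domain suffix and the gateway's external name are assumptions.

```powershell
# Added example, not from the article. Run as a member of "AAD DC Administrators".
Import-Module RemoteDesktop

$domain      = 'aaddscontoso.com'     # assumption: replace with your managed domain name
$broker      = "RDGVM01.$domain"      # RD Connection Broker + RD Web Access + RD Gateway
$sessionHost = "RDSHVM01.$domain"     # RD Session Host
$gatewayFqdn = "rdg.$domain"          # assumption: public name clients use for the RD Gateway

# Standard session-based deployment, as in the generic RD deployment guide.
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $broker -SessionHost $sessionHost

# Add the RD Gateway and RD Licensing roles to the broker VM.
Add-RDServer -Server $broker -Role RDS-GATEWAY -ConnectionBroker $broker -GatewayExternalFqdn $gatewayFqdn
Add-RDServer -Server $broker -Role RDS-LICENSING -ConnectionBroker $broker

# Azure AD DS specific: licensing must be Per Device, not Per User.
Set-RDLicenseConfiguration -LicenseServer $broker -Mode PerDevice -ConnectionBroker $broker -Force

# Check the configured mode before handing the environment to users.
$cfg = Get-RDLicenseConfiguration -ConnectionBroker $broker
if ($cfg.Mode -ne 'PerDevice') {
    throw "RD licensing mode is '$($cfg.Mode)'; expected PerDevice for an Azure AD DS managed domain"
}
```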

With RD deployed into the managed domain, you can manage and use the service as you would with an on-premises AD DS domain.

Next steps

For more information on improving the resiliency of your deployment, see Remote Desktop Services - High availability.

For more information about securing user sign-in, see How it works: Azure Multi-Factor Authentication.