Enable or disable a firewall rule on an Azure VM Guest OS

This article provides a reference for troubleshooting a situation in which you suspect that the guest operating system firewall is filtering part of the traffic on a virtual machine (VM). This could be useful for the following reasons:

  • If a change was deliberately made to the firewall that caused RDP connections to fail, using the Custom Script Extension feature can resolve the issue.

  • Disabling all firewall profiles is a more foolproof way of troubleshooting than setting the RDP-specific firewall rule.

Solution

How you configure the firewall rules depends on the level of access to the VM that's required. The following examples use RDP rules. However, the same methods can be applied to any other kind of traffic by pointing to the correct registry key.

Online troubleshooting

Mitigation 1: Custom Script Extension

  1. Create your script by using the following template.

    • To enable a rule:

      netsh advfirewall firewall set rule dir=in name="Remote Desktop - User Mode (TCP-In)" new enable=yes

    • To disable a rule:

      netsh advfirewall firewall set rule dir=in name="Remote Desktop - User Mode (TCP-In)" new enable=no

  2. Upload this script in the Azure portal by using the Custom Script Extension feature.
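The following PowerShell script is an added example (not the article's own template) of what a Custom Script Extension payload for this mitigation can look like: it re-enables the built-in RDP rule and logs the rule and profile state before and after, so the change is verifiable from the log. It assumes Windows Server 2012 or later (NetSecurity cmdlets) and the rule's internal name RemoteDesktop-UserMode-In-TCP, which is the registry value name shown in Mitigation 3.

```powershell
# Added example (not the article's template): a Custom Script Extension script
# that re-enables the built-in RDP rule and logs the before/after state so the
# change is auditable. Assumes Windows Server 2012+ (NetSecurity cmdlets) and the
# rule's internal name RemoteDesktop-UserMode-In-TCP shown in Mitigation 3.
$ruleName = 'RemoteDesktop-UserMode-In-TCP'
$log      = Join-Path $env:SystemRoot 'Temp\rdp-firewall-fix.log'

function Write-Log([string]$Message) {
    "[{0}] {1}" -f (Get-Date -Format o), $Message | Out-File -FilePath $log -Append
}

function Get-RuleState {
    $r = Get-NetFirewallRule -Name $ruleName -ErrorAction Stop
    $p = $r | Get-NetFirewallPortFilter
    "{0}: Enabled={1} Action={2} Profile={3} LocalPort={4}" -f `
        $r.DisplayName, $r.Enabled, $r.Action, $r.Profile, $p.LocalPort
}

Write-Log "before: $(Get-RuleState)"
# Same effect as the netsh 'new enable=yes' line in the template above,
# but addressed by the rule's internal name rather than its display name.
Enable-NetFirewallRule -Name $ruleName
Write-Log "after:  $(Get-RuleState)"

# An enabled rule can still be overridden by the profile settings (the second
# bullet at the top of the article is about exactly this), so record those too.
foreach ($prof in Get-NetFirewallProfile) {
    Write-Log ("profile {0}: Enabled={1} DefaultInboundAction={2}" -f `
        $prof.Name, $prof.Enabled, $prof.DefaultInboundAction)
}
```

The log lands in %SystemRoot%\Temp on the target VM; the extension's own output is also available under the extension status in the Azure portal.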

Mitigation 2: PSTools commands

If the VM is online and can be accessed from another VM on the same virtual network, you can apply the following mitigations by using that other VM.

  1. On the troubleshooting VM, download PSTools.

  2. Open a CMD instance, and access the VM through its internal IP (DIP).

    • To enable a rule:

      psexec \\<DIP> -u <username> cmd
      netsh advfirewall firewall set rule dir=in name="Remote Desktop - User Mode (TCP-In)" new enable=yes

    • To disable a rule:

      psexec \\<DIP> -u <username> cmd
      netsh advfirewall firewall set rule dir=in name="Remote Desktop - User Mode (TCP-In)" new enable=no
      

Mitigation 3: Remote Registry

If the VM is online and can be accessed from another VM on the same virtual network, you can use Remote Registry on the other VM.

  1. On the troubleshooting VM, start Registry Editor (regedit.exe), and then select File > Connect Network Registry.

  2. Open the TARGET MACHINE\SYSTEM branch, and then specify the following values:

    • To enable a rule, open the following registry value:

      TARGET MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\RemoteDesktop-UserMode-In-TCP

      Then, change Active=FALSE to Active=TRUE in the string:

      v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=\@FirewallAPI.dll,-28775|Desc=\@FirewallAPI.dll,-28756|EmbedCtxt=\@FirewallAPI.dll,-28752|

    • To disable a rule, open the following registry value:

      TARGET MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\RemoteDesktop-UserMode-In-TCP

      Then, change Active=TRUE to Active=FALSE in the string:

      v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=\@FirewallAPI.dll,-28775|Desc=\@FirewallAPI.dll,-28756|EmbedCtxt=\@FirewallAPI.dll,-28752|

  3. Restart the VM to apply the changes.

Offline troubleshooting

If you cannot access the VM by any method, the Custom Script Extension will fail, and you will have to work in OFFLINE mode by working directly on the system disk.

Before you follow these steps, take a snapshot of the system disk of the affected VM as a backup. For more information, see Snapshot a disk.

  1. Attach the system disk to a recovery VM.

  2. Start a Remote Desktop connection to the recovery VM.

  3. Make sure that the disk is flagged as Online in the Disk Management console. Note the drive letter that is assigned to the attached system disk.

  4. Before you make any changes, create a copy of the \windows\system32\config folder in case a rollback of the changes is necessary.

  5. On the troubleshooting VM, start Registry Editor (regedit.exe).

  6. Highlight the HKEY_LOCAL_MACHINE key, and then select File > Load Hive from the menu.

  7. Locate and then open the \windows\system32\config\SYSTEM file.

    Note

    You are prompted for a name. Enter BROKENSYSTEM, and then expand HKEY_LOCAL_MACHINE. You will now see an additional key that's named BROKENSYSTEM. For this troubleshooting, we are mounting these problem hives as BROKENSYSTEM.

  8. Make the following changes on the BROKENSYSTEM branch:

    1. Check which ControlSet registry key the VM is starting from. You will see its key number in HKLM\BROKENSYSTEM\Select\Current.

    2. To enable a rule, open the following registry value:

      HKLM\BROKENSYSTEM\ControlSet00X\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\RemoteDesktop-UserMode-In-TCP

      Then, change Active=FALSE to Active=TRUE:

      v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=\@FirewallAPI.dll,-28775|Desc=\@FirewallAPI.dll,-28756|EmbedCtxt=\@FirewallAPI.dll,-28752|

    3. To disable a rule, open the following registry value:

      HKLM\BROKENSYSTEM\ControlSet00X\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\RemoteDesktop-UserMode-In-TCP

      Then, change Active=TRUE to Active=FALSE:

      v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|Profile=Public|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|Name=\@FirewallAPI.dll,-28775|Desc=\@FirewallAPI.dll,-28756|EmbedCtxt=\@FirewallAPI.dll,-28752|

  9. Highlight BROKENSYSTEM, and then select File > Unload Hive from the menu.

  10. Detach the system disk and re-create the VM.

  11. Check whether the issue is resolved.
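The following PowerShell script is an added example (not part of the original article) that automates steps 7 through 9 of the offline procedure on the recovery VM: it loads the attached disk's SYSTEM hive as BROKENSYSTEM, reads Select\Current to pick the right ControlSet00X, rewrites only the Active= field of the pipe-delimited rule string, and unloads the hive. The same Active= rewrite is what Mitigation 3 does by hand on the remote registry value. It assumes the attached system disk received drive letter F: and that the script runs elevated; the -Active and -DriveLetter parameters are the script's own.

```powershell
# Added example (not from the original article): toggle the RDP firewall rule
# in an OFFLINE SYSTEM hive from the attached system disk. Assumes the disk got
# drive letter F: and that this runs elevated on the recovery VM. Take the disk
# snapshot and the \windows\system32\config copy described above first.
param(
    [string]$DriveLetter = 'F',
    [ValidateSet('TRUE','FALSE')][string]$Active = 'TRUE',
    [string]$RuleName = 'RemoteDesktop-UserMode-In-TCP'
)

$hiveName = 'BROKENSYSTEM'
$hiveFile = "${DriveLetter}:\Windows\System32\Config\SYSTEM"
if (-not (Test-Path $hiveFile)) { throw "Hive not found: $hiveFile" }

# Step 7: same as regedit File > Load Hive, named BROKENSYSTEM.
& reg.exe load "HKLM\$hiveName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE); is the hive in use?" }

try {
    # Step 8.1: the VM boots from ControlSet00X where X = Select\Current.
    $current = (Get-ItemProperty "HKLM:\$hiveName\Select").Current
    $rulesKey = "HKLM:\$hiveName\ControlSet{0:D3}\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" -f $current

    # Step 8.2 / 8.3: change only the Active= field; every other field
    # (Protocol=6, LPort=3389, Svc=termservice, ...) is left untouched.
    $old = (Get-ItemProperty -Path $rulesKey -Name $RuleName).$RuleName
    $new = $old -replace '(?i)\|Active=(TRUE|FALSE)\|', "|Active=$Active|"

    if ($new -eq $old) {
        Write-Host "Rule '$RuleName' already has Active=$Active; no change made."
    } else {
        Set-ItemProperty -Path $rulesKey -Name $RuleName -Value $new
        Write-Host "ControlSet{0:D3}\...\$RuleName updated:`n  was: $old`n  now: $new" -f $current
    }
}
finally {
    # Step 9: release PowerShell's handle on the key, then unload the hive so
    # the disk can be detached cleanly.
    [GC]::Collect()
    & reg.exe unload "HKLM\$hiveName" | Out-Null
}
```

After the script finishes, continue with step 10 (detach the disk and re-create the VM).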