Azure VM Guest OS firewall is blocking inbound traffic

This article discusses how to fix the Remote Desktop Protocol (RDP) connection issue that occurs if the guest operating system firewall blocks inbound traffic.

Symptoms

You cannot use an RDP connection to connect to an Azure virtual machine (VM). From Boot diagnostics -> Screenshot, you can see that the operating system is fully loaded at the Welcome screen (Ctrl+Alt+Del).

Cause

Cause 1

The RDP rule is not set up to allow the RDP traffic.

Cause 2

The guest system firewall profiles are set up to block all inbound connections, including the RDP traffic.

Screenshot: Firewall settings

Solution

Before you follow these steps, take a snapshot of the system disk of the affected VM as a backup. For more information, see Snapshot a disk.

To fix the issue, use one of the methods in How to use remote tools to troubleshoot Azure VM issues to connect to the VM remotely, and then edit the guest operating system firewall rules to Allow RDP traffic.

Offline Mitigations

  1. Attach the system disk to a recovery VM.

  2. Start a Remote Desktop connection to the recovery VM.

  3. Make sure that the disk is flagged as Online in the Disk Management console. Note the drive letter that is assigned to the attached system disk.

Mitigation 1

See How to Enable-Disable a Firewall rule on a Guest OS.

Mitigation 2

  1. Attach the system disk to a recovery VM.

  2. Start a Remote Desktop connection to the recovery VM.

  3. After the system disk is attached to the recovery VM, make sure that the disk is flagged as Online in the Disk Management console. Note the drive letter that is assigned to the attached OS disk.

  4. Open an elevated CMD instance, and then run the following script (replace f: with the drive letter noted in step 3):

    REM f: is the drive letter of the attached system disk (see step 3); adjust it if yours differs
    REM Back up the registry hives before making any change
    robocopy f:\windows\system32\config f:\windows\system32\config.BACK /MT
    
    REM Mount the offline SYSTEM hive as HKLM\BROKENSYSTEM
    reg load HKLM\BROKENSYSTEM f:\windows\system32\config\SYSTEM
    
    REM Delete the DoNotAllowExceptions value ("block all inbound connections") from every
    REM firewall profile in both control sets
    REG DELETE "HKLM\BROKENSYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v DoNotAllowExceptions
    REG DELETE "HKLM\BROKENSYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v DoNotAllowExceptions
    REG DELETE "HKLM\BROKENSYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v DoNotAllowExceptions
    REG DELETE "HKLM\BROKENSYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v DoNotAllowExceptions
    REG DELETE "HKLM\BROKENSYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v DoNotAllowExceptions
    REG DELETE "HKLM\BROKENSYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v DoNotAllowExceptions
    
    REM Unmount the hive before detaching the disk
    reg unload HKLM\BROKENSYSTEM
    
  5. Detach the system disk and re-create the VM.

  6. Check whether the issue is resolved.
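As an added example (not code from the article), the following PowerShell script performs the same offline hive edit as the CMD script in step 4, but first reports which profiles actually carry DoNotAllowExceptions, walks every ControlSetNNN key present in the hive rather than only 001 and 002, and removes values only when run with -Remove. It assumes the drive letter noted in step 3 is passed as -DriveLetter and that the shell is elevated on the recovery VM; the hive name BROKENSYSTEM and the value names follow the article's script.

```powershell
# Added example, not from the original article: audit (and optionally clear) the
# "block all inbound connections" setting in an OFFLINE SYSTEM hive.
# Assumes: OS disk attached and Online on the recovery VM, -DriveLetter is the letter
# noted in step 3, shell is elevated. Hive name and value names follow the CMD script.
param(
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter,
    [switch]$Remove   # without -Remove the script only reports; nothing is changed
)

$config = "${DriveLetter}:\Windows\System32\config"
$hive   = 'BROKENSYSTEM'

# Back up the config directory before touching anything (same step as the article).
robocopy $config "${config}.BACK" /MT | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Mount the offline SYSTEM hive under HKLM\BROKENSYSTEM.
reg.exe load "HKLM\$hive" "$config\SYSTEM" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Walk every ControlSetNNN present (not only 001/002) and every firewall profile.
    $controlSets = Get-ChildItem "HKLM:\$hive" | Where-Object Name -Match 'ControlSet\d{3}$'
    foreach ($cs in $controlSets) {
        foreach ($fwProfile in 'DomainProfile', 'PublicProfile', 'StandardProfile') {
            $key = Join-Path $cs.PSPath "services\SharedAccess\Parameters\FirewallPolicy\$fwProfile"
            if (-not (Test-Path $key)) { continue }
            $val = (Get-ItemProperty -Path $key).DoNotAllowExceptions
            if ($null -eq $val) { continue }   # value absent: exceptions are allowed here
            "{0}\{1}: DoNotAllowExceptions = {2}" -f $cs.PSChildName, $fwProfile, $val
            if ($Remove) {
                Remove-ItemProperty -Path $key -Name DoNotAllowExceptions
                "  removed"
            }
        }
    }
}
finally {
    # Drop PowerShell's open handles to the hive, otherwise 'reg unload' reports access denied;
    # never detach the disk with the hive still loaded.
    [gc]::Collect()
    reg.exe unload "HKLM\$hive" | Out-Null
}
```

Run it once without -Remove to confirm the setting is really the cause before changing the hive; a profile that is not listed does not carry the value.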