使用证书身份验证(经典)配置点到站点连接Configure a Point-to-Site connection by using certificate authentication (classic)


本文为经典部署模型而写。This article is written for the classic deployment model. 如果不熟悉 Azure,建议改用资源管理器部署模型。If you're new to Azure, we recommend that you use the Resource Manager deployment model instead. 资源管理器部署模型是最新的部署模型,提供比经典部署模型更多的选项和更强的功能兼容性。The Resource Manager deployment model is the most current deployment model and offers more options and feature compatibility than the classic deployment model. 有关部署模型的详细信息,请参阅了解部署模型For more information about the deployment models, see Understanding deployment models.

若要查看本文的资源管理器版本,请从下面的下拉列表或左侧的目录中将其选中。For the Resource Manager version of this article, select it from the drop-down list below, or from the table of contents on the left.

本文介绍如何创建具有点到站点连接的 VNet。This article shows you how to create a VNet with a Point-to-Site connection. 使用 Azure 门户创建具有经典部署模型的 Vnet。You create this Vnet with the classic deployment model by using the Azure portal. 此配置使用证书(不管是自签名的还是 CA 颁发的)来验证正在进行连接的客户端。This configuration uses certificates to authenticate the connecting client, either self-signed or CA issued. 还可以使用以下文章中描述的选项,通过不同的部署工具或模型创建此配置:You can also create this configuration with a different deployment tool or model by using options that are described in the following articles:

使用点到站点链接 (P2S) VPN 网关创建从单个客户端计算机到虚拟网络的安全连接。You use a Point-to-Site (P2S) VPN gateway to create a secure connection to your virtual network from an individual client computer. 要从远程位置连接到 VNet,可使用点到站点 VPN 连接。Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location. 如果只有一些客户端需要连接到 VNet,则可使用 P2S VPN 这种解决方案来代替站点到站点 VPN。When you have only a few clients that need to connect to a VNet, a P2S VPN is a useful solution to use instead of a Site-to-Site VPN. 可通过从客户端计算机启动连接来建立 P2S VPN 连接。A P2S VPN connection is established by starting it from the client computer.


经典部署模型仅支持 Windows VPN 客户端,并使用安全套接字隧道协议 (SSTP),一种基于 SSL 的 VPN 协议。The classic deployment model supports Windows VPN clients only and uses the Secure Socket Tunneling Protocol (SSTP), an SSL-based VPN protocol. 为了支持非 Windows VPN 客户端,必须使用资源管理器部署模型创建 VNet。To support non-Windows VPN clients, you must create your VNet with the Resource Manager deployment model. 除了 SSTP,资源管理器部署模型还支持 IKEv2 VPN。The Resource Manager deployment model supports IKEv2 VPN in addition to SSTP. 有关详细信息,请参阅关于 P2S 连接For more information, see About P2S connections.



点到站点证书身份验证连接需要以下先决条件:Point-to-Site certificate authentication connections require the following prerequisites:

  • 动态 VPN 网关。A Dynamic VPN gateway.
  • 适用于根证书的公钥(.cer 文件),已上传到 Azure。The public key (.cer file) for a root certificate, which is uploaded to Azure. 此公钥被视为可信证书,用于身份验证。This key is considered a trusted certificate and is used for authentication.
  • 从根证书生成的客户端证书,安装在每个要连接的客户端计算机上。A client certificate generated from the root certificate, and installed on each client computer that will connect. 此证书用于客户端身份验证。This certificate is used for client authentication.
  • 必须生成 VPN 客户端配置包,并将其安装在每个连接的客户端计算机上。A VPN client configuration package must be generated and installed on every client computer that connects. 客户端配置包配置本机 VPN 客户端,该客户端已经位于操作系统中,且具有连接到 VNet 所需的信息。The client configuration package configures the native VPN client that's already on the operating system with the necessary information to connect to the VNet.

点到站点连接不需要 VPN 设备或面向公众的本地 IP 地址。Point-to-Site connections don't require a VPN device or an on-premises public-facing IP address. VPN 连接基于 SSTP(安全套接字隧道协议)创建。The VPN connection is created over SSTP (Secure Socket Tunneling Protocol). 在服务器端,我们支持 SSTP 1.0、1.1 和 1.2 版。On the server side, we support SSTP versions 1.0, 1.1, and 1.2. 客户端决定要使用的版本。The client decides which version to use. 对于 Windows 8.1 及更高版本,SSTP 默认使用 1.2。For Windows 8.1 and above, SSTP uses 1.2 by default.

有关点到站点连接的详细信息,请参阅点到站点常见问题解答For more information about Point-to-Site connections, see Point-to-Site FAQ.

示例设置Example settings

使用以下值创建测试环境,或参考这些值以更好地理解本文中的示例:Use the following values to create a test environment, or refer to these values to better understand the examples in this article:

  • 创建虚拟网络(经典)设置Create virtual network (classic) settings

    • 名称:输入 VNetName: Enter VNet.

    • 地址空间:输入 。Address space: Enter 对于此示例,我们只使用一个地址空间。For this example, we use only one address space. 可以在 VNet 中使用多个地址空间,如图所示。You can have more than one address space for your VNet, as shown in the diagram.

    • 子网名称:输入 FrontEndSubnet name: Enter FrontEnd.

    • 子网地址范围:输入 。Subnet address range: Enter

    • 订阅:从可用订阅列表中选择订阅。Subscription: Select a subscription from the list of available subscriptions.

    • 资源组:输入 TestRG 。Resource group: Enter TestRG. 如果资源组不存在,选择“新建” 。Select Create new, if the resource group doesn't exist.

    • 位置:从列表中选择“中国北部” 。Location: Select China North from the list.

    • VPN 连接设置VPN connection settings

      • 连接类型:选择“点到站点” 。Connection type: Select Point-to-site.
      • 客户端地址空间:输入 。Client Address Space: Enter 使用此点到站点连接连接到 VNet 的 VPN 客户端接收来自指定池的 IP 地址。VPN clients that connect to the VNet by using this Point-to-Site connection receive an IP address from the specified pool.
  • 网关配置子网设置Gateway configuration subnet settings

    • 名称:自动填满 GatewaySubnet 。Name: Autofilled with GatewaySubnet.
    • 地址范围:输入 。Address range: Enter
  • 网关配置设置Gateway configuration settings:

    • 大小:选择要使用的网关 SKU。Size: Select the gateway SKU that you want to use.
    • 路由类型:选择“动态” 。Routing Type: Select Dynamic.

创建虚拟网络和 VPN 网关Create a virtual network and a VPN gateway

开始之前,请确保拥有 Azure 订阅。Before you begin, verify that you have an Azure subscription. 如果还没有 Azure 订阅,可以注册一个试用帐户If you don't already have an Azure subscription, you can sign up for a trial account.

第 1 部分:创建虚拟网络Part 1: Create a virtual network

如果还没有虚拟网络 (VNet),请创建一个。If you don't already have a virtual network (VNet), create one. 这些屏幕截图仅供参考。Screenshots are provided as examples. 请务必替换成自己的值。Be sure to replace the values with your own. 若要使用 Azure 门户创建 VNet,请执行以下步骤:To create a VNet by using the Azure portal, use the following steps:

  1. Azure 门户菜单或“主页”页上,选择“创建资源” 。On the Azure portal menu or from the Home page, select Create a resource. 此时会打开一个“新建”页面 。The New page opens.

  2. 在“搜索市场”字段中,输入“虚拟网络”,然后从返回的列表中选择“虚拟网络” 。In the Search the marketplace field, enter virtual network and select Virtual network from the returned list. 此时会打开“虚拟网络”页 。The Virtual network page opens.

  3. 从“选择部署模型”列表,选择“经典”,然后选择“创建” 。From the Select a deployment model list, select Classic, and then select Create. 此时会打开“创建虚拟网络”页 。The Create virtual network page opens.

  4. 在“创建虚拟网络” 页上,配置 VNet 设置。On the Create virtual network page, configure the VNet settings. 在此页上,添加第一个地址空间和单个子网地址范围。On this page, you add your first address space and a single subnet address range. 完成创建 VNet 之后,可以返回并添加其他子网和地址空间。After you finish creating the VNet, you can go back and add additional subnets and address spaces.


  5. 从下拉列表中选择要使用的“订阅” 。Select the Subscription you want to use from the drop-down list.

  6. 选择现有“资源组” 。Select an existing Resource Group. 或者,通过选择“新建”并输入名称,创建新的资源组 。Or, create a new resource group by selecting Create new and entering a name. 如果要创建新资源组,请根据计划的配置值来命名资源组。If you're creating a new resource group, name the resource group according to your planned configuration values. 有关资源组的详细信息,请参阅 Azure 资源管理器概述For more information about resource groups, see Azure Resource Manager overview.

  7. 为 VNet 选择“位置” 。Select a Location for your VNet. 此设置确定部署到此 VNet 的资源的地理位置。This setting determines the geographical location of the resources that you deploy to this VNet.

  8. 选择“创建”来创建该 VNet 。Select Create to create the VNet. 从“通知”页,将看到“正在部署”消息 。From the Notifications page, you'll see a Deployment in progress message.

  9. 创建虚拟网络后,“通知”页上的该消息更改为“部署成功” 。After your virtual network has been created, the message on the Notifications page changes to Deployment succeeded. 如果希望能够在仪表板上轻松查找 VNet,请选择“固定到仪表板” 。Select Pin to dashboard if you want to easily find your VNet on the dashboard.

  10. 添加 DNS 服务器(可选)。Add a DNS server (optional). 创建虚拟网络后,可以添加 DNS 服务器的 IP 地址进行名称解析。After you create your virtual network, you can add the IP address of a DNS server for name resolution. 指定的 DNS 服务器 IP 地址应该是可以解析 VNet 中资源名称的 DNS 服务器的地址。The DNS server IP address that you specify should be the address of a DNS server that can resolve the names for the resources in your VNet.

    要添加 DNS 服务器,请从 VNet 页选择“DNS 服务器” 。To add a DNS server, select DNS servers from your VNet page. 然后,输入要用的 DNS 服务器的 IP 地址并选择“保存” 。Then, enter the IP address of the DNS server that you want to use and select Save.

第 2 部分:创建网关子网和动态路由网关Part 2: Create a gateway subnet and a dynamic routing gateway

本步骤创建网关子网和动态路由网关。In this step, you create a gateway subnet and a dynamic routing gateway. 在经典部署模型的 Azure 门户中,通过相同的配置页创建网关子网和网关。In the Azure portal for the classic deployment model, you create the gateway subnet and the gateway through the same configuration pages. 网关子网仅用于网关服务。Use the gateway subnet for the gateway services only. 切勿将任何资源(例如 VM 或任何其他服务)直接部署到网关子网。Never deploy anything directly to the gateway subnet (such as VMs or other services).

  1. 在 Azure 门户中,转到要为其创建网关的虚拟网络。In the Azure portal, go to the virtual network for which you want to create a gateway.

  2. 在虚拟网络页上,选择“概览”,在“VPN 连接”部分,选择“网关” 。On the page for your virtual network, select Overview, and in the VPN connections section, select Gateway.


  3. 在“新建 VPN 连接” 页中,选择“点到站点” 。On the New VPN Connection page, select Point-to-site.


  4. 对于“客户端地址空间”,添加 IP 地址范围,VPN 客户端连接时接收此范围中的 IP 地址 。For Client Address Space, add the IP address range from which the VPN clients receive an IP address when connecting. 使用专用 IP 地址范围时,该范围不得与要通过其进行连接的本地位置重叠,也不得与连接到其中的 VNet 重叠。Use a private IP address range that doesn't overlap with the on-premises location that you connect from, or with the VNet that you connect to. 可以用要使用的专用 IP 地址范围覆盖自动填充的范围。You can overwrite the autofilled range with the private IP address range that you want to use. 本示例演示自动填充的范围。This example shows the autofilled range.


  5. 选择“立即创建网关”,然后选择“可选网关配置”打开“网关配置”页 。Select Create gateway immediately, and then select Optional gateway configuration to open the Gateway configuration page.


  6. 从“网关配置”页,选择“子网”,添加网关子网 。From the Gateway configuration page, select Subnet to add the gateway subnet. 可以创建最小可为 /29 的网关子网。It's possible to create a gateway subnet as small as /29. 但建议至少选择 /28 或 /27,创建包含更多地址的更大子网。However, we recommend that you create a larger subnet that includes more addresses by selecting at least /28 or /27. 这样便可以留出足够多的地址,满足将来可能需要使用的其他配置。Doing so will allow for enough addresses to accommodate possible additional configurations that you may want in the future. 处理网关子网时,请避免将网络安全组 (NSG) 关联到网关子网。When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. 将网络安全组与此子网关联可能会导致 VPN 网关不再按预期方式工作。Associating a network security group to this subnet may cause your VPN gateway to not function as expected. 选择“确定”以保存此设置 。Select OK to save this setting.


  7. 选择网关“大小” 。Select the gateway Size. 大小为虚拟网关的网关 SKU。The size is the gateway SKU for your virtual network gateway. 在 Azure 门户中,默认 SKU 为“默认” 。In the Azure portal, the default SKU is Default. 有关网关 SKU 的详细信息,请参阅关于 VPN 网关设置For more information about gateway SKUs, see About VPN gateway settings.


  8. 选择网关的“路由类型” 。Select the Routing Type for your gateway. P2S 配置需要“动态” 路由类型。P2S configurations require a Dynamic routing type. 在此页中完成配置后,请选择“确定” 。Select OK when you've finished configuring this page.


  9. 在“新建 VPN 连接”页中,选择该页底部的“确定”开始创建虚拟网关 。On the New VPN Connection page, select OK at the bottom of the page to begin creating your virtual network gateway. VPN 网关可能需要长达 45 分钟的时间才能完成,具体取决于所选网关 SKU。A VPN gateway can take up to 45 minutes to complete, depending on the gateway SKU that you select.

创建证书Create certificates

Azure 使用证书对点到站点 VPN 的 VPN 客户端进行身份验证。Azure uses certificates to authenticate VPN clients for Point-to-Site VPNs. 将根证书的公钥信息上传到 Azure,You upload the public key information of the root certificate to Azure. 然后即可将该公钥视为“可信”公钥 。The public key is then considered trusted. 必须根据可信根证书生成客户端证书,并将其安装在每个客户端计算机的 Certificates-Current User\Personal\Certificates 证书存储中。Client certificates must be generated from the trusted root certificate, and then installed on each client computer in the Certificates-Current User\Personal\Certificates certificate store. 客户端连接到 VNet 时,使用证书进行身份验证。The certificate is used to authenticate the client when it connects to the VNet.

如果使用自签名证书,这些证书必须使用特定的参数创建。If you use self-signed certificates, they must be created by using specific parameters. 可以按照 PowerShell 和 Windows 10MakeCert 的说明,创建自签名证书。You can create a self-signed certificate by using the instructions for PowerShell and Windows 10, or MakeCert. 在使用自签名根证书以及从自签名根证书生成客户端证书时,必须按这些说明中的步骤操作,这一点很重要。It's important to follow the steps in these instructions when you use self-signed root certificates and generate client certificates from the self-signed root certificate. 否则,创建的证书将与 P2S 连接不兼容,你将收到“连接错误”。Otherwise, the certificates you create won't be compatible with P2S connections and you'll receive a connection error.

获取根证书的公钥 (.cer)Acquire the public key (.cer) for the root certificate

使用通过企业解决方案生成的根证书(推荐),或者生成自签名证书。Use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. 创建根证书后,将公共证书数据(不是私钥)作为 Base64 编码的 X.509 .cer 文件导出。After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. 然后,将公共证书数据上传到 Azure 服务器。Then, upload the public certificate data to the Azure server.

  • 企业证书: 如果使用的是企业级解决方案,可以使用现有的证书链。Enterprise certificate: If you're using an enterprise solution, you can use your existing certificate chain. 获取要使用的根证书的 .cer 文件。Acquire the .cer file for the root certificate that you want to use.

  • 自签名根证书: 如果使用的不是企业证书解决方案,请创建自签名根证书。Self-signed root certificate: If you aren't using an enterprise certificate solution, create a self-signed root certificate. 否则,创建的证书将不兼容 P2S 连接,客户端在尝试连接时会收到连接错误。Otherwise, the certificates you create won't be compatible with your P2S connections and clients will receive a connection error when they try to connect. 可以使用 Azure PowerShell、MakeCert 或 OpenSSL。You can use Azure PowerShell, MakeCert, or OpenSSL. 以下文章中的步骤介绍了如何生成兼容的自签名根证书:The steps in the following articles describe how to generate a compatible self-signed root certificate:

    • Windows 10 PowerShell 说明:这些说明要求使用 Windows 10 和 PowerShell 来生成证书。Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. 从根证书生成的客户端证书可以安装在任何受支持的 P2S 客户端上。Client certificates that are generated from the root certificate can be installed on any supported P2S client.
    • MakeCert 说明:使用 MakeCert 的前提是,无法接触用于生成证书的 Windows 10 计算机。MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to generate certificates. 虽然 MakeCert 已弃用,但仍可使用它来生成证书。Although MakeCert is deprecated, you can still use it to generate certificates. 从根证书生成的客户端证书可以安装在任何受支持的 P2S 客户端上。Client certificates that you generate from the root certificate can be installed on any supported P2S client.
    • Linux 说明Linux instructions

生成客户端证书Generate a client certificate

在使用点到站点连接连接到 VNet 的每台客户端计算机上,必须安装客户端证书。Each client computer that you connect to a VNet with a Point-to-Site connection must have a client certificate installed. 请从根证书生成它,然后将它安装在每个客户端计算机上。You generate it from the root certificate and install it on each client computer. 如果未安装有效的客户端证书,则当客户端尝试连接到 VNet 时,身份验证会失败。If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.

可以为每个客户端生成唯一证书,也可以对多个客户端使用同一证书。You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. 生成唯一客户端证书的优势是能够吊销单个证书。The advantage to generating unique client certificates is the ability to revoke a single certificate. 否则,如果多个客户端使用相同的客户端证书进行身份验证而你将其撤销,则需为所有使用该证书的客户端生成并安装新证书。Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client that uses that certificate.

可以通过以下方法生成客户端证书:You can generate client certificates by using the following methods:

  • 企业证书:Enterprise certificate:

    • 如果使用的是企业证书解决方案,请使用通用名称值格式“name@yourdomain.com” 生成客户端证书,If you're using an enterprise certificate solution, generate a client certificate with the common name value format name@yourdomain.com. 而不要使用“域名\用户名”格式。 Use this format instead of the domain name\username format.
    • 请确保客户端证书基于“用户”证书模板,该模板将“客户端身份验证”列为用户列表中的第一项。 Make sure the client certificate is based on a user certificate template that has Client Authentication listed as the first item in the user list. 检查证书的方式是:双击证书,然后在“详细信息”选项卡中查看“增强型密钥用法” 。Check the certificate by double-clicking it and viewing Enhanced Key Usage in the Details tab.
  • 自签名根证书: 按照下述某篇 P2S 证书文章中的步骤操作,使创建的客户端证书兼容 P2S 连接。Self-signed root certificate: Follow the steps in one of the following P2S certificate articles so that the client certificates you create will be compatible with your P2S connections. 这些文章中的步骤可生成兼容的客户端证书:The steps in these articles generate a compatible client certificate:

    • Windows 10 PowerShell 说明:这些说明要求使用 Windows 10 和 PowerShell 来生成证书。Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. 生成的证书可以安装在任何受支持的 P2S 客户端上。The generated certificates can be installed on any supported P2S client.
    • MakeCert 说明:如果无权访问 Windows 10 计算机来生成证书,请使用 MakeCert。MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer for generating certificates. 虽然 MakeCert 已弃用,但仍可使用它来生成证书。Although MakeCert is deprecated, you can still use it to generate certificates. 可以将生成的证书安装在任何受支持的 P2S 客户端上。You can install the generated certificates on any supported P2S client.
    • Linux 说明Linux instructions

    从自签名根证书生成客户端证书时,该证书会自动安装在用于生成该证书的计算机上。When you generate a client certificate from a self-signed root certificate, it's automatically installed on the computer that you used to generate it. 如果想要在另一台客户端计算机上安装客户端证书,请以 .pfx 文件格式导出该证书以及整个证书链。If you want to install a client certificate on another client computer, export it as a .pfx file, along with the entire certificate chain. 这样做会创建一个 .pfx 文件,其中包含的根证书信息是客户端进行身份验证所必需的。Doing so will create a .pfx file that contains the root certificate information required for the client to authenticate.

导出证书To export the certificate

如需导出证书的步骤,请参阅使用 PowerShell 为点到站点连接生成和导出证书For steps to export a certificate, see Generate and export certificates for Point-to-Site using PowerShell.

上传根证书 .cer 文件Upload the root certificate .cer file

创建网关之后,将可信根证书的 .cer 文件(包含公钥信息)上传到 Azure 服务器。After the gateway has been created, upload the .cer file (which contains the public key information) for a trusted root certificate to the Azure server. 请勿上传根证书私钥。Don't upload the private key for the root certificate. 上传证书后,Azure 使用该证书对已安装客户端证书(根据可信根证书生成)的客户端进行身份验证。After you upload the certificate, Azure uses it to authenticate clients that have installed a client certificate generated from the trusted root certificate. 之后可根据需要上传更多可信根证书文件(最多 20 个)。You can later upload additional trusted root certificate files (up to 20), if needed.

  1. 在 VNet 页的“VPN 连接”部分,选择客户端图形,打开“点到站点 VPN 连接”页 。On the VPN connections section of the page for your VNet, select the clients graphic to open the Point-to-site VPN connection page.


  2. 在“点到站点 VPN 连接”页中,选择“管理证书”,打开“证书”页 。On the Point-to-site VPN connection page, select Manage certificate to open the Certificates page.


  3. 在“证书”页中,选择“上传”,打开“上传证书”页 。On the Certificates page, select Upload to open the Upload certificate page.


  4. 选择文件夹图形浏览 .cer 文件。Select the folder graphic to browse for the .cer file. 选择该文件,然后选择“确定” 。Select the file, then select OK. 上传的证书显示在“证书”页 。The uploaded certificate appears on the Certificates page.


配置客户端Configure the client

要通过点到站点 VPN 连接到 VNet,每个客户端都必须安装一个用于配置本机 Windows VPN 客户端的包。To connect to a VNet by using a Point-to-Site VPN, each client must install a package to configure the native Windows VPN client. 配置包使用连接到虚拟网络所需的设置配置本机 Windows VPN 客户端。The configuration package configures the native Windows VPN client with the settings necessary to connect to the virtual network.

只要版本与客户端的体系结构匹配,就可以在每台客户端计算机上使用相同的 VPN 客户端配置包。You can use the same VPN client configuration package on each client computer, as long as the version matches the architecture for the client. 有关支持的客户端操作系统的列表,请参阅点到站点连接常见问题解答For the list of client operating systems that are supported, see the Point-to-Site connections FAQ.

生成和安装 VPN 客户端配置包Generate and install a VPN client configuration package

  1. 在 Azure 门户中,在 VNet“概览”页的“VPN 连接”中,选择客户端图形,打开“点到站点 VPN 连接”页 。In the Azure portal, in the Overview page for your VNet, in VPN connections, select the client graphic to open the Point-to-site VPN connection page.

  2. 从“点到站点 VPN 连接” 页,选择在其中进行安装的客户端操作系统所对应的下载包:From the Point-to-site VPN connection page, select the download package that corresponds to the client operating system where it's installed:

    • 对于 64 位客户端,请选择“VPN 客户端(64 位)” 。For 64-bit clients, select VPN Client (64-bit).
    • 对于 32 位客户端,请选择“VPN 客户端(32 位)” 。For 32-bit clients, select VPN Client (32-bit).

    下载 VPN 客户端配置包

  3. 生成包后,下载该包并将其安装在客户端计算机上。After the package generates, download it and then install it on your client computer. 如果看到弹出 SmartScreen,选择“详细信息”,然后选择“仍要运行” 。If you see a SmartScreen popup, select More info, then select Run anyway. 也可将要安装的包保存在其他客户端计算机上。You can also save the package to install on other client computers.

安装客户端证书Install a client certificate

要从另一台客户端计算机(而不是用于生成客户端证书的计算机)创建 P2S 连接,请安装客户端证书。To create a P2S connection from a different client computer than the one used to generate the client certificates, install a client certificate. 安装客户端证书时,需要使用导出客户端证书时创建的密码。When you install a client certificate, you need the password that was created when the client certificate was exported. 通常,只需双击证书即可安装。Typically, you can install the certificate by just double-clicking it. 有关详细信息,请参阅安装已导出的客户端证书For more information, see Install an exported client certificate.

连接到 VNetConnect to your VNet


在要从其进行连接的客户端计算机上,你必须拥有管理员权限。You must have Administrator rights on the client computer from which you are connecting.

  1. 要连接到 VNet,请在客户端计算机上转到 Azure 门户中的“VPN 连接”,并找到创建的 VPN 连接 。To connect to your VNet, on the client computer, go to VPN connections in the Azure portal and locate the VPN connection that you created. 该 VPN 连接名称与虚拟网络的名称相同。The VPN connection has the same name as your virtual network. 选择“连接” 。Select Connect. 如果显示关于证书的弹出消息,请选择“继续”以使用提升的权限 。If a pop-up message about the certificate appears, select Continue to use elevated privileges.

  2. 在“连接”状态页上,选择“连接”以启动连接 。On the Connection status page, select Connect to start the connection. 如果看到“选择证书”屏幕,请验证显示的客户端证书是否正确 。If you see the Select Certificate screen, verify that the displayed client certificate is the correct one. 如果错误,请从下拉列表中选择正确的证书,然后选择“确定” 。If not, select the correct certificate from the drop-down list, and then select OK.

  3. 如果连接成功,将看到“已连接”通知 。If your connection succeeds, you'll see a Connected notification.

排查 P2S 连接问题Troubleshooting P2S connections

如果在连接时遇到问题,请检查以下项:If you have trouble connecting, check the following items:

  • 如果你已通过证书导出向导导出客户端证书,请确保已将其导出为 .pfx 文件并选中了“包括证书路径中的所有证书(如果可能)”。 If you exported a client certificate with Certificate Export Wizard, make sure that you exported it as a .pfx file and selected Include all certificates in the certification path if possible. 使用此值将其导出时,也会导出根证书信息。When you export it with this value, the root certificate information is also exported. 在客户端计算机上安装证书后,还会安装 .pfx 文件中的根证书。After you install the certificate on the client computer, the root certificate in the .pfx file is also installed. 若要验证是否安装了根证书,请打开“管理用户证书” ,然后选择“受信任的根证书颁发机构\证书” 。To verify that the root certificate is installed, open Manage user certificates and select Trusted Root Certification Authorities\Certificates. 验证是否列出了根证书,必须存在根证书才能进行身份验证。Verify that the root certificate is listed, which must be present for authentication to work.

  • 如果使用的是由企业 CA 解决方案颁发的证书,并且无法进行身份验证,请在客户端证书上验证身份验证顺序。If you used a certificate that was issued by an Enterprise CA solution and you can't authenticate, verify the authentication order on the client certificate. 通过双击客户端证书,选择“详细信息”选项卡并选择“增强型密钥用法”来检查身份验证列表顺序。 Check the authentication list order by double-clicking the client certificate, selecting the Details tab, and then selecting Enhanced Key Usage. 确保此列表中的第一项是“客户端身份验证”。 Make sure Client Authentication is the first item in the list. 如果不是,请基于将“客户端身份验证”作为列表中第一项的用户模板颁发客户端证书。 If it isn't, issue a client certificate based on the user template that has Client Authentication as the first item in the list.

  • 如需更多的 P2S 故障排除信息,请参阅排查 P2S 连接问题For additional P2S troubleshooting information, see Troubleshoot P2S connections.

验证 VPN 连接Verify the VPN connection

  1. 验证 VPN 连接是否激活。Verify that your VPN connection is active. 在客户端计算机上打开提升的命令提示符,并运行 ipconfig/all 。Open an elevated command prompt on your client computer, and run ipconfig/all.

  2. 查看结果。View the results. 请注意,收到的 IP 地址是点到站点连接地址范围中的一个地址,该范围是你在创建 VNet 时指定的。Notice that the IP address you received is one of the addresses within the Point-to-Site connectivity address range that you specified when you created your VNet. 结果应类似于以下示例:The results should be similar to this example:

     PPP adapter VNet1:
         Connection-specific DNS Suffix .:
         Description.....................: VNet1
         Physical Address................:
         DHCP Enabled....................: No
         Autoconfiguration Enabled.......: Yes
         IPv4 Address....................:
         Subnet Mask.....................:
         Default Gateway.................:
         NetBIOS over Tcpip..............: Enabled

连接到虚拟机Connect to a virtual machine

创建远程桌面连接来连接到部署到 VNet 的 VM。Create a Remote Desktop Connection to connect to a VM that's deployed to your VNet. 若要验证是否能够连接到 VM,最好的方式是使用其专用 IP 地址而不是计算机名称进行连接。The best way to verify you can connect to your VM is to connect with its private IP address, rather than its computer name. 这种方式测试的是能否进行连接,而不是测试名称解析是否已正确配置。That way, you're testing to see if you can connect, not whether name resolution is configured properly.

  1. 定位 VM 的专用 IP 地址。Locate the private IP address for your VM. 若要查找 VM 的专用 IP 地址,可以在 Azure 门户中或使用 PowerShell 查看 VM 的属性。To find the private IP address of a VM, view the properties for the VM in the Azure portal or use PowerShell.
  2. 验证你是否已使用点到站点 VPN 连接连接到 VNet。Verify that you're connected to your VNet with the Point-to-Site VPN connection.
  3. 若要打开远程桌面连接,请在任务栏上的搜索框中键入 RDP远程桌面连接,然后选择“远程桌面连接”。 To open Remote Desktop Connection, enter RDP or Remote Desktop Connection in the search box on the taskbar, then select Remote Desktop Connection. 也可以在 PowerShell 中使用 mstsc 命令打开远程桌面连接。You can also open it by using the mstsc command in PowerShell.
  4. 在“远程桌面连接”中,输入 VM 的专用 IP 地址。 In Remote Desktop Connection, enter the private IP address of the VM. 如果需要,选择“显示选项”来调整其他设置,然后进行连接。 If necessary, select Show Options to adjust additional settings, then connect.

排查到 VM 的 RDP 连接的问题To troubleshoot an RDP connection to a VM

如果无法通过 VPN 连接连接到虚拟机,可以查看一些项目。If you're having trouble connecting to a virtual machine over your VPN connection, there are a few things you can check.

  • 验证 VPN 连接是否成功。Verify that your VPN connection is successful.
  • 验证是否已连接到 VM 的专用 IP 地址。Verify that you're connecting to the private IP address for the VM.
  • 输入 ipconfig 来检查分配给以太网适配器的 IPv4 地址,该适配器所在的计算机正是你要从其进行连接的计算机。Enter ipconfig to check the IPv4 address assigned to the Ethernet adapter on the computer from which you're connecting. 如果该 IP 地址位于要连接到的 VNet 的地址范围内,或者位于 VPNClientAddressPool 的地址范围内,则会出现重叠的地址空间。An overlapping address space occurs when the IP address is within the address range of the VNet that you're connecting to, or within the address range of your VPNClientAddressPool. 当地址空间以这种方式重叠时,网络流量不会抵达 Azure,而是呆在本地网络中。When your address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.
  • 如果可以使用专用 IP 地址连接到 VM,但不能使用计算机名称进行连接,则请验证是否已正确配置 DNS。If you can connect to the VM by using the private IP address, but not the computer name, verify that you have configured DNS properly. 若要详细了解如何对 VM 进行名称解析,请参阅针对 VM 的名称解析For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • 为 VNet 指定 DNS 服务器 IP 地址之后,验证是否生成了 VPN 客户端配置包。Verify that the VPN client configuration package is generated after you specify the DNS server IP addresses for the VNet. 如果更新了 DNS 服务器 IP 地址,请生成并安装新的 VPN 客户端配置包。If you update the DNS server IP addresses, generate and install a new VPN client configuration package.

如需更多故障排除信息,请参阅排查到 VM 的远程桌面连接问题For more troubleshooting information, see Troubleshoot Remote Desktop connections to a VM.

添加或删除可信根证书Add or remove trusted root certificates

可以在 Azure 中添加和删除受信任的根证书。You can add and remove trusted root certificates from Azure. 删除根证书时,具有从该根生成的证书的客户端不能再进行身份验证和连接。When you remove a root certificate, clients that have a certificate generated from that root can no longer authenticate and connect. 为了让这些客户端再次进行身份验证并连接,必须安装新的客户端证书,该证书由 Azure 信任的根证书生成。For those clients to authenticate and connect again, you must install a new client certificate generated from a root certificate that's trusted by Azure.

添加受信任的根证书To add a trusted root certificate

最多可以将 20 个受信任的根证书 .cer 文件添加到 Azure。You can add up to 20 trusted root certificate .cer files to Azure. 有关说明,请参阅“上传根证书 .cer 文件”。For instructions, see Upload the root certificate .cer file.

删除受信任的根证书To remove a trusted root certificate

  1. 在 VNet 页的“VPN 连接”部分,选择客户端图形,打开“点到站点 VPN 连接”页 。On the VPN connections section of the page for your VNet, select the clients graphic to open the Point-to-site VPN connection page.


  2. 在“点到站点 VPN 连接”页中,选择“管理证书”,打开“证书”页 。On the Point-to-site VPN connection page, select Manage certificate to open the Certificates page.


  3. 在“证书”页中,选择要删除的证书旁边的省略号,然后选择“删除” 。On the Certificates page, select the ellipsis next to the certificate that you want to remove, then select Delete.


吊销客户端证书Revoke a client certificate

如有必要,可以吊销客户端证书。If necessary, you can revoke a client certificate. 通过证书吊销列表,可以选择性地拒绝基于单个客户端证书的点到站点连接。The certificate revocation list allows you to selectively deny Point-to-Site connectivity based on individual client certificates. 此方法不同于删除可信根证书。This method differs from removing a trusted root certificate. 如果从 Azure 中删除受信任的根证书 .cer,它会吊销由吊销的根证书生成/签名的所有客户端证书的访问权限。If you remove a trusted root certificate .cer from Azure, it revokes the access for all client certificates generated/signed by the revoked root certificate. 如果吊销客户端证书而非根证书,则可继续使用从根证书生成的其他证书,以便进行点到站点连接所需的身份验证。Revoking a client certificate, rather than the root certificate, allows the other certificates that were generated from the root certificate to continue to be used for authentication for the Point-to-Site connection.

常见的做法是使用根证书管理团队或组织级别的访问权限,并使用吊销的客户端证书针对单个用户进行精细的访问控制。The common practice is to use the root certificate to manage access at team or organization levels, while using revoked client certificates for fine-grained access control on individual users.

吊销客户端证书To revoke a client certificate

可以通过将指纹添加到吊销列表来吊销客户端证书。You can revoke a client certificate by adding the thumbprint to the revocation list.

  1. 检索客户端证书指纹。Retrieve the client certificate thumbprint. 有关更多信息,请参阅如何:检索证书的指纹For more information, see How to: Retrieve the Thumbprint of a Certificate.
  2. 将信息复制到文本编辑器,删除其中的空格,使之成为连续的字符串。Copy the information to a text editor and remove its spaces so that it's a continuous string.
  3. 转到经典虚拟网络。Go to the classic virtual network. 选择“点到站点 VPN 连接”,然后选择“管理证书”,打开“证书”页 。Select Point-to-site VPN connection, then select Manage certificate to open the Certificates page.
  4. 选择“吊销列表”,打开“吊销列表”页 。Select Revocation list to open the Revocation list page.
  5. 选择“添加证书”,打开“将证书添加到吊销列表”页 。Select Add certificate to open the Add certificate to revocation list page.
  6. 在“指纹”页中,将证书指纹以连续文本行的形式进行粘贴,不留空格 。In Thumbprint, paste the certificate thumbprint as one continuous line of text, with no spaces. 选择“确定” ,以完成操作。Select OK to finish.

更新完成后,不再可以使用证书来连接。After updating has completed, the certificate can no longer be used to connect. 客户端在尝试使用此证书进行连接时,会收到一条消息,指出证书不再有效。Clients that try to connect by using this certificate receive a message saying that the certificate is no longer valid.

点到站点常见问题解答Point-to-Site FAQ

此常见问题解答适用于使用经典部署模型的 P2S 连接。This FAQ applies to P2S connections that use the classic deployment model.

点到站点连接允许使用哪些客户端操作系统?What client operating systems can I use with Point-to-Site?

支持以下客户端操作系统:The following client operating systems are supported:

  • Windows 7(32 位和 64 位)Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2(仅 64 位)Windows Server 2008 R2 (64-bit only)
  • Windows 8(32 位和 64 位)Windows 8 (32-bit and 64-bit)
  • Windows 8.1(32 位和 64 位)Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012(仅 64 位)Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2(仅 64 位)Windows Server 2012 R2 (64-bit only)
  • Windows 10Windows 10

是否可以使用支持将 SSTP 用于点到站点连接的任何软件 VPN 客户端?Can I use any software VPN client that supports SSTP for Point-to-Site?

不是。No. 仅支持所列出的 Windows 操作系统版本。Support is limited only to the listed Windows operating system versions.

在我的点到站点配置中,可以存在多少 VPN 客户端终结点?How many VPN client endpoints can exist in my Point-to-Site configuration?

VPN 客户端终结点的数量取决于网关 SKU 和协议。The amount of VPN client endpoints depends on your gateway sku and protocol.

SSTP Connections
IKEv2/OpenVPN 连接
IKEv2/OpenVPN Connections
Throughput Benchmark
基本Basic 最大Max. 10 个10 最大Max. 128128 不支持Not Supported 100 Mbps100 Mbps 不支持Not Supported
VpnGw1VpnGw1 最大Max. 30*30* 最大Max. 128128 最大Max. 250250 650 Mbps650 Mbps 支持Supported
VpnGw2VpnGw2 最大Max. 30*30* 最大Max. 128128 最大Max. 500500 1 Gbps1 Gbps 支持Supported
VpnGw3VpnGw3 最大Max. 30*30* 最大Max. 128128 最大Max. 10001000 1.25 Gbps1.25 Gbps 支持Supported

(*) 如果需要 30 个以上 S2S VPN 隧道,请使用虚拟 WAN(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • 允许调整 VpnGw SKU 的大小,但基本 SKU 的大小调整除外。The resizing of VpnGw SKUs is allowed except resizing of the Basic SKU. 基本 SKU 是旧版 SKU,并且具有功能限制。The Basic SKU is a legacy SKU and has feature limitations. 若要从基本 SKU 移到其他 VpnGw SKU,必须删除基本 SKU VPN 网关,并使用所需 SKU 大小创建新网关。In order to move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired SKU size.

  • 这些连接限制是独立的。These connection limits are separate. 例如,在 VpnGw1 SKU 上可以有 128 个 SSTP 连接,还可以有 250 个 IKEv2 连接。For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • 可在 定价 页上找到定价信息。Pricing information can be found on the Pricing page.

  • 可在 SLA 页上查看 SLA(服务级别协议)信息。SLA (Service Level Agreement) information can be found on the SLA page.

  • 在单个隧道中,最多可以达到 1 Gbps 的吞吐量。On a single tunnel a maximum of 1 Gbps throughput can be achieved. 上表中的聚合吞吐量基准基于对通过单个网关聚合的多个隧道的测量。Aggregate Throughput Benchmark in the above table is based on measurements of multiple tunnels aggregated through a single gateway. 适用于 VPN 网关的聚合吞吐量基准组合了 S2S 和 P2S。The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. 如果有大量的 P2S 连接,则可能会对 S2S 连接造成负面影响,因为存在吞吐量限制。If you have a lot of P2S connections, it can negatively impact a S2S connection due to throughput limitations. 受 Internet 流量情况和应用程序行为影响,无法保证聚合吞吐量基准。The Aggregate Throughput Benchmark is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.

为了帮助我们的客户了解使用不同算法的 SKU 的相对性能,我们使用市售 iPerf 和 CTSTraffic 工具来衡量性能。To help our customers understand the relative performance of SKUs using different algorithms, we used publicly available iPerf and CTSTraffic tools to measure performances. 下表列出了 VpnGw SKU 的性能测试结果。The table below lists the results of performance tests for VpnGw SKUs. 可以看到,对 IPsec 加密和完整性使用 GCMAES256 算法时,可获得最佳性能。As you can see, the best performance is obtained when we used GCMAES256 algorithm for both IPsec Encryption and Integrity. 对 IPsec 加密使用 AES256 以及对完整性使用 SHA256 时,可获得平均性能。We got average performance when using AES256 for IPsec Encryption and SHA256 for Integrity. 对 IPsec 加密使用 DES3 以及对完整性使用 SHA256 可获得最低性能。When we used DES3 for IPsec Encryption and SHA256 for Integrity we got lowest performance.

Packets per second
AES256 & SHA256AES256 & SHA256
DES3 & SHA256DES3 & SHA256
650 Mbps650 Mbps
500 Mbps500 Mbps
120 Mbps120 Mbps
AES256 & SHA256AES256 & SHA256
DES3 & SHA256DES3 & SHA256
1 Gbps1 Gbps
500 Mbps500 Mbps
120 Mbps120 Mbps
AES256 & SHA256AES256 & SHA256
DES3 & SHA256DES3 & SHA256
1.25 Gbps1.25 Gbps
550 Mbps550 Mbps
120 Mbps120 Mbps

能否将我自己的内部 PKI 根 CA 用于点到站点连接?Can I use my own internal PKI root CA for Point-to-Site connectivity?

是的。Yes. 以前只可使用自签名根证书。Previously, only self-signed root certificates could be used. 现在还可以上传最多 20 个根证书。You can still upload up to 20 root certificates.

是否可以使用点到站点连接穿越代理和防火墙?Can I traverse proxies and firewalls by using Point-to-Site?

是的。Yes. 我们使用安全套接字隧道协议 (SSTP) 作为隧道来穿越防火墙。We use Secure Socket Tunneling Protocol (SSTP) to tunnel through firewalls. 此隧道显示为 HTTPS 连接。This tunnel appears as an HTTPS connection.

如果重新启动进行过点到站点配置的客户端计算机,是否会自动重新连接 VPN?If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

默认情况下,客户端计算机将不会自动重新建立 VPN 连接。By default, the client computer won't reestablish the VPN connection automatically.

点到站点在 VPN 客户端上是否支持自动重新连接和 DDNS?Does Point-to-Site support auto reconnect and DDNS on the VPN clients?

不是。No. 点到站点 VPN 中当前不支持自动重新连接和 DDNS。Auto reconnect and DDNS are currently not supported in Point-to-Site VPNs.

同一虚拟网络中是否可以同时存在站点到站点和点到站点配置?Can I have Site-to-Site and Point-to-Site configurations for the same virtual network?

是的。Yes. 如果网关使用 RouteBased VPN 类型,这两种解决方案都可行。Both solutions will work if you have a RouteBased VPN type for your gateway. 对于经典部署模型,需要一个动态网关。For the classic deployment model, you need a dynamic gateway. 我们不支持将点到站点连接用于静态路由 VPN 网关,也不支持将其用于使用 -VpnType PolicyBased cmdlet 的网关。We don't support Point-to-Site for static routing VPN gateways or gateways that use the -VpnType PolicyBased cmdlet.

能否将点到站点客户端配置为同时连接到多个虚拟网络?Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

是的。Yes. 但是,虚拟网络的 IP 前缀不得重叠,并且点到站点地址空间在虚拟网络之间不得重叠。However, the virtual networks can't have overlapping IP prefixes and the Point-to-Site address spaces must not overlap between the virtual networks.

预计通过站点到站点连接或点到站点连接的吞吐量有多少?How much throughput can I expect through Site-to-Site or Point-to-Site connections?

很难维持 VPN 隧道的准确吞吐量。It's difficult to maintain the exact throughput of the VPN tunnels. IPsec 和 SSTP 是重重加密的 VPN 协议。IPsec and SSTP are crypto-heavy VPN protocols. 本地网络与 Internet 之间的延迟和带宽也限制了吞吐量。Throughput is also limited by the latency and bandwidth between your premises and the internet.

后续步骤Next steps