Configure a Point-to-Site connection by using certificate authentication (classic)

Note

This article is written for the classic deployment model. If you're new to Azure, we recommend that you use the Resource Manager deployment model instead. The Resource Manager deployment model is the most current deployment model and offers more options and feature compatibility than the classic deployment model. For more information about the deployment models, see Understanding deployment models.

For the Resource Manager version of this article, select it from the drop-down list, or from the table of contents on the left.

This article shows you how to create a VNet with a Point-to-Site connection. You create this VNet with the classic deployment model by using the Azure portal. This configuration uses certificates, either self-signed or CA-issued, to authenticate the connecting client. You can also create this configuration with a different deployment tool or model by using options that are described in the following articles:

You use a Point-to-Site (P2S) VPN gateway to create a secure connection to your virtual network from an individual client computer. Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location. When you have only a few clients that need to connect to a VNet, a P2S VPN is a useful solution to use instead of a Site-to-Site VPN. A P2S VPN connection is established by starting it from the client computer.

Important

The classic deployment model supports Windows VPN clients only and uses the Secure Socket Tunneling Protocol (SSTP), an SSL-based VPN protocol. To support non-Windows VPN clients, you must create your VNet with the Resource Manager deployment model. The Resource Manager deployment model supports IKEv2 VPN in addition to SSTP. For more information, see About P2S connections.

[Diagram: Point-to-Site connection]

Settings and requirements

Requirements

Point-to-Site certificate authentication connections require the following items. There are steps in this article that will help you create them.

  • A Dynamic VPN gateway.
  • The public key (.cer file) for a root certificate, which is uploaded to Azure. This key is considered a trusted certificate and is used for authentication.
  • A client certificate generated from the root certificate, and installed on each client computer that will connect. This certificate is used for client authentication.
  • A VPN client configuration package must be generated and installed on every client computer that connects. The client configuration package configures the native VPN client that's already on the operating system with the information it needs to connect to the VNet.

Point-to-Site connections don't require a VPN device or an on-premises public-facing IP address. The VPN connection is created over SSTP (Secure Socket Tunneling Protocol). On the server side, we support SSTP versions 1.0, 1.1, and 1.2. The client decides which version to use. For Windows 8.1 and above, SSTP uses 1.2 by default.

For more information, see About Point-to-Site connections and the FAQ.

Example settings

Use the following values to create a test environment, or refer to these values to better understand the examples in this article:

  • Resource Group: TestRG
  • VNet Name: VNet1
  • Address space: 192.168.0.0/16
    For this example, we use only one address space. You can have more than one address space for your VNet.
  • Subnet name: FrontEnd
  • Subnet address range: 192.168.1.0/24
  • GatewaySubnet: 10.11.255.0/27
  • Region: China North
  • Client address space: 172.16.201.0/24
    VPN clients that connect to the VNet by using this Point-to-Site connection receive an IP address from the specified pool.
  • Connection type: Select Point-to-site.
  • GatewaySubnet Address range (CIDR block): 192.168.200.0/24

Before you begin, verify that you have an Azure subscription. If you don't already have an Azure subscription, you can sign up for a trial account.

Create a virtual network

If you already have a VNet, verify that its settings are compatible with your VPN gateway design. Pay particular attention to any subnets that may overlap with other networks.

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.
  2. Select +Create a resource. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network in the returned list and select it to open the Virtual Network page.
  3. On the Virtual Network page, under the Create button, you see "Deploy with Resource Manager (change to Classic)". Resource Manager is the default for creating a VNet, but this article needs a classic VNet, not a Resource Manager VNet. Select (change to Classic) to create a classic VNet. Then select the Overview tab and select Create.
  4. On the Create virtual network (classic) page, on the Basics tab, configure the VNet settings with the example values.
  5. Select Review + create to validate your VNet.
  6. Validation runs. After the VNet is validated, select Create.

DNS settings are not a required part of this configuration, but DNS is necessary if you want name resolution between your VMs. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names of the resources you are connecting to.

After you create your virtual network, you can add the IP address of a DNS server to handle name resolution. Open the settings for your virtual network, select DNS servers, and add the IP address of the DNS server that you want to use for name resolution.

  1. Locate the virtual network in the portal.
  2. On the page for your virtual network, under the Settings section, select DNS servers.
  3. Add a DNS server.
  4. To save your settings, select Save at the top of the page.

Create a VPN gateway

  1. Navigate to the VNet that you created.

  2. On the VNet page, under Settings, select Gateway. On the Gateway page, you can view the gateway for your virtual network. This virtual network does not yet have a gateway. Click the note that says Click here to add a connection and a gateway.

  3. On the Configure a VPN connection and gateway page, select the following settings:

    • Connection type: Point-to-site
    • Client address space: Add the IP address range from which the VPN clients receive an IP address when connecting. Use a private IP address range that doesn't overlap with the on-premises location that you connect from, or with the VNet that you connect to.
  4. Leave the checkbox for Do not configure a gateway at this time unselected. We will create a gateway.

  5. At the bottom of the page, select Next: Gateway >.

  6. On the Gateway tab, select the following values:

    • Size: The size is the gateway SKU for your virtual network gateway. In the Azure portal, the default SKU is Default. For more information about gateway SKUs, see About VPN gateway settings.
    • Routing Type: You must select Dynamic for a point-to-site configuration. Static routing will not work.
    • Gateway subnet: This field is already autofilled. You cannot change the name. If you try to change the name using PowerShell or any other means, the gateway will not work properly.
    • Address range (CIDR block): While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting at least /28 or /27. Doing so leaves enough addresses to accommodate additional configurations that you may want in the future. When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your VPN gateway to stop functioning as expected.
  7. Select Review + create to validate your settings.

  8. Once validation passes, select Create. A VPN gateway can take up to 45 minutes to complete, depending on the gateway SKU that you select.

Create certificates

Azure uses certificates to authenticate VPN clients for Point-to-Site VPNs. You upload the public key information of the root certificate to Azure. The public key is then considered trusted. Client certificates must be generated from the trusted root certificate, and then installed on each client computer in the Certificates-Current User\Personal\Certificates certificate store. The certificate is used to authenticate the client when it connects to the VNet.

If you use self-signed certificates, they must be created by using specific parameters. You can create a self-signed certificate by using the instructions for PowerShell and Windows 10, or MakeCert. It's important to follow the steps in these instructions when you use self-signed root certificates and generate client certificates from the self-signed root certificate. Otherwise, the certificates you create won't be compatible with P2S connections and you'll receive a connection error.

Acquire the public key (.cer) for the root certificate

Obtain the .cer file for the root certificate. You can use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. You upload this file to Azure later.

  • Enterprise certificate: If you're using an enterprise solution, you can use your existing certificate chain. Acquire the .cer file for the root certificate that you want to use.

  • Self-signed root certificate: If you aren't using an enterprise certificate solution, create a self-signed root certificate by following one of the articles below. Otherwise, the certificates you create won't be compatible with your P2S connections and clients will receive a connection error when they try to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The steps in the following articles describe how to generate a compatible self-signed root certificate:

    • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. Client certificates that are generated from the root certificate can be installed on any supported P2S client.
    • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to generate certificates. Although MakeCert is deprecated, you can still use it to generate certificates. Client certificates that you generate from the root certificate can be installed on any supported P2S client.
    • Linux instructions.

Generate a client certificate

Each client computer that you connect to a VNet with a Point-to-Site connection must have a client certificate installed. You generate it from the root certificate and install it on each client computer. If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.

You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. The advantage of generating unique client certificates is the ability to revoke a single certificate. Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client that uses that certificate.

You can generate client certificates by using the following methods:

  • Enterprise certificate:

    • If you're using an enterprise certificate solution, generate a client certificate with the common name value format name@yourdomain.com. Use this format instead of the domain name\username format.

    • Make sure the client certificate is based on a user certificate template that has Client Authentication listed as the first item in the user list. Check the certificate by double-clicking it and viewing Enhanced Key Usage in the Details tab.

  • Self-signed root certificate: Follow the steps in one of the following P2S certificate articles so that the client certificates you create will be compatible with your P2S connections.

    When you generate a client certificate from a self-signed root certificate, it's automatically installed on the computer that you used to generate it. If you want to install a client certificate on another client computer, export it as a .pfx file, along with the entire certificate chain. Doing so creates a .pfx file that contains the root certificate information required for the client to authenticate.

    The steps in these articles generate a compatible client certificate, which you can then export and distribute.

    • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. The generated certificates can be installed on any supported P2S client.

    • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer for generating certificates. Although MakeCert is deprecated, you can still use it to generate certificates. You can install the generated certificates on any supported P2S client.

    • Linux instructions.
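The following PowerShell script is an added example that is not part of this article or of the linked Windows 10 PowerShell instructions. It covers both the "Acquire the public key (.cer) for the root certificate" and "Generate a client certificate" steps above for the self-signed case: it creates a self-signed root in the current user's store, issues a client certificate signed by that root whose only Enhanced Key Usage is Client Authentication (so it is also the first entry, which is what the troubleshooting section later tells you to check), exports the root's public part as a Base64 X.509 .cer for upload, and exports the client certificate with its chain as a .pfx. The subject names P2SRootCert and P2SChildCert and the output folder C:\certs are assumptions; change them to suit.

```powershell
# Added example, not the article's own script. Run in an elevated Windows PowerShell
# session on Windows 10 or later. Assumed names: P2SRootCert, P2SChildCert, C:\certs.

$outDir = 'C:\certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed root: the key is marked for certificate signing only and is kept
#    exportable so the root can be backed up. Only its public part goes to Azure.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by the root. The TextExtension sets the Enhanced Key
#    Usage extension (OID 2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2) as
#    its only entry, so it is necessarily the first item in the list.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' `
    -KeySpec Signature -Subject 'CN=P2SChildCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Export only the root's public certificate data as Base64-encoded X.509 (.cer).
#    This is the file you upload to Azure; the private key never leaves this machine.
$b64 = [Convert]::ToBase64String($root.RawData,
           [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path (Join-Path $outDir 'P2SRootCert.cer') -Value $pem -Encoding ascii

# 4. Export the client certificate with its private key and the full chain as a
#    password-protected .pfx, for installation on a different client computer.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir 'P2SChildCert.pfx') `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# 5. Checks worth running before distributing anything: EKU order and issuer.
$ekuExt = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt.EnhancedKeyUsages[0].Value -ne '1.3.6.1.5.5.7.3.2') {
    throw 'Client Authentication is not the first Enhanced Key Usage entry'
}
if ($client.Issuer -ne $root.Subject) {
    throw 'Client certificate was not signed by the P2S root certificate'
}

# Record the client thumbprint now; it is what you paste into the revocation list
# later if this client certificate ever needs to be revoked.
"Root .cer written to $outDir; client thumbprint: $($client.Thumbprint)"
```

The .cer produced in step 3 is the same "Base-64 encoded X.509" format that the certificate export wizard offers, which is what the upload step later in this article expects. Keep the root's private key on the machine that issues client certificates (or in your enterprise CA); never include it in anything you distribute or upload.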

Upload the root certificate .cer file

After the gateway has been created, upload the .cer file (which contains the public key information) for a trusted root certificate to the Azure server. Don't upload the private key for the root certificate. After you upload the certificate, Azure uses it to authenticate clients that have installed a client certificate generated from the trusted root certificate. You can later upload additional trusted root certificate files (up to 20), if needed.

  1. Navigate to the virtual network you created.
  2. Under Settings, select Point-to-site connections.
  3. Select Manage certificate.
  4. Select Upload.
  5. On the Upload a certificate pane, select the folder icon and navigate to the certificate you want to upload.
  6. Select Upload.
  7. After the certificate has uploaded successfully, you can view it on the Manage certificate page. You may need to select Refresh to view the certificate you just uploaded.

Configure the client

To connect to a VNet by using a Point-to-Site VPN, each client must install a package to configure the native Windows VPN client. The configuration package configures the native Windows VPN client with the settings necessary to connect to the virtual network.

You can use the same VPN client configuration package on each client computer, as long as the version matches the architecture of the client. For the list of client operating systems that are supported, see About Point-to-Site connections and the FAQ.

Generate and install a VPN client configuration package

  1. Navigate to the Point-to-site connections settings for your VNet.

  2. At the top of the page, select the download package that corresponds to the client operating system where it will be installed:

    • For 64-bit clients, select VPN client (64-bit).
    • For 32-bit clients, select VPN client (32-bit).
  3. Azure generates a package with the specific settings that the client requires. Each time you make changes to the VNet or gateway, you need to download a new client configuration package and install it on your client computers.

  4. After the package generates, select Download.

  5. Install the client configuration package on your client computer. When installing, if you see a SmartScreen popup saying Windows protected your PC, select More info, then select Run anyway. You can also save the package to install on other client computers.

Install a client certificate

For this exercise, when you generated the client certificate, it was automatically installed on your computer. To create a P2S connection from a different client computer than the one used to generate the client certificates, you must install the generated client certificate on that computer.

When you install a client certificate, you need the password that was created when the client certificate was exported. Typically, you can install the certificate by just double-clicking it. For more information, see Install an exported client certificate.

Connect to your VNet

Note

You must have Administrator rights on the client computer from which you are connecting.

  1. On the client computer, go to VPN settings.
  2. Select the VPN that you created. If you used the example settings, the connection will be labeled Group TestRG VNet1.
  3. Select Connect.
  4. In the Windows Azure Virtual Network box, select Connect. If a pop-up message about the certificate appears, select Continue to use elevated privileges and Yes to accept configuration changes.
  5. When your connection succeeds, you'll see a Connected notification.

If you have trouble connecting, check the following items:

  • If you exported a client certificate with the Certificate Export Wizard, make sure that you exported it as a .pfx file and selected Include all certificates in the certification path if possible. When you export it with this option, the root certificate information is also exported. After you install the certificate on the client computer, the root certificate in the .pfx file is also installed. To verify that the root certificate is installed, open Manage user certificates and select Trusted Root Certification Authorities\Certificates. Verify that the root certificate is listed; it must be present for authentication to work.

  • If you used a certificate that was issued by an Enterprise CA solution and you can't authenticate, verify the authentication order on the client certificate. Check the authentication list order by double-clicking the client certificate, selecting the Details tab, and then selecting Enhanced Key Usage. Make sure Client Authentication is the first item in the list. If it isn't, issue a client certificate based on the user template that has Client Authentication as the first item in the list.

  • For additional P2S troubleshooting information, see Troubleshoot P2S connections.

Verify the VPN connection

  1. Verify that your VPN connection is active. Open an elevated command prompt on your client computer, and run ipconfig /all.

  2. View the results. Notice that the IP address you received is one of the addresses within the Point-to-Site connectivity address range that you specified when you created your VNet. The results should be similar to this example:

     PPP adapter VNet1:
         Connection-specific DNS Suffix .:
         Description.....................: VNet1
         Physical Address................:
         DHCP Enabled....................: No
         Autoconfiguration Enabled.......: Yes
         IPv4 Address....................: 192.168.130.2(Preferred)
         Subnet Mask.....................: 255.255.255.255
         Default Gateway.................:
         NetBIOS over Tcpip..............: Enabled

To connect to a virtual machine

Create a Remote Desktop Connection to connect to a VM that's deployed to your VNet. The best way to verify that you can connect to your VM is to connect with its private IP address rather than its computer name. That way, you're testing whether you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address for your VM. To find the private IP address of a VM, view the properties for the VM in the Azure portal or use PowerShell.
  2. Verify that you're connected to your VNet with the Point-to-Site VPN connection.
  3. To open Remote Desktop Connection, enter RDP or Remote Desktop Connection in the search box on the taskbar, then select Remote Desktop Connection. You can also open it by using the mstsc command in PowerShell.
  4. In Remote Desktop Connection, enter the private IP address of the VM. If necessary, select Show Options to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you're having trouble connecting to a virtual machine over your VPN connection, there are a few things you can check.

  • Verify that your VPN connection is successful.
  • Verify that you're connecting to the private IP address of the VM.
  • Enter ipconfig to check the IPv4 address assigned to the Ethernet adapter on the computer from which you're connecting. An overlapping address space occurs when that IP address is within the address range of the VNet that you're connecting to, or within the address range of your VPNClientAddressPool. When your address space overlaps in this way, the network traffic doesn't reach Azure; it stays on the local network.
  • If you can connect to the VM by using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • Verify that the VPN client configuration package was generated after you specified the DNS server IP addresses for the VNet. If you update the DNS server IP addresses, generate and install a new VPN client configuration package.
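The two address checks above, that the PPP adapter's address falls inside the client address pool (the "Verify the VPN connection" step) and that the local Ethernet adapter's address does not overlap the VNet or the pool, can be automated. The script below is an added example and is not part of the article; it uses the article's example ranges (192.168.0.0/16 for the VNet, 172.16.201.0/24 for the client pool), constructed sample addresses, and an assumed interface alias of VNet1 for the live check.

```powershell
# Added example, not the article's own script. CIDR containment check for the
# P2S addressing rules. Ranges are the article's example settings; the sample
# addresses at the bottom are constructed.

function ConvertTo-UInt32Address {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)      # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    # Build the mask in 64-bit arithmetic and truncate, so /0 and /32 both work.
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF)
    $addr = ConvertTo-UInt32Address $Address
    $net  = ConvertTo-UInt32Address $network
    return (($addr -band $mask) -eq ($net -band $mask))
}

$vnetRange  = '192.168.0.0/16'    # VNet address space from the example settings
$clientPool = '172.16.201.0/24'   # client address space from the example settings

function Test-P2SAddressing {
    param([string]$PppAddress, [string]$EthernetAddress)
    $r = [ordered]@{
        PppAddress           = $PppAddress
        PppInClientPool      = Test-IPv4InCidr $PppAddress $clientPool
        EthernetAddress      = $EthernetAddress
        EthernetOverlapsVNet = Test-IPv4InCidr $EthernetAddress $vnetRange
        EthernetOverlapsPool = Test-IPv4InCidr $EthernetAddress $clientPool
    }
    # Healthy only if the tunnel address is from the pool and nothing overlaps.
    $r.Ok = $r.PppInClientPool -and -not $r.EthernetOverlapsVNet -and -not $r.EthernetOverlapsPool
    return [pscustomobject]$r
}

# Constructed sample: a home LAN on 192.168.1.0/24 sits inside the VNet's
# 192.168.0.0/16, so packets for the FrontEnd subnet stay on the local network.
Test-P2SAddressing -PppAddress '172.16.201.2' -EthernetAddress '192.168.1.20'
# -> EthernetOverlapsVNet = True, Ok = False

# Constructed sample with a non-overlapping LAN (10.0.0.0/24): passes.
Test-P2SAddressing -PppAddress '172.16.201.2' -EthernetAddress '10.0.0.15'

# Live check on the connected Windows client (uncomment). Interface alias 'VNet1'
# is assumed to match the PPP adapter name shown by ipconfig /all.
# $ppp = (Get-NetIPAddress -InterfaceAlias 'VNet1'    -AddressFamily IPv4).IPAddress
# $eth = (Get-NetIPAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4).IPAddress
# Test-P2SAddressing -PppAddress $ppp -EthernetAddress $eth
```

If the overlap check fails, the fix is on the addressing side (a different client address pool, or a VNet range that does not collide with the networks clients connect from), not on the gateway; routing cannot distinguish two identical prefixes.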

For more troubleshooting information, see Troubleshoot Remote Desktop connections to a VM.

To add or remove trusted root certificates

You can add and remove trusted root certificates from Azure. When you remove a root certificate, clients that have a certificate generated from that root can no longer authenticate and connect. For those clients to authenticate and connect again, you must install a new client certificate generated from a root certificate that's trusted by Azure.

Add a trusted root certificate

You can add up to 20 trusted root certificate .cer files to Azure by using the same process that you used to add the first trusted root certificate.

Remove a trusted root certificate

  1. In the Point-to-site connections section of the page for your VNet, select Manage certificate.
  2. Select the ellipsis next to the certificate that you want to remove, then select Delete.

To revoke a client certificate

If necessary, you can revoke a client certificate. The certificate revocation list allows you to selectively deny Point-to-Site connectivity based on individual client certificates. This method differs from removing a trusted root certificate. If you remove a trusted root certificate .cer from Azure, it revokes access for all client certificates generated or signed by that root certificate. Revoking a client certificate, rather than the root certificate, allows the other certificates that were generated from the root certificate to continue to be used for authentication for the Point-to-Site connection.

The common practice is to use the root certificate to manage access at the team or organization level, while using revoked client certificates for fine-grained access control on individual users.

You can revoke a client certificate by adding its thumbprint to the revocation list.

  1. Retrieve the client certificate thumbprint. For more information, see How to: Retrieve the Thumbprint of a Certificate.
  2. Copy the information to a text editor and remove its spaces so that it's a continuous string.
  3. Navigate to Point-to-site VPN connection, then select Manage certificate.
  4. Select Revocation list to open the Revocation list page.
  5. In Thumbprint, paste the certificate thumbprint as one continuous line of text, with no spaces.
  6. Select + Add to list to add the thumbprint to the certificate revocation list (CRL).
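Steps 1 and 2 above are where mistakes typically happen: a thumbprint copied from the certificate's Details tab carries spaces and can carry a non-printing character, and a thumbprint that is valid but belongs to the wrong certificate will silently revoke the wrong client. The following PowerShell is an added example, not part of the article, that normalizes a pasted thumbprint into the continuous string the revocation list expects and confirms it matches a certificate in the current user's store. The subject name P2SChildCert and the sample thumbprint are constructed.

```powershell
# Added example, not the article's own script. Normalizes a thumbprint copied from
# the certificate Details tab and verifies which certificate it belongs to.

function ConvertTo-RevocationThumbprint {
    param([Parameter(Mandatory)][string]$RawThumbprint)
    # Keep hex digits only: this strips spaces, colons and any invisible
    # characters that sometimes come along when copying from the MMC snap-in.
    $clean = ($RawThumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters: '$clean'"
    }
    return $clean
}

function Get-ClientCertThumbprint {
    # Alternative to copying from the UI: read the thumbprint straight from the store.
    # It is already a continuous uppercase hex string. Subject name is an assumption.
    param([string]$Subject = 'CN=P2SChildCert')
    $cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in Cert:\CurrentUser\My" }
    return $cert.Thumbprint
}

function Confirm-ThumbprintSubject {
    # Returns the subject of the local certificate with this thumbprint, or $null.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $match = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if ($match) { return $match.Subject } else { return $null }
}

# Constructed sample of what the Details tab gives you (lower case, space separated).
$pasted = '3a 1f 9c 20 bb 04 5e 77 d1 8c 0e 9a 4f 21 6b 83 af 0d c2 55'
$thumb  = ConvertTo-RevocationThumbprint $pasted
# $thumb is now '3A1F9C20BB045E77D18C0E9A4F216B83AF0DC255', ready for the Thumbprint field.

$subject = Confirm-ThumbprintSubject $thumb
if ($subject) {
    "Thumbprint $thumb belongs to '$subject'; add it to the revocation list."
} else {
    "Thumbprint $thumb is not in this machine's personal store; verify it on the issuing machine before revoking."
}
```

Revocation takes effect for a single client certificate only, so distribute unique client certificates per user if you want this control; with a shared client certificate, revoking one thumbprint locks out everyone who holds it, as the section above notes.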

After the update has completed, the certificate can no longer be used to connect. Clients that try to connect by using this certificate receive a message saying that the certificate is no longer valid.

FAQ

This FAQ applies to P2S connections that use the classic deployment model.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8 (32-bit and 64-bit)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows 10

Can I use any software VPN client that supports SSTP for Point-to-Site?

No. Support is limited to the listed Windows operating system versions.

How many VPN client endpoints can exist in my Point-to-Site configuration?

The number of VPN client endpoints depends on your gateway SKU and protocol.

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP |
|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported |
| Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported |
| Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported |
| Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported |
| Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported |
| Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported |
| Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported |
| Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported |

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • Resizing of VpnGw SKUs is allowed within the same generation, except for the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. To move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • On a single tunnel, a maximum of 1 Gbps throughput can be achieved. The Aggregate Throughput Benchmark in the table above is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN gateway is S2S and P2S combined. If you have a lot of P2S connections, they can negatively impact an S2S connection because of the throughput limit. The Aggregate Throughput Benchmark is not a guaranteed throughput, because Internet traffic conditions and your application behavior affect it.

To help our customers understand the relative performance of SKUs using different algorithms, we used the publicly available iPerf and CTSTraffic tools to measure performance. The table below lists the results of performance tests for Generation 1 VpnGw SKUs. As you can see, the best performance is obtained with the GCMAES256 algorithm for both IPsec encryption and integrity. We got average performance when using AES256 for IPsec encryption and SHA256 for integrity. When we used DES3 for IPsec encryption and SHA256 for integrity, we got the lowest performance.

| Generation | SKU | Algorithms used | Throughput observed | Packets per second observed |
|---|---|---|---|---|
| Generation1 | VpnGw1 | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1 | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1 | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2 | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2 | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2 | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3 | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3 | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3 | DES3 & SHA256 | 120 Mbps | 60,000 |

Can I use my own internal PKI root CA for Point-to-Site connectivity?

Yes. Previously, only self-signed root certificates could be used. You can still upload up to 20 root certificates.

Can I traverse proxies and firewalls by using Point-to-Site?

Yes. We use Secure Socket Tunneling Protocol (SSTP) to tunnel through firewalls. This tunnel appears as an HTTPS connection.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer won't reestablish the VPN connection automatically.

Does Point-to-Site support auto reconnect and DDNS on the VPN clients?

No. Auto reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations for the same virtual network?

Yes. Both solutions work if you have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We don't support Point-to-Site for static routing VPN gateways or gateways that use the -VpnType PolicyBased cmdlet.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

Yes. However, the virtual networks can't have overlapping IP prefixes, and the Point-to-Site address spaces must not overlap between the virtual networks.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet.

Next steps