Install-RemoteAccess

Performs prerequisite checks for DirectAccess (DA) to ensure that it can be installed, installs DA for remote access (RA) (includes management of remote clients) or for management of remote clients only, installs VPN (both Remote Access VPN and site-to-site VPN), and installs Border Gateway Protocol Routing.

Syntax

Parameter Set: DirectAccess
Install-RemoteAccess [-DAInstallType] <String> {FullInstall | ManageOut} [-ConnectToAddress] <String> [-CimSession <CimSession[]> ] [-ClientGpoName <String> ] [-ComputerName <String> ] [-DeployNat] [-Force] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-InternalInterface <String> ] [-InternetInterface <String> ] [-NlsCertificate <X509Certificate2> ] [-NlsUrl <String> ] [-NoPrerequisite] [-PassThru] [-ServerGpoName <String> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]

Parameter Set: DAPrerequisiteChecks
Install-RemoteAccess -Prerequisite [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]

Parameter Set: MultiTenant
Install-RemoteAccess [-MultiTenancy] [-CapacityKbps <UInt64> ] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-MsgAuthenticator <String> {Enabled | Disabled} ] [-PassThru] [-RadiusPort <UInt16> ] [-RadiusScore <Byte> ] [-RadiusServer <String> ] [-RadiusTimeout <UInt32> ] [-SharedSecret <String> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]

Parameter Set: Vpn
Install-RemoteAccess [-VpnType] <String> {Vpn | VpnS2S | SstpProxy | RoutingOnly} [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-EntrypointName <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-IPAddressRange <String[]> ] [-IPv6Prefix <String> ] [-Legacy] [-MsgAuthenticator <String> {Enabled | Disabled} ] [-PassThru] [-RadiusPort <UInt16> ] [-RadiusScore <Byte> ] [-RadiusServer <String> ] [-RadiusTimeout <UInt32> ] [-SharedSecret <String> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]




Detailed Description

The Install-RemoteAccess cmdlet performs prerequisite checks for DirectAccess (DA) to ensure that it can be installed, installs DA for remote access (RA) (includes management of remote clients) or for management of remote clients only, installs VPN (both Remote Access VPN and site-to-site VPN), and installs Border Gateway Protocol Routing.

Prerequisite Checks.
-- Every prerequisite check results in a terminating error, a non-terminating error, or a warning.
-- The only terminating error condition is that the DA server is not joined to a domain or the Active Directory server is not reachable; it stops the cmdlet immediately.
-- If the cmdlet performs only prerequisite checks, then the user is informed about every check that fails through an appropriate message.
-- If prerequisite checks are performed just before installation (that is, the NoPrerequisite parameter is not specified), then the cmdlet performs all checks one after the other without displaying any messages for failed checks. If one or more terminating or non-terminating errors are encountered, then the cmdlet does not proceed with the installation. If all checks pass or only warnings are encountered, then the cmdlet proceeds with installation.

Re-using Existing Configuration.
If one of the remote access technologies is already installed and the cmdlet is used to install the other technology, then it tries to use as much of the configuration of the installed technology as possible and handles any discrepancies between the two technologies. There are separate parameter sets for DA and VPN installation. If the user specifies parameters that can be re-used from the existing configuration, they are ignored. Example: If VPN is already enabled and a user specifies the internal and internet interfaces when installing DA, then they are ignored and the cmdlet uses the existing VPN interfaces.

Note: This cmdlet cannot be used to move from one DA installation type to another. Run the Set-DAServer cmdlet to move from one DA installation type to another.

DA Installation.
Client configuration:
-- By default DA is deployed on all domain laptop and netbook computers that belong to the domain specified in the client GPO. This is achieved by adding the Domain Computers AD group as the client SG and creating a WMI filter to filter out devices that are not classified as either laptops or netbooks. If a client GPO is not specified, then the domain of the DA server is used and a client GPO with the default name is created in that domain. If the user running the cmdlet does not have the permissions to create the WMI filter, then no client SG is added.
-- Force tunneling is disabled for the clients.
-- This cmdlet does not deploy DA on down-level clients.
DA Server configuration.
-- If a GPO with the specified name or default name is not present, then it is created. If it is found, then it is edited with the DA server settings.
-- Selecting the internal and internet interfaces.
-- The internal and internet interfaces can be specified in the cmdlet. If the user wishes to deploy DA in a single network adapter configuration, then the same name should be specified for both interfaces.
-- If one or none of them is specified, then the cmdlet itself selects the appropriate interfaces based on their configuration.
-- If a VPN is already installed and the interfaces were specified during its installation, then the same interfaces are re-used. If the interfaces were not specified during VPN installation, then the user is allowed to manually specify the interfaces or the cmdlet picks them itself.
-- Transition Technologies: IPHTTPS is always enabled. Teredo is enabled only if 2 consecutive IP addresses are found on the internet interface.
-- User authentication: All DA users are authenticated using their domain user name and password.
-- IPv6 deployment in internal network: If a native IPv6 deployment is detected inside the corporate network, then its IPv6 prefix is obtained. Otherwise ISATAP is automatically deployed. Note: ISATAP will not become effective until DNS is configured to resolve ISATAP.
-- DA is installed in a PKI-less mode, i.e. no IPsec root certificate is required.
-- A certificate is still required for IPHTTPS: If VPN is already installed, then the SSL certificate for SSTP is re-used. If there is no certificate configured for VPN, then the cmdlet looks for an appropriate certificate on the computer (a certificate that matches the ConnectToAddress parameter value) or generates a self-signed certificate.
Infrastructure Server configuration.
-- If the NLS location is not specified in the cmdlet, then it is deployed on the DA server by default. The cmdlet looks for a certificate for which the subject name matches the internal interface of the DA server. If an appropriate certificate cannot be found, then a self-signed certificate is generated.
-- Health checks are not enabled during installation.
-- Application servers are not configured during installation.
-- If an IPv4 address is detected on the internal interface of the DA server, then the DNS64 or NAT64 configuration is enabled on the DA server, which enables DA clients to access corporate network resources that have only IPv4 addresses by allotting IPv6 addresses to these hosts.
-- This cmdlet also does an auto-discovery of SCCM servers including Domain Controllers and configures them as the Management Servers.

VPN Installation.
Authentication configuration.
By default Windows authentication is enabled. This also includes authentication through NPS installed locally on the VPN server. If a RADIUS server is specified, then external RADIUS authentication is used.
IP address assignment configuration.
-- IPv4 addressing with DHCP address assignment is enabled by default. If an IP address range is specified, then static pool addressing is used.
-- IPv6 addressing is disabled by default. If an IPv6 prefix is specified, then v6 addressing is enabled and the prefix is used for the addresses.

Parameters

-CapacityKbps<UInt64>

Specifies the bandwidth processing capacity of the gateway in Kbps.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CimSession<CimSession[]>

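Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.


Aliases

Session

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false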

-ClientGpoName<String>

Specifies the name of the client GPO. The GPO name is specified in DOMAIN\GPO_NAME format. A domain can be one of the domains deployed in the corporate network.
If a GPO name is not specified, then by default a GPO with the following name is created in the domain of the DA server:
-- DirectAccess Client Settings.


Aliases

GpoName

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ComputerName<String>

Specifies the IPv4 or IPv6 address, or host name, of the computer on which the remote access server computer specific tasks should be run.


Aliases

Cn

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ConnectToAddress<String>

Specifies the DA server or NAT public address to which the clients connect. Specified as a host name or an IPv4 address. If the address is specified, then it must be public.


Aliases

none

Required?

true

Position?

3

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DAInstallType<String>

Specifies the configuration in which DA should be installed. The acceptable values for this parameter are:
-- FullInstall: DA is installed for both remote access and for the management of remote clients.
-- ManageOut: DA is installed only for the management of remote clients.


Aliases

none

Required?

true

Position?

2

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DeployNat

Specifies that DA should be deployed behind a NAT. In a single network adapter configuration scenario the DA server is always deployed behind a NAT and there is no need to specify this parameter.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-EntrypointName<String>

Specifies the identity of a site in a multi-site deployment where VPN needs to be installed. This is required in a scenario where DA with multi-site is already deployed and a user wants to additionally deploy VPN. If this parameter is not specified, then the entry point to which the server on which the cmdlet is run belongs is used. The server could also be represented using the ComputerName parameter.
If both this parameter and the ComputerName parameter are specified and the computer name does not belong to the site represented by the entry point name, then this parameter takes precedence and VPN is deployed at the site indicated by it.
Note: In a multi-site deployment, VPN can be installed at only one site at a time.
Note: In a S2S case, the cmdlet will install it on any one available node in that entry point.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-Force

Forces the command to run without asking for user confirmation.
When confirmation is suppressed, the cmdlet assumes user confirmation for the following conditions.
-- If an appropriate certificate for NLS is not found, then a self-signed certificate is created.
-- If an appropriate SSL certificate is not found, then a self-signed certificate is created.
Note: If the addresses are not static (such as DHCP), then ShouldContinue can be used.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-InformationAction<System.Management.Automation.ActionPreference>

Specifies how this cmdlet responds to an information event. The acceptable values for this parameter are:

-- SilentlyContinue
-- Stop
-- Continue
-- Inquire
-- Ignore
-- Suspend


Aliases

infa

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-InformationVariable<System.String>

Specifies a variable to store an information event message.


Aliases

iv

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-IPAddressRange<String[]>

Specifies that static pool IPv4 addressing should be enabled. This parameter contains an IP address range, consisting of a start IP and an end IP, from which IP addresses are allocated to VPN clients.
In a load balancing scenario only static pool IPv4 addressing is supported for a VPN (DHCP address assignment is not supported). This parameter must be specified and an IPv4 address range should be provided for every node in the cluster. This parameter is specified in the following format:
StartIPRange1, EndIPRange1, StartIPRange2, EndIPRange2, StartIPRange3, EndIPRange3, and so on.
The start and end IPs of each of the ranges must be specified one after the other and separated by commas.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-IPv6Prefix<String>

Enables IPv6 address assignment for a VPN and specifies the prefix to use for the addressing.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-InternalInterface<String>

Specifies the name of the corporate network facing interface. In a single network adapter configuration the same name is specified for both internal and internet interfaces.
If a name is not specified, then the cmdlet attempts to detect the internal interface automatically.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-InternetInterface<String>

Specifies the name of the internet facing interface. In a single network adapter configuration the same name is specified for both internal and internet interfaces.
If a name is not specified, then this cmdlet attempts to detect the internet interface automatically.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-Legacy

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-MsgAuthenticator<String>

Specifies that the usage of message authenticator should be enabled or disabled. The acceptable values for this parameter are:
-- Enabled.
-- Disabled.
The default value is Disabled.
This parameter is applicable only when a RADIUS server is being configured for authentication.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-MultiTenancy

Indicates that multitenancy is enabled for the service.


Aliases

none

Required?

true

Position?

3

Default Value

none

Accept Pipeline Input?

True (ByValue)

Accept Wildcard Characters?

false

-NlsCertificate<X509Certificate2>

Specifies that the Network Location Server (NLS) should be configured on the DA server itself and represents the certificate to be used. The subject name of the certificate should resolve to an address on the internal interface of the DA server.


Aliases

Certificate

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByValue)

Accept Wildcard Characters?

false

-NlsUrl<String>

Specifies that the NLS is present on a different server and represents the URL on the server that will be used to provide clients with location information.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-NoPrerequisite

Specifies that a prerequisite check should not be performed for DA.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-PassThru

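Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false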

-Prerequisite

Specifies that prerequisite checks should be performed. This parameter is part of a separate parameter set used to only run the prerequisite checks for DA.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-RadiusPort<UInt16>

Specifies the port number on which the RADIUS server is accepting authentication requests.
The default value is 1813.
This parameter is applicable only when a RADIUS server is being configured for authentication.


Aliases

Port

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-RadiusScore<Byte>

Specifies the initial score for the RADIUS server.
The default value is 30.
This parameter is applicable only when a RADIUS server is being configured for authentication.


Aliases

Score

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-RadiusServer<String>

Specifies the IPv4 or IPv6 address, or host name, of the RADIUS server that is to be used for authentication. Specifying this parameter indicates that RADIUS authentication should be used for VPN.


Aliases

ServerName

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-RadiusTimeout<UInt32>

Specifies the timeout value for the RADIUS server, in seconds.
The default value is 5 seconds.
This parameter is applicable only when a RADIUS server is being configured for authentication.


Aliases

Timeout

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ServerGpoName<String>

Specifies the name of the GPO for the DA server. Specified in the format DOMAIN\GPO_NAME.
If a name is not specified, then a GPO with the following name is created in the domain of a DA server:
-- DirectAccess Client Settings.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-SharedSecret<String>

Specifies the shared secret between the RA server and the specified external RADIUS server, which is required for successful communication between the two servers. Note: The secret is specified in plain text.
It is mandatory to specify this parameter if a RADIUS server is being configured for authentication.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ThrottleLimit<Int32>

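Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false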

-VpnType<String>

Specifies the type of VPN installation. The acceptable values for this parameter are:
-- Vpn
-- VpnS2S
-- SstpProxy
-- RoutingOnly


Aliases

RoleType

Required?

true

Position?

2

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before running the cmdlet.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/p/?LinkID=113216) on TechNet.

<WorkflowParameters>

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.Management.Infrastructure.CimInstance#RemoteAccessCommon

    The Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. The path after the pound sign (#) provides the namespace and class name for the underlying WMI object.
    The RemoteAccessCommon object consists of the following properties:
    -- The status of DirectAccess: installed or uninstalled.
    -- The status of VPN: installed or uninstalled.
    -- The status of site-to-site VPN: installed or uninstalled.
    -- The status of load balancing: enabled or disabled.
    -- The name of the internet-facing interface of the Remote Access server.
    -- The name of the internal-facing interface of the Remote Access server.
    -- The SSL certificate which is used for IP-HTTPS and SSTP.


Example 1: Log in as a test user and display error message

This command logs in as a test user who is not a domain user or an administrator on the server. This results in the error specifying that DA can only be configured by a user with local administrator permissions.


PS C:\> Install-RemoteAccess -PreRequisite

Example 2: Install Direct Access to allow remote clients to connect to corporate network

This command installs DA to allow remote clients to connect to the corporate network. The cmdlet searches for the Internet and Internal interfaces. If it finds both of these interfaces (as in this example), the cmdlet configures DA in edge topology. If the cmdlet does not find a public interface and the DeployNat parameter is not specified, the cmdlet will display the following error.


 

PS C:\> $RemAccess = Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress edge1.contoso.com -PassThru

 

Note: The cmdlet automatically creates a Server and a Client GPO with Default names in the domain to which the current computer is connected. The Client GPO will be filtered on Domain Computers Security Group by default. The default settings can be modified using Set-DAClient.

This cmdlet will prompt the user that IPsec and Firewall Policies will be updated. It will automatically try to locate a certificate for NLS and IP-HTTPS (SSL cert); if it does not find these, the cmdlet will prompt the user to create a self-signed certificate for the ones not found.


PS C:\> $RemAccess.DAStatus
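
The prerequisite checks and certificate behaviour described above can be scripted around the command in Example 2. This is an added example, not part of the original reference; the SslCertificate property name on the returned object (assumed to be an X509Certificate2) and the 30-day expiry threshold are assumptions.

```powershell
# Added example (not from the original reference page).
# Assumption: the object returned by -PassThru exposes the IP-HTTPS/SSTP
# certificate as an X509Certificate2 in a property named SslCertificate.

$connectTo = 'edge1.contoso.com'   # public name used in Example 2

# 1. Run only the prerequisite checks and collect every failure.
#    Non-terminating errors and warnings land in the variables below; the
#    terminating case (server not domain-joined, or Active Directory
#    unreachable) is handled by the catch block.
$preErrors = @()
$preWarnings = @()
try {
    Install-RemoteAccess -Prerequisite -ErrorAction SilentlyContinue `
        -ErrorVariable preErrors -WarningVariable preWarnings
}
catch {
    Write-Error "Prerequisite check stopped: $($_.Exception.Message)"
    return
}

if ($preErrors.Count -gt 0) {
    $preErrors | ForEach-Object { Write-Warning "Blocking: $($_.Exception.Message)" }
    return
}
$preWarnings | ForEach-Object { Write-Warning "Non-blocking: $($_.Message)" }

# 2. Install without -Force, so the prompts for creating self-signed
#    certificates still appear, and without -NoPrerequisite, so the checks
#    run again immediately before installation.
$ra = Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $connectTo -PassThru

# 3. Review what was actually deployed.
"DirectAccess status: $($ra.DAStatus)"
$cert = $ra.SslCertificate
if ($null -eq $cert) {
    Write-Warning 'No SSL certificate was reported for IP-HTTPS/SSTP.'
}
else {
    # Subject equal to issuer is the usual sign of a self-signed certificate.
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "IP-HTTPS certificate is self-signed: $($cert.Subject)"
    }

    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 30) {
        Write-Warning "IP-HTTPS certificate expires in $daysLeft days."
    }

    # The certificate is expected to match the ConnectToAddress value.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName = $cert.GetNameInfo($nameType, $false)
    if ($dnsName -ne $connectTo) {
        Write-Warning "Certificate name '$dnsName' differs from '$connectTo' (review wildcard certificates manually)."
    }
}
```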

Example 3: Deploy Direct Access behind another edge device

This command will deploy DA behind another edge device (NAT box). In the example setup, the DA server has a single network adapter connected to the corporate network named corp.contoso.com. Note: The public interface of the NAT device is the one used in the ConnectToAddress parameter. For a single network adapter behind NAT topology, the InternalInterface and InternetInterface parameters need to be mentioned, or the cmdlet will display an error that an external interface was not found.


PS C:\> Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress nat1.contoso.com -InternalInterface 'Internal Connection' -InternetInterface 'Internal Connection' -DeployNat
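
A VPN installation that uses the RADIUS parameters documented above, with the message authenticator enabled, a static address pool validated before use, and the shared secret kept out of the script file. This is an added example, not part of the original reference; the server name, port and address range are constructed values, and ConvertTo-UInt32 and Test-VpnIPv4RangeList are hypothetical helpers.

```powershell
# Added example (not from the original reference page).
# All host names, ports and addresses below are constructed.

function ConvertTo-UInt32 {            # hypothetical helper
    param([System.Net.IPAddress]$Address)
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)           # network order -> little-endian host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-VpnIPv4RangeList {       # hypothetical helper
    # Checks the documented format: StartIPRange1, EndIPRange1, StartIPRange2, ...
    param([string[]]$Range)
    if ($Range.Count -eq 0 -or $Range.Count % 2 -ne 0) { return $false }
    for ($i = 0; $i -lt $Range.Count; $i += 2) {
        $start = $null
        $end = $null
        if (-not [System.Net.IPAddress]::TryParse($Range[$i], [ref]$start)) { return $false }
        if (-not [System.Net.IPAddress]::TryParse($Range[$i + 1], [ref]$end)) { return $false }
        if ($start.AddressFamily -ne 'InterNetwork') { return $false }
        if ($end.AddressFamily -ne 'InterNetwork') { return $false }
        if ((ConvertTo-UInt32 $start) -gt (ConvertTo-UInt32 $end)) { return $false }
    }
    return $true
}

$pool = '10.10.50.10', '10.10.50.200'  # one start/end pair
if (-not (Test-VpnIPv4RangeList -Range $pool)) {
    throw 'IPAddressRange must be start/end IPv4 pairs with start <= end.'
}

# Prompt for the secret so it is not stored in the script or in command history.
$secure = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString

$vpnParams = @{
    VpnType          = 'Vpn'
    RadiusServer     = 'nps1.corp.contoso.com'
    # The page lists 1813 as the default. RFC 2865 assigns UDP 1812 to RADIUS
    # authentication, so set the port the RADIUS server actually listens on.
    RadiusPort       = 1812
    # Documented default is Disabled; the RADIUS server must be configured to match.
    MsgAuthenticator = 'Enabled'
    IPAddressRange   = $pool
    # -SharedSecret takes a plain-text String, so convert only at call time.
    SharedSecret     = (New-Object System.Net.NetworkCredential('', $secure)).Password
    PassThru         = $true
}

try {
    Install-RemoteAccess @vpnParams -WhatIf      # dry run: shows what would change
    $ra = Install-RemoteAccess @vpnParams
    $ra | Format-List
}
finally {
    # Drop the script's reference to the plain-text copy of the secret.
    $vpnParams.Remove('SharedSecret')
}
```

Where PowerShell module logging is enabled, bound parameter values can be written to the event log, so treat those logs as containing the shared secret.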
