Step by Step Create a User P2S VPN using Azure Secured Virtual Hub and Azure Active Directory #SDWAN #Azure #Secure

There are several ways to set up a VPN and to connect through it. In this blog I use an Azure Virtual WAN hub with the security and routing policies managed by Azure Firewall Manager, in other words a secured virtual hub.

When connecting to your virtual hub over IKEv2 you can use certificate-based authentication or RADIUS authentication. With the OpenVPN protocol you can additionally use Azure Active Directory authentication.

I will use OpenVPN with Azure Active Directory authentication. Remember that this is only supported on Windows 10, as you need the Azure VPN Client from the Microsoft Store.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

To give the VPN client the proper permissions you first need to register the Azure VPN application in your Azure AD tenant.

Below is the default URL that triggers the registration. It asks for admin consent (prompt=admin_consent), so sign in with an account that is allowed to consent on behalf of the tenant, a Global Administrator, which creates the Azure VPN enterprise application in your Azure AD.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Sign in with the proper credentials

Using the wrong account (for example a personal Microsoft account) ends up with:

AADSTS50020: User account from identity provider 'live.com' does not exist in tenant 'Microsoft' and cannot access the application '4b4' (Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Once you accept, you are redirected to the Azure portal.

In the Azure portal go to Azure Active Directory > Enterprise applications > All applications and search for Azure VPN to confirm that the registration succeeded.

Now that the basics are in place we can create the User VPN (point-to-site) configuration. The following information is needed.

Go to your Virtual WAN and select User VPN configurations.

Create User VPN (note: while writing this post the portal layout changed, so your screens may differ from the screenshots).

  • Configuration name – the name you want to give the User VPN configuration.
  • Tunnel type – OpenVPN.
  • Authentication method – Azure Active Directory.
  • Audience – the Application ID of the Azure VPN enterprise application registered in your Azure AD tenant. In the Azure Public cloud this is 41b23e61-6c1e-4545-b367-cd054e0ed4b4, the same client_id as in the registration URL above.
  • Issuer – https://sts.windows.net/{TenantID}/ (keep the trailing slash; without it the token validation fails).
  • AAD Tenant – https://login.microsoftonline.com/{TenantID}
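The same configuration can be created with Az PowerShell instead of the portal. The following is an added example, not code from the original post: it derives the Issuer and AAD Tenant values from the tenant ID (refusing anything that is not a GUID, since a mistyped tenant only fails later at sign-in), fixes the Audience to the Azure VPN app ID for the Azure Public cloud, and calls New-AzVpnServerConfiguration. The tenant ID, resource group, location and configuration name are placeholders.

```powershell
# Added example (not from the original post). Requires the Az.Network module and Connect-AzAccount.
function Get-AzureVpnAadSettings {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        # Application (client) ID of the "Azure VPN" enterprise application, Azure Public cloud
        [string] $Audience = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'
    )
    # Refuse anything that is not a GUID: a domain name or display name here fails silently later.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($TenantId, [ref]$guid)) {
        throw "TenantId '$TenantId' is not a GUID. Copy it from Azure Active Directory > Properties."
    }
    $id = $guid.ToString()
    [pscustomobject]@{
        Audience = $Audience
        # The issuer must keep the trailing slash, the tenant URL must not have one.
        Issuer   = "https://sts.windows.net/$id/"
        Tenant   = "https://login.microsoftonline.com/$id"
    }
}

# Placeholders (assumptions, not values from the post)
$tenantId      = '00000000-0000-0000-0000-000000000000'
$resourceGroup = 'rg-vwan-demo'
$location      = 'westeurope'
$configName    = 'uservpn-aad-openvpn'

$aad = Get-AzureVpnAadSettings -TenantId $tenantId

New-AzVpnServerConfiguration -Name $configName `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -VpnProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenant $aad.Tenant `
    -AadAudience $aad.Audience `
    -AadIssuer $aad.Issuer
```

Keeping the three strings in one function means the portal values, the PowerShell deployment and any later check of a downloaded client profile all come from the same place, so a missing trailing slash cannot creep in through copy and paste.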

Select OpenVPN as the tunnel type.

Go to Azure Active Directory > Properties and copy the Tenant ID.

Set the Azure Active Directory switch to Yes and the additional fields appear.

The GUID shown is your tenant ID; it replaces {TenantID} in the Issuer and AAD Tenant values.

Now that the User VPN configuration is created we can configure the hub and create the point-to-site gateway. Select your hub.

Select User VPN (Point to site) and then Create.

When creating the VPN gateway, select the User VPN configuration you just created.

Choose a client address pool that does not overlap with the hub, any connected VNet or your on-premises ranges, and if the workloads need it, a custom DNS server for the clients.

Updating a hub can take 30 minutes or more.

Download the User VPN profile, as we need it on the Windows 10 client later.

Use the VPN profile to configure your clients.

  1. On the page for your Virtual WAN, click User VPN configurations.
  2. At the top of the page, click Download user VPN config.
  3. Once the file has finished creating, you can click the link to download it.
  4. Use the profile file to configure the VPN clients.

Next, install the Azure VPN Client on your Windows 10 test device. It is distributed through the Microsoft Store.

Open the VPN client; you can add a new VPN connection or import one.

To import the connection, extract the zip file you just downloaded. The AzureVPN folder contains azurevpnconfig.xml, which holds the VPN configuration.

If anything goes wrong with the import, it is almost always your phonebook (.pbk) file.

Go to the following locations and delete the files. Be aware that rasphone.pbk holds all RAS and VPN connections on the machine, so this also removes any other VPN connections you had; back it up first if you need them.

%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

%userprofile%\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState
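Because deleting rasphone.pbk takes every other VPN connection with it, I prefer to move the files aside rather than delete them. The following is an added example, not from the original post: it backs up the phonebook and the Azure VPN Client state to a timestamped folder and then clears them. The backup folder and the client process name (AzureVpn) are assumptions.

```powershell
# Added example (not from the original post): reset the Azure VPN Client state
# as described in the text, but keep a timestamped backup so other VPN
# connections stored in rasphone.pbk can be restored.
function Reset-AzureVpnClientState {
    param([string] $BackupDir = (Join-Path $env:USERPROFILE 'vpn-backup'))  # assumed location

    $pbk   = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    $state = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState'

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    # The phonebook holds every RAS/VPN entry on the box, not only the Azure VPN one:
    # move it aside instead of deleting it so it can be put back.
    if (Test-Path $pbk) {
        Move-Item -Path $pbk -Destination (Join-Path $BackupDir "rasphone-$stamp.pbk")
    }

    # Close the client before touching LocalState, otherwise it rewrites the files on exit.
    # (process name assumed)
    Get-Process -Name AzureVpn -ErrorAction SilentlyContinue | Stop-Process -Force

    if (Test-Path $state) {
        Copy-Item -Path $state -Destination (Join-Path $BackupDir "AzureVpn-LocalState-$stamp") -Recurse
        Get-ChildItem -Path $state -Force | Remove-Item -Recurse -Force
    }
    "Backups written to $BackupDir; re-import azurevpnconfig.xml in the Azure VPN Client."
}

Reset-AzureVpnClientState
```

To undo, close the client and move the saved rasphone-*.pbk back to the Pbk folder.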

Now that the import worked, you are ready to connect to the VPN in Azure.

Use your Azure AD credentials or your FIDO2 security key.

Now we are fully connected to the secured Virtual WAN hub in Azure.

It can take some time to see your connection in the portal

The above shows that it is easy to set up, but I already hear the question: yes, but I need to do this on 5000 Windows 10 devices.

Microsoft Endpoint Manager (Intune) is your best friend.

Deploy the VPN profile with Microsoft Endpoint Manager

We create a Custom template. Do not pick the VPN profile type, as that one is not meant for uploading the XML.

In the custom settings we add the following:

  • Name: a name for the configuration.
  • Description: optional.
  • OMA-URI: ./User/Vendor/MSFT/VPNv2/demo01_hub-weu/azurevpnconfig.xml, where demo01_hub-weu is the value of the <name> tag in azurevpnconfig.xml.
  • Data type: String (XML file), and upload the azurevpnconfig.xml.
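Before pushing a profile to thousands of devices it is worth checking that the downloaded XML really points at your tenant and at the Azure VPN application, and that the OMA-URI matches its name. The following is an added example, not from the original post: it parses azurevpnconfig.xml, compares the audience, issuer and tenant against the values from the User VPN configuration above, and builds the OMA-URI with the same pattern as used here. The XML below is a constructed sample that follows the layout of a downloaded profile (element names as in the real file to the best of my knowledge, values are placeholders).

```powershell
# Added example (not from the original post). Constructed sample profile; replace with
# [xml](Get-Content .\AzureVPN\azurevpnconfig.xml -Raw) for a real download.
$sampleXml = @'
<AzVpnProfile xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/">
  <clientauth>
    <aad>
      <audience>41b23e61-6c1e-4545-b367-cd054e0ed4b4</audience>
      <issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</issuer>
      <tenant>https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000</tenant>
    </aad>
    <type>aad</type>
  </clientauth>
  <name>demo01_hub-weu</name>
  <serverlist>
    <ServerEntry>
      <fqdn>example.vpn.azure.com</fqdn>
    </ServerEntry>
  </serverlist>
  <version>1</version>
</AzVpnProfile>
'@

function Test-AzureVpnProfile {
    param(
        [Parameter(Mandatory)] [xml] $VpnProfile,
        [Parameter(Mandatory)] [string] $ExpectedTenantId,
        [string] $ExpectedAudience = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'  # Azure VPN app, Azure Public
    )
    $root = $VpnProfile.AzVpnProfile
    $aad  = $root.clientauth.aad
    # Use the indexer for <name>: XmlElement also has a .Name property (the tag name).
    $name = $root['name'].InnerText
    $errors = @()

    if ($root.clientauth['type'].InnerText -ne 'aad') {
        $errors += "auth type is '$($root.clientauth['type'].InnerText)', expected 'aad'"
    }
    if ($aad.audience -ne $ExpectedAudience) {
        $errors += "audience '$($aad.audience)' is not the Azure VPN application"
    }
    # Issuer carries a trailing slash, the tenant URL does not; both must name the expected tenant.
    if ($aad.issuer -ne "https://sts.windows.net/$ExpectedTenantId/") {
        $errors += "issuer '$($aad.issuer)' does not match tenant $ExpectedTenantId (check the trailing slash)"
    }
    if ($aad.tenant -ne "https://login.microsoftonline.com/$ExpectedTenantId") {
        $errors += "tenant '$($aad.tenant)' does not match tenant $ExpectedTenantId"
    }
    if ([string]::IsNullOrWhiteSpace($name)) {
        $errors += 'profile has no <name>, the OMA-URI cannot be built'
    }

    [pscustomobject]@{
        Name    = $name
        Servers = ($root.serverlist.ServerEntry | ForEach-Object fqdn) -join ','
        # Same pattern as the OMA-URI in the text: the profile <name> is the path segment.
        OmaUri  = "./User/Vendor/MSFT/VPNv2/$name/azurevpnconfig.xml"
        IsValid = ($errors.Count -eq 0)
        Errors  = $errors
    }
}

$result = Test-AzureVpnProfile -VpnProfile ([xml]$sampleXml) `
    -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
$result | Format-List
```

Run it against the real azurevpnconfig.xml from the downloaded zip; if IsValid is false, fix the User VPN configuration and download the profile again rather than editing the XML by hand.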

Now that this is done we can create the assignments and test on the pilot group.

As you can see there are a few steps involved, and they all link together.

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

How to setup Azure VPN for Site-to-Site Cross-Premises or Create a Virtual Network for Point-to-Site #VPN #Azure #winserv

There are a lot of really good blog posts on how to create an Azure site-to-site VPN, and as the vNext Windows Server connects more and more to the cloud, I'll show you how to create an S2S and P2S (point-to-site) VPN setup. The VPN gets you a real hybrid network, and that can be awesome, so keep reading my blog posts. The next post will be more about hybrid configurations.

So what do we need for a hybrid environment? I'll set up a poor man's version: one Hyper-V server, a home router and an Azure subscription.

First we set up a Windows Server. Nothing special is needed: 4 GB memory and one disk, but with two network cards (this is a VM).

One NIC is on my corporate network and the other NIC is connected to the friendly Internet.

When the server is installed you only need to install the RRAS role services; no further configuration is needed at this point. Use the GUI or PowerShell:

Add-WindowsFeature DirectAccess-VPN,Routing

That is all that is needed on the server. On your router you will need two port-forwarding (NAT) rules towards the RRAS server, typically UDP 500 and UDP 4500 for IKEv2. Be aware that running the gateway behind NAT is not officially supported.

But this all depends on you network configuration. 

The next step is Azure .

As I do not yet have a network in Azure, I create one for the VMs that I will build after the network configuration. If you already have a network in Azure you can use that one.

Which option? It does not matter much: Quick Create can be configured after the network is created, and Custom Create is more wizard driven.

For the screenshots I pick Custom.

The first step is to pick a network name; it cannot be changed afterwards (well, not easily).

The next step is the checkboxes and DNS. I use an on-premises DNS server, but if you run DNS in Azure you can use that server.

If you already have a network you can pick the DNS servers from the list and also pick an existing local network.

In this case everything is new, so give the DNS server a name and IP. This is my local DNS server, and I also add an Internet DNS server, just because it is an easy IP address to remember.

I select Configure a point-to-site VPN and Configure a site-to-site VPN, and for the local network I choose a new local network.

Now that the diagram is filled in we do some configuration. My local network is a 10.x network and in this scenario I do not want the same range in Azure.

So I pick 172.16.32.0/24 as the client address pool for my point-to-site VPN.

The next step is more complicated: we need to pick a local-network name and find the external IP of our network, as that is the address Azure will dial for the site-to-site tunnel.

To find my external IP I use Bing and ask "what is my IP".

Easy.

The Next step is create a Address space for this network.

You have to tick Add gateway subnet; this subnet is used by the site-to-site VPN gateway.

See the Virtual Network Address Spaces page in About Configuring a Virtual Network using the Management Portal.

Tick the box and you can see it creating the network configuration, but not the gateway; that is done in the next step.

After the network creation is done we add the gateway configuration and create the gateway.

This takes about 30 minutes to create (and costs you about 12 euro a month).

While this is creating we configure the P2S VPN.

One way to create an X.509 certificate is with the Certificate Creation Tool (makecert.exe). To use makecert, download and install Microsoft Visual Studio Express 2013 for Windows Desktop, which is free of charge. Note that Microsoft has since deprecated makecert in favour of the New-SelfSignedCertificate PowerShell cmdlet.

In this case I'll use makecert.

Generate a self-signed root certificate; the name can be your name or whatever you like.

makecert -sky exchange -r -n "CN=BlogRootCert" -pe -a sha1 -len 2048 -ss My "BlogRootCert.cer"

Generate a client certificate signed by that root:

makecert.exe -n "CN=BlogClientCert1" -pe -sky exchange -m 96 -ss My -in "BlogRootCert" -is my -a sha1
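The same root and client certificate pair can be produced without Visual Studio. The following is an added example, not code from the original post: it uses New-SelfSignedCertificate (the cmdlet that replaces the deprecated makecert), signs with SHA-256 instead of the SHA-1 used by the makecert lines above, gives the client certificate the Client Authentication EKU, exports only the public part of the root for upload to Azure, and exports the client certificate with its private key as a password-protected .pfx. The certificate names follow the post; the output folder is an assumption.

```powershell
# Added example (not from the original post). Run in PowerShell on the machine that acts as your
# private CA for this VPN; the root's private key never needs to leave it.
$rootName   = 'BlogRootCert'
$clientName = 'BlogClientCert1'
$outDir     = Join-Path $env:USERPROFILE 'Desktop\p2s-certs'   # assumed output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Self-signed root in the current user's Personal store, allowed to sign other certificates.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate issued by that root with the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
# Issue one per device, so a lost device can be dealt with by its own thumbprint.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Root: public part only (.cer, DER) for upload to the Azure gateway.
Export-Certificate -Cert $root -FilePath (Join-Path $outDir "$rootName.cer") | Out-Null
# Same public key as Base64 text, for portals that take the certificate as text instead of a file.
[Convert]::ToBase64String($root.RawData) | Set-Content (Join-Path $outDir "$rootName.b64.txt")

# Client: private key included (.pfx), password protected, copied to the single device that uses it.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for $clientName.pfx"
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir "$clientName.pfx") `
    -Password $pfxPassword | Out-Null

"Root thumbprint  : $($root.Thumbprint)"
"Client thumbprint: $($client.Thumbprint)"
```

Only the .cer goes to Azure; the .pfx is the device's identity and should be handled like a password. Record the client thumbprints, as that is what you need if a certificate has to be revoked later.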

All certificates are stored in your Personal certificate store (certmgr.msc, Current User > Personal); check there to verify. You can generate as many client certificates as needed this way. Create a unique client certificate for each computer that will connect to the virtual network, so that one lost device does not mean replacing everyone's certificate.

A client certificate must be installed on each computer that connects to the virtual network, so you will probably create several and need to export them. To export a client certificate use certmgr.msc: right-click the certificate, click All Tasks and then Export.

Export the client certificate with the private key; this produces a .pfx file. Make sure to record the password you set for it, and treat the .pfx as a secret: it is the client's identity on the VPN.

Copy the .pfx file to the client computer and double-click it to install it, entering the password when asked. Do not change the installation location.

The root certificate is needed in Azure, so we import it there. When the gateway is ready you can see under Clients that it needs a certificate.

The certificate to upload is the public part (.cer) of the root certificate created above (BlogRootCert). Only the public certificate goes to Azure; the root's private key stays in the Personal store of the machine that issues the client certificates.

Now that all the Azure configuration is done we configure the RRAS server. As you can see in the overview, the gateway and the P2S VPN are not connected yet.

On the right there is a short list of download links.

First we download the RRAS configuration script: Download VPN Device Script.

Make sure you select Windows Server 2012 R2, as that is what we use for the gateway.

When running this script on the RRAS server there is a common error: the script restarts the RRAS service, so the connect command right after it cannot connect yet. Just run the connect line again and it works.

The download is a .cfg file; rename it to .ps1 or run it in the PowerShell ISE as I did.

# Dial-in to Azure gateway
Connect-VpnS2SInterface -Name 191.233.89.184
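Instead of re-running the connect line by hand after the service restart, the step can wait for RemoteAccess to come back and retry until the interface reports Connected. The following is an added example, not part of the downloaded device script or the original post; the interface name is the Azure gateway IP used above, and the number of attempts and the delay are my choices.

```powershell
# Added example (not from the original post or the Azure device script).
function Connect-AzureS2SWithRetry {
    param(
        [Parameter(Mandatory)] [string] $InterfaceName,
        [int] $Attempts = 6,        # assumed
        [int] $DelaySeconds = 10    # assumed
    )
    # The device script restarts RemoteAccess; wait until the service is back before dialling.
    $svc = Get-Service -Name RemoteAccess
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

    $state = 'Unknown'
    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            Connect-VpnS2SInterface -Name $InterfaceName -ErrorAction Stop
        } catch {
            Write-Warning "Attempt $i of ${Attempts}: $($_.Exception.Message)"
        }
        $state = (Get-VpnS2SInterface -Name $InterfaceName).ConnectionState
        if ($state -eq 'Connected') {
            return (Get-VpnS2SInterface -Name $InterfaceName |
                Select-Object Name, Destination, ConnectionState)
        }
        Start-Sleep -Seconds $DelaySeconds
    }
    throw "Interface '$InterfaceName' is still '$state' after $Attempts attempts. " +
          "Check the shared key, the UDP 500/4500 forwarding on the router and the local network address configured in Azure."
}

# Dial-in to the Azure gateway from the post
Connect-AzureS2SWithRetry -InterfaceName '191.233.89.184'
```

If it still fails after all attempts, the message points at the three things that usually break a first S2S connection: a pre-shared key that does not match the gateway, the router not forwarding IKE to the RRAS server, and the local network in Azure not matching the router's public IP.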

The site-to-site VPN is now connected.

For the client you download the 64-bit Client VPN Package.

Keep in mind that Windows does not trust a downloaded EXE, so before you can install it you need to unblock it (right-click > Properties > Unblock, or Unblock-File in PowerShell).

Now that the file is unblocked we can install the VPN client. It is a quick install with no screens to view, but in the network list you will see a new network, in this case BlogHybrid.

To connect, just click the network and then Connect.

Now I'm connected.

As you can see I'm connected with both a point-to-site VPN and a site-to-site VPN.

With the site-to-site VPN I can join Windows Azure servers to my local domain.

With the point-to-site VPN I can connect to a Windows Azure VM on its internal IP without using the VNname.cloudapp.net address.

And you can also connect Azure to Azure with a VPN between subscriptions.

This will be the basis for my next blog post. Azure is very useful for easy testing and for getting a heavy machine for your workload, even for just one day.

Happy clustering

Robert Smit

@clusterMVP

https://robertsmit.wordpress.com

Technorati Tags: Windows Azure,Azure File service,Windows,Server,Clustermvp,Blob,cloud witness