Tag: VPN

Azure VPN Azure Active Directory authentication

Create Azure P2S VPN with Azure AD authentication

A couple of days ago, we announced that you can now use Azure Active Directory to authenticate Point-to-Site (P2S) VPN connections to your Azure virtual network. Previously, you could connect to your Azure virtual network (VNet) using certificate-based or RADIUS authentication; if you use the OpenVPN protocol, you can now also use Azure Active Directory authentication. In this blog post, I will walk you through how to set up an Azure P2S VPN connection using Azure AD authentication.

Prerequisites

To set this up, you will need a couple of things in place before we get started. Here are the prerequisites:

If you already have this in place, you are good to go.

How to configure Azure P2S VPN with Azure AD authentication

First, you will need to look up your Azure AD Directory ID that you want to use for authentication. It is listed in the properties of the Azure AD page.

Azure AD Directory ID


Next, you will need to grant admin consent. Copy the following URL into your browser's address bar. This URL is for Azure Public; if you are deploying in Azure Government, Azure Cloud Germany or Azure China, check out the following Microsoft Docs article.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

You will be prompted to accept the Azure AD VPN application. You will need to log in with an account that has Global Admin rights.

If you now go back to your Azure Active Directory tenant and open Enterprise applications, you will see Azure VPN listed.

Azure AD Azure VPN App


After that, you will find the Azure VPN application registered in your Azure Active Directory.

Registered App


Enable Azure AD authentication on the VPN gateway

Now we need to configure the Azure Virtual Network Gateway itself. For that, you will need to have a functional point-to-site VPN environment already (see prerequisites). If you don’t have one, you can follow these steps here: Configure a Point-to-Site VPN connection to a VNet using native Azure certificate authentication: Azure portal

To enable Azure AD authentication on the Azure Virtual Network Gateway (VPN Gateway), you need to run the following Azure PowerShell commands.

$gw = Get-AzVirtualNetworkGateway -Name "name of VPN gateway" -ResourceGroupName "Resource group"
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @()
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/your Directory ID" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/your Directory ID/" -VpnClientAddressPool 192.168.0.0/24 -VpnClientProtocol OpenVPN

You can also modify the client IP address pool if you need to. The GUID 41b23e61-6c1e-4545-b367-cd054e0ed4b4 is the Application ID of the Azure VPN Client in Azure Public Cloud.

Now you can create the VPN profile for the client by running the following Azure PowerShell commands. By the way, you can also run Azure PowerShell directly from Azure Cloud Shell.

$vpnProfile = New-AzVpnClientConfiguration -Name "name of VPN gateway" -ResourceGroupName "Resource group" -AuthenticationMethod "EapTls"
$vpnProfile.VpnProfileSASUrl

Copy the URL to your browser to download the profile in a zip file.
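The same gateway configuration and profile download as one parameterized script, with a read-back check of the stored Azure AD settings before any profile is handed out. This is an added example, not code from the original post: the parameter names, the output path, and the property names on `VpnClientConfiguration` (`AadTenant`, `AadAudience`, `AadIssuer`, `VpnClientProtocols`) are assumptions about the Az.Network object model; the audience GUID is the Azure VPN application ID for Azure Public stated in the post.

```powershell
# Added example (not from the original post). Configures a P2S gateway for
# OpenVPN + Azure AD and downloads the client profile. Parameter names and the
# VpnClientConfiguration property names are assumptions; adjust for your module.
param(
    [Parameter(Mandatory)][string]$TenantId,      # Azure AD Directory ID (GUID)
    [Parameter(Mandatory)][string]$GatewayName,
    [Parameter(Mandatory)][string]$ResourceGroup,
    [string]$ClientAddressPool = '192.168.0.0/24',
    [string]$OutFile = "$env:TEMP\azurevpnconfig.zip"
)

$ErrorActionPreference = 'Stop'

# Fail early on a malformed Directory ID instead of writing a broken issuer URI.
$null = [guid]::Parse($TenantId)

$audienceId = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'   # Azure VPN app, Azure Public
$tenantUri  = "https://login.microsoftonline.com/$TenantId"
$issuerUri  = "https://sts.windows.net/$TenantId/"      # note the trailing slash

$gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

# Drop certificate authentication and switch the gateway to OpenVPN with Azure AD.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @() | Out-Null
$gw = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
        -AadTenantUri $tenantUri -AadAudienceId $audienceId -AadIssuerUri $issuerUri `
        -VpnClientAddressPool $ClientAddressPool -VpnClientProtocol OpenVPN

# Read back what the gateway actually stored; a typo in the tenant or issuer URI
# would otherwise only show up as failed client logins later.
$cfg = $gw.VpnClientConfiguration
if ($cfg.AadTenant -ne $tenantUri -or $cfg.AadAudience -ne $audienceId -or $cfg.AadIssuer -ne $issuerUri) {
    throw "Gateway AAD settings do not match the requested values: $($cfg | ConvertTo-Json -Compress)"
}
if ($cfg.VpnClientProtocols -notcontains 'OpenVPN') {
    throw "OpenVPN is not enabled on gateway $GatewayName"
}

# Generate the client profile and download the zip directly instead of pasting the SAS URL into a browser.
$vpnProfile = New-AzVpnClientConfiguration -Name $GatewayName -ResourceGroupName $ResourceGroup -AuthenticationMethod 'EapTls'
Invoke-WebRequest -Uri $vpnProfile.VpnProfileSASUrl -OutFile $OutFile
Write-Host "Profile saved to $OutFile (contains azurevpnconfig.xml for the Azure VPN client)."
```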

Download AzureVPN Configuration XML


This zip file contains the azurevpnconfig.xml file with the settings for the VPN connection, which users can import into their Azure VPN client. You can find more information about setting this up on Microsoft Docs.

Configure a VPN client for P2S OpenVPN protocol connections using Azure AD authentication

The next step will be to download the Azure VPN client here.

After you have installed the Azure VPN client, you can start configuring the VPN client.

Configure Azure VPN Client


Click on the bottom left on the “+” sign and click on Import. Select the azurevpnconfig.xml file.

Import azurevpnconfig.xml file


You can now review the settings for the configuration.

Review Settings


You can also set up the configuration manually if you want. The Tenant value is the login URL of your Azure AD tenant (including your Directory ID), and the Audience is the Application ID of the Azure VPN application registered in your Azure AD tenant.

Azure VPN Client Azure AD Configuration


After that, you can use the Azure VPN client to connect to your virtual network. It will prompt you to log in with your Azure AD credentials.

Azure Active Directory Azure VPN connected


If you need more information to set up the VPN client or find some additional troubleshooting information, have a look at this Microsoft Docs article.

I hope this gives you a great overview of how you can set up Azure VPN using OpenVPN and Azure Active Directory (Azure AD) for authentication. You can find the official documentation about configuring your Azure AD tenant as well as the VPN gateway here, and you can find the documentation to configure the VPN client here. If you have any questions, feel free to leave a comment.



Azure OpenVPN Support

OpenVPN support in Azure VPN gateways

Today, the Azure networking team announced the General Availability (GA) of the OpenVPN protocol in Azure VPN gateways for P2S connectivity. OpenVPN is open-source software that implements virtual private network (VPN) connectivity. Since OpenVPN is widely used in the industry, many devices already have an OpenVPN client built in. OpenVPN support for Azure VPN gateways should make it easy to set up new VPN connectivity to Azure virtual networks.

To use OpenVPN, you can now simply select the tunnel type OpenVPN. You can find more information about how to set up an Azure VPN gateway here.

We are announcing General Availability (GA) of OpenVPN protocol in Azure VPN gateways for P2S connectivity. OpenVPN is a popular open source VPN protocol supported in all major platforms (Windows, macOSX, Linux, Android) and available pre-installed on several WiFi routers and IoT devices. Adding OpenVPN protocol to Azure P2S VPN greatly expands our client footprint for TLS/SSL-based VPN customers and ecosystem.

– Ali Zaman, Senior Program Manager at Microsoft

To enable OpenVPN on your gateway, you can run the following Azure PowerShell commands. Make sure that the gateway is already configured for point-to-site (IKEv2 or SSTP) before running them:

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $name
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientProtocol OpenVPN

You can find more information about OpenVPN support in Azure on Microsoft Docs:

Alongside the Windows Server Azure Network Adapter, which lets you configure a P2S VPN for Windows Server directly from Windows Admin Center, this is another step towards making connectivity to Azure even easier. If you have any questions, please let me know in the comments.

If you want to learn more about Azure networking in general, check out the recording from my Microsoft Ignite The Tour session in Amsterdam, where I was speaking about the basics of building a Hybrid Connectivity with Microsoft Azure.



Windows Server 2019 Azure Network Adapter

How to set up Windows Server Azure Network Adapter

In my series about Windows Server 2019, I have a new feature I want to introduce you to. The Windows Server 2019 Azure Network Adapter is one of the Hybrid Cloud efforts Microsoft is making in Windows Server 2019. A lot of workloads run cross-cloud and require connections to virtual machines running in Azure. To achieve this, there are several options, such as Site-to-Site VPN, Azure ExpressRoute or Point-to-Site VPN. With Windows Admin Center and the Windows Server 2019 Azure Network Adapter, you get a one-click experience to connect your Windows Server to your Azure Virtual Network using a Point-to-Site VPN connection.

Even though this might not fit every enterprise scenario, there are many situations where you quickly want to connect a server to Azure. The Azure Network Adapter gives you that capability with a one-click button. And by the way, it also works on Windows Server 2012 R2 and higher.



Windows Server 2019 Add Remote Access Role

How to install VPN on Windows Server 2019

This blog post is a step-by-step guide on how to install and configure VPN on Windows Server 2019. It shows you how you can easily set up a VPN server for a small environment, a branch office, or a hosted server scenario. This VPN (Virtual Private Network) server allows remote clients or firewalls to connect to the Windows Server.

I already did a similar post for other versions of Windows.

To install VPN access on Windows Server 2019, simply follow this step-by-step guide:



Installation Windows Server 2016 VPN

How to Install VPN on Windows Server 2016

This post shows you how to install a VPN server on Windows Server 2016 step by step. It shows you how you can easily set up a VPN server for a small environment or for a hosted server scenario. This blog post covers how you can use Windows Server VPN.

This is definitely not a guide for an enterprise deployment. If you are thinking about an enterprise deployment, you should definitely have a look at DirectAccess.

I already did similar blog posts for Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

You can simply follow this step by step guide:

Install the Windows Server VPN Role

First, install the “Remote Access” role via Server Manager or Windows PowerShell.

Install Remote Access Role VPN

Select the “DirectAccess and VPN (RAS)” role services and click next.

DirectAccess and VPN (RAS)



Green Cloud based on Windows Server Hyper-V and Windows Azure Pack

If you are looking to host some IaaS workloads or build a Hybrid Cloud environment connected to a service provider in Switzerland, you probably want to check out the Green Hyper-V ServerCloud.

Based on Hyper-V technology from Windows Server 2012 R2, Green virtual servers provide you with a powerful, high-availability server platform for your applications. The virtual servers can be seamlessly integrated into your existing IT environment, using Site-2-Site VPN.

Green also offers its own image container function in Windows Azure Pack, which allows you to quickly and smoothly migrate your server to the Hyper-V ServerCloud, including configuration and software. Upload your VHDX and ISO images and save valuable time on reinstallation and setup.

Options and the ability to gradually expand the system pave the way for future growth. From individual applications to virtualization of entire IT areas, Server Cloud offers enough scope for your business.

Green Server Cloud

Some of the cool things Green offers in their cloud solution:

  • Cloud based on Windows Server 2012 R2 Hyper-V and Windows Azure Pack
  • Powerful packages on virtual server with up to 16 CPU cores and 128GB RAM
  • Windows Server 2008 R2 and Windows Server 2012 R2 Images
  • Linux Images (CentOS and more…)
  • Bring your own Server and ISO Images
  • Create VM Checkpoint (Snapshots) right from the Tenant Portal
  • Seamless expansion of local infrastructure through network virtualization and free-of-charge site-to-site VPN
  • Local service and support in three local languages
  • High Security standards implemented in the Green Datacenter
  • Server Location in Switzerland
  • Hyper-V Replica support – replicate your Hyper-V virtual machines to the Green Cloud for DR scenarios
  • 30 days free trial

Green Business Connectivity and Security

Green Cloud Datacenters

Green uses its own datacenters to host the Green Cloud. The Green Cloud is hosted in their Tier 4 and Tier 3 datacenters for maximum security. The newest green.ch data center offers all the benefits of a state-of-the-art data center. It is situated in an excellent location, is the only Swiss data center that was awarded a Tier 4 design certification, and was designed for energy-efficient operation.

The Lupfig site is located west of Zurich in an easy to access location. It is far away from hazardous zones, yet centrally located within the Zurich-Basel-Bern business triangle.

From the very beginning, greenDatacenter Zurich West was designed for highest availability. All systems required for operation are duplicated. Multiple feeds are used for the power and emergency power supply, and the connection to the data network. And these feeds are even separately routed within the data center. Four security perimeters protect the data center against unauthorized access. Security measures include biometric access systems.

The Swiss Federal Office of Energy awarded greenDatacenter Zurich West the Watt d’Or 2013 for exemplary energy efficiency in the buildings and space category.

Green Cloud Technology

Green Cloud Image Container

As already mentioned, Green uses the Microsoft Cloud Platform stack with Windows Azure Pack and Windows Server 2012 R2 Hyper-V for their cloud offering. By using Hyper-V Network Virtualization and Site-2-Site VPN, customers can easily connect their local networks to the Green Cloud and build a Hybrid Cloud scenario. Green has also extended their offering beyond the standard WAP features by adding Hyper-V Replica support, the option to create Checkpoints (Snapshots) of virtual machines, and the possibility to bring your own server images and ISO images to the Green Cloud.

Green Cloud Checkpoints

So if you are interested in what Green offers, check out the 30-day free trial offering.



Getting Started Wizard

How to Install VPN on Windows Server 2012 R2

This post shows you how to install a VPN server on Windows Server 2012 R2 step by step. It shows you how you can easily set up a VPN server for a small environment or for a hosted server scenario.

This is definitely not a guide for an enterprise deployment. If you are thinking about an enterprise deployment, you should definitely have a look at DirectAccess.

I already did a similar post on Windows Server 2008 R2 and Windows Server 2012.

First, install the “Remote Access” role via Server Manager or Windows PowerShell.

Remote Access