Step by Step Create a User P2S VPN using Azure Secured Virtual Hub and Azure Active Directory #SDWAN #Azure #Secure

There are multiple ways on use a VPN and connect and use this. In this blog I use an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager.

When connecting to your Virtual Hub over the IKEv2 protocol, you can use certificate-based or RADIUS . However, when you use the OpenVPN protocol, you can also use Azure Active Directory .

I will use the open VPN with Azure Active Directory authentication. Remember this is only supported on Windows 10 as you will need the Azure VPN client from the microsoft store.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

For giving the vpn application the proper permissions, you need to register the application to your Azure AD first.

below is the default URL that can be used to trigger the registration, use the proper rights to create an enterprise App in you Azure AD

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Sign in with the proper credentials

image

Using the wrong account will end up in

AADSTS50020: User account  from identity provider ‘live.com' does not exist in tenant ‘Microsoft' and cannot access the application ‘4b4′(Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

When Accepted the you will be redirected to the Azure portal.

image

In the Azure portal you can go to the Azure active directory and

Enterprise applications | All applications  and search for Azure VPN

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Now that the basics are in place, we can configure our Site to Site VPN profile the following information is needed.

Go to your Virtual Wan and select the user VPN configuration

imageimagehttps://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Create User VPN ##### I noticed during the writing of this blog post the screens may differ as the portal changed the layout#######

  • Configuration name – Enter the name you want to call your User VPN Configuration.
  • Tunnel type – Select OpenVPN.
  • Authentication method – Select Azure Active Directory.
  • Audience – Type in the Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
  • Issuerhttps://sts.windows.net/tenantID/
  • AAD Tenanthttps://login.microsoftonline.com/TenantID

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Select open VPN

image

image

Set the switch to yes and new fields will open.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

#the number is your tenant ID

image

Now that the VPN user profile is created we can configure the HUB

image

Now that the user vpn profile is created we can create the P2S VPN.  Select your hub

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Select the user VPN point to site VPN  select create

image

Creating a VPN gateway you need to select the just created User profile.  

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Select a proper IP subnet and if needed a DNS server for the workload into that network

Updating a hub can take 30 minutes or more.

image

Download User VPN profile as we need this on the Windows 10 client later.

Use the VPN profile to configure your clients.

  1. On the page for your Virtual WAN, click User VPN configurations.
  2. At the top of the page, click Download user VPN config.
  3. Once the file has finished creating, you can click the link to download it.
  4. Use the profile file to configure the VPN clients.

imageimage

To download the Azure VPN client on your windows 10 test device.

Use this link to download the Azure VPN Client.

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011image

Open the VPN Client you can add a new VPN or import a Connection

image https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

For Importing the Connection we need the just downloaded zip file and extract this in the AzureVPN folder there is a XML that holds the vpn configuration.

image

image https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

If any thing goes wron with the import it is 99% your pbk file,

image

go to the following folder and delete the files – this will probably also remove your other vpn connections it you had any.

%userprofile%AppDataRoamingMicrosoftNetworkConnectionsPbkrasphone.pbk

C:UsersadminAppDataLocalPackagesMicrosoft.AzureVpn_8wekyb3d8bbweLocalState

imageimage

Now that the Import worked and you are ready to connect to the VPN in Azure.

image

  Use your Azure AD credentials or your FIDO2 key

imageimage

image

  Now we are fully connected to the Secure Virtual WAN in Azure

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

It can take some time to see your connection in the portal

image

Showing the above it all is easy to setup this but I already see the questions yes but I need to do this on 5000 Windows 10 devices.  

Microsoft Endpoint Management is your best friend.

Deploy VPN with Microsoft Endpoint Management 

We create a Custom Template and do not select the VPN option as this is not for uploading the XML

image

image

In our Custom settings we add the Following settings

  • Name: Enter a name for the configuration.
  • Description: Optional description.
  • OMA-URI: ./User/Vendor/MSFT/VPNv2/demo01_hub-weu/azurevpnconfig.xml (this information can be found in the azurevpnconfig.xml file in the tag Name).
  • Data type: String (XML file).

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Now that this is done we can create some assign ments and test this on the pilot group

image

As you can see there are a few steps involved and are linked together

https://docs.microsoft.com/en-us/learn/modules/introduction-azure-virtual-wan/?WT.mc_id=AZ-MVP-4025011

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Author: Robert Smit [MVP]

Robert Smit is Senior Technical Evangelist and is a current Microsoft MVP in Clustering as of 2009.
Robert has over 20 years experience in IT with experience in the educational, health-care and finance industries.
Robert's past IT experience in the trenches of IT gives him the knowledge and insight that allows him to communicate effectively with IT professionals
who are trying to address real concerns around business continuity, disaster and regulatory compliance issues. Robert holds the following certifications:
MCT – Microsoft Certified Trainer, MCTS – , MCSE, MCSA and MCPS. He is an active participant in the Microsoft newsgroup community and is currently focused on Hyper-V, Failover Clustering, SQL Server, Azure and all things related to Cloud Computing and Infrastructure Optimalization.
Follow Robert on Twitter @ClusterMVP
Or follow his blog https://robertsmit.wordpress.com
Linkedin Profile Http://nl.linkedin.com/in/robertsmit

Robert is also capable of transferring his knowledge to others which is a rare feature in the field of IT. He makes a point of not only solving issues but also of giving on the job training of his colleagues.

A customer says ” Robert has been a big influence on our technical staff and I have to come to know him as a brilliant specialist concerning Microsoft Products. He was Capable with his in-depth knowledge of Microsoft products to problems and develop our infrastructure to a higher level. I would certainly hire him again in the future. ”

Details of the Recommendation: “I have been coordinating with Robert implementing a very complex system. Although he was primarily a Microsoft infrastructure specialist; he was able to understand and debug .Net based complext Windows applications and websites. His input to improve performance of applications proved very helpful for the success of our project

 

This article was originally published by The Windows Server HA Blog. You can find the original article here.