Windows Azure VPN - How to Install/Use Azure Connect
I'm feeling like an idiot here. I've setup a simple Windows virtual machine in Azure that needs to be accessed via VPN by 12 remote users (who all work from home) to simply access a shared drive. I thought this would be super easy, but I have spent days trying to figure this out.

I have the server set up and I've now realized (after days of searching) that traditional PPTP or L2TP VPNs using RRAS won't work because the Azure framework prevents these protocols. I've also seen posts like this one that say to use Azure Connect and that it should work for our needs. However, the references in that post to Herve Roggero's Blog and even Microsoft's own Azure Support Site talk about features that are not available to me, and the screenshots don't look anything like what I see on my Azure console. In fact, the Microsoft site's help documents are 2 to 2.5 years old. Seriously MS... update your docs!

My console looks like this image (sample image from a Google search... not my real interface)

However, the articles reference consoles that look like this image

Am I not on the right version of Azure? Did they update the interface and not update their documentation? Bottom line, how (using the Azure interface that I have) can I use the Azure Connect? I tried creating a Virtual Network, but there is nothing on there that has an option to Install Local Endpoints with Windows Azure Connect. Am I an idiot or am I missing something here?

Chapple answered 18/2, 2013 at 22:40 Comment(0)
FYI - there is a blog post on how to setup an SSTP VPN Provider on Azure (without connect):

http://blogs.msdn.com/b/notime/archive/2013/06/01/how-to-configure-windows-azure-server-2012-as-an-sstp-vpn-provider.aspx

1. Create new Windows Server VM using "Quick Create"
2. The DNS name, username and password will be used to connect to the VPN
3. The public port created by default for RDP is a random one between 41952-65535. But you can edit the endpoint to change the public port to 3389. Go to Virtual Machines, select the VM, select Endpoints, select RemoteDesktop endpoint, click Edit Endpoint at the bottom and change the public port to 3389.
4. Create TCP endpoint at port 443
5. Connect using Remote Desktop (RDP) through the Dashboard

---------- Server Role
1. Click on Server Manager -> Manage -> "Add Roles and Features"
2. Add "Remote Access", include VPN and Routing (needed for NAT) role services and restart
3. Click on Server Manager -> Notifications -> "Open the Getting Started Wizard"
4. Select "Deploy VPN only"

---------- Server Certificate
1. Open an elevated CMD prompt
2. Use SelfSSL (IIS6 Resource Kit, custom install only this component, http://support.microsoft.com/kb/840671 ) to generate an SSL certificate for the SSTP:
C:\>"c:\Program Files (x86)\IIS Resources\SelfSSL\selfssl.exe" /N:cn=<...>.cloudapp.net /V:3650
(3650 == 10 years, "<...>.cloudapp.net" represents the fully-qualified domain name, FQDN)
3. Confirm prompt with "y", ignore metabase error (if it appears)
4. Run mmc.exe, add snap-in for Certificates -> Computer account
5. Click on Personal -> Certificates
6. Right-click on the <...>.cloudapp.net certificate, then on All Tasks -> Export, include private keys and protect with password

---------- Server RRAS
1. Run Routing and Remote Access (RRAS) tool
2. Right-click on the server and then on "Configure and Enable RRAS"
3. Choose "Custom configuration", select "VPN access" and NAT
4. Right-click on the server and then on Properties -> Security
5. Select the <...>.cloudapp.net certificate
6. Click on the IPv4 tab
7. Enter a "Static address pool" for the number of clients, e.g.: 192.168.1.1 - 192.168.1.20 (otherwise the connection will fail with error 720)
8. Don't enter a range that is too short. The OS keeps a lock on a used IP address for a while, so reconnecting often or from multiple devices may use up the pool and the connection will fail with error 0x8007274C
9. Right-click on IPv4 -> NAT, then on "New Interface", select the external interface (e.g. "Ethernet 2")
10. Click on "Public interface connected to the Internet" and check "Enable NAT on this interface"

---------- Server User
1. Open "Computer Management" console
2. Click on "Local Users and Groups", then on Users, double click on your account
3. Click on Dial-in and change "Network Access Permission" to "Allow access"

---------- Client Certificate
1. Manage Computer Certificates
2. Click on "Place all certificates in the following store", then on Browse
3. Select "Trusted Root Certificate Authorities", if you store the certificate in the personal store, the connection will fail with error 0x800B0109

---------- Client Connection
1. Go to Network and Sharing Center, click on "Setup a new connection or network"
2. Select "Connect to a workplace", then VPN
3. Enter <...>.cloudapp.net, name and create
4. Click on Network tray icon
5. Right-click on new VPN connection, then show properties
6. Click on Security, set VPN type to SSTP and allow only MS-CHAP v2
7. Connect using same credentials used to create the VM and for RDP
8. Test your internet connectivity
9. Use a web site that shows your external IP, it should be an IP from the Azure datacenter

---------- SSL Certificate
To avoid installing a self-certificate to the trusted store (or for devices with a locked trusted store), do the following:
1. Open the IIS Manager on the server
2. Click on the server, then on "Server Certificates"
3. Click on "Create Certificate Request" (Certificate Signing Request, CSR)
4. Enter <...>.cloudapp.net as the "Common name", fill the rest and export as text file
5. Buy an SSL certificate using the CSR (cheap SSL certificates start at around $5/year)
6. Once the SSL authority issues the certificate:
a) Install to the server's and client's "Local Machine" personal store as described above, skipping the step to copy/move it to the trusted store
b) Select the same certificate in the RRAS tool, on the Security tab

I verified that it works.

Murial answered 8/7, 2013 at 9:33 Comment(1)
Having set this up recently, I thought I could add that in Windows 2008 R2 and later, there is no issue with running an SSL VPN on the same box as IIS running SNI HTTPS sites. Since both use http.sys to reserve the SSL binding, there is no compatibility issue. Weekender
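The server and client steps of the answer above, written as PowerShell; this is an added example, not part of the answer or the linked blog post. It swaps SelfSSL for New-SelfSignedCertificate (its -NotAfter parameter assumes Windows Server 2016 or later), leaves the NAT interface step to the RRAS console, and uses placeholders for the FQDN, address pool and user name.

```powershell
# Added example: RRAS/SSTP setup from the steps above as PowerShell.
# Placeholders: the FQDN, the client address pool and the local account name.
$Fqdn = "<...>.cloudapp.net"          # placeholder: the VM's public DNS name (set on both machines)

#region ---- Server (run elevated on the Azure VM) ----
$PoolFrom = "192.168.1.1"             # placeholder static pool, see steps 7 and 8 (error 720 / 0x8007274C)
$PoolTo   = "192.168.1.20"
$VpnUser  = "vpnuser"                 # placeholder local account that may dial in

# Server Role: Remote Access with VPN and Routing (Routing is needed for NAT)
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Server Certificate: self-signed, 10-year validity, in the machine's Personal store
$Cert = New-SelfSignedCertificate -DnsName $Fqdn `
            -CertStoreLocation Cert:\LocalMachine\My `
            -NotAfter (Get-Date).AddYears(10)
# Export only the public part for clients; the private key stays on the server
Export-Certificate -Cert $Cert -FilePath "C:\sstp-public.cer" | Out-Null

# Server RRAS: VPN-only deployment with a static pool sized with headroom for reconnects
Install-RemoteAccess -VpnType Vpn -IPAddressRange $PoolFrom, $PoolTo
Set-RemoteAccess -SslCertificate $Cert          # certificate SSTP presents on TCP 443

# Let SSTP through Windows Firewall; the Azure endpoint on 443 is configured separately
New-NetFirewallRule -DisplayName "SSTP VPN" -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow | Out-Null

# Server User: dial-in permission for the account (NAT interface still set in the RRAS GUI)
netsh ras set user name=$VpnUser dialin=permit
#endregion

#region ---- Client (run elevated on each remote PC) ----
# Client Certificate: the exported .cer goes to Trusted Root, not Personal (error 0x800B0109)
Import-Certificate -FilePath ".\sstp-public.cer" `
    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Client Connection: SSTP tunnel, MS-CHAP v2 only, encryption mandatory
Add-VpnConnection -Name "Azure SSTP" -ServerAddress $Fqdn `
    -TunnelType Sstp -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -RememberCredential -PassThru
#endregion
```

When a CA-issued certificate replaces the self-signed one (the "SSL Certificate" section), skip the Import-Certificate step on clients and pass the issued certificate to Set-RemoteAccess -SslCertificate instead.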
You're saying that the Windows Azure Framework is blocking PPTP and L2TP. Did you add the right endpoints to the Windows Azure VM (port 1707 for L2TP and port 1723 for PPTP)? If you've done that, you must also ensure that the Windows Firewall on the Windows Azure VM allows traffic over these ports. This is not done automatically.

Windows Azure Virtual Network is a Site-to-Site solution, requiring a VPN device on-premises. It's used to connect entire networks together. You can't use Windows Azure Connect with it. Windows Azure Connect is a Machine-to-Machine solution. You'll need to install a Local Endpoint Agent from the old (Silverlight) portal.

Regards,

Patriek

Goodlooking answered 18/2, 2013 at 22:54 Comment(1)
Patriek, correct: "PPTP VPN needs the GRE Protocol to be enabled and Azure only supports TCP. I suggest as well you use Windows Azure Connect" as stated at social.msdn.microsoft.com/Forums/en-US/windowsazureconnectivity/…. I've tried many options: PPTP, L2TP, opening up all ports and all Azure endpoints, to no avail. Therefore, I wanted to use Azure Connect as everyone suggests, but can't figure out how to access it. Is it being deprecated? Where is the "old (Silverlight) portal" and why wouldn't it be in the new portal? Chapple
To access the Windows Azure Connect maintenance, you still need to go through the Old Portal, from a menu sub-item in the Management Console that you can see if you click on your Live Id in the top-right corner.

But my favorite is just to browse https://windows.azure.com

Once in the Old Portal, select the "Virtual Network" option in the left panel. I wrote a blog entry about what you are looking for some time ago (check here http://davidjrh.intelequia.com/2011/10/conectar-una-azure-cloud-drive.html and use the translation widget).

Rogozen answered 20/2, 2013 at 23:24 Comment(0)
In case someone is searching: we were getting 0x8007274d errors on some machines while connecting to a point-to-site Azure VPN. Solution: disable all of your virtual network adapters (in the Network and Sharing Center) that have been created by, for example, VirtualBox or VMware. Then try to connect again. Once the connection works, you can re-enable the virtual network adapters. This solved the 0x8007274d problem for us on various machines, Win7 and Win10.

Electro answered 13/2, 2017 at 11:12 Comment(0)
Here is a document one can use to set up an L2TP VPN in Azure via a fully automated ARM template: https://artisticcheese.wordpress.com/2021/03/01/l2tp-vpn-via-arm-template-in-azure/

Kirkwood answered 7/3, 2021 at 22:21 Comment(0)