The following is the work of Aaron Whittaker and should not be reproduced without prior permission.
Using a Point-to-Site VPN
Do I need a bigger Laptop?
Customers want to use Azure. There are many different use cases and scenarios. The following would be a great solution where on premise does not need direct tunnel connectivity to Azure. The more permanent option is a static Site to Site VPN utilising a hardware device.
Eg. Developers utilizing extra computing power, maintenance on webservers, IT guys that want to get by with a Surface2 and don’t need more than 4 gig or ram.
CA or Windows SDK
Azure subscription, with a running VM to test
Cooking time 35 mins.
CERTIFICATION CREATION PROCESS
To establish a firstly you need create some certs. You only need a private CA cert if you are running a domain. An even quicker you can make certs just by using makecert.exe provided free in the Windows SDK
PS C:\Program Files(x86)\Windows Kits\8.1\bin\x86>makecert.exe -r -pe -n CN=AzureCertName -ss my -sr localmachine -eku 188.8.131.52.184.108.40.206.2 -len 2048 -e 01/01/2016 AzureCertName.cer
PS C:\Program Files(x86)\Windows Kits\8.1\bin\x86>makecert.exe -n “CN=AzureCertName2” -pe -sky exchange -m 96 -ss My –in “AzureCertName2” -is my -a sha1
EXPORTING CLIENT CERTIFICATE
Now go to CertMgr.exe to will open the current user certs that you have just created. Go to personal certificates.
Right Click Certname1, export, select YES to export the private key
Select Next twice, enter a password (mandatory step), next, select a location to save and create PFX.
What have we done? This cert will now be installed on client pc’s that need to connect to Azure with VPN.
Recommendations are that if you right click and install on client pc it will put it in the correct location (current user).
Browse to Trusted Root Cert Auth, Certificates, right click Import PFX.
EXPORTING ROOT CERTIFICATE
Now lets get the cert for Azure. If you get confused which cert is for which, this below cert cannot be turned into a PFX because you can’t export the private key. You can only make a CER which is required on Azure.
Go to CertMgr.exe to will open the current user certs that you have just created. Go to personal certificates.
Right Click AzureCertName, export, select NO to export the private key
Select Next twice, select a location to save and create CER.
We need to put the cert in our Azure Virtual Network.
CREATING A Point-to-Site VPN CONNECTION IN WINDOWS AZURE
Now log into Azure, networks, new, select custom create. Enter and Name and select your Affinity Group.
Select the next arrow, enter your tenants DNS server if you have one, if not, this is not needed, Azure will provide DNS for you. Check the box for Configure Point-to-Site VPN, next arrow twice.
Here you can add your local address space by selecting Add address space, next, wait 2 mins.
Here is the finished product and settings I required.
Next go to the Certificate tab. Browse and upload your CER. Here you can’t get it wrong as it won’t allow you to upload the PFX you also made.
Now go to back to your Virtual network dashboard and on the right you will see quick glance, select download client vpn package.
Once downloaded install it, if you get an error like I did simply select more information and force the install.
Then go to the bottom right and select the network icon, select Network VPN (this network name is what you called your Virtual Network), connect.
Now select connect
Are we connected yet? Yes
What can I do now?
RDP to Azure VM, and RDP to local server at the same time. See my network configurations on my 3 different machines at once. DC2 (Azure), Win2012r2 (local Hyper-V host), lenovo (my laptop).
See the screenshot below, access to 2 different networks at the same time and yet my local laptop ip address does not change.
Do I need a bigger Laptop? No, I can do everything I need from a Surface2.
Here is the Azure article to follow, minus any screen shots. http://msdn.microsoft.com/en-us/library/windowsazure/dn133792.aspx
Thoughts and comments welcome.
Next time we will extend the Hyper-V datacentre to Azure.