question

0 Votes
GregThomas-0401 asked GregThomas-0401 commented

Point To Site VPN Certificates

Hi,

I'm looking to implement the P2S VPN in my Azure VNET and have a few questions.

I'm following the guidance provided here - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal

  1. For the Address Pool Range on the Gateway. Do I have to reserve that IP pool range and/or is it already reserved once I put it in? I.e., does it matter what I put here? I.e., if I'm using 10.0.30.0 for my VNET, can I put in the prescribed 172.16.201.1/24 range? The idea is that whatever I put into this range, it will not overlap, is that correct? So it doesn't really matter? I could do 10.0.40.0/24 instead, correct?

  2. For the authentication being certificate-based, is there no user/password integration? We have a couple of hundred devices to roll this out to so we'd be looking to push down the client certificate to their machines and then they would run the VPN, authenticate via the password and be on the VPN? No user/pass prompts?


Is anyone using the P2S solution for large scale VPNs?

Am I looking at rolling out individual certs to each user so if they leave, I need to revoke their cert access individually? Right now people are remote, so they could still log in to their machine, kick off the VPN via an approved cert and then be blocked from getting onto VMs or services from there?

Thanks for help in answering these questions.

Greg



azure-vpn-gateway

1 Answer

0 Votes
GitaraniSharmaMSFT-4262 answered GregThomas-0401 commented

Hello @GregThomas-0401 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

  1. For the Address Pool Range on the Gateway, it doesn't matter which address range you are using here as long as the client address pool is a range of private IP addresses and it does not overlap with the on-premises location that you connect from, or the VNet that you want to connect to.
    The clients that connect over a Point-to-Site VPN dynamically receive an IP address from this range.
    Refer: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#addresspool
    Yes, if you are using 10.0.30.0 for your VNET, you can put in the prescribed 172.16.201.1/24 range. You could also use 10.0.40.0/24 instead as long as it doesn't overlap.

  2. For the certificate-based authentication, there is no user/password integration. When using the native Azure certificate authentication, a client certificate that is present on the device is used to authenticate the connecting user.
    If you need username/password prompts to connect to P2S VPN, you should look into Authenticate using Active Directory (AD) Domain Server.
    AD Domain authentication allows users to connect to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also leverage their existing RADIUS deployment. The RADIUS server could be deployed on-premises or in your Azure VNet.
    The RADIUS server can also integrate with AD certificate services. This lets you use the RADIUS server and your enterprise certificate deployment for P2S certificate authentication as an alternative to the Azure certificate authentication. The advantage is that you don’t need to upload root certificates and revoked certificates to Azure.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


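The address-pool rule in the answer above (a private range that overlaps neither the VNet nor any on-premises range you connect from) is easy to check before you type the value into the portal. The following script is an added example and is not part of the original post or of Microsoft's documentation; the VNet prefix 10.0.30.0/24 is an assumption (the question only gives 10.0.30.0), and the pool values are the ones discussed in the thread.

```python
"""Check a Point-to-Site client address pool against the rules given in the
answer: it must be a private range and must not overlap the VNet or any
on-premises address range that clients connect from.
Added example, not part of the Q&A thread or the Azure docs."""
import ipaddress


def parse_cidr(text):
    """Parse a CIDR string into an ip_network.

    strict=False accepts host-form text such as 172.16.201.1/24 (the form the
    question uses) and normalises it to the network 172.16.201.0/24, which is
    what the gateway actually hands addresses out of.
    """
    return ipaddress.ip_network(text, strict=False)


def check_client_pool(pool, vnet_ranges, onprem_ranges=()):
    """Return a list of problems with the proposed client pool.

    An empty list means the pool satisfies the rules. Each problem is a plain
    sentence so the result can be shown to whoever is filling in the portal.
    """
    pool_net = parse_cidr(pool)
    problems = []

    # Rule 1: the client pool must be a private range.
    if not pool_net.is_private:
        problems.append(f"{pool_net} is not a private address range")

    # Rule 2: no overlap with the VNet or with on-premises ranges.
    for label, ranges in (("VNet", vnet_ranges), ("on-premises", onprem_ranges)):
        for r in ranges:
            other = parse_cidr(r)
            # Only compare networks of the same IP version.
            if pool_net.version == other.version and pool_net.overlaps(other):
                problems.append(f"{pool_net} overlaps the {label} range {other}")

    return problems


if __name__ == "__main__":
    # Assumed VNet prefix: the question only says "10.0.30.0".
    vnet = ["10.0.30.0/24"]
    # Constructed on-premises range, as an example of the third rule.
    onprem = ["192.168.0.0/16"]
    for candidate in ("172.16.201.1/24", "10.0.40.0/24", "10.0.30.128/25",
                      "192.168.50.0/24", "8.8.8.0/24"):
        issues = check_client_pool(candidate, vnet, onprem)
        status = "OK" if not issues else "; ".join(issues)
        print(f"{candidate:>18}: {status}")
```

Both pools from the thread (172.16.201.1/24 and 10.0.40.0/24) come back clean against a 10.0.30.0/24 VNet; a pool carved out of the VNet itself, one inside the on-premises range, or a public range is reported.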

Hi - still working on this - we are trying out the RAD Service option.

Thank you.

1 Vote 1 ·

Hi, thank you for these answers.

I should have prefaced my implementation - we are trying to do a completely software-based VPN and have no on-premises components.

Our AD is in the cloud along with Domain Services.

Looking at the documentation on the Radius server, would I need to deploy this as a VM in the cloud? Can I do it this way?

Thank you for the response on the IP range, that helps greatly.

0 Votes 0 ·

Hello @GregThomas-0401 ,

Yes, as I mentioned in my answer above, the RADIUS server could be deployed on-premises or in your Azure VNet.
Please refer: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-radius-ps#3-set-up-your-radius-server

Before creating and configuring the VPN gateway, your RADIUS server should be configured correctly for authentication.
Configure the VPN gateway as a RADIUS client on the RADIUS server. When adding this RADIUS client, specify the VNet GatewaySubnet that you created.
Once the RADIUS server is set up in the Azure VNet, get the CA IP of the RADIUS server VM that the RADIUS clients should use to talk to the RADIUS server.

The Network Policy Server (NPS) article provides guidance about configuring a Windows RADIUS server (NPS) for AD domain authentication.
Refer: https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top
You can also deploy any other RADIUS server in your Azure VNet from the Azure marketplace.

0 Votes 0 ·