AaronL-2094 asked AaronL-2094 commented

VPN configuration advice for AADDS

We're looking at going "cloud only" using Azure Files to replace the last of our on-prem file servers (and therefore the legacy domain).

  • I have set up the storage account and can access it via name/secret key from a local device.

  • I'd like to integrate full NTFS perms, so I have set up AADDS (cloud only).

  • I can successfully authenticate an Azure VM to the share using NTLM to access the files.

My next objective is to expand this functionality to our workstations. From what I have read, I believe a VPN would be required to enable the authentication requests to AADDS, and therefore to join the workstations to the managed domain.

My questions:

  1. Is this the only approach I can take to achieve this goal?

  2. Which VPN would be the most appropriate, assuming staff want the flexibility of in-office and WFH?

  3. Anything else I should be aware of before I implement this?

Thanks in advance for any advice

Tags: azure-vpn-gateway, azure-ad-domain-services, azure-files

1 Answer

Givary-MSFT answered AaronL-2094 commented

@AaronL-2094

Thank you for reaching out to us.

Yes, you are right, a VPN would be required to enable the authentication requests to AADDS and to access the resources.

This is the only approach we have to access the NTLM resources managed by AADDS.

Regarding the VPN, point-to-site would be the ideal option to go with.

Reference:
https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-point-to-site-azure-ad

Let me know if you have any other questions regarding this; I would be happy to answer them.
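As an added example (not part of the answer above, nor Microsoft's own tooling): before joining a point-to-site-connected workstation to the managed domain, it is worth checking that the tunnel actually carries the traffic a domain join and Kerberos/NTLM authentication need. The script below, run on a workstation while the P2S client is connected, tests TCP reachability of the AADDS domain controllers on the ports Windows domain membership uses, checks that the storage account's SMB endpoint is reachable on 445, and confirms that the client's DNS can resolve the DC locator SRV record. The domain name `aadds.contoso.com`, the DC addresses `10.0.1.4`/`10.0.1.5` and the storage account `contosofiles` are placeholder assumptions; substitute the values shown on your managed domain's overview blade and your own storage account.

```powershell
# Added example, not from the original Q&A or from Microsoft docs.
# Pre-flight check for a workstation connected through the point-to-site VPN,
# run before Add-Computer against the AADDS managed domain.
# All three parameter defaults are assumed placeholder values.
param(
    [string]   $DomainName        = 'aadds.contoso.com',        # assumption
    [string[]] $DomainControllers = @('10.0.1.4', '10.0.1.5'),  # assumption: DC IPs from the AADDS blade
    [string]   $StorageAccount    = 'contosofiles'              # assumption
)

# TCP ports a Windows client uses against a domain controller for join and auth.
# If the P2S profile does not route the managed domain's VNet, or an NSG blocks
# these, the join fails with "domain could not be contacted" style errors.
$dcPorts = @{
    53   = 'DNS (TCP)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global catalog'
}

$results = New-Object System.Collections.Generic.List[object]

foreach ($dc in $DomainControllers) {
    foreach ($port in $dcPorts.Keys) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $results.Add([pscustomobject]@{ Target = $dc; Port = $port; Service = $dcPorts[$port]; Reachable = $ok })
    }
}

# The share itself is served from the storage account's file endpoint on 445,
# which is a separate path from the DCs; many ISPs block outbound 445, so test it explicitly.
$fileEndpoint = "$StorageAccount.file.core.windows.net"
$ok = (Test-NetConnection -ComputerName $fileEndpoint -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
$results.Add([pscustomobject]@{ Target = $fileEndpoint; Port = 445; Service = 'Azure Files SMB'; Reachable = $ok })

# Domain join locates a DC via the _ldap._tcp.dc._msdcs SRV record. This only resolves
# if the workstation (or the VPN client profile) uses the managed domain's DNS servers.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
try {
    $srv   = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
    $dnsOk = @($srv | Where-Object { $_.Type -eq 'SRV' }).Count -gt 0
} catch {
    $dnsOk = $false
}
$results.Add([pscustomobject]@{ Target = $srvName; Port = 53; Service = 'DC locator SRV record'; Reachable = $dnsOk })

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Reachable })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) prerequisite check(s) failed; fix VPN routes, NSG rules or DNS before joining the domain."
    exit 1
}

Write-Host "All prerequisites reachable. The join can now be attempted, e.g.:"
Write-Host "  Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart"
```

Run it from an elevated PowerShell session on the workstation with the VPN connected; a failure on the SRV lookup with the DC ports reachable usually means the VPN client is still using the workstation's local DNS rather than the managed domain's DNS servers.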


Appreciate the advice and the link, will consider this option.

My concern is the reliability of the VPN connection, i.e. if I pushed out the VPN client to my directors, how reliable is it?
If the VPN gets disconnected, would we ever encounter issues with the device dropping off the domain or the user account locking out?

The other option we're considering now is Azure WVD to serve a file explorer connected to the SMB share. We're thinking that this is perhaps closer to the intended approach from MS...


@AaronL-2094 There is a guaranteed 99.9% availability for the Basic VPN Gateway SKU and 99.95% availability for all other VPN Gateway SKUs. You can deploy the VPN Gateway in an Availability Zone to provide further resiliency, scalability and higher availability.
Yes, going with Azure WVD is also an option. Hope the above SLAs for the availability of VPN Gateways help you make a choice suitable for your environment.

AaronL-2094 (replying to amanpreetsingh-msft):

@amanpreetsingh-msft Thanks for that, though I was never concerned with the SLAs/uptime for the VPN itself, it was more a question on the reliability from an individual client perspective.

I guess I'll have to test it out for myself.
