Generate P2S Azure VPN Client profile configuration files - Microsoft Entra authentication
This article helps you generate and extract VPN client profile configuration files. Client profile configuration files contain information that's used to configure your VPN client. The sections in this article explain the information needed to configure the Azure VPN Client profile for Azure VPN Gateway point-to-site configurations that use Microsoft Entra authentication.
Generate profile configuration files
You can generate VPN client profile configuration files either with PowerShell, or the Azure portal. Either method returns the same zip file.
Azure portal
In the Azure portal, go to the virtual network gateway for the virtual network to which you want to connect.
On the virtual network gateway page, select Point-to-site configuration to open the Point-to-site configuration page.
At the top of the Point-to-site configuration page, select Download VPN client. This doesn't download VPN client software, it generates the configuration package used to configure VPN clients. It takes a few minutes for the client configuration package to generate. During this time, you might not see any indications until the packet generates.
Once the configuration package is generated, your browser indicates that a client configuration zip file is available. It's named the same name as your gateway.
Unzip the file to view the folders. You'll use some, or all, of these files to configure your VPN client. The files that are generated correspond to the authentication and tunnel type settings that you configured on the P2S server.
PowerShell
To generate the VPN client profile configuration files using PowerShell, you can use the following example:
When you generate VPN client configuration files, the value for '-AuthenticationMethod' is 'EapTls'. Generate the VPN client configuration files using the following command:
$profile=New-AzVpnClientConfiguration -ResourceGroupName "TestRG" -Name "VNet1GW" -AuthenticationMethod "EapTls"
$profile.VPNProfileSASUrl
Copy the URL to your browser to download the zip file.
Extract the zip file
Extract the zip file. The file contains the following folders:
- AzureVPN: The AzureVPN folder contains the Azurevpnconfig.xml file that is used to configure the Azure VPN Client.
- Generic: The generic folder contains the public server certificate and the VpnSettings.xml file. The VpnSettings.xml file contains information needed to configure a generic client
Retrieve file information
In the AzureVPN folder, go to the azurevpnconfig.xml file and open it with Notepad. Make a note of the text between the following tags. This information is used later when configuring the Azure VPN Client.
<audience> </audience>
<issuer> </issuer>
<tenant> </tenant>
<fqdn> </fqdn>
<serversecret> </serversecret>
Profile details
When you add a connection, use the information you collected in the previous step for the profile details page. The fields correspond to the following information:
- Audience: Identifies the recipient resource the token is intended for.
- Issuer: Identifies the Security Token Service (STS) that emitted the token, and the Microsoft Entra tenant.
- Tenant: Contains an immutable, unique identifier of the directory tenant that issued the token.
- FQDN: The fully qualified domain name (FQDN) on the Azure VPN gateway.
- ServerSecret: The VPN gateway preshared key.
Next steps
Configure VPN clients.
For more information about point-to-site, see About point-to-site.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for