1
00:00:03,240 --> 00:00:08,240
So let's configure Azure VPN gateway to support point-to-site VPN connections.

2
00:00:08,240 --> 00:00:11,370
So here we are in the Azure portal, and in this case,

3
00:00:11,370 --> 00:00:15,500
I've actually navigated to my resource group where my Azure lab VNet is

4
00:00:15,500 --> 00:00:20,150
already configured, as well as my Azure Lab VPN Gateway.

5
00:00:20,150 --> 00:00:22,940
So I'm going to click on the VPN Gateway link here,

6
00:00:22,940 --> 00:00:29,540
and on the left you'll see we have a Point-to-site configuration.

7
00:00:29,540 --> 00:00:35,540
So let's go ahead and click on that, and then we'll click Configure Now.

8
00:00:35,540 --> 00:00:38,180
And here we're going to supply an address pool.

9
00:00:38,180 --> 00:00:42,350
So the address pool must be unique in your environment.

10
00:00:42,350 --> 00:00:45,350
It cannot be in use anywhere in Azure,

11
00:00:45,350 --> 00:00:47,760
so this has to be a completely unique subnet,

12
00:00:47,760 --> 00:00:50,330
and it's entered here in CIDR notation.

13
00:00:50,330 --> 00:00:55,640
So I'm going to do this in a very simple way, I'm just going to use a /24.

14
00:00:55,640 --> 00:01:02,130
So in terms of VPN protocols, here we want to select either SSTP or IKEv2.

15
00:01:02,130 --> 00:01:04,140
You actually can do both on the same gateway,

16
00:01:04,140 --> 00:01:05,160
that's not a problem,

17
00:01:05,160 --> 00:01:08,830
but as this gateway is really focused on either device

18
00:01:08,830 --> 00:01:12,660
connections or user connections, it's probably best to select one.

19
00:01:12,660 --> 00:01:16,450
So I'm going to demonstrate setting up the gateway here for

20
00:01:16,450 --> 00:01:19,250
device-based connections using IKEv2.

21
00:01:19,250 --> 00:01:20,770
So I'm going to select IKEv2,

22
00:01:20,770 --> 00:01:23,280
and then with the authentication type, you're going to

23
00:01:23,280 --> 00:01:25,730
see we have a couple of options here.
24
00:01:25,730 --> 00:01:28,780
Here we're going to select Azure certificate,

25
00:01:28,780 --> 00:01:32,360
and it's somewhat misleading because it's not a certificate,

26
00:01:32,360 --> 00:01:37,680
you know, generated by Azure, this is actually your on-premises CA certificate.

27
00:01:37,680 --> 00:01:42,820
This is the certificate that's going to be the root of trust

28
00:01:42,820 --> 00:01:46,300
for the certificates that you're issuing to those devices

29
00:01:46,300 --> 00:01:48,120
that you want to allow to connect.

30
00:01:48,120 --> 00:01:51,190
So in this case, it would be our on-premises root CA server.

31
00:01:51,190 --> 00:01:57,840
So I'm going to select Azure certificate. So we'll enter a name,

32
00:01:57,840 --> 00:02:01,440
and then for the Public certificate data,

33
00:02:01,440 --> 00:02:04,280
unfortunately there's no way to just simply upload a certificate,

34
00:02:04,280 --> 00:02:05,730
that would be really helpful here,

35
00:02:05,730 --> 00:02:11,370
but we have to supply the base64 encoded data that's a

36
00:02:11,370 --> 00:02:14,590
part of the root CA certificate.

37
00:02:14,590 --> 00:02:18,090
So the best place to get this is actually just from any

38
00:02:18,090 --> 00:02:21,340
domain-joined system in your environment.

39
00:02:21,340 --> 00:02:24,040
So here we are on a domain-joined system,

40
00:02:24,040 --> 00:02:35,040
I'm just going to open up the local computer certificate store,

41
00:02:35,040 --> 00:02:40,040
I'm going to navigate to the Trusted Root Certification Authorities folder,

42
00:02:40,040 --> 00:02:44,940
and I'm going to locate my root certificate.

43
00:02:44,940 --> 00:02:48,540
And it is this one right here.
44
00:02:48,540 --> 00:02:51,350
And the best way to do this is just simply right-click,

45
00:02:51,350 --> 00:02:58,180
choose All Tasks, Export, choose Next, select Base-64,

46
00:02:58,180 --> 00:03:04,990
this is critical, and then choose Next, and then supply a file name for this.

47
00:03:04,990 --> 00:03:08,740
Choose Next and Finish.

48
00:03:08,740 --> 00:03:10,710
So once we've saved the certificate,

49
00:03:10,710 --> 00:03:13,860
let's right-click on the certificate and choose Open With,

50
00:03:13,860 --> 00:03:16,340
and we'll select Notepad.

51
00:03:16,340 --> 00:03:18,350
And here, what we want to do is,

52
00:03:18,350 --> 00:03:21,810
unfortunately we don't want to copy the entire block,

53
00:03:21,810 --> 00:03:23,840
that would obviously make sense,

54
00:03:23,840 --> 00:03:26,600
but that's not what the Azure interface is looking for.

55
00:03:26,600 --> 00:03:31,150
What we need is everything between the lines BEGIN

56
00:03:31,150 --> 00:03:33,390
CERTIFICATE and END CERTIFICATE.

57
00:03:33,390 --> 00:03:38,820
So in this case, we want everything in between, like this.

58
00:03:38,820 --> 00:03:42,510
So we don't want to include both the beginning and end tags there.

59
00:03:42,510 --> 00:03:45,360
So we're going to copy this, I'm just going to put it on the clipboard,

60
00:03:45,360 --> 00:03:49,240
and then we're going to jump back over to the Azure configuration,

61
00:03:49,240 --> 00:03:53,740
and we'll simply paste that here.

62
00:03:53,740 --> 00:03:54,640
And then also,

63
00:03:54,640 --> 00:03:57,160
I just want to bring your attention here that there is

64
00:03:57,160 --> 00:03:59,570
this section called Revoked certificates.
65
00:03:59,570 --> 00:04:04,810
Revoked certificates means that if there are any certificates for devices

66
00:04:04,810 --> 00:04:09,340
that you want to prevent from accessing the VPN gateway,

67
00:04:09,340 --> 00:04:11,960
and again, this isn't a device-based scenario,

68
00:04:11,960 --> 00:04:15,200
then you would just simply provide the name and the

69
00:04:15,200 --> 00:04:17,050
thumbprint of that certificate here,

70
00:04:17,050 --> 00:04:20,400
and then the Azure VPN gateway would deny access to them.

71
00:04:20,400 --> 00:04:23,880
And the reason for this is because the Azure VPN Gateway does

72
00:04:23,880 --> 00:04:27,160
not have access to your CRL infrastructure, so it doesn't

73
00:04:27,160 --> 00:04:29,630
perform CRL checks in the standard way,

74
00:04:29,630 --> 00:04:35,340
so we have to explicitly tell it which devices would not be allowed to connect.

75
00:04:35,340 --> 00:04:37,940
So once we're done here, we'll click Save,

76
00:04:37,940 --> 00:04:40,280
and then once the gateway is finished saving,

77
00:04:40,280 --> 00:04:44,340
now we'll click Download VPN client,

78
00:04:44,340 --> 00:04:48,240
and then once that's downloaded, we'll just open this file,

79
00:04:48,240 --> 00:04:52,740
and then we'll double-click on the Generic folder,

80
00:04:52,740 --> 00:05:01,370
and then we'll open this VpnSettings.xml file.

81
00:05:01,370 --> 00:05:09,320
Now, this XML file is not useful at all for Always On VPN.

82
00:05:09,320 --> 00:05:15,070
The only reason we're looking at it here is that we need the VPN server name,

83
00:05:15,070 --> 00:05:17,880
so we need to know what the name of this VPN gateway

84
00:05:17,880 --> 00:05:21,050
is because we don't define that, it's defined by Azure.

85
00:05:21,050 --> 00:05:26,940
And you'll find it here in this VpnServer section.
86
00:05:26,940 --> 00:05:33,800
So it is this value that you will put in your Always On VPN device

87
00:05:33,800 --> 00:05:36,990
configuration profile in Intune as the server name,

88
00:05:36,990 --> 00:05:39,290
or if you were using XML,

89
00:05:39,290 --> 00:05:43,270
you would put this in for the VPN server value in your XML.

90
00:05:43,270 --> 00:05:46,940
So it does look, you know, rather complex.

91
00:05:46,940 --> 00:05:50,820
The good news here is that it's not anything you have to remember,

92
00:05:50,820 --> 00:05:53,840
it's not anything that you're ever going to ask users to type in,

93
00:05:53,840 --> 00:05:56,680
you just need to copy and paste this value into your

94
00:05:56,680 --> 00:06:00,690
configurations and you're good to go.

95
00:06:00,690 --> 00:06:06,130
The final piece of configuration for the Always On VPN

96
00:06:06,130 --> 00:06:10,870
point-to-site gateway using IKEv2 for the device tunnel is to

97
00:06:10,870 --> 00:06:13,980
configure our IPsec security policy.

98
00:06:13,980 --> 00:06:17,270
If you'll recall, when we did that with Windows Server,

99
00:06:17,270 --> 00:06:18,490
we used PowerShell,

100
00:06:18,490 --> 00:06:22,760
and that's the same process that we'll have to go through to

101
00:06:22,760 --> 00:06:26,330
set the policy on our VPN gateway as well.

102
00:06:26,330 --> 00:06:27,730
It's a little bit different though.

103
00:06:27,730 --> 00:06:30,610
If you've never managed Azure using PowerShell,

104
00:06:30,610 --> 00:06:34,430
you'll first need to install the PowerShell management module,

105
00:06:34,430 --> 00:06:37,960
and that command is Install-Module Az.

106
00:06:37,960 --> 00:06:43,440
Once that's installed, then you'll just run the command Connect-AzAccount,

107
00:06:43,440 --> 00:06:46,340
and you'll log in and authenticate to Azure.
108
00:06:46,340 --> 00:06:47,430
If you have multiple subscriptions,

109
00:06:47,430 --> 00:06:50,980
you'll want to run the command

110
00:06:50,980 --> 00:06:57,090
Get-AzSubscription and then identify the correct subscription that you

111
00:06:57,090 --> 00:06:59,920
want to manage where your gateway is installed,

112
00:06:59,920 --> 00:07:05,140
and then enter that as the SubscriptionId for Select-AzSubscription,

113
00:07:05,140 --> 00:07:09,810
and at that point, then you can continue with configuring the policy.

114
00:07:09,810 --> 00:07:13,330
And you can configure the IKEv2 security policy using

115
00:07:13,330 --> 00:07:15,820
the commands on your screen here.

116
00:07:15,820 --> 00:07:18,390
These are the same parameters that we used when we

117
00:07:18,390 --> 00:07:21,440
configured on-premises Windows Server,

118
00:07:21,440 --> 00:07:25,140
and so these settings will match those that are configured on the client.

119
00:07:25,140 --> 00:07:30,080
And again, these are kind of minimum baseline recommendations for security.

120
00:07:30,080 --> 00:07:32,930
Then you'll set the policy in this first block here,

121
00:07:32,930 --> 00:07:38,110
and then in the second block, this is where you actually set the policy itself.

122
00:07:38,110 --> 00:07:39,610
And then once that's done,

123
00:07:39,610 --> 00:07:43,310
if you just want to validate that the policy is actually installed correctly,

124
00:07:43,310 --> 00:07:48,240
the command to do that is just Get-AzVpnClientIpsecParameter.

125
00:07:48,240 --> 00:07:51,060
And, of course, you'll have to put in your gateway name,

126
00:07:51,060 --> 00:07:52,670
these are just placeholders here.

127
00:07:52,670 --> 00:07:56,660
Put your gateway name and resource name and then

128
00:07:56,660 --> 00:08:06,000
you should have that policy set, and the policy should match the one that's configured on the endpoint.
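The whole procedure from the video (extract the root CA as base64 without the BEGIN/END lines, register it on the gateway, optionally revoke a device certificate by thumbprint, define and apply the IKEv2/IPsec policy, then read it back and pull the VpnServer name out of the downloaded client package) as one Az PowerShell script. This is an added example, not the commands shown on screen in the video. The resource group and gateway names, the root CA subject, the placeholder thumbprint and the cipher values are assumptions; the cipher values must be changed to match whatever CryptographySuite your Always On VPN device tunnel profile actually uses.

```powershell
# Added example (not from the video). Assumes: Install-Module Az, Connect-AzAccount and,
# if needed, Select-AzSubscription -SubscriptionId <id> have already been run.
$ResourceGroup = 'rg-azure-lab'        # assumed resource group name
$GatewayName   = 'AzureLabVPNGateway'  # assumed virtual network gateway name
$RootCaSubject = 'CN=Lab Root CA'      # assumed subject of the on-premises root CA

# 1. Read the root CA from the local machine's Trusted Root store on a domain-joined box.
$rootCa = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootCaSubject } |
    Select-Object -First 1
if (-not $rootCa) { throw "Root CA '$RootCaSubject' not found in Cert:\LocalMachine\Root" }

# RawData is the DER encoding, so Base64 of it is exactly the body between the
# BEGIN/END CERTIFICATE lines of a Base-64 export, which is what the portal field
# (and -PublicCertData) expects. The check guards against pasting a whole PEM file.
$publicCertData = [Convert]::ToBase64String($rootCa.RawData)
if ($publicCertData -match 'BEGIN|END') { throw 'PEM markers must not be included' }

# 2. Register the root as the trust anchor for device certificates.
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'LabRootCA' `
    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
    -PublicCertData $publicCertData

# 3. Optional: deny one device certificate. The gateway performs no CRL lookups, so
#    revocation is an explicit thumbprint list. The thumbprint is a placeholder.
# Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'LostLaptop' `
#     -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
#     -Thumbprint '<THUMBPRINT-OF-DEVICE-CERT>'

# 4. Define the IKEv2/IPsec policy (assumed baseline values; match them to the client
#    profile). GCMAES256 encryption requires GCMAES256 as the integrity value.
$ipsecPolicy = New-AzVpnClientIpsecParameter `
    -SaLifeTime 27000 -SaDataSize 102400000 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 `
    -IkeEncryption AES256 -IkeIntegrity SHA256 `
    -DhGroup DHGroup14 -PfsGroup PFS14

# 5. Apply the policy to the gateway.
Set-AzVpnClientIpsecParameter -VirtualNetworkGatewayName $GatewayName `
    -ResourceGroupName $ResourceGroup -VpnClientIPsecParameter $ipsecPolicy

# 6. Validate what the gateway actually stored.
Get-AzVpnClientIpsecParameter -VirtualNetworkGatewayName $GatewayName `
    -ResourceGroupName $ResourceGroup | Format-List

# 7. Get the VpnServer name for the Intune / XML profile without opening the
#    downloaded package by hand: fetch the client package, unzip it, and read
#    Generic\VpnSettings.xml.
$profile    = Get-AzVpnClientConfiguration -Name $GatewayName -ResourceGroupName $ResourceGroup
$zipPath    = Join-Path $env:TEMP 'vpnclient.zip'
$extractDir = Join-Path $env:TEMP 'vpnclient'
Invoke-WebRequest -Uri $profile.VpnProfileSASUrl -OutFile $zipPath
Expand-Archive -Path $zipPath -DestinationPath $extractDir -Force
$settings  = [xml](Get-Content -Path (Join-Path $extractDir 'Generic\VpnSettings.xml'))
$vpnServer = $settings.VpnProfile.VpnServer
Write-Output "Use this as the server name in the device tunnel profile: $vpnServer"
```

Step 4 is the "first block" and step 5 the "second block" referred to in the video; a policy object on its own changes nothing until Set-AzVpnClientIpsecParameter pushes it to the gateway, and the gateway update takes a few minutes, during which existing tunnels may drop.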