1
00:00:04,240 --> 00:00:07,360
So let's proceed with configuring Azure Virtual WAN to support

2
00:00:07,360 --> 00:00:10,940
point‑to‑site connections for Always On VPN.

3
00:00:10,940 --> 00:00:14,070
So here we are in the Azure management portal.

4
00:00:14,070 --> 00:00:18,160
I'm in the resource group where I've already created my Virtual WAN,

5
00:00:18,160 --> 00:00:20,660
and so I'm going to go ahead and click on my Virtual WAN.

6
00:00:20,660 --> 00:00:23,440
And then over on the left in the Connectivity section,

7
00:00:23,440 --> 00:00:25,970
you'll see there's a User VPN configurations.

8
00:00:25,970 --> 00:00:29,340
So we'll go ahead and click on that,

9
00:00:29,340 --> 00:00:32,090
and then we'll click Create user VPN configuration.

10
00:00:32,090 --> 00:00:35,480
We'll provide a friendly name here.

11
00:00:35,480 --> 00:00:39,440
And again, this name must not contain any spaces.

12
00:00:39,440 --> 00:00:41,730
If it has spaces, the UI will complain,

13
00:00:41,730 --> 00:00:44,260
so make sure that that doesn't contain any spaces.

14
00:00:44,260 --> 00:00:46,800
The Tunnel type will be IKEv2 VPN.

15
00:00:46,800 --> 00:00:51,440
Azure Virtual WAN does support OpenVPN,

16
00:00:51,440 --> 00:00:55,420
but we can't use that necessarily for Always On VPN,

17
00:00:55,420 --> 00:00:57,160
so we're going to select IKEv2.

18
00:00:57,160 --> 00:01:00,680
And one of the things that I do like about this UI in

19
00:01:00,680 --> 00:01:04,170
Azure Virtual WAN is that it does support defining our

20
00:01:04,170 --> 00:01:06,870
custom IPsec policy in the UI.

21
00:01:06,870 --> 00:01:10,060
I really wish they would bring this over to the Azure Virtual Gateway.

22
00:01:10,060 --> 00:01:11,840
It would make life a lot easier.

23
00:01:11,840 --> 00:01:15,130
It certainly makes it more self‑discovering here.

24
00:01:15,130 --> 00:01:18,100
And if you've set any of these settings incorrectly,

25
00:01:18,100 --> 00:01:21,600
it's certainly more discoverable and easier to find if

26
00:01:21,600 --> 00:01:25,690
you've made a mistake by just looking at it in the UI

27
00:01:25,690 --> 00:01:28,980
versus looking at it via PowerShell.

28
00:01:28,980 --> 00:01:32,200
So I'm going to define our settings as we've defined

29
00:01:32,200 --> 00:01:35,050
throughout this course using GCMAES28.

30
00:01:35,050 --> 00:01:38,490
So, we'll click Next on Azure certificate.

31
00:01:38,490 --> 00:01:41,670
And again, if you're using a device tunnel,

32
00:01:41,670 --> 00:01:43,070
then we'll select Yes,

33
00:01:43,070 --> 00:01:47,620
and we'll provide our certificate information just like we did previously.

34
00:01:47,620 --> 00:01:51,240
So here I'm going to give this certificate a name,

35
00:01:51,240 --> 00:01:54,650
and we're going to paste our public data just like

36
00:01:54,650 --> 00:01:56,800
we did in the previous lesson.

37
00:01:56,800 --> 00:02:03,940
This is the root certificate's public data, so we'll just paste that in there.

38
00:02:03,940 --> 00:02:06,790
And at this point, you would just configure,

39
00:02:06,790 --> 00:02:08,940
you could click Review + create,

40
00:02:08,940 --> 00:02:11,700
but I just want to demonstrate how you would set this

41
00:02:11,700 --> 00:02:13,430
up for a user‑based connection.

42
00:02:13,430 --> 00:02:16,640
So we would disable Azure certificate,

43
00:02:16,640 --> 00:02:18,920
and then we would go to RADIUS authentication,

44
00:02:18,920 --> 00:02:19,860
click Yes,

45
00:02:19,860 --> 00:02:24,370
enter our primary server's shared secret and the

46
00:02:24,370 --> 00:02:28,240
primary NPS server's IP address.

47
00:02:28,240 --> 00:02:31,040
And if you want to provide a second server,

48
00:02:31,040 --> 00:02:33,230
you can certainly do that here as well.

49
00:02:33,230 --> 00:02:34,410
And interestingly,

50
00:02:34,410 --> 00:02:37,910
Azure Virtual WAN requires you to upload the NPS server certificate,

51
00:02:37,910 --> 00:02:39,750
so we'll give this a name here.

52
00:02:39,750 --> 00:02:47,840
And once again, we're going to supply our certificate data here as well.

53
00:02:47,840 --> 00:02:52,940
And at this point, we can then click Review + create and then click Create.

54
00:02:52,940 --> 00:02:55,970
And after a short period of time,

55
00:02:55,970 --> 00:02:59,850
our configuration should appear here in this configuration window.

56
00:02:59,850 --> 00:03:03,480
The next thing we need to do now is to set up our VPN Gateway,

57
00:03:03,480 --> 00:03:05,830
and to do that, we need to go over to Hubs.

58
00:03:05,830 --> 00:03:09,710
So, once again, I've already deployed a Virtual WAN hub,

59
00:03:09,710 --> 00:03:12,940
so I'm going to click on the hub that I've already created,

60
00:03:12,940 --> 00:03:16,940
and I'm going to click here on User VPN (Point to site),

61
00:03:16,940 --> 00:03:19,920
and now I'm going to click Create User VPN gateway.

62
00:03:19,920 --> 00:03:23,220
Here is where we're going to select our scale units.

63
00:03:23,220 --> 00:03:28,400
And as I mentioned before, you'll see that it supports incredible scalability.

64
00:03:28,400 --> 00:03:29,740
If I can go all the way down here,

65
00:03:29,740 --> 00:03:32,860
you can see if I were to purchase 200 scale units,

66
00:03:32,860 --> 00:03:39,540
I would get 10,000 clients times 10, so that is a pretty astronomical number.

67
00:03:39,540 --> 00:03:42,030
So, for the purposes of our demonstration here,

68
00:03:42,030 --> 00:03:44,950
I'll just select one with, you know, 2 scale units,

69
00:03:44,950 --> 00:03:48,960
a paltry 1 Gb of throughput and 500 clients.

70
00:03:48,960 --> 00:03:51,310
It's going to ask you for the point‑to‑site configuration.

71
00:03:51,310 --> 00:03:55,410
This is the configuration that we just completed, so we'll click that.

72
00:03:55,410 --> 00:03:57,210
We'll choose our preference.

73
00:03:57,210 --> 00:03:59,790
In this case, we want to use a routing preference.

74
00:03:59,790 --> 00:04:01,920
We're going to use the Microsoft network for that.

75
00:04:01,920 --> 00:04:06,140
We will use a remote RADIUS server, so we'll select that.

76
00:04:06,140 --> 00:04:08,950
And then we're going to add our client IP address pool.

77
00:04:08,950 --> 00:04:09,420
And again,

78
00:04:09,420 --> 00:04:11,620
we want to make sure that we have a large enough address pool

79
00:04:11,620 --> 00:04:14,270
to support our expected number of clients.

80
00:04:14,270 --> 00:04:20,440
And so since we're supporting up to 500 here, I'll use a /23.

81
00:04:20,440 --> 00:04:23,200
And if you want to supply your own custom DNS servers,

82
00:04:23,200 --> 00:04:25,960
that's a great idea because we need to be able to resolve

83
00:04:25,960 --> 00:04:29,050
our on‑premises Active Directory hostname,

84
00:04:29,050 --> 00:04:32,110
so we'll enter our custom DNS servers here.

85
00:04:32,110 --> 00:04:34,630
These are our on‑premises DNS servers.

86
00:04:34,630 --> 00:04:37,290
Those servers could also be in Azure as well,

87
00:04:37,290 --> 00:04:41,010
but they're capable of resolving AD, or Active Directory,

88
00:04:41,010 --> 00:04:41,480
hostnames.

89
00:04:41,480 --> 00:04:46,660
And then we'll select Disable for Propagate Default Route.

90
00:04:46,660 --> 00:04:47,570
We don't need that option.

91
00:04:47,570 --> 00:04:49,220
And now we'll click Create.

92
00:04:49,220 --> 00:04:53,300
And at this point, as it's creating the VPN Gateway,

93
00:04:53,300 --> 00:04:56,240
you're going to wait a rather extended period of time.

94
00:04:56,240 --> 00:05:00,720
It usually takes about 30 to 40 minutes in my experience to create the gateway.

95
00:05:00,720 --> 00:05:02,860
Through the magic of video editing,

96
00:05:02,860 --> 00:05:07,440
I've spared you the agony of watching the gateway get prepared.

97
00:05:07,440 --> 00:05:10,280
So now that it's all finished,

98
00:05:10,280 --> 00:05:16,540
what we'll do here is click Download virtual Hub User VPN profile.

99
00:05:16,540 --> 00:05:18,590
It doesn't matter which one you select here because we're really

100
00:05:18,590 --> 00:05:20,500
not interested in the configuration itself,

101
00:05:20,500 --> 00:05:22,810
just some information that's included in that.

102
00:05:22,810 --> 00:05:29,740
So we're going to select EAPTLS, and we'll select Generate and download profile.

103
00:05:29,740 --> 00:05:32,540
So once that's complete, we'll open this file,

104
00:05:32,540 --> 00:05:36,650
and once again we'll double‑click on the Generic folder, and we

105
00:05:36,650 --> 00:05:40,180
will edit the settings, or look at the settings, in the

106
00:05:40,180 --> 00:05:47,640
VpnSettings.xml file. And once again, we're looking for the FQDN

107
00:05:47,640 --> 00:05:50,680
here that is listed as the VpnServer.

108
00:05:50,680 --> 00:05:55,630
So this VpnServer value is what you will again input into your

109
00:05:55,630 --> 00:06:01,010
device configuration profile in Intune, or if you are using XML,

110
00:06:01,010 --> 00:06:04,500
you would place this in the VPN Server field in your XML

111
00:06:04,500 --> 00:06:06,640
configuration file. And at that point,

112
00:06:06,640 --> 00:06:11,070
assuming all of your other configuration settings line up with the

113
00:06:11,070 --> 00:06:13,890
way we've configured the hub, so in other words,

114
00:06:13,890 --> 00:06:19,340
the gateway that's part of this hub is set up to use either device or user tunnel,

115
00:06:19,340 --> 00:06:22,840
then as long as we match those settings on the client side,

116
00:06:22,840 --> 00:06:34,000
then we should be able to connect to the VPN Gateway and access any resources that are reachable on this particular Virtual WAN.