So, the use case is we've got an Azure virtual network that has VMs and other resources that we need our local users to access. Those local users, or some local users, are potentially remote, so we're talking Point-to-Site VPN tunnels. And the constraint here is that those users need to authenticate the Point-to-Site tunnel using their local Active Directory Domain Services identities that have not been synchronized into Azure Active Directory.

What's required? Well, notice first of all that we can create this kind of connection with all of the different tunnel types. You can do SSTP, you can do IKE, you can do OpenVPN if you want to, but the secret sauce to the configuration occurs in your on-premises Active Directory Domain Services domain, in which you need at least one Windows server that has the Network Policy Server role installed. The NPS console, the NPS capability, gives you RADIUS server ability.

Now, RADIUS is a client/server protocol, so we'll need to set up the NPS policy server as a server that will link authentication requests from Azure to AD Domain Services. Now how does that link happen? Well, you create, in Azure, a RADIUS client entry that maps to the virtual network gateway in Azure. So in this context, the client on the RADIUS side is actually the Azure VPN gateway, the RADIUS server is the Network Policy Server, and your authenticator is the domain controller in your environment. Make sense?

We don't have to get too far into the high weeds here. I just need you to know the general flow on how that works.