1
00:00:01,040 --> 00:00:01,950
In this demonstration,

2
00:00:01,950 --> 00:00:05,280
we're going to take a look at Azure point-to-site VPN setup,

3
00:00:05,280 --> 00:00:06,340
and, in particular,

4
00:00:06,340 --> 00:00:10,600
what goes into configuring RADIUS authentication when you need

5
00:00:10,600 --> 00:00:15,500
to have local Active Directory users authenticate their P2S VPN

6
00:00:15,500 --> 00:00:17,580
with their local domain identities.

7
00:00:17,580 --> 00:00:22,040
So we're on a domain member server here, a Windows Server 2022 box.

8
00:00:22,040 --> 00:00:24,060
I'm signed into Windows Admin Center.

9
00:00:24,060 --> 00:00:26,750
The server, as you can see, is localmem1.contosolocal.int,

10
00:00:26,750 --> 00:00:31,670
and I've just gone over to the Roles & Features area and verified

11
00:00:31,670 --> 00:00:34,440
that I installed Network Policy and Access Services.

12
00:00:34,440 --> 00:00:37,010
That's all there is to it as far as that goes.

13
00:00:37,010 --> 00:00:40,790
Then you've got an MMC console called Network Policy Server.

14
00:00:40,790 --> 00:00:43,460
And we've got here RADIUS Clients and Servers.

15
00:00:43,460 --> 00:00:47,150
We're going to need to create a RADIUS client for our Azure VNet gateway.

16
00:00:47,150 --> 00:00:48,520
And then, under Policies,

17
00:00:48,520 --> 00:00:51,990
we have our connection request and network policies that we'll need to

18
00:00:51,990 --> 00:00:56,900
configure just to allow the P2S connections when they're initiated to

19
00:00:56,900 --> 00:01:00,550
be handed off for Active Directory authentication before they're

20
00:01:00,550 --> 00:01:02,640
rerouted across the P2S tunnel.

21
00:01:02,640 --> 00:01:04,390
So, that's what we've got.

22
00:01:04,390 --> 00:01:05,930
Let's go to NPS,

23
00:01:05,930 --> 00:01:09,200
and there's actually a wizard that allows you to abstract away the

24
00:01:09,200 --> 00:01:11,630
complexity of going to those nodes individually.

25
00:01:11,630 --> 00:01:14,590
So let's make sure that this standard configuration is

26
00:01:14,590 --> 00:01:19,700
set up for dial-up or VPN connections, and then we'll click Configure VPN.

27
00:01:19,700 --> 00:01:22,200
I'm going to make this a virtual network connection

28
00:01:22,200 --> 00:01:26,580
and we'll call it Azure-P2S-VPN, and click Next.

29
00:01:26,580 --> 00:01:28,570
We need to create a RADIUS client here.

30
00:01:28,570 --> 00:01:32,360
The friendly name for this is going to be our Azure VNet Gateway,

31
00:01:32,360 --> 00:01:35,020
and here, if you've used the Azure VNet Gateway,

32
00:01:35,020 --> 00:01:39,320
you might be thinking, how do we get the address of the gateway?

33
00:01:39,320 --> 00:01:41,530
We know that the gateway has a public address.

34
00:01:41,530 --> 00:01:42,160
Let me show you.

35
00:01:42,160 --> 00:01:43,000
Let's go out.

36
00:01:43,000 --> 00:01:47,290
I've got a virtual network gateway called vpn-gateway, really imaginative.

37
00:01:47,290 --> 00:01:50,750
It's a VpnGw1 SKU, it's route-based,

38
00:01:50,750 --> 00:01:53,880
it's in a virtual network I have called vnet11.

39
00:01:53,880 --> 00:01:56,430
If we jump over there and go to Subnets,

40
00:01:56,430 --> 00:02:01,110
it's sitting on a GatewaySubnet at 10.11.1.0/24.

41
00:02:01,110 --> 00:02:03,780
What we actually need is that subnet ID.

42
00:02:03,780 --> 00:02:07,530
Well, let me, it won't let me copy it, so let me just try to remember,

43
00:02:07,530 --> 00:02:11,090
10.11.1, 10.11.1.0/24.

44
00:02:11,090 --> 00:02:14,210
Okay, and then to authenticate client and server,

45
00:02:14,210 --> 00:02:16,660
we're just going to do a preshared key, and then,

46
00:02:16,660 --> 00:02:18,460
actually, I'm going to forget it.

47
00:02:18,460 --> 00:02:19,060
There we go.

48
00:02:19,060 --> 00:02:20,620
Hopefully, I'll remember this one.

49
00:02:20,620 --> 00:02:24,470
And we're going to need that both here in the NPS RADIUS server,

50
00:02:24,470 --> 00:02:27,480
as well as we'll configure it in the point-to-site

51
00:02:27,480 --> 00:02:29,560
settings on the Azure Gateway.

52
00:02:29,560 --> 00:02:30,550
Let's click Next.

53
00:02:30,550 --> 00:02:32,840
And now, what are we doing for authentication?

54
00:02:32,840 --> 00:02:35,260
We're going to use EAP here, and specifically,

55
00:02:35,260 --> 00:02:38,670
we're going to do a secure password, EAP-MSCHAP v2.

56
00:02:38,670 --> 00:02:40,470
I'll just leave the defaults for that.

57
00:02:40,470 --> 00:02:41,540
For our Groups here,

58
00:02:41,540 --> 00:02:45,980
we're just specifying the constraints that govern this particular policy.

59
00:02:45,980 --> 00:02:48,380
I'm going to say that domain admins are going to be

60
00:02:48,380 --> 00:02:51,180
allowed to authenticate the P2S tunnel.

61
00:02:51,180 --> 00:02:53,600
We're not going to worry about filtering IPs,

62
00:02:53,600 --> 00:02:55,700
I'm just going to leave the encryption settings,

63
00:02:55,700 --> 00:02:59,840
we're not dealing with realms, we're not dealing with internet service providers.

64
00:02:59,840 --> 00:03:00,930
Let's click Finish.

65
00:03:00,930 --> 00:03:02,120
It's pretty much done.

66
00:03:02,120 --> 00:03:05,020
Again, we're not concerned with deep-diving into NPS,

67
00:03:05,020 --> 00:03:07,370
I just want to give you the general flavor.

68
00:03:07,370 --> 00:03:09,450
The bottom line is that we've got a RADIUS

69
00:03:09,450 --> 00:03:12,570
client defined that points to our Azure gateway,

70
00:03:12,570 --> 00:03:16,100
and we've created policy at this point that's saying that if

71
00:03:16,100 --> 00:03:19,140
you're coming in and setting up a VPN,

72
00:03:19,140 --> 00:03:21,520
and you're a member of the domain admins group,

73
00:03:21,520 --> 00:03:23,990
we're going to allow that connection to proceed.

74
00:03:23,990 --> 00:03:27,000
Now, as far as setting up the virtual network gateway,

75
00:03:27,000 --> 00:03:28,870
let's go back to that gateway,

76
00:03:28,870 --> 00:03:33,130
and instead of configuring ExpressRoute or site-to-site VPN,

77
00:03:33,130 --> 00:03:36,950
which happens with connections, we're going to go to point-to-site configuration,

78
00:03:36,950 --> 00:03:39,650
and it's not configured, so we're going to configure it now.

79
00:03:39,650 --> 00:03:41,710
We specify a client address pool.

80
00:03:41,710 --> 00:03:46,340
This needs to be a non-overlapping address range of private addresses that

81
00:03:46,340 --> 00:03:49,770
will be given to clients coming in on the P2S tunnel,

82
00:03:49,770 --> 00:03:53,210
and they'll be put into this virtual network gateway and Azure

83
00:03:53,210 --> 00:03:57,180
routing will allow connectivity between those hosts and any

84
00:03:57,180 --> 00:03:59,170
other resources that are in the VNet.

85
00:03:59,170 --> 00:04:02,140
As I mentioned, we have a lot of options for Tunnel type.

86
00:04:02,140 --> 00:04:06,540
I like, for most compatibility, the IKEv2 and OpenVPN,

87
00:04:06,540 --> 00:04:10,410
but I don't have the Azure VPN client available to me right now,

88
00:04:10,410 --> 00:04:13,430
I'm just going to use the one that's built right into Windows Server.

89
00:04:13,430 --> 00:04:16,080
And it is Windows in my situation only,

90
00:04:16,080 --> 00:04:19,610
so I'm going to do IKEv2 and SSTP this time around.

91
00:04:19,610 --> 00:04:21,330
Now, here's the exam alert.

92
00:04:21,330 --> 00:04:24,010
For Authentication type, we're not going to do a certificate.

93
00:04:24,010 --> 00:04:26,170
In the next demo, with Azure Network Adapter,

94
00:04:26,170 --> 00:04:27,640
you'll see a little bit about that.

95
00:04:27,640 --> 00:04:30,780
If you do Azure AD, there's some additional work you have to do,

96
00:04:30,780 --> 00:04:33,030
like I said, to get that set up in your tenant.

97
00:04:33,030 --> 00:04:36,140
But what we're going to do is just the one authentication

98
00:04:36,140 --> 00:04:38,330
type and that is RADIUS authentication.

99
00:04:38,330 --> 00:04:41,810
And here, we need to provide our primary server address,

100
00:04:41,810 --> 00:04:43,970
which is going to be the address of our host,

101
00:04:43,970 --> 00:04:46,400
the private address of our host, which is,

102
00:04:46,400 --> 00:04:51,030
in my case, let me do a quick ipconfig, 10.1.10.158,

103
00:04:51,030 --> 00:04:53,760
10.1.10.158.

104
00:04:53,760 --> 00:04:56,330
And the shared secret, carefully type that in.

105
00:04:56,330 --> 00:04:58,820
Unfortunately, it shows up in plain text.

106
00:04:58,820 --> 00:05:02,160
I don't have a secondary server IP or secondary secret,

107
00:05:02,160 --> 00:05:03,930
so I'll leave that, and click Save.

108
00:05:03,930 --> 00:05:07,740
So this is going to take a little while to commit because what's happening is

109
00:05:07,740 --> 00:05:11,540
Azure is now creating that point-to-site configuration for us,

110
00:05:11,540 --> 00:05:14,880
and it's also building the client VPN package.

111
00:05:14,880 --> 00:05:15,240
See,

112
00:05:15,240 --> 00:05:18,260
this Download VPN client button is going to activate

113
00:05:18,260 --> 00:05:20,830
once Azure completes the configuration,

114
00:05:20,830 --> 00:05:24,760
and there'll be a number of profile files in there that you can use.

115
00:05:24,760 --> 00:05:27,500
For example, if you have the Azure VPN client,

116
00:05:27,500 --> 00:05:31,440
that's the Windows Store app that's good for Windows 10 and Windows 11,

117
00:05:31,440 --> 00:05:33,860
not good on Windows Server, can't get to it there,

118
00:05:33,860 --> 00:05:36,210
but it's good for Windows 10 and Windows 11,

119
00:05:36,210 --> 00:05:37,380
you can do an import.

120
00:05:37,380 --> 00:05:38,120
But what I like,

121
00:05:38,120 --> 00:05:43,310
and one reason why I chose IKEv2 and SSTP is that we'll also get an installer,

122
00:05:43,310 --> 00:05:44,640
a Windows installer,

123
00:05:44,640 --> 00:05:47,830
that will create a VPN connectoid that works on Windows

124
00:05:47,830 --> 00:05:50,890
Server just with the native Azure VPN client.

125
00:05:50,890 --> 00:05:52,680
That's what I'm looking at in this case.

126
00:05:52,680 --> 00:05:53,060
Great.

127
00:05:53,060 --> 00:05:54,900
Saved virtual network gateway.

128
00:05:54,900 --> 00:05:56,390
Looks like we're ready to test.

129
00:05:56,390 --> 00:05:58,340
Let me download the VPN client.

130
00:05:58,340 --> 00:06:01,420
I'm going to bring it down as an EAPMSCHAPv2.

131
00:06:01,420 --> 00:06:02,980
All right, click Download.

132
00:06:02,980 --> 00:06:06,710
Let me open this in the folder to make sure I'm getting the most recent one.

133
00:06:06,710 --> 00:06:09,210
Looks like I downloaded it twice accidentally.

134
00:06:09,210 --> 00:06:12,090
We extract this to my desktop, and as I said,

135
00:06:12,090 --> 00:06:13,990
there's a number of different configs here.

136
00:06:13,990 --> 00:06:20,040
There's Generic, there's Mac mobileconfig, there's Windows 32 and 64-bit.

137
00:06:20,040 --> 00:06:23,450
I'm going to go to AMD, and this is a nice installer, like I said.

138
00:06:23,450 --> 00:06:26,760
Do you wish to install a Vpn Client for vnet11?

139
00:06:26,760 --> 00:06:27,360
Yes.

140
00:06:27,360 --> 00:06:32,330
And then if we look for VPN in the Start, VPN settings on the systems app,

141
00:06:32,330 --> 00:06:36,580
then we've got our vnet11 Connect, it brings up our Azure VPN.

142
00:06:36,580 --> 00:06:39,470
And because we've wired up RADIUS authentication,

143
00:06:39,470 --> 00:06:46,180
we'll use either an NT, this is contosolocalint\user,

144
00:06:46,180 --> 00:06:50,090
or we could do the UPN notation, password,

145
00:06:50,090 --> 00:06:50,810
Connect.

146
00:06:50,810 --> 00:06:53,290
Elevated privilege required, do not show again.

147
00:06:53,290 --> 00:06:54,670
And that's all there is to it.

148
00:06:54,670 --> 00:06:57,880
Once the handshaking completes, I don't think it liked that.

149
00:06:57,880 --> 00:06:59,640
Let me try one more credential.

150
00:06:59,640 --> 00:07:03,140
Let me do tim@contosolocal.int.

151
00:07:03,140 --> 00:07:07,370
Carefully type in my password, and I'll save it, and then Connect.

152
00:07:07,370 --> 00:07:10,890
It looks like I've got some more troubleshooting and some work to do here.

153
00:07:10,890 --> 00:07:14,580
Probably there's something that's gone sideways in my Network Policy Server.

154
00:07:14,580 --> 00:07:15,990
But you get the idea.

155
00:07:15,990 --> 00:07:19,760
We've got a persistent VPN connectoid here that whenever we want

156
00:07:19,760 --> 00:07:22,870
Layer 3 connectivity to that Azure virtual network,

157
00:07:22,870 --> 00:07:25,850
all we have to do is stand up the point-to-site VPN,

158
00:07:25,850 --> 00:07:28,690
disconnect it when we're finished, and we're off and running.

159
00:07:28,690 --> 00:07:36,000
So this demo is going to serve as a nice precursor to what we'll do in the next demo with Azure Network Adapter.