Configuring Point-to-site in Azure Resource Manager

In addition to creating a site-to-site connection in Azure, you can use the same gateway to configure a Point-to-site connection. A Point-to-site configuration lets an individual client computer open a secure connection to the virtual network in Azure, with each client authenticating using its own certificate. It's a very good solution when you need to work remotely or when you need to give a customer temporary access to a virtual network.

If you don't have a VPN gateway yet, follow this guide to learn how to set up your first one. To configure a Point-to-site connection, follow these steps:

Get your VPN gateway:

Save your Gateway configuration to a new variable that will be used later.

PS C:\> $Gw = Get-AzureRmVirtualNetworkGateway -Name "vnetgatewayname" -ResourceGroupName "resourcegroupname"

Set the VPN client address pool:

Specify the address range from which clients connecting to this gateway are assigned IP addresses. This pool must not overlap the virtual network's address space or any on-premises range you route to. For example: -VpnClientAddressPool "192.168.100.0/24"

PS C:\> Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $Gw -VpnClientAddressPool "ipaddresspool"

Create the certificates:

Certificates are used to authenticate VPN clients for Point-to-site VPNs: the gateway trusts a root certificate, and each client presents a certificate issued by that root. You can create them with any tool you are comfortable with. I'm using makecert to create these, and you can download this tool from the Windows Software Development Kit (SDK) for Windows 10.

To create the root certificate:

PS C:\> .\makecert.exe -sky exchange -r -n "CN=RootMyCompanyP2SAzure" -pe -a sha1 -len 2048 -ss My "RootMyCompanyP2SAzure.cer"

To create the client certificate:

PS C:\> .\makecert.exe -n "CN=ClientMyCompanyP2SAzure" -pe -sky exchange -m 96 -ss My -in "RootMyCompanyP2SAzure" -is my -a sha1

Upload the root certificate:

Note that, to add a root certificate, you must specify the certificate name and provide a text-only representation of the certificate's public part (no private key). To obtain the text representation, export your root certificate from the certificate store in .cer format using Base64 encoding:

Then open the resulting file in a text editor. You will see output similar to the following (the actual output will contain many more lines of text than the abbreviated sample shown here):

-----BEGIN CERTIFICATE-----
MIIC13FAAXC3671Auij9HHgUNEW8343NMJklo09982CVVFAw8w
-----END CERTIFICATE-----

Save the text between the BEGIN and END lines (the Base64 body only) to a variable:

PS C:\> $CertificateText = "MIIC13FAAXC3671Auij9HHgUNEW8343NMJklo09982CVVFAw8w"

or, thanks to Derek, use the commands below to read it directly from the exported file (the loop skips the first and last lines, i.e. the BEGIN and END markers):

PS C:\> $Text = Get-Content -Path .\RootMyCompanyP2SAzureBase64.cer
PS C:\> $CertificateText = for ($i=1; $i -lt $Text.Length -1 ; $i++){$Text[$i]}

Finally, add the root certificate to your VPN Gateway:

PS C:\> $rootCert = Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "RootMyCompanyP2SAzureBase64.cer" `
-PublicCertData ($CertificateText | Out-String) -VirtualNetworkGatewayName $Gw.Name -ResourceGroupName $Gw.ResourceGroupName

Download the VPN Client Package:

Now all we need is to download and install the client package, which automatically sets up the VPN connection on our Windows machine. The package is generated for this gateway, so it only works with clients that hold a certificate issued by the root registered above.

PS C:\> Get-AzureRmVpnClientPackage -ResourceGroupName $Gw.ResourceGroupName -VirtualNetworkGatewayName $Gw.Name -ProcessorArchitecture Amd64
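Putting the steps above together, here is an added end-to-end script. It is not from the original post; it uses the same AzureRM cmdlets, but reads the root certificate's public data straight from the certificate store instead of hand-editing the exported .cer file, checks that the gateway actually lists the root before downloading the client package, and fails early if the certificate cannot be found. The resource group, gateway name, address pool, the lookup by certificate subject, the `Get-AzureRmVpnClientRootCertificate` check and the `.Trim('"')` on the package URL are my additions and assumptions, not part of the original procedure.

```powershell
# Added example (not from the original post): end-to-end Point-to-site setup.
# Assumed: the AzureRM.Network module is loaded, you are logged in, the gateway
# already exists, and the root certificate was created with makecert into the
# CurrentUser\My store as shown above. Names below are placeholders.

$ResourceGroupName = "resourcegroupname"        # placeholder
$GatewayName       = "vnetgatewayname"          # placeholder
$ClientAddressPool = "192.168.100.0/24"         # must not overlap the VNet or on-premises ranges
$RootCertSubject   = "CN=RootMyCompanyP2SAzure" # subject passed to makecert -n
$RootCertName      = "RootMyCompanyP2SAzure"    # name the gateway will show for this root

# 1. Get the gateway and assign the client address pool.
$Gw = Get-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $Gw -VpnClientAddressPool $ClientAddressPool

# 2. Read the root certificate's public part directly from the certificate store.
#    X509ContentType::Cert exports only the DER-encoded public certificate
#    (never the private key), which is exactly what the gateway needs.
$RootCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $RootCertSubject } |
    Select-Object -First 1
if (-not $RootCert) {
    throw "Root certificate '$RootCertSubject' not found in Cert:\CurrentUser\My"
}
if (-not $RootCert.HasPrivateKey) {
    Write-Warning "Root certificate has no private key here; client certificates cannot be issued from this machine"
}

$DerBytes        = $RootCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$CertificateText = [System.Convert]::ToBase64String($DerBytes)
# $CertificateText is the same Base64 body you would get by stripping the
# BEGIN/END lines from a Base64-encoded .cer export, with no manual editing.

# 3. Register the root certificate on the gateway, then confirm it is listed.
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $RootCertName `
    -PublicCertData $CertificateText `
    -VirtualNetworkGatewayName $Gw.Name -ResourceGroupName $Gw.ResourceGroupName | Out-Null

$Registered = Get-AzureRmVpnClientRootCertificate -VirtualNetworkGatewayName $Gw.Name `
    -ResourceGroupName $Gw.ResourceGroupName
if ($Registered.Name -notcontains $RootCertName) {
    throw "Root certificate '$RootCertName' was not registered on the gateway"
}

# 4. Get the client package URL and download the installer. Only clients that
#    hold a certificate issued by the registered root can authenticate.
$PackageUrl = Get-AzureRmVpnClientPackage -ResourceGroupName $Gw.ResourceGroupName `
    -VirtualNetworkGatewayName $Gw.Name -ProcessorArchitecture Amd64
$PackageUrl = $PackageUrl.Trim('"')   # some module versions return the URL wrapped in quotes
Invoke-WebRequest -Uri $PackageUrl -OutFile "$env:USERPROFILE\Downloads\VpnClientPackage.exe"
```

Run it from the same user account that ran makecert, since the lookup targets the CurrentUser\My store. If you later need to revoke a client's access, removing the root with Remove-AzureRmVpnClientRootCertificate invalidates every client certificate issued from it, so issue one root per trust boundary (for example, one for staff and one per customer) if you expect to cut off one group without affecting the others.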

And that's it, folks! After installing the package, you should have the connection ready to fire from Settings >> Network & Internet >> VPN.

References:

[1] Configure a Point-to-Site connection to a virtual network using PowerShell

[2] Create a virtual network with a Site-to-Site VPN connection using PowerShell and Azure Resource Manager

[3] Working with self-signed root certificates for Point-to-Site configurations

[4] Windows Software Development Kit (SDK) for Windows 10
