Monday, November 23, 2015

Setup a secure point-to-site connection to a virtual network in Azure

Configure the network and gateway

Log in to the Azure portal (http://manage.windowsazure.com/) and create a new Virtual Network using Custom Create. On the DNS Servers and VPN Connectivity page:

  • Configure Point-To-Site VPN: select the checkbox.
  • On the Point-To-Site Connectivity page, specify the IP address range from which your VPN clients will receive an IP address when connected. This range must not overlap with any on-premises address range.

Update the IP range for the Azure subnet

When your virtual network has been created, its Status on the Networks page in the Azure portal shows Created. You can then create the dynamic routing gateway.

The gateway type must be configured as dynamic. Static routing gateways will not work with this feature.
  1. In the portal, on the Networks page, click the virtual network that you just created, and navigate to the Dashboard page.
  2. Click Create Gateway. It can take around 15 minutes for the gateway to be created.


Generate and upload certificates

Previously, you were required to generate your own self-signed certificate. Now you can also use certificates generated with an enterprise certificate solution. You can upload up to 20 root certificates to Azure.

Option 1: If you plan to use an enterprise certificate solution, the steps within each section will differ, but you will still need to do the following:

  • Identify or generate a root certificate.
  • Upload the root certificate .cer file to Azure.
  • Generate a client certificate.
  • Export and install the client certificate.

Option 2: If you plan to use a self-signed certificate, follow these steps:
  • One way to create an X.509 certificate is by using the Certificate Creation Tool (makecert.exe). To use makecert, download and install Microsoft Visual Studio Express, which is free of charge.
  • Navigate to the Visual Studio Tools folder and start the command prompt as Administrator.
  • The command in the following example will create and install a root certificate in the Personal certificate store on your computer and also create a corresponding .cer file that you'll later upload to the Azure portal.
  • Change to the directory where you want the .cer file to be created and run the following command, where NewRootCertName is the name that you want to use for the certificate. If you run the example with no changes, the result will be a root certificate named NewRootCertName in your Personal store and the corresponding file NewRootCertFile.cer.

Because you have created a root certificate from which client certificates will be generated, you may want to export this certificate along with its private key and save it to a safe location where it can be recovered. Anyone holding the root's private key can issue client certificates that your gateway will accept, so protect the export as you would any CA key.

C:\Program Files (x86)\Windows Kits\8.1\bin\x64>makecert -sky exchange -r -n "CN=NewRootCertName" -pe -a sha256 -len 4096 -ss My "NewRootCertFile.cer"

  • NewRootCertName is the name of the self-signed root certificate that you generated.

Upload the root certificate .cer file to the Azure portal

  1. In the Azure portal, on the Certificates page for your virtual network, click Upload a root certificate. Upload only the .cer file, which contains the public part of the certificate; the private key stays on your computer.

Generate a client certificate

The steps below are for generating a client certificate. On the same computer that you used to create the self-signed root certificate, open a Visual Studio command prompt window as administrator.

  1. Change the directory to the location where you want to save the client certificate file. NewRootCertName refers to the self-signed root certificate that you generated. If you run the following example (changing NewRootCertName to the name of your root certificate), the result will be a client certificate named NewClientCertificateName in your Personal certificate store, signed by your root certificate.
  2. C:\Program Files (x86)\Windows Kits\8.1\bin\x64>makecert.exe -n "CN=NewClientCertificateName" -pe -sky exchange -m 96 -ss My -in "NewRootCertName" -is my -a sha256


  3. All certificates are stored in your Personal certificate store on your computer. If you want to reuse a client certificate on another computer, export it as described in the next section.

Installing a client certificate on each computer that you want to connect to the virtual network is a mandatory step.

The steps below will walk you through installing the client certificate manually.

  1. A client certificate must be installed on each computer that you want to connect to the virtual network. This means you will probably create multiple client certificates and then need to export them. To export a client certificate, open certmgr.msc, right-click the client certificate that you want to export, click All Tasks, and then click Export.
  2. Export the client certificate with the private key. This will be a .pfx file. Make sure to record or remember the password (key) that you set for this certificate.
  3. Copy the .pfx file to the client computer. On the client computer, double-click the .pfx file in order to install it. Enter the password when requested. Do not modify the installation location.
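As an added example that is not part of the original post or of the Azure documentation, the same root-and-client workflow (generate the root, generate a client certificate signed by it, export the root .cer for upload and the .pfx files with private keys) using the New-SelfSignedCertificate cmdlet available on Windows 10 and Server 2016 instead of makecert. The certificate names, the output folder C:\P2S and the 2048-bit client key length are placeholders chosen here.

```powershell
# Added example (not from the original post): root + client certificate for
# Azure point-to-site, using New-SelfSignedCertificate instead of makecert.
# Names, output folder and client key length are placeholders.
$rootName   = "P2SRootCert"        # stands in for "NewRootCertName" above
$clientName = "P2SClientCert"      # stands in for "NewClientCertificateName" above
$outDir     = "C:\P2S"             # where the .cer and .pfx files are written
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Self-signed root: signing key, exportable, sha256, 4096-bit (as in the
# makecert -len 4096 command above), stored in the Personal (My) store.
# KeyUsage CertSign marks it as a certificate-signing (CA) key.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 4096 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate signed by the root, valid 96 months like "-m 96" above,
# with the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) the VPN expects.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName `
    -KeySpec Signature -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -NotAfter (Get-Date).AddMonths(96) `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $root `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Public part of the root only (DER-encoded .cer): this is the file you upload
# to the Azure portal. It carries no private key.
Export-Certificate -Cert $root -FilePath "$outDir\$rootName.cer" | Out-Null

# Root WITH private key, for the offline backup the post recommends.
# This file is never uploaded anywhere.
$rootPwd = Read-Host -AsSecureString "Password for root .pfx backup"
Export-PfxCertificate -Cert $root -FilePath "$outDir\$rootName.pfx" `
    -Password $rootPwd | Out-Null

# Client WITH private key (.pfx) to copy to each VPN client computer,
# matching step 2 of the manual export above.
$clientPwd = Read-Host -AsSecureString "Password for client .pfx"
Export-PfxCertificate -Cert $client -FilePath "$outDir\$clientName.pfx" `
    -Password $clientPwd | Out-Null

# Sanity checks before uploading: the root must be self-signed and the
# client's issuer must be the root's subject, otherwise the gateway will
# reject the client.
if ($root.Subject -ne $root.Issuer)   { throw "Root is not self-signed" }
if ($client.Issuer -ne $root.Subject) { throw "Client does not chain to the root" }
Write-Host "Root thumbprint:   $($root.Thumbprint)"
Write-Host "Client thumbprint: $($client.Thumbprint)"
```

Run it in an elevated PowerShell session; the thumbprints it prints are what you will see in certmgr.msc and on the Certificates page of the virtual network after upload.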

Configure your VPN client

The client requires both a client certificate and the proper VPN client configuration in order to connect.

Create the VPN client configuration package
  1. In the Azure portal, on the Dashboard page for your virtual network, navigate to the quick glance menu in the right corner and click the VPN package that pertains to the client that you want to connect to your virtual network.
  2. After you generate and download the VPN client package from the Azure portal, you can install the client package on the client computer from which you want to connect to your virtual network.

  3. If you plan to install the VPN client package to multiple client computers, make sure that they each also have a client certificate installed. The VPN client package contains configuration information to configure the VPN client software built into Windows. The package does not install additional software.

Install the VPN configuration package on the client and start the connection. Done.


This information is a simplification of the article https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-point-to-site-create/#create-your-certificates
