Configuring the point-to-site connection for remote users is demonstrated, including installing the self-signed certificates and downloading and installing the VPN client.
- [Instructor] We're going to go ahead and configure our point-to-site connection now within Azure. I can use the same gateway I already installed for our site-to-site connection, and you can see that I'm already logged in to my VNetConnectivity resource group within Azure. The STSG was our site-to-site gateway; the blade is already open. I'm going to scroll over just a little bit, and we can see that we have our information about our site-to-site gateway. We're going to go ahead and configure our point-to-site configuration. I already have an address pool populated in here of 172.16.201.0/24.
Next I need to upload the rootcertificate.cer file. I'm going to provide a name, and now I'm going to have to go pull this information. I have already configured my self-signing certificate. A self-signing certificate is fine for testing and dev, but for production you'll want to use a certificate from your CA. I'm going to go ahead and open up the certificate and copy the required data. I'm going to use the Azurerootcert; I'm going to go ahead and go Open with, Notepad, and I'm going to copy the certificate details, and then I'm going to paste those into Azure.
Go ahead and do the paste, and then it's critical that you save this. This will take a few moments to save. There we go, that information has now been saved, and we can go ahead and download the VPN connection. This will not be able to be downloaded until that information is saved. I'm going to go ahead and click Download, and your download will be presented to you. It could take a few moments for this to become active. Go ahead and click Download; you'll notice that I do have a warning here that this type of file can harm my computer. Yes, I want to go ahead and actually keep it, and then I'll launch it.
Again I am being presented with another warning. Yes, I accept this, and now, do I want to install the VPN Client for Production? Yes I do, click Yes. Perfect, and you would think this is all there is to do, but there is another step that you have to be aware of, and this involves installing the certificate on the local device. I'm going to pop back into my certificates folder, and I'm going to go ahead and install the clientcert into my local store. To do so I'm going to right-click, I'm going to hit Install PFX, I'm going to choose Local Machine, I'm going to click Next, yes I do want to allow this, the file that I'd like to import is specified, I'm going to click Next, and now I'm going to enter in the password.
When I created the client certificate, I was prompted to enter a password. This is the same password that I will use. Click Next, and I'm going to go ahead and go with the default option here. If you do need to place the certificate in a specific store, you would go ahead and select your second option, browse for the store, and then click Finish, and that's it. Your certificate will have been imported. You'll notice here that I have an additional certificate; this is more of a heads-up than anything else. When you download the VPN client, if you come across the error when you try to connect that a certificate chain processed but terminated in a root certificate which is not trusted by the trust provider, what you can do is actually open up the VPN client EXE and pull out the certificate.
I'm actually going to show that to you. I'm going to click in Downloads, here is that client, I'm going to open up that application with 7-Zip, Open archive, and you'll notice that is where the certificate is. Basically what you're going to want to do is move this out; I moved it into my certificates folder. I'm going to go ahead and close this, and then you're going to install the certificate. Local Machine, Next, yes I realize what I'm doing, and in this case I actually want to put this into the Trusted Root Certification Authorities store.
Click Next, yes this will import, Finish. Again, only if you have that error will you have to do this, and we can go ahead and take a look at these within that certificate store. To do so I'm going to launch MMC, and to do that within Windows 10, you're going to go ahead and use the Run command and then type mmc. I'm going to go ahead and add in my certificate snap-in, and click OK. You have to do this through MMC; you cannot just do this through the certificate management console that you would open up, let's say, through Cortana, because you will not see all of the certificates.
If I click in Personal you will see that I have my ClientCert there; I have a couple of other ones as well, and then I have my AzureRootCert, and here is the gateway certificate that I had to add. Let's go ahead and see what this looks like from a client point of view. I'm going to go ahead and just launch a VPN; now we can go ahead and use our VPN to connect to our production network. I'm going to go ahead, open up our Production icon, and then click Connect. I can go ahead and click Connect again.
This warning is just letting me know that we're going to run with elevated privileges. I'm going to go ahead and turn that off; I don't need to see that again. I'm going to click Continue, and to verify our connection I'm going to go ahead and run ipconfig /all from an elevated command prompt. I'm going to go ahead and scroll up, and you will notice, under my PPP adapter, we can see that I am connected to Production, and I have been assigned a 172.16.201.2 IP address from our virtual network.
We use point-to-site connectivity for our remote users. Again, I always like to think about it as anybody behind NAT will require a point-to-site. Best practice is to use a certificate authority, but you can use the self-signed certificates for testing, or maybe test and dev. And that's all there is to it, for setting up a point-to-site connection. Again, we use these for our remote users, anybody who sits behind NAT.
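The certificate steps the instructor performs by hand (creating the root and client certificates, copying the root's base64 text into the point-to-site configuration, exporting the client PFX, and the trust-chain problem behind the "terminated in a root certificate which is not trusted" error), as an added PowerShell example that is not part of the course. The certificate names, output folder and PFX password are assumptions, and the certificates are created in the current user's Personal store rather than Local Machine.

```powershell
# Added example, not the course's own script. Assumes Windows 10 with PowerShell 5.1 or later.
# Names, the output folder and the PFX password are placeholders; change them before use.
$rootName   = "AzureRootCert"
$clientName = "ClientCert"
$outDir     = "$env:USERPROFILE\certificates"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed root for test/dev only; production should use a certificate from your CA.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by that root, with the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Public part of the root as one base64 line (no BEGIN/END header): this is the text that goes into
#    the point-to-site root certificate field, the same data the instructor copies out of the .cer in Notepad.
$rootDer = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$rootB64 = [Convert]::ToBase64String($rootDer)
Set-Content -Path "$outDir\$rootName.b64.txt" -Value $rootB64
Export-Certificate -Cert $root -FilePath "$outDir\$rootName.cer" | Out-Null

# 4. Client certificate plus private key as a password-protected PFX for the remote user's machine;
#    the same password is what the Certificate Import Wizard asks for.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for $clientName"
Export-PfxCertificate -Cert $client -FilePath "$outDir\$clientName.pfx" -Password $pfxPassword | Out-Null

# 5. Trust check: build the client certificate's chain the way the VPN client will. A result of $false with
#    an UntrustedRoot status is the "terminated in a root certificate which is not trusted by the trust
#    provider" condition, fixed by placing the root in Trusted Root Certification Authorities.
function Test-ClientCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    foreach ($s in $chain.ChainStatus) { Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()) }
    return $ok
}
"Client certificate chains to a trusted root: $(Test-ClientCertChain -Cert $client)"
```

Freshly created, the root sits only in the Personal store, so the check reports UntrustedRoot until the root is imported into Trusted Root Certification Authorities, which is the same fix the instructor applies for the gateway certificate pulled from the VPN client package.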