Microsoft AZ-700: Connect Devices to Networks with Point-to-Site VPN Connections


Notes from MS Learn AZ-700 Module 2: Design and Implement Hybrid Networking – Unit 5: Connect Devices to Networks with Point-to-Site VPN Connections

Point-to-Site (P2S) gives an individual client a secure connection to a VNet. The connection is started from the client. Use it for telecommuters or a small number of clients that need to connect.

  • Point-to-Site Protocols
    • OpenVPN
      • SSL/TLS based. Can traverse most firewalls because TCP port 443 is usually open outbound
      • Useful for:
        • Android
        • iOS 11 and up
        • Windows
        • Linux
        • Mac (macOS 10.13 and up)
    • Secure Socket Tunneling Protocol (SSTP)
      • Proprietary TLS-based protocol. Can traverse most firewalls because it runs over TCP 443
      • Only supported on Windows
      • Azure supports all Windows versions that have SSTP (Windows 7 and up)
    • IKEv2
      • Standards-based IPsec VPN
      • Can be used for Macs (macOS 10.11 and up)
  • Point-to-Site Auth methods
    • Native Azure Certificate Auth
      • A client certificate on the device is used to authenticate the user
      • Client certificates are generated from a trusted root certificate and installed on each client
      • The root certificate can come from an enterprise CA or be a self-signed certificate you generate
      • The client certificate is validated while the connection is established
      • Validation needs the root certificate, so its public certificate data must be uploaded to Azure
    • Native MS Entra ID Auth
      • Users connect with their MS Entra ID credentials
      • Only supported for OpenVPN, on Windows 10 and later
      • Requires the Azure VPN Client
      • Conditional Access and MFA can be applied
      • High Level Steps
        • Configure tenant
        • Enable auth on gateway
        • Download and configure the Azure VPN Client
    • Auth using ADDS (Active Directory Domain Services)
      • Useful because it lets users connect to Azure with their org domain credentials
      • Requires a RADIUS server (new or existing)
      • The RADIUS server can be on-prem or in an Azure VNet
      • The Azure VPN Gateway relays auth messages between the RADIUS server and the connecting device
        • The gateway must be able to reach the RADIUS server
        • If RADIUS is on-prem, a Site-to-Site VPN between Azure and on-prem is required
      • RADIUS can integrate with certificate services
        • With that integration there is no need to upload root or revoked certificates to Azure
      • RADIUS can also integrate with other external identity systems, e.g. MFA
  • Configure Point-to-Site Clients
    • Use the native Windows or Mac clients
      • Azure provides a VPN client configuration zip with the required settings
        • The zip supplies the Azure-side values you need to build your own profile:
          • VPN gateway address
          • Tunnel types
          • Routes
          • Root Cert
    • Windows
      • VPN config is delivered as an installer package
      • Admin rights on the client device are required to initiate the VPN to Azure
    • Mac
      • VPN config is delivered as a mobileconfig file
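As an added example (this is not code from the MS Learn module or from the original post), here is the gateway-side Azure PowerShell for the three authentication methods above plus the client configuration zip download. The resource group `rg-hub`, the gateway `vgw-hub`, the client address pool and the tenant ID in `$cfg` are placeholders I assumed; the `41b23e61-...` audience ID is the documented Azure Public cloud application ID of the Azure VPN Client, so it assumes Azure Public rather than a sovereign cloud.

```powershell
<#
Added example, not code from the MS Learn module or the original post.
Gateway-side configuration of the three P2S authentication methods, plus
download of the client configuration zip, using Az.Network cmdlets.
Assumptions (placeholders, not from the page): resource group 'rg-hub',
an existing route-based VPN gateway 'vgw-hub', client pool 172.16.201.0/24,
and the tenant ID in $cfg. Run after Connect-AzAccount.
#>
#Requires -Modules Az.Accounts, Az.Network

$cfg = @{
    ResourceGroup = 'rg-hub'                               # assumed
    GatewayName   = 'vgw-hub'                              # assumed
    ClientPool    = '172.16.201.0/24'                      # assumed P2S address pool
    TenantId      = '00000000-0000-0000-0000-000000000000' # placeholder
}

function Get-Gateway {
    Get-AzVirtualNetworkGateway -Name $cfg.GatewayName -ResourceGroupName $cfg.ResourceGroup
}

# --- Native Azure certificate authentication --------------------------------
function New-P2SCertificates {
    # Self-signed root + client cert for a lab. In production the root comes from
    # an enterprise CA and client certs are issued per user from it.
    $root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyUsageProperty Sign -KeyUsage CertSign

    # Client-auth EKU (1.3.6.1.5.5.7.3.2), signed by the root above.
    $client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject 'CN=P2SClientCert' -DnsName 'P2SClientCert' -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

    # Azure needs only the root's Base64 DER public certificate, never its private key.
    $rootPublicKey = [Convert]::ToBase64String($root.Export('Cert'))
    [pscustomobject]@{ Root = $root; Client = $client; RootPublicKey = $rootPublicKey }
}

function Set-P2SCertificateAuth {
    param([Parameter(Mandatory)][string]$RootPublicKey)
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway (Get-Gateway) `
        -VpnClientAddressPool $cfg.ClientPool `
        -VpnClientProtocol IkeV2, OpenVPN `
        -VpnAuthenticationType Certificate | Out-Null
    # Upload the root: every client cert chaining to it is then accepted...
    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'P2SRootCert' `
        -PublicCertData $RootPublicKey `
        -VirtualNetworkGatewayName $cfg.GatewayName -ResourceGroupName $cfg.ResourceGroup
}

function Revoke-P2SClientCertificate {
    # ...unless its thumbprint is listed as revoked on the gateway (e.g. a lost laptop).
    param([Parameter(Mandatory)][string]$Thumbprint, [string]$Name = 'RevokedClient')
    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $Name `
        -Thumbprint $Thumbprint `
        -VirtualNetworkGatewayName $cfg.GatewayName -ResourceGroupName $cfg.ResourceGroup
}

# --- Native Microsoft Entra ID authentication (OpenVPN + Azure VPN Client) ---
function Set-P2SEntraAuth {
    # 41b23e61-... is the documented Azure Public application ID of the Azure VPN Client
    # enterprise app; assumption: Azure Public cloud (other clouds use a different ID).
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway (Get-Gateway) `
        -VpnClientAddressPool $cfg.ClientPool `
        -VpnClientProtocol OpenVPN `
        -VpnAuthenticationType AAD `
        -AadTenantUri "https://login.microsoftonline.com/$($cfg.TenantId)" `
        -AadAudienceId '41b23e61-6c1e-4545-b367-cd054e0ed4b4' `
        -AadIssuerUri  "https://sts.windows.net/$($cfg.TenantId)/" | Out-Null
}

# --- RADIUS (AD DS) authentication ------------------------------------------
function Set-P2SRadiusAuth {
    # $RadiusServer must be reachable from the gateway: a VNet address, or an on-prem
    # address across an existing Site-to-Site connection.
    param([Parameter(Mandatory)][string]$RadiusServer,
          [Parameter(Mandatory)][securestring]$SharedSecret)
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway (Get-Gateway) `
        -VpnClientAddressPool $cfg.ClientPool `
        -VpnClientProtocol IkeV2, SSTP `
        -VpnAuthenticationType Radius `
        -RadiusServerAddress $RadiusServer -RadiusServerSecret $SharedSecret | Out-Null
}

# --- Client configuration zip (gateway address, tunnel types, routes, root cert) ---
function Get-P2SClientConfigZip {
    param([string]$Path = "$env:TEMP\vpnclientconfig.zip")
    $clientProfile = New-AzVpnClientConfiguration -Name $cfg.GatewayName `
        -ResourceGroupName $cfg.ResourceGroup -AuthenticationMethod EapTls
    Invoke-WebRequest -Uri $clientProfile.VpnProfileSASUrl -OutFile $Path
    return $Path
}

# Example run for certificate auth:
# $certs = New-P2SCertificates
# Set-P2SCertificateAuth -RootPublicKey $certs.RootPublicKey
# Get-P2SClientConfigZip
```

Two points worth noting from the script: the gateway's `-VpnAuthenticationType` and `-VpnClientProtocol` are set together, which is why Entra ID auth forces `OpenVPN` only, and revocation for certificate auth is by thumbprint on the gateway, so a per-user client certificate (rather than one shared cert) is what makes a single lost device revocable.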

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-connect-devices-to-networks-with-point-to-site-vpn-connections/
