If it hasn't already been pointed out, at 5:39 it says to select User VPN configuration. The wording has changed in the portal to Point-to-site configuration.
Great content. I loved the fact that you go directly to the central point of the video and still is able to deliver the details necessary to get the job done.
Thank you for this! Nowhere in Microsoft documentation (that I could find) explained what the audience and issuer values needed to be, so I was sitting here pulling my hair out until I found your video. Thank you!
That's so true.
Did you find out where audience comes from, and is it just some magical value identical for everyone (unlikely) or a value specific to the tenant or AAD, and if so, where do we lift that from?
Absolutely valuable information - highly appreciated
Job done in just a 15 min video. Thank you very much
Hi Travis. Thanks for this video. Super helpful and easy to understand. Can the "give admin consent" step and the "restrict VPN to group" step be done via Terraform?
Thanks for this amazing post. Is there a way to force MFA for all VPN connections (as opposed to the just the original connection)?
Ideally, when I remove a user from the group, I don't want them to still be able to connect to the VPN. Currently, when I remove a user from the group, that user can still connect to the VPN. Is there a way to force MFA for all VPN connections? Currently, there's a cookie on the client machine that will allow them to connect even after the user is removed from the group. I want to enforce MFA for all VPN connections (and not only during the initial connection). Also, I followed this YouTube video setup, for context.
Wow, that was nice and easy to set up, and I prefer it over certificates to forward to other users. My question to you now is: do you have instructions on how to connect the VPN'd user to access Azure SQL Server? I can connect but can't figure out how to get the vNIC 10.0.0.101 for my SQL server.
Thank you! If I already have a site-to-site VPN, can I go into that and enable the point-to-site? Or do you need to create a new VPN just for the point-to-site? Awesome info.
Great video and great learning, thanks. With this VPN connection can we access SQL Server with a private endpoint?
Thanks for this fabulous content. Can I add P2S as described here to an existing VNET that is already connected in a site-to-site VPN setting?
Hi Travis, another great video. I do have a question, I couldn't get this to work. I currently have the VPN set to certificate-based based on one of your other videos. I removed that, then followed this tutorial so that login would be user based. At the point where you install the VPN client and import the XML file and test the VPN connection (before enabling MFA), my client fails with the following error: "Server did not respond properly to VPN Control Packets. Session State: Key Material sent". Any ideas? Did I not release the cert version before creating this one?
Thanks a million, helped me a lot. However, I have a question about authentication. I've removed the user from the group to see if he could still log in or not, but the user could still establish a connection. I've tested with another user that was never a member of the allowed group, and it couldn't access, which means that my setup on the Azure VPN app is correct. Though I've even disabled that test account, so it was unable to log into the Azure portal, it's still able to VPN!!!! How to fix this please? Otherwise I can't have this feature in production, unsafe. Thank you!
Did you ever figure out a solution? I have the same question/concern.
Thank you, this video was instrumental in helping me configure and install a Client - Virtual Server App. I followed the video regarding the IP / subnet addresses and got it to work, but any suggestions to better understand the logic behind this without having to become a network engineer?
Hi, thanks so much for the video! I have a question: would you say it's best practice to set up a separate VNG for your Azure resources from the VNG used for your VPN? Or does it not make a difference? I hope my question makes sense.
Old question but I agree. A "VPN DMZ" vnet which then uses VNET peering to connect to other vnets (using NSGs).
Enjoy your videos Travis and learning a lot. One question my boss is asking is if the speed, latency and connection are any different between regular RDP or using the VM? Thanks.
Hi Travis. Great content. Love the delivery. I just have one question. Can I use the same GW as a site-to-site active VPN for my Azure-to-site VPN, or is it a must that I create a new GW?
You can use the same GW. Both S2S and P2S are included with the service.
I have a number of different virtual networks in my Azure, all with servers behind them. Currently the ports to remote desktop to the servers are locked to my home IP address, but I need other people to also have access. Thanks to this video I have successfully set up VPN connections, but how do I configure each network to allow access on some ports to VPN users?
That's so cool! Almost too easy. I'm wondering if the Azure app config can be deployed with Endpoint Manager? The app wouldn't be the problem, just wondering about the config.
Great idea, and I'm also interested in a similar deployment for my remote users.
Hi, your channel is really useful. I have one question: after logging in with some user, say test1, when I disconnect and connect again it does not require MFA. Is there any way I can force the VPN client to ask for MFA every time I hit connect, like when we use Connect-AzAccount it does not save the token and asks for MFA each time?
Hi Ekansh, seems like MFA has a 1-hour minimum token, which means the user doesn't need to re-enter MFA until that time is reached.
@jesuspenaranda585 yes Jesus, I saw that in Conditional Access. But is there any other way by which I can reduce this time or change the configuration to not save token values after disconnecting the VPN?
This video was a huge help! Great content, thanks for posting!
What do you think is better: cert-based with IKEv2, or OpenVPN with AAD?
Hello Travis, awesome videos. I have a question: is there any option other than using local administrator permissions to connect? Most of my users are configured as standard users.
Fabulous video, got me through the process. Very appreciative of your professional delivery too: clear and quick, covers all the bases without meandering. But can you help with one more question: what now? I can connect my user to the Azure gateway over VPN, but how do I get them to see their remote application on the VM? Thanks again.
Very helpful, I was missing the information about the Azure AD URLs in the Microsoft docs. I managed to configure this with your help, thanks.
Glad it helped!
Azure VPN for P2S with MFA is ridiculously expensive at $6/user a month. Not sure if I can justify spending $10k/year for MFA. Might just end up not implementing MFA, even though we currently use MFA for onprem. (Edit: It looks like as of 5/14/2021 MFA is free for Azure VPN and no P1 license for users are needed)
This is great to get this stuff configured, but doing these exact steps doesn't wire up DNS to your VNet. I've done all of the steps and I can connect, but I can't resolve any DNS names in the VNet.
Is it required to use IKEv2 with certificates on macOS? I couldn't find the Azure VPN client application for macOS.
Anyone help out? I have done this in the past with no issue following this video; now on a separate instance it will not connect after setting up the VPN client. It always fails to connect with "server did not respond properly to VPN control packets", key material sent. Time on my PC is 100% correct, I triple-checked my settings, all seem fine?
Will this work for Linux client machines? If not, are there any other possibilities to use Azure AD MFA for Linux client machines for Azure P2S VPN?
This is a great video guide. I was able to set up a P2S VPN easily just by following the steps from this video. Could you please help me with connecting to another VNet which has a gateway and is used to connect to the on-premises network? The other VNet has VMs in it. I want the P2S VPN users to access the resources available in that other VNet. Both resource groups are in the same region and under the same subscription.
You should use VNet peering for this.
I don't think this works any more. Microsoft calls out a different audience value now, and it looks like CA MFA is no longer working with these steps. Please review and update?
Great video. Can this be connected to multiple regions? What are the costs?
May I ask you if it's possible to use AD CS with P2S?
Thank you for this content. However, I am disconnected from the internet while I am connected to the VPN gateway through the Azure VPN client. How to solve this? I can't use Azure VPN P2S with Azure AD if I can't use the internet at the same time. Thanks in advance.
This is really informative and easy to understand. Thanks!
Thanks. Does it work with the OpenVPN client too?
Great video, thanks. I tried implementing the same and everything works; however, after connecting to the VPN I am unable to browse the internet.
This is a DNS problem on Azure. I had the same problem. Change your DNS to Google or a local DNS within the virtual network and you will get internet.
Very informative. The content of the video is very good. Thanks :)
Most welcome 😊
Does this work if the user does not have local admin rights to the client machine?
I have a VNet peered to my AADDS VNet and I specify custom DNS servers. When I connect to the Azure VPN client, I lose name resolution on my laptop. Any recommendations on this issue?
This VPN did not change my public IP address. Is there any way to use this VPN (or any other VPN which can be used to connect to an Azure VNet) to change my public IP address?
Travis, what if we already have a VNet gateway for our site-to-site connection? Can we use the site-to-site gateway, or do we need a new gateway?
One gateway can do both. Here is a link to the limits per SKU. docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#benchmark
I have a free Azure AAD and I don't see Azure VPN in the enterprise applications. What could be the reason? Is it because of the free subscription?
If that VPN gateway has an S2S connection with an on-premises site, would P2S users be able to connect to the on-prem network too?
Yes, it can. All you have to do is add the address pool of the point-to-site in the on-premises firewall device and add the address space on the PC. Once added, you have to disconnect the point-to-site and reconnect, and you will be able to reach Azure and on-premises.
@04chavez it works sick, but I have an issue with the client deployment. Can't seem to find an easy way (without Intune) to deploy this.
OK, but you didn't go over how to VPN to the server after setting up the Azure VPN Client. It still prompts me for a server username and password when mapping the drive.
This is an awesome video! thank you so much.
Amazing video! Thank you!
Great video. Can you assist with getting this deployed using Intune? Much appreciated.
Very good, thank you. Do you know if Azure VPN works with start-before-login like Cisco SBL?
Thanks. Azure VPN does not support that.
Hi Travis, your videos are amazing!!! I wanted to know how I can copy data from on-prem Oracle to Blob storage in a virtual network without using the integration runtime. Is it possible?
Not sure about Oracle specifically, but have you checked out AzCopy?
Awesome, thanks for the video
Absolutely fantastic. Why does it take a non-Microsoft person to explain the concept so clearly? The Microsoft guides are garbage.
This is an awesome demo and got me thinking: perhaps a solution for updating remote users' cached credentials on their PC after a remote user resets their password via SSPR. :)
Glad to help
Will Azure AD work with Hybrid AD?
Will this allow always-on VPN so the computer can talk to a Domain Controller in the VNET?
It will work with hybrid identities sourced from Windows AD. It will not provide always on connectivity like Always On VPN.
I am facing this error code CAA2000B. Please show each step for this lab.
Great video. Thank you so much!!!
Thanks for another great video
Hello Travis, thank you for all your videos :) While connecting to the VPN the device throws the error "Connecting to VPN server failed with exception: No such host is known." However, the diagnostics don't show any error. Do you happen to know about the issue?
If you are on a corporate-issued PC you might have an issue with Cisco or another security tool. Just put the IP and URL in your hosts file.
Just flush your DNS cache with the following commands in cmd:
ipconfig /flushdns
ipconfig /renew
and reboot your PC.
It's clear and good.
Hi, thanks for this video. I am getting the error "Vpn client configuration AAD Audience is not valid for gateway. AAD Audience must be a Guid." But I double-checked, the audience code is correct. It is the same as yours, and I can copy it from my Azure VPN as well. But I am still getting this error, any idea? Thank you!
Excellent video
Just can't download the configuration file. The Azure portal just gives me the message "fail to download file. cant get uri".
Great video! 👍
Glad you liked it!
I receive the following error: Status = Server did not respond properly to VPN Control Packets. Session State: Key Material sent.
I'm getting the same error as well. Any luck?
Just figured this out. It's likely your issuer is incorrect. Make sure it's the right ID and has a "/" at the end of it. This fixed it for me.
Thanks for this great vid.
Glad you enjoyed it!
Thanks
Thank you!
Here comes the old Microsoft again... Active Directory configuration only supports a Windows-only client. Useless for everyone except the smallest Microsoft-only shops.
If you use Azure Active Directory authentication, it supports Windows, Mac and Linux.
@joepiskapoo sorry, but you are wrong. The VPN client only supports Windows.
@floid33556 the client, yes, but you can use OpenVPN on Linux to connect to the P2S.
It doesn't work: "Keyset does not exist". This is fucked up because googling "Azure VPN Client" "keyset does not exist" results in zero results!!!
It does now 😁
Need help :-(
Have you seen the link below? The Directory ID needs the "/" at the end. github.com/MicrosoftDocs/azure-docs/issues/45598
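Several comments in this thread hit the same profile mistakes: an audience value that is not a GUID (or is the tenant ID pasted into the wrong field), an issuer without the trailing "/", and a tunnel that comes up but cannot resolve names in the VNet. The script below is an added example, not code from the video, from Travis, or from Microsoft. It checks a downloaded Azure VPN Client profile (azurevpnconfig.xml) for those mistakes before you import it. The sample profile embedded in it is constructed for the demo, every GUID in it is a placeholder, and the element paths it reads (aad/audience, aad/issuer, aad/tenant, clientconfig/dnsservers/dnsserver) are assumed from the profile layout the Azure VPN Client uses; adjust them if your downloaded file differs.

```python
"""Sanity-check an Azure VPN Client profile (azurevpnconfig.xml) before importing it."""
import re
import sys
import xml.etree.ElementTree as ET

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Constructed sample profile for the demo. Every GUID below is a placeholder, not a real
# application or tenant ID; the element names follow the Azure VPN Client profile layout.
SAMPLE_PROFILE = """<azvpnprofile>
  <clientconfig>
    <dnsservers>
      <dnsserver>10.0.0.4</dnsserver>
    </dnsservers>
  </clientconfig>
  <serverlist>
    <ServerEntry>
      <displayname>demo-gateway</displayname>
      <fqdn>azuregateway-demo.vpn.azure.com</fqdn>
    </ServerEntry>
  </serverlist>
  <aad>
    <audience>11111111-2222-3333-4444-555555555555</audience>
    <issuer>https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/</issuer>
    <tenant>https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/</tenant>
  </aad>
</azvpnprofile>
"""


def _text(root, path):
    node = root.find(path)
    return node.text.strip() if node is not None and node.text else ""


def _tenant_from_url(value, host):
    """Return (tenant_id, has_trailing_slash) for https://<host>/<tenant>[/], else (None, False)."""
    m = re.match(r"^https://" + re.escape(host) + r"/([^/]+)(/?)$", value)
    if not m:
        return None, False
    return m.group(1), m.group(2) == "/"


def check_profile(xml_text):
    """Return a list of problems; an empty list means the <aad> block and DNS settings look sane."""
    root = ET.fromstring(xml_text)
    problems = []

    audience = _text(root, "aad/audience")
    issuer = _text(root, "aad/issuer")
    tenant = _text(root, "aad/tenant")

    # The audience is the application (client) ID of the Azure VPN enterprise app, so it is a GUID.
    if not GUID_RE.match(audience):
        problems.append(f"audience must be a GUID (the Azure VPN application ID), got {audience!r}")

    issuer_tid, issuer_slash = _tenant_from_url(issuer, "sts.windows.net")
    if issuer_tid is None:
        problems.append(f"issuer must look like https://sts.windows.net/<tenant-id>/, got {issuer!r}")
    else:
        if not GUID_RE.match(issuer_tid):
            problems.append(f"issuer tenant ID is not a GUID: {issuer_tid!r}")
        if not issuer_slash:
            problems.append("issuer is missing the trailing '/'")

    tenant_tid, _ = _tenant_from_url(tenant, "login.microsoftonline.com")
    if tenant_tid is None:
        problems.append(f"tenant must look like https://login.microsoftonline.com/<tenant-id>/, got {tenant!r}")
    elif issuer_tid is not None and tenant_tid.lower() != issuer_tid.lower():
        problems.append("tenant ID mismatch between <issuer> and <tenant>")

    # Common mix-up: pasting the tenant ID into <audience>. Both are GUIDs, but they are different things.
    if issuer_tid and audience.lower() == issuer_tid.lower():
        problems.append("audience equals the tenant ID; it must be the application ID instead")

    # With no resolver that knows the VNet, the tunnel comes up but names inside it do not resolve.
    if not root.findall("clientconfig/dnsservers/dnsserver"):
        problems.append("no <dnsserver> under <clientconfig>; names in the VNet will not resolve over the tunnel")

    return problems


if __name__ == "__main__":
    # Usage: python check_profile.py azurevpnconfig.xml   (runs against the sample when no file is given)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    found = check_profile(text)
    print("OK" if not found else "\n".join(found))
```

The checks are deliberately structural: the script does not know which application ID Microsoft currently publishes for the Azure VPN app, so it cannot tell you whether the GUID is the right one, only whether the field holds a GUID at all and whether it has been confused with the tenant ID. Compare the audience against the value shown in the Microsoft documentation for your cloud, since the comments above note that the documented value has changed over time.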