Implement (Always On) Azure VPN Gateway, Deploy Azure VPN Client and VPN profile via Intune


2024-11-13


It was Q4 2020 when I was asked to design a new Modern Workspace concept. The customer had no on-premises hardware or resources and wanted us to migrate everything into Azure. Because of the services they were using, a VPN connection to Azure was still required. Different options passed through my mind, but I decided to go for the Azure Virtual Network Gateway. I really wanted this because of its support for Azure AD as the identity provider for authentication.

The endpoints are Azure AD joined, deployed via Autopilot and managed by Intune. We picked the Azure VPN Client for the connection and deploy a VPN profile to it via Endpoint Manager (Intune). Are you curious how it's done? Continue reading!

Note: Most settings are left at their defaults because these are good enough for this demo and for regular organizations. Depending on the bandwidth, total number of connections and speed requirements, these settings may need to differ.

Create Virtual Network Gateway

  1. Create a resource group in Azure and click Create.

Create resource

2. Search for Virtual network gateway, click Create.

Create virtual network gateway

Creating the virtual network gateway is straightforward. The Basic SKU would be good enough, but in this case I picked VpnGw1. Different SKUs are available, but the price increases with every step. A quick view of the pricing can be found here.

Note: OpenVPN is not available in the Basic SKU!

3. Create virtual network gateway

Create virtual network gateway

I assume that there’s no Virtual Network available yet and thus we create one via the Virtual Network Gateway creation wizard. For this demo the default address space and subnet is fine.

4. Create virtual network

Create virtual network

5. Continue creating the virtual network gateway. Click Review + create to continue .

Create virtual network gateway

Here's a quick summary of the VPN Gateway I'm creating and using for this demo. Click Create and wait until the VPN Gateway is deployed.

Summary

Note: I've seen deployments which took over 45 minutes to complete. I'm not 100 percent sure, but if I remember right, this had something to do with registering a new public IP. If you already have a public IP, this could be much faster. In my case it took 35 minutes to complete.

Deployment progress

Azure VPN Enterprise App

First, we have to enable Azure AD authentication on this Azure VPN Gateway. For that, the Azure VPN Enterprise App has to be registered in the tenant and granted consent. Open one of the following URLs, depending on the type of tenant you are using. Note that the URL carries prompt=admin_consent: the consent you give is tenant-wide, which is why an administrator account is required.

Public: https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Azure Gov : https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent

Azure Germany: https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent

Azure China: https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent

6. Open the URL which belongs to your type of tenant and sign in with a Global Administrator account. Accept the requested permissions.

Azure VPN permissions

Once accepted, you should see the following Enterprise App in the Azure portal. Copy the Application ID (41b23e61-6c1e-4545-b367-cd054e0ed4b4); we need it in the next step!

Azure VPN Enterprise App

Point-to-site configuration

7. Open your Virtual Network Gateway -> Point-to-site configuration -> Configure now

Point-to-site configuration

8. Configure the following settings. The Audience, Issuer and Tenant values are what the gateway validates every client token against, so they must match exactly (including the trailing slash in the two URLs).

  1. Address pool: the client VPN connections receive an IP address from this range. Pick a range that does not overlap with the VNet or any other network the clients must reach.
  2. Tunnel type: OpenVPN (SSL)
  3. Authentication type: Azure Active Directory
  4. Tenant: https://login.microsoftonline.com/9b508669-d87d-****-****-**********/ (Tenant ID)
  5. Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4 (Enterprise App ID from the previous step)
  6. Issuer: https://sts.windows.net/9b508669-d87d-****-****-**********/ (Tenant ID)
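The same point-to-site configuration applied with Az PowerShell instead of the portal, as an added example that is not part of the original post. It first checks that the consent from step 6 actually created the Azure VPN service principal in the tenant, refuses a Basic SKU gateway (no OpenVPN), applies the settings of step 8 and then reads them back. The resource group name, gateway name and client address pool are placeholders I chose; the tenant ID is taken from the signed-in Az context.

```powershell
<#
Added example, not from the original post. Requires the Az.Accounts, Az.Network
and Az.Resources modules and an existing Connect-AzAccount session in the tenant
the gateway lives in. Names below are assumptions, replace them with yours.
#>
$ResourceGroup = 'rg-vpn-demo'                              # assumption
$GatewayName   = 'vgw-demo'                                 # assumption
$ClientPool    = '10.10.0.0/24'                             # assumption; must not overlap the VNet
$AzureVpnAppId = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'     # Azure VPN enterprise app, public cloud

$ErrorActionPreference = 'Stop'

# The tenant ID goes into both URIs the gateway compares tokens against; the trailing
# slash is part of the value, as in the portal screenshot above.
$tenantId  = (Get-AzContext).Tenant.Id
$tenantUri = "https://login.microsoftonline.com/$tenantId/"
$issuerUri = "https://sts.windows.net/$tenantId/"

# Step 6 check: admin consent creates a service principal for the app. Without it the
# audience configured below refers to nothing in this tenant and every logon fails.
$sp = Get-AzADServicePrincipal -ApplicationId $AzureVpnAppId
if (-not $sp) {
    throw "No service principal for $AzureVpnAppId in tenant $tenantId; open the consent URL from step 6 first."
}

$gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
if ($gw.Sku.Name -eq 'Basic') { throw 'OpenVPN is not available on the Basic SKU; pick VpnGw1 or higher.' }

# Step 8 as one call: OpenVPN tunnel, Azure AD authentication, client pool, token validation values.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool $ClientPool `
    -VpnClientProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri $tenantUri `
    -AadAudienceId $AzureVpnAppId `
    -AadIssuerUri $issuerUri | Out-Null

# Read back and verify the three values; a typo here is the usual cause of "invalid token" errors.
$cfg = (Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup).VpnClientConfiguration
$expected = @{
    AadTenant   = $tenantUri
    AadAudience = $AzureVpnAppId
    AadIssuer   = $issuerUri
}
foreach ($k in $expected.Keys) {
    $actual = $cfg.$k
    if ($actual -ne $expected[$k]) { throw "$k is '$actual', expected '$($expected[$k])'" }
    "[OK] $k = $actual"
}
"[OK] protocols: $($cfg.VpnClientProtocols -join ', '); pool: $($cfg.VpnClientAddressPool.AddressPrefixes -join ', ')"
```

Run it once per gateway; updating a gateway's point-to-site configuration takes a few minutes and briefly disconnects existing clients, so do it outside working hours on a production gateway.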

Point-to-site configuration

Deploy the Azure VPN client via Intune / Endpoint Manager

9. Switch to Endpoint Manager / Intune: https://intune.microsoft.com. Add the Azure VPN Client, which can be found in the new Microsoft Store. Click Add -> Select Microsoft Store app (new).

Search for the Azure VPN Client app.

Click Next and assign the application for all devices or a specific group.


Prepare VPN Profile config

The VPN profile is an XML file with specific settings, and it is this XML file that Intune deploys. Before we can deploy it we have to fill it in. I'll share a custom XML file below which needs to be modified. Read the steps below carefully!

10. Download the VPN client configuration package (Virtual Network Gateway -> Point-to-site configuration -> Download VPN client) and unpack the .zip file.

11. Grab my example VPN profile from my GitHub and make the following modifications (the line numbers refer to that file):

  • Line 5: modify the <TrustedNetworkDetection> setting to the DNS suffix your DHCP server hands out to your clients. It is used to determine whether a device is connected to the internal network or is external. For example: contoso.local.
  • Line 9: modify the <ServerUrlList> setting. This value can be found in the generic/VpnSettings.xml file in the .zip file downloaded in step 10.
  • Line 18: modify the <issuer> setting to https://sts.windows.net/TENANTID/. This is the same value as in step 8.
  • Line 19: modify the <tenant> setting to https://login.microsoftonline.com/TENANTID/. This is the same value as in step 8.
  • Line 31: modify the <name> setting. This is the VNet name created in step 4. For example: VNET1.
  • Line 41: modify the <fqdn> setting. This value can be found in the azurevpn/azurevpnconfig.xml file in the .zip file downloaded in step 10.
  • Line 46: modify the <hash> setting. This value can be found in the azurevpn/azurevpnconfig.xml file in the .zip file downloaded in step 10.
  • Line 50: modify the <serversecret> setting. This value can be found in the azurevpn/azurevpnconfig.xml file in the .zip file downloaded in step 10.

Save your custom VPN profile as .xml and keep it somewhere safe! It contains the gateway's <serversecret> and certificate hash, so treat it like any other secret and do not commit it to a public repository. 🙂
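Editing a file by line number is error-prone, so here is an added example (not code from the original post or its GitHub repo) that fills the template from the downloaded package by element name and sanity-checks the result before it goes into Intune. It assumes the unpacked package contains azurevpn\azurevpnconfig.xml and generic\VpnSettings.xml, that the gateway host name in VpnSettings.xml sits in a <VpnServer> element, and that the template contains the elements listed in the bullets above plus an <audience> element; the parameter names are mine.

```powershell
<#
Added example, not from the original post. Fills the example profile (step 11)
with the values from the VPN client package (step 10) and checks the values the
gateway will validate tokens against. Element names other than those listed in
the post (<VpnServer>, <audience>) are assumptions.
#>
param(
    [Parameter(Mandatory)] [string] $PackageRoot,       # folder the downloaded .zip was unpacked into
    [Parameter(Mandatory)] [string] $TemplatePath,      # example VPN profile from the post's GitHub
    [Parameter(Mandatory)] [string] $TrustedDnsSuffix,  # DNS suffix your internal DHCP hands out, e.g. contoso.local
    [Parameter(Mandatory)] [string] $OutputPath         # finished profile to import in step 15
)
$ErrorActionPreference = 'Stop'
$xsi = 'http://www.w3.org/2001/XMLSchema-instance'

# Look elements up by local name: azurevpnconfig.xml uses a default namespace,
# the VPNv2 ProfileXML does not, and local-name() matches in both.
function Get-Element([xml] $Doc, [string] $LocalName) {
    $node = $Doc.SelectSingleNode("//*[local-name()='$LocalName']")
    if ($null -eq $node) { throw "Element <$LocalName> not found" }
    return $node
}

function Set-Element([xml] $Doc, [string] $LocalName, [string] $Value) {
    if ([string]::IsNullOrWhiteSpace($Value)) { throw "Refusing to write an empty <$LocalName>" }
    $node = Get-Element $Doc $LocalName
    # A placeholder written as <x i:nil="true"/> must lose the nil marker once it has content.
    if ($node.HasAttribute('nil', $xsi)) { $node.RemoveAttribute('nil', $xsi) }
    $node.InnerText = $Value
}

$azConfig   = [xml] (Get-Content -Raw (Join-Path $PackageRoot 'azurevpn\azurevpnconfig.xml'))
$generic    = [xml] (Get-Content -Raw (Join-Path $PackageRoot 'generic\VpnSettings.xml'))
$vpnProfile = [xml] (Get-Content -Raw $TemplatePath)

# The eight values the bullet list tells you to copy, pulled straight from the package.
$values = [ordered] @{
    TrustedNetworkDetection = $TrustedDnsSuffix
    ServerUrlList           = (Get-Element $generic  'VpnServer').InnerText.Trim()   # assumed element name
    issuer                  = (Get-Element $azConfig 'issuer').InnerText.Trim()
    tenant                  = (Get-Element $azConfig 'tenant').InnerText.Trim()
    name                    = (Get-Element $azConfig 'name').InnerText.Trim()
    fqdn                    = (Get-Element $azConfig 'fqdn').InnerText.Trim()
    hash                    = (Get-Element $azConfig 'hash').InnerText.Trim()
    serversecret            = (Get-Element $azConfig 'serversecret').InnerText.Trim()
}
foreach ($entry in $values.GetEnumerator()) { Set-Element $vpnProfile $entry.Key $entry.Value }

# Checks against what the gateway validates with (step 8): issuer and tenant must carry
# the same tenant ID and end with a slash; the audience must be an application ID and
# must be identical in the package and in the template.
foreach ($k in 'issuer', 'tenant') {
    if (-not $values[$k].EndsWith('/')) { throw "<$k> must end with a slash: $($values[$k])" }
}
if (([uri] $values['issuer']).Segments[1] -ne ([uri] $values['tenant']).Segments[1]) {
    throw 'Tenant ID differs between <issuer> and <tenant>'
}
$audience = (Get-Element $azConfig 'audience').InnerText.Trim()
if ($audience -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
    throw "Audience is not an application ID: $audience"
}
$templateAudience = (Get-Element $vpnProfile 'audience').InnerText.Trim()
if ($templateAudience -ne $audience) {
    throw "Template audience $templateAudience differs from package audience $audience"
}
if ($values['fqdn'] -ne $values['ServerUrlList']) {
    Write-Warning "fqdn ($($values['fqdn'])) and ServerUrlList ($($values['ServerUrlList'])) differ"
}

$vpnProfile.Save($OutputPath)
"Profile written to $OutputPath; it contains the gateway's <serversecret>, so store it as a secret."
```

Invoke it as `.\Fill-AzureVpnProfile.ps1 -PackageRoot C:\tmp\vpnclient -TemplatePath .\AzureVPN-Template.xml -TrustedDnsSuffix contoso.local -OutputPath .\AO-VPN.xml` (file names are examples). Loading the result with `[xml]` already guarantees it is well-formed, which is the most common reason the VPNv2 CSP rejects a profile.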

Deploy VPN profile via Intune / Endpoint Manager

12. Switch to Endpoint Manager / Intune: https://intune.microsoft.com -> Devices -> Create Profile

Create profile

13. Pick Windows 10 and later as the platform and Templates as the profile type, then select the Custom template.

Custom profile

14. Give your profile a name.

Configuration profile

15. Create a new OMA-URI setting. I'm not sure if spaces are allowed in the fifth section; we have used - within all words. This section is the profile name which is shown on the end-user device and in the Azure VPN Client. Because the OMA-URI starts with ./User, the profile is created per user rather than per device.

  • Name: AO VPN Azure AD
  • Description: optional
  • OMA-URI: ./User/Vendor/MSFT/VPNv2/Contoso-AO-VPN/profilexml
  • Data type: String (XML file)
  • Custom XML: import your VPN profile XML file created in step 11.


16. Assign the configuration profile to a user group and wait until the profile is deployed.
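While waiting for the assignment, the following added example (not from the original post) can be run on an enrolled endpoint, as the targeted user, to confirm that the VPNv2 profile arrived and to surface the CSP error when it did not. It assumes the OMA-URI node name Contoso-AO-VPN from step 15; pass your own with -ProfileName.

```powershell
<#
Added example, not from the original post. Run as the user the profile is
assigned to, because ./User/... in the OMA-URI makes it a per-user profile.
#>
param([string] $ProfileName = 'Contoso-AO-VPN')   # node name from the OMA-URI, assumption

# 1. Once the VPNv2 CSP has accepted the ProfileXML, the profile is listed as a VPN
#    connection of the signed-in user.
$conn = Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue
if ($conn) {
    "[OK] '$ProfileName' is present: status $($conn.ConnectionStatus), server $($conn.ServerAddress)"
} else {
    "[MISSING] '$ProfileName' is not a VPN connection for $env:USERNAME yet"
}

# 2. The MDM client logs every CSP write it rejects. A ProfileXML the VPNv2 CSP cannot
#    parse (unknown element, wrong nesting, bad escaping) shows up here as an error.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$cspErrors = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match 'VPNv2' }
if ($cspErrors) {
    "[ERROR] $(@($cspErrors).Count) VPNv2 CSP error(s) in the last 24 h:"
    $cspErrors | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } | Format-Table -Wrap
} else {
    "[OK] no VPNv2 CSP errors logged in the last 24 h"
}

# 3. Trigger an MDM sync instead of waiting for the next check-in. The task is the one the
#    enrollment client creates on Windows 10/11; nothing happens if it is absent.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and $_.TaskName -like 'Schedule #3*' } |
    Start-ScheduledTask
```

If step 1 reports the profile missing and step 2 shows no error, the policy has simply not been delivered yet; check the assignment in Intune (Devices -> Configuration profiles -> your profile -> Device status) after the forced sync.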

Endpoint user experience

Once the Azure VPN Client and the VPN profile have been deployed to the endpoints, users need to complete the following steps.

17. Authentication with Azure AD (identity provider) is required. Click continue.

Azure VPN Client

18. The VPN connection will now show disconnected. Click Connect.

Azure VPN Client

19. Select the currently logged-on user account and accept the MFA request (when CA/MFA is configured). If you don't get an MFA prompt, have a look into this article. I recommend MFA for this kind of connection/app.

Accept MFA

20. If everything went OK, the connection is established and stays connected. Keep in mind that the VPN connection will disconnect immediately if your current DNS suffix matches the <TrustedNetworkDetection> value in your VPN profile. Because of this, you should test the Azure VPN connection via 4G/5G or from a remote location.
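To predict that disconnect before testing, here is an added example (not from the original post) that compares the connection-specific DNS suffixes of the client's active adapters with the <TrustedNetworkDetection> value. The default suffix is the contoso.local placeholder from step 11; looking only at physical adapters is this example's choice, so that an already established VPN adapter cannot count as the trusted network.

```powershell
<#
Added example, not from the original post. -TrustedSuffixes is the comma-separated
value you put into <TrustedNetworkDetection> in step 11 (assumption: contoso.local).
#>
param([string] $TrustedSuffixes = 'contoso.local')

$trusted = $TrustedSuffixes -split ',' | ForEach-Object { $_.Trim().TrimEnd('.') } | Where-Object { $_ }

# Connection-specific DNS suffixes (normally from DHCP) of the physical adapters that are up.
$seen = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' |
        ForEach-Object { Get-DnsClient -InterfaceIndex $_.ifIndex } |
        ForEach-Object { $_.ConnectionSpecificSuffix } |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('.') } | Sort-Object -Unique

"Trusted suffixes from the profile: $($trusted -join ', ')"
"Suffixes on active physical adapters: $(if ($seen) { $seen -join ', ' } else { '(none)' })"

# Windows compares the suffixes case-insensitively, and so does -contains.
$hits = @(foreach ($s in $seen) { if ($trusted -contains $s) { $s } })
if ($hits.Count -gt 0) {
    "[TRUSTED] '$($hits -join ', ')' matches <TrustedNetworkDetection>: the client treats this network as internal and will not keep the tunnel up. Test from 4G/5G or another external network."
} else {
    "[EXTERNAL] no match: the client will bring the tunnel up on this network."
}
```

A Wi-Fi network at home that happens to hand out the same suffix as the office (a common setup for lab domains such as contoso.local) produces exactly the same "immediate disconnect", which is worth remembering when a single user reports that Always On never connects.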

Azure VPN Client

Connection monitoring

Once your endpoints are connected to the Azure VPN Gateway, their current sessions and assigned client IP addresses are listed in the Point-to-site sessions view of the gateway, which is the quickest way to confirm that a given user is actually on the tunnel.

Connection monitoring