
Friday 25 December 2015

Setup Windows Server 2012 as SSTP vpn server

Server Role
1. Click on Server Manager -> Manage -> "Add Roles and Features"
2. Add "Remote Access", include VPN and Routing (needed for NAT) role services and restart
3. Click on Server Manager -> Notifications -> "Open the Getting Started Wizard"
4. Select "Deploy VPN only"

---------- Server Certificate
1. Open an elevated CMD prompt
2. Use SelfSSL (from the IIS 6.0 Resource Kit; choose a custom install and select only this component) to generate an SSL certificate for SSTP:
selfssl.exe /N:cn=<...>.cloudapp.net /V:3650
(3650 == 10 years, "<...>.cloudapp.net" represents the fully-qualified domain name, FQDN)
3. Confirm prompt with "y", ignore metabase error (if it appears)
4. Run mmc.exe, add snap-in for Certificates -> Computer account
5. Click on Personal -> Certificates
6. Right-click on the <...>.cloudapp.net certificate, then on All Tasks -> Export, include private keys and protect with password

---------- Server RRAS
1. Run Routing and Remote Access (RRAS) tool
2. Right-click on the server and then on "Configure and Enable RRAS"
3. Choose "Custom configuration", select "VPN access" and NAT
4. Right-click on the server and then on Properties -> Security
5. Select the <...>.cloudapp.net certificate
6. Click on the IPv4 tab
7. Enter a "Static address pool" for the number of clients, e.g.: 192.168.1.1 - 192.168.1.20 (otherwise the connection will fail with error 720), then close the dialog
8. Don't enter a range that is too short. The OS keeps a lock on a used IP address for a while, so reconnecting often or from multiple devices may use up the pool and the connection will fail with error 0x8007274C
9. Expand the IPv4 node, then right-click on NAT, then on "New Interface", select the external interface (e.g. "Ethernet 2")
10. Click on "Public interface connected to the Internet" and check "Enable NAT on this interface"

---------- Server User
1. Open "Computer Management" console
2. Click on "Local Users and Groups", then on Users, double click on your account
3. Click on Dial-in and change "Network Access Permission" to "Allow access"

---------- Client Certificate
1. Double-click the exported .pfx server certificate file and install it into the client's "Local Machine" store; if you store the certificate in the Personal store, the connection will fail with error 0x800B0109
2. Click on "Place all certificates in the following store", then on Browse
3. Select "Trusted Root Certificate Authorities"

---------- Client Connection
1. Go to Network and Sharing Center, click on "Set up a new connection or network"
2. Select "Connect to a workplace", then VPN
3. Enter <...>.cloudapp.net, name and create
4. Click on Network tray icon
5. Right-click on new VPN connection, then show properties
6. Click on Security, set VPN type to SSTP and allow only MS-CHAP v2
7. Connect using same credentials used to create the VM and for RDP
8. Test your internet connectivity
9. Use a web site that shows your external IP, it should be an IP from the Azure datacenter

---------- SSL Certificate
To avoid installing a self-signed certificate in the trusted root store (or for devices whose trusted store is locked), do the following:
1. Open the IIS Manager on the server
2. Click on the server, then on "Server Certificates"
3. Click on "Create Certificate Request" (Certificate Signing Request, CSR)
4. Enter <...>.cloudapp.net as the "Common name", fill the rest and export as text file
5. Buy an SSL certificate using the CSR (cheap SSL certificates start at around $5/year)
6. Once the SSL authority issues the certificate:
a) Install to the server's and client's "Local Machine" personal store as described above, skipping the step to copy/move it to the trusted store
b) Select the same certificate in the RRAS tool, on the Security tab
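The CSR step above can also be done from the command line with certreq.exe instead of the IIS Manager wizard. The script below is an added example, not part of the original post; the FQDN and the C:\vpn paths are placeholders. It writes a certreq INF file for a 2048-bit RSA machine key with the Server Authentication EKU (the usage SSTP needs), includes a Subject Alternative Name because public CAs match on the SAN rather than the common name, generates the CSR text to paste into the CA's order form, and shows how the issued certificate is bound back to the pending key so it appears in the Local Machine personal store for RRAS.

```powershell
# Added example: request a CA-issued SSL certificate for the VPN FQDN with certreq.exe.
# Placeholders: $Fqdn and the C:\vpn working directory.
$Fqdn = "myvm.cloudapp.net"
$Work = "C:\vpn"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq INF. MachineKeySet = TRUE puts the key in the computer store so RRAS (a
# service) can use it; Exportable = TRUE allows the later PFX export; KeyUsage
# 0xA0 = digitalSignature + keyEncipherment; the EKU OID is Server Authentication.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path "$Work\request.inf" -Encoding Ascii

# Generate the CSR (Base64 text file, the "export as text file" step of the page).
certreq.exe -new "$Work\request.inf" "$Work\request.csr"
Get-Content "$Work\request.csr"

# After the CA returns the issued certificate (save it as issued.cer, and install
# any intermediate CA certificates it ships), bind it to the pending key:
#   certreq.exe -accept "$Work\issued.cer"

# Verify before selecting it in RRAS -> Properties -> Security: the entry must
# have a private key and the Server Authentication EKU.
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.Subject -eq "CN=$Fqdn" } |
  Select-Object Subject, NotAfter, HasPrivateKey,
    @{ n = 'EKU'; e = { ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', ' } }
```

The same file can be reused to renew: rerun certreq -new with the INF, submit the new CSR, accept the new certificate and reselect it in RRAS. Clients with a CA-issued certificate need no trusted-root import at all.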

---------- L2TP over IPsec
1. On the Azure Portal, add the following endpoints:
a) L2TP UDP: 1701
b) IPsec UDP: 500
c) IKEv2 UDP: 4500
2. On the Server, open the "Windows Firewall with Advanced Security", create a rule called IKEv2 and allow inbound traffic to UDP port 4500 (otherwise the connection will fail with error 809)
3. Using the RRAS tool, right-click on the server and then on Properties -> Security
4. Check "Allow custom IPsec policy for L2TP/IKEv2 connection" and enter a preshared key
5. On the client, right-click on new VPN connection, then show properties
6. Click on Security, then on "Advanced settings", and enter the same preshared key

For help, see Troubleshooting common VPN related errors.

DISCLAIMER: This solution is provided "AS IS," without any warranty or representation of any kind. Please note that, as of June 2014, this solution is not yet officially supported by Microsoft.

from http://blogs.msdn.com/b/notime/archive/2013/06/01/how-to-configure-windows-azure-server-2012-as-an-sstp-vpn-provider.aspx
------------------------

How to Deploy SSTP and L2TP VPN in Windows Azure (Windows Server 2012)


We can use the Windows Server 2012 RRAS role to provide VPN access. Follow the steps below to implement it.

Prerequisite

Create an SSL certificate.
SSTP is a VPN tunnelled over HTTPS, so the server needs an SSL certificate. Buying one from a certificate authority is the better option; otherwise, we can create a self-signed certificate ourselves.
First, open IIS Manager and select the server (RoccosVPN) and then Server Certificates. If the window already shows a certificate issued to your VM's FQDN, export it together with its private key. Otherwise, follow the steps below to make a self-signed certificate.
Figure 1 - Server Certificate
Figure 2 - Export Certificate

Make self-certificate

  1. Open an elevated CMD prompt
  2. Use SelfSSL (IIS6 Resource Kit) to generate an SSL certificate for the SSTP:
    selfssl.exe /N:cn=RoccosVPN.cloudapp.net /V:3650
    (3650 == 10 years, "RoccosVPN.cloudapp.net" represents the fully-qualified domain name, FQDN)
  3. Confirm prompt with "y", ignore metabase error (if it appears)
  4. Run mmc.exe, add snap-in for Certificates -> Computer account
  5. Click on Personal -> Certificates
  6. Right-click on the RoccosVPN.cloudapp.net certificate, then on All Tasks -> Export, include private keys and protect with password


Step 3, Add Server Role

Click Server Manager – Add roles and features; a wizard window opens.
Figure 5 - Add Roles
In this wizard, add the Remote Access role with the DirectAccess and VPN (RAS) and Routing role services.
After installing the role and role services, the server may need to restart.

Step 4, Configure Routing and Remote Access

After restarting, open Server Manager - Notification – Open the Getting Started Wizard, and select Deploy VPN only.
Figure 6 - Getting Started Wizard
The Routing and Remote Access window now opens. Right-click the server name and click Configure and Enable Routing and Remote Access.
Figure 7 - Routing and Remote Access Configure
The Routing and Remote Access Server Setup Wizard then opens.
Figure 8 - Setup Wizard
Click Next, then choose Custom configuration. Select VPN access and NAT in Custom Configuration.
Figure 9 - Custom Configuration
After you click Finish, the Routing and Remote Access service starts.
Right-click the server, click Properties and choose the Security tab. In that tab, select the roccosvpn.cloudapp.net certificate.
Then click the IPv4 tab, select "Static address pool", enter the range from which clients obtain their IPv4 addresses, and click OK:
Expand the IPv4 node, right-click NAT and choose New Interface…
In the dialog, select the external interface. In the Network Address Translation Properties dialog, choose Public interface connected to the Internet and check Enable NAT on this interface. Click OK to save the configuration.
Figure 10 - NAT Properties

Step 5, Add VPN Users

Use the Local Users and Groups management tool to add a new user.
Open the Run dialog, enter lusrmgr.msc and click OK to open Local Users and Groups.
Click the Users folder, right-click the blank area of the middle panel and select New User. Type the user name, full name and password, and uncheck "User must change password at next logon".
After that, double-click the user and switch to the Dial-in tab. Choose Allow access under Network Access Permission.
Figure 11 - User Properties
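The server-side procedure (Server Role, Server Certificate, Server RRAS and Server User in the first write-up; Steps 3 to 5 here) can be scripted end to end in PowerShell on Windows Server 2012. The script below is an added example and not code from either MSDN post. It assumes placeholder values for the FQDN, the external adapter name (the page's "Ethernet 2"), the VPN user name and the export path; the RemoteAccess cmdlets and their parameter names are the ones that ship with the Server 2012 role, and the netsh commands for NAT and dial-in permission are assumed to be the scriptable equivalents of the GUI steps. It also adds the inbound UDP 4500 firewall rule that the L2TP steps need. Note the one difference from the page: the Server 2012 New-SelfSignedCertificate cmdlet has no validity parameter and issues a one-year certificate, which is why the page uses SelfSSL /V:3650 for ten years.

```powershell
# Added example: server-side SSTP/L2TP VPN setup on Windows Server 2012.
# Placeholders: $Fqdn, $ExternalNic, $VpnUser, the C:\vpn export directory.
$Fqdn        = "myvm.cloudapp.net"   # the <...>.cloudapp.net name of the VM
$ExternalNic = "Ethernet 2"          # adapter facing the Internet
$VpnUser     = "vpnuser"             # local account that will dial in
$PoolStart   = "192.168.1.1"         # static pool; size it generously (see error 0x8007274C)
$PoolEnd     = "192.168.1.20"
$ExportDir   = "C:\vpn"
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Server Role: Remote Access with VPN (RAS) and Routing (Routing is what provides NAT).
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Server Certificate: self-signed, in the Computer account's Personal store.
# (Server 2012 cmdlet: only -DnsName/-CertStoreLocation; one-year validity.)
$cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My

# Export the PFX (with private key) for safekeeping, and separately the public
# part only: the .cer is all a client needs in its Trusted Root store, so the
# private key never has to leave the server.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX export password"
Export-PfxCertificate -Cert $cert -FilePath "$ExportDir\$Fqdn.pfx" -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath "$ExportDir\$Fqdn.cer" | Out-Null

# Server RRAS: VPN access with a static IPv4 pool (no pool -> error 720).
# Assumed parameter: -IPAddressRange takes the start and end address.
Install-RemoteAccess -VpnType Vpn -IPAddressRange $PoolStart, $PoolEnd

# Bind the certificate SSTP presents on TCP 443 (Properties -> Security in the GUI).
Set-RemoteAccess -SslCertificate $cert

# NAT on the external interface (IPv4 -> NAT -> New Interface in the GUI).
# Assumption: netsh routing ip nat is the scriptable path; mode=full marks it
# as the public interface with translation enabled.
netsh routing ip nat install
netsh routing ip nat add interface name="$ExternalNic" mode=full

# Server User: grant dial-in permission (Computer Management -> Dial-in -> Allow access).
# Assumption: netsh ras set user is the scriptable equivalent for a local account.
netsh ras set user name="$VpnUser" dialin=permit

# L2TP/IKEv2 step: allow inbound UDP 4500 on the host firewall (otherwise error 809).
New-NetFirewallRule -DisplayName "IKEv2" -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow | Out-Null

# Check: RRAS should report the VPN as installed and show the bound certificate.
Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" } |
  Select-Object Subject, NotAfter, HasPrivateKey
```

The Azure endpoints (TCP 443 for SSTP; UDP 500, 4500 and 1701 for L2TP/IPsec) are still created in the portal as the L2TP section describes; the host firewall rule above only covers the server side. Copy the .cer, not the .pfx, to clients that must trust a self-signed certificate.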

Step 6, Client Configuration

Install the certificate exported from the server into Trusted Root Certificate Authorities.
Go to Network and Sharing Center, click on Set up a new connection or network, then select Connect to a workplace and then Use my Internet Connection (VPN).
Type RoccosVPN.cloudapp.net as the Internet address, enter your Destination name and click Create.
Click on the network tray icon, right-click the VPN connection and then click Properties.
Switch to the Security tab. Change the VPN type to Secure Socket Tunneling Protocol (SSTP).
Finally, check Microsoft CHAP Version 2 (MS-CHAP v2) and click OK.
Now connect to this VPN and type your VPN user's credentials. Have fun with your Windows Azure VPN. Enjoy!

Step 7, L2TP VPN Deployment

When deploying an L2TP VPN, first open the following UDP ports as endpoints in Windows Azure:
L2TP port: UDP 1701
IPsec port: UDP 500
IKEv2 port: UDP 4500
In addition, add exceptions for them in the Windows Server firewall.
Then open the RRAS management tool, right-click the server, select Properties and go to the Security tab.
Check "Allow custom IPsec policy for L2TP/IKEv2 connection" and enter a preshared key.
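The client side of both write-ups (Client Certificate, Client Connection and the client half of the L2TP section above; Step 6 and Step 7 here) can be done with the VpnClient cmdlets on Windows 8 and later. The script below is an added example, not code from either MSDN post; the FQDN, the connection names and the path of the copied .cer are placeholders, and the preshared key is read at run time so it never sits in the script. It imports only the server's public certificate into the Local Machine Trusted Root store (the Personal store gives error 0x800B0109), creates an SSTP connection restricted to MS-CHAP v2 with encryption required, creates an L2TP/IPsec connection with the same preshared key entered in RRAS, and then checks that the tunnel is up and that the default route goes through it, which is what the "external IP is an Azure address" test relies on.

```powershell
# Added example: client-side SSTP and L2TP/IPsec connections on Windows 8/8.1.
# Placeholders: $Fqdn, the .cer path, the connection names and the VPN user name.
$Fqdn    = "myvm.cloudapp.net"
$CerPath = "C:\vpn\$Fqdn.cer"        # public certificate copied from the server
$VpnUser = "vpnuser"

# Client Certificate: only needed for a self-signed server certificate. Import
# the public .cer (not the PFX; the client never needs the server's private key)
# into the Local Machine Trusted Root store.
if (Test-Path $CerPath) {
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Client Connection: SSTP, MS-CHAP v2 only, encryption required.
Add-VpnConnection -Name "Azure SSTP" -ServerAddress $Fqdn -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required

# L2TP over IPsec: same preshared key as "Allow custom IPsec policy" in RRAS.
# -Force acknowledges that Windows stores the PSK on the client in clear text.
$psk = Read-Host -Prompt "L2TP preshared key"
Add-VpnConnection -Name "Azure L2TP" -ServerAddress $Fqdn -TunnelType L2tp -L2tpPsk $psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# Connect with the VPN user's credentials ('*' makes rasdial prompt for the password).
rasdial "Azure SSTP" $VpnUser *

# Checks: which tunnel came up, and whether the default route now goes through it.
Get-VpnConnection | Select-Object Name, TunnelType, AuthenticationMethod, ConnectionStatus
Get-NetRoute -DestinationPrefix "0.0.0.0/0" | Select-Object InterfaceAlias, NextHop, RouteMetric
```

If the SSTP connection fails, compare the name on the server certificate with the address used in Add-VpnConnection: SSTP validates the certificate against the host name it connects to, so the two must match exactly.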


from http://blogs.msdn.com/b/lighthouse/archive/2013/07/30/how-deploy-sstp-and-l2tp-vpn-in-windows-azure-windows-server-2012.aspx
(http://edi.wang/Post/2014/3/9/setup-sstp-windows-azure)