VPN - point-to-site

Overview

  • Private connection from a single device to an Azure VNet
  • Started from the connecting device
  • Useful for telecommuters, or when there are only a few users and a site-to-site VPN is not worth setting up

Protocol options

OpenVPN | an SSL/TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above).

Secure Socket Tunneling Protocol (SSTP) | a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP and support TLS 1.2 (Windows 8.1 and later).

IKEv2 VPN | a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).

Authentication options

Azure certificate | uses a client certificate installed on the connecting device to authenticate the user. The client certificate is generated from a trusted root certificate and then installed on the device. The root can come from an enterprise PKI or be a self-signed certificate. The VPN gateway validates the client certificate when the connection is established, so the root certificate must be present on the VPN gateway.
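
The certificate flow above, as an added example that is not part of the original notes: a throwaway PKI built with openssl in which a self-signed root issues a client certificate, and the gateway-side check is reproduced with openssl verify against that root. The names P2SRootCert, P2SChildCert, OtherRoot and StrayClient are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): a throwaway PKI that mirrors the
# Azure certificate authentication flow with openssl. Names such as
# P2SRootCert and P2SChildCert are constructed placeholders.
set -eu
WORKDIR="$(mktemp -d)"

# Self-signed root: the certificate whose public data is uploaded to the
# VPN gateway. A minimal config avoids depending on the system openssl.cnf.
make_root() {  # $1 = root name
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n[dn]\nCN=%s\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' "$1" > "$WORKDIR/$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORKDIR/$1.cnf" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" 2>/dev/null
}

# Client certificate issued from a root: this, plus its private key, is what
# gets installed on the connecting device.
make_client() {  # $1 = issuing root name, $2 = client name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$2.csr" -CA "$WORKDIR/$1.pem" \
    -CAkey "$WORKDIR/$1.key" -CAcreateserial -days 365 \
    -out "$WORKDIR/$2.pem" 2>/dev/null
}

# The gateway's check at connect time: does the presented client certificate
# chain to a root it holds? Returns 0 if yes, non-zero otherwise.
gateway_validates() {  # $1 = root trusted by the gateway, $2 = client name
  openssl verify -CAfile "$WORKDIR/$1.pem" "$WORKDIR/$2.pem" >/dev/null 2>&1
}

# Root public data in the form the Azure portal accepts: the Base64 body
# without the BEGIN/END lines, on a single line.
root_public_data() {  # $1 = root name
  sed '/^-----/d' "$WORKDIR/$1.pem" | tr -d '\n'
}

make_root P2SRootCert
make_client P2SRootCert P2SChildCert
make_root OtherRoot              # a root the gateway was never given
make_client OtherRoot StrayClient

gateway_validates P2SRootCert P2SChildCert && echo "P2SChildCert: accepted"
gateway_validates P2SRootCert StrayClient || echo "StrayClient: rejected, its root is not on the gateway"
printf 'root public data: %.40s...\n' "$(root_public_data P2SRootCert)"
```

The second client is rejected even though it is a perfectly valid certificate, which is the point of the gateway check: only roots you have placed on the gateway can vouch for a device.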

Azure Active Directory user | uses a user identity in Azure Active Directory. Native Azure AD authentication is only supported by OpenVPN on Windows 10/11 and requires the Azure VPN client. Using it adds the option of Azure AD Conditional Access and MFA.

Active Directory user | lets users authenticate with their traditional Active Directory credentials. It requires a new or existing RADIUS service integrated with the domain; the RADIUS service can be on-prem or in Azure. During the connection the VPN gateway acts as a pass-through and forwards authentication messages between the connecting device and the RADIUS server, so the RADIUS server and the VPN gateway must be able to communicate. For simplicity, locate the RADIUS server in Azure; otherwise you'll need a site-to-site VPN so the RADIUS server can reach the VPN gateway. The RADIUS server can also use AD CS (Active Directory Certificate Services), allowing corporate certificates to be used via RADIUS rather than the VPN gateway. Lastly, the RADIUS server can integrate with external IdP systems, so you could add MFA.

Last modified July 21, 2024: update (e2ae86c)