Remote work and Point-to-Site VPN gateways - Azure VPN Gateway (2024)


Note

This article describes how you can leverage Azure VPN Gateway, Azure, the Microsoft network, and the Azure partner ecosystem to work remotely and mitigate network issues that you are facing because of the COVID-19 crisis.

This article describes the options that are available to organizations to set up remote access for their users or to supplement their existing solutions with additional capacity during the COVID-19 epidemic.

The Azure point-to-site solution is cloud-based and can be provisioned quickly to cater for the increased demand of users to work from home. It can scale up easily and be turned off just as easily and quickly when the increased capacity isn't needed anymore.

About Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets or on-premises data centers from a remote location, such as from home or a conference. This article describes how to enable users to work remotely based on various scenarios.

The following table shows the client operating systems and the authentication options that are available to them. It would be helpful to select the authentication method based on the client OS that is already in use. For example, select OpenVPN with Certificate-based authentication if you have a mixture of client operating systems that need to connect. Also, note that point-to-site VPN is only supported on route-based VPN gateways.


Scenario 1 - Users need access to resources in Azure only

In this scenario, the remote users only need access to resources that are in Azure.


At a high level, the following steps are needed to enable users to connect to Azure resources securely:

  1. Create a virtual network gateway (if one doesn't exist).

  2. Configure point-to-site VPN on the gateway.

    • For certificate authentication, follow this link.
    • For OpenVPN, follow this link.
    • For Microsoft Entra authentication, follow this link.
    • For troubleshooting point-to-site connections, follow this link.
  3. Download and distribute the VPN client configuration.

  4. Distribute the certificates (if certificate authentication is selected) to the clients.

  5. Connect to Azure VPN.

Scenario 2 - Users need access to resources in Azure and/or on-premises resources

In this scenario, the remote users need access to resources that are in Azure and in the on-premises data center(s).


At a high level, the following steps are needed to enable users to connect to Azure resources securely:

  1. Create a virtual network gateway (if one doesn't exist).
  2. Configure point-to-site VPN on the gateway (see Scenario 1).
  3. Configure a site-to-site tunnel on the Azure virtual network gateway with BGP enabled.
  4. Configure the on-premises device to connect to Azure virtual network gateway.
  5. Download the point-to-site profile from the Azure portal and distribute it to clients.

To learn how to set up a site-to-site VPN tunnel, see this link.

FAQ for native Azure certificate authentication

How many VPN client endpoints can I have in my point-to-site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with point-to-site?

The following client operating systems are supported:

  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows Server 2019 (64-bit only)
  • Windows Server 2022 (64-bit only)
  • Windows 10
  • Windows 11
  • macOS version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Can I traverse proxies and firewalls using point-to-site capability?

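Azure supports three types of Point-to-site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open outbound TCP port 443, which SSL uses.

  • OpenVPN. OpenVPN is an SSL-based solution that can penetrate firewalls since most firewalls open outbound TCP port 443, which SSL uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50. Firewalls don't always open these ports, so there's a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.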

If I restart a client computer configured for point-to-site, will the VPN automatically reconnect?

Auto-reconnect is a function of the client being used. Windows supports auto-reconnect by configuring the Always On VPN client feature.

Does point-to-site support DDNS on the VPN clients?

DDNS is currently not supported in point-to-site VPNs.

Can I have Site-to-Site and point-to-site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We don't support point-to-site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a point-to-site client to connect to multiple virtual network gateways at the same time?

Depending on the VPN Client software used, you may be able to connect to multiple Virtual Network Gateways, provided the virtual networks being connected to don't have conflicting address spaces between them or with the network from which the client is connecting. While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.

Can I configure a point-to-site client to connect to multiple virtual networks at the same time?

Yes, point-to-site client connections to a virtual network gateway that is deployed in a VNet that is peered with other VNets may have access to other peered VNets. Point-to-site clients will be able to connect to peered VNets as long as the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features. For more information, see About point-to-site routing.

How much throughput can I expect through Site-to-Site or point-to-site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 point-to-site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for point-to-site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over OpenVPN protocol. Refer to the list of supported client operating systems.

Can I change the authentication type for a point-to-site connection?

Yes. In the portal, navigate to the VPN gateway -> Point-to-site configuration page. For Authentication type, select the authentication types that you want to use. Note that after you make a change to an authentication type, current clients may not be able to connect until a new VPN client configuration profile has been generated, downloaded, and applied to each VPN client.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2 in certain OS versions, you must install updates and set a registry key value locally. OS versions prior to Windows 10 aren't supported and can only use SSTP or OpenVPN® Protocol.

Note

Windows OS builds newer than Windows 10 Version 1709 and Windows Server 2016 Version 1607 do not require these steps.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update based on your OS version:

    OS version                                      Date                Number/Link
    Windows Server 2016, Windows 10 Version 1607    January 17, 2018    KB4057142
    Windows 10 Version 1703                         January 17, 2018    KB4057144
    Windows 10 Version 1709                         March 22, 2018      KB4089848

  2. Set the registry key value. Create or set “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

What is the IKEv2 traffic selector limit for point-to-site connections?

Windows 10 version 2004 (released September 2021) increased the traffic selector limit to 255. Versions of Windows earlier than this have a traffic selector limit of 25.

The traffic selectors limit in Windows determines the maximum number of address spaces in your virtual network and the maximum sum of your local networks, VNet-to-VNet connections, and peered VNets connected to the gateway. Windows based point-to-site clients will fail to connect via IKEv2 if they surpass this limit.

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection isn't successful. MacOSX will only connect via IKEv2.

When you have both SSTP and IKEv2 enabled on the Gateway, the point-to-site address pool will be statically split between the two, so clients using different protocols will be assigned IP addresses from either sub-range. Note that the maximum number of SSTP clients is always 128, even if the address range is larger than /24, which leaves a larger number of addresses available for IKEv2 clients. For smaller ranges, the pool will be equally halved. Traffic Selectors used by the gateway may not include the point-to-site address range CIDR, but instead the two sub-range CIDRs.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac, and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, if the gateway SKU that you're using supports RADIUS and/or IKEv2, you can enable these features on gateways that you've already deployed by using PowerShell or the Azure portal. The Basic SKU doesn't support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following commands:

Azure PowerShell

$gw = Get-AzVirtualNetworkGateway -Name <gateway-name> -ResourceGroupName <resource-group-name>
$gw.VPNClientConfiguration = $null
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group <resource-group name> --remove "vpnClientConfiguration"

What should I do if I'm getting a certificate mismatch when connecting using certificate authentication?

Uncheck "Verify the server's identity by validating the certificate", or add the server FQDN along with the certificate when creating a profile manually. You can do this by running rasphone from a command prompt and picking the profile from the drop-down list.

Bypassing server identity validation isn't recommended in general, but with Azure certificate authentication, the same certificate is being used for server validation in the VPN tunneling protocol (IKEv2/SSTP) and the EAP protocol. Since the server certificate and FQDN are already validated by the VPN tunneling protocol, it's redundant to validate the same again in EAP.


Can I use my own internal PKI root CA to generate certificates for Point-to-Site connectivity?

Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.

Can I use certificates from Azure Key Vault?

No.

What tools can I use to create certificates?

You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.

Are there instructions for certificate settings and parameters?

  • Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

  • Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: See the MakeCert article for steps.

  • OpenSSL:

    • When exporting certificates, be sure to convert the root certificate to Base64.

    • For the client certificate:

      • When creating the private key, specify the length as 4096.
      • When creating the certificate, for the -extensions parameter, specify usr_cert.
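
The OpenSSL settings listed above, worked through end to end as an added example (it is not part of the original article or of Microsoft's tooling). The subject names, validity periods, file names and the contents of the extension sections are assumptions; the 4096-bit client key, the usr_cert section name and the Base64 export of the root certificate come from the list.

```shell
#!/bin/sh
# Added example: root and client certificates for P2S certificate authentication.
# Assumed (not from the article): CN values, validity periods, file names and the
# extension contents. From the article: 4096-bit client key, -extensions usr_cert,
# root certificate converted to Base64.
set -eu

# Private OpenSSL config so the result does not depend on the system openssl.cnf.
write_config() {
  cat > "$1/p2s.cnf" <<'EOF'
[ req ]
distinguished_name = dn

[ dn ]
commonName = Common Name

[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root CA. umask 077 keeps the private key readable by the owner only.
make_root_ca() (
  umask 077
  cd "$1"
  openssl genrsa -out rootKey.pem 4096 2>/dev/null
  openssl req -new -x509 -key rootKey.pem -sha256 -days 3650 \
    -subj "/CN=P2SRootCert" -config p2s.cnf -extensions root_ca -out rootCert.pem
)

# Client certificate: 4096-bit key, signed by the root with the usr_cert extensions.
make_client_cert() (
  umask 077
  cd "$1"
  openssl genrsa -out clientKey.pem 4096 2>/dev/null
  openssl req -new -key clientKey.pem -subj "/CN=P2SClientCert" \
    -config p2s.cnf -out clientReq.pem
  openssl x509 -req -in clientReq.pem -CA rootCert.pem -CAkey rootKey.pem \
    -CAcreateserial -sha256 -days 365 \
    -extfile p2s.cnf -extensions usr_cert -out clientCert.pem 2>/dev/null
)

# Root certificate as one line of Base64 (DER body, no PEM header or footer).
root_cert_base64() {
  openssl x509 -in "$1/rootCert.pem" -outform der | openssl base64 -A
}

# Key length of the client private key, read back from the key file.
client_key_bits() {
  openssl rsa -in "$1/clientKey.pem" -noout -text 2>/dev/null |
    sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p'
}

# The client certificate must chain to the root and be usable for client authentication.
chain_is_valid() {
  openssl verify -purpose sslclient -CAfile "$1/rootCert.pem" \
    "$1/clientCert.pem" >/dev/null 2>&1
}

# Private keys stay in OUT_DIR: move them to protected storage or delete the directory.
OUT_DIR=$(mktemp -d)
write_config "$OUT_DIR"
make_root_ca "$OUT_DIR"
make_client_cert "$OUT_DIR"
chain_is_valid "$OUT_DIR" || { echo "chain verification failed" >&2; exit 1; }
echo "client key bits: $(client_key_bits "$OUT_DIR")"
echo "root certificate data (Base64) to upload to the gateway:"
root_cert_base64 "$OUT_DIR"
echo
```

Only the root certificate's public data goes to the gateway; rootKey.pem and clientKey.pem never leave the machines that own them.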

FAQ for RADIUS authentication

How many VPN client endpoints can I have in my point-to-site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with point-to-site?

The following client operating systems are supported:

  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows Server 2019 (64-bit only)
  • Windows Server 2022 (64-bit only)
  • Windows 10
  • Windows 11
  • macOS version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Can I traverse proxies and firewalls using point-to-site capability?

Azure supports three types of Point-to-site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open outbound TCP port 443, which SSL uses.

  • OpenVPN. OpenVPN is an SSL-based solution that can penetrate firewalls since most firewalls open outbound TCP port 443, which SSL uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50. Firewalls don't always open these ports, so there's a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for point-to-site, will the VPN automatically reconnect?

Auto-reconnect is a function of the client being used. Windows supports auto-reconnect by configuring the Always On VPN client feature.

Does point-to-site support DDNS on the VPN clients?

DDNS is currently not supported in point-to-site VPNs.

Can I have Site-to-Site and point-to-site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We don't support point-to-site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a point-to-site client to connect to multiple virtual network gateways at the same time?

Depending on the VPN Client software used, you may be able to connect to multiple Virtual Network Gateways, provided the virtual networks being connected to don't have conflicting address spaces between them or with the network from which the client is connecting. While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.

Can I configure a point-to-site client to connect to multiple virtual networks at the same time?

Yes, point-to-site client connections to a virtual network gateway that is deployed in a VNet that is peered with other VNets may have access to other peered VNets. Point-to-site clients will be able to connect to peered VNets as long as the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features. For more information, see About point-to-site routing.

How much throughput can I expect through Site-to-Site or point-to-site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 point-to-site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for point-to-site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over OpenVPN protocol. Refer to the list of supported client operating systems.

Can I change the authentication type for a point-to-site connection?

Yes. In the portal, navigate to the VPN gateway -> Point-to-site configuration page. For Authentication type, select the authentication types that you want to use. Note that after you make a change to an authentication type, current clients may not be able to connect until a new VPN client configuration profile has been generated, downloaded, and applied to each VPN client.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2 in certain OS versions, you must install updates and set a registry key value locally. OS versions prior to Windows 10 aren't supported and can only use SSTP or OpenVPN® Protocol.

Note

Windows OS builds newer than Windows 10 Version 1709 and Windows Server 2016 Version 1607 do not require these steps.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update based on your OS version:

    OS version                                      Date                Number/Link
    Windows Server 2016, Windows 10 Version 1607    January 17, 2018    KB4057142
    Windows 10 Version 1703                         January 17, 2018    KB4057144
    Windows 10 Version 1709                         March 22, 2018      KB4089848

  2. Set the registry key value. Create or set “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

What is the IKEv2 traffic selector limit for point-to-site connections?

Windows 10 version 2004 (released September 2021) increased the traffic selector limit to 255. Versions of Windows earlier than this have a traffic selector limit of 25.

The traffic selectors limit in Windows determines the maximum number of address spaces in your virtual network and the maximum sum of your local networks, VNet-to-VNet connections, and peered VNets connected to the gateway. Windows based point-to-site clients will fail to connect via IKEv2 if they surpass this limit.

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection isn't successful. MacOSX will only connect via IKEv2.

When you have both SSTP and IKEv2 enabled on the Gateway, the point-to-site address pool will be statically split between the two, so clients using different protocols will be assigned IP addresses from either sub-range. Note that the maximum number of SSTP clients is always 128, even if the address range is larger than /24, which leaves a larger number of addresses available for IKEv2 clients. For smaller ranges, the pool will be equally halved. Traffic Selectors used by the gateway may not include the point-to-site address range CIDR, but instead the two sub-range CIDRs.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac, and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, if the gateway SKU that you're using supports RADIUS and/or IKEv2, you can enable these features on gateways that you've already deployed by using PowerShell or the Azure portal. The Basic SKU doesn't support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following commands:

Azure PowerShell

$gw = Get-AzVirtualNetworkGateway -Name <gateway-name> -ResourceGroupName <resource-group-name>
$gw.VPNClientConfiguration = $null
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

Azure CLI

az network vnet-gateway update --name <gateway-name> --resource-group <resource-group name> --remove "vpnClientConfiguration"

Is RADIUS authentication supported on all Azure VPN Gateway SKUs?

RADIUS authentication is supported for all SKUs except the Basic SKU.

For legacy SKUs, RADIUS authentication is supported on Standard and High Performance SKUs. It isn't supported on the Basic Gateway SKU.

Is RADIUS authentication supported for the classic deployment model?

No. RADIUS authentication isn't supported for the classic deployment model.

What is the timeout period for RADIUS requests sent to the RADIUS server?

RADIUS requests are set to time out after 30 seconds. User-defined timeout values aren't supported today.

Are 3rd-party RADIUS servers supported?

Yes, 3rd-party RADIUS servers are supported.

What are the connectivity requirements to ensure that the Azure gateway is able to reach an on-premises RADIUS server?

A site-to-site VPN connection to the on-premises site, with the proper routes configured, is required.

Can traffic to an on-premises RADIUS server (from the Azure VPN gateway) be routed over an ExpressRoute connection?

No. It can only be routed over a site-to-site connection.

Is there a change in the number of SSTP connections supported with RADIUS authentication? What is the maximum number of SSTP and IKEv2 connections supported?

There's no change in the maximum number of SSTP connections supported on a gateway with RADIUS authentication. It remains 128 for SSTP, but depends on the gateway SKU for IKEv2. For more information on the number of connections supported, see Gateway SKUs.

What is the difference between doing certificate authentication using a RADIUS server vs. using Azure native certificate authentication (by uploading a trusted certificate to Azure)?

In RADIUS certificate authentication, the authentication request is forwarded to a RADIUS server that handles the actual certificate validation. This option is useful if you want to integrate with a certificate authentication infrastructure that you already have through RADIUS.

When using Azure for certificate authentication, the Azure VPN gateway performs the validation of the certificate. You need to upload your certificate public key to the gateway. You can also specify a list of revoked certificates that shouldn’t be allowed to connect.

Does Radius authentication support Network Policy Server (NPS) integration for multifactor authorization (MFA)?

If your MFA is text based (SMS, mobile app verification code, etc.) and requires the user to enter a code or text in the VPN client UI, the authentication won't succeed and isn't a supported scenario. See Integrate Azure VPN gateway RADIUS authentication with NPS server for multifactor authentication.

Does RADIUS authentication work with both IKEv2, and SSTP VPN?

Yes, RADIUS authentication is supported for both IKEv2, and SSTP VPN.

Does RADIUS authentication work with the OpenVPN client?

RADIUS authentication is supported for the OpenVPN protocol.

Next Steps

  • Configure a P2S connection - Microsoft Entra authentication

  • Configure a P2S connection - RADIUS authentication

  • Configure a P2S connection - Azure native certificate authentication

"OpenVPN" is a trademark of OpenVPN Inc.


FAQs

What is the difference between site-to-site VPN and point-to-site VPN in Azure?

Unlike site-to-site connections, point-to-site connections don't require an on-premises public-facing IP address or a VPN device. Point-to-site connections can be used with site-to-site connections through the same VPN gateway, as long as all the configuration requirements for both connections are compatible.

What is the difference between site-to-site VPN and VPN gateway?

The main difference between a remote access VPN and a site-to-site VPN is how the systems are set up. The former involves a client/server model, while the latter connects two internet gateways and does not require users to install software.

How does an Azure VPN gateway work?

Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

What is the difference between VPN gateway and application gateway in Azure?

Application Gateway is a Layer 7 load balancing service with advanced features like SSL termination. It's used to route client requests to your applications. Virtual Network Gateway is a VPN gateway for point-to-site (user) and site-to-site (office/datacenter) VPN connections to your own Azure VNETs.

What is the difference between site to site VPN and remote VPN?

In short, site to site VPN connects two offices (where office can either be a branch office or the HQ) while a remote access VPN connects a single user to an office.

Is site to site VPN the same as point to point VPN?

Site-to-Site VPN vs. Point-to-Point VPN: What's the difference? Site-to-site VPNs connect several LANs securely, whereas Point-to-point (PTP) is a traditional VPN protocol that connects particular devices. Unlike Site-to-Site, PTP is considered a legacy VPN technology that is less secure than modern VPN solutions.

Is Azure VPN gateway or virtual network gateway?

A VPN gateway is a specific type of virtual network gateway that is used to send traffic between an Azure virtual network and an on-premises location over the public internet. You can also use a VPN gateway to send traffic between Azure virtual networks. Each virtual network can have at most one VPN gateway.

What is the difference between Azure VPN gateway and virtual WAN?

How is Virtual WAN different from an Azure virtual network gateway? A virtual network gateway VPN is limited to 100 tunnels. For connections, you should use Virtual WAN for large-scale VPN. You can connect up to 1,000 branch connections per virtual hub with aggregate of 20 Gbps per hub.

What is the difference between Azure VPN gateway and ExpressRoute?

Azure ExpressRoute establishes a dedicated, private connection between your on-premises infrastructure and Azure, whereas Azure VPN Gateway establishes a virtual private network (VPN) between your on-premises infrastructure and Azure using a public internet connection.

How many VPN gateways can you have in a VNet?

A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway. But the limit for Azure VPN gateway in a Vnet remains the same - only one.

How long does it take for Azure VPN gateway to deploy?

If the Azure VPN Gateway is deployed it is "running" 24 hours / 7days. The only option is to create/delete the VPN Gateway automatically with a script. But deploying a new VPN Gateway needs about 30-45 minutes for deployment.

What is the difference between VNet peering and VPN gateway in Azure?

VPN gateways are used in an encrypted connection in the region but VNet Peering provides connection sharing in different regions.

What is the difference between P2P and S2S?

Unlike traditional P2P setups, the S2S model allows users to provide their own liquidity without the need for direct interaction with other users or external liquidity providers.

What is the difference between site-to-site and express route?

ExpressRoute is a service provided by Azure that allows users to create private connections between on-premises networks and Azure. Unlike site-to-site VPNs, which use the internet to connect networks, ExpressRoute uses dedicated connections, such as leased lines or MPLS, to connect on-premises networks to Azure.

How do I use Azure point-to-site VPN?

Azure Point-to-Site VPN Setup
  1. Create a root certificate. ...
  2. Create a client certificate. ...
  3. Export the public key portion of the root certificate. ...
  4. Export the client certificate (optional). ...
  5. Configure the virtual network gateway. ...
  6. Download and execute the VPN client package. ...
  7. Set up the VPN connection.
Nov 14, 2022

Article information

Author: Nathanial Hackett
