Azure VPN Point to Site with RADIUS, NPS, Azure AD Multi Factor Authentication MFA Extension

Captions
Hello everybody, hope everybody is doing okay. This video explains how to set up and configure a point-to-site VPN gateway connection within Azure, with RADIUS and multi-factor authentication, allowing a secure IPsec tunnel to be created from client devices to an Azure virtual network. This is a great solution for users who need to connect to an Azure network from home or outside the office over an internet connection. As you can see from the diagram, the user has a Windows 10 device and is able to log in to the VPN using Active Directory credentials that are also synced to Azure AD. The Azure AD Multi-Factor NPS extension is also installed, so the user is required to log in with an AD username and password together with an additional form of verification, such as entering a code from their phone or approving the login via the Microsoft Authenticator app. Once logged in and authenticated via password and MFA, the user can then access the virtual network in Azure, which in this case contains a Windows Server file share, and the user can work remotely outside the office. So let's take a look at how to set all this up in the portal, on the servers and on the Windows 10 device. But before we do, please subscribe to the channel to be notified of future videos released weekly. The next video will cover replacing an ageing traditional Windows file server with Azure file share storage. Azure Files offers fully managed NTFS file shares in the cloud that are accessible via the SMB protocol; we can use geo-redundancy in Azure Files to replicate our file share data across regions for resiliency and disaster recovery. We will use the VPN configured here in the next video to access a private endpoint published for Azure Files, so click that subscribe button to stay up to date. Okay, let's get started.

This video will cover: virtual network IP configuration ready for the VPN gateway; installing Network Policy Server; the VPN policies for RADIUS in NPS; logging in NPS; testing VPN connectivity from a Windows 10 device without MFA; installing the Azure MFA extension for NPS; configuring a user account for multi-factor; a look at MFA conditional access policies; testing VPN connectivity from a Windows 10 device with MFA; and then MFA logging.

Let's look at our virtual network configuration. We have a single vnet in the Azure UK South region, with the domain controller, file shares and NPS on a single server provisioned within that vnet. This is for testing the VPN only and to prove the concept in this video, so I'd recommend you always review your own environment and design your servers, networks and storage with resiliency and redundancy in place to meet your requirements. We have one front-end subnet for our servers. We will add a gateway subnet here, which is required for the virtual network gateway. The gateway subnet contains the IP addresses that the virtual network gateway services will use, so you need to create a gateway subnet for your vnet in order to configure a virtual network gateway. All gateway subnets must use the name GatewaySubnet to work properly; it's not currently supported to name your gateway subnet something else, and you don't deploy VMs or anything else to this subnet. When you create the gateway subnet you specify the number of IP addresses that the subnet contains; the IP addresses in the gateway subnet are allocated to the gateway service. While you can create a gateway subnet as small as a /29 network, it's recommended by Microsoft that you create a gateway subnet of /27 or larger to meet future requirements, so take a look at the requirements for the configuration that you want to create and verify that the gateway subnet you have will meet those requirements. In this test scenario we will create the gateway subnet with a /28 subnet, leave everything else as default and then click Save.

Now we can create our virtual network gateway within the gateway subnet. We choose our name; in this case we will choose a route-based VPN. We have options of different gateway SKUs and we will choose VpnGw1 here for this test; your choice of SKU or gateway will provide different tunnel connection and throughput options based upon your requirements. There's a link below in the description which shows the different options available for you to view. Next we select our virtual network and, as you can see, this automatically picks up the gateway subnet within this vnet that we created earlier. We create a new public IP address and then leave the rest as default for this test, click Next and then Review and create. Next we will configure the point-to-site configuration within the created VPN gateway. We enter the address pool we want to assign to our client devices, choose our tunnel type, and then, as we will be using RADIUS authentication for this video, we enter our RADIUS server IP address, which we will build in the next NPS section, together with our shared secret password that we will also assign to our RADIUS NPS server once built. If we had two RADIUS servers for resiliency we could add a second IP and secret here.

Now let's run Server Manager, run the Add Roles and Features wizard, and install our Network Policy Server by selecting the defaults, ticking Network Policy and Access Services, clicking Add Features, Next, Next and then Install. Once that's complete, in the next section we will create a VPN policy for RADIUS.

We now open the NPS server to configure the VPN policy for RADIUS. We go to Network Policies and New, type a policy name and then choose Remote Access Server (VPN-Dial up) for the type of network access server. We will limit the VPN connection to users that are members of a group called Azure VPN, so our users need to be a member of this group to connect across the VPN. Grant access and then choose an EAP type of MS-CHAP v2. We will leave the constraints as default here; you can configure timeouts etc. Review the options selected and finish. We now create a RADIUS client to point to our VPN gateway that we created earlier in the gateway subnet, in this case being 10.0.255.240/28, so the fourth IP is 10.0.255.245. Now enter the shared secret we created on our Azure virtual network gateway earlier and click OK. It's also handy to enable logging in NPS, so click Accounting, log to a text file and choose a separate path to log all your VPN connectivity for any troubleshooting required.

With that configuration done we are now in a position to test the VPN from a Windows 10 client, without MFA applied at this stage. In the portal we can download the VPN client from this location and click Save. Once we're ready, we can install the VPN client on our Windows 10 device. Once installed we can see our VPN created, named after our UKS vnet. If we double-click this and connect, we enter the AD user that's a member of the VPN group we added earlier, type the password, and now we can see from ipconfig that we have a connection established to the Azure vnet with the client IP. We can ping our file server and browse the shares in the Azure vnet to confirm connectivity.

Now we can install the MFA extension for NPS to enable us to use Azure Multi-Factor Authentication, or MFA for short. Links will be in the description for the NPS extension. Let's download it and run the installer, then open PowerShell as an administrator and switch to the install directory. Now let's run the PowerShell script in that directory as shown: type A to install all, and sign in as administrator. Now copy your tenant ID from Azure Active Directory; once pasted in, this will automatically create your client certificate and install the NPS extension. The certificate is installed as shown, but please be aware this expires after two years, so note the expiry date and set a reminder to renew before expiry.

Now we go to aka.ms/mfasetup to show the process of configuring MFA for this user. Log in with the username and password and click Next. As you can see, we have our phone on the right where we have downloaded the Authenticator application. We click Next on the main screen; on the phone we then add a work or school account and choose Scan QR code. The QR code then appears on the main screen to scan with our phone. On our phone on the right we then scan the code, hit Approve for the verification, and also enter our phone number to verify via a code.

Now we can create an MFA conditional access policy to apply to our VPN group of users. We name the policy and select our Azure VPN group. Our condition for this policy is to apply to any device. You can select other options here based on location, particular cloud apps or the Azure portal; we did not configure these, as we just want to apply MFA for the VPN only for this test. You would need to configure and review your MFA conditional access policy based upon your own security requirements, for example applications, location, devices, operating system and special requirements; every customer is different based upon their own configuration. When we enable the policy and click Create we get an error, as security defaults are in place. If we go to Properties of the directory and Manage security defaults we can turn this off to enable our policy. Again, you also need to review what other MFA policies you require based upon your configuration. We're only enabling MFA here for the test VPN users group, for any device, for this demo, so your requirements might fall outside of this and you would need to think about applying other MFA policies for any other requirements in your environment. Now we can click Create.

So we have our users assigned to our Azure VPN group, which allows access over the VPN via RADIUS and NPS, and now also MFA conditional access. What happens when we have a user not yet manually configured for MFA via the aka.ms/mfasetup page shown earlier? Well, let's see: our new user vpn01@cloudinspired.com has been synced from our on-premises Active Directory to Azure AD, and we attempt the login. By the way, if you're wondering how to sync users, you need Azure AD Connect, which is covered in another video on my channel; links are below in the description. So let's try the login. We get an error: the connection was prevented because of a policy. This is because the user vpn01 is not configured for MFA at the moment, so we need to do this first before we can log in. I configured MFA for the CI Admin user earlier, so we will skip the full process here. Now MFA is configured for the user vpn01, so let's try the login again. We type our domain password, and you can see the phone on the right has now been triggered for MFA via the Authenticator app and is asking for approval for the user to log in. We hit Approve on the phone and then we can log in. We can see that we are now connected to the VPN with our client IP address and can access a file share and create a file on the server in the Azure vnet. When we switch to that server in Azure we can see the file has just been created.

We can also check and view the access logs on the NPS server in Event Viewer, under Applications and Services Logs, Microsoft, AzureMfa. When we reconnect and refresh we can see that our user is accepted for MFA within the logs. So thank you very much for watching the video, please subscribe to the channel to receive updates on new videos posted weekly. All the very best, take care and see you in the next video. Bye for now.
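The NPS-server side of the procedure narrated above (registering the VPN gateway as a RADIUS client, keeping an eye on the extension certificate's two-year expiry, and reading the Azure MFA extension events) as an added PowerShell example. This is not the video's script or Microsoft's code. The RADIUS client name, the 60-day warning threshold, the certificate subject filter and the event log name are assumptions; the gateway address 10.0.255.245 is the one used in the video, and the shared secret is whatever you set on the point-to-site configuration.

```powershell
# Added example (not the video author's script). Run in an elevated PowerShell
# on the NPS server after the NPS role and the Azure MFA NPS extension are installed.

function Register-AzureVpnRadiusClient {
    param(
        [Parameter(Mandatory)] [string] $Name,          # assumed display name for the client entry
        [Parameter(Mandatory)] [string] $Address,       # private IP the VPN gateway sends RADIUS from
        [Parameter(Mandatory)] [string] $SharedSecret   # same secret entered on the P2S configuration
    )
    # CLI equivalent of "RADIUS Clients > New" in the NPS console. Skip if the
    # name already exists so the function can be re-run safely.
    $existing = netsh nps show client
    if ($existing -match "^\s*Name\s*=\s*$([regex]::Escape($Name))\s*$") {
        return "RADIUS client '$Name' already exists"
    }
    $out = netsh nps add client name="$Name" address="$Address" state="ENABLE" sharedsecret="$SharedSecret"
    if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed: $out" }
    return $out
}

function Get-NpsExtensionCertificateStatus {
    param([int] $WarnDays = 60)   # assumed reminder window before the two-year expiry
    # The extension setup script places a self-signed certificate in the machine store.
    # ASSUMPTION: it can be recognised by "Microsoft NPS Extension" in its subject;
    # adjust the filter if your certificate is labelled differently.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*Microsoft NPS Extension*' }
    foreach ($c in $certs) {
        $days = [int][math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            DaysLeft   = $days
            Status     = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'RENEW SOON' } else { 'OK' }
        }
    }
}

function Get-AzureMfaAuthorizationEvents {
    param([int] $Hours = 24, [int] $Max = 50)
    # ASSUMPTION: log name of the extension's operational authorisation channel, which
    # Event Viewer shows under Applications and Services Logs > Microsoft > AzureMfa.
    $logName = 'Microsoft-AzureMfa-AuthZ/AuthZOptCh'
    Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage (constructed values; the secret is prompted for rather than stored in the script):
$secret = Read-Host -Prompt 'RADIUS shared secret (as set on the P2S configuration)'
Register-AzureVpnRadiusClient -Name 'AzureVpnGateway' -Address '10.0.255.245' -SharedSecret $secret
Get-NpsExtensionCertificateStatus | Format-Table -AutoSize
Get-AzureMfaAuthorizationEvents | Format-Table -Wrap
```

The certificate check is the part worth scheduling: a task that runs Get-NpsExtensionCertificateStatus and alerts on RENEW SOON turns the "set a reminder" advice in the video into something that does not depend on a calendar entry. The event query gives the same accepted/rejected view as the Event Viewer path mentioned at the end of the video, but filtered to a time window so it can be pasted into a troubleshooting ticket.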
Info
Channel: Cloud Inspired
Views: 3,288
Keywords: azure, vpn, gateway, point to site, radius, nps, mfa, ad, extension, network policy server, setup, step by step, client, configuration, remote
Id: VZJLmh0ZweE
Length: 18min 41sec (1121 seconds)
Published: Wed Feb 17 2021