


Introduction

This document provides a sample configuration that shows how to configure the Adaptive Security Appliance (ASA) and CallManager devices to provide certificate authentication for AnyConnect clients that run on Cisco IP Phones. After this configuration is complete, Cisco IP Phones can establish VPN connections to the ASA that make use of certificates in order to secure the communication.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • AnyConnect Premium SSL License

  • AnyConnect for Cisco VPN Phone License

Dependent upon the ASA version, you will see either 'AnyConnect for Linksys phone' for ASA Release 8.0.x or 'AnyConnect for Cisco VPN Phone' for ASA Release 8.2.x or later.

Components Used

The information in this document is based on these software and hardware versions:

  • ASA - Release 8.0(4) or later

  • IP Phone Models - 7942 / 7962 / 7945 / 7965 / 7975

  • Phones - 8961 / 9951 / 9971 with Release 9.1(1) firmware

  • Phone - Release 9.0(2)SR1S - Skinny Call Control Protocol (SCCP) or later

  • Cisco Unified Communications Manager (CUCM) - Release 8.0.1.100000-4 or later

The releases used in this configuration example include:

  • ASA - Release 9.1(1)

  • CallManager - Release 8.5.1.10000-26

For a complete list of supported phones in your CUCM version, complete these steps:

  1. Open this URL: https://<CUCM Server IP Address>:8443/cucreports/systemReports.do

  2. Choose Unified CM Phone Feature List > Generate a new report > Feature: Virtual Private Network.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Phone Certificate Types

Cisco uses these certificate types in phones:

  • Manufacturer Installed Certificate (MIC) - MICs are included on all 7941, 7961, and newer model Cisco IP phones. MICs are 2048-bit key certificates that are signed by the Cisco Certificate Authority (CA). When a MIC is present, it is not necessary to install a Locally Significant Certificate (LSC). In order for the CUCM to trust the MIC certificate, it utilizes the pre-installed CA certificates CAP-RTP-001, CAP-RTP-002, and Cisco_Manufacturing_CA in its certificate trust store.

  • LSC - The LSC secures the connection between CUCM and the phone after you configure the device security mode for authentication or encryption.

    The LSC possesses the public key for the Cisco IP phone, which is signed by the CUCM Certificate Authority Proxy Function (CAPF) private key. This is the preferred method (as opposed to the use of MICs) because only Cisco IP phones that are manually provisioned by an administrator are allowed to download and verify the CTL file.

    Note: Due to the increased security risk, Cisco recommends the use of MICs solely for LSC installation and not for continued use. Customers who configure Cisco IP phones to use MICs for Transport Layer Security (TLS) authentication or for any other purpose do so at their own risk.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Configurations

This document describes these configurations:

  • ASA Configuration

  • CallManager Configuration

  • VPN Configuration on CallManager

  • Certificate Installation on IP Phones

ASA Configuration

The configuration of the ASA is almost the same as when you connect an AnyConnect client computer to the ASA. However, these restrictions apply:

  • The tunnel-group must have a group-url. This URL will be configured in CM under the VPN Gateway URL.

  • The group policy must not contain a split tunnel.

This configuration uses a previously configured and installed ASA (self-signed or third party) certificate in the Secure Socket Layer (SSL) trustpoint of the ASA device. For more information, refer to these documents:

The relevant configuration of the ASA is:

CallManager Configuration

In order to export the certificate from the ASA and import the certificate into CallManager as a Phone-VPN-Trust certificate, complete these steps:

  1. Register the generated certificate with CUCM.

  2. Check the certificate used for SSL.

  3. Export the certificate.

    The Privacy Enhanced Mail (PEM) encoded identity certificate follows:

  4. Copy the text from the terminal and save it as a .pem file.

  5. Log in to CallManager and choose Unified OS Administration > Security > Certificate Management > Upload Certificate > Select Phone-VPN-trust in order to upload the certificate file saved in the previous step.

VPN Configuration on CallManager

  1. Navigate to Cisco Unified CM Administration.

  2. From the menu bar, choose Advanced Features > VPN > VPN Gateway.

  3. In the VPN Gateway Configuration window, complete these steps:

    1. In the VPN Gateway Name field, enter a name. This can be any name.

    2. In the VPN Gateway Description field, enter a description (optional).

    3. In the VPN Gateway URL field, enter the group-url defined on the ASA.

    4. In the VPN Certificates in this Location field, select the certificate that was uploaded to CallManager previously to move it from the truststore to this location.

  4. From the menu bar, choose Advanced Features > VPN > VPN Group.

  5. In the All Available VPN Gateways field, select the VPN Gateway previously defined. Click the down arrow in order to move the selected gateway to the Selected VPN Gateways in this VPN Group field.

  6. From the menu bar, choose Advanced Features > VPN > VPN Profile.

  7. In order to configure the VPN Profile, complete all fields that are marked with an asterisk (*).

    Enable Auto Network Detect: If enabled, the VPN phone pings the TFTP server and if no response is received, it auto-initiates a VPN connection.

    Enable Host ID Check: If enabled, the VPN phone compares the FQDN of the VPN Gateway URL against the CN/SAN of the certificate. The client fails to connect if they do not match or if a wildcard certificate with an asterisk (*) is used.

    Enable Password Persistence: This allows the VPN phone to cache the username and password for the next VPN attempt.

  8. In the Common Phone Profile Configuration window, click Apply Config in order to apply the new VPN configuration. You can use the 'Standard Common Phone Profile' or create a new profile.

  9. If you created a new profile for specific phones/users, go to the Phone Configuration window. In the Common Phone Profile field, choose Standard Common Phone Profile.

  10. Register the phone to CallManager again in order to download the new configuration.

Certificate Authentication Configuration

In order to configure certificate authentication, complete these steps in CallManager and the ASA:

  1. From the menu bar, choose Advanced Features > VPN > VPN Profile.

  2. Confirm the Client Authentication Method field is set to Certificate.

  3. Log in to CallManager. From the menu bar, choose Unified OS Administration > Security > Certificate Management > Find.

  4. Export the correct certificate(s) for the selected certificate authentication method:

    • MICs: Cisco_Manufacturing_CA - Authenticate IP Phones with a MIC

    • LSCs: Cisco Certificate Authority Proxy Function (CAPF) - Authenticate IP Phones with an LSC

  5. Find the certificate, either Cisco_Manufacturing_CA or CAPF. Download the .pem file and save it as a .txt file.

  6. Create a new trustpoint on the ASA and authenticate the trustpoint with the previously saved certificate. When you are prompted for the base-64 encoded CA certificate, select and paste the text in the downloaded .pem file along with the BEGIN and END lines. An example is shown:

  7. Confirm the authentication on the tunnel-group is set to certificate authentication.

Certificate Installation on IP Phones

The IP Phones can work with either MICs or LSCs, but the configuration process is different for each certificate.

MIC Installation

By default, all the phones that support VPN are pre-loaded with MICs. The 7960 and 7940 phones do not come with a MIC, and require a special installation procedure for the LSC to register securely.

Note: Cisco recommends that you use MICs for LSC installation only. Cisco supports LSCs to authenticate the TLS connection with CUCM. Because MIC root certificates can be compromised, customers who configure phones to use MICs for TLS authentication or for any other purpose do so at their own risk. Cisco assumes no liability if MICs are compromised.

LSC Installation

  1. Enable CAPF service on CUCM.

  2. After the CAPF service is activated, assign the phone instructions to generate an LSC in CUCM. Log in to Cisco Unified CM Administration and choose Device > Phone. Select the phone you configured.

  3. In the Certificate Authority Proxy Function (CAPF) Information section, ensure all settings are correct and the operation is set to a future date.

  4. If Authentication Mode is set to Null String or Existing Certificate, no further action is required.

  5. If Authentication Mode is set to a string, manually select Settings > Security Configuration > **# > LSC > Update in the phone console.

Verify

Use this section in order to confirm that your configuration works properly.

ASA Verification

CUCM Verification

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Bugs

  • Cisco bug ID CSCtf09529, Add support for VPN feature in CUCM for 8961, 9951, 9971 phones
  • Cisco bug ID CSCuc71462, IP phone VPN failover takes 8 minutes
  • Cisco bug ID CSCtz42052, IP Phone SSL VPN Support For Non Default Port Numbers
  • Cisco bug ID CSCth96551, Not all ASCII characters are supported during phone VPN user + password login.
  • Cisco bug ID CSCuj71475, Manual TFTP entry needed for IP Phone VPN
  • Cisco bug ID CSCum10683, IP phones not logging missed, placed, or received calls

Related Information


This article helps you securely connect individual clients running Windows, Linux, or Mac OS X to an Azure VNet. Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such as when you are telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol) or IKEv2. For more information about Point-to-Site VPN, see About Point-to-Site VPN.

Architecture

Point-to-Site native Azure certificate authentication connections use the following items, which you configure in this exercise:

  • A RouteBased VPN gateway.
  • The public key (.cer file) for a root certificate, which is uploaded to Azure. Once the certificate is uploaded, it is considered a trusted certificate and is used for authentication.
  • A client certificate that is generated from the root certificate. The client certificate is installed on each client computer that will connect to the VNet. This certificate is used for client authentication.
  • A VPN client configuration. The VPN client configuration files contain the necessary information for the client to connect to the VNet. The files configure the existing VPN client that is native to the operating system. Each client that connects must be configured using the settings in the configuration files.

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell, an interactive shell environment hosted in Azure and used through the browser. Azure Cloud Shell comes with the Azure PowerShell cmdlets pre-installed.

To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, so press Enter to run the code.

You can launch Azure Cloud Shell with:

Select Try It in the upper-right corner of a code block. This doesn't automatically copy text to Cloud Shell.
Open shell.azure.com in your browser.
Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.

Running PowerShell locally

You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you are not running the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

Most of the steps in this article can use Cloud Shell. However, to upload the root certificate public key, you must either use PowerShell locally, or the Azure portal.

Example values

You can use the example values to create a test environment, or refer to these values to better understand the examples in this article. The variables are set in section 1 of the article. You can either use the steps as a walk-through and use the values without changing them, or change them to reflect your environment.

  • Name: VNet1
  • Address space: 192.168.0.0/16 and 10.254.0.0/16
    This example uses more than one address space to illustrate that this configuration works with multiple address spaces. However, multiple address spaces are not required for this configuration.
  • Subnet name: FrontEnd
    • Subnet address range: 192.168.1.0/24
  • Subnet name: BackEnd
    • Subnet address range: 10.254.1.0/24
  • Subnet name: GatewaySubnet
    The Subnet name GatewaySubnet is mandatory for the VPN gateway to work.
    • GatewaySubnet address range: 192.168.200.0/24
  • VPN client address pool: 172.16.201.0/24
    VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the VPN client address pool.
  • Subscription: If you have more than one subscription, verify that you are using the correct one.
  • Resource Group: TestRG
  • Location: East US
  • DNS Server: IP address of the DNS server that you want to use for name resolution. (optional)
  • GW Name: Vnet1GW
  • Public IP name: VNet1GWPIP
  • VpnType: RouteBased

1. Sign in and set variables

In this section, you sign in and declare the values used for this configuration. The declared values are used in the sample scripts. Change the values to reflect your own environment. Or, you can use the declared values and go through the steps as an exercise.

Sign in

Open your PowerShell console with elevated privileges.

If you are running Azure PowerShell locally, connect to your Azure account. The Connect-AzAccount cmdlet prompts you for credentials. After authenticating, it downloads your account settings so that they are available to Azure PowerShell. If you are not running PowerShell locally and are instead using the Azure Cloud Shell 'Try it' in the browser, skip this first step. You will connect to your Azure account automatically.

If you have more than one subscription, get a list of your Azure subscriptions.

Specify the subscription that you want to use.

Declare variables

Declare the variables that you want to use. Use the following sample, substituting the values for your own when necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to re-declare the variables.

2. Configure a VNet

  1. Create a resource group.

  2. Create the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and GatewaySubnet. These prefixes must be part of the VNet address space that you declared.

  3. Create the virtual network.

    In this example, the -DnsServer server parameter is optional. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names for the resources you are connecting to from your VNet. This example uses a private IP address, but it is likely that this is not the IP address of your DNS server. Be sure to use your own values. The value you specify is used by the resources that you deploy to the VNet, not by the P2S connection or the VPN client.

  4. Specify the variables for the virtual network you created.

  5. A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation. You cannot request a Static Public IP address assignment. However, it doesn't mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    Request a dynamically assigned public IP address.

3. Create the VPN gateway

Configure and create the virtual network gateway for your VNet.

  • The -GatewayType must be Vpn and the -VpnType must be RouteBased.
  • The -VpnClientProtocol is used to specify the types of tunnels that you would like to enable. The tunnel options are OpenVPN, SSTP and IKEv2. You can choose to enable one of them or any supported combination. If you want to enable multiple types, then specify the names separated by a comma. OpenVPN and SSTP cannot be enabled together. The strongSwan client on Android and Linux and the native IKEv2 VPN client on iOS and OSX will use only the IKEv2 tunnel to connect. Windows clients try IKEv2 first and if that doesn’t connect, they fall back to SSTP. You can use the OpenVPN client to connect to OpenVPN tunnel type.
  • The virtual network gateway 'Basic' SKU does not support IKEv2, OpenVPN or RADIUS authentication. If you are planning on having Mac clients connect to your virtual network, do not use the Basic SKU.
  • A VPN gateway can take up to 45 minutes to complete, depending on the gateway sku you select. This example uses IKEv2.

4. Add the VPN client address pool

After the VPN gateway finishes creating, you can add the VPN client address pool. The VPN client address pool is the range from which the VPN clients receive an IP address when connecting. Use a private IP address range that does not overlap with the on-premises location that you connect from, or with the VNet that you want to connect to. In this example, the VPN client address pool is declared as a variable in Step 1.
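The sign-in, variable, VNet, gateway and client address pool steps from sections 1 to 4, collected into one Az PowerShell script. This is an added example reconstructing those steps, not code from the original article; it uses the names and prefixes from the Example values section, while the DNS server address and the VpnGw1 gateway SKU are assumptions.

```powershell
# Added example (not the article's own code): sections 1-4 as a single script.
# Requires the Az module. In Cloud Shell you are already signed in, so skip Connect-AzAccount.

# 1. Sign in and pick the subscription.
Connect-AzAccount
Get-AzSubscription                                   # lists subscriptions if you have several
Select-AzSubscription -SubscriptionName 'Replace_With_Your_Subscription_Name'

# Declare the variables (values from the Example values section).
$VNetName    = 'VNet1'
$FESubName   = 'FrontEnd'
$BESubName   = 'BackEnd'
$GWSubName   = 'GatewaySubnet'           # this exact name is mandatory for the VPN gateway
$VNetPrefix1 = '192.168.0.0/16'
$VNetPrefix2 = '10.254.0.0/16'
$FESubPrefix = '192.168.1.0/24'
$BESubPrefix = '10.254.1.0/24'
$GWSubPrefix = '192.168.200.0/24'
$VPNClientAddressPool = '172.16.201.0/24'
$RG          = 'TestRG'
$Location    = 'East US'
$GWName      = 'VNet1GW'
$GWIPName    = 'VNet1GWPIP'
$GWIPconfName = 'gwipconf'               # ASSUMPTION: name for the gateway IP configuration
$DNS         = '10.0.1.3'                # ASSUMPTION: placeholder; use your own resolver's IP

# 2. Configure the VNet: resource group, the three subnets, then the network itself.
New-AzResourceGroup -Name $RG -Location $Location

$fesub = New-AzVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
$besub = New-AzVirtualNetworkSubnetConfig -Name $BESubName -AddressPrefix $BESubPrefix
$gwsub = New-AzVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix

# -DnsServer is optional; it only sets the resolver handed to resources inside the VNet.
New-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location `
    -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub,$besub,$gwsub -DnsServer $DNS

$vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $GWSubName -VirtualNetwork $vnet

# A VPN gateway public IP can only be allocated dynamically; it stays fixed until the
# gateway is deleted and re-created.
$pip = New-AzPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location `
    -AllocationMethod Dynamic
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

# 3. Create the gateway: GatewayType Vpn, VpnType RouteBased, IKEv2 only. The Basic SKU
# does not support IKEv2, so VpnGw1 is assumed. This call can take up to 45 minutes.
New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -EnableBgp $false `
    -GatewaySku VpnGw1 -VpnClientProtocol 'IKEv2'

# 4. Add the client address pool once the gateway exists. The pool must not overlap the
# VNet prefixes or the network you connect from, or traffic never leaves the local LAN.
$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool
```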

5. Generate certificates

Certificates are used by Azure to authenticate VPN clients for Point-to-Site VPNs. You upload the public key information of the root certificate to Azure. The public key is then considered 'trusted'. Client certificates must be generated from the trusted root certificate, and then installed on each client computer in the Certificates - Current User\Personal certificate store. The certificate is used to authenticate the client when it initiates a connection to the VNet.

If you use self-signed certificates, they must be created using specific parameters. You can create a self-signed certificate using the instructions for PowerShell and Windows 10, or, if you don't have Windows 10, you can use MakeCert. It's important that you follow the steps in the instructions when generating self-signed root certificates and client certificates. Otherwise, the certificates you generate will not be compatible with P2S connections and you receive a connection error.

1. Obtain the .cer file for the root certificate

Use either a root certificate that was generated with an enterprise solution (recommended), or generate a self-signed certificate. After you create the root certificate, export the public certificate data (not the private key) as a Base64 encoded X.509 .cer file. Then, upload the public certificate data to the Azure server.

  • Enterprise certificate: If you're using an enterprise solution, you can use your existing certificate chain. Acquire the .cer file for the root certificate that you want to use.

  • Self-signed root certificate: If you aren't using an enterprise certificate solution, create a self-signed root certificate by following one of the articles below exactly. Otherwise, the certificates you create won't be compatible with your P2S connections and clients will receive a connection error when they try to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The steps in the following articles describe how to generate a compatible self-signed root certificate:

    • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. Client certificates that are generated from the root certificate can be installed on any supported P2S client.
    • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to generate certificates. Although MakeCert is deprecated, you can still use it to generate certificates. Client certificates that you generate from the root certificate can be installed on any supported P2S client.

2. Generate a client certificate

Each client computer that you connect to a VNet with a Point-to-Site connection must have a client certificate installed. You generate it from the root certificate and install it on each client computer. If you don't install a valid client certificate, authentication will fail when the client tries to connect to the VNet.

You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients. The advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if multiple clients use the same client certificate to authenticate and you revoke it, you'll need to generate and install new certificates for every client that uses that certificate.

You can generate client certificates by using the following methods:

  • Enterprise certificate:

    • If you're using an enterprise certificate solution, generate a client certificate with the common name value format name@yourdomain.com. Use this format instead of the domain name\username format.
    • Make sure the client certificate is based on a user certificate template that has Client Authentication listed as the first item in the user list. Check the certificate by double-clicking it and viewing Enhanced Key Usage in the Details tab.
  • Self-signed root certificate: Follow the steps in one of the following P2S certificate articles so that the client certificates you create will be compatible with your P2S connections. The steps in these articles generate a compatible client certificate:

    • Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to generate certificates. The generated certificates can be installed on any supported P2S client.
    • MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer for generating certificates. Although MakeCert is deprecated, you can still use it to generate certificates. You can install the generated certificates on any supported P2S client.

    When you generate a client certificate from a self-signed root certificate, it's automatically installed on the computer that you used to generate it. If you want to install a client certificate on another client computer, export it as a .pfx file, along with the entire certificate chain. Doing so will create a .pfx file that contains the root certificate information required for the client to authenticate.

To export the certificate

For steps to export a certificate, see Generate and export certificates for Point-to-Site using PowerShell.
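Steps 1 and 2 of this section (self-signed root certificate, client certificate issued from it, then the .cer and .pfx exports) as one Windows 10 PowerShell session. This is an added example, not the article's own code or the linked instructions; the subject names, output paths and the Desktop folder are assumptions.

```powershell
# Added example (not the article's code): self-signed root + client certificate for P2S,
# followed by the two exports the article asks for. Run in Windows 10 PowerShell.

# Root certificate: a signing-only CA certificate in the current user's Personal store.
# KeyUsage CertSign is what lets it issue the client certificate below.
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate issued by that root. Extension 2.5.29.37 is Enhanced Key Usage; listing
# only 1.3.6.1.5.5.7.3.2 makes Client Authentication the first (and only) EKU entry, which
# is the ordering the troubleshooting section later checks for.
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' -KeySpec Signature `
    -Subject 'CN=P2SChildCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $rootCert -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# Export the root's PUBLIC data only (no private key) as a Base64 X.509 .cer for upload.
# X509ContentType::Cert yields DER; wrapping the Base64 in PEM markers gives the .cer form.
$der = $rootCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path "$env:USERPROFILE\Desktop\P2SRootCert.cer" -Value @(
    '-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')

# Export the client certificate WITH its private key and the full chain (.pfx), so another
# client computer also receives the root. The file carries a private key: password-protect
# it and delete it from the client once imported.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
Export-PfxCertificate -Cert $clientCert -FilePath "$env:USERPROFILE\Desktop\P2SChildCert.pfx" `
    -Password $pfxPassword -ChainOption BuildChain
```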

6. Upload the root certificate public key information

Verify that your VPN gateway has finished creating. Once it has completed, you can upload the .cer file (which contains the public key information) for a trusted root certificate to Azure. Once a .cer file is uploaded, Azure can use it to authenticate clients that have installed a client certificate generated from the trusted root certificate. You can upload additional trusted root certificate files - up to a total of 20 - later, if needed.

You can't upload this information using Azure Cloud Shell. You can either use PowerShell locally on your computer, or the Azure portal steps.

  1. Declare the variable for your certificate name, replacing the value with your own.

  2. Replace the file path with your own, and then run the cmdlets.

  3. Upload the public key information to Azure. Once the certificate information is uploaded, Azure considers it to be a trusted root certificate.
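The three upload steps above as one local PowerShell session (an added example, not the article's code). It assumes the gateway and resource group names from the Example values section and a Base64 X.509 .cer file on the Desktop.

```powershell
# Added example (not the article's code): upload the root certificate's public key data to
# the VPN gateway from local PowerShell (Cloud Shell cannot read the local file).
$RG     = 'TestRG'
$GWName = 'VNet1GW'

# 1. Name under which the root is listed on the gateway (assumption).
$P2SRootCertName = 'P2SRootCert.cer'

# 2. Path of the Base64 X.509 export (assumption: saved on the Desktop).
$filePathForCert = "$env:USERPROFILE\Desktop\P2SRootCert.cer"

# Load the certificate (public data only, no key is involved) and re-encode its DER bytes as
# plain Base64 without the BEGIN/END markers, which is what -PublicCertData expects.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [System.Convert]::ToBase64String($cert.RawData)

# 3. Register it as a trusted root for this gateway (up to 20 may be added).
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName `
    -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG -PublicCertData $CertBase64

# Confirm the root is now listed, and keep the thumbprint for your records: it is the value
# to compare when you later audit which roots the gateway trusts.
Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG
$cert.Thumbprint
```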

7. Install an exported client certificate

If you want to create a P2S connection from a client computer other than the one you used to generate the client certificates, you need to install a client certificate. When installing a client certificate, you need the password that was created when the client certificate was exported.

Make sure the client certificate was exported as a .pfx along with the entire certificate chain (which is the default). Otherwise, the root certificate information isn't present on the client computer and the client won't be able to authenticate properly.

For install steps, see Install a client certificate.

8. Configure the native VPN client

The VPN client configuration files contain settings to configure devices to connect to a VNet over a P2S connection. For instructions to generate and install VPN client configuration files, see Create and install VPN client configuration files for native Azure certificate authentication P2S configurations.

9. Connect to Azure

To connect from a Windows VPN client

Note

You must have Administrator rights on the Windows client computer from which you are connecting.

  1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN connection that you created. It is named the same name as your virtual network. Click Connect. A pop-up message may appear that refers to using the certificate. Click Continue to use elevated privileges.

  2. On the Connection status page, click Connect to start the connection. If you see a Select Certificate screen, verify that the client certificate showing is the one that you want to use to connect. If it is not, use the drop-down arrow to select the correct certificate, and then click OK.

  3. Your connection is established.

Troubleshooting Windows client P2S connections

If you have trouble connecting, check the following items:

  • If you exported a client certificate with Certificate Export Wizard, make sure that you exported it as a .pfx file and selected Include all certificates in the certification path if possible. When you export it with this value, the root certificate information is also exported. After you install the certificate on the client computer, the root certificate in the .pfx file is also installed. To verify that the root certificate is installed, open Manage user certificates and select Trusted Root Certification Authorities\Certificates. Verify that the root certificate is listed, which must be present for authentication to work.

  • If you used a certificate that was issued by an Enterprise CA solution and you can't authenticate, verify the authentication order on the client certificate. Check the authentication list order by double-clicking the client certificate, selecting the Details tab, and then selecting Enhanced Key Usage. Make sure Client Authentication is the first item in the list. If it isn't, issue a client certificate based on the user template that has Client Authentication as the first item in the list.


  • For additional P2S troubleshooting information, see Troubleshoot P2S connections.

To connect from a Mac VPN client

From the Network dialog box, locate the client profile that you want to use, then click Connect. Check Install - Mac (OS X) for detailed instructions. If you are having trouble connecting, verify that the virtual network gateway is not using a Basic SKU. Basic SKU is not supported for Mac clients.

To verify your connection

These instructions apply to Windows clients.

  1. To verify that your VPN connection is active, open an elevated command prompt, and run ipconfig/all.

  2. View the results. Notice that the IP address you received is one of the addresses within the Point-to-Site VPN Client Address Pool that you specified in your configuration. The results are similar to this example:

To connect to a virtual machine

These instructions apply to Windows clients.

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

  2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. Open Remote Desktop Connection by typing 'RDP' or 'Remote Desktop Connection' in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click 'Show Options' to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address for the VM.
  • Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.
  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
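The VM lookup from step 1 and the overlapping-address-space check from the troubleshooting list, as an added PowerShell example that is not Microsoft's own sample. It assumes the Az.Compute and Az.Network modules with an authenticated session, Windows 8 or later for Get-NetIPAddress, and placeholder address ranges for the VNet and the VPNClientAddressPool.

```powershell
# Added example, not Microsoft's sample: list each VM's private IP, then check
# whether this client's Ethernet IPv4 address falls inside the VNet or the P2S
# client pool (the overlapping-address-space case). Assumes Az.Compute/Az.Network
# with an authenticated session and Windows 8 or later for Get-NetIPAddress.
$VNetPrefixes       = @('10.1.0.0/16')       # placeholder: your VNet address space
$ClientPoolPrefixes = @('172.16.201.0/24')   # placeholder: your VPNClientAddressPool

function Get-VmPrivateIp {
    $vms  = Get-AzVM
    $nics = Get-AzNetworkInterface | Where-Object { $null -ne $_.VirtualMachine }
    foreach ($nic in $nics) {
        $vm = $vms | Where-Object { $_.Id -eq $nic.VirtualMachine.Id }
        foreach ($cfg in $nic.IpConfigurations) {
            [pscustomobject]@{
                VM         = $vm.Name
                PrivateIp  = $cfg.PrivateIpAddress
                Allocation = $cfg.PrivateIpAllocationMethod
            }
        }
    }
}

function ConvertTo-IpNumber([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
}

# True when $Ip lies inside the CIDR block (prefix bits compared after shifting out the host bits).
function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $shift = 32 - [int]$bits
    return ((ConvertTo-IpNumber $Ip) -shr $shift) -eq ((ConvertTo-IpNumber $net) -shr $shift)
}

# Checks the local Ethernet adapter, not the VPN adapter, which legitimately gets a pool address.
function Test-LocalOverlap([string]$InterfaceAlias = 'Ethernet') {
    $overlap = $false
    $addrs = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $InterfaceAlias -ErrorAction SilentlyContinue
    foreach ($a in $addrs) {
        foreach ($cidr in ($VNetPrefixes + $ClientPoolPrefixes)) {
            if (Test-IpInCidr $a.IPAddress $cidr) {
                Write-Warning "$InterfaceAlias has $($a.IPAddress), inside $cidr; traffic to that range stays local."
                $overlap = $true
            }
        }
    }
    return $overlap
}

Get-VmPrivateIp | Format-Table -AutoSize
if (-not (Test-LocalOverlap)) { 'No overlap with the VNet or client pool; RDP to the private IP should route over the VPN.' }
```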

To add or remove a root certificate

You can add and remove trusted root certificates from Azure. When you remove a root certificate, clients that have a certificate generated from the root certificate can't authenticate and won't be able to connect. If you want a client to authenticate and connect, you need to install a new client certificate generated from a root certificate that is trusted (uploaded) to Azure.

To add a trusted root certificate

You can add up to 20 root certificate .cer files to Azure. The following steps help you add a root certificate:

Method 1

This method is the most efficient way to upload a root certificate. It requires Azure PowerShell cmdlets installed locally on your computer (not Azure Cloud Shell).

  1. Prepare the .cer file to upload:

  2. Upload the file. You can only upload one file at a time.

  3. To verify that the certificate file uploaded:

Method 2 - Azure portal

This method has more steps than Method 1, but has the same result. It is included in case you need to view the certificate data. It requires Azure PowerShell cmdlets installed locally on your computer (not Azure Cloud Shell).

  1. Create and prepare the new root certificate to add to Azure. Export the public key as a Base-64 encoded X.509 (.CER) and open it with a text editor. Copy the values, as shown in the following example:

    Note

    When copying the certificate data, make sure that you copy the text as one continuous line without carriage returns or line feeds. You may need to modify your view in the text editor to 'Show Symbol/Show all characters' to see the carriage returns and line feeds.

  2. Specify the certificate name and key information as a variable. Replace the information with your own, as shown in the following example:

  3. Add the new root certificate. You can only add one certificate at a time.

  4. You can verify that the new certificate was added correctly by using the following example:

To remove a root certificate

  1. Declare the variables.

  2. Remove the certificate.

  3. Use the following example to verify that the certificate was removed successfully.
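The upload, verification and removal steps above (Method 1 and "To remove a root certificate"), as an added PowerShell example that is not Microsoft's own sample. It assumes the Az.Network module with an authenticated session (Connect-AzAccount already run) and placeholder names for the resource group, gateway and .cer path; the CA and expiry checks before upload are additions of this example.

```powershell
# Added example, not Microsoft's sample: upload a P2S root certificate, verify it,
# and remove it. Assumes Az.Network (Connect-AzAccount already run) and placeholder
# names for the resource group, gateway and .cer path.
$ResourceGroupName = 'TestRG'                    # placeholder
$GatewayName       = 'VNet1GW'                   # placeholder
$P2SRootCertName   = 'P2SRootCert'               # name Azure will list the root under
$CertFilePath      = 'C:\cert\P2SRootCert.cer'   # placeholder: exported public key

# Step 1: read the .cer and produce the Base-64 DER as one continuous string.
# Using RawData sidesteps the CR/LF problem of hand-copying PEM text from an editor.
function Get-RootCertBase64([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "'$($cert.Subject)' is not a CA certificate; upload the root, not a client certificate."
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Root certificate expired on $($cert.NotAfter)." }
    return [System.Convert]::ToBase64String($cert.RawData)
}

# Step 2: upload one root per call; Azure accepts at most 20 roots per gateway.
function Add-P2SRootCert([string]$Name, [string]$Base64) {
    $existing = @(Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $GatewayName `
        -ResourceGroupName $ResourceGroupName)
    if ($existing.Count -ge 20) { throw 'Gateway already holds 20 root certificates.' }
    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $Name `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
        -PublicCertData $Base64
}

# Removal: every client certificate issued under this root stops authenticating
# as soon as the call completes, so check who still depends on it first.
function Remove-P2SRootCert([string]$Name, [string]$Base64) {
    Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName $Name `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
        -PublicCertData $Base64
}

$CertBase64 = Get-RootCertBase64 $CertFilePath
Add-P2SRootCert -Name $P2SRootCertName -Base64 $CertBase64

# Step 3: verify the gateway now lists the root.
Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $GatewayName `
    -ResourceGroupName $ResourceGroupName | Select-Object Name, ProvisioningState

# To remove it later (same variables), then re-run the Get-* call above to confirm it is gone:
# Remove-P2SRootCert -Name $P2SRootCertName -Base64 $CertBase64
```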

To revoke a client certificate

You can revoke client certificates. The certificate revocation list allows you to selectively deny Point-to-Site connectivity based on individual client certificates. This is different than removing a trusted root certificate. If you remove a trusted root certificate .cer from Azure, it revokes the access for all client certificates generated/signed by the revoked root certificate. Revoking a client certificate, rather than the root certificate, allows the other certificates that were generated from the root certificate to continue to be used for authentication.

The common practice is to use the root certificate to manage access at team or organization levels, while using revoked client certificates for fine-grained access control on individual users.

Revoke a client certificate

  1. Retrieve the client certificate thumbprint. For more information, see How to retrieve the Thumbprint of a Certificate.

  2. Copy the information to a text editor and remove all spaces so that it is a continuous string. This string is declared as a variable in the next step.

  3. Declare the variables. Make sure to declare the thumbprint you retrieved in the previous step.

  4. Add the thumbprint to the list of revoked certificates. You see 'Succeeded' when the thumbprint has been added.

  5. Verify that the thumbprint was added to the certificate revocation list.

  6. After the thumbprint has been added, the certificate can no longer be used to connect. Clients that try to connect using this certificate receive a message saying that the certificate is no longer valid.

To reinstate a client certificate

You can reinstate a client certificate by removing the thumbprint from the list of revoked client certificates.

  1. Declare the variables. Make sure you declare the correct thumbprint for the certificate that you want to reinstate.

  2. Remove the certificate thumbprint from the certificate revocation list.

  3. Check if the thumbprint is removed from the revoked list.
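The revoke, verify and reinstate steps above, as an added PowerShell example that is not Microsoft's own sample. It assumes the Az.Network module with an authenticated session; the resource group, gateway, entry name and thumbprint are constructed placeholders, and the thumbprint clean-up helper is an addition of this example.

```powershell
# Added example, not Microsoft's sample: revoke one client certificate by SHA-1
# thumbprint, verify, and reinstate it. Assumes Az.Network with an authenticated
# session; the resource group, gateway, name and thumbprint are placeholders.
$ResourceGroupName = 'TestRG'            # placeholder
$GatewayName       = 'VNet1GW'           # placeholder
$RevokedCertName   = 'alice-laptop'      # label Azure lists the revoked entry under

# Thumbprint as copied from the certificate's Details tab: spaces, and sometimes an
# invisible left-to-right mark, must go before Azure will accept it.
function ConvertTo-CleanThumbprint([string]$Raw) {
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length): '$Raw'"
    }
    return $clean
}

# Step 4: revoke. Only this certificate is denied; siblings from the same root still work.
function Revoke-P2SClientCert([string]$Name, [string]$Thumbprint) {
    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $Name `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
        -Thumbprint $Thumbprint
}

# Step 5: confirm the thumbprint is on the gateway's revocation list.
function Test-P2SClientCertRevoked([string]$Thumbprint) {
    $list = Get-AzVpnClientRevokedCertificate -VirtualNetworkGatewayName $GatewayName `
        -ResourceGroupName $ResourceGroupName
    return [bool]($list | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# Reinstate: remove the thumbprint from the list again.
function Restore-P2SClientCert([string]$Name, [string]$Thumbprint) {
    Remove-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $Name `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
        -Thumbprint $Thumbprint
}

# Constructed placeholder thumbprint (not a real certificate).
$Thumbprint = ConvertTo-CleanThumbprint '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'
Revoke-P2SClientCert -Name $RevokedCertName -Thumbprint $Thumbprint
if (Test-P2SClientCertRevoked $Thumbprint) { "Revoked: $Thumbprint" }
# Later, to let the user back in, then re-check with Test-P2SClientCertRevoked:
# Restore-P2SClientCert -Name $RevokedCertName -Thumbprint $Thumbprint
```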

Point-to-Site FAQ

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS 1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Algorithm)
  • 3DES (Triple Data Encryption Algorithm)
  • MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry key if you are running an older version of Windows 10 (10240).
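The registry change the procedure above relies on, as an added PowerShell example that is not Microsoft's own sample: it enables the TLS 1.2 client side of SCHANNEL and reports whether the two values are in the expected state. It assumes an elevated PowerShell session on Windows 7 or 8.1.

```powershell
# Added example, not Microsoft's sample: enable the SCHANNEL TLS 1.2 client protocol
# on Windows 7 / 8.1 and verify the result. Run from an elevated PowerShell session.
$TlsClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

function Enable-Tls12Client {
    if (-not (Test-Path $TlsClientKey)) { New-Item -Path $TlsClientKey -Force | Out-Null }
    # Enabled=1 turns the protocol on; DisabledByDefault=0 lets SCHANNEL offer it
    # without the application having to request it explicitly.
    New-ItemProperty -Path $TlsClientKey -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $TlsClientKey -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
}

# Returns $true only when both values are present and set as required.
function Test-Tls12Client {
    if (-not (Test-Path $TlsClientKey)) { return $false }
    $p = Get-ItemProperty -Path $TlsClientKey
    return ($p.Enabled -eq 1) -and ($p.DisabledByDefault -eq 0)
}

Enable-Tls12Client
if (Test-Tls12Client) {
    'TLS 1.2 client enabled; install the listed updates and reboot before connecting.'
} else {
    throw "SCHANNEL values under $TlsClientKey are not in the expected state."
}
```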

Can I traverse proxies and firewalls using Point-to-Site capability?

Azure supports three types of Point-to-site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls, since most firewalls allow outbound TCP port 443, which SSL uses.

  • OpenVPN. OpenVPN is an SSL-based solution that can penetrate firewalls, since most firewalls allow outbound TCP port 443, which SSL uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50. Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

No. A Point-to-Site client can only connect to resources in the VNet in which the virtual network gateway resides.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN® Protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

    OS version                                     Date               Number/Link
    Windows Server 2016, Windows 10 Version 1607   January 17, 2018   KB4057142
    Windows 10 Version 1703                        January 17, 2018   KB4057144
    Windows 10 Version 1709                        March 22, 2018     KB4089848

  2. Set the registry key value. Create or set the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. Mac OS X will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

Can I use my own internal PKI root CA to generate certificates for Point-to-Site connectivity?

Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.

Can I use certificates from Azure Key Vault?

No.

What tools can I use to create certificates?

You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.

Are there instructions for certificate settings and parameters?

  • Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

  • Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: See the MakeCert article for steps.

  • OpenSSL:

    • When exporting certificates, be sure to convert the root certificate to Base64.

    • For the client certificate:

      • When creating the private key, specify the length as 4096.
      • When creating the certificate, for the -extensions parameter, specify usr_cert.

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM network overview.

For P2S troubleshooting information, see Troubleshooting: Azure point-to-site connection problems.