Azure Point to Site VPN Configuration & Silent installation using SCCM

Overview

One of our clients has infrastructure split between on-premises and Azure. Users mostly access platform or infrastructure as a service directly over the internet, but for remote access to on-premises file services they currently use DirectAccess, which works well. To prepare them for the (unlikely) event of a full site outage I was intending to configure multi-site DirectAccess with a connection point within Azure using IaaS; however, according to Microsoft, DirectAccess is not currently a supported workload on Azure. As an alternative (and less elegant) solution I decided that having an Azure Point-to-Site VPN configured on clients, to be used in the event of an emergency at the main site, would be sufficient to retain access to services hosted on Azure virtual machines. This Azure Point-to-Site VPN coexists with their S2S VPN and can route via it if both sites are available. Critical virtual machines are replicated from an on-premises Hyper-V cluster to Azure Site Recovery. There are some other permanent virtual machines running on the same virtual network, including ADFS, a domain controller and a file server (selective DFS-N and DFS-R target).

I won’t go into detail about the configuration because you can read Microsoft’s official guidance on the topic, which is here. What you will notice is that the documentation offers no official support for silent installs: installation requires administrative access, so there are few options for mass deployment. When I realised this I was a bit shocked, to be frank. I am glad I found this very helpful post on the topic explaining how the Point-to-Site VPN works under the hood.

Solution

To achieve my desired outcome I followed the steps in the above blog article, making some slight modifications to the PowerShell scripts to match my requirements. I then placed the PowerShell scripts into a folder and created an application in SCCM as normal. I gathered the source files (.inf and PBK) by downloading the EXE from the Azure portal and extracting the files using 7-Zip.

In my case I want the Azure Point-to-Site VPN to be able to route to the Azure networks 172.16.0.0 as well as the on-premises networks 192.168.0.0 if they are contactable. I needed to adjust the on-premises firewall to allow this traffic.

A summary of the below installation script is as follows:

  1. The script copies the VPN profile that I have customised, using the base settings generated from the EXE.
  2. It creates scheduled tasks that run whenever the VPN connects or disconnects, so that the static routes on the system are updated.
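
The following is an added example of step 2, not the script from the original post or the referenced article: one file that, in Install mode, registers two scheduled tasks triggered by the RasClient connect and disconnect events, and, when run by those tasks, adds or removes the routes on the P2S interface only. The connection name "AzureP2S", the /16 prefix lengths (the post gives none) and the RasClient event IDs 20225/20226 as the triggers are my assumptions.

```powershell
# Added example, not the original post's script. Assumes the P2S entry is
# named "AzureP2S" and that both networks are /16 (the post gives no prefix).
param([ValidateSet('Connect', 'Disconnect', 'Install')][string]$Mode = 'Install')

$VpnName  = 'AzureP2S'                             # assumption: PBK entry name
$Networks = @('172.16.0.0/16', '192.168.0.0/16')   # assumption: /16 prefixes

function Update-P2SRoutes([string]$Event) {
    # The RAS connection appears as an IPv4 interface whose alias is the
    # connection name. Only routes bound to that interface are touched, so
    # LAN or S2S routes to the same networks are never added to or removed.
    $if = Get-NetIPInterface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          Where-Object InterfaceAlias -eq $VpnName
    foreach ($net in $Networks) {
        if ($Event -eq 'Connect' -and $if) {
            # Non-persistent on-link route (point-to-point interface, no gateway).
            New-NetRoute -DestinationPrefix $net -InterfaceIndex $if.InterfaceIndex `
                -NextHop 0.0.0.0 -PolicyStore ActiveStore -ErrorAction SilentlyContinue | Out-Null
        } else {
            Get-NetRoute -DestinationPrefix $net -ErrorAction SilentlyContinue |
                Where-Object InterfaceAlias -eq $VpnName |
                Remove-NetRoute -Confirm:$false
        }
    }
}

function Register-P2SRouteTask([string]$Event, [int]$EventId) {
    # Assumption: RasClient writes event 20225 (connected) and 20226
    # (disconnected) to the Application log; an event trigger runs this
    # script as SYSTEM with the matching mode.
    $ns = 'Root/Microsoft/Windows/TaskScheduler'
    $trigger = New-CimInstance -CimClass (Get-CimClass MSFT_TaskEventTrigger -Namespace $ns) -ClientOnly
    $trigger.Enabled = $true
    $trigger.Subscription = "<QueryList><Query Id='0' Path='Application'><Select Path='Application'>" +
        "*[System[Provider[@Name='RasClient'] and EventID=$EventId]]</Select></Query></QueryList>"
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Mode $Event"
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName "AzureP2S-$Event" -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

switch ($Mode) {
    'Install' { Register-P2SRouteTask 'Connect' 20225; Register-P2SRouteTask 'Disconnect' 20226 }
    default   { Update-P2SRoutes $Mode }
}
```

Run it once with -Mode Install from the SCCM deployment (elevated); copying the customised PBK from step 1 is a separate step not shown here.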
