Hello,

I'm currently facing an issue where we can not get any Mac onto our Azure VPN, we just get the same error of "The VPN server did not respond". The certificate works on many windows machines. 

This is not my area of expertise, so please bare with if I misunderstand or do not include the relevant information. 

I have installed the PFX Cert, and the Root CA from the P2S configuration. The XML file in the P2S says the VPN type is SSTP.

I followed the VPN instructions to set the Server Address, and Remote ID to the azure-gateway domain, and set the LocalID to the PFX certs Subject Common Name, in this case P2SChildCert. Authentication settings are set to None>Certificate, where I select the PFX P2SChildCert. I have also tried Authentication>Certificate and selected the same P2SChildCert.

I've run out of ideas to try, and can't find any settings in Azure to see what our VPN Type is set to. 

Any help is appreciated, thank you. 

I am trying to replicate the steps in a blog post titled "Add your WorkSpaces to Azure AD using Azure Active Directory Domain Services" available on google when you search for it. However, When I get to the step where I create the ad connector, it fails with the following error:

> Connectivity issues detected: DNS unavailable (TCP Port 53) for IP 10.0.0.4, DNS unavailable (TCP Port 53) for IP 10.0.0.5. Please ensure that the listed ports are available and retry the operation

I am very proficient with AWS. However, I'm struggling with Azure and feel I may have misconfigured something. I have carried out the following steps thus far:

In Azure, I used an existing resource group and created "Azure AD Domain Services" instance using default configuration

Basics

 - Name: sy******k.com 
 - Subscription: Pay-As-You-Go 
 - Resource Group:
 - Default Region: UK South
 - SKU: Standard  Forest type: User

Network

 - Virtual network: (new) aadds-vnet
 - Subnet: (new) aadds-subnet
 - Subnet Address: 10.0.0.0/24
 - Network Security Group: (new) aadds-nsg

I created a site to site vpn connection with azure virtual network. However, I am not sure about this step in the post: "The tunnels must be configured to allow traffic from your AADDS endpoints and the Subnets" How exactly do I do this?

In AWS VPC cidr is 10.1.0.0/16 and both tunnels between AWS VPC and Azure Virtual Network are up and connected. I tried to contact the post author: "Justin Stokes" directly but can't find any emails for him. I cannot find a single online guide on how to set this up step by step along with the site to site ipsec setup. It would be very very helpful if someone can provide a video tutorial for this step by step from A-Z instead of leaving a chunk of the steps out of the guide.

The troubleshooting guide on aws suggest that the firewall i.e. network security group is not allowing port 53TCP/UDP inbound for AD Connector. But I updated the networks security group as a test with a rule to allow any source, any destination and any port and still I'm getting the same error.

I have been tasked to build out an Azure Public load balancer with two Big IP F5 device's (in HA) to handle web requests to an Azure ASE (Isolated Web App's) 

In researching the pro's and con's I've developed a list of items pertaining to DSR (Direct Server Response). Looking at the list of pro's and con's, it's seems this may be the wrong solution considering management of the client traffic at the application layer is much needed. 

I would like to hear from others with options, comments or experiences utilizing / setting up this technology within the Azure environment. 

Is this list of pro's and con's accurate with the purposed solution? 

Client---->ALB---->F5's---->ASE

Thank you

so the two services sit on the same virtual machine (meaning it will be the same backends) ,

1. Can this setup work? if not why  not?

2. If yes, is it advisable?

3. if not advisable? then would you suggest Service A as one backend on VM1-2? and service B as as other backend on VM3-4? 

Image may be NSFW.
Clik here to view.

Hi All,

We have a requirement to connect to our on premise "agents" from our Azure based services. Our Azure based services may need to connect to many different on premise based agents (often over http/https but sometimes over other ports). The first obvious choice is of course a site to site VPN for each site however we have some issues with this.

i. We cannot always guarantee the on premise site has a security/VPN applicable capable of site to site VPN.
ii. The on premise network might have a private IP network that is not routable to the IP network on Azure.

Because of the above we looked into using P2S point to site VPNs. This in principal solve all our problems as when we connect to the VPN on Azure we are then able to communicate with our Azure services and i've done proof of concepts and it works however it is our Azure services that will need to connect to our on premise agents rather than the other way round. This causes us a problem as we don't always know what dynamic IP address has been allocated to a particular VPN connection and Azure P2S VPN's don't support static IP.

I've come up with a solution to the above that relies on a service running on premise that connects to the Azure service in the cloud and allows the services in the cloud to map an agent connection to a VPN IP address however if a VPN connection drops and reconnects we cannot be sure that it is assigned the same address. Also, if another VPN client gets the other connection's IP  address we could have a period of time which we are connecting to the wrong service until our service 're-maps' the connection.

So, since S2S isn't a viable option, and static IP is not available on Azure P2S i was wondering if anyone had any suggestions. I'm thinking about perhaps an Azure VPN applicance that perhaps does support static IP P2S or some kind of IP 'mapping' software that will present a virtual network interface at each end of a connection with a static IP that is persistent for the client end.

We can ensure the identities of clients via a unique certificate for individual clients. It's really a shame that Azure has no way of mapping a certificate thumbprint to an IP address. Perhaps an idea there MS?

Thank for your your time reading this. If anyone has some smart ideas would be great to discuss.

Many Thanks,

Kevin Palmer

Kevin Palmer

Hi All Azure expert,

I setup a tunnel between my VPN gateway (gen 2) using active-active mode to my Check Point cluster. I can see the CP cluster get the BGP route from the Azure VNG gateway. But the CP route redisturbuted to Azure VNG side but VNG don't get it. I am testing to use Numbered VTI. Not sure if it is the setting of the peer IP problem. Anyone can help to tell me what BGP setting from CP side need to setup?

regards,

Sam 

Hi Team,

I want to return fqdn of created azure vm by out parameter of arm template and powershell
Powershell version as below on windows server 2016 -64 bit.

Version : 5.1.2
Name : Azure
Author : Microsoft Corporation
PowerShellVersion : 3.0

Below is powershell script that i wrote and azure Vm is creating but no fqdn data is coming . I am using az module in powershell

param (    
    [parameter(Mandatory = $true)]
    [PSCustomObject] $parameterObject,

[parameter(Mandatory = $true)]
    [System.IO.FileInfo] $armTemplateFilePath,

    [parameter(Mandatory = $true)]
    [string]$clientId,

    [parameter(Mandatory = $true)]
    [string]$clientSecrete,

    [parameter(Mandatory = $true)]
    [string]$tenantId,

    [parameter(Mandatory = $true)]
    [string]$subscriptionId
) 

#createing PObject

$networkSecurityGroupRulesArry = New-Object -TypeName psobject
$networkSecurityGroupRulesArry | Add-Member -MemberType NoteProperty -Name networkSecurityGroupRules -Value $parameterObject.networkSecurityGroupRules 

$addressPrefixesArry = New-Object -TypeName psobject
$addressPrefixesArry | Add-Member -MemberType NoteProperty -Name addressPrefixes -Value $parameterObject.addressPrefixes 

$subnetsArry = New-Object -TypeName psobject
$subnetsArry | Add-Member -MemberType NoteProperty -Name subnets -Value $parameterObject.subnets 

#createing Hashtable type
$Parameters = New-Object -TypeName Hashtable

$Parameters.Add("params", @( $parameterObject.location,
"botni01",
"botnsg01",
$networkSecurityGroupRulesArry.networkSecurityGroupRules,
"default",
"botvnet01",
$addressPrefixesArry.addressPrefixes,
$subnetsArry.subnets ,                                                        
"botpubip01",
"Dynamic",
"Basic",
$parameterObject.virtualMachineName,
     $parameterObject.resourceGroupName,
$parameterObject.osDiskType,
$parameterObject.virtualMachineSize,
"demouser",
"Paaaw0rd@1234",
$parameterObject.publisher,
$parameterObject.offer,
$parameterObject.sku)
)
#Write-Host "****************************print Parameters -var ***********************************"
#$Parameters

#Connect with azure cloud and do creation process
$passwd = ConvertTo-SecureString $clientSecrete -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($clientId , $passwd)

$subscription = Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId -Subscription $subscriptionId
#Exist chk for RsgRp
$rg = Get-AzResourceGroup -Name $parameterObject.resourceGroupName -Location $parameterObject.location -ErrorAction SilentlyContinue -Verbose

if(($rg -eq $null) -or ($rg -eq '')) {
    $rg = New-AzResourceGroup -Name $parameterObject.resourceGroupName -Location  $parameterObject.location -Force  -Verbose
}

#$deployment start
$deployment = New-AzResourceGroupDeployment -Name deployvmbot  -ResourceGroupName  $rg.ResourceGroupName  -Mode Incremental `
            -TemplateFile  $armTemplateFilePath `
            -TemplateParameterObject  $Parameters  `  -Verbose

$VMs = Get-AzVM -ResourceGroupName $rg.ResourceGroupName -Name "BotVM01"
$nics = Get-AzNetworkInterface -ResourceGroupName $rg.ResourceGroupName -Name $(Split-Path -Leaf $VMs.NetworkProfile.NetworkInterfaces[0].Id)
$PrivateIpAddress = $nics.IpConfigurations.PrivateIpAddress
ForEach($nic in $nics)
{
Write-Host "****************************try to  foreach loop print NIC -var ***********************************"
    $PrivateIpAddress = $nic.IpConfigurations.PrivateIpAddress

}

Hi

We have Site-to-Site connection between our On-Premise network and VNET in Azure via VPN Gateway.

What are my failover options here? If just in case Azure region goes does how to automatically switch to secondary VNET in different region. We do have same VNET in different region for failover but how to connect that is the question.

Thanks, Piyush

Hi,

I have added a custom domain to Azure tenant. On-Premise domain has ".local". I have added a DNS suffix ".com" using the "Active Directory Domains and Trusts" tool. I have added to on-premise DNS server the DNS TXT record (provided by Azure) but the verify process still fails. Not sure why and cannot find any further information to assist.

Question: Is there anyway to achieve the verification process without having a registered domain name pointing back to your on-premise DNS server?

Thanks.

Bora

Hello guys,

need your help here...

Environment is MS 2019 Datacenter. All VMs are on azure including the network configuration. 

I have 2 node cluster with Node A and Node B. Each of the 2 nodes has 2 Network Interfaces. One is for the Production (LAN) network and one is for the cluster communication (HeartBeat) network. 

Production network is: 192.168.0.0/24

Node A have IP: 192.168.0.7

Node B have IP: 192.168.0.8

HB network is: 192.168.1.0/24

Node A: 192.168.1.100

Node B: 192.168.1.101

The problem is when node A hold the roles and resources (for example: File role) you can ping the file role and cluster virtual name IPs without problem. But there is no ping from the passive node to File Server role or cluster name IPs. "Destination host unreachable". If I do a failover to node B then, you can't ping cluster name or role from node A. Ping to the cluster virtual name or any of the roles is possible only from the active node. It's not working from the passive node or different server in the same production subnet 192.168.0.0/24

Failover is working. DNS successfully resolve the names when I ping the cluster role and cluster name. 

I search and found that the issue maybe is related to MAC Address Changes for Virtual Server During a Failover with Clustering.

But I don't know how to enable this gratuitous ARP requests on Azure network? Do you have any idea how to achieve this? 

I would like to share also: arp -a

Node A:

Interface: 169.254.2.241 --- 0x3
  Internet Address      Physical Address      Type
  169.254.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static

Interface: 192.168.1.100 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.101         12-34-56-78-9a-bc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 192.168.0.7 --- 0x5
  Internet Address      Physical Address      Type
  192.168.0.1           12-34-56-78-9a-bc     dynamic
  192.168.0.4           12-34-56-78-9a-bc     dynamic
  192.168.0.5           12-34-56-78-9a-bc     dynamic
  192.168.0.6           12-34-56-78-9a-bc     dynamic
  192.168.0.8           12-34-56-78-9a-bc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Node B 

Interface: 192.168.0.8 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           12-34-56-78-9a-bc     dynamic
  192.168.0.4           12-34-56-78-9a-bc     dynamic
  192.168.0.5           12-34-56-78-9a-bc     dynamic
  192.168.0.6           12-34-56-78-9a-bc     dynamic
  192.168.0.7           12-34-56-78-9a-bc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 169.254.1.63 --- 0x5
  Internet Address      Physical Address      Type
  169.254.255.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static

Interface: 192.168.1.101 --- 0x6
  Internet Address      Physical Address      Type
  192.168.1.100         12-34-56-78-9a-bc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

I see that all network interfaces use the same and one MAC address? Is this the root cause of the issue? 

Thank you. 

We have an on-premise FTP server which we have been using with other on-premise web servers for transferring files. 

As we are in the process of migrating these web servers to Azure, we encountered an issue where the FTP server connections are getting disconnected.

We used multiple client tools from Azure web server such as FileZilla and we can see the connection is being established (using port 21). This can happen as we click on the folder structure to browse or start transferring files, we get the odd disconnection and error messages:

Networking team have assured me that they are not seeing anything being dropped in the firewalls. 

Anyone have any suggestions?

Hi,

I need to add a VM to an existing classic Virtual Network, but don't seem to be able to, I'm only given the option to create a new one.

I have selected the same Geo location and REsource GRoup as the other servers connected to the same Virtual Network

Can anyone advise?  I know it's preferable to use resource manager, but migrating over the whole infrastructure is not an option at the moment, and the primary ADFS server seems not to be recoverable, so I need a quick solution ... :) 

Thanks in advance

Hello,

I am trying to find a cli/powershell or other utility tell me what ip address available on vnet/subnet? please let me know if anyone did resolve that. 

Thank you!

raindrop18

Hello,

We need to write a DR plan and we only have one single ER circuit.

My question is: can we create another ER Gw (with the same settings as the first one) in the paired region (if the whole main region goes down) to access the onprem resources? I would like to know if there is a possibility of tapping into the same ER circuit from other (paired) region. My thoughts are that the azure end of the ER terminates somewhere at the edge routers that are shared between regions but I could not find anywhere on the MS docs.

I know there are possibilities to achieve this with multiple ER circuits or even with a VPN gateway in the second region.

Thanks,

Adrian

Hi all,
I configured my gateway for Azure AD Authentication and configure it on a few endpoints

however on all of them I get the same error:

Image may be NSFW.
Clik here to view.

AzureVPNcxn.log

Image may be NSFW.
Clik here to view.

will be happy to get an assistance

Tamir Levy

I have centralize mailflow selected in Hybrid configuration. I have found that my DLP and Exchange transport rules are not working or getting skipped for outbound email. Can you please help me with KB article or document which explains why DLP and ETR are not working after configuring CENTRALIZE Email flow in Hybrid Configuration.

• I have centralize mailflow selected in Hybrid configuration. I have found that my DLP and Exchange transport rules are not working or getting skipped for outbound email. Can you please help me with KB article or document which explains why DLP and ETR are not working after configuring CENTRALIZE Email flow in Hybrid Configuration.

Hi,

I have an azure front door in my subscription and I'm looking to add the application gateway as one of the backend pools.
When I added the application gateway, there does not seem to be any issue.
When I open the backend pool, I see the IP address of the application gateway. But the backend health percentage metric is showing 0 since it has been added.

I also tried adding it as a Custom host by giving the DNS name of the application gateway. But still the backend is showing 0 as health.

When I access the front door URL, it is responding as :

Our services aren't available right now
We're working to restore all services as soon as possible. Please check back soon.

However when I access the app gateway's URL, i'm being routed to my application.

Is there any restrictions in adding the app gateway behind the front door?