Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

How to publish the Azure Client VPN and the Azure Client certificate to all users


I have more than 200 users distributed over 3 countries

I need to be able to publish the Azure VPN client and certificate using Group policy 

How can I reach that?


John Yassa - Senior Platform Engineer - http://johnyassa.wordpress.com/


Point to site vpn problem


hello,

I have three virtual machines installed in Azure: 1) AD Server, 2) SQLSERVERERP, 3) EPICORERP. I am using this environment for Epicor ERP; the Epicor application is installed on the DB server. I have configured point-to-site VPN on the virtual networks. After connecting the point-to-site VPN on the client side, I can install the Epicor client software, but I am not able to log in to the application; it gives the error: NO DNS ENTRIES EXISTS FOR HOST SQLSERVERERP.

After connecting the point-to-site VPN I can't resolve DNS. Is there any solution so that my client PC can join the domain of the Azure VM, which is ADSERVER? For Epicor ERP it is recommended to be in the same domain to install the client software.

Unable to join client to Azure VM domain through point-to-site VPN


Hello ,

I have created three virtual machines on the Azure platform: 1) AD server, 2) SQL DB server, 3) Apps server, in the same virtual network, and I have configured point-to-site VPN. I have installed the client certificate and packages on my local PC and it is successfully connected. My problem is that I am unable to join the domain of the Azure VM, i.e. the AD server.

Is there any solution so that I can join my local PC to the domain through the point-to-site VPN?


Problem with VPN in Phase 2


Hi, we configured a site-to-site connection using static routing. The tunnel successfully establishes phase 1, but when it starts phase 2 it crashes. The reason is that, by policy of my partner, on their side of the VPN they only allow specific hosts to connect to their network, but Azure sends the complete network as the local IP, so the negotiation fails.

The question is: is there any way to configure Azure to send the IP that is originating the traffic as the local IP, and not the network?

Being more specific, this is the error on my partner site:

7 Apr 17 2015 17:23:47 713222     Group = XXXX, IP = XXXX, Static Crypto Map check, map = outside_map, seq = 247, ACL does not match proxy IDssrc:192.168.159.0 dst:172.17.X.X

Azure sends the network and not the host that is originating the traffic.

This is an Azure log:

  QM State: State corresponding to first roundtrip
  QM SA role: Initiator
  Mode: Tunnel Mode
  Local Subnet:
    IPv4 Addr & Mask: 192.168.159.0/255.255.255.224
  Remote Subnet:
    IPv4 Addr & Mask: 172.17.X.X/255.255.255.255


Please help!

Will.

 

Is it possible to get a Reserved IP in a particular geography?


Is it possible to reserve an IP address which reports its location in a particular geo? I'm running some services on a VM which are failing because the public IP address "looks" like it's not in the UK. The VM is in the Europe North location, but the public IP addresses that you get allocated (either dynamic or reserved) seem to come from anywhere - Dublin, Redmond, Brazil, elsewhere in the US etc. If I look at the IP address locations, there are subnets which will report in the UK, but I can't find a way to secure one. I've tried just reserve, check, release in PowerShell, but can't get a UK one.

How to setup Traffic Manager with Azure API Management


Hello-

I have been trying to configure traffic manager as a Failover mechanism for Azure API Management (not sure if this is the correct terminology). 

The gist is this: I have configured Azure API Management to point to a set of Web APIs hosted in a Cloud Service. I would like to use Traffic Manager as a failover mechanism to route requests to a different data center, should the primary service become unresponsive or go into a degraded state.

When going through the portal, there is no selection available to configure API Management/Web API: the selections are Cloud Service and Web apps.

I've also looked into the PowerShell Add-AzureTrafficManagerProfile using the -Type ["Any"] option with the same result - it adds the endpoint but it is in a "Degraded" state.

I need to understand the correct way to accomplish this - I'm pretty sure I'm doing something wrong.


gigabit

Error 13801 when connecting to Azure Gateway


I have followed a number of different blogs to configure a site-to-site VPN with Azure.   When the demand dial connection starts, the following occurs:

Message 1

CoId={28E6AE60-C778-4DE0-AE36-0046FA39B40B}: The user SYSTEM has started dialing a VPN connection using a all-user connection profile named x.x.x.x. The connection settings are:

Dial-in User =

VpnStrategy = IKEv2

DataEncryption = Require

PrerequisiteEntry =

AutoLogon = No

UseRasCredentials = Yes

Authentication Type = PreShareKey

Ipv4DefaultGateway = Yes

Ipv4AddressAssignment = By Server

Ipv4DNSServerAssignment = By Server

Ipv6DefaultGateway = Yes

Ipv6AddressAssignment = By Server

Ipv6DNSServerAssignment = By Server

IpDnsFlags =

IpNBTEnabled = No

UseFlags = Private Connection

ConnectOnWinlogon = No

Mobility enabled for IKEv2 = No.

Message 2:

CoId={28E6AE60-C778-4DE0-AE36-0046FA39B40B}: The user SYSTEM is trying to establish a link to the Remote Access Server for the connection named x.x.x.x using the following device:

Server address/Phone Number = x.x.x.x

Device = WAN Miniport (IKEv2)

Port = VPN2-4

MediaType = VPN.

Message 3:

CoId={28E6AE60-C778-4DE0-AE36-0046FA39B40B}: The user SYSTEM has successfully established a link to the Remote Access Server using the following device:

Server address/Phone Number = x.x.x.x

Device = WAN Miniport (IKEv2)

Port = VPN2-4

MediaType = VPN.

Message 4:

CoId={28E6AE60-C778-4DE0-AE36-0046FA39B40B}: The link to the Remote Access Server has been established by user SYSTEM.

Message 5 (Error):

CoId={28E6AE60-C778-4DE0-AE36-0046FA39B40B}: The user SYSTEM dialed a connection named x.x.x.x which has failed. The error code returned on failure is 13801.

My ISP has confirmed there is no NAT and the firewall is wide open right now (hardware and software).

I have tried a self-signed key with EKUs of Server Authentication and IP Security IKE Intermediate.

I've seen others have this problem but no solution. Anyone have any ideas?


Point to Site VPN


Hello All

I believe I've found my answer but would like feedback. I'm looking at setting up a P2S connection without a physical server. I've found the link below as well as the attached forum post. I understand that I can create my DC in an Azure VM and then connect the users with certificates. Has anyone tried this and if so does it work? If not, is there an alternative? Thanks

http://blogs.technet.com/b/cbernier/archive/2013/08/21/windows-azure-how-to-point-to-site-vpn-walk-through.aspx

https://social.msdn.microsoft.com/Forums/azure/en-US/f28cdc80-ae43-4e21-b45b-4a18751081a2/pointtosite-connectivity-want-to-know-the-basic-feature-benefits?forum=WAVirtualMachinesVirtualNetwork


Bandwidth issue in Azure virtual machine


Hi,

Suddenly, for the last two or three days, we are not getting proper bandwidth on one of our Azure virtual machines; the uploading and downloading speed we are getting is below 30 Mbps, so please look into this issue.

How to create azure virtual network by programming

Hi everyone

I want to create an Azure virtual network by programming.

Does anyone know how?

My way is to create an XML network config
and then call the PowerShell Set-AzureVNetConfig -ConfigurationPath
But if any network already exists on the management portal,
it is impossible to create a new Azure virtual network.

Thanks in advance,
QP

On-premise VPN connect to (2) vNets in (1) subscription


Hello!

I have (1) Azure subscription with (2) vNets. I'm looking to connect my on-premise VPN to both vNets. Basically, connecting two virtual networks to an on-premises site location while the two virtual networks don't have any communication with each other.

I'm trying to do the following in Azure...

  1. (2) VNETs created: (1) Internet Facing; (1) Non-Internet Facing
  2. These (2) VNETs will need to communicate back to my OnPrem Network
  3. These (2) VNETs will NOT talk to each other in Azure.

I have a Cisco ASA 5500. I know this device doesn't support dynamic routing, so an RRAS server will most likely need to be created. I need to set up a VPN connection between my on-premise environment and the two VNETs that don't talk to each other within Azure.

If both VNETs talk to my OnPrem Local Network set up in Azure, then they both need an Azure Gateway address, correct?
Will both VNETs need their own pipe back to OnPrem or can they communicate back on the same pipe? If so, how do I set that up?

So basically:

On-Premise < - > Azure VNET1

On-Premise < - > Azure VNET2

All this would connect to On-Premise with (1) VPN tunnel.

Any help would be greatly appreciated!




VNETs, SUBNETs, OnPREM


I have a question about VNETs and SubNets.  Do these have any interaction/relation within an OnPREM network - as in do I have to assign, set aside an IP range on my work network for my VNETs in Azure?

Two reasons why I ask:

1.  I don’t like how Azure is forcing me to create subnets; I just want one subnet per VNET and to connect that to a Local network. I don’t want to have 4-5 subnets to utilize all the IPs assigned for the VNET.

2.  My concern is: if a web server is assigned to WebNet2 and I setup autoscale to scale the server to 25 at a certain time, I may be out of IPs and that may cause problems.


I'm curious if I could do something like below and be fine, in the clear, when I create other subscriptions in Azure using the 10.225.0.0 space.


Of course if I create another VNET within the same subscription, I would have to have a different Local network setup because of the conflict, overlapping 10.225.0.0.

Ultimately, I would like to actually have two subnets: /11 and the rest along with a gateway. I break it apart for Infrastructure (IaaS) and WebNet (PaaS) but I don’t see how that can be possible so…

Any help or suggestions would be much appreciated!


Need help to configure a VPN connection to an azure


Hello there,

I’m doing a site recovery project and I have successfully configured on-premise Hyper-V to Azure Site Recovery.

I’m now trying to build a site-to-site recovery. My network settings are:

  • IP-range on-premise hyper-v server 172.16.16.0/24
  • IP-range network for VPN to Azure 192.168.5.0/28

IP-range on Azure virtual machines are:

I followed this guide to build the site-to-site VPN on the Cisco 800 series router and used the ISR series script that I downloaded from the Azure dashboard.

http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx

My Crypto map config on the router is:

Crypto Map IPv4 "VPN" 13 ipsec-isakmp
        Description: AZURE-VPN
        Peer = 104.40.xxx.x
        Extended IP access list AZURE
            access-list AZURE permit ip 192.168.5.0 0.0.0.15 172.18.0.0 0.0.255.255
        Current peer: 104.40.xxx.x
        Security association lifetime: 102400000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                AZURE:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map VPN:
                Dialer1

The error I get on the router is:

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

032480: Apr 28 08:07:16.719: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:

{esp-3des esp-sha-hmac }

032481: Apr 28 08:07:16.719: ISAKMP:(2014): IPSec policy invalidated proposal with error 256

032482: Apr 28 08:07:16.719: ISAKMP:(2014): phase 2 SA policy not acceptable!(local 213.247.xxx.xxx remote 104.40.xxx.x

032483: Apr 28 08:07:16.719: ISAKMP: set new node -1867611319 to QM_IDLE

032484: Apr 28 08:07:16.719: ISAKMP:(2014):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 2267024872, message ID = 2427355977

032485: Apr 28 08:07:16.719: ISAKMP:(2014): sending packet to 104.40.xxx.x my_port 500 peer_port 500 (R) QM_IDLE

032486: Apr 28 08:07:16.719: ISAKMP:(2014):Sending an IKE IPv4 Packet.

032487: Apr 28 08:07:16.719: ISAKMP:(2014):purging node -1867611319

032488: Apr 28 08:07:16.719: ISAKMP:(2014):deleting node -1790187706 error TRUE reason "QM rejected"

032489: Apr 28 08:07:16.719: ISAKMP:(2014):Node 2504779590, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

032490: Apr 28 08:07:16.723: ISAKMP:(2014):Old State = IKE_QM_I_QM1 New State = IKE_QM_I_QM1.....

Success rate is 0 percent (0/5)

Please someone help, because I can’t find what the problem is.


Connecting to Azure FTP Service

I'm new to creating web applications using VS, coding in C#, ASP.NET, and the perfect solution for me was using the Microsoft Azure services to host the site and the DB.

Everything was fine; I was away from home using my phone as a wireless hotspot. Then, when I came home and tried accessing the Azure FTP using FileZilla, it got stuck on 'Initializing TLS...'

I used the phone's hotspot again and it worked.

I know it has something to do with my router's firewall and port forwarding, but I tried everything and I cannot manage to access the FTP...

I've searched the web for Azure-specific troubleshooting and couldn't find any. I'll be glad if someone could give me some guidance on how to access it. BTW, I'm using a TP-Link router.

Thanks!

Why is connecting a website to a vnet so expensive?


I have a virtual network in Azure with a VM in that network. I need to connect to the VM from one of my Azure websites, but the only way I can find to do this involves creating a P2S VPN and gateway on the virtual network, which costs approx $30 per month.

This seems really expensive when all I want to do is talk between two resources in the same datacenter.

I can understand this pricing if I wanted to connect to an on-prem device, but connecting to another Azure device in the same region seems a bit ridiculous.


502 Error on Azure Wordpress app


Was editing an article when I began getting timeout errors and then reloading the page gave me the following error message: 

The page cannot be displayed because an internal server error has occurred.

The status of my Azure server seems to be running smoothly, and I have not changed the WordPress codex at all. I'm also unable to access my directories through FTP. I'm getting a message saying "530 User cannot log in, home directory inaccessible. Please contact your web hosting service provider for assistance."

Some assistance would be appreciated. Thanks.

Unable to connect to VMs in new cloud service via ExpressRoute


We have changed our ExpressRoute setup. Initially we had an ExpressRoute via London, but we have added a second one via Amsterdam and removed the one via London. All existing and new VMs in the different VNets have a connection to our local datacenter, but as soon as we create VMs in a new cloud service the published routes don't seem to be picked up and the machines are only reachable in their local VNet on Azure.

Does anyone have an idea where to look? It looks like the route publishing does not seem to work correctly, but it is strange that new VMs in an existing cloud service do work correctly. BGP peering and VNets have been provided access via the ExpressRoute and all have status provisioned.

Monitoring VPN Data Usage


Is there a way to monitor the traffic flowing over a VPN? I had to rebuild my gateway last night so my statistics reset. This morning I checked the status of the gateway and found that I had over 25 GB of outbound data. This is extremely excessive for what's sitting in Azure.

Any ideas on how to monitor the traffic? Get an aggregate of inbound/outbound data by IP?


VNET to VNET connection issue


I am using the below URL to establish the VNet-to-VNet connection under the same subscription.

http://blogs.technet.com/b/canitpro/archive/2014/06/03/step-by-step-configure-vnet-to-vnet-connectivity-in-azure.aspx

I am getting the below gateway event:

Unable to establish the cross-premise tunnel for site 'VNET2-2'. Previous state: Initializing. Current state: Not Connected. 6/17/2014 5:25:52 PM

Can someone guide me as to where I am going wrong? I followed exactly the same steps as in the link. I have copied the network configuration from the link and imported it.

VPN between Linux/strongSwan and Azure Virtual Network gateway


Hi all,

I've just succeeded in establishing a VPN between strongSwan and an Azure VN gateway.

Performance is good and the connection is stable. It reconnects when it's lost and I've just transferred ~20GB without any problems.

Our network has several more VPN connections (10.X.0.0/24) and this is the connection between the central hub and the Azure gateway. To enable access from all locations to the Azure network I had to install a 172.29.0.0/16<-->10.X.0.0/24 VPN between each location and the hub.

I've used strongswan-5.0.2 with this patch: http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0235914d

I've also tested strongswan-4.5 but I was not able to establish a connection. Also, the patch above was important because otherwise the connection comes up but an additional QUICK_MODE drops the connection immediately.

This was my VN configuration which I uploaded using the Azure PowerShell. This turned out to be easier and faster than doing all changes during testing in the management console: 

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns />
    <LocalNetworkSites>
      <LocalNetworkSite name="MyLocalNetwork">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/8</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>A.A.A.A</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="MyVirtualNetwork" AffinityGroup="MyAffinityGroup">
        <AddressSpace>
          <AddressPrefix>172.29.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="azure-lan">
            <AddressPrefix>172.29.0.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>172.29.1.0/24</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="MyLocalNetwork" />
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>

And this is the strongSwan configuration:

conn azurenetwork-mynetwork
    # left: official IP of my Azure gateway
    left=B.B.B.B
    leftsubnet=172.29.0.0/16
    # right: official IP of my local gateway
    right=A.A.A.A
    rightsubnet=10.0.0.0/8
    type=tunnel
    keyexchange=ikev1
    ikelifetime=3600s
    keylife=28800s
    lifebytes=104857600000
    esp=aes128-sha1
    ike=aes128-sha1-modp1024
    rekey=yes
    auth=esp
    keyingtries=1
    authby=secret
    mobike=no
    dpdaction=none
    auto=start
    rekeymargin=3m

and this is my ipsec.secrets:

A.A.A.A     B.B.B.B   : PSK "mypresharedkeymypresharedkey"

Any comments or suggestions are welcome.

Best regards,

Harald
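
An added example, not part of Harald's post or of strongSwan: a small Python check that the leftsubnet/rightsubnet selectors in the conn section agree with the address spaces in the Azure network configuration, since a phase 2 selector mismatch is what the "Problem with VPN in Phase 2" post above reports. It assumes the post's orientation (left is the Azure side); the inputs are constructed from the post's values and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"n": "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"}

# Constructed sample input: the address prefixes from the post's network configuration.
NETCFG = """<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
 <VirtualNetworkConfiguration>
  <LocalNetworkSites><LocalNetworkSite name="MyLocalNetwork">
   <AddressSpace><AddressPrefix>10.0.0.0/8</AddressPrefix></AddressSpace>
  </LocalNetworkSite></LocalNetworkSites>
  <VirtualNetworkSites><VirtualNetworkSite name="MyVirtualNetwork">
   <AddressSpace><AddressPrefix>172.29.0.0/16</AddressPrefix></AddressSpace>
   <Subnets><Subnet name="azure-lan"><AddressPrefix>172.29.0.0/24</AddressPrefix></Subnet></Subnets>
  </VirtualNetworkSite></VirtualNetworkSites>
 </VirtualNetworkConfiguration>
</NetworkConfiguration>"""

# Constructed sample input: the subnet lines of the post's conn section.
CONN = """conn azurenetwork-mynetwork
    leftsubnet=172.29.0.0/16   # Azure side (assumed orientation, as in the post)
    rightsubnet=10.0.0.0/8     # on-premises side
"""

def _nets(values):
    return {ipaddress.ip_network(v.strip()) for v in values if v and v.strip()}

def azure_selectors(xml_text):
    """Return (VNet address space, local network site address space)."""
    root = ET.fromstring(xml_text)
    # The AddressSpace step skips the per-subnet prefixes under <Subnets>.
    vnet = root.findall(".//n:VirtualNetworkSite/n:AddressSpace/n:AddressPrefix", NS)
    local = root.findall(".//n:LocalNetworkSite/n:AddressSpace/n:AddressPrefix", NS)
    return _nets(p.text for p in vnet), _nets(p.text for p in local)

def conn_selectors(conf_text):
    """Return (leftsubnet, rightsubnet) networks from an ipsec.conf conn section."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return (_nets(opts.get("leftsubnet", "").split(",")),
            _nets(opts.get("rightsubnet", "").split(",")))

def selector_mismatches(xml_text, conf_text):
    """List the sides whose phase 2 selectors differ between the two configs."""
    vnet, local = azure_selectors(xml_text)
    left, right = conn_selectors(conf_text)
    problems = []
    if left != vnet:
        problems.append(f"leftsubnet {sorted(map(str, left))} != VNet {sorted(map(str, vnet))}")
    if right != local:
        problems.append(f"rightsubnet {sorted(map(str, right))} != local site {sorted(map(str, local))}")
    return problems

if __name__ == "__main__":
    print(selector_mismatches(NETCFG, CONN) or "selectors match")
```
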

 
