
I feel like an idiot here. I have set up a simple Windows VM in Azure, and 12 remote users (all working from home) need VPN access to it simply to reach a shared drive. I thought this would be very easy, but I have spent days trying to figure it out.

I have already set up the server, and I now realize (after several days of searching) that a traditional PPTP or L2TP VPN using RRAS will not work, because the Azure framework blocks those protocols. I have also seen posts like this one saying to use Azure Connect, which should meet our needs. However, the references in that post to Herve Roggero's blog and even to Microsoft's own Azure support site talk about features I cannot use, and the screenshots look completely different from what I see in the Azure console. In fact, the help documentation on Microsoft's site is 2 to 2.5 years old. Seriously MS... update your documentation!

My console looks like this image (an example image from a Google search... not my actual interface)

However, the articles refer to a console similar to this image

Am I not on the correct version of Azure? Did they update the interface without updating their documentation? Most importantly, how do I (using the Azure interface I have) use Azure Connect? I tried creating a virtual network, but there was no option there to install a local endpoint using Windows Azure Connect. Am I an idiot, or am I missing something here?


5 Answers


FYI - there is a blog post on how to set up an SSTP VPN provider on Azure (without Connect):

http://blogs.msdn.com/b/notime/archive/2013/06/01/how-to-configure-windows-azure-server-2012-as-an-sstp-vpn-provider.aspx

1. Create new Windows Server VM using "Quick Create"
2. The DNS name, username and password will be used to connect to the VPN
3. The public port created by default for RDP is a random one between 41952-65535. But you can edit the endpoint to change the public port to 3389. Go to Virtual Machines, select the VM, select Endpoints, select RemoteDesktop endpoint, click Edit Endpoint at the bottom and change the public port to 3389.
4. Create TCP endpoint at port 443
5. Connect using Remote Desktop (RDP) through the Dashboard

---------- Server Role
1. Click on Server Manager -> Manage -> "Add Roles and Features"
2. Add "Remote Access", include VPN and Routing (needed for NAT) role services and restart
3. Click on Server Manager -> Notifications -> "Open the Getting Started Wizard"
4. Select "Deploy VPN only"

---------- Server Certificate
1. Open an elevated CMD prompt
2. Use SelfSSL (IIS6 Resource Kit, custom install only this component, http://support.microsoft.com/kb/840671 ) to generate an SSL certificate for the SSTP:
C:\>"c:\Program Files (x86)\IIS Resources\SelfSSL\selfssl.exe" /N:cn=<...>.cloudapp.net /V:3650
(3650 == 10 years, "<...>.cloudapp.net" represents the fully-qualified domain name, FQDN)
3. Confirm prompt with "y", ignore metabase error (if it appears)
4. Run mmc.exe, add snap-in for Certificates -> Computer account
5. Click on Personal -> Certificates
6. Right-click on the <...>.cloudapp.net certificate, then on All Tasks -> Export, include private keys and protect with password

---------- Server RRAS
1. Run Routing and Remote Access (RRAS) tool
2. Right-click on the server and then on "Configure and Enable RRAS"
3. Choose "Custom configuration", select "VPN access" and NAT
4. Right-click on the server and then on Properties -> Security
5. Select the <...>.cloudapp.net certificate
6. Click on the IPv4 tab
7. Enter a "Static address pool" for the number of clients, e.g.: 192.168.1.1 - 192.168.1.20 (otherwise the connection will fail with error 720)
8. Don't enter a range that is too short. The OS keeps a lock on a used IP address for a while, so reconnecting often or from multiple devices may use up the pool and the connection will fail with error 0x8007274C
9. Right-click on IPv4 -> NAT, then on "New Interface", select the external interface (e.g. "Ethernet 2")
10. Click on "Public interface connected to the Internet" and check "Enable NAT on this interface"

---------- Server User
1. Open "Computer Management" console
2. Click on "Local Users and Groups", then on Users, double click on your account
3. Click on Dial-in and change "Network Access Permission" to "Allow access"

---------- Client Certificate
1. Manage Computer Certificates
2. Click on "Place all certificates in the following store", then on Browse
3. Select "Trusted Root Certificate Authorities", if you store the certificate in the personal store, the connection will fail with error 0x800B0109

---------- Client Connection
1. Go to Network and Sharing Center, click on "Setup a new connection or network"
2. Select "Connect to a workplace", then VPN
3. Enter <...>.cloudapp.net, name and create
4. Click on Network tray icon
5. Right-click on new VPN connection, then show properties
6. Click on Security, set VPN type to SSTP and allow only MS-CHAP v2
7. Connect using same credentials used to create the VM and for RDP
8. Test your internet connectivity
9. Use a web site that shows your external IP, it should be an IP from the Azure datacenter

---------- SSL Certificate
To avoid installing a self-certificate to the trusted store (or for devices with a locked trusted store), do the following:
1. Open the IIS Manager on the server
2. Click on the server, then on "Server Certificates"
3. Click on "Create Certificate Request" (Certificate Signing Request, CSR)
4. Enter <...>.cloudapp.net as the "Common name", fill the rest and export as text file
5. Buy an SSL certificate using the CSR (cheap SSL certificates start at around $5/year)
6. Once the SSL authority issues the certificate:
a) Install to the server's and client's "Local Machine" personal store as described above, skipping the step to copy/move it to the trusted store
b) Select the same certificate in the RRAS tool, on the Security tab

I verified that it works.

answered 2013-07-08T09:33:10.390
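The same server and client setup scripted in PowerShell, as an added example that is not part of the answer above or of the linked blog post. It assumes Windows Server 2012 R2 or later, an elevated prompt, that the TCP/443 endpoint has already been added in the Azure portal, and placeholder values for the FQDN and the user name.

```powershell
# ---- Server side (run on the Azure VM, elevated) ----
$fqdn = 'myvm.cloudapp.net'   # placeholder for your <...>.cloudapp.net name
$user = 'vpnuser'             # placeholder for the local account that will dial in

# Remote Access role with the VPN and Routing (NAT) role services.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# Self-signed certificate in the Local Machine personal store, 3650 days as in the
# answer. The subject must match the name clients connect to, or SSTP rejects it.
$cert = New-SelfSignedCertificate -DnsName $fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddDays(3650)

# Export the public part only (no private key); this is what clients need in
# their Trusted Root store. The private key never leaves the server.
Export-Certificate -Cert $cert -FilePath "C:\sstp-$fqdn.cer" | Out-Null

# "Deploy VPN only", bind the certificate, accept MS-CHAP v2 only.
Install-RemoteAccess -VpnType Vpn
Set-RemoteAccess -SslCertificate $cert
Set-VpnAuthProtocol -UserAuthProtocolAccepted MSChapv2

# Static address pool, deliberately larger than the user count so that the
# address lock held after a disconnect does not exhaust it (error 0x8007274C).
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
    -IPAddressRange '192.168.1.1', '192.168.1.40'

# SSTP is plain TCP/443 inbound; the host firewall must allow it too.
New-NetFirewallRule -DisplayName 'SSTP VPN (TCP 443)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow | Out-Null

# Dial-in permission for the account ("Allow access" on the Dial-in tab).
netsh ras set user name=$user dialin=permit

# NAT on the external interface has no RemoteAccess cmdlet; do steps 9-10 of
# "Server RRAS" above in the RRAS console.

# ---- Client side (Windows 8/10, elevated) ----
# Trust the exported public certificate, in Trusted Root, not Personal
# (Personal gives error 0x800B0109 as the answer notes).
Import-Certificate -FilePath "C:\sstp-$fqdn.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# SSTP-only connection with MS-CHAP v2 and encryption required.
Add-VpnConnection -Name 'Azure SSTP' -ServerAddress $fqdn -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential
```

Connect with `rasdial 'Azure SSTP' $user` and confirm the external IP is an Azure address, as in step 9 of "Client Connection".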

You say the Windows Azure framework is blocking PPTP and L2TP. Did you add the correct endpoints to the Windows Azure VM (port 1707 for L2TP and port 1723 for PPTP)? If you have done that, you must also make sure that Windows Firewall on the Windows Azure VM allows traffic through those ports. This is not done automatically.

Windows Azure Virtual Network is a site-to-site solution that requires an on-premises VPN device. It is used to connect entire networks together. You cannot use Windows Azure Connect with it. Windows Azure Connect is a machine-to-machine solution. You need to install the local endpoint agent from the old (Silverlight) portal.

Regards,

Patrick

answered 2013-02-18T22:54:41.957

To access Windows Azure Connect maintenance you still need to go through the old portal, via a menu sub-item in the management console; you can see that menu if you click on the Live Id in the top-right corner.

But my favorite is simply browsing to https://windows.azure.com

Once in the old portal, select the "Virtual Network" option on the left panel. Some time ago I wrote a blog post about what you are looking for (see here http://davidjrh.intelequia.com/2011/10/conectar-una-azure-cloud-drive.html and use the translation widget)

answered 2013-02-20T23:24:50.620

In case anyone is searching: we got error 0x8007274d on some machines when connecting to a point-to-site Azure VPN. Solution: disable all virtual network adapters created by VBox or VMware (in the Network and Sharing Center). Then try connecting again. Once connected, you can re-enable the virtual network adapters. This fixed our 0x8007274d problem on various machines, Win7 and Win10.

answered 2017-02-13T11:12:36.463

Here is a document that can be used to set up an L2TP VPN in Azure via a fully automated ARM template: https://artisticcheese.wordpress.com/2021/03/01/l2tp-vpn-via-arm-template-in-azure/

answered 2021-03-07T22:21:59.990