Microsoft Document Connection For Mac Os

-->

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet. This article applies to the Resource Manager deployment model.

What protocol does P2S use?

Point-to-site VPN can use one of the following protocols:

  • OpenVPN® Protocol, an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux and Mac devices (OSX versions 10.13 and above).

  • Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).

  • When you install the OneDrive sync app for Mac, a copy of your OneDrive is downloaded to your Mac and put in the OneDrive folder. This folder is kept in sync with OneDrive. If you add, change, or delete a file or folder on the OneDrive website, the file or folder is added.
  • About Point-to-Site VPN.; 22 minutes to read +2; In this article. A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer.

You can work with files in your OneDrive account from Microsoft Office 2011 for Mac using Microsoft Document Connection. Note, though, that you may need to update your operating system (e.g., update to Mavericks) and/or Safari. for this to work. If you're having difficulty printing from Microsoft Office for Mac this article walks you through some steps you can take to troubleshoot. Troubleshoot printing problems in Office for Mac. If you have questions about how to print a document in Office for Mac or how to do special things like print on both sides of the page.

Note

IKEv2 and OpenVPN for P2S are available for the Resource Manager deployment model only. They are not available for the classic deployment model.

How are P2S VPN clients authenticated?

Before Azure accepts a P2S VPN connection, the user has to be authenticated first. There are two mechanisms that Azure offers to authenticate a connecting user.

Authenticate using native Azure certificate authentication

When using the native Azure certificate authentication, a client certificate that is present on the device is used to authenticate the connecting user. Client certificates are generated from a trusted root certificate and then installed on each client computer. You can use a root certificate that was generated using an Enterprise solution, or you can generate a self-signed certificate.

The validation of the client certificate is performed by the VPN gateway and happens during establishment of the P2S VPN connection. The root certificate is required for the validation and must be uploaded to Azure.

Authenticate using native Azure Active Directory authentication

Azure AD authentication allows users to connect to Azure using their Azure Active Directory credentials. Native Azure AD authentication is only supported for OpenVPN protocol and Windows 10 and requires the use of the Azure VPN Client.

With native Azure AD authentication, you can leverage Azure AD's conditional access as well as Multi-Factor Authentication(MFA) features for VPN.

At a high level, you need to perform the following steps to configure Azure AD authentication:

Authenticate using Active Directory (AD) Domain Server

AD Domain authentication allows users to connect to Azure using their organization domain credentials. It requires a RADIUS server that integrates with the AD server. Organizations can also leverage their existing RADIUS deployment. The RADIUS server could be deployed on-premises or in your Azure VNet. During authentication, the Azure VPN Gateway acts as a pass through and forwards authentication messages back and forth between the RADIUS server and the connecting device. So Gateway reachability to the RADIUS server is important. If the RADIUS server is present on-premises, then a VPN S2S connection from Azure to the on-premises site is required for reachability. The RADIUS server can also integrate with AD certificate services. This lets you use the RADIUS server and your enterprise certificate deployment for P2S certificate authentication as an alternative to the Azure certificate authentication. The advantage is that you don’t need to upload root certificates and revoked certificates to Azure.

A RADIUS server can also integrate with other external identity systems. This opens up plenty of authentication options for P2S VPN, including multi-factor options.

What are the client configuration requirements?

Note

For Windows clients, you must have administrator rights on the client device in order to initiate the VPN connection from the client device to Azure.

Users use the native VPN clients on Windows and Mac devices for P2S. Azure provides a VPN client configuration zip file that contains settings required by these native clients to connect to Azure.

  • For Windows devices, the VPN client configuration consists of an installer package that users install on their devices.
  • For Mac devices, it consists of the mobileconfig file that users install on their devices.

The zip file also provides the values of some of the important settings on the Azure side that you can use to create your own profile for these devices. Some of the values include the VPN gateway address, configured tunnel types, routes, and the root certificate for gateway validation.

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.

Which gateway SKUs support P2S VPN?

VPN
Gateway
Generation
SKUS2S/VNet-to-VNet
Tunnels
P2S
SSTP Connections
P2S
IKEv2/OpenVPN Connections
Aggregate
Throughput Benchmark
BGPZone-redundant
Generation1BasicMax. 10Max. 128Not Supported100 MbpsNot SupportedNo
Generation1VpnGw1Max. 30*Max. 128Max. 250650 MbpsSupportedNo
Generation1VpnGw2Max. 30*Max. 128Max. 5001 GbpsSupportedNo
Generation1VpnGw3Max. 30*Max. 128Max. 10001.25 GbpsSupportedNo
Generation1VpnGw1AZMax. 30*Max. 128Max. 250650 MbpsSupportedYes
Generation1VpnGw2AZMax. 30*Max. 128Max. 5001 GbpsSupportedYes
Generation1VpnGw3AZMax. 30*Max. 128Max. 10001.25 GbpsSupportedYes
Generation2VpnGw2Max. 30*Max. 128Max. 5001.25 GbpsSupportedNo
Generation2VpnGw3Max. 30*Max. 128Max. 10002.5 GbpsSupportedNo
Generation2VpnGw4Max. 30*Max. 128Max. 50005 GbpsSupportedNo
Generation2VpnGw5Max. 30*Max. 128Max. 1000010 GbpsSupportedNo
Generation2VpnGw2AZMax. 30*Max. 128Max. 5001.25 GbpsSupportedYes
Generation2VpnGw3AZMax. 30*Max. 128Max. 10002.5 GbpsSupportedYes
Generation2VpnGw4AZMax. 30*Max. 128Max. 50005 GbpsSupportedYes
Generation2VpnGw5AZMax. 30*Max. 128Max. 1000010 GbpsSupportedYes

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • The resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • On a single tunnel a maximum of 1 Gbps throughput can be achieved. Aggregate Throughput Benchmark in the above table is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. If you have a lot of P2S connections, it can negatively impact a S2S connection due to throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.

To help our customers understand the relative performance of SKUs using different algorithms, we used publicly available iPerf and CTSTraffic tools to measure performances. The table below lists the results of performance tests for Generation 1, VpnGw SKUs. As you can see, the best performance is obtained when we used GCMAES256 algorithm for both IPsec Encryption and Integrity. We got average performance when using AES256 for IPsec Encryption and SHA256 for Integrity. When we used DES3 for IPsec Encryption and SHA256 for Integrity we got lowest performance.

GenerationSKUAlgorithms
used
Throughput
observed
Packets per second
observed
Generation1VpnGw1GCMAES256
AES256 & SHA256
DES3 & SHA256
650 Mbps
500 Mbps
120 Mbps
58,000
50,000
50,000
Generation1VpnGw2GCMAES256
AES256 & SHA256
DES3 & SHA256
1 Gbps
500 Mbps
120 Mbps
90,000
80,000
55,000
Generation1VpnGw3GCMAES256
AES256 & SHA256
DES3 & SHA256
1.25 Gbps
550 Mbps
120 Mbps
105,000
90,000
60,000
Generation1VpnGw1AZGCMAES256
AES256 & SHA256
DES3 & SHA256
650 Mbps
500 Mbps
120 Mbps
58,000
50,000
50,000
Generation1VpnGw2AZGCMAES256
AES256 & SHA256
DES3 & SHA256
1 Gbps
500 Mbps
120 Mbps
90,000
80,000
55,000
Generation1VpnGw3AZGCMAES256
AES256 & SHA256
DES3 & SHA256
1.25 Gbps
550 Mbps
120 Mbps
105,000
90,000
60,000
  • For Gateway SKU recommendations, see About VPN Gateway settings.

Note

The Basic SKU does not support IKEv2 or RADIUS authentication.

What IKE/IPsec policies are configured on VPN gateways for P2S?

IKEv2

CipherIntegrityPRFDH Group
GCM_AES256GCM_AES256SHA384GROUP_24
GCM_AES256GCM_AES256SHA384GROUP_14
GCM_AES256GCM_AES256SHA384GROUP_ECP384
GCM_AES256GCM_AES256SHA384GROUP_ECP256
GCM_AES256GCM_AES256SHA256GROUP_24
GCM_AES256GCM_AES256SHA256GROUP_14
GCM_AES256GCM_AES256SHA256GROUP_ECP384
GCM_AES256GCM_AES256SHA256GROUP_ECP256
AES256SHA384SHA384GROUP_24
AES256SHA384SHA384GROUP_14
AES256SHA384SHA384GROUP_ECP384
AES256SHA384SHA384GROUP_ECP256
AES256SHA256SHA256GROUP_24
AES256SHA256SHA256GROUP_14
AES256SHA256SHA256GROUP_ECP384
AES256SHA256SHA256GROUP_ECP256
AES256SHA256SHA256GROUP_2

IPsec

CipherIntegrityPFS Group
GCM_AES256GCM_AES256GROUP_NONE
GCM_AES256GCM_AES256GROUP_24
GCM_AES256GCM_AES256GROUP_14
GCM_AES256GCM_AES256GROUP_ECP384
GCM_AES256GCM_AES256GROUP_ECP256
AES256SHA256GROUP_NONE
AES256SHA256GROUP_24
AES256SHA256GROUP_14
AES256SHA256GROUP_ECP384
AES256SHA256GROUP_ECP256
AES256SHA1GROUP_NONE

What TLS policies are configured on VPN gateways for P2S?

TLS

Policies
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

How do I configure a P2S connection?

A P2S configuration requires quite a few specific steps. The following articles contain the steps to walk you through P2S configuration, and links to configure the VPN client devices:

To remove the configuration of a P2S connection

For steps, see the FAQ, below.

FAQ for native Azure certificate authentication

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPNGateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Algorithm)
  • 3DES (Triple Data Encryption Algorithm)
  • MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry key if you are running an older version of Windows 10 (10240).

Can I traverse proxies and firewalls using Point-to-Site capability?

Azure supports three types of Point-to-site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • OpenVPN. OpenVPN is a SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50. Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual network gateways at the same time?

Depending on the VPN Client software used, you may be able to connect to multiple Virtual Network Gateways provided the virtual networks being connected to do not have conflicting address spaces between them or the network from with the client is connecting from. While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

Yes, Point-to-Site connections to a Virtual Network Gateway deployed in a VNet that is peered with other VNets may have access to other peered VNets. Provided the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features, the Point-to-Site client will be able to connect to those peered VNets. For more information please reference this article.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN® Protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

    OS versionDateNumber/Link
    Windows Server 2016
    Windows 10 Version 1607
    January 17, 2018KB4057142
    Windows 10 Version 1703January 17, 2018KB4057144
    Windows 10 Version 1709March 22, 2018KB4089848
  2. Set the registry key value. Create or set “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRasMan IKEv2DisableCertReqPayload” REG_DWORD key in the registry to 1.

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using Powershell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following commands:

Azure PowerShell

Azure CLI

What should I do if I'm getting a certificate mismatch when connecting using certificate authentication?

Uncheck 'Verify the server's identity by validating the certificate' or add the server FQDN along with the certificate when creating a profile manually. You can do this by running rasphone from a command prompt and picking the profile from the drop-down list.

Bypassing server identity validation is not recommended in general, but with Azure certificate authentication, the same certificate is being used for server validation in the VPN tunneling protocol (IKEv2/SSTP) and the EAP protocol. Since the server certificate and FQDN is already validated by the VPN tunneling protocol, it is redundant to validate the same again in EAP.

Can I use my own internal PKI root CA to generate certificates for Point-to-Site connectivity?

Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.

Can I use certificates from Azure Key Vault?

No.

What tools can I use to create certificates?

You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.

Are there instructions for certificate settings and parameters?

  • Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

  • Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: See the MakeCert article for steps.

  • OpenSSL:

    • When exporting certificates, be sure to convert the root certificate to Base64.

    • For the client certificate:

      • When creating the private key, specify the length as 4096.
      • When creating the certificate, for the -extensions parameter, specify usr_cert.

FAQ for RADIUS authentication

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

Microsoft Document Connection For Mac Os X

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (StrongSwan)
  • iOS

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPNGateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Algorithm)
  • 3DES (Triple Data Encryption Algorithm)
  • MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry key if you are running an older version of Windows 10 (10240).

Can I traverse proxies and firewalls using Point-to-Site capability?

Azure supports three types of Point-to-site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • OpenVPN. OpenVPN is a SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50. Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual network gateways at the same time?

Depending on the VPN Client software used, you may be able to connect to multiple Virtual Network Gateways provided the virtual networks being connected to do not have conflicting address spaces between them or the network from with the client is connecting from. While the Azure VPN Client supports many VPN connections, only one connection can be Connected at any given time.

Microsoft has made the Silverlight for macOS browser plug-in freely available for all supported platforms and browsers. Download, Install or Update Silverlight for Mac! Features and Highlights IIS Smooth Streaming IIS Smooth Streaming enables you to deliver high definition streams that play back smoothly on any device running this tool. Microsoft silverlight plugin for mac os x mac. Oct 12, 2016  Silverlight offers a flexible programming model that supports AJAX, VB, C#, Python, and Ruby, and integrates with existing Web applications. Silverlight supports fast, cost-effective delivery of high-quality video to all major browsers running on the OS X or Windows.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

Yes, Point-to-Site connections to a Virtual Network Gateway deployed in a VNet that is peered with other VNets may have access to other peered VNets. Provided the peered VNets are using the UseRemoteGateway / AllowGatewayTransit features, the Point-to-Site client will be able to connect to those peered VNets. For more information please reference this article.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. However, you can use the OpenVPN client on all platforms to connect over OpenVPN protocol. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP or OpenVPN® Protocol.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

    OS versionDateNumber/Link
    Windows Server 2016
    Windows 10 Version 1607
    January 17, 2018KB4057142
    Windows 10 Version 1703January 17, 2018KB4057144
    Windows 10 Version 1709March 22, 2018KB4089848
  2. Set the registry key value. Create or set “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesRasMan IKEv2DisableCertReqPayload” REG_DWORD key in the registry to 1.

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. MacOSX will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using Powershell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

How do I remove the configuration of a P2S connection?

A P2S configuration can be removed using Azure CLI and PowerShell using the following commands:

Azure PowerShell

Azure CLI

Is RADIUS authentication supported on all Azure VPN Gateway SKUs?

RADIUS authentication is supported for VpnGw1, VpnGw2, and VpnGw3 SKUs. If you are using legacy SKUs, RADIUS authentication is supported on Standard and High Performance SKUs. It is not supported on the Basic Gateway SKU.

Is RADIUS authentication supported for the classic deployment model?

No. RADIUS authentication is not supported for the classic deployment model.

Are 3rd-party RADIUS servers supported?

Yes, 3rd-party RADIUS servers are supported.

What are the connectivity requirements to ensure that the Azure gateway is able to reach an on-premises RADIUS server?

A VPN Site-to-Site connection to the on-premises site, with the proper routes configured, is required.

Can traffic to an on-premises RADIUS server (from the Azure VPN gateway) be routed over an ExpressRoute connection?

No. It can only be routed over a Site-to-Site connection.

Is there a change in the number of SSTP connections supported with RADIUS authentication? What is the maximum number of SSTP and IKEv2 connections supported?

There is no change in the maximum number of SSTP connections supported on a gateway with RADIUS authentication. It remains 128 for SSTP, but depends on the gateway SKU for IKEv2. For more information on the number of connections supported, see Gateway SKUs.

What is the difference between doing certificate authentication using a RADIUS server vs. using Azure native certificate authentication (by uploading a trusted certificate to Azure).

In RADIUS certificate authentication, the authentication request is forwarded to a RADIUS server that handles the actual certificate validation. This option is useful if you want to integrate with a certificate authentication infrastructure that you already have through RADIUS.

When using Azure for certificate authentication, the Azure VPN gateway performs the validation of the certificate. You need to upload your certificate public key to the gateway. You can also specify list of revoked certificates that shouldn’t be allowed to connect.

Does RADIUS authentication work with both IKEv2, and SSTP VPN?

Yes, RADIUS authentication is supported for both IKEv2, and SSTP VPN.

Does RADIUS authentication work with the OpenVPN client?

RADIUS authentication is supported for the OpenVPN protocol only through PowerShell.

Next Steps

'OpenVPN' is a trademark of OpenVPN Inc.

-->

Windows Virtual Desktop is a desktop and app virtualization service that runs on the cloud.

Here's what you can do when you run Windows Virtual Desktop on Azure:

  • Set up a multi-session Windows 10 deployment that delivers a full Windows 10 with scalability
  • Virtualize Office 365 ProPlus and optimize it to run in multi-user virtual scenarios
  • Provide Windows 7 virtual desktops with free Extended Security Updates
  • Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer
  • Virtualize both desktops and apps
  • Manage Windows 10, Windows Server, and Windows 7 desktops and apps with a unified management experience

Introductory video

Learn about Windows Virtual Desktop, why it's unique, and what's new in this video:


For more videos about Windows Virtual Desktop, see our playlist.

Key capabilities

With Windows Virtual Desktop, you can set up a scalable and flexible environment:

  • Create a full desktop virtualization environment in your Azure subscription without having to run any additional gateway servers.
  • Publish as many host pools as you need to accommodate your diverse workloads.
  • Bring your own image for production workloads or test from the Azure Gallery.
  • Reduce costs with pooled, multi-session resources. With the new Windows 10 Enterprise multi-session capability exclusive to Windows Virtual Desktop and Remote Desktop Session Host (RDSH) role on Windows Server, you can greatly reduce the number of virtual machines and operating system (OS) overhead while still providing the same resources to your users.
  • Provide individual ownership through personal (persistent) desktops.

You can deploy and manage virtual desktops:

  • Use the Windows Virtual Desktop PowerShell and REST interfaces to configure the host pools, create app groups, assign users, and publish resources.
  • Publish full desktop or individual remote apps from a single host pool, create individual app groups for different sets of users, or even assign users to multiple app groups to reduce the number of images.
  • As you manage your environment, use built-in delegated access to assign roles and collect diagnostics to understand various configuration or user errors.
  • Use the new Diagnostics service to troubleshoot errors.
  • Only manage the image and virtual machines, not the infrastructure. You don't need to personally manage the Remote Desktop roles like you do with Remote Desktop Services, just the virtual machines in your Azure subscription.

You can also assign and connect users to your virtual desktops:

  • Once assigned, users can launch any Windows Virtual Desktop client to connect users to their published Windows desktops and applications. Connect from any device through either a native application on your device or the Windows Virtual Desktop HTML5 web client.
  • Securely establish users through reverse connections to the service, so you never have to leave any inbound ports open.

Requirements

There are a few things you need to set up Windows Virtual Desktop and successfully connect your users to their Windows desktops and applications.

Microsoft Document Connection For Mac Os 2

We plan to add support for the following OSes, so make sure you have the appropriate licenses for your users based on the desktop and apps you plan to deploy:

OSRequired license
Windows 10 Enterprise multi-session or Windows 10 EnterpriseMicrosoft 365 E3, E5, A3, A5, F1, Business
Windows E3, E5, A3, A5
Windows 7 EnterpriseMicrosoft 365 E3, E5, A3, A5, F1, Business
Windows E3, E5, A3, A5
Windows Server 2012 R2, 2016, 2019RDS Client Access License (CAL) with Software Assurance

Your infrastructure needs the following things to support Windows Virtual Desktop:

  • An Azure Active Directory
  • A Windows Server Active Directory in sync with Azure Active Directory. You can configure this with one of the following:
    • Azure AD Connect (for hybrid organizations)
    • Azure AD Domain Services (for hybrid or cloud organizations)
  • An Azure subscription that contains a virtual network that either contains or is connected to the Windows Server Active Directory

Microsoft Document Connection For Mac Os X

The Azure virtual machines you create for Windows Virtual Desktop must be:

  • Standard domain-joined or Hybrid AD-joined. Virtual machines can't be Azure AD-joined.
  • Running one of the following supported OS images.

Note

If you need an Azure subscription, you can sign up for a one-month free trial. If you're using the free trial version of Azure, you should use Azure AD Domain Services to keep your Windows Server Active Directory in sync with Azure Active Directory.

The Azure virtual machines you create for Windows Virtual Desktop must have access to the following URLs:

AddressOutbound TCP portPurposeService Tag
*.wvd.microsoft.com443Service trafficWindowsVirtualDesktop
mrsglobalsteus2prod.blob.core.windows.net443Agent and SXS stack updatesAzureCloud
*.core.windows.net443Agent trafficAzureCloud
*.servicebus.windows.net443Agent trafficAzureCloud
prod.warmpath.msftcloudes.com443Agent trafficAzureCloud
catalogartifact.azureedge.net443Azure MarketplaceAzureCloud
kms.core.windows.net1688Windows activationInternet

Important

Opening these URLs is essential for a reliable Windows Virtual Desktop deployment. Blocking access to these URLs is unsupported and will affect service functionality. These URLs only correspond to Windows Virtual Desktop sites and resources, and don't include URLs for other services like Azure Active Directory.

The following table lists optional URLs that your Azure virtual machines can have access to:

AddressOutbound TCP portPurposeService Tag
*.microsoftonline.com443Authentication to MS Online ServicesNone
*.events.data.microsoft.com443Telemetry ServiceNone
www.msftconnecttest.com443Detects if the OS is connected to the internetNone
*.prod.do.dsp.mp.microsoft.com443Windows UpdateNone
login.windows.net443Login to MS Online Services, Office 365None
*.sfx.ms443Updates for OneDrive client softwareNone
*.digicert.com443Certificate revocation checkNone

Note

Windows Virtual Desktop currently doesn't have a list of IP address ranges that you can whitelist to allow network traffic. We only support whitelisting specific URLs at this time.

Qq mail sign up. For a list of Office-related URLs, including required Azure Active Directory-related URLs, see Office 365 URLs and IP address ranges.

You must use the wildcard character (*) for URLs involving service traffic. If you prefer to not use * for agent-related traffic, here's how to find the URLs without wildcards:

  1. Register your virtual machines to the Windows Virtual Desktop host pool.
  2. Open Event viewer and navigate to Windows logs > Application > WVD-Agent and look for Event ID 3702.
  3. Whitelist the URLs that you find under Event ID 3702. The URLs under Event ID 3702 are region-specific. You'll need to repeat the whitelisting process with the relevant URLs for each region you want to deploy your virtual machines in.

Windows Virtual Desktop comprises the Windows desktops and apps you deliver to users and the management solution, which is hosted as a service on Azure by Microsoft. Desktops and apps can be deployed on virtual machines (VMs) in any Azure region, and the management solution and data for these VMs will reside in the United States. This may result in data transfer to the United States.

For optimal performance, make sure your network meets the following requirements:

  • Round-trip (RTT) latency from the client's network to the Azure region where host pools have been deployed should be less than 150 ms.
  • Network traffic may flow outside country/region borders when VMs that host desktops and apps connect to the management service.
  • To optimize for network performance, we recommend that the session host's VMs are collocated in the same Azure region as the management service.

Supported Remote Desktop clients

The following Remote Desktop clients support Windows Virtual Desktop:

Important

Windows Virtual Desktop doesn't support the RemoteApp and Desktop Connections (RADC) client or the Remote Desktop Connection (MSTSC) client.

Important

Windows Virtual Desktop doesn't currently support the Remote Desktop client from the Windows Store. Support for this client will be added in a future release.

The Remote Desktop clients must have access to the following URLs:

Microsoft Document Connection For Mac Os 1

AddressOutbound TCP portPurposeClient(s)
*.wvd.microsoft.com443Service trafficAll
*.servicebus.windows.net443Troubleshooting dataAll
go.microsoft.com443Microsoft FWLinksAll
aka.ms443Microsoft URL shortenerAll
docs.microsoft.com443DocumentationAll
privacy.microsoft.com443Privacy statementAll
query.prod.cms.rt.microsoft.com443Client updatesWindows Desktop

Important

Opening these URLs is essential for a reliable client experience. Blocking access to these URLs is unsupported and will affect service functionality. These URLs only correspond to the client sites and resources, and don't include URLs for other services like Azure Active Directory.

Supported virtual machine OS images

Windows Virtual Desktop supports the following x64 operating system images:

  • Windows 10 Enterprise multi-session, version 1809 or later
  • Windows 10 Enterprise, version 1809 or later
  • Windows 7 Enterprise
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2

Windows Virtual Desktop does not support x86 (32-bit), Windows 10 Enterprise N, or Windows 10 Enterprise KN operating system images. Windows 7 also doesn't support any VHD or VHDX-based profile solutions hosted on managed Azure Storage due to a sector size limitation.

Available automation and deployment options depend on which OS and version you choose, as shown in the following table:

Operating systemAzure Image GalleryManual VM deploymentAzure Resource Manager template integrationProvision host pools on Azure MarketplaceWindows Virtual Desktop Agent updates
Windows 10 multi-session, version 1903YesYesYesYesAutomatic
Windows 10 multi-session, version 1809YesYesNoNoAutomatic
Windows 10 Enterprise, version 1903YesYesYesYesAutomatic
Windows 10 Enterprise, version 1809YesYesNoNoAutomatic
Windows 7 EnterpriseYesYesNoNoManual
Windows Server 2019YesYesNoNoAutomatic
Windows Server 2016YesYesYesYesAutomatic
Windows Server 2012 R2YesYesNoNoAutomatic

Next steps

Microsoft Document Connection Mac Os X

To get started, you'll need to create a tenant. To learn more about how to create a tenant, continue to the tenant creation tutorial.