Azure Stack VPN for Mac OS X

Microsoft released the latest version of Azure Stack during the Ignite 2016 conference in Atlanta. The new version has a lot of great features. One thing that I was not able to find is how to establish a VPN session from Mac OS X to Azure Stack.

You may ask why we need it. One of the groups that will benefit the most from Azure Stack is developers, as it brings a lot of the services available in the Azure cloud to the enterprise on-premises environment. Developers with Windows or Mac OS X environments can now start testing against the latest TP2 version, connecting directly and using their own tools.

There is a very good PowerShell module that does all the steps on Windows, but it does not work on Mac OS X, so here are all the steps to gather the details.


Download Scripts to collect required information

Log in to your Azure Stack Hyper-V host with your administrator account. Ex: azurestack\administrator

Download the scripts. Ex:

Invoke-WebRequest -Uri https://github.com/carlosvargasvip/azurestackmacvpn/archive/master.zip -OutFile master.zip

Expand the downloaded file. Ex:

Expand-Archive master.zip

Gathering Certificates for Azure Stack

Azure Stack has its own internal certificate authority. All services and websites use SSL certificates, and you need to download the Root CA certificate to your Mac in order to access all the resources.

Execute the Get-AzureStackRootCACert.ps1 script to get the certificate

.\Get-AzureStackRootCAcert.ps1


Gather external IP from the MAS-BGPNAT VM

In order to establish a connection to your Azure Stack you need the external IP address of the MAS-BGPNAT VM hosted on your Hyper-V host.

.\Get-AzureStackNATIP.ps1


Transfer certificate and VPN IP output out

The certificate and VPN IP address are saved in the %userprofile%\downloads folder.


You need to copy them off the host. I will use my on-premises file sync and share service, HCP Anywhere, for this.


Install the Azure Stack Root CA certificate on Mac OS X

Now we need to install the Azure Stack Root CA certificate on Mac OS X. My files are automatically synchronized to my Mac by the HCP Anywhere client. You see two files: CA.cer is the root certificate, and natip.txt is the file with the IP address of the VPN server.

Double-click the CA.cer file.

Open your Keychain and you will see a new certificate with a red x. Double-click the certificate named AzureStackCertificationAuthority.

Because all the services use SSL certificates, Mac OS X needs to trust the Azure Stack Certificate Authority. Click the first option and switch it to Always Trust. Then click the close button (red dot).

Type your password


Now the Azure Stack Certification Authority is trusted.


Configure Static Routes for Azure Stack on Mac OS X

In order to access all the services on the internal Azure Stack network you need to add two static routes, which are applied when you connect with the VPN profile.

Create a new script in /etc/ppp/ip-up. Ex: sudo vi /etc/ppp/ip-up

https://gist.github.com/carlosvargasvip/8d02dc64f0a6647476886b5dc9001e81
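
One way to write this script, as an added example (not the author's gist, whose contents are not reproduced on this page): a single file that adds the routes when pppd calls it as ip-up and removes them when called as ip-down. The two subnets are placeholders from the RFC 5737 documentation ranges, and AZS_PEER is a hypothetical optional setting.

```shell
#!/bin/sh
# Added example, not the author's gist. Install as /etc/ppp/ip-up, owned by
# root with mode 0755, and symlink /etc/ppp/ip-down to the same file.
# pppd runs both as root with: $1=interface $2=tty $3=speed
# $4=local-IP $5=remote-IP $6=ipparam

# PLACEHOLDERS (RFC 5737 documentation ranges): replace with the two
# Azure Stack subnets your deployment uses.
AZS_ROUTES="192.0.2.0/24 198.51.100.0/24"
# Optional guard (hypothetical setting): act only when the PPP peer address
# in $5 equals this value, so other VPN profiles are left alone. Empty = any.
AZS_PEER=""

# Accept only a pppN interface name. The script runs as root, so no
# unchecked argument is ever handed to route(8).
valid_iface() {
    case "$1" in
        ppp[0-9]|ppp[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one macOS route(8) command per subnet. $1 = add|delete, $2 = interface.
route_cmds() {
    for net in $AZS_ROUTES; do
        echo "/sbin/route -n $1 -net $net -interface $2"
    done
}

# $1 = name we were called by, $2 = interface, $3 = PPP peer address.
main() {
    case "$1" in
        ip-up|*/ip-up)     action=add ;;
        ip-down|*/ip-down) action=delete ;;
        *) return 0 ;;   # sourced or run under another name: do nothing
    esac
    valid_iface "$2" || return 1
    [ -z "$AZS_PEER" ] || [ "$3" = "$AZS_PEER" ] || return 0
    # Word-splitting only, no eval: each line becomes one route invocation.
    route_cmds "$action" "$2" | while read -r cmd; do
        $cmd
    done
}

main "$0" "$1" "$5"
```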

Configure the VPN Connection on Mac OS X

Now we need to configure our new VPN connection to the Azure Stack MAS-BGPNAT01 VM.

Click your System Preferences


Click Network


Click the plus sign (+) in the lower left corner of the network screen


Select VPN in the Interface drop-down, L2TP over IPSec for VPN Type, and enter a name for your VPN connection.

Type the external IP of the BGPNAT VM in the Server Address field. (This is in the natip.txt file you copied before.) Account Name is administrator. Then click Authentication Settings.

Then type the Azure Stack administrator password in the Password field and Shared Secret and click OK.


Click the Advanced button for your VPN connection.


Click the DNS tab and add azurestack.local as a search domain for your VPN connection and click OK.


Click Connect.

Type your Azure Stack administrator password


Open your browser, go to https://portal.azurestack.local and log in with an account that has access to Azure Stack.

You are now connected to your Azure Stack environment.


8 thoughts on “Azure Stack VPN for Mac OS X”

  1. Thanks for this – provided the last couple of clues I needed to get VPN connectivity from OSX working for my Azure Stack TP2 environment. One quick correction (for me anyway) – the name of the script to add the required routes needs to be ‘/etc/ppp/ip-up’ and not ‘/etc/pp/if-up’ as in your document. Also, if you create a parallel ‘/etc/ppp/ip-down’ script you can automatically remove the routes when the VPN connection ends which keeps things a bit tidier.

  2. Hi,

    I work for a nonprofit and am contemplating migrating our on-prem file server to Azure. Our managed IT services consultant suggested a VM of Server 2016 that we can then VPN into from any Win 10 computer to access production files. The same consultant believes Mac users will have to use some sort of really expensive VPN client because Windows doesn’t have anything for Mac.

    I just wanted to make sure that your guide applies to an Azure file server vm as well as to an Azure developer stack. To me it seems to either be the same setup or very slight differences in config for my use case.

    • This is local access only. Have you ever considered using Office 365? You can get OneDrive and share files and keep them in the Azure Cloud, and there is a client that works with Windows and MacOSX.
      • We are currently using Office 365 including OneDrive for Business and Sharepoint online. I find the stability of the sync client very lacking. We run Server 2012 r2 with ext backups to local drives. The thinking, last month, was to get rid of on-prem and mimic it virtually in Azure.

        A month later, we’re sticking with Sharepoint, dropping OneDrive, and looking at backup services like StorageCraft while still keeping our local external drive backups which I rotate off-site.

        However, I think I would like to still try a vm of Server 2016 in Azure to replace my on-prem Server 2012.

        In your response, what client were you referring to other than using a web browser to access O365?
