Windows Azure Point-to-Site Networking

If you are having trouble with the point-to-site VPN configuration in Windows Azure, here are some tips about the procedure:

  • Follow the procedure located at for creating the virtual network and the gateway.
  • When configuring the certificates for the VPN connection, first create the self-signed root certificate with the following command:  

    makecert -sky exchange -r -n "CN=RootCertificateName" –pe -a sha1 -len 2048 -ss My

  • The above command creates a self-signed root certificate and stores it in your certificate store (Certificates – Current User\Personal\Certificates). Next, export that certificate to a .cer file and upload it to Azure from the dashboard of the virtual network using the Upload client certificate link (the name of that link will probably be changed in the future Smile) I also stored the root certificate in my Trusted Roots.
  • Now create a client certificate with the self-signed root certificate as the issuer. The command I used is different from the one in the documentation because it did not work for me. I used:

    makecert -n "CN=ClientCertificateName" -pe -sky exchange -m 96 -ss
    my -a sha1 -is my -in "RootCertificateName"

  • The above command creates the client certificate in the same store as the root certificate and uses the root certificate previously generated as the issuer. Be sure to check that the issuer is the root certificate you uploaded to Azure.

In the dashboard of the virtual network, download the x64 or x86 client VPN package and install it. There will be an extra network connection that uses SSTP to connect to your Azure gateway:



In Azure the dashboard should show connected clients:


7 thoughts on “Windows Azure Point-to-Site Networking”

  1. Hi,
    I experienced some issues with the point-to-site VPN configuration in Windows Azure too… The connection does not work beacause of an error concerning the certificates.
    When you write that the command for creating the client certificate didn’t work for you, do you mean the certificate wasn’t created or it was but the connection didn’t work as expected ?

    1. The original command from the documentation created the client certificate but did not use the root certificate as the issuer (it also threw an error but I don’t remember what it said exactly). Naturally, the VPN connection then failed because the client cert was not “issued” by the uploaded root cert. By using the command in the blog post, the client cert used the created root cert properly which made the connection work. I used makecert on Windows 8 (from my Visual Studio 2012 install).

      1. Thanks for your answer…
        Unfortunately, nothing works for me: neither the command from the MSDN documentation nor the one you give in the blog post. The client certificate is well issued by the root cert but the connection always fails with error 0x800b0109. After a Google search, I also tried to import the cert into localhost certificates. No result…
        I used makecert from VS 2012 on Windows Seven. I have no other idea but trying on Windows 8.

  2. Hi

    Nice post – got everything up and running!

    An additional question; since this is to replace the Azure Enpoint Connect, have you given it any thought how it would be possible to initate the connection at startup?



  3. Yes, strange.
    It works perfectly… on another computer ! So the problem comes from my system (Windows 7 integrale edition) on my laptop and I can’t figure it out.
    I’m going to reinstal my OS 😉
    Thanks for your post and your help.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: