Recently I was helping a customer set up an isolated test environment in Azure IaaS, which they wanted to access over a Point-to-Site VPN connection. Setting up the connection in Azure was just a case of following the published notes from Microsoft.
We however ran into problems when trying to install the client: the customer’s staff, although Domain administrators, didn’t have admin rights on the account they use to log in with, and they could not temporarily elevate their rights. With the Point-to-Site VPN a connection-specific client installation is prepared for Windows, but this requires local administrator rights to install (as per the Microsoft documentation); even choosing to run as another user won’t work, as the setup is placed in the profile of that run-as user.
The solution was to create the VPN connection manually; to do so we needed to know some key bits of information:
- VPN gateway IP/host
- VPN Type
- Remote networks
Fortunately, the VPN client download package that Microsoft provides includes configuration information that can be used by other operating systems; this is located in the VpnSettings.xml file. This file provides three of the pieces of information needed.
In the XML file we can see the VPN gateway address, the VPN type and the subnet used on the VNET; unfortunately the XML file doesn’t contain the client address pool information needed to configure the route. The client address pool can be found within the Virtual Network Gateway configuration section in the Azure portal, and the gateway will be the .1 host in the range (at least it was in my range).
With this information to hand it is then pretty straightforward to configure the VPN client. Right-click Network in the taskbar, open Network & Internet settings, select VPN and then Add a VPN connection:
- Select the VPN Provider as Windows (built-in)
- Enter a connection name – I’d recommend the name of the VNET
- Set Server name to the value from the <VpnServer></VpnServer> field in the XML file
- Set VPN type to Secure Socket Tunnelling Protocol (SSTP)
- Set Type of sign-in info to Certificate
Via Command Prompt add a static route for the VNET subnet, for example:
“Route add 10.224.0.0 mask 255.252.0.0 192.168.255.1”
The Microsoft VPN client enables split tunnelling; unfortunately that is not possible in the GUI of the VPN connection, but it can be set using the following PowerShell:
Set-VpnConnection “VPN Connection Name” -SplitTunneling $true
When you connect for the first time you’ll be prompted with a warning; accept it and connect.
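As an added example (not from the original post), the VpnClient-module equivalent of the route and split-tunnelling steps above, which also checks the connection created in the GUI against VpnSettings.xml before changing it. The settings path, the connection name "MyVNET" and the 10.224.0.0/14 prefix are assumptions; replace them with your own values.

```powershell
# Added example, not the original post's code. Assumes VpnSettings.xml was
# extracted to $SettingsPath, the connection $ConnectionName was already created
# in the Settings GUI as described above, and $VnetPrefix is the VNET subnet.
param(
    [string]$SettingsPath   = "$env:USERPROFILE\Downloads\VpnSettings.xml",
    [string]$ConnectionName = 'MyVNET',
    [string]$VnetPrefix     = '10.224.0.0/14'   # same as 10.224.0.0 mask 255.252.0.0
)

# 1. Read the gateway host name from VpnSettings.xml. The XPath matches the
#    <VpnServer> element wherever it sits, so the file's root element need not be known.
[xml]$settings = Get-Content -Path $SettingsPath -Raw
$vpnServer = $settings.SelectSingleNode('//VpnServer').InnerText
if (-not $vpnServer) { throw "No <VpnServer> element found in $SettingsPath" }

# 2. Check the GUI-created connection against the file before touching it.
$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
if ($conn.ServerAddress -ne $vpnServer) {
    throw "Connection '$ConnectionName' points at $($conn.ServerAddress), expected $vpnServer"
}
if ($conn.TunnelType -ne 'Sstp') {
    Write-Warning "Tunnel type is $($conn.TunnelType); the post uses SSTP"
}

# 3. Split tunnelling: only traffic for routes attached to the connection goes
#    through the VPN; everything else keeps using the local default gateway.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# 4. Attach the VNET route to the connection instead of a one-off 'route add'.
#    The client installs it each time the tunnel comes up, so the .1 gateway of
#    the client address pool does not have to be looked up in advance.
$existing = Get-VpnConnectionRoute -ConnectionName $ConnectionName |
    Where-Object DestinationPrefix -eq $VnetPrefix
if (-not $existing) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $VnetPrefix
}

# 5. Show the result. After connecting (GUI or 'rasdial'), Get-NetRoute should
#    list $VnetPrefix via the VPN interface and nothing else should have moved.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling, ConnectionStatus
Get-VpnConnectionRoute -ConnectionName $ConnectionName |
    Select-Object DestinationPrefix, RouteMetric
```

Unlike a plain route add, a route attached with Add-VpnConnectionRoute is stored with the connection, so it survives reboots and is only present while the tunnel is up.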