Merge pull request #294283 from cherylmc/certificate-azure-vpn

JillGrant615 · web-flow · commit 07b178238e10 · 2025-02-07T14:13:59.000-07:00
Azure VPN Client - windows certificate
diff --git a/articles/virtual-wan/vpn-client-certificate-windows.md b/articles/virtual-wan/vpn-client-certificate-windows.md
@@ -1,84 +1,66 @@
 ---
-title: 'User VPN client configuration: certificate authentication - Windows'
+title: 'Configure User VPN clients: certificate authentication: Azure VPN client: Windows'
 titleSuffix: Azure Virtual WAN
-description: Learn how to configure VPN clients on Windows computers for User VPN connections that use certificate authentication.
+description: Learn how to configure the Azure VPN Client on a Windows operating system for P2S configurations that use certificate authentication.
 author: cherylmc
 ms.service: azure-virtual-wan
 ms.topic: how-to
-ms.date: 02/04/2025
+ms.date: 02/07/2025
 ms.author: cherylmc
 ---
 
-# User VPN (P2S) client configuration - certificate authentication - Windows
+# Configure Azure VPN Client for User VPN P2S certificate authentication connections - Windows
 
-This article helps you configure Virtual WAN User VPN clients on a Windows operating system for P2S configurations that use certificate authentication. When you connect to Virtual WAN using User VPN (P2S) and certificate authentication, you can use the VPN client that is natively installed on the operating system from which you’re connecting. If you use the tunnel type OpenVPN, you also have the additional options of using the Azure VPN Client or OpenVPN client software. All of the necessary configuration settings for the VPN clients are contained in a VPN client configuration zip file. The settings in the zip file help you easily configure VPN clients.
-
-The VPN client configuration files that you generate are specific to the P2S User VPN gateway configuration. If there are any changes to the P2S VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client configuration files and apply the new configuration to all of the VPN clients that you want to connect.
+If your User VPN point-to-site (P2S) VPN gateway is configured to use OpenVPN and certificate authentication, you can connect to your virtual network using the Azure VPN Client. This article walks you through the steps to configure the **Azure VPN Client** and connect to your virtual network.
 
 This article applies to Windows operating system clients. For more information about other VPN client configuration articles, see the following table:
 
-[!INCLUDE [P2S client configuration articles](../../includes/virtual-wan-vpn-client-install-articles.md)]
-
-## <a name="generate"></a>Before you begin
-
-Before beginning, make sure you've configured a virtual WAN according to the steps in the [Create User VPN point-to-site connections](virtual-wan-point-to-site-portal.md) article. Your User VPN configuration must use certificate authentication.
-
-## <a name="certificates"></a>1. Install client certificates
+## Before you begin
 
-When your User VPN configuration settings are configured for certificate authentication, in order to authenticate, a client certificate must be installed on each connecting client computer. Later in this article, you specify the client certificate(s) that you install in this section. The client certificate that you install must have been exported with its private key, and must contain all certificates in the certification path.
-
-* For steps to generate a client certificate, see [Generate and export certificates](certificates-point-to-site.md#clientcert).
-
-* For steps to install a client certificate see [Install client certificates](install-client-certificates.md).
+Before beginning client configuration steps, verify that you're on the correct VPN client configuration article. The following table shows the configuration articles available for Virtual WAN point-to-site VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS.
 
-* To view an installed client certificate, open **Manage User Certificates**. The client certificate is installed in **Current User\Personal\Certificates**.
-
-## <a name="generate"></a>2. Generate VPN client profile configuration files
-
-The files contained in the profile configuration package are used to configure the VPN client and are specific to the User VPN configuration. You can generate VPN client profile configuration files using PowerShell, or by using the Azure portal. Either method returns the same zip file.
-
-After you configure the Azure VPN Client, if you later update or change the User VPN configuration (change tunnel type, add or remove/revoke certificates, etc.), you must generate a new VPN client profile configuration package and use it to reconfigure connecting Azure VPN clients.
+[!INCLUDE [P2S client configuration articles](../../includes/virtual-wan-vpn-client-install-articles.md)]
 
-To generate a VPN client profile configuration package, see [Generate VPN client configuration files](virtual-wan-point-to-site-portal.md#p2sconfig).
+### Prerequisites
 
-After you generate the client profile configuration package, use the instructions below that correspond to your User VPN configuration.
+This article assumes that you've already performed the following prerequisites:
 
-* [IKEv2 and SSTP - native VPN client steps](#native)
-* [OpenVPN - Azure VPN Client steps](#vpn-client)
-* [OpenVPN - OpenVPN Client steps](howto-openvpn-clients.md)
+* You configured a virtual WAN according to the steps in the [Create User VPN point-to-site connections](virtual-wan-point-to-site-portal.md) article. Your User VPN configuration must use certificate authentication and the OpenVPN tunnel type.
+* You generated and downloaded the VPN client configuration files. For steps to generate a VPN client profile configuration package, see [Generate VPN client configuration files](virtual-wan-point-to-site-portal.md#download).
+* You can either generate client certificates, or acquire the appropriate client certificates necessary for authentication.
 
-## <a name="native"></a>IKEv2 and SSTP - native VPN client
+### Workflow
 
-If you specified the IKEv2 VPN tunnel type for the User VPN configuration, you can connect using the Windows native VPN client already installed on your computer.
+The workflow for this article is as follows:
 
-1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.
+1. Generate and install client certificates if you haven't already done so.
+1. View the VPN client profile configuration files contained in the VPN client profile configuration package that you generated.
+1. Configure the Azure VPN Client.
+1. Connect to Azure.
 
-1. Double-click the package to install it. If you see a SmartScreen popup, select **More info**, then **Run anyway**.
+## <a name="certificates"></a>Install client certificates
 
-1. On the client computer, go to your VPN page and select the connection that you configured. Then, click **Connect**.
+When your User VPN configuration settings are configured for certificate authentication, in order to authenticate, a client certificate must be installed on each connecting client computer. Later in this article, you specify the client certificates that you install in this section. The client certificate that you install must have been exported with its private key, and must contain all certificates in the certification path.
 
-## <a name="vpn-client"></a>OpenVPN - Azure VPN Client
+* For steps to generate a client certificate, see [Generate and export certificates](certificates-point-to-site.md#clientcert).
 
-The following steps help you download, install, and configure the Azure VPN Client to connect. This section assumes that you have already installed required [client certificates](#certificates) locally on the client computer.
+* For steps to install a client certificate see [Install client certificates](install-client-certificates.md).
 
-> [!NOTE]
-> The Azure VPN Client is only supported for OpenVPN® protocol connections. If the VPN tunnel type is not OpenVPN, use the [native VPN client](#native) that is part of the Windows operating system.
->
+* To view an installed client certificate, open **Manage User Certificates**. The client certificate is installed in **Current User\Personal\Certificates**.
 
-### View client profile config files
+## <a name="generate"></a>View configuration files
 
-When you open the zip file, you'll see the **AzureVPN** folder. Locate the **azurevpnconfig.xml** file. This file contains the settings you use to configure the VPN client profile. If you don't see the file, verify the following items:
+The VPN client profile configuration package contains specific folders. The files within the folders contain the settings needed to configure the VPN client profile on the client computer. The files and the settings they contain are specific to the P2S VPN gateway and the type of authentication and tunnel your VPN gateway is configured to use.
 
-* Verify that your User VPN gateway is configured to use the OpenVPN tunnel type.
-* If you're using Microsoft Entra authentication, you may not have an AzureVPN folder. See the [Microsoft Entra ID](openvpn-azure-ad-client.md) configuration article instead.
+Locate and unzip the VPN client profile configuration package you generated. For Certificate authentication and OpenVPN, you'll see the **AzureVPN** folder. In this folder, you'll see either the **azurevpnconfig_cert.xml** file or the **azurevpnconfig.xml** file, depending on whether your P2S configuration includes multiple authentication types. The .xml file contains the settings you use to configure the VPN client profile.
 
-For more information about User VPN client profile files, see [Working with User VPN client profile files](about-vpn-profile-download.md).
+If you don't see either file, or you don't have an **AzureVPN** folder, verify that your VPN gateway is configured to use the OpenVPN tunnel type and that certificate authentication is selected.
 
 ### Download the Azure VPN Client
 
 [!INCLUDE [Download the Azure VPN client](../../includes/vpn-gateway-download-vpn-client.md)]
 
-### Configure the Azure VPN Client
+### Configure the Azure VPN Client profile
 
 [!INCLUDE [Configure the Azure VPN client](../../includes/vpn-gateway-vwan-configure-azure-vpn-client-certificate.md)]
 
