Merge pull request #246888 from cherylmc/vwanmulti

JamesJBarnett · web-flow · commit e214547f45ee · 2023-07-31T15:40:35.000-07:00
format article
diff --git a/articles/virtual-wan/user-groups-about.md b/articles/virtual-wan/user-groups-about.md
@@ -5,7 +5,7 @@ description: Learn about using user groups to assign IP addresses from specific
 author: cherylmc
 ms.service: virtual-wan
 ms.topic: conceptual
-ms.date: 05/29/2023
+ms.date: 07/31/2023
 ms.author: cherylmc
 
 ---
@@ -25,79 +25,7 @@ This article covers the following concepts:
 * Configuration requirements and limitations
 * Use cases
 
-## Server configuration concepts
-
-The following sections explain the common terms and values used for server configuration.
-
-### User Groups (policy groups)
-
-A **User Group** or policy group is a logical representation of a group of users that should be assigned IP addresses from the same address pool.
-
-### Group members (policy members)
-
-User groups consist of members. Members don't correspond to individual users but rather define the criteria used to determine which group a connecting user is a part of. A single group can have multiple members. If a connecting user matches the criteria specified for one of the group's members, the user is considered to be part of that group and can be assigned an appropriate IP address.
-The types of member parameters that are available depend on the authentication methods specified in the VPN server configuration. For a full list of available criteria, see the [Available group settings](#available-group-settings) section of this article.
-
-### Default user/policy group
-
-For every P2S VPN server configuration, one group must be selected as default. Users who present credentials that don't match any group settings are considered to be part of the default group. Once a group is created, the default setting of that group can't be changed.
-
-### Group priority
-
-Each group is also assigned a numerical priority. Groups with lower priority are evaluated first. This means that if a user presents credentials that match the settings of multiple groups, they're considered part of the group with the lowest priority. For example, if user A presents a credential that corresponds to the IT Group (priority 3) and Finance Group (priority 4), user A is considered part of the IT Group for purposes of assigning IP addresses.
-
-### Available group settings
-
-The following section describes the different parameters that can be used to define which groups members are a part of. The available parameters vary based on selected authentication methods.
-The following table summarizes the available setting types and acceptable values. For more detailed information on each type of Member Value, view the section corresponding to your authentication type.
-
-|Authentication type|Member type |Member values|Example member value|
-|---|---|---|---|
-Azure Active Directory|AADGroupID|Azure Active Directory Group Object ID	|0cf484f2-238e-440b-8c73-7bf232b248dc|
-|RADIUS|AzureRADIUSGroupID|Vendor-specific Attribute Value (hexadecimal) (must begin with 6ad1bd)|6ad1bd23|
-|Certificate|AzureCertificateID|Certificate Common Name domain name (CN=user@red.com)|red|
-
-#### Azure Active Directory authentication (OpenVPN only)
-
-Gateways using Azure Active Directory authentication can use **Azure Active Directory Group Object IDs** to determine which user group a user belongs to. If a user is part of multiple Azure Active Directory groups, they're considered to be part of the Virtual WAN user group that has the lowest numerical priority.
-
-However, if you plan to have users who are external (users who aren't part of the Azure Active Directory domain configured on the VPN gateway) connect to the Virtual WAN Point-to-site VPN gateway, make sure that the user type of the external user is "Member" and **not** "Guest". Also, make sure that the "Name" of the user is set to the user's email address. If the user type and name of the connecting user isn't set correctly as described above or you can't set an external member to be a "Member" of your Azure Active Directory domain, that connecting user will be assigned to the default group and assigned an IP from the default IP address pool.   
-
-You can also identify whether or not a user is external by looking at the user's "User Principal Name." External users have **#EXT** in their "User Principal Name."
-
-:::image type="content" source="./media/user-groups-about/groups.png" alt-text="Screenshot of an Azure Active Directory group." lightbox="./media/user-groups-about/groups.png":::
-
-#### Azure Certificate (OpenVPN and IKEv2)
-
-Gateways that use Certificate-based authentication use the **domain name** of user certificate Common Names (CN) to determine which group a connecting user is in. Common Names must be in one of the following formats:
-
-* domain/username
-* username@domain.com
-
-Make sure that the **domain** is the input as a group member.
-
-#### RADIUS server (OpenVPN and IKEv2)
-
-Gateways that use RADIUS-based authentication use a new **Vendor-Specific Attribute (VSA)** to determine VPN user groups.
-When RADIUS-based authentication is configured on the P2S gateway, the gateway serves as a Network Policy Server (NPS) proxy. This means that the P2S VPN gateway serves as a client to authenticate users with your RADIUS server using the RADIUS protocol.
-
-After your RADIUS server has successfully verified the user's credentials, the RADIUS server can be configured to send a new Vendor-Specific Attribute (VSA) as part of Access-Accept packets. The P2S VPN gateway processes the VSA in the Access-Accept packets and assigns specific IP addresses to users based on the value of the VSAs.
-
-Therefore, RADIUS servers should be configured to send a VSA with the same value for all users that are part of the same group.
-
->[!NOTE]
-> The value of the VSA must be an octet hexadecimal string on the RADIUS server and the Azure. This octet string must begin with **6ad1bd**. The last two hexadecimal digits may be configured freely. For example, 6ad1bd98 is valid but 6ad12323 and 6a1bd2 would not be valid.
->
-
-The new VSA is **MS-Azure-Policy-ID**.
-
-The MS-Azure-Policy-ID VSA is used by the RADIUS server to send an identifier that is used by P2S VPN server to match an authenticated RADIUS user policy configured on Azure side. This policy is used to select the IP/ Routing configuration (assigned IP address) for the user.
-
-The fields of MS-Azure-Policy-ID MUST be set as follows:
-
-* **Vendor-Type:** An 8-bit unsigned integer that MUST be set to 0x41 (integer: 65).
-* **Vendor-Length:** An 8-bit unsigned integer that MUST be set to the length of the octet string in the Attribute-Specific Value plus 2.
-* **Attribute-Specific Value:** An octet string containing Policy ID configured on Azure Point to Site VPN server.
+[!INCLUDE [User groups configuration all](../../includes/virtual-wan-user-groups.md)]
 
 For configuration information, see [RADIUS - configure NPS for vendor-specific attributes](user-groups-radius.md).
 
@@ -134,9 +62,13 @@ This section lists configuration requirements and limitations for user groups an
 
 [!INCLUDE [User groups configuration considerations](../../includes/virtual-wan-user-groups-considerations.md)]
 
+* Address pools can't overlap with address pools used in other connection configurations (same or different gateways) in the same virtual WAN.
+
+* Address pools also can't overlap with virtual network address spaces, virtual hub address spaces, or on-premises addresses.
+
 ## Use cases
 
-Contoso corporation is composed of multiple functional departments, such as Finance, Human Resources and Engineering. Contoso uses Virtual WAN to allow remote workers (users) to connect to Azure Virtual WAN and access resources hosted on-premises or in a Virtual Network connected to the Virtual WAN hub.
+Contoso corporation is composed of multiple functional departments, such as Finance, Human Resources and Engineering. Contoso uses Azure Virtual WAN to allow remote workers (users) to connect to the virtual WAN and access resources hosted on-premises or in a virtual network connected to the virtual WAN hub.
 
 However, Contoso has internal security policies where users from the Finance department can only access certain databases and virtual machines, and users from Human Resources have access to other sensitive applications.
 
diff --git a/articles/virtual-wan/user-groups-create.md b/articles/virtual-wan/user-groups-create.md
@@ -5,7 +5,7 @@ description: Learn how to configure user groups and assign IP addresses from spe
 author: cherylmc
 ms.service: virtual-wan
 ms.topic: how-to
-ms.date: 05/29/2023
+ms.date: 07/31/2023
 ms.author: cherylmc
 
 ---
@@ -35,6 +35,10 @@ This section lists configuration requirements and limitations for user groups an
 
 [!INCLUDE [User groups configuration considerations](../../includes/virtual-wan-user-groups-considerations.md)]
 
+* Address pools can't overlap with address pools used in other connection configurations (same or different gateways) in the same virtual WAN.
+
+* Address pools also can't overlap with virtual network address spaces, virtual hub address spaces, or on-premises addresses.
+
 ## Step 2: Choosing authentication mechanism
 
 The following sections list available authentication mechanisms that can be used while creating user groups.
diff --git a/includes/media/virtual-wan-user-groups-about/groups.png b/includes/media/virtual-wan-user-groups-about/groups.png
diff --git a/includes/virtual-wan-user-groups-considerations.md b/includes/virtual-wan-user-groups-considerations.md
@@ -1,13 +1,12 @@
 ---
 author: cherylmc
 ms.author: cherylmc
-ms.date: 05/29/2023
+ms.date: 07/31/2023
 ms.service: virtual-wan
 ms.topic: include
 ---
 
-* The maximum number of groups that can be referenced by a single P2S VPN gateway is 90. The maximum number of policy/group members (criteria used to identify which group a connecting user is a part of) in groups assigned to a gateway is 390. However, if a group is assigned to multiple connection configurations on the same gateway, this group and its members are counted multiple times towards the limits. For example, if there's a policy group with 10 members that is assigned to three VPN connection configurations on the gateway. This configuration would count as three groups with 30 total members as opposed to one group with 10 members. The total number of concurrent users connecting to a gateway is limited by the gateway scale unit and the number of IP
-addresses allocated to each user group and not the number of policy/group members associated with a gateway.
+* The maximum number of groups that can be referenced by a single P2S VPN gateway is 90. The maximum number of policy/group members (criteria used to identify which group a connecting user is a part of) in groups assigned to a gateway is 390. However, if a group is assigned to multiple connection configurations on the same gateway, this group and its members are counted multiple times towards the limits. For example, if there's a policy group with 10 members that is assigned to three VPN connection configurations on the gateway. This configuration would count as three groups with 30 total members as opposed to one group with 10 members. The total number of concurrent users connecting to a gateway is limited by the gateway scale unit and the number of IP addresses allocated to each user group and not the number of policy/group members associated with a gateway.
 
 * Once a group has been created as part of a VPN server configuration, the name and default setting of a group can't be modified.
 
@@ -18,5 +17,3 @@ addresses allocated to each user group and not the number of policy/group member
 * Groups that are being used by existing point-to-site VPN gateways can't be deleted.
 
 * You can reorder the priorities of your groups by clicking on the up-down arrow buttons corresponding to that group.
-
-* Address pools can't overlap with address pools used in other connection configurations (same or different gateways) in the same virtual WAN. Address pools also can't overlap with virtual network address spaces, virtual hub address spaces, or on-premises addresses
diff --git a/includes/virtual-wan-user-groups.md b/includes/virtual-wan-user-groups.md
@@ -0,0 +1,83 @@
+---
+author: cherylmc
+ms.author: cherylmc
+ms.date: 07/31/2023
+ms.service: virtual-wan
+ms.topic: include
+
+#This article is used for both Virtual WAN and VPN Gateway. Any updates to the article must work for both of these services. Otherwise, update the VWAN or VPNGW article directly.
+---
+
+## Server configuration concepts
+
+The following sections explain the common terms and values used for server configuration.
+
+### User Groups (policy groups)
+
+A **User Group** or policy group is a logical representation of a group of users that should be assigned IP addresses from the same address pool.
+
+### Group members (policy members)
+
+User groups consist of members. Members don't correspond to individual users but rather define the criteria used to determine which group a connecting user is a part of. A single group can have multiple members. If a connecting user matches the criteria specified for one of the group's members, the user is considered to be part of that group and can be assigned an appropriate IP address.
+The types of member parameters that are available depend on the authentication methods specified in the VPN server configuration. For a full list of available criteria, see the [Available group settings](#available-group-settings) section of this article.
+
+### Default user/policy group
+
+For every P2S VPN server configuration, one group must be selected as default. Users who present credentials that don't match any group settings are considered to be part of the default group. Once a group is created, the default setting of that group can't be changed.
+
+### Group priority
+
+Each group is also assigned a numerical priority. Groups with lower priority are evaluated first. This means that if a user presents credentials that match the settings of multiple groups, they're considered part of the group with the lowest priority. For example, if user A presents a credential that corresponds to the IT Group (priority 3) and Finance Group (priority 4), user A is considered part of the IT Group for purposes of assigning IP addresses.
+
+### Available group settings
+
+The following section describes the different parameters that can be used to define which groups members are a part of. The available parameters vary based on selected authentication methods.
+The following table summarizes the available setting types and acceptable values. For more detailed information on each type of Member Value, view the section corresponding to your authentication type.
+
+|Authentication type|Member type |Member values|Example member value|
+|---|---|---|---|
+Azure Active Directory|AADGroupID|Azure Active Directory Group Object ID	|0cf484f2-238e-440b-8c73-7bf232b248dc|
+|RADIUS|AzureRADIUSGroupID|Vendor-specific Attribute Value (hexadecimal) (must begin with 6ad1bd)|6ad1bd23|
+|Certificate|AzureCertificateID|Certificate Common Name domain name (CN=user@red.com)|red|
+
+#### Azure Active Directory authentication (OpenVPN only)
+
+Gateways using Azure Active Directory authentication can use **Azure Active Directory Group Object IDs** to determine which user group a user belongs to. If a user is part of multiple Azure Active Directory groups, they're considered to be part of the P2S VPN user group that has the lowest numerical priority.
+
+However, if you plan to have users who are external (users who aren't part of the Azure Active Directory domain configured on the VPN gateway) connect to the point-to-site VPN gateway, make sure that the user type of the external user is "Member" and **not** "Guest". Also, make sure that the "Name" of the user is set to the user's email address. If the user type and name of the connecting user isn't set correctly as described above or you can't set an external member to be a "Member" of your Azure Active Directory domain, that connecting user will be assigned to the default group and assigned an IP from the default IP address pool.
+
+You can also identify whether or not a user is external by looking at the user's "User Principal Name." External users have **#EXT** in their "User Principal Name."
+
+:::image type="content" source="./media/virtual-wan-user-groups-about/groups.png" alt-text="Screenshot of an Azure Active Directory group." lightbox="./media/virtual-wan-user-groups-about/groups.png":::
+
+#### Azure Certificate (OpenVPN and IKEv2)
+
+Gateways that use Certificate-based authentication use the **domain name** of user certificate Common Names (CN) to determine which group a connecting user is in. Common Names must be in one of the following formats:
+
+* domain/username
+* username@domain.com
+
+Make sure that the **domain** is the input as a group member.
+
+#### RADIUS server (OpenVPN and IKEv2)
+
+Gateways that use RADIUS-based authentication use a new **Vendor-Specific Attribute (VSA)** to determine VPN user groups.
+When RADIUS-based authentication is configured on the P2S gateway, the gateway serves as a Network Policy Server (NPS) proxy. This means that the P2S VPN gateway serves as a client to authenticate users with your RADIUS server using the RADIUS protocol.
+
+After your RADIUS server has successfully verified the user's credentials, the RADIUS server can be configured to send a new Vendor-Specific Attribute (VSA) as part of Access-Accept packets. The P2S VPN gateway processes the VSA in the Access-Accept packets and assigns specific IP addresses to users based on the value of the VSAs.
+
+Therefore, RADIUS servers should be configured to send a VSA with the same value for all users that are part of the same group.
+
+> [!NOTE]
+> The value of the VSA must be an octet hexadecimal string on the RADIUS server and the Azure. This octet string must begin with **6ad1bd**. The last two hexadecimal digits may be configured freely. For example, 6ad1bd98 is valid but 6ad12323 and 6a1bd2 would not be valid.
+>
+
+The new VSA is **MS-Azure-Policy-ID**.
+
+The MS-Azure-Policy-ID VSA is used by the RADIUS server to send an identifier that is used by P2S VPN server to match an authenticated RADIUS user policy configured on Azure side. This policy is used to select the IP/ Routing configuration (assigned IP address) for the user.
+
+The fields of MS-Azure-Policy-ID MUST be set as follows:
+
+* **Vendor-Type:** An 8-bit unsigned integer that MUST be set to 0x41 (integer: 65).
+* **Vendor-Length:** An 8-bit unsigned integer that MUST be set to the length of the octet string in the Attribute-Specific Value plus 2.
+* **Attribute-Specific Value:** An octet string containing Policy ID configured on Azure point-to-site VPN server.
