Seeking Advice on VPN Alternatives for SQL Data Replication

Asked By TechNoWizard42 On

Hi everyone! I'm looking for some advice on VPN options as we need to replace our soon-to-be-deprecated system. We have an offline component for an app we develop that stores data using SQL Express. When our clients need to replicate that data to their main database, they use our VPN for the connection. The infrastructure is hosted in Azure, and we're currently using an Azure VPN gateway for point-to-site connections with SSTP. Unfortunately, the SKU we're using is already deprecated, and SSTP support will be removed by 2027.

Here's where it gets tricky: it's not just a simple matter of updating the VPN gateway configuration and redistributing the client. We've got a custom Azure VPN client that's been modified to include our domain DNS suffix for connection purposes since our clients aren't part of our domain. No one remembers who initially created this custom client or how they did it, and I wasn't with the company at that time.

So my question is, what would be a good alternative VPN solution that could be distributed to clients across North America and could easily accommodate our domain DNS suffix?

4 Answers

Answered By NetworkNinja On

You might also consider getting advice from a networking expert. A VPN is basically just a tunnel that allows for custom routing and can use various protocols. If you’re looking for something with specific routing rules, you might not need a custom VPN client—you could be looking at VPN options with the right configurations instead.

Answered By CloudGuru On

Have you checked out the basic documentation from Microsoft? You can find good info about standard Azure VPN clients that may suit your needs without any customisation. That might save you some hassle!

Here’s a link to start: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-vpn-client-windows

TechNoWizard42 -

I see what you're saying, and yes, in hindsight, it does sound like a convoluted setup.

Answered By SecuritySeeker On

Instead of relying on a traditional VPN setup, you might want to look into Mutual TLS. Given that SQL already uses TLS, this could allow you to authenticate both the server and the client without needing a VPN at all. Just ensure that both sides support this—might be a safer route!

DevOpsDude -

That’s an interesting point! But still, a VPN provides an extra layer of security by creating a private tunnel, right? I'm concerned about exposing anything publicly.

Answered By CuriousDev1 On

What exactly do you mean by a custom VPN client? It sounds like someone modified the standard Azure client to include your domain DNS suffix in the configuration. That way, computers can resolve connections seamlessly when using the VPN. Not the typical setup for most users, I guess!

CustomTechie99 -

Yeah, they reworked the installer from Azure and edited the XML file to get the DNS suffix in there. It's clever but a bit complicated for maintenance.
