1 Setup Azure VPN Client

2/17/2020 Setup Azure VPN Client - Overview
Setup Azure VPN Client

Last updated by | Cedric Harispuru | Feb 17, 2020 at 11:37 AM GMT+1
Contents
• Purpose of configuring the VPN
• Technical view of the VPN
• Setting Up the Azure VPN Client
• Disconnecting the VPN connection
• Removing the VPN configuration
• Troubleshooting of VPN
• For users of ADFS
• For VPN connection errors
• Connection pending
• Error 0x80092013
• Error 720
• Error 798
Purpose of configuring the VPN

Many testing and simulation features are offered with the SIPROTEC DigitalTwin in the Cloud
(https://www.siprotec-digitaltwin.siemens.com ) without any local installation, only via using a web-browser
such as Microsoft Edge, Mozilla Firefox or Google Chrome, e.g.:
Upload of SIM file

Front display visualization and operation (menu navigation, function keys, …)
Injection of currents, voltages, binary inputs, e.g. for protection trips
Virtual wiring between simulated IEDs
IEC 61850 GOOSE functionality between simulated devices
Protection data interface (PDI) functionality between simulated devices
Upload of fault records in COMTRADE 1999 or 2013 format and replayed with sampling frequencies of 1,2,
4, 8 or 16kHz
Additional testing features of SIPROTEC DigitalTwin can be used by enabling a VPN Connection, e.g.:
DIGSI 5 (including online CFC Debugging and Test suite)

SIPROTEC 5 WebUI via HTTPS (to see event logs, protection setings)
Ethernet Substation communication IEC 61850, IEC 60870-5-104, DNP3, Modbus TCP (e.g. to SICAM
PAS/PQS/SCC, IEC browser)
PMU communication (e.g. to SIGUARD PDP)
Cyber Security communication (e.g. SysLog, RADIUS, RBAC)
https://dev.azure.com/siemens-energy-siprotec/SIPROTEC-5/_wiki/wikis/SIPROTEC-5.wiki/79/Setup-Azure-VPN-Client 1/20
Technical view of the VPN

The VPN connection to communicate from user's computer to the virtual devices consists of 2 VPN connections:
Azure VPN and SoftEther VPN Client.
Setting Up the Azure VPN Client

This section describes how to set-up the Azure VPN Client which is required for communicating with the virtual
SIPROTEC devices.
The Azure VPN Client depends directly of the personal login account. If the same computer is used by different
users with different accounts, the initial installation has to be done for each account.
Important:
Administrator rights are required to complete the following steps for installing and configuring the VPN
connection
The use of the VPN connection is supported only on a Windows 10 system.
Additional information: You can find additional information regarding the Microsoft Azure VPN Installation
here https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about 
Setup
1. Download the user-specific VPN client configuration via the SIPROTEC DigitalTwin website . Navigate to
the Menu button in the top left corner and select VPN Client from the context menu. This downloads a
ZIP-file (VPN_Client.zip) to your Downloads directory.
2. Right-click the ZIP file and select Extract All... from the context menu to extract the data from the ZIP file.
3. Define the destination directory into which the data should be extracted (c:\temp in this example) and click
Extract.
4. Change to the Certificate directory and double-click the PFX(Personal Information Exchange) file, which
contains the private and public keys. The name of the file begins with 3 letters followed by 6 characters
and ends with the current version number.
5. Select Current User as store location and click Next.

Note: This step increases the security, to prevent another user on the same computer from getting access.
6. Confirm the PFX File Name to be imported (no changes necessary) and click Next.
7. Enter the Password to install the certificate. The password is SIPROTEC_DigitalTwin.

Keep the default options and click Next.
Note: in Windows environments (such as Siemens Corporate), strong private key protection is enabled.
8. Select the Place all certificates in the following store option, then click Browse... and select the
Personal directory in the Select Certificate Store dialog. Confirm the dialog with OK and continue with
Next.
Note: Setting the directory allows efficient management of installed certificates.
9. To complete the import, click Finish. Confirm the successful import with OK.
Note: if a strong key protection was activated in step 7, you first have to define a password that will be
requested later for each VPN connection:
10. OPTIONAL: To verify that the imported certificates have been imported correctly, the certification manager
can be called. Press <Windows> + <R>, type "certmgr.msc" into the input field and press <Enter> (or
click OK).
You will find the 2 imported certificates under Personal > Certificates.
11. Navigate to the AzureVpnProfile folder where you find 3 directories:
Generic: Contains general files to create the VPN client configuration

WindowsAmd64: Contains Windows 64-bit installer packages for all supported 64-bit clients (not just
AMD)
WindowsX86: Contains Windows 32-bit installer packages
Select the appropriate directory according to the underlying computer. For example, the installation file
WindowsAmd64\VpnClientSetupAmd64.exe is used for Windows10.
Double-click on the respective file.

If the error message Windows protected your PC - Windows Defender SmartScreen prevented an
unrecognized app from starting... occurs , click More info and Run anyway.
If the message Do you want to allow this app from an unknown publisher to make changes to your
device? occurs , click Yes.
Click Yes to start the installation.
Note: The name of the VPN connection is client-specific and will differ:
12. To navigate to the VPN connection settings, right-click the Start button, click Settings, click Network &
Internet, then click VPN.
13. A newly added VPN connection is displayed. The name starts with SIPROTEC_DigitalTwin_ followed by
three letters and at least six characters:
14. Select the connection, click Connect and confirm the adaptation of the routing table with Continue.
Note: you can select not to show this message again for this connection.
Note: if you were requested to create a password before (in step 9), enter your connection password:
Now the VPN connection is installed and running. Follow the installation instructions for the SoftEther VPN
Client.
Note: Do not disconnect the VPN during installation.
Disconnecting the VPN connection

When the VPN connection to SIPROTEC DigitalTwin is not used anymore, you can disconnect your local
computer by clicking Disconnect.
If you need the VPN functionality again, reconnect it.

Removing the VPN configuration

If desired, you can remove the VPN profile by clicking Remove.
Troubleshooting of VPN
For users of ADFS

If you are using a Microsoft ADFS authentification (e.g. Siemens Corporate Entitlement), you might not be able
to use it at the same time as an active VPN of SIPROTEC Digital Twin:
Navigate to the path C:\Users\<YOUR-

ACCOUNT>\AppData\Roaming\Microsoft\Network\Connections\Pbk and open the file rasphone.pbk with
the notepad, find all the values UseRasCredentials and set it to 0.
On the same file take note of the value “PhoneNumber” (there's one for each VPN connection known to
the system), it will be something like azuregateway-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-
xxxxxxxxxxxx.vpn.azure.com 
Navigate now to the folder C:\Users\<YOUR-
ACCOUNT>\AppData\Roaming\Microsoft\Network\Connections\Cm\xxxxxxxx-xxxx-xxxx-xxxx-
xxxxxxxxxxxx-xxxxxxxxxxxx, open the file xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxxxxxxxxx.pkb and modify
the value UseRasCredentials to 0.
Inside the same folder open the file xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-xxxxxxxxxxxx.cms and modify the
value DontUseRasCredentials to 1.
For VPN connection errors
Connection pending
if connection is not established within 10s, Cancel the connection and connect again.
Once successful, the password is validated and the VPN is connecting.
Error 0x80092013
"The revocation function was unable to check revocation because the revocation server was offline."
Causes
This error message occurs if the client cannot access http://crl3.digicert.com/ssca-sha2-g1.crl  and
http://crl4.digicert.com/ssca-sha2-g1.crl . The revocation check requires access to both to these two sites. This
problem typically happens on the client that has proxy server configured. In some environments, if the requests
are not passed through the proxy server, they will be denied at the Edge Firewall.
Solution:
Check the proxy server settings, make sure that the client can access http://crl3.digicert.com/ssca-sha2-g1.crl 
and http://crl4.digicert.com/ssca-sha2-g1.crl .
Error 720
"A connection to the remote computer could not be established. You might need to change the network
settings for this connection."
Solution :
Open the Explorer (<Windows> + E).

Right-click on This PC, and select Manage.
In the Computer Management dialog, click Device Manager
Under Network Adapters, uninstall all adapters starting with "WAN Miniport" by right-clicking them and
selecting Uninstall from the context menu.
After uninstallation, right-click Network Adapters and select Scan for Hardware Changes from the
context menu; these adapters will reinstall automatically without restarting.
Reinstall the Azure VPN.
Error 798
"A certificate could not be found that can be used with this Extensible Authentification Protocol".
Download again the VPN_Client.zip file and install the newer certificate, valid for 1 more year.

1 Setup Azure VPN Client

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

1 Setup Azure VPN Client

Uploaded by

Copyright:

Available Formats

2/17/2020 Setup Azure VPN Client - Overview

Setup Azure VPN Client

Purpose of configuring the VPN

Upload of SIM file

DIGSI 5 (including online CFC Debugging and Test suite)

Technical view of the VPN

Setting Up the Azure VPN Client

5. Select Current User as store location and click Next.

7. Enter the Password to install the certificate. The password is SIPROTEC_DigitalTwin.

Note: Setting the directory allows efficient management of installed certificates.

11. Navigate to the AzureVpnProfile folder where you find 3 directories:

Generic: Contains general files to create the VPN client configuration

Double-click on the respective file.

Disconnecting the VPN connection

If you need the VPN functionality again, reconnect it.

Removing the VPN configuration

For users of ADFS

Navigate to the path C:\Users\<YOUR-

For VPN connection errors

Once successful, the password is validated and the VPN is connecting.

Open the Explorer (<Windows> + E).

You might also like