Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article helps you generate, distribute, and install an updated VPN client profile for point-to-site (P2S) connections. These instructions are necessary when you make changes to your gateway configuration, or when your gateway requires migration of its root certificate. This article applies to both Azure VPN Gateway and Virtual WAN.
For more information about gateway root certificate migration, see VPN Gateway - About gateway root certificate migration or Virtual WAN - About gateway root certificate migration.
General workflow
- Generate a new VPN client profile for each affected gateway.
- Distribute the updated profile to all end users who connect by using point-to-site VPN.
- Install the new profile on each client device.
- Verify connectivity.
Generate a new VPN client profile
Use the tabs to select instructions for your gateway.
- In the Azure portal, go to your virtual network gateway resource.
- In the left pane, under Settings, select Point-to-site configuration.
- On the Point-to-site configuration page, at the top of the page, select Download VPN client.
- Save the downloaded ZIP file to your local machine. This ZIP file contains the updated client profile for all supported VPN client types.
- Extract the ZIP file to a local directory. The extracted folder contains the necessary files.
Distribute and install the updated profile
After generating the new profile, distribute it to all end users and install the new client profiles and all server certificates on their client devices.
The installation steps depend on the authentication method, tunnel type, client OS, and VPN client software you're using. For detailed installation instructions for your specific configuration:
- For Microsoft Entra ID or Certificate-based authentication, see the table in Configure Azure VPN Client for P2S certificate authentication connections - Windows.
- For RADIUS-based authentication, see the "VPN Client Configuration" section in the Point-to-Site RADIUS VPN Gateway article.
Note
If a connection profile for this gateway already exists on the client device, you need to add the new configuration to the client.
Verify connectivity
After installing the updated profile on a client device:
- Establish a P2S VPN connection by using the updated profile.
- Verify end-to-end connectivity with Azure resources.
If the connection fails:
- Confirm that you downloaded the new profile after receiving notice that the updated profile is available.
- Verify that the new profile configuration file and all necessary root certificates were imported for your client type.
- Troubleshoot by using the Azure VPN troubleshooting documentation.
- If issues persist, create an Azure support request.
Verify all clients are updated
After distributing the updated profile, monitor your gateway to confirm all clients have been updated. Make sure that all client profiles are updated well in advance of the scheduled migration.
Known issues
The Azure VPN Client for Linux doesn't have a supported update method at this time. If you're using the Azure VPN Client on Linux, there's currently no supported migration path for updating the client profile during a certificate migration. Monitor this page for updates.