

This document outlines how to configure a point-to-site (P2S) VPN connection from a client computer that needs to interact with Prinergy running in an Azure VM. Authentication is by certificate: a root certificate you generate is uploaded to the gateway, and each client presents a client certificate signed by that root.

Instructions are provided for both Windows and Mac clients.


Prerequisites

The virtual network gateway must already have point-to-site configured with:

  • tunnel type of IKEv2 and OpenVPN (SSL)
  • SKU of VpnGw1 or better (the Basic SKU does not support IKEv2 or OpenVPN clients)
  • authentication type Azure certificate (this is what the root certificate uploaded in step 2 below is for)

Installation & Configuration

  1. Create root certificate and client certificates:
    1. Mac:
      1. Open Terminal (under Applications→Utilities) and install openssl if it is not already installed.
      2. Execute commands to create the root certificate. The root private key is the trust anchor for the gateway: anyone who holds it can issue client certificates the gateway will accept, so keep it passphrase-protected (the -aes256 option prompts for one) and off the client machines.

        # Generate root private key (you will be prompted for a passphrase)
        openssl genrsa -aes256 -out RootAzureVPN.key 2048
        # Generate a root certificate valid for 5 years
        openssl req -x509 -sha256 -new -key RootAzureVPN.key -out RootAzureVPN.cer -days 1825 -subj /CN=RootAzureVPN
      3. Execute commands to create the client certificate:

        # Generate the client private key and a certificate request for it
        openssl genrsa -out clientCert.key 2048
        openssl req -new -out clientCert.req -key clientCert.key -subj /CN=ClientAzureVPN
        # Generate a certificate from the certificate request and sign it as the CA that you are.
        openssl x509 -req -sha256 -in clientCert.req -out clientCert.cer -CAkey RootAzureVPN.key -CA RootAzureVPN.cer -days 1825 -CAcreateserial -CAserial serial
        # Pack key and certificate in a .pfx (PKCS #12 format); choose an export password, it is needed when installing on the client
        openssl pkcs12 -export -out clientCert.pfx -inkey clientCert.key -in clientCert.cer -certfile RootAzureVPN.cer
    2. Windows 10 and Windows Server 2016:
        • Note: Server 2016 should in theory work, but when it was last tested the resulting root certificate could not be installed in Azure.
        • The following commands are executed in PowerShell opened with ‘Run as administrator’.
        • Replace P2SRootCert and P2SChildCert with something appropriate for the site, such as <SiteName>RootCert and <SiteName>ClientCert, where <SiteName> is the actual site name.
      1. Create a self-signed root certificate (the -KeyUsage CertSign option is what makes it usable as a CA):

        $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 -NotAfter ((Get-Date).AddYears(5)) `
        -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

        IMPORTANT: the backtick (`) at the end of each line tells PowerShell that the command continues on the next line.

      2. Create a client certificate signed by the root (the -Signer argument) with the Client Authentication extended key usage (OID 1.3.6.1.5.5.7.3.2), which the gateway requires:

        New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
        -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048  -NotAfter ((Get-Date).AddYears(5)) `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
      3. Check that at least the two generated certificates are listed (your thumbprints will differ):

        PS C:\> Get-ChildItem -Path "Cert:\CurrentUser\My"
        Thumbprint                                Subject
        ----------                                -------
        F3C3B23CDCBFC90AA606446966E2FAAD49B70AC5  CN=P2SRootCert
        44E1451EE36DBCD82A1B752ECC854CBE0271C520  CN=P2SChildCert
      4. Export the root certificate from Certificate Manager (certmgr.msc).  Options:
        • No, do not export the private key (only the public certificate goes to Azure; the root private key stays on this machine)
        • Base-64 encoded X.509 (.CER) file
      5. Export the client certificate.  Options:
        • Yes, export the private key
        • Personal Information Exchange - PKCS #12 (.PFX) format
        • Select a secure password and write it down.  It will be needed to install the client certificate on the client later.  The .pfx contains the client’s private key, so transfer it over a secure channel and delete stray copies.
  2. Install root certificate in Azure:
    1. Sign in to the Azure Portal from the machine where the certificates were generated.
    2. Open the root certificate .cer file in TextEdit (Mac) or Notepad (Windows) and copy the Base64 text between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (not the lines themselves).

      Be sure the editor you use does not alter the formatting of the content (TextEdit must be in plain-text mode).
    3. Navigate to the VNET Gateway’s Point-to-site configuration in the Portal and add an entry to the root certificate list: a name for the certificate and the copied data.
    4. Save the change.
  3. Install the client certificate on the client – Windows & Mac: double-click the .pfx file and enter the password chosen at export. On Windows the Certificate Import Wizard places it in the Current User personal store; on Mac it goes into the login keychain in Keychain Access.
  4. Download the VPN client configuration from the Azure Portal to the client.
    1. Sign in to the Azure Portal from the client.
    2. Navigate to the VNET Gateway’s Point-to-site configuration.
    3. Click the ‘Download VPN client’ button and unpack the downloaded zip.
  5. Install the VPN configuration on the client:
    1.  Mac:
      1. IKEv2: create the VPN entry with the gateway address and server root certificate from the downloaded package, and select the client certificate installed in step 3 for authentication.
      2. OpenVPN: the downloaded profile contains placeholders for the client certificate and its private key; paste them in (PEM format) before importing the profile. The completed .ovpn file holds the private key in clear text, so protect it like the .pfx.
    2.  Windows:
      1. OpenVPN: as for Mac, complete the profile with the client certificate and private key, then import it into the OpenVPN client.
  6. Optional: add a hosts file entry with the primary server’s private IP if you want to reference it by name from the client.
    1.  Mac:
      1. Launch the Terminal application found in Applications/Utilities
      2. Type: sudo nano /etc/hosts<Enter>
      3. Enter the administrator password when prompted and hit Enter
      4. Add an entry for the primary server – eg: <private IP> PrinergyPrimaryName (the IP first, then the name, separated by whitespace)
      5. Save the file: Control+O
      6. Exit nano: Control+X
    2. Windows:
      1. Edit C:\Windows\System32\drivers\etc\hosts (the editor must run as administrator)
      2. Add an entry for the primary server – eg: <private IP> PrinergyPrimaryName
      3. Save the file
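The certificate procedure in steps 1 and 2 above, scripted end to end as an added example (this is not code from the original page; the directory, certificate names and passphrases are assumptions). It generates the root and client certificates with openssl as in the Mac steps, adds the Client Authentication extended key usage that the Windows variant sets, verifies that the client certificate actually chains to the root, and prints the Base64 body that the portal's root certificate list wants, so it never has to be copied out of a text editor by hand.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: scripts the Mac/openssl
# procedure (root CA, client certificate, .pfx) and adds the checks the page
# leaves implicit.  Directory, names and passphrases are assumptions.
set -eu

# Create RootAzureVPN.{key,cer} and clientCert.{key,req,cer,pfx} under $1.
# The root key is AES-256 encrypted with $2; the .pfx is protected by $3.
make_p2s_certs() {
    dir=$1; root_pass=$2; pfx_pass=$3
    mkdir -p "$dir"
    (
        cd "$dir"
        # Root CA: this key is the trust anchor for the whole gateway, so it is
        # generated encrypted and should never leave the machine that holds it.
        openssl genrsa -aes256 -passout "pass:$root_pass" -out RootAzureVPN.key 2048 2>/dev/null
        openssl req -x509 -sha256 -new -key RootAzureVPN.key -passin "pass:$root_pass" \
            -out RootAzureVPN.cer -days 1825 -subj /CN=RootAzureVPN
        # Client key and request (no passphrase: the .pfx password protects it later).
        openssl genrsa -out clientCert.key 2048 2>/dev/null
        openssl req -new -key clientCert.key -out clientCert.req -subj /CN=ClientAzureVPN
        # Sign the request with the root and add the Client Authentication EKU,
        # the same extension the PowerShell variant sets with OID 1.3.6.1.5.5.7.3.2.
        printf 'extendedKeyUsage=clientAuth\n' > client_ext.cnf
        openssl x509 -req -sha256 -in clientCert.req -out clientCert.cer \
            -CA RootAzureVPN.cer -CAkey RootAzureVPN.key -passin "pass:$root_pass" \
            -days 1825 -CAcreateserial -extfile client_ext.cnf 2>/dev/null
        # Bundle key + certificate + root into the .pfx the client will import.
        openssl pkcs12 -export -out clientCert.pfx -inkey clientCert.key -in clientCert.cer \
            -certfile RootAzureVPN.cer -passout "pass:$pfx_pass"
    )
}

# Return 0 if the client certificate chains to the root and carries the
# clientAuth EKU, i.e. if the gateway will accept it.
verify_client_cert() {
    dir=$1
    openssl verify -CAfile "$dir/RootAzureVPN.cer" "$dir/clientCert.cer" >/dev/null 2>&1 &&
        openssl x509 -in "$dir/clientCert.cer" -noout -text |
        grep -q 'TLS Web Client Authentication'
}

# Print the root certificate's Base64 body on one line, PEM header and footer
# removed: the "public certificate data" the portal asks for when a root
# certificate is added to the point-to-site configuration.
root_cert_public_data() {
    grep -v -e '-----' "$1/RootAzureVPN.cer" | tr -d '\r\n'
}

# Demo run; override P2S_DIR, P2S_ROOT_PASS and P2S_PFX_PASS in the environment.
P2S_DIR=${P2S_DIR:-$(mktemp -d)}
make_p2s_certs "$P2S_DIR" "${P2S_ROOT_PASS:-ChangeMeRootPass}" "${P2S_PFX_PASS:-ChangeMePfxPass}"
if verify_client_cert "$P2S_DIR"; then
    echo "client certificate verified against root"
else
    echo "client certificate does NOT verify against root" >&2
    exit 1
fi
echo "Files written to $P2S_DIR"
echo "Paste this into the portal root certificate list:"
root_cert_public_data "$P2S_DIR"
echo
```

Only RootAzureVPN.cer and clientCert.pfx leave the machine; RootAzureVPN.key stays where it was generated. If an older Windows or macOS client refuses the .pfx, regenerate that one file with the pkcs12 -legacy option of OpenSSL 3, which falls back to the older algorithms those importers expect.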

Using Kodak Workshop and other workflow software from the client

       Important Note: the Prinergy server’s private IP address must be inserted in the hosts file on each client (Windows or Mac) that connects through Workshop (step 6 above).

  1. Connect the Azure VPN if not already connected
  2. If Workshop is not already installed, map a drive to the Workshop installer share on the Azure VM and install Workshop and related software
  3. Start Workshop.
  4. If it does not automatically find the primary server, enter the name from the hosts entry or the private IP address
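The hosts entry from step 6 and the note above are easy to get wrong on the second attempt (a duplicate line for the name, or the public IP pasted in by mistake). The following bash function is an added example, not part of the original page, for Mac or other Unix-like clients: it replaces any existing line for the name instead of appending, and refuses an address that is not a private IPv4 address. The address 10.1.0.4 and the name PrinergyPrimaryName are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: idempotently set the hosts
# entry for the Prinergy primary server.  Re-running with a new IP replaces
# the old line rather than appending a duplicate.  IP and name are placeholders.
set -eu

# Usage: set_hosts_entry <private IPv4> <hostname> [hosts file, default /etc/hosts]
set_hosts_entry() {
    ip=$1; name=$2; file=${3:-/etc/hosts}
    # The page says to use the VM's private IP: reject anything that is not a
    # dotted quad in an RFC 1918 range, which catches pasting the public IP.
    printf '%s\n' "$ip" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "not an IPv4 address: $ip" >&2; return 1; }
    case "$ip" in
        10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) ;;
        *) echo "not a private address: $ip" >&2; return 1 ;;
    esac
    tmp=$(mktemp)
    # Drop any existing line that maps this name (whole word), keep everything else.
    grep -v -E "[[:space:]]$name([[:space:]]|\$)" "$file" > "$tmp" || true
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file"   # rewrite in place so owner and mode of the file survive
    rm -f "$tmp"
}

# Print the IP currently mapped to a name in the hosts file (nothing if absent).
hosts_lookup() {
    awk -v n="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "${2:-/etc/hosts}"
}

# Demo on a scratch file; set HOSTS_FILE=/etc/hosts and run with sudo for real.
NAME=${PRIMARY_NAME:-PrinergyPrimaryName}
HOSTS_FILE=${HOSTS_FILE:-$(mktemp)}
set_hosts_entry "${PRIMARY_IP:-10.1.0.4}" "$NAME" "$HOSTS_FILE"
echo "$NAME -> $(hosts_lookup "$NAME" "$HOSTS_FILE") in $HOSTS_FILE"
```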

RDC to an Azure VM from the client

  1. Connect the Azure VPN if not already connected
  2. Sign in to the Azure Portal from the client
  3. Power on the VM if it is currently stopped
  4. From Security Center request ‘Just in time VM access’
  5. Request access on port 3389 from the IP address assigned to your VPN connection only (not an open range), for the shortest window you need; JIT opens the network security group rule for that source and closes it again when the time expires
  6. Remote Desktop to the VM using its internal (private) IP address, or the name you added to the hosts file
