Point-to-site VPN authentication logging
When a client has their VMs inside VNets, and those VMs are not exposed to the Internet, the only option to get to them is P2S VPN. But it uses certificates for authentication (which is not a good idea either). What's worse (!), there is NO LOGGING!!! I mean, come on Azure team! This is like a security hole. No one knows who, when and from where got inside a perimeter??? This shouldn't even be here, this should have been done from the very beginning.
Dillon Brown commented
Vahan Galachyan commented
Ok, so keeping track of access to enterprise networks is a basic security control which we shouldn't be asking for in the year 2018. If we deploy P2S/Virtual Network Gateway w/IKEv2 in its current state, we open our networks to the internet and have no idea who logs into it and from where. There are basically NO events logged for an authenticated user. In addition, the "Connection Count" doesn't increment. So if I have 100 users connect via IKEv2, Connection Count still shows 0.
THIS IS A SIGNIFICANT SECURITY HOLE.
Microsoft - this product shouldn't have been released, not in its current state. WTF are you people thinking!?
James Maxson commented
Tossing in my own votes. This apparently has been known for a while, and it's a bit of a headache that the VPN doesn't track P2S connections at all. No way to know when someone's connected to it, what IP address is connected, etc. Only method of knowing a connection has happened is if there's suddenly a new certificate trust on the VPN.
Peter Selch Dahl commented
There is some room for improvement when it comes to Point-to-site VPN authentication and also logging. It would be nice if the backend RRAS service would support authenticating users with password and user name.