I recently started to deploy the Azure Point-to-Site VPN client to my users, but before I did I wanted to change a couple of things to improve my users' experience.

I wanted to:

  • Change the icon.
  • Change the banner image.
  • Add a couple of other routes so that, once connected via the VPN, my users could jump back onto my on-premises network and to some services in another Azure region.
  • Change the application title and the prompts. The default is to display your VNet name; mine are descriptive to IT but not very user friendly.
  • Set an idle timeout; the default install will not time out when idle.
  • The big one: I wanted users, and not just administrators, to be able to use the client.

Getting Started

I will assume you already have Azure set up and you have a Virtual Gateway with Point-to-Site configured.

  • Navigate to your Virtual Gateway and select Point-to-site configuration
  • Select “Download VPN client” at the top
  • Once the download completes extract the zip file.
  • Open a command prompt and drag in the “WindowsAmd64\VpnClientSetupAmd64.exe” installer and add the argument /C
  • When prompted select a folder to extract the installer into and press OK

Changing the icon

  • Navigate into the folder you extracted the installer into.
  • You should see there are two icons, azurebox16.ico (16×16 pixels) and azurebox32.ico (32×32 pixels).
  • You simply need to use an editor of your choice (such as GIMP) to replace these files; make sure you don’t change the names.
  • There are plenty of online tools, such as http://icoconvert.com/, to convert an image into an ICO if you don’t have a program.

Changing the banner image

  • Again another simple one: just replace “azurevpnbanner.bmp” with an image of your choice.

Add additional routes

This section is only appropriate if your users have local admin rights. If not, skip this section and see below. This is because the built-in method requires local admin rights to add these routes.

Behind my Azure Virtual Gateway I have site-to-site VPNs and some VNet-to-VNet links. I wanted my users to be able to connect to resources on these networks. Microsoft say you need to add routes manually to the clients, but I found all you need to do is add them to the “routes.txt” file.

Note: for this to work your Virtual Gateways and remote site-to-site endpoints generally need to have BGP configured and working.

More info can be found in the Microsoft article “About Point-to-Site VPN routing”.

  • Edit the “routes.txt” file
  • Copy an existing route and amend it as required
  • Save and close.

Changing the application title and install prompt text

As mentioned above, the default is to display your VNet name. I wanted something prettier such as “Company Name Primary VPN”.

  • Open the .inf file
  • The settings we want to change start at around line 242
  • Change ServiceName, UninstallAppTitle, BeginPrompt and EndPrompt values as required.
  • Save and close the .inf file
  • Open the .cms file
  • The settings we want to change are around line 46 and 49
  • Change the ServiceName and DUN values as required; they will need to be exactly the same as you set in the .inf file. Enclose the name in double quotes (" ") if it contains spaces.
  • Save and close the .cms file

Setting an idle timeout

The default install will not time out if left idle.

To change this behaviour you need to change the IdleTimeout setting in the .cmp file. The value needs to be in minutes.

Allow non administrators to use the Azure Point-to-site client

The downloaded client uses the “cmroute” DLL to add the routes defined in the “routes.txt” file. The problem with this approach is that it does so in the context of the current user, and a standard user can’t make changes to routes. My users, as in most companies, are just standard users, making the client useless.

My solution is not to use cmroute, but instead to get the client to trigger a scheduled task which runs as the SYSTEM account. The scheduled task then runs some PowerShell to add the routes, and as it runs as SYSTEM it has the required permissions.

The PowerShell

Deploy the below to the users' computers; call it what you like, I used something like “azure_route_manager.ps1”.

# We need to pass the script the connection name (the ServiceName from the .cms file)
Param([string]$Alias = 'Company Name Primary VPN')

# Destination prefixes to add once connected. These are placeholders: replace them
# with your on-premises / other-region prefixes in CIDR notation ("<prefix>/<bits>").
$Routes = @('<on-premises-prefix>/<bits>', '<other-region-prefix>/<bits>', '<third-prefix>/<bits>')

# IPv4 address the VPN client received on the connection's interface
$IpAddress = Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty IPAddress -First 1

function RemoveRoutes {
    # Clean up any routes this script previously added for this interface
    Get-NetRoute -InterfaceAlias $Alias -ErrorAction SilentlyContinue |
        Where-Object { $Routes -contains $_.DestinationPrefix } |
        Remove-NetRoute -Confirm:$false
}

function AddRoutes {
    RemoveRoutes # Just in case, clean up any previous routes for this interface
    foreach ($Prefix in $Routes) {
        New-NetRoute -DestinationPrefix $Prefix -InterfaceAlias $Alias -NextHop $IpAddress
    }
}

# We don't have an IP in our Azure P2S range(s), so the VPN is not up: just exit
if ($null -eq $IpAddress) {
    exit 1
}

AddRoutes

# Optional: call the logon script
# Invoke-Expression "\\mydomain\netlogon\Logon_Script.vbs"

The Scheduled Task

Deploy a scheduled task to the users' computers; you could use Group Policy Preferences if you don’t have anything better.

My task looks a bit like this. The action is: powershell.exe -ExecutionPolicy Bypass -File c:\scripts\azure_route_manager.ps1 -alias "Company Name Primary Connection"

  • You will need to change the path to match your script name and location.
  • Change “Company Name Primary Connection” to match the ServiceName in the .cms file (line 46).
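The task described above, as an added example written for this post rather than taken from it, registered with PowerShell instead of Group Policy Preferences. It uses the task name, script path and connection name from the post; all three are assumptions you should change. Because standard users can start this SYSTEM task on demand, the script it runs must only be writable by administrators, so the example also locks down the script directory and checks the result before registering the task.

```powershell
# Added example (not the author's code): registers the SYSTEM scheduled task that
# the .cms Connect Action starts. Task name, script path and alias are taken from
# the post; change them to match your deployment.
$TaskName   = 'Azure VPN Primary Route Management'
$ScriptDir  = 'C:\scripts'
$ScriptPath = Join-Path $ScriptDir 'azure_route_manager.ps1'
$Alias      = 'Company Name Primary Connection'   # must equal ServiceName in the .cms

# The task runs as SYSTEM but is started by standard users (schtasks /run), so
# anyone who can edit the script would get their changes run as SYSTEM. Give
# administrators and SYSTEM full control and everyone else read/execute only.
if (-not (Test-Path $ScriptDir)) { New-Item -ItemType Directory -Path $ScriptDir | Out-Null }
icacls $ScriptDir /inheritance:r `
    /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)RX' | Out-Null

# Verify no non-admin principal ended up with write rights on the directory.
$weak = (Get-Acl $ScriptDir).Access | Where-Object {
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
if ($weak) { throw "$ScriptDir is writable by non-administrators; fix the ACL before registering the task." }

# Same action as in the post: PowerShell running the route script with the alias.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -alias `"$Alias`""

# Run as SYSTEM with highest privileges. No trigger: the VPN client starts it on demand.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Bound the run time and ignore a second start while one is already running.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 5) `
    -MultipleInstances IgnoreNew -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $Action -Principal $Principal `
    -Settings $Settings -Description 'Adds Azure P2S routes after the VPN connects' -Force | Out-Null

Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

Run it elevated once per machine; the Connect Action in the .cms then only needs the task name to match $TaskName.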

Modify the .cms file to trigger the scheduled task on connection

  • Edit the .cms file
  • Find the [Connect Actions] section around line 85
  • Change the section to look like this:
[Connect Actions]
0=schtasks /run /tn "Azure VPN Primary Route Management"
0&Description=to update your routing table
  • Make sure the task name matches your scheduled task name. Note: the “Flags” line has been removed.
  • Save and close the file

Creating a batch file to install the modified client

  • In the folder with the extracted files create an “install.bat”
  • Edit the install.bat file and paste in the below, replacing the .inf filename with your own:
@echo off
cmstp /s /au "f0219wqf-ewb9f-418c-a54f-2748e4a23b04.inf"
  • In this case I am using the parameters /s for a silent install and /au for an all-user install. Full arguments can be found here
  • Note: CMSTP does not support running from a UNC path, so you will need to copy the folder locally first before running the batch file, or build that into the batch file or your deployment process.
  • Note: even with the /au parameter this will need to be run for each user to add the connection.