SMB over VPN gateway not possible


Hi,

I have a problem with connecting SMB network shares from an on-premises server to a VM located in Azure over a Site-to-Site VPN and VPN gateway.

We tried everything, but it seems that these and other protocols are natively blocked by the Azure VPN gateway. Is this correct?

Are there any solutions to this problem or did I miss something in the configuration or connection/authentication?

 

Thanks and regards

2 Replies

Hmm, it should work (SMB is one of the ports that AD needs for SYSVOL replication - if you have a domain controller in Azure, is it replicating properly with your on-premises machines?), as long as the site-to-site connection is up and running and the firewall allows it.

https://docs.microsoft.com/en-us/azure/storage/files/storage-files-configure-s2s-vpn

I would check the route back to on-premises from Azure, and check that the Windows Firewall configuration and your third-party firewall configuration actually allow SMB through.

Can you connect to a fileserver using its IP address?

On a side note, have you looked at Azure File Sync ( https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-porta... ), maybe a more suitable option?

 

I tested this with Microsoft Support, and currently the situation is that all traffic is going through the VPN gateway except anything on port 445 or 135, so SMB and DNS, and this traffic is not even reaching the VPN gateway tunnel.
It is working when coming from on-prem to Azure, but not from the other side, even when setting the VM right next to the gateway with nothing in between.
SMB is even working from one VM to another VM in a peered network.
MS support also had no clue what's going on there, so we deployed a new VPN gateway in the remote network, and there SMB is working, but this is only temporary and the problem is still not solved atm.