Virtual private network requirements for deploying Office 365 with single sign-on and Azure Virtual Machines

 

Applies to: Office 365

Summary: Describes the features that your on-premises VPN device must support when you deploy Office 365 with single sign-on using Azure Virtual Machines.

We're listening to your feedback and consolidating all our Office 365 deployment content. On July 1st, 2015, all information in this guide will be moved to https://support.office.com/, and these pages will be removed from TechNet. As you review the content still on TechNet, you'll notice many have links pointing to the new content already on https://support.office.com/.

To explore content available on https://support.office.com/, start with the Office 365 for business - Admin Help page.

To connect the on-premises network to the Azure Virtual Machines, you must configure a cross-premises Azure virtual network. This requires an on-premises VPN device that’s directly connected to the Internet and uses a public IP address. Network address translation (NAT) isn’t supported at this time.

On-premises VPN requirements

The on-premises VPN device must support the following features:

  • Internet Key Exchange v1 (IKEv1).

  • Establishment of Internet Protocol Security (IPsec) associations in tunnel mode.

  • NAT traversal (NAT-T).

  • The AES 128-bit encryption function, the SHA-1 hashing function, and Diffie-Hellman Perfect Forward Secrecy in Group 2 mode.

  • Fragmentation of packets before the data is encapsulated with the VPN headers.

Important

The VPN device cannot be behind a NAT. The VPN device must have an Internet-facing public IPv4 address.
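
The following added example (not part of the original article and not Microsoft code) audits one connection section of a VPN configuration against the requirements above. It assumes the on-premises device is configured with strongSwan-style ipsec.conf keywords (keyexchange, type, ike, esp, left), which is an assumption of this example; NAT-T and pre-encapsulation fragmentation are not covered by these keywords and are not checked.

```python
import ipaddress

# Page requirements as strongSwan ipsec.conf keywords (this mapping is an assumption).
REQUIRED_PROPOSAL = {"aes128", "sha1", "modp1024"}  # modp1024 is DH group 2
# Addresses in these ranges are not Internet-facing (RFC 1918, CGNAT, link-local, loopback).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

def parse_conn(text):
    """Parse the key=value lines of one conn section into a dict."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def proposal_ok(value):
    """True if one comma-separated proposal is exactly AES-128, SHA-1, DH group 2."""
    return any(set(p.strip().split("-")) == REQUIRED_PROPOSAL
               for p in value.rstrip("!").split(","))

def audit(conf):
    """Return the page requirements that the conn section does not meet."""
    problems = []
    if conf.get("keyexchange") != "ikev1":
        problems.append("IKEv1 not selected")
    if conf.get("type", "tunnel") != "tunnel":  # tunnel is strongSwan's default
        problems.append("not tunnel mode")
    for key in ("ike", "esp"):
        if not proposal_ok(conf.get(key, "")):
            problems.append(key + ": no aes128-sha1-modp1024 proposal")
    try:
        addr = ipaddress.ip_address(conf.get("left", ""))
        if addr.version != 4 or any(addr in net for net in NON_PUBLIC):
            problems.append("left: not a public IPv4 address")
    except ValueError:
        problems.append("left: not a literal IP address")
    return problems

# Constructed samples; 203.0.113.10 is a documentation address standing in for a public one.
GOOD = "keyexchange=ikev1\ntype=tunnel\nike=aes128-sha1-modp1024!\n" \
       "esp=aes128-sha1-modp1024!\nleft=203.0.113.10\n"
BAD = "keyexchange=ikev2\ntype=transport\nike=aes256-sha256-modp2048!\n" \
      "esp=aes128-sha1!\nleft=192.168.1.1\n"
if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(parse_conn(text)) or "meets the checked requirements")
```

An address in the carrier-grade NAT range (100.64.0.0/10) is reported as not public as well, because a device holding one is behind a provider's NAT even though the address is not an RFC 1918 address.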

For a list of supported devices, see About VPN Devices for Virtual Network.