Reaching a TFS server not hosted on the client PC, when applying an Azure “point to site” VPN

Having created a “developer desktop” VM within my Azure virtual network (a Windows SSTP-based VPN enabled server pool), the whole point is to connect the VM to the local LAN – and its “private” cloud servers. This includes enabling the visual studio client on the desktop to access the source files server, known as TFS – that is hosted on a host other than my client PC, in a different subnet furthermore. And, my client PC connects to the the subnet itself over a VPN, using the Cisco AnyConnect/ASA (SSL over UDP) tool chain..

Being a client to site VPN (vs. site to site), the remote gateway does not inject server side routes mapping my various subnets. There is one and one only: the network of 1 host: my connecting PC.  To make the solution work, I added ip port forwarding to the PC, so it exposes a port on its binding address to which the visual studio port can reach (over the windows VPN). This in turn captures layer 4 PDUs and forwards them to the true server on the subnet, unreachable directly, using local knowledge that allows the segment forwarding process.


This gets us to





Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in azure. Bookmark the permalink.