Firewall Considerations – Windows Virtual Desktop (WVD)


Introduction:

This article covers both firewall and perimeter security considerations when deploying or enhancing an existing WVD Deployment. It would not be wise to deploy a Windows Virtual Desktop solution with users directly connecting to the public network without some form of security provision. In this article, we will look at the options available and some of the considerations needed for deploying the Azure firewall or a third party firewall for Windows Virtual Desktop.

Perimeter security – Why:

Deploying a third-party firewall provides the added benefits of content filtering, gateway antivirus and application control features, amongst others. Content filtering is a must for some industries, and without it, it would not be possible to implement Windows Virtual Desktop. Take education, for example, where safeguarding and education-friendly content control are required. This cannot be achieved out of the box with WVD. Some may turn to third-party applications to achieve the content filtering objective; however, running such applications locally on the session hosts carries a performance cost within a host pool.

There are many firewall options available, and you can find these on the Azure Marketplace:

Azure Marketplace – Firewalls

Enhancing Security using a third party firewall:

As shown in the image below, a third-party firewall can sit between multiple subnets on a VNet. In this example we have a LAN subnet where local Azure resources reside and a WAN subnet where we assign Azure public IP addresses and NAT across.

You will note that the security features can inspect locally between services as well as ingress and egress traffic to and from the public network. The added value of IPS and packet inspection should be noted.

Third Party Firewall Example Deployment

Using Azure’s Firewall:

You don’t have to use a third-party firewall; there is also the option to use Microsoft’s Azure Firewall. Microsoft recently published information on using Windows Virtual Desktop with the Azure Firewall, around the 5th of May 2020.

There are some differences from a third-party firewall, including the security features mentioned above. Azure Firewall does provide the ability to send user internet traffic to an on-premises proxy. There are implications in doing this and a possible impact on user performance. Azure Firewall also offers features like Microsoft threat intelligence and application / network rules. One of the key benefits of the Azure Firewall is that it is vastly scalable, enabling automation.

Windows Virtual Desktop architecture
Firewall overview
Azure Firewall Overview

Issues you may experience if the firewall is not configured correctly:

There are many issues that can occur when a firewall is not configured correctly for Windows Virtual Desktop. The two most common issues when deploying a firewall to Azure are DNS and KMS related. My suggestion would be to check all the required ports and URLs for each Azure service before deploying when a firewall is in play. I have listed the URLs and ports required for Windows Virtual Desktop below.

The following is not an extensive list of the issues you may see or experience. However, for those who are having issues, it may help:

  • Windows 10 not Activated – KMS
  • Unable to access the internet – DNS
  • Unable to connect to a Host pool – Service traffic blocked
  • Azure authenticator not working – service blocked
  • Agent and SXS stack not updating – check rules, service being blocked or DNS issue.

To diagnose issues, you can use PsPing to test an FQDN and port.
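As an added example (not from the original article), the following PowerShell check can be run on a session host to separate DNS failures from blocked ports, the two failure classes named above. It uses the non-wildcard FQDNs and ports from this article's required-rules table and the built-in Resolve-DnsName and Test-NetConnection cmdlets; the function name Test-WvdEndpoint is hypothetical.

```powershell
# Non-wildcard endpoints and ports taken from the rule table in this article.
$endpoints = @(
    @{ Fqdn = 'mrsglobalsteus2prod.blob.core.windows.net';  Port = 443;  Purpose = 'Agent and SXS stack updates' }
    @{ Fqdn = 'prod.warmpath.msftcloudes.com';              Port = 443;  Purpose = 'Agent traffic' }
    @{ Fqdn = 'catalogartifact.azureedge.net';              Port = 443;  Purpose = 'Azure Marketplace' }
    @{ Fqdn = 'kms.core.windows.net';                       Port = 1688; Purpose = 'Windows activation' }
    @{ Fqdn = 'wvdportalstorageblob.blob.core.windows.net'; Port = 443;  Purpose = 'Azure portal support' }
    @{ Fqdn = 'login.windows.net';                          Port = 443;  Purpose = 'Login to MS Online Services' }
)

# Test-WvdEndpoint is a hypothetical helper name, not a built-in cmdlet.
function Test-WvdEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $Purpose
    )
    $result = [pscustomobject]@{
        Fqdn = $Fqdn; Port = $Port; Purpose = $Purpose; Address = $null; Status = 'OK'
    }
    # Step 1: name resolution. A failure here points at DNS, not at a port rule.
    try {
        $dns = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
        $result.Address = ($dns | Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
    } catch {
        $result.Status = 'DNS resolution failed'
        return $result
    }
    # Step 2: TCP handshake to the required port (the same test as "psping <fqdn>:<port>").
    $tcp = Test-NetConnection -ComputerName $Fqdn -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $result.Status = 'TCP connection failed (check firewall rule)'
    }
    return $result
}

# Splat each hashtable onto the function parameters and tabulate the results.
$results = foreach ($e in $endpoints) { Test-WvdEndpoint @e }
$results | Format-Table -AutoSize
```

A row with "DNS resolution failed" never reached the port test, so fix name resolution before changing any allow rules.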

WVD required Firewall Rules:

Here is the list of Azure firewall rules you should include as allowed in your firewall configuration.

| Address | Outbound TCP port | Purpose | Service Tag |
|---|---|---|---|
| *.wvd.microsoft.com | 443 | Service traffic | Windows Virtual Desktop |
| mrsglobalsteus2prod.blob.core.windows.net | 443 | Agent and SXS stack updates | AzureCloud |
| *.core.windows.net | 443 | Agent traffic | AzureCloud |
| *.servicebus.windows.net | 443 | Agent traffic | AzureCloud |
| prod.warmpath.msftcloudes.com | 443 | Agent traffic | AzureCloud |
| catalogartifact.azureedge.net | 443 | Azure Marketplace | AzureCloud |
| kms.core.windows.net | 1688 | Windows activation | Internet |
| wvdportalstorageblob.blob.core.windows.net | 443 | Azure portal support | AzureCloud |
| *.microsoftonline.com | 443 | Authentication to MS Online Services | None |
| *.events.data.microsoft.com | 443 | Telemetry Service | None |
| www.msftconnecttest.com | 443 | Detects if the OS is connected to the internet | None |
| *.prod.do.dsp.mp.microsoft.com | 443 | Windows Update | None |
| login.windows.net | 443 | Login to MS Online Services, Office 365 | None |
| *.sfx.ms | 443 | Updates for OneDrive client software | None |
| *.digicert.com | 443 | Certificate revocation check | None |
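As an added example (not from the original article), the rule table above can also be used to triage firewall logs: the script below flags deny entries whose destination and port match a required WVD rule. The log format and sample lines are constructed for illustration, the host name host1.wvd.microsoft.com is a made-up instance of the wildcard, and the function name Find-BlockedWvdTraffic is hypothetical.

```powershell
# Subset of the rule table above. Specific FQDNs are listed before wildcards
# so that the first match is the most precise one.
$rules = @(
    [pscustomobject]@{ Pattern = 'kms.core.windows.net';                      Port = 1688; Purpose = 'Windows activation' }
    [pscustomobject]@{ Pattern = 'mrsglobalsteus2prod.blob.core.windows.net'; Port = 443;  Purpose = 'Agent and SXS stack updates' }
    [pscustomobject]@{ Pattern = '*.wvd.microsoft.com';                       Port = 443;  Purpose = 'Service traffic' }
    [pscustomobject]@{ Pattern = '*.core.windows.net';                        Port = 443;  Purpose = 'Agent traffic' }
    [pscustomobject]@{ Pattern = '*.servicebus.windows.net';                  Port = 443;  Purpose = 'Agent traffic' }
    [pscustomobject]@{ Pattern = '*.microsoftonline.com';                     Port = 443;  Purpose = 'Authentication to MS Online Services' }
)

# Constructed sample lines in a hypothetical "time action proto src -> fqdn:port" format.
$log = @'
2020-05-12T09:14:03Z DENY TCP 10.0.1.4 -> kms.core.windows.net:1688
2020-05-12T09:14:07Z DENY TCP 10.0.1.4 -> host1.wvd.microsoft.com:443
2020-05-12T09:14:09Z ALLOW TCP 10.0.1.5 -> login.microsoftonline.com:443
2020-05-12T09:15:40Z DENY TCP 10.0.1.5 -> tracker.example.net:443
'@ -split "`r?`n"

# Find-BlockedWvdTraffic is a hypothetical helper name.
function Find-BlockedWvdTraffic {
    param([string[]] $Lines, [object[]] $Rules)
    foreach ($line in $Lines) {
        # Only deny entries are of interest; skip anything else or malformed.
        if ($line -notmatch '^(\S+) DENY TCP (\S+) -> ([^:\s]+):(\d+)$') { continue }
        $time = $Matches[1]
        $src  = $Matches[2]
        $fqdn = $Matches[3]
        $port = [int]$Matches[4]
        # Both the FQDN pattern and the port must match: kms.core.windows.net
        # also fits *.core.windows.net, but that rule is for port 443 only.
        $hit = $Rules |
            Where-Object { $fqdn -like $_.Pattern -and $port -eq $_.Port } |
            Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Time = $time; Source = $src; Destination = "${fqdn}:$port"
                Rule = $hit.Pattern; Purpose = $hit.Purpose
            }
        }
    }
}

Find-BlockedWvdTraffic -Lines $log -Rules $rules | Format-Table -AutoSize
```

With the sample lines, the KMS and *.wvd.microsoft.com denies are reported, while the deny to tracker.example.net is ignored because it matches no required rule.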

RD Client rules:

This is the list of rules that should be applied for the RD client (the company endpoint device) to avoid client-related issues.

| Address | Outbound TCP port | Purpose | Client(s) |
|---|---|---|---|
| *.wvd.microsoft.com | 443 | Service traffic | All |
| *.servicebus.windows.net | 443 | Troubleshooting data | All |
| go.microsoft.com | 443 | Microsoft FWLinks | All |
| aka.ms | 443 | Microsoft URL shortener | All |
| docs.microsoft.com | 443 | Documentation | All |
| privacy.microsoft.com | 443 | Privacy statement | All |
| query.prod.cms.rt.microsoft.com | 443 | Client updates | Windows Desktop |

Summary:

This article covers both Azure Firewall and third-party firewall deployments with Windows Virtual Desktop. Both options have been covered, and I have provided a high-level insight into diagnosing WVD firewall-related issues.

I personally prefer to use a third-party firewall with Windows Virtual Desktop, as it allows you to standardise a firewall technology across platforms / multi-cloud. However, for those who just need a firewall or are looking for a technology which is scalable and can be automated, the Azure Firewall is the one for you.

Further reading:

https://docs.microsoft.com/en-us/azure/virtual-desktop/overview

https://docs.microsoft.com/en-us/azure/firewall/overview

https://docs.microsoft.com/en-us/azure/firewall/protect-windows-virtual-desktop

https://documentation.help/PsTools/PsPing.htm

https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=firewall&page=1
