Firewall Considerations – Windows Virtual Desktop (WVD)


Introduction:

This article covers both firewall and perimeter security considerations when deploying or enhancing an existing WVD Deployment. It would not be wise to deploy a Windows Virtual Desktop solution with users directly connecting to the public network without some form of security provision. In this article, we will look at the options available and some of the considerations needed for deploying the Azure firewall or a third party firewall for Windows Virtual Desktop.

Perimeter security – Why:

Deploying a third party firewall provides the added benefits of content filtering, gateway antivirus and application control features amongst others. Content filtering is a must for some industries and without this, it would not be possible to implement Windows Virtual Desktop. Take Education for example, safeguarding and education friendly content control. This cannot be achieved out of the box with WVD. Some may turn to third party applications to achieve the content filtering objective, however using localised applications for such functions does have a performance cost associated within a host pool.

There are many firewall options available to use and you can find these on the Azure Market place:

Azure Marketplace – Firewalls

Enhancing Security using a third party firewall:

As shown in the image below, you can see that a third party firewall can sit between multiple subnets on a VNet. In this example we have a LAN subnet where local azure resources reside and a WAN subnet where we assign Azure Public IP addresses and NAT across.

You will note that the security features can inspect locally between services as well as ingress and egress traffic to and from the public network. The added value of IPS and packet inspection should be noted.

Third Party Firewall Example Deployment

Using Azure’s Firewall:

You don’t have to use a third party firewall, There is the option to use Microsoft Azure’s Firewall. Microsoft recently published information relating using Windows Virtual Desktop with the Azure Firewall around the 5th of May 2020.

There are some differences to a third party firewall including the security features mentioned above. Azure’s Firewall does provide the ability to send user internet traffic to an on-premises proxy. There are implications in doing this and a possible impact to user performance. Azure’s firewall also offer’s feautres like Microsoft threat intelligence and application / network rules. One of the key benefits of the Azure firewall is that it is vastly scalable enabling automation.

Windows Virtual Desktop architecture
Windows Virtual Desktop architecture
Firewall overview
Azure Firewall Overview

Issues you may experience if the firewall is not configured / correctly:

There are many issues that can occur when a firewall is not configured correctly for Windows Virtual Desktop. The two most common issues when deploying a firewall to Azure are DNS and KMS related. My suggestion would be to check all the required ports and URL’s for each Azure service before deploying when a firewall is in play. I have listed the URL’s and ports required for Windows Virtual Desktop below.

The following is not a extensive list of issues you may see / experience. however, for those who are having issues, it may help:

  • Windows 10 not Activated – KMS
  • Unable to access the internet – DNS
  • Unable to connect to a Host pool – Service traffic blocked
  • Azure authenticator not working – service blocked
  • Agent and SXS stack not updating – check rules, service being blocked or DNS issue.

To Diagnose issues, you can use PSPING to test a FQDN and port.

WVD required Firewall Rules:

Here is the list of Azure firewall rules you should include as allowed in your firewall configuration.

AddressOutbound TCP portPurposeService Tag
*.wvd.microsoft.com443Service trafficWindows Virtual Desktop
mrsglobalsteus2prod.blob.core.windows.net443Agent and SXS stack updatesAzureCloud
*.core.windows.net443Agent trafficAzureCloud
*.servicebus.windows.net443Agent trafficAzureCloud
prod.warmpath.msftcloudes.com443Agent trafficAzureCloud
catalogartifact.azureedge.net443Azure MarketplaceAzureCloud
kms.core.windows.net1688Windows activationInternet
wvdportalstorageblob.blob.core.windows.net443Azure portal supportAzureCloud
*.microsoftonline.com443Authentication to MS Online ServicesNone
*.events.data.microsoft.com443Telemetry ServiceNone
http://www.msftconnecttest.com443Detects if the OS is connected to the internetNone
*.prod.do.dsp.mp.microsoft.com443Windows UpdateNone
login.windows.net443Login to MS Online Services, Office 365None
*.sfx.ms443Updates for OneDrive client softwareNone
*.digicert.com443Certificate revocation checkNone

RD Client rules:

This is the list of rules that should be applied to the RD Client, Company endpoint device to ensure no client related issues.

AddressOutbound TCP portPurposeClient(s)
*.wvd.microsoft.com443Service trafficAll
*.servicebus.windows.net443Troubleshooting dataAll
go.microsoft.com443Microsoft FWLinksAll
aka.ms443Microsoft URL shortenerAll
docs.microsoft.com443DocumentationAll
privacy.microsoft.com443Privacy statementAll
query.prod.cms.rt.microsoft.com443Client updatesWindows Desktop

Summary:

This article covers both Azure Firewall and third party firewall deployments with Windows Virtual Desktop. Both Options have been covered and I have provided a high level insight into diagnosing issues related WVD firewall issues.

I personally prefer to use a third party firewall with Windows Virtual desktop as it can allow you to standardise a firewall technology across platforms / multi cloud. However For those who just need a firewall or are looking for a technology which is scalable and can be automated, the Azure Firewall is the one for you.

Further reading:

https://docs.microsoft.com/en-us/azure/virtual-desktop/overview

https://docs.microsoft.com/en-us/azure/firewall/overview

https://docs.microsoft.com/en-us/azure/firewall/protect-windows-virtual-desktop

https://documentation.help/PsTools/PsPing.htm

https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=firewall&page=1

One thought on “Firewall Considerations – Windows Virtual Desktop (WVD)

Add yours

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: