This article covers both firewall and perimeter security considerations when deploying a new Windows Virtual Desktop (WVD) solution or enhancing an existing deployment. It would not be wise to deploy Windows Virtual Desktop with users connecting directly to the public network without some form of security provision. In this article, we will look at the options available and some of the considerations for deploying the Azure Firewall or a third party firewall with Windows Virtual Desktop.
Perimeter security – Why:
Deploying a third party firewall provides the added benefits of content filtering, gateway antivirus and application control, amongst other features. Content filtering is a must for some industries, and without it, it would not be possible to implement Windows Virtual Desktop at all. Take education, for example, where safeguarding and education-friendly content control are required; this cannot be achieved out of the box with WVD. Some may turn to third party applications installed on the session hosts to achieve the content filtering objective; however, using host-local applications for such functions does carry a performance cost within a host pool.
There are many firewall options available, and you can find these on the Azure Marketplace:
Enhancing Security using a third party firewall:
As shown in the image below, a third party firewall can sit between multiple subnets on a VNet. In this example we have a LAN subnet where the local Azure resources reside and a WAN subnet where Azure Public IP addresses are assigned and NAT is performed.
Note that the security features can inspect traffic locally between services as well as ingress and egress traffic to and from the public network. The added value of IPS and packet inspection should not be overlooked.
Using Azure’s Firewall:
You don’t have to use a third party firewall; there is the option to use Microsoft’s Azure Firewall. Microsoft recently published information relating to using Windows Virtual Desktop with the Azure Firewall, around the 5th of May 2020.
There are some differences compared to a third party firewall, including the security features mentioned above. Azure Firewall does provide the ability to send user internet traffic to an on-premises proxy. There are implications in doing this and a possible impact on user performance. Azure Firewall also offers features like Microsoft threat intelligence and application / network rules. One of the key benefits of the Azure Firewall is that it is highly scalable and lends itself to automation.
Issues you may experience if the firewall is not configured correctly:
There are many issues that can occur when a firewall is not configured correctly for Windows Virtual Desktop. The two most common issues when deploying a firewall to Azure are DNS and KMS related. My suggestion would be to check all the required ports and URLs for each Azure service before deploying when a firewall is in play. I have listed the URLs and ports required for Windows Virtual Desktop below.
The following is not an exhaustive list of the issues you may see or experience; however, for those who are having issues, it may help:
- Windows 10 not Activated – KMS
- Unable to access the internet – DNS
- Unable to connect to a Host pool – Service traffic blocked
- Azure authenticator not working – service blocked
- Agent and SXS stack not updating – check rules, service being blocked or DNS issue.
To diagnose issues, you can use PsPing to test an FQDN and port.
WVD required Firewall Rules:
Here is the list of rules you should include as allowed in your firewall configuration.
| Address | Outbound TCP port | Purpose | Service Tag |
| --- | --- | --- | --- |
| *.wvd.microsoft.com | 443 | Service traffic | Windows Virtual Desktop |
| mrsglobalsteus2prod.blob.core.windows.net | 443 | Agent and SXS stack updates | AzureCloud |
| wvdportalstorageblob.blob.core.windows.net | 443 | Azure portal support | AzureCloud |
| *.microsoftonline.com | 443 | Authentication to MS Online Services | None |
| http://www.msftconnecttest.com | 443 | Detects if the OS is connected to the internet | None |
| login.windows.net | 443 | Login to MS Online Services, Office 365 | None |
| *.sfx.ms | 443 | Updates for OneDrive client software | None |
| *.digicert.com | 443 | Certificate revocation check | None |
RD Client rules:
This is the list of rules that should be applied for the RD Client on the company endpoint device to ensure no client-related issues.
| Address | Outbound TCP port | Purpose | Client(s) |
| --- | --- | --- | --- |
| aka.ms | 443 | Microsoft URL shortener | All |
| query.prod.cms.rt.microsoft.com | 443 | Client updates | Windows Desktop |
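As an added example (not part of the original article), the following PowerShell script walks the endpoint list above from a session host and separates the two common failure modes the article names, DNS and a blocked port. Wildcard entries cannot be tested as written, so a representative host is substituted for each; those substitutions and the KMS entry are assumptions, not values from the article.

```powershell
# Added example, not from the original article: check DNS resolution and TCP
# reachability for the WVD endpoints listed above, run from a session host.
# Wildcard rows use a representative host (assumption; adjust for your tenant).
# Manual equivalent with Sysinternals: psping -n 1 rdweb.wvd.microsoft.com:443

$Endpoints = @(
    [pscustomobject]@{ Host = 'rdweb.wvd.microsoft.com';                    Port = 443;  Purpose = 'Service traffic (*.wvd.microsoft.com)' }
    [pscustomobject]@{ Host = 'mrsglobalsteus2prod.blob.core.windows.net';  Port = 443;  Purpose = 'Agent and SXS stack updates' }
    [pscustomobject]@{ Host = 'wvdportalstorageblob.blob.core.windows.net'; Port = 443;  Purpose = 'Azure portal support' }
    [pscustomobject]@{ Host = 'login.microsoftonline.com';                  Port = 443;  Purpose = 'Authentication (*.microsoftonline.com)' }
    [pscustomobject]@{ Host = 'www.msftconnecttest.com';                    Port = 443;  Purpose = 'Internet connectivity detection' }
    [pscustomobject]@{ Host = 'login.windows.net';                          Port = 443;  Purpose = 'Login to MS Online Services' }
    [pscustomobject]@{ Host = 'oneclient.sfx.ms';                           Port = 443;  Purpose = 'OneDrive client updates (*.sfx.ms)' }
    [pscustomobject]@{ Host = 'ocsp.digicert.com';                          Port = 443;  Purpose = 'Certificate revocation (*.digicert.com)' }
    # Azure global KMS endpoint (assumption: not in the tables above, but the
    # "Windows 10 not Activated" symptom is usually TCP 1688 being blocked).
    [pscustomobject]@{ Host = 'kms.core.windows.net';                       Port = 1688; Purpose = 'Windows activation (KMS)' }
)

function Test-WvdEndpoint {
    param([string]$HostName, [int]$Port)
    # Step 1: DNS. A failure here points at the DNS rule or forwarder, not the port rule.
    $dns = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue
    if (-not $dns) { return [pscustomobject]@{ Dns = $false; Tcp = $false } }
    # Step 2: TCP handshake to the port (the same check "psping host:port" performs).
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Dns = $true; Tcp = [bool]$tcp.TcpTestSucceeded }
}

$results = foreach ($e in $Endpoints) {
    $r = Test-WvdEndpoint -HostName $e.Host -Port $e.Port
    [pscustomobject]@{
        Host    = $e.Host
        Port    = $e.Port
        DnsOk   = $r.Dns
        TcpOk   = $r.Tcp
        Verdict = if (-not $r.Dns) { 'DNS failure' } elseif (-not $r.Tcp) { 'Blocked / unreachable' } else { 'OK' }
        Purpose = $e.Purpose
    }
}

$results | Format-Table Host, Port, DnsOk, TcpOk, Verdict, Purpose -AutoSize
# Map anything not 'OK' back to the symptom list: DNS failure -> no internet or
# agent not updating; 443 blocked -> cannot connect to host pool; 1688 blocked -> not activated.
```

Run it on a session host in the affected host pool, since the rules you are validating are applied to that VNet's egress path, not to the administrator's workstation.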
This article has covered both Azure Firewall and third party firewall deployments with Windows Virtual Desktop. Both options have been covered and I have provided a high level insight into diagnosing WVD firewall related issues.
I personally prefer to use a third party firewall with Windows Virtual Desktop as it can allow you to standardise a firewall technology across platforms / multi cloud. However, for those who just need a firewall or are looking for a technology which is scalable and can be automated, the Azure Firewall is the one for you.