Skip to main content
Solved

Windows 365 or Azure Virtual Desktop and Netskope Client - Best Practices

  • November 28, 2022
  • 4 replies
  • 3 views
S
Forum|alt.badge.img+8

In order to ensure the correct functioning of the Azure Virtual Desktop or Windows 365 machine when deploying the Netskope Agent on it we have to take care of some Steering Exceptions:

  1. MANDATORY: Destination Location Steering Exceptions for Azure Virtual Desktop RDGateways IPs (Remote Desktop Gateways service tags related IPs)

  2. OPTIONAL: Destination Location Steering Exceptions for Azure Virtual Desktop Monitoring IPs (Azure Monitor service tags related IPs)

  3. OPTIONAL: Application/Process (Certificate Pinned Application) Steering Exceptions for Azure Virtual Desktop agents running on the Virtual Desktop

Destination Location Steering Exceptions

Microsoft provides a Json file with all the Azure destinations at the address: https://www.microsoft.com/en-us/download/details.aspx?id=56519

Unfortunately though this list contains all the destinations used by the Azure infrastructure, divided by β€œService Tags” (services). As we definitely don’t want to exclude all the Azure destination from the steering we must only take the destinations involved with the Virtual Desktop infrastructure.

The Service Tags we must consider for the steering exclusions are the following:

  1. The IP addresses of the Virtual Desktop Gateways that can be found under the β€œWindowsVirtualDesktop” Service Tag.

  2. To the above we must additionally add the traffic destined to the IPs 169.254.169.254/32 and 168.63.129.16/32 (these 2 addresses are common for AVD and Windows 365 deployments)

  3. The IP addresses of the monitoring traffic that can be found under the β€œAzureMonitor” Service Tag.

All the above Service Tags (and IPs) are mentioned on the article: https://docs.microsoft.com/en-us/azure/virtual-desktop/safe-url-list

Manually extracting the IPs from the Microsoft Service Tag document can be challenging, hence we’ve developed a Python script that will help in creating from the Microsoft Json file a simple CSV file that can be used to create the appropriate exceptions. Please find the python script attached to this blog.

To use the Python script:

  1. Download the latest Json file from the Microsoft Website at the address: Azure IP Ranges and Service Tags – Public Cloud

  1. Place the Json file and the Python script under the same folder, and rename the Json file as β€œAzureIPs.json”

  2. Run the Python script from a privileged command prompt (tested both on MAC and Windows machines)

  3. Verify the content of the file β€œAzureWVD.csv” that should have been created on the same folder. It be a 2-lines file where the first line starts with "AzureWVD" and the second with "AzureMonitor"

Once we have the CSV, in order to create the desired steering exceptions with it do the following:

  1. On the Netskope UI select β€œPolicies” - β€œNetwork Locations”

  2. Select β€œNew Network Location” - β€œMultiple Objects”

  3. Upload the file β€œAzureWVD.csv”

  4. Verify the newly created β€œAzureWVD” and β€œAzureMonitor” network location to see if they contain the imported IPs

  5. Apply the changes clicking on β€œApply changes”

  6. Open the Netskope Setting UI and navigate to β€œSecurity Cloud Platform” - β€œSteering Configuration”, select the Steering Configuration (by default the β€œDefault tenant config”) and select the β€œEXCEPTIONS” tab

  7. Select β€œNew Exception” - β€œDestination Location”

  8. Select the β€œAzureWVD” destination location.

  9. OPTIONALLY, if you want to exclude from steering the Virtual Desktop Agent traffic for monitoring purposes select the β€œAzureMonitor” destination location too. By default we don’t recommend to exclude this traffic to avoid excluding too many destinations that may be used or repurposed in the future for more activities that we would like to monitor.

  10. Select β€œTreat like local IP address” and provide a description like β€œMicrosoft Azure VDI”

  11. Click β€œSave”

OPTIONAL - Application Steering Exceptions

Azure Virtual Desktops are installed with an Azure agent that runs several services performing many connections to different Azure services for different purposes. Excluding these agents from the traffic steering will ensure that the Azure communications performed by the agent won’t flow through Netskope. That said excluding the Azure agents traffic may lead to some loss of visibility as there can be some activities performed by the Azure agents we’d like to monitor. It’s not fully clear to us what potential activities the agents could perform, so we don’t recommend to exclude them from the steering, and we recommend to include the following exceptions only if the customer wants to send to Netskope the bare minimum of Azure traffic.

This optional second step is to configure a series of exclusions for specific Azure Virtual Desktop processes that run on the machine. Despite those are not properly Certificate Pinned Applications, as their traffic can technically be inspected, we can treat them as such to allow a bypass based on the service rather than sources/destinations.

The list of processes that we want optionally to exclude from steering is the following:

  1. WindowsAzureGuestAgent.exe: Azure VM Agent service
  2. WaAppAgent.exe: Azure RD Agent service
  3. WindowsAzureNetAgent.exe: Azure Network Agent service
  4. WindowsAzureTelemetryService.exe: Azure Telemetry Service
  5. metricsextension.native.exe: Azure Monitor Agent
  6. rdagentbootloader.exe: Azure Agent Bootloader

In order to create the Steering Exceptions

  1. On the Netskope Settings UI navigate to β€œSecurity Cloud Platform” - β€œSteering Configuration”, select the Steering Configuration (by default the β€œDefault tenant config”) and select the β€œEXCEPTIONS” tab
  2. Click on β€œNew Exception” and select β€œCertificate Pinned Application”
  3. Click on the field β€œCertificate Pinned App = None” and select the β€œ+” button to add the Application
  4. On the β€œNew Certificate Pinned Application” window select β€œWindows” as β€œPLATFORM” and starting from the first application from the list above fill the β€œDEFINITION” field with the service name and the β€œAPPLICATION NAME” field on top with the description and click β€œSave”
  5. At this point select the newly created application on the β€œCertificate Pinned App” field and write β€œ*” (star) as β€œCustom Apps Domains” to include all the traffic that the application would generate, then optionally provide a description like β€œMicrosoft Azure VDI”, and lastly click β€œSave”
  6. Repeat the steps above for all the 6 processes listed above

Maintenance of the Network Destination lists

Microsoft will change/update the list of destinations in their Service Tags file and publish a new version of it. This update is quite frequent, in the other of weeks.
It is our experience with tests and working with customers that the IP addresses of the Remote Desktop Gateways don’t almost change, or they may change very infrequently. For this reason we’d recommend to update the list of exclusions only if the customer’s experiencing disconnections from the Virtual Desktop upon login, which may indicate that the connection to the RD Gateway is not being excluded, possibly because Microsoft has added or modified the list of RD Gateways IPs.

Please also note that this procedure effectively removes the current steering bypass and a new one must be created !

In order to update the β€œAzureWVD” and β€œAzureMonitor” Network Destination lists do the following:

  1. Download the latest Json file from the Microsoft Website at the address:Azure IP Ranges and Service Tags – Public Cloud

  1. Place the Json file and the Python script under the same folder, and rename the Json file as β€œAzureIPs.json”

  2. Run the Python script from a privileged command prompt (tested both on MAC and Windows machines)

  3. Verify the content of the file β€œAzureWVD.csv” that should have been created on the same folder. It be a 2-lines file where the first line starts with "AzureWVD" and the second with "AzureMonitor"

Once we have the CSV, in order to create the desired steering exceptions with it do the following:

  1. In the Netskope UI select β€œPolicies” - β€œNetwork Locations”

  2. Select β€œNew Network Location” - β€œMultiple Objects”

  3. Upload the file β€œAzureWVD.csv”. You’ll notice that the UI seems to indicate there are duplicated entries for β€œAzureVWD” and β€œAzureMonitor”. This is ok, the new ones will actually overwrite the old ones upon Applying the config !

  4. Verify the newly created β€œAzureWVD” and β€œAzureMonitor” network location to see if they contain the newly imported IPs

  5. Apply the changes clicking on β€œApply changes”. You will notice that the duplicated entries will disappear as the new lists will overwrite the old ones

  6. We must re-create the Steering Exceptions as the previous ones would be deleted upon the destination Location overwrite !

  7. Open the Netskope Setting UI and navigate to β€œSecurity Cloud Platform” - β€œSteering Configuration”, select the Steering Configuration (by default the β€œDefault tenant config”) and select the β€œEXCEPTIONS” tab

  8. Select β€œNew Exception” - β€œDestination Location”

  9. Select the β€œAzureWVD” destination location.

  10. OPTIONALLY, if you want to exclude from steering the Virtual Desktop Agent traffic for monitoring purposes select the β€œAzureMonitor” destination location too. By default we don’t recommend to exclude this traffic to avoid excluding too many destinations that may be used or repurposed in the future for more activities that we would like to monitor.

  11. Select β€œTreat like local IP address” and provide a description like β€œMicrosoft Azure VDI”

  12. Click β€œSave”

Best answer by sartioli

Apparently the download doesn't work. Here is the Python script:

import json import csv f = open('AzureIPs.json') data = json.load(f) f.close() def solve(key, val, lis): return next((i for i, d in enumerate(lis) if d[key] == val), None) WVD_index=solve('id', 'WindowsVirtualDesktop', data['values']) MNT_index=solve('id', 'AzureMonitor', data['values']) print(WVD_index) print(MNT_index) with open('AzureWVD.csv', mode='w+') as csv_file: f = csv.writer(csv_file, delimiter=',', lineterminator=' ') WVD = data["values"][WVD_index]["properties"]["addressPrefixes"] MNT = data["values"][MNT_index]["properties"]["addressPrefixes"] WVD_Full = ["AzureWVD","168.63.129.16/32","169.254.169.254/32"] WVD_Full.extend(WVD) f.writerow(WVD_Full) MNT_Full = ["AzureMonitor"] MNT_Full.extend(MNT) f.writerow(MNT_Full)

    4 replies

    K
    Forum|alt.badge.img+2
    • kshkc874
    • May 17, 2023

    Hi team,

     

    Everything is fine however I am not able to find the Python Script attachment anywhere.

     

    Can someone help me to get it.

     

    Thank you.

     

    Regards,

    KC

      S
      Forum|alt.badge.img+8
      • sartioli
      • Author
      • May 19, 2023

      Hi KC,

      aren't you able to download the file "AzureWVD.zip" at the bottom of the article ?

       

      Regards,

      Stefano Artioli

      K

      i cannot download the python file can you help

        S
        Forum|alt.badge.img+8
        • sartioli
        • Author
        • Answer
        • June 26, 2023

        Apparently the download doesn't work. Here is the Python script:

        import json import csv f = open('AzureIPs.json') data = json.load(f) f.close() def solve(key, val, lis): return next((i for i, d in enumerate(lis) if d[key] == val), None) WVD_index=solve('id', 'WindowsVirtualDesktop', data['values']) MNT_index=solve('id', 'AzureMonitor', data['values']) print(WVD_index) print(MNT_index) with open('AzureWVD.csv', mode='w+') as csv_file: f = csv.writer(csv_file, delimiter=',', lineterminator=' ') WVD = data["values"][WVD_index]["properties"]["addressPrefixes"] MNT = data["values"][MNT_index]["properties"]["addressPrefixes"] WVD_Full = ["AzureWVD","168.63.129.16/32","169.254.169.254/32"] WVD_Full.extend(WVD) f.writerow(WVD_Full) MNT_Full = ["AzureMonitor"] MNT_Full.extend(MNT) f.writerow(MNT_Full)

        Badge Winners

        • Solutions - 10
          mkoyfmanhas earned the badge Solutions - 10
        • Solutions - 10
          sshifletthas earned the badge Solutions - 10
        • Solutions - 10
          VarunKhas earned the badge Solutions - 10
        • Solutions - 2
          mkoyfmanhas earned the badge Solutions - 2
        • Solutions - 2
          rosshas earned the badge Solutions - 2
        View All

        Not finding what you're looking for?

        Don't be shy and let us know about your challenge.

        Ask your question here!
        Terms & ConditionsAccessibility statement