Forum Discussion
Optimizing RDP Connectivity for Windows 365
PaulCollinge is there no way to achieve this with only URLs, instead of having the quality of our enterprise VDI environment reliant on an IP list that is regularly changing and needs to be maintained monthly like a pet?
The answer depends on the solution you're using. Some VPN/SWG software allows configuration using wildcard FQDNs; where that's possible you can use *.wvd.microsoft.com. Others don't support wildcard FQDNs, so you'll have to use the IP list. We're working on consolidating the IP space into a small number of subnets which won't change regularly, which will resolve this particular challenge; however, that will take some considerable time to complete.
- mmmiller60, Feb 16, 2023, Copper Contributor
PaulCollinge Thank you so much for the speedy response and the clarification! Apologies, it was not clear to me from the article that either the IPs OR the URL are used, but both are not needed. We are using Zscaler so URLs are supported (step #b confused me since it mentioned using the IPs, but I guess that was included for informational purposes and is not required). When we create an exclusion for *.wvd.microsoft.com do we also still need to exclude 169.254.169.254 and 168.63.129.16, or does that URL cover them as well?
If we do still exclude those 2 IPs, is there any potential for them to ever change?
- PaulCollinge, Feb 17, 2023, Microsoft
Zscaler cannot use wildcard FQDNs in the config above, which is why IPs are used in the example. You should also include the two IPs mentioned, as they are both not included in the RDP IP information. I don't expect them to change, as they are used pervasively within Azure.
- mmmiller60, Feb 18, 2023, Copper Contributor
PaulCollinge Yes, haha, I found out the hard way that wildcards are not supported when I tried to add it!
I have engaged with our Zscaler team and added the context that this is impacting our entire agency cloud VDI journey. They informed me they do already have an existing ER (enhancement request), and they added us to it. Anyone reading this that is a customer, please do call in and get added to the ER. They are also researching internally with the engineering team to see if there is any other way they could exclude wildcard-based traffic from ZIA, and I will share here if they come up with anything.
Also, since URL exceptions are supported by Zscaler, I'm wondering if there is any way we could find out the appropriate itemized non-wildcard URLs; would the AVD URL checker do the trick?
https://learn.microsoft.com/en-us/azure/virtual-desktop/required-url-check-tool
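The thread turns on one point that is easy to get wrong when reviewing a proxy bypass list: a wildcard FQDN rule such as *.wvd.microsoft.com only ever matches hostnames, so the two IP-literal Azure destinations (169.254.169.254 and 168.63.129.16) have to be listed separately, exactly as PaulCollinge says above. The script below is an added example, not code from the thread, from Microsoft or from Zscaler. It reads a bypass list in a simple constructed format (comments, "*." wildcard FQDNs, exact hostnames, IP addresses or CIDR blocks) and reports which observed destinations would bypass the SWG and which would still be proxied. The matching semantics are an assumption for illustration (a "*." entry matches subdomains only, never the apex), and the hostnames under wvd.microsoft.com are constructed, not real endpoints; a real product's wildcard handling may differ, so treat this as a way to sanity-check a list before deployment rather than as a statement of how any vendor evaluates rules.

```python
import ipaddress

# Constructed bypass list in the spirit of the thread: one wildcard FQDN
# rule plus the two Azure IPs. Assumed semantics (not a vendor's): a "*."
# entry matches subdomains only, a bare hostname matches exactly, and
# anything that parses as an IP address or CIDR block is an IP rule.
SAMPLE_RULES = [
    "# Windows 365 / AVD RDP endpoints",
    "*.wvd.microsoft.com",
    "169.254.169.254",
    "168.63.129.16",
]

# Constructed destinations, as a proxy log or capture might show them.
# The hostname under wvd.microsoft.com is made up for illustration;
# 203.0.113.10 is documentation address space.
SAMPLE_DESTINATIONS = [
    "example-gateway.wvd.microsoft.com",
    "wvd.microsoft.com",
    "169.254.169.254",
    "168.63.129.16",
    "203.0.113.10",
    "other.example.com",
]


def parse_rules(lines):
    """Return a list of ("ip", ip_network) and ("fqdn", pattern) tuples."""
    rules = []
    for raw in lines:
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        try:
            # Bare addresses become /32 (or /128) networks.
            rules.append(("ip", ipaddress.ip_network(entry, strict=False)))
            continue
        except ValueError:
            pass
        rules.append(("fqdn", entry))
    return rules


def _as_ip(dest):
    """Parse an IP-literal destination; None if it is a hostname."""
    try:
        return ipaddress.ip_address(dest)
    except ValueError:
        return None


def is_bypassed(dest, rules):
    """True if at least one bypass rule matches the destination.

    An IP-literal destination can only be matched by an IP rule: a
    wildcard FQDN says nothing about 169.254.169.254, which is why the
    two Azure IPs must be added explicitly alongside *.wvd.microsoft.com.
    """
    dest = dest.strip().lower().rstrip(".")
    addr = _as_ip(dest)
    for kind, value in rules:
        if kind == "ip":
            if addr is not None and addr in value:
                return True
        elif addr is None:
            if value.startswith("*."):
                # "*.wvd.microsoft.com" -> suffix ".wvd.microsoft.com"
                if dest.endswith(value[1:]):
                    return True
            elif dest == value:
                return True
    return False


def evaluate(rule_lines, destinations):
    """Map each destination to whether it bypasses the proxy."""
    rules = parse_rules(rule_lines)
    return {d: is_bypassed(d, rules) for d in destinations}


def still_proxied(rule_lines, destinations):
    """Destinations the bypass list does not cover, i.e. RDP traffic
    that would still be inspected by the SWG."""
    results = evaluate(rule_lines, destinations)
    return sorted(d for d, ok in results.items() if not ok)


if __name__ == "__main__":
    for dest, ok in evaluate(SAMPLE_RULES, SAMPLE_DESTINATIONS).items():
        print(f"{dest:40} {'bypass' if ok else 'proxied'}")
    print("FQDN-only list leaves proxied:",
          still_proxied(["*.wvd.microsoft.com"], SAMPLE_DESTINATIONS))
```

Running it with only the wildcard rule shows both Azure IPs in the "still proxied" set, which is the gap the thread is about; adding the two IP entries clears it. Swapping SAMPLE_RULES for an exported IP list and SAMPLE_DESTINATIONS for hostnames and addresses pulled from proxy logs gives a quick regression check each time the published IP ranges are refreshed.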