SOLVED

Problem provisioning a host pool behind proxy


Hi,

 

I am trying to provision a host pool to a subnet which is firewalled. All virtual machines (including session hosts) are supposed to have internet access through a proxy server.
The problem is that WVD host pool provisioning uses the DSC VM extension and tries to download the configuration from a source that is not accessible by the VMs.
Wondering if there is any workaround for this problem.

2 Replies
best response confirmed by Eva Seydl (Microsoft)
Solution

@vadood2120 : At the moment, we do not support proxies for the deployment stage. For now, I would recommend two options:

1. If you're early in testing, I would start with manual provisioning (https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-powershell).

2. If you're beginning to push towards pilot/POC/production pilot, I would recommend forking our GitHub repo indicated here in the ARM template steps: https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-arm-template . You can then host local versions of the files, then edit the _artifactsLocation parameter to point to your local versions. Unfortunately, this means you won't get all of the changes immediately, but you can manually keep your repo in sync with ours.

@vadood2120
Now I face the same problem as you. My organization wants to make WVD on a private network, so I use AzureFW to filter outbound.

In Pic1, the first 6 rules are the ones the WVD document recommends opening outbound. The ones after that are for Log Analytics and Automation services.

Although we opened the rules shown in Pic1 to connect to WVD services, and we can reach them and work (if we have already deployed a host pool), we have an issue when deploying a new host pool: the deployment fails.

So I queried the Azure Firewall service log and got some FQDN traffic during deployment. Pic2 shows the additional FQDNs that I found and added to the firewall allow list, so I can successfully deploy the host pool.

But to be safe, you may want to open all 443 outbound, because the FQDNs vary every month or week; I just added more FQDNs this week.

 

Pic:1

clipboard_image_0.png

 

clipboard_image_1.png
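The firewall-log approach described in the reply above can be scripted so that the allow list is rebuilt from denied requests after each failed deployment. This is an added example, not part of the original posts or of any Microsoft tooling. It assumes the application rule message layout shown in the constructed sample lines; the subnet, hostnames and rule names are placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed message layout of Azure Firewall application rule logs (msg_s field).
MSG_RE = re.compile(
    r"^HTTPS? +request from (?P<src>[\d.]+):\d+ to "
    r"(?P<fqdn>[A-Za-z0-9.-]+):(?P<port>\d+)\. Action: (?P<action>Allow|Deny)\."
)

# Constructed sample lines; hosts, addresses and rule names are placeholders.
DENY = "Action: Deny. No rule matched. Proceeding with default action"
SAMPLE_LOG = [
    "HTTPS request from 10.0.1.4:50112 to broker.example.net:443. "
    "Action: Allow. Rule Collection: wvd-core. Rule: broker",
    f"HTTPS request from 10.0.1.4:50120 to artifacts.example.net:443. {DENY}",
    f"HTTPS request from 10.0.1.5:50133 to Artifacts.Example.net:443. {DENY}",
    f"HTTPS request from 10.0.1.4:50140 to dsc-modules.example.org:443. {DENY}",
    f"HTTP  request from 10.0.1.4:50150 to updates.example.com:80. {DENY}",
    f"HTTPS request from 10.0.2.9:41000 to unrelated.example.com:443. {DENY}",
    "truncated entry without the expected fields",
]

def denied_fqdns(lines, session_host_subnet):
    """Count denied (fqdn, port) pairs requested from the session-host subnet."""
    net = ip_network(session_host_subnet)
    hits, unparsed = Counter(), []
    for line in lines:
        m = MSG_RE.match(line.strip())
        try:
            src = ip_address(m["src"]) if m else None
        except ValueError:
            src = None
        if src is None:
            unparsed.append(line)  # keep for manual inspection, never guess
        elif m["action"] == "Deny" and src in net:
            hits[(m["fqdn"].lower().rstrip("."), int(m["port"]))] += 1
    return dict(hits), unparsed

def allowlist_candidates(hits, allowed_ports=(443,)):
    """Split denied targets into exact-FQDN rule candidates and items to review."""
    candidates = sorted(f for (f, p) in hits if p in allowed_ports)
    review = sorted(f"{f}:{p}" for (f, p) in hits if p not in allowed_ports)
    return candidates, review

if __name__ == "__main__":
    hits, unparsed = denied_fqdns(SAMPLE_LOG, "10.0.1.0/24")
    candidates, review = allowlist_candidates(hits)
    print("add as exact FQDN rules:", candidates)
    print("review before allowing:", review)
    print("unparsed lines:", len(unparsed))
```

Restricting the count to the session-host subnet and to exact FQDNs keeps the resulting rules scoped to what the deployment actually requested.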