*Required URLs for WVD* - to ensure best WVD experience and required for support

%3CLINGO-SUB%20id%3D%22lingo-sub-2012051%22%20slang%3D%22en-US%22%3E*Required%20URLs%20for%20WVD*%20-%20to%20ensure%20best%20WVD%20experience%20and%20required%20for%20support%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2012051%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EIntroduction%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EMost%20Windows%20Virtual%20Desktop%20customers%20know%20that%20there%20is%20a%20list%20of%20URLs%20that%20are%20very%20important%20to%20WVD.%20What%20some%20people%20don%E2%80%99t%20know%20is%20that%20if%20the%20WVD%20session%20hosts%20(so%20all%20WVD%20VMs)%20cannot%20reach%20these%20URLs%2C%20the%20result%20is%20that%20the%20WVD%20deployment%20is%20in%20an%20unsupported%20state.%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Michel_Roth_1-1608722223570.png%22%20style%3D%22width%3A%20707px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F242502i63CAA514F73808CD%2Fimage-dimensions%2F707x195%3Fv%3D1.0%22%20width%3D%22707%22%20height%3D%22195%22%20role%3D%22button%22%20title%3D%22Michel_Roth_1-1608722223570.png%22%20alt%3D%22Michel_Roth_1-1608722223570.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20complete%20list%20of%20required%20URLs%20that%20the%20WVD%20Session%20Hosts%20need%20to%20reach%20is%20listed%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fsafe-url-list%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWindows%20Virtual%20Desktop%20Required%20URL%20list%20-%20Azure%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EProblems%20when%20required%20URLs%20cannot%20be%20reached%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EEven%20if%20you%2C%20for%20whatever%20reason%2C%20are%20not%20keen%20on%20making%20sure%20the%20URL%20list%20is%20reachable%20for%20all%20Session%20Hosts%2C%20you%20really%20should%20because%20it%20negatively%20impacts%20the%20quality%20of%20the%20WVD%20service%20and%20could%20lead%20to%20higher%20costs.%20Here%20are%20some%20problems%20you%20might%20run%20into%20because%20the%20session%20hosts%20cannot%20communicate%20with%20the%20URLs%20on%20the%20list%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20session%20host%20cannot%20communicate%20its%20status%20to%20the%20WVD%20control%20plane.%20Your%20users%20may%20be%20redirected%20to%20a%20server%20that%20is%20offline%2C%20unhealthy%20or%20otherwise%20a%20bad%20choice%20for%20a%20user%20connection.%20Obviously%2C%20this%20will%20result%20in%20a%20bad%20user%20experience.%3C%2FLI%3E%0A%3CLI%3EAdding%20hosts%20to%20a%20host%20pool%20either%20via%20the%20WVD%20blade%20in%20the%20Azure%20Portal%2C%20via%20a%20script%20or%20even%20via%20autoscaling%20might%20fail%20or%20may%20provision%20the%20wrong%20amount%20of%20VMs.%20This%20could%20be%20too%20little%20VM%20but%20also%20(way)%20too%20much%20VMs%20leading%20to%20a%20bad%20user%20experience%20or%20unexpected%20high%20costs.%3C%2FLI%3E%0A%3CLI%3EThe%20WVD%20blade%20in%20the%20Azure%20Portal%20may%20show%20the%20wrong%20status%20from%20the%20WVD%20agent%20giving%20you%20inaccurate%20or%20incomplete%20data%20to%20base%20your%20management%20operations%20and%20support%20decisions.%20This%20impacts%20the%20quality%20of%20the%20WVD%20services%20provided%20to%20your%20end%20users%20or%20customers.%3C%2FLI%3E%0A%3CLI%3EYou%20may%20not%20have%20the%20latest%20version%20of%20the%20WVD%20agent(s)%3A%20The%20agents%20are%20auto-updating%20and%20require%20to%20know%20which%20versions%20are%20installed%20or%20that%20there%20is%20a%20new%20version%20available.%20This%20check%20and%20update%20won%E2%80%99t%20be%20possible%2C%20if%20the%20session%20host%20cannot%20communicate%20this%20information%20to%20the%20WVD%20control%20plane.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThese%20are%20just%20some%20examples.%20There%20could%20also%20be%20other%20unexpected%20results.%20In%20fact%2C%20many%20-if%20not%20all-%20future%20WVD%20features%20will%20depend%20on%20accurate%20information%20about%20your%20deployment%20so%20access%20to%20the%20RequiredURL%20list%20is%20critical.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EUnfortunately%2C%20it%E2%80%99s%20not%20always%20easy%20to%20tell%20if%20(one%20or%20more%20of%20)%20the%20required%20URLs%20are%20blocked%20because%20users%20are%20successfully%20connecting.%20As%20you%20can%20tell%20from%20the%20example%20problems%2C%20the%20fact%20that%20users%20can%20successfully%20connect%20to%20their%20session%20does%20not%20mean%20that%20there%20are%20not%20problems%20looming%20%E2%80%93%20also%20with%20the%20supported%20state%20of%20your%20WVD%20deployment.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EMaking%20sure%20the%20required%20URLs%20can%20be%20reached%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ESo%2C%20to%20be%20proactive%2C%20it%E2%80%99s%20important%20to%20make%20sure%20that%20communication%20from%20the%20session%20hosts%20to%20the%20required%20URL%20list%20can%20flow.%20Since%20almost%20all%20ports%20the%20WVD%20agents%20uses%20to%20communicate%20with%20the%20control%20plane%20are%20web%20ports%2C%20be%20sure%20to%20exclude%20the%20traffic%20from%20any%20kind%20of%20proxy%20inspection%2Finterception%20as%20well%2C%20in%20additional%20to%20firewalls%2C%20NVAs%20and%20other%20usual%20suspects.%20A%20good%20example%20on%20how%20to%20configure%20a%20firewall%20with%20Windows%20Virtual%20Desktop%20can%20be%20found%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Ffirewall%252Fprotect-windows-virtual-desktop%26amp%3Bdata%3D04%257C01%257CMichel.Roth%2540microsoft.com%257Cec1fbe17041944b427e608d8961f5ac7%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C1%257C637424408697201649%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DrGmrjnq4tiOMNwX8eIWp%252Bp2C1aMk5FJba6S588eLwtU%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EUse%20Azure%20Firewall%20to%20protect%20Windows%20Virtual%20Desktop%20%7C%20Microsoft%20Docs%3C%2FA%3E.%20In%20this%20article%20Azure%20Firewall%20is%20used%2C%20but%20the%20same%20design%20pattern%20is%20also%20applicable%20to%20other%20Firewalls.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20you%20have%20made%20sure%20the%20required%20URLs%20are%20reachable%20from%20the%20session%20hosts%20you%20should%20check%20it%2C%20just%20to%20make%20sure%20it%20works.%20One%20quick%20and%20easy%20way%20to%20verify%20if%20the%20WVD%20agents%20can%20reach%20the%20required%20URLs%20is%20by%20checking%20the%20event%20log%20for%20source%20%E2%80%9CWVD-Agent%E2%80%9D%20on%20a%20representative%20session%20host%20(use%20a%20production%20session%20host%2C%20not%20a%20test%20session%20host).%20When%20all%20is%20well%2C%20you%20will%20only%20see%20Event%20ID%203701%20like%20the%20example%20below%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Michel_Roth_0-1608722177333.png%22%20style%3D%22width%3A%20577px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F242501i504795ADDCF51BBB%2Fimage-dimensions%2F577x563%3Fv%3D1.0%22%20width%3D%22577%22%20height%3D%22563%22%20role%3D%22button%22%20title%3D%22Michel_Roth_0-1608722177333.png%22%20alt%3D%22Michel_Roth_0-1608722177333.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhen%20something%20is%20wrong%20you%20will%20see%20warnings%20with%20Event%20ID%203702%20or%20errors%20with%20event%20ID%203703%20showing%20which%20URLs%20cannot%20be%20reached.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnother%20option%20for%20customers%20using%20the%20ARM%20release%2C%20is%20to%20check%20Azure%20Advisor%20(which%20is%20always%20a%20good%20idea).%20In%20case%20there%20the%20WVD%20agents%20cannot%20reach%20the%20required%20URLs%2C%20you%20will%20see%20this%20message%20under%20the%20Operational%20Excellence%20section%3A%20%E2%80%9C%3CA%20href%3D%22https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fazure%252Fvirtual-desktop%252Fazure-advisor-recommendations%2523not-enough-links-are-unblocked-to-successfully-implement-your-vm%26amp%3Bdata%3D04%257C01%257CMichel.Roth%2540microsoft.com%257Cec1fbe17041944b427e608d8961f5ac7%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C1%257C637424408697201649%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DyDv7Ql2QL%252BK%252BCsekizUKSFA2%252BlrQAlGdTJK%252FUCXjkqo%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ENot%20enough%20links%20are%20unblocked%20to%20successfully%20implement%20your%20VM%3C%2FA%3E%E2%80%9D%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20future%20you%20can%20expect%20more%20help%20from%20us%20in%20making%20it%20easier%20to%20see%20when%20the%20required%20URLs%20cannot%20be%20reached%2C%20but%20it%20will%20always%20be%20a%20best%20practice%20to%20make%20sure%20the%20required%20URLs%20are%20reachable%20from%20the%20session%20hosts%20right%20from%20the%20very%20start%20of%20your%20Windows%20Virtual%20Desktop%20deployment.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Introduction

Most Windows Virtual Desktop customers know that there is a list of URLs that are very important to WVD. What some people don’t know is that if the WVD session hosts (so all WVD VMs) cannot reach these URLs, the result is that the WVD deployment is in an unsupported state.

Michel_Roth_1-1608722223570.png

The complete list of required URLs that the WVD Session Hosts need to reach is listed here: Windows Virtual Desktop Required URL list - Azure | Microsoft Docs

 

Problems when required URLs cannot be reached

Even if you, for whatever reason, are not keen on making sure the URL list is reachable for all Session Hosts, you really should because it negatively impacts the quality of the WVD service and could lead to higher costs. Here are some problems you might run into because the session hosts cannot communicate with the URLs on the list:

 

  • The session host cannot communicate its status to the WVD control plane. Your users may be redirected to a server that is offline, unhealthy or otherwise a bad choice for a user connection. Obviously, this will result in a bad user experience.
  • Adding hosts to a host pool either via the WVD blade in the Azure Portal, via a script or even via autoscaling might fail or may provision the wrong amount of VMs. This could be too little VM but also (way) too much VMs leading to a bad user experience or unexpected high costs.
  • The WVD blade in the Azure Portal may show the wrong status from the WVD agent giving you inaccurate or incomplete data to base your management operations and support decisions. This impacts the quality of the WVD services provided to your end users or customers.
  • You may not have the latest version of the WVD agent(s): The agents are auto-updating and require to know which versions are installed or that there is a new version available. This check and update won’t be possible, if the session host cannot communicate this information to the WVD control plane.

 

These are just some examples. There could also be other unexpected results. In fact, many -if not all- future WVD features will depend on accurate information about your deployment so access to the RequiredURL list is critical.


Unfortunately, it’s not always easy to tell if (one or more of ) the required URLs are blocked because users are successfully connecting. As you can tell from the example problems, the fact that users can successfully connect to their session does not mean that there are not problems looming – also with the supported state of your WVD deployment.

 

Making sure the required URLs can be reached

So, to be proactive, it’s important to make sure that communication from the session hosts to the required URL list can flow. Since almost all ports the WVD agents uses to communicate with the control plane are web ports, be sure to exclude the traffic from any kind of proxy inspection/interception as well, in additional to firewalls, NVAs and other usual suspects. A good example on how to configure a firewall with Windows Virtual Desktop can be found here: Use Azure Firewall to protect Windows Virtual Desktop | Microsoft Docs. In this article Azure Firewall is used, but the same design pattern is also applicable to other Firewalls.

 

Once you have made sure the required URLs are reachable from the session hosts you should check it, just to make sure it works. One quick and easy way to verify if the WVD agents can reach the required URLs is by checking the event log for source “WVD-Agent” on a representative session host (use a production session host, not a test session host). When all is well, you will only see Event ID 3701 like the example below:

Michel_Roth_0-1608722177333.png

 

When something is wrong you will see warnings with Event ID 3702 or errors with event ID 3703 showing which URLs cannot be reached.

 

Another option for customers using the ARM release, is to check Azure Advisor (which is always a good idea). In case there the WVD agents cannot reach the required URLs, you will see this message under the Operational Excellence section: “Not enough links are unblocked to successfully implement your VM

 

In the future you can expect more help from us in making it easier to see when the required URLs cannot be reached, but it will always be a best practice to make sure the required URLs are reachable from the session hosts right from the very start of your Windows Virtual Desktop deployment.

0 Replies