Forum Discussion

Cato_Fan_2024
4 days ago

Azure Virtual Desktop Session Host Routing

Hi, has anyone ever set up a route table on Azure so that the route to Microsoft Login subnets goes out through Cato? When we tried doing this, to make sure our AVD users are protected by Cato, users stopped being able to connect to session hosts through the AVD FQDN (broker).

I suspect that it's either TLS Inspection being enabled for the Microsoft Login app (has never been an issue for our laptop users), or that the AVD brokering system needs Microsoft Login traffic to go through the internet instead of a private route for some reason.

2 Replies

  • Hi

    We also have an Azure Virtual Desktop Environment with Internet Access over Cato.

    I think you have to make sure that IP 168.63.129.16 is routed with a UDR to "Internet".

    Plus what I forgot first: KMS activation IPs 20.118.99.224 and 40.83.235.53 must also be routed to "Internet".

    Default route points to Cato.

    Best regards,

    Andy

     

    • We tried paring back to only routing the subnets below (Microsoft Login app) and still were unable to connect through the AVD FQDN. Only the subnets below were being routed through Cato and that was enough to stop authentication in its tracks. I'm going to try disabling TLS inspection to the Microsoft Login app to see if maybe that's interfering with the Windows 365 client app.

      20.190.128.0/18
      40.126.0.0/18
      20.20.32.0/19
      20.231.128.0/19
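
An added example, not part of any post in this thread: a small Python model of Azure route selection (longest prefix match, with a user-defined route preferred over a system route of the same prefix), applied to the two layouts described above to check which destinations would be sent to Cato. The `VirtualAppliance` label standing in for the Cato next hop, the route tuples and the probe addresses are constructed assumptions.

```python
import ipaddress

# Azure system default route, used when no user-defined route (UDR) overrides it.
SYSTEM_ROUTES = [("0.0.0.0/0", "Internet", "system")]

# Constructed model of the first reply: default route to Cato, exceptions to Internet.
# "VirtualAppliance" is a stand-in for the Cato next hop (its address is not on the page).
DEFAULT_TO_CATO_UDRS = [
    ("0.0.0.0/0", "VirtualAppliance", "user"),
    ("168.63.129.16/32", "Internet", "user"),
    ("20.118.99.224/32", "Internet", "user"),
    ("40.83.235.53/32", "Internet", "user"),
]

# Constructed model of the follow-up test: only the Microsoft Login subnets go to Cato.
LOGIN_ONLY_UDRS = [
    (prefix, "VirtualAppliance", "user")
    for prefix in ("20.190.128.0/18", "40.126.0.0/18",
                   "20.20.32.0/19", "20.231.128.0/19")
]


def effective_next_hop(udrs, dst):
    """Return (next_hop, matched_prefix): longest prefix wins, UDR beats system on a tie."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, hop, source in udrs + SYSTEM_ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            candidates.append((net.prefixlen, source == "user", hop, str(net)))
    _, _, hop, matched = max(candidates)
    return hop, matched


def audit(udrs, destinations):
    """Map each probe address to the route that would carry it."""
    return {dst: effective_next_hop(udrs, dst) for dst in destinations}


if __name__ == "__main__":
    # Constructed probes: the three exception IPs, one address inside each
    # Microsoft Login subnet, and a documentation address for "everything else".
    probes = ["168.63.129.16", "20.118.99.224", "40.83.235.53", "20.190.128.10",
              "40.126.1.1", "20.20.40.1", "20.231.130.5", "203.0.113.10"]
    for name, table in (("default-to-Cato", DEFAULT_TO_CATO_UDRS),
                        ("login-subnets-only", LOGIN_ONLY_UDRS)):
        print(name)
        for dst, (hop, matched) in audit(table, probes).items():
            print(f"  {dst:<16} -> {hop:<16} via {matched}")
```

Comparing this output with the effective routes shown on a session host's NIC is a quick way to confirm that the login subnets, and nothing else, changed path between a working and a failing configuration.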