I have a virtual firewall (Palo Alto) in Azure that is used for Internet traffic for our servers and Azure virtual desktops. We have an IPSec VPN between the Palo and Zscaler cloud. Traffic is filtered through the tunnel to Azure.
Unlike traditional virtual desktop applications in a datacenter (Citrix, etc.), Microsoft has the AVD traffic come in through their own IPs and firewall (whatever that is). However, return traffic back to the client for AVD goes through my firewall, and therefore, Zscaler. This does not work. You can’t even connect to the desktop with the Zscaler VPN enabled, probably because it breaks stateful traffic. When I disable Zscaler redirection, it works fine.
We cannot use the ZCC as that does not work either. Zscaler documentation says it won’t work on a multi-user server, and our testing confirms that. Does anyone have a solution for this?
Edit: I got it working. By using the service tag WindowsVirtualDesktop on the route table leading to my network vnet (with the firewalls), I can redirect that traffic out to the Internet via Azure’s “normal” Internet. It’s then exempt from Zscaler filtering.
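The route-table approach from the edit, written out as an added Bicep example (not from the original post): the default route still sends everything to the Palo Alto NVA, while the WindowsVirtualDesktop service tag is routed straight to Azure's Internet egress so the AVD control-plane return traffic never enters the Zscaler tunnel. The resource names, the firewall IP parameter and the API version are assumptions.

```bicep
// Assumed parameter: private IP of the Palo Alto NVA in the hub vnet.
param firewallPrivateIp string = '10.0.1.4'

// Assumed name for the route table attached to the AVD host-pool subnet.
resource avdRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-avd-hostpool'
  location: resourceGroup().location
  properties: {
    // Keep propagated routes (e.g. from the IPSec/BGP peering) from
    // overriding the explicit routes below.
    disableBgpRoutePropagation: true
    routes: [
      {
        // Everything else (server and desktop Internet traffic) goes to
        // the firewall and on through the Zscaler tunnel.
        name: 'default-via-palo'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        // Service-tag route: Azure expands WindowsVirtualDesktop to the
        // AVD control-plane prefixes (the non-contiguous /32s mentioned
        // in the thread) and keeps it up to date. Longest-prefix match
        // makes this win over 0.0.0.0/0, so return traffic to the
        // AVD gateways leaves via Azure's own Internet path and is
        // exempt from Zscaler filtering.
        name: 'avd-control-plane-direct'
        properties: {
          addressPrefix: 'WindowsVirtualDesktop'
          nextHopType: 'Internet'
        }
      }
    ]
  }
}

output routeTableId string = avdRouteTable.id
```

After deployment, the effective routes on a session host NIC (Network Watcher or the NIC's "Effective routes" blade) should show the service-tag prefixes with next hop Internet and 0.0.0.0/0 with next hop VirtualAppliance; that is the quickest check that the bypass is actually in force.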
Lots of customers use this with ZCC, and you just have to bypass a bunch of MS IPs from the tunnel. I was on months of troubleshooting calls with MS when customers first started rolling this out, and there are a few bugs on the MS side right now that cause errors… supposedly they are working on fixes.
The other issue is that MS didn’t use contiguous IP space, so you have to bypass a bunch of /32s lol. Classic Microsoft, painting themselves into a corner.
I tried that and it didn’t work. There are MS/Azure EDLs out there I can import in the firewall to use as a bypass list for Zscaler. The problem is I need the opposite of that. I think I need to bypass the public IP of the client, which is impossible to automate.
The other part is that Zscaler doesn’t make a VPN product, so there won’t be a way for the AVD to be “on the network”, and it’s designed to be unreachable.
From when I’ve set this up before, it was always through ZIA (ZIA is essentially an NGFW in the cloud), but much of the traffic has to be bypassed from Zscaler until MS releases some bug fixes. I haven’t seen anyone roll this out without ZCC though, as this will be trickier without the ability to shape traffic at that level.