Submit a request

Nerdio Help Center

Required outbound internet access from AVD session host VMs


Applies to: Nerdio Manager for MSP (NMM)


In some Azure environments newly created VMs are restricted from connecting to the internet.  This may be done with custom routing and network security groups (NSG) at the virtual network level or with proxy settings or custom security configurations pushed to the VMs via Active Directory GPO.  

In order for Nerdio Manager to be able to automate the creation and management of AVD session host VMs the following access must be possible.

Address Outbound TCP port Purpose Service Tag
168.63.129.16  All Azure platform services AzureCloud
*.avd.microsoft.com 443 Service traffic AzureVirtualDesktop
mrsglobalsteus2prod.blob.core.windows.net 443 Agent and SXS stack updates AzureCloud
*.core.windows.net 443 Agent traffic AzureCloud
*.servicebus.windows.net 443 Agent traffic AzureCloud
prod.warmpath.msftcloudes.com 443 Agent traffic AzureCloud
catalogartifact.azureedge.net 443 Azure Marketplace AzureCloud

nmwextensions.blob.core.windows.net

443 DSC extension download AzureCloud
kms.core.windows.net 1688 Windows activation Internet

 

IMPORTANT NOTES:

Azure platform mounts an ISO file to the DVD-ROM when a Windows VM is created from a generalized image. For this reason, the DVD-ROM must be enabled in the OS in the generalized image. If it is disabled, the Windows VM will be stuck at OOBE.

Azure DSC extensions used by the Nerdio Manager leverage PowerShell and WinRM.  Be sure that WinRM is not disabled on session host VMs and that unsigned PowerShell scripts can be run on these VMs.  If there is a GPO restricting WinRM and/or unsigned scripts, exclude the OU that contains the session hosts or create a naming prefix exclusion.

Reference KB articles:

Was this article helpful?
0 out of 0 found this helpful

Comments

Article is closed for comments.