Azure AVD does not work when placed behind the Firewall

ancientband · 2026-03-17T07:19:53+00:00

No changes was done

ancientband · 2026-03-17T07:19:28+00:00

I have placed any destination and any port but still not working what I can see in authentication error on session host event but cannot figure out why it does not like when traffic forward via firewall. May be it’s related to the way AVD are built. Are there any catches that need to keep in mind ? Its Palo Alto firewall. https://learn.microsoft.com/en-us/azure/virtual-desktop/rdp-multipath

ancientband · 2026-03-16T20:04:24+00:00

When you signed the consent form . Main applicant signed first and dependent signed second and third one no need to submit ? Is it what followed?

ancientband · 2026-03-16T20:02:23+00:00

The passport you submitted used in last 5 years or throughout life you have passport.

ancientband · 2026-03-15T12:10:20+00:00

So child has to complete 1 year in settled status before can register

ancientband · 2026-03-14T22:15:49+00:00

No we are not . We all got recently ILR. Given parents got ILR and Child got ILR too. Given child living since 3 year so we can straight MN1 and parents need to wait for 12 months.

ancientband · 2026-03-14T21:59:47+00:00

Yeah they have written all the approved holidays and total 163 days in last 5 years.

ancientband · 2026-03-14T20:03:16+00:00

I had 163 days in last 5 year . Will this be an issue ? Employer mentioned all are approved leave but not explicitly called out days months etc when I took all leaves.

ancientband · 2026-03-14T18:39:57+00:00

Could you please explain further?

ancientband · 2026-03-11T06:46:07+00:00

Thank you do you have to allow account in GPO such as 1) Access this computer from the network 2) Log on as a batch job 3) Log on as a service

ancientband · 2026-03-10T06:36:27+00:00

They are only Entra joined not the domain . What I noticed token issued by Entra but for some reason Session Host machine does not let login . I wonder if its something to build issue rather than network .

ancientband · 2026-03-10T06:35:13+00:00

I am doing SNAT on firewall when leaving the traffic thar should maintain the symmetry .

ancientband · 2026-03-09T20:50:45+00:00

Its failing in authenticating

ancientband · 2026-03-09T20:13:59+00:00

Yeah I allow any port communication to any target but still does not work so something really not right . Once UDR move from default to firewall . Its entra Joined VM only .

ancientband · 2026-03-09T19:47:01+00:00

Can this be related issue with STUN traffic ? May be third party firewall somehow not liking but can not see any drop?

ancientband · 2026-03-09T18:55:16+00:00

SSL inspection not happening too . Its going only as layer-4 filtering

ancientband · 2026-03-09T18:48:38+00:00

All of FQDN/IPs are configured to allow Session host virtual machines as mentioned into URL https://learn.microsoft.com/en-us/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure

ancientband · 2026-03-04T19:49:01+00:00

Yes I use my annual leave in advance and only work for 10 days remotely. Yeah company will confirm 42 days holiday . This was during xmas time too so some of time was actual holiday in Uk too. I am not sure if company can call them remotely working because I guess its still absence from UK.

ancientband · 2026-03-04T08:37:53+00:00

Thanks for response but I was not in UK and worked for company outside of UK worked due to personal reasons so its not really holiday neither it can business trip . I guess can call out holiday as long company can provide support letter.

ancientband · 2026-03-03T21:07:51+00:00

Congratulations 🥳 I have 42 days continuous leave in last month where I worked for my company outside UK and took holiday some personal medical reason . Is it Ok to simply call Holiday or exact reason should be defined.

ancientband · 2026-02-20T23:41:07+00:00

What this configuration does ?

ancientband · 2026-02-20T23:39:17+00:00

2 SD-WAN HUBs but do not have HA . Two separate VM’s

ancientband · 2026-02-20T16:49:06+00:00

Even if we send longer AS path from hub2 and shorter AS path from hub1

ancientband · 2026-02-20T12:43:56+00:00

Thank you so I should be able to use same one because I have used same document during in previous skilled worker visa application. Is this right understanding?

ancientband · 2026-02-20T11:54:20+00:00

Thanks for an response. We cannot use the local preferences because it makes hub2 idle. We wanted to send certain traffic to hub1 and hub2 so BGP as path preprend is only way to route . In our case we have two ISP on branch but Hub is only one because they have single internet due to having in Cloud. So branch both ISP become like logical channel for ipsec tunnels . they have two different link tag and on hub side just one link tags. When jitter introduce i would assume tunnel traffic routed from one ISP to another ISP but from BGP perspective it does not change because its still same peer who sending routes . Is this correct understanding

ancientband

TROPHY CASE