Filter outgoing traffic
By default, students have no internet connection during their exam. Any internet access that is required must be explicitly whitelisted.
Outgoing traffic is filtered locally by the Windows Firewall running on the sessionhosts. A local administrator can change or disable that firewall, so it is essential that students never gain admin privileges on their sessionhost.
The firewall is configured to block all outgoing traffic. The only exceptions are:
1. AVD traffic: required for Azure Virtual Desktop to function properly.
2. Sessionhost proxy traffic: HTTP(s) connections to the Sessionhost Proxy, described in detail below.
3. Schoolyear VDI Browser: network connections made by the Schoolyear VDI Browser, since this browser already applies a whitelist itself.
Exceptions 1 and 2 are configured by allowing outbound connections to the “Services” subnet (10.0.16.0/19) in the Windows Firewall.
If you change the VNET or subnet configuration, make sure to update this firewall rule as well; otherwise AVD and the Sessionhost Proxy become unreachable from the sessionhosts.
Exception 3 is configured by allowing outbound connections for the path of the Schoolyear VDI Browser executable. A path-based rule applies to whatever runs from that path, so the executable and its directory must not be writable by students.
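The following PowerShell is an added example that recreates the three exceptions on a sessionhost and then checks them. It is not the Schoolyear template's own provisioning code: the rule names, the VDI Browser path and the address used to probe the Services subnet are assumptions, and the subnet is the one quoted above. Run it in an elevated session.

```powershell
# Added example, not part of the Schoolyear deployment template.
# Recreates the outbound filtering described above and verifies it.
# Rule names, $VdiBrowserExe and $ProbeHost are assumptions; use your real values.

$ServicesSubnet = '10.0.16.0/19'                                          # "Services" subnet from the page
$VdiBrowserExe  = 'C:\Program Files\Schoolyear\VDI Browser\vdi-browser.exe' # hypothetical path
$ProbeHost      = '10.0.16.4'                                             # assumed address inside the Services subnet

# 1. Default-deny outbound on every profile. Inbound stays at its default of Block.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Exceptions 1 and 2: AVD and the Sessionhost Proxy both live in the Services subnet.
New-NetFirewallRule -DisplayName 'Schoolyear: allow outbound to Services subnet' `
    -Direction Outbound -Action Allow -Profile Any `
    -RemoteAddress $ServicesSubnet | Out-Null

# 3. Exception 3: the VDI Browser enforces its own whitelist, so its process may connect anywhere.
New-NetFirewallRule -DisplayName 'Schoolyear: allow outbound for VDI Browser' `
    -Direction Outbound -Action Allow -Profile Any `
    -Program $VdiBrowserExe | Out-Null

# The program rule trusts the path, not the binary. List any ACE that lets ordinary
# users write to the executable; the output should be empty.
(Get-Acl -Path $VdiBrowserExe).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -like '*\Users' -and
        ($_.FileSystemRights -match 'Write|Modify|FullControl')
    }

# Verification from the student's point of view (non-elevated shell is fine):
# direct TCP to an arbitrary internet host must fail, the Services subnet must be reachable.
$direct   = Test-NetConnection -ComputerName 'example.com' -Port 443 -InformationLevel Quiet
$services = Test-NetConnection -ComputerName $ProbeHost -Port 443 -InformationLevel Quiet
"Direct internet reachable: $direct (expected: False)"
"Services subnet reachable:  $services (expected: True if $ProbeHost listens on 443)"
```

The ACL check is the part most often forgotten: a firewall exception keyed on a file path is only as strong as the permissions on that path, which is another reason the sessionhost must never hand students local admin.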
Sessionhost proxy
Some applications do require an internet connection to function properly. For example, Windows needs access to Microsoft Entra ID and Office needs to reach its licensing service.
To filter this traffic, the default template sets up a Sessionhost Proxy: an HTTP(s) proxy that enforces a whitelist of outgoing destinations and is configured as the system-wide default proxy in Windows. Apart from the VDI Browser, this proxy is the only way for a sessionhost to reach the internet, because the Windows Firewall only allows outbound connections to the Services subnet it lives in.
The default deployment template and the default images already set up this Sessionhost Proxy, so you don’t have to configure anything yourself to make it work.
You can, however, extend the Sessionhost Proxy whitelist to allow additional HTTP(s) connections that specific software needs in order to work correctly.
Keep in mind that the proxy only handles HTTP(s) traffic. The plain TCP/UDP traffic commonly used by LAN-based license servers cannot be sent through an HTTP proxy at all, and since the firewall blocks everything else outbound, such traffic never leaves the sessionhost.
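The script below is an added example, not Schoolyear tooling, that shows the difference the last two paragraphs describe from a student session: an HTTP(s) request to a whitelisted host goes through the Sessionhost Proxy, a request to a host that is not whitelisted is refused by the proxy, and a plain TCP connection to a LAN license server fails no matter what the whitelist says. The proxy address and port, the license-server address and port, and the assumption that the Entra sign-in endpoint is on the whitelist are all placeholders for your own deployment.

```powershell
# Added example; not part of the Schoolyear template. Run in the student's (non-elevated) session.
# $Proxy, $LicenseServer, $LicensePort and the whitelisted/non-whitelisted URLs are assumptions.

$Proxy          = 'http://10.0.16.4:3128'              # assumed Sessionhost Proxy endpoint
$Whitelisted    = 'https://login.microsoftonline.com/' # assumed to be on the proxy whitelist (Entra ID)
$NotWhitelisted = 'https://example.com/'               # assumed NOT to be on the whitelist
$LicenseServer  = '192.168.50.10'                      # assumed LAN license server
$LicensePort    = 27000                                # assumed plain-TCP license port

# 1. Show what Windows currently uses as its system proxy (what the template configured).
netsh winhttp show proxy

function Test-ViaProxy {
    # Returns the HTTP status code when the proxy forwards the request,
    # or the error text when the proxy (or the network) refuses it.
    param([string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -Proxy $Proxy -UseBasicParsing -TimeoutSec 15
        return "HTTP $($r.StatusCode)"
    } catch {
        return $_.Exception.Message
    }
}

# 2. Whitelisted HTTPS destination: expect a status code from the real host.
"Whitelisted via proxy:     $(Test-ViaProxy $Whitelisted)"

# 3. Non-whitelisted HTTPS destination: expect the proxy's refusal, not a page.
"Not whitelisted via proxy: $(Test-ViaProxy $NotWhitelisted)"

# 4. Plain TCP to the license server: an HTTP proxy cannot carry this and the
#    outbound firewall drops it, so this is False regardless of the proxy whitelist.
$tcp = Test-NetConnection -ComputerName $LicenseServer -Port $LicensePort -InformationLevel Quiet
"Plain TCP to license server: $tcp (expected: False)"
```

If step 4 ever returns True on a student sessionhost, the outbound firewall has been bypassed or misconfigured; that is the check to run after any change to the VNET, the subnet, or the firewall rules.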