GlobalProtect on Windows 365 Cloud PC
Where Can I Use This?
  • NGFW (managed by Panorama and Strata Cloud Manager)
  • Prisma Access (managed by Panorama and Strata Cloud Manager)
What Do I Need?
  • GlobalProtect 6.2.6-c857 and later 6.2.x releases, or 6.3.2 and later 6.3.x releases
A Windows 365 Cloud PC is a virtual machine that provides a Windows desktop experience in the cloud. You can deploy GlobalProtect on Cloud PCs to enhance network security for cloud-based virtual desktop environments. Windows and macOS users connect to the Cloud PC over the Remote Desktop Protocol (RDP) and, from the Cloud PC, access private applications hosted in the cloud. GlobalProtect routes the Cloud PC's network traffic through Prisma Access, providing additional defense against unauthorized access and cyber threats.
Follow the steps below to deploy GlobalProtect on a Windows 365 Cloud PC:
  1. Prepare Win32 app content for upload.
    During this stage, you configure the GlobalProtect client settings and prepare the installation package.
  2. Add the Win32 app to Microsoft Intune.
    During this step, you add the GlobalProtect app to Intune and configure the deployment settings. The system then pushes the GlobalProtect installation to the designated Cloud PCs based on the settings and groups you've specified. The GlobalProtect app is installed when the Cloud PC receives and processes this deployment instruction from Intune.
    It is recommended that you set the User Switch Tunnel Rename Timeout to the maximum value so that GlobalProtect is not disconnected when the RDP session is disconnected or closed. The User Switch Tunnel Rename Timeout value range is as follows:
    • GlobalProtect 6.2.x releases earlier than 6.2.8: 0 to 600 seconds
    • GlobalProtect 6.2.8 and later: 0 to 7200 seconds
    For an uninterrupted RDP stream between the host and the Cloud PC, you must exclude Microsoft's RDP traffic from the tunnel in one of the following ways:
    • Exclude the wildcard FQDN (*.wvd.microsoft.com) and the Windows Virtual Desktop service tag. You can obtain the IP ranges for the Windows Virtual Desktop service tag manually from the Azure IP Ranges JSON file. For more information, refer to Azure IP Ranges and Service Tags – Public Cloud. You can also use a PowerShell script to extract the IPs into a CSV file.
      Because the IP address count exceeds 200 entries, you may need to use advanced split tunneling. It is recommended that you configure the bypass with wildcard FQDNs, since the FQDNs do not change over time while the IP ranges do. You can also add other service endpoints to your optimized path. For more information, refer to the Microsoft Network Requirements. If your solution does not support wildcard FQDNs, you can use IP addresses for the bypass configuration. Currently, Microsoft only provides IP addresses for RDP connectivity.
    • Exclude the following access routes and domains:
      • Enforcer exclusion list:
        • 40.64.144.0/20
        • 20.202.0.0/16
        • 51.5.0.0/16
        • *.wvd.microsoft.com
      • Split tunneling exclusion list:
        • 40.64.144.0/20
        • 20.202.0.0/16
        • 51.5.0.0/16
        • *.wvd.microsoft.com
        The table below provides more details on the exclusion list:
        Bypass Type | Value               | Description                             | Notes
        FQDN        | *.wvd.microsoft.com | TCP-based RDP bypass                    | TCP only (add UDP subnets as required)
        IP          | 40.64.144.0/20      | TCP-based RDP bypass                    | The IP range is anticipated to be fully utilized by the end of January 2025 (consolidating from the current ~380 /32s)
        IP          | 20.202.0.0/16       | UDP-based RDP bypass via TURN (current) | The TURN relays currently in use; they will be discontinued once the 51.5.0.0/16 subnet is in use
        IP          | 51.5.0.0/16         | UDP-based RDP bypass via TURN (planned) | Future use (ETA early 2025): new dedicated TURN infrastructure for Windows 365/AVD
        Check with Microsoft to confirm whether any additional subnets or domains are required to exclude RDP traffic.
        TURN traffic for RDP Shortpath bypasses the split-tunnel configuration. To enforce the split-tunnel configuration for this traffic, implement a security policy that blocks these sessions across the tunnel.
  3. Review the event logs on the Windows host and the managed app logs on Intune to confirm that the GlobalProtect app was deployed successfully on the Cloud PC.
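The exclusion step above says the Windows Virtual Desktop IP ranges can be pulled from the Azure IP Ranges JSON file with a PowerShell script. The script below is an added example for that step; it is not code from the Palo Alto Networks page or from Microsoft. It assumes the published JSON layout (a top-level values array whose entries carry name and properties.addressPrefixes), that the file has already been downloaded to a local path, and that 200 entries is the point at which basic split tunneling stops being sufficient, as the page states. The JSON document at the bottom is a constructed sample for an offline dry run; real prefixes come from the downloaded file, and the wvd_prefixes.csv file name is arbitrary.

```powershell
# Added example (not from the page): extract the WindowsVirtualDesktop service-tag prefixes
# from the Azure "IP Ranges and Service Tags - Public Cloud" JSON and write them to a CSV
# that can be loaded into a GlobalProtect split-tunnel exclude list.
# Assumption: the file layout matches the published one (values[].name, values[].properties.addressPrefixes).

function Get-AvdServiceTagPrefixes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $JsonPath,
        [string] $TagName = 'WindowsVirtualDesktop',
        [int]    $AdvancedSplitTunnelThreshold = 200   # limit quoted on the page for basic split tunneling
    )

    $doc = Get-Content -Path $JsonPath -Raw | ConvertFrom-Json
    $tag = $doc.values | Where-Object { $_.name -eq $TagName } | Select-Object -First 1
    if (-not $tag) { throw "Service tag '$TagName' not found in $JsonPath" }

    # One row per prefix, tagged with its address family so IPv4 and IPv6 can be handled separately
    $rows = foreach ($prefix in $tag.properties.addressPrefixes) {
        [pscustomobject]@{
            Prefix       = $prefix
            Family       = if ($prefix -like '*:*') { 'IPv6' } else { 'IPv4' }
            Tag          = $TagName
            ChangeNumber = $tag.properties.changeNumber   # bump in this value means the list changed
        }
    }

    $v4 = @($rows | Where-Object Family -eq 'IPv4')
    if ($v4.Count -gt $AdvancedSplitTunnelThreshold) {
        Write-Warning ("$($v4.Count) IPv4 prefixes exceed the $($AdvancedSplitTunnelThreshold)-entry limit of basic split tunneling; " +
                       "use advanced split tunneling or the *.wvd.microsoft.com FQDN bypass instead.")
    }
    return $rows
}

# ---- Offline dry run on a constructed sample (structure only; not Microsoft's real data) ----
$sample = @'
{ "changeNumber": 1, "cloud": "Public", "values": [
  { "name": "WindowsVirtualDesktop", "id": "WindowsVirtualDesktop",
    "properties": { "changeNumber": 7, "region": "", "platform": "Azure",
      "systemService": "WindowsVirtualDesktop",
      "addressPrefixes": [ "40.64.144.0/20", "20.202.0.0/16", "2603:1000::/40" ] } } ] }
'@
$jsonPath = Join-Path ([IO.Path]::GetTempPath()) 'ServiceTags_sample.json'
Set-Content -Path $jsonPath -Value $sample -Encoding UTF8

$prefixes = Get-AvdServiceTagPrefixes -JsonPath $jsonPath
$csvPath  = Join-Path ([IO.Path]::GetTempPath()) 'wvd_prefixes.csv'   # hypothetical output name
$prefixes | Export-Csv -Path $csvPath -NoTypeInformation
$prefixes | Format-Table -AutoSize
```

Point -JsonPath at the weekly ServiceTags_Public JSON from the Azure download page to get the live list. Because the service-tag ranges change (the table above records two TURN subnets moving in and out of use), keep the ChangeNumber column with the CSV and re-run the extraction before each policy change; the FQDN bypass avoids that churn entirely where the client supports wildcard FQDNs.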
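Step 3 asks you to confirm the deployment from the Cloud PC's event logs and the Intune app logs. The following is an added example of that check, not code from the page, from Palo Alto Networks, or from Microsoft. It assumes the GlobalProtect MSI registers under the standard Uninstall keys with a DisplayName beginning "GlobalProtect", that the client service is named PanGPS, that Windows Installer writes its usual success events (IDs 1033 and 11707) to the Application log, and that the Intune Management Extension log lives at its default path; adjust those if your build differs.

```powershell
# Added example (not from the page): post-deployment verification run on the Cloud PC.
# Assumptions: DisplayName 'GlobalProtect*' under the Uninstall keys, service name PanGPS,
# MsiInstaller events 1033/11707 in the Application log, default IME log path.

function Test-GlobalProtectDeployment {
    [CmdletBinding()]
    param(
        [string] $ImeLog = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log',
        [int]    $LookbackDays = 7
    )

    $result = [ordered]@{}

    # 1. Installed product: check both the 64-bit and 32-bit (WOW6432Node) uninstall hives
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like 'GlobalProtect*' } | Select-Object -First 1
    $result.InstalledVersion = if ($product) { $product.DisplayVersion } else { $null }

    # 2. Client service state (PanGPS is the GlobalProtect service on Windows)
    $svc = Get-Service -Name PanGPS -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'Missing' }

    # 3. Windows Installer success events that mention GlobalProtect within the lookback window
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'
                                               Id = 1033, 11707; StartTime = $since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like '*GlobalProtect*' }
    $result.MsiSuccessEvents = @($events).Count

    # 4. Intune Management Extension log lines referencing the app (-1 = log not present)
    $result.ImeLogHits = if (Test-Path $ImeLog) {
        @(Select-String -Path $ImeLog -Pattern 'GlobalProtect' -SimpleMatch).Count
    } else { -1 }

    # Deployed = product registered AND service running; the event/log counts are supporting evidence
    $result.Deployed = ($null -ne $result.InstalledVersion) -and ($result.ServiceStatus -eq 'Running')
    return [pscustomobject]$result
}

Test-GlobalProtectDeployment | Format-List
```

Run it in an elevated session on the Cloud PC, or push the function to several Cloud PCs with Invoke-Command -ComputerName <names> -ScriptBlock ${function:Test-GlobalProtectDeployment}. A Deployed value of True with zero MsiSuccessEvents usually means the install predates the lookback window; a True value with ImeLogHits of -1 means the Intune Management Extension is not on the machine, so the app was installed some other way and the Intune console will not show it as managed.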

Supported Features and Limitations

For a list of GlobalProtect features supported on Windows 365 Cloud PC, see the Compatibility Matrix.
Connect Before Logon is not supported on Windows 365 Cloud PC. The Remote Desktop Protocol (RDP) session to the Cloud PC is established with pre-authenticated credentials, so the user is logged in directly without passing through the Windows login screen, and the RDP session closes as soon as the user logs out. This is expected behavior of the Microsoft Cloud PC architecture. Because Connect Before Logon requires the Windows login screen to function, it cannot be used in this environment.
Pre-Logon is supported on Windows 365 Cloud PC for the following scenarios:
  • Cloud PC reboot - after a reboot, the Cloud PC establishes the pre-logon tunnel and keeps it until the user logs in.
  • Cloud PC sign out - when the user signs out of the Cloud PC, the pre-logon tunnel is established and remains connected until the user signs back in.
Disconnecting from the Cloud PC or closing the Cloud PC window is treated as a lock event, not a sign-out. As a result, GlobalProtect continues to use the user-logon tunnel and does not switch to the pre-logon tunnel. This is expected behavior.