Products and Services PRODUCTS & SERVICES

Protecting the Cloud: Securing Windows Virtual Desktop

How to deploy and secure your virtual desktops with Sophos Intercept X and Sophos XG Firewall

A popular solution for organizations looking to enable employees to work remotely, virtual desktops have come a long way from the clunky VPN sessions you may be used to. Services such as Windows Virtual Desktop delivered on Azure provide users with access to all the applications and services that they require for their day-to-day work.

Deploying Windows Virtual Desktop

When run on a virtual machine hosted with a cloud provider such as Azure, a large part of the virtual desktop solution is managed by the cloud provider. While this lightens the admin load, you still need to secure the service against cyber threats, and ensure compliance with your organization’s web browsing and data loss prevention policies.

To help you get started, we’ve created two demo videos to help you get setup quickly. The first guides you through deploying Windows Virtual Desktop in an Azure Subnet from Azure marketplace and securing it with Sophos Intercept X. The second walks you through configuring Windows Virtual Desktop to route traffic to your XG Firewall.

VDI or RDS – which virtual desktop deployment is right for you?

During deployment of your virtual desktop environment you’ll be asked to decide between two options, each with cloud provider cost implications.

  • RDS (Remote Desktop Session) – also known as ‘Pooled’ or ‘Multi Session’. RDS utilizes the Windows Server operating system (Windows 10 multi-session) to support multiple user sessions on the same virtual machine, sharing the same resources (pool). This is the most cost-effective solution as one virtual machine is used by multiple users.
  • VDI (Virtual Desktop Infrastructure) – also known as ‘Personal’. VDI utilizes the Windows client operating system (Windows 10 Enterprise) to provides a single user with a dedicated workstation experience. This means the solution will also use a single virtual machine for each user which can become costly but may be required for resource hungry users.

Securing Virtual Desktops with Sophos Intercept X

Virtual desktops are susceptible to the same threats as physical laptops and desktops such as malware and exploits. You can protect them with Sophos Intercept X for Server or Sophos Intercept X for Endpoint: which license you need will depend on whether you choose RDS or VDI.

Protecting RDS environments

In RDS environments you need to secure the session host i.e. the virtual machine used to run virtual desktops sessions for your user. As a result the Windows Virtual Desktop is detected as Windows Server in Sophos Central, our security management platform, and is protected with Sophos Intercept X for Server. Simply apply one server license for each virtual machine (VM).

The table below shows the default number of VMs provisioned based on usage profile and number of users:

Users Usage VMs / Sophos licenses Usage VMs / Sophos licenses Usage VMs / Sophos licenses
100 Light 5 Medium 11 Heavy 21
250 Light 11 Medium 16 Heavy 32
500 Light 21 Medium 32 Heavy 63


Protecting VDI environments

VDI is a little different, as here we’re securing an individual user. Therefore, to secure VDI environments you need Sophos Intercept X for Endpoint – one licence per user.

Applying Sophos protection to Virtual Desktop for Azure

In our setup video, we selected Pooled (or RDS) as this is the most common scenario. After the initial setup of Virtual Desktop for Azure, the next step is to download the Intercept X for Server agent to protect your multi-session environment.

The second half of the demo video covers downloading the Sophos Intercept X for Server installer from Sophos Central, running the installer on the session host, and configuring your policy to protect users.

Securing the network with XG Firewall

Once your host session is secure, you now need to secure traffic going out to the internet, or to other networks. Sophos XG Firewall will secure the inbound and outbound traffic to your virtual desktop environments and enable your teams to enforce compliance on a network level.

Watch the second demo video to see how to configure Windows Virtual Desktop to route traffic to your XG Firewall and get best practices for configuring the XG Firewall to protect the Windows Virtual Desktop environment.

Helpful Resources:



Leave a Reply

Your email address will not be published. Required fields are marked *