
In today’s Zero Trust networking scenarios, many organizations opt to only allow specific web locations to be accessible to their systems. This is problematic with addresses that act as redirect locations to actual web locations, because the actual web location needs to be allowlisted in the firewall to be accessible.
A common scenario is an isolated networking environment with highly sensitive resources, whose systems need to be able to access specific web resources. This can be:
- Updating and upgrading vendor-specific appliances
- Downloading vendor-specific ISO files to an internal VMware datastore
- (regularly) validating licenses in use with vendors
The scenario I recently encountered was having to download a Windows Server 2025 trial ISO file to use in Azure VMware Solution from a Windows 365 device located on a dedicated network. The network and its systems process sensitive data. The organization has a Microsoft-first, cloud-first approach.
Of course, I knew how to navigate a browser to Windows Server 2025’s download page on Microsoft’s Evaluation Center website, but the links here are all https://go.microsoft.com/fwlink?linkid=… redirect URIs…
Obviously, adding go.microsoft.com for HTTPS in the Azure Firewall does not provide the ability to download the ISO. The actual URI where the *.iso file is located would still not be accessible, because that wouldn’t be allow-listed. We need to allow-list the actual URI for this purpose.
Here’s how to locate the actual URI. I’m using PowerShell to do this, as it is available on every device within this organization.
This is the line of PowerShell I used for the Windows Server 2025 ISO EN-US:
(Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?linkid=2293312&clcid=0x409&culture=en-us&country=us" -MaximumRedirection 0 -ErrorAction SilentlyContinue).RawContent
The output of this line of PowerShell includes the redirect target as the value of the Location header.
The *.iso file was located on software-static.download.prss.microsoft.com.
I added go.microsoft.com and this URI to the allow-list for HTTPS for the Azure Firewall, after which I could download the *.iso file and upload it to the datastore of the Azure VMware Solution.
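A redirect link can pass through more than one host before it reaches the file, and every host in that chain has to be on the allow-list. The following is an added example, not code from the original post: it generalizes the one-liner above by following the chain hop by hop and reporting each host, including a host where the request fails (for example, because the firewall blocks it). The function name Resolve-RedirectChain is hypothetical, and it uses .NET's HttpClient instead of Invoke-WebRequest so that it behaves the same on Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example: list every host a redirect link passes through.
# Resolve-RedirectChain is a hypothetical helper name, not a built-in cmdlet.
Add-Type -AssemblyName System.Net.Http   # required on Windows PowerShell 5.1

function Resolve-RedirectChain {
    param(
        [Parameter(Mandatory)] [uri] $Uri,
        [int] $MaxHops = 10               # guard against redirect loops
    )
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false   # stop at each hop so it can be inspected
    $client = [System.Net.Http.HttpClient]::new($handler)
    $client.Timeout = [timespan]::FromSeconds(15)
    try {
        for ($hop = 1; $hop -le $MaxHops; $hop++) {
            $status = $null
            $next = $null
            try {
                # ResponseHeadersRead returns after the headers, so the ISO body is never downloaded
                $option = [System.Net.Http.HttpCompletionOption]::ResponseHeadersRead
                $resp = $client.GetAsync($Uri, $option).GetAwaiter().GetResult()
                $status = [int]$resp.StatusCode
                $next = $resp.Headers.Location
                $resp.Dispose()
            } catch {
                # Timeout, reset or TLS failure: typical for a host that is not yet allow-listed
                $status = 'request failed'
            }
            [pscustomobject]@{ Hop = $hop; HostName = $Uri.Host; Status = $status; Location = $next }
            if (-not $next) { break }     # final response or failed request: end of the chain
            # A Location header may be relative; resolve it against the current URI
            $Uri = if ($next.IsAbsoluteUri) { $next } else { [uri]::new($Uri, $next) }
        }
    } finally {
        $client.Dispose()
        $handler.Dispose()
    }
}

# The redirect link from the post
$chain = Resolve-RedirectChain -Uri 'https://go.microsoft.com/fwlink/?linkid=2293312&clcid=0x409&culture=en-us&country=us'
$chain | Format-Table Hop, HostName, Status, Location -AutoSize

# Distinct hosts to request for HTTPS in the firewall allow-list
$chain | Select-Object -ExpandProperty HostName -Unique
```

When the last row shows "request failed", that host is the next one to allow-list; run the function again afterwards to see whether the chain continues.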
Sometimes, one Windows built-in tool doesn’t provide the information we need (Microsoft Edge), but another one does (Microsoft PowerShell). 👍