Microsoft Edge Containers

This article describes how Microsoft Edge supports Microsoft Defender Application Guard (Application Guard).

Note

This article applies to Microsoft Edge version 77 or later.

Overview

Security architects in the enterprise must deal with the tension that exists between productivity and security. It's relatively easy to lock down a browser and only allow a handful of trusted sites to load. This approach will improve the overall security posture but is arguably less productive. If you make it less restrictive to improve productivity, you increase the risk profile. It's a hard balance to strike!

It's even harder to keep up with new emerging threats in this constantly changing threat landscape. Browsers remain the primary attack surface on client devices because the browser's basic job is to let users access, download, and open untrusted content from untrusted sources. Malicious actors are constantly working to social engineer new forms of attacks against the browser. Security incident prevention or detection/response strategies can't guarantee 100% safety.

A key security strategy to consider is the Assume Breach Methodology, which means there's an acceptance that an attack is going to succeed at least once regardless of efforts to prevent it. This mindset requires building defenses to contain the damage, which ensures that corporate network and other resources remain protected in this scenario. Deploying Application Guard for Microsoft Edge fits right into this strategy.

About Application Guard

Designed for Windows 10 and Microsoft Edge, Application Guard uses a hardware isolation approach. This approach lets untrusted site navigation launch inside a container. Hardware isolation helps enterprises safeguard their corporate network and data in case users visit a site that is compromised or is malicious.

The enterprise administrator defines what are trusted sites, cloud resources, and internal networks. Everything that's not in the trusted sites list is considered untrusted. These sites are isolated from the corporate network and data on the user's device.

For more information:

  • watch our video Microsoft Edge browser isolation using Application Guard
  • read What is Application Guard and how does it work?

The next screenshot shows an example of Application Guard's message showing that the user is browsing in a safe space.

What's new

Application Guard support in the new Microsoft Edge browser has functional parity with Microsoft Edge Legacy and includes several improvements.

Extension support inside the container

Extension support inside the container has been one of the top requests from customers. Scenarios ranged from running ad-blockers inside the container to boost browser performance to running custom, home-grown extensions inside the container.

Extension installation in the container is supported starting with Microsoft Edge version 81. This support can be controlled via policy. The updateURL used in the ExtensionInstallForcelist policy should be added as a Neutral Resource in the Network Isolation policies used by Application Guard.

Some examples of container support include the following scenarios:

  • Force installs of an extension on the host
  • Removing an extension from the host
  • Extensions blocked on the host

Note

It's also possible to manually install individual extensions inside the container from the extension store. Manually installed extensions will only persist in the container when the Allow Persistence policy is enabled.

Identifying Application Guard traffic via Dual Proxy

Some enterprise customers are deploying Application Guard with a specific use case where they need to identify web traffic coming out of a Microsoft Defender Application Guard container at the proxy level. Starting with Stable Channel version 84, Microsoft Edge will support dual proxy to address this requirement. You can configure this functionality using the ApplicationGuardContainerProxy policy.

The following drawing shows the dual proxy architecture for Microsoft Edge.

Diagnostic page for troubleshooting

Another user pain point is troubleshooting the Application Guard configuration on a device when a problem is reported. Microsoft Edge has a diagnostics page (edge://application-guard-internals) to troubleshoot user issues. One of these diagnostics is being able to check the URL trust based on the configuration on the user's device.

The next screenshot shows the multi-tab diagnostics page that helps diagnose user-reported issues on the device.

Microsoft Edge updates in the container

Microsoft Edge Legacy updates in the container are part of the Windows OS update cycle. Because the new version of Microsoft Edge updates itself independent of the Windows OS, there is no longer any dependency on container updates. The channel and version of the host Microsoft Edge is replicated inside the container.

Prerequisites

The following requirements apply to devices using Application Guard with Microsoft Edge:

  • Windows 10 1809 (RS5) and above.

  • Only Windows client SKUs

    Note

    Application Guard is only supported on Windows 10 Pro and Windows 10 Enterprise SKUs.

  • One of the management solutions described in Software requirements

How to install Application Guard

The following articles provide the information you need to install, configure, and test Application Guard with Microsoft Edge.

Frequently Asked Questions

Does Application Guard work in IE Mode?

IE Mode supports Application Guard functionality, but we don't anticipate much use of this feature in IE Mode. IE Mode is recommended for a list of trusted internal sites, and Application Guard is for untrusted sites only. Make sure all the IE mode sites or IP addresses are also added to the Network Isolation policy so that Application Guard treats them as trusted resources.

Do I need to install the Application Guard Chrome extension?

No, the Application Guard feature is natively supported in Microsoft Edge. In fact, the Application Guard Chrome extension isn't a supported configuration in Microsoft Edge.

Are there any other platform related FAQs?

Yes. Frequently asked questions - Microsoft Defender Application Guard

See also

This article describes the important system requirements for your Microsoft Azure Stack Edge Pro solution and for the clients connecting to Azure Stack Edge Pro. We recommend that you review the information carefully before you deploy your Azure Stack Edge Pro. You can refer back to this information as necessary during the deployment and subsequent operation.

The system requirements for the Azure Stack Edge Pro include:

  • Software requirements for hosts - describes the supported platforms, browsers for the local configuration UI, SMB clients, and any additional requirements for the clients that access the device.
  • Networking requirements for the device - provides information about any networking requirements for the operation of the physical device.

Supported OS for clients connected to device

Here is a list of the supported operating systems for clients or hosts connected to your device. These operating system versions were tested in-house.

Operating system/platform | Versions
Windows Server            | 2012 R2, 2016, 2019
Windows                   | 8, 10
SUSE Linux                | Enterprise Server 12 (x86_64)
Ubuntu                    | 16.04.3 LTS
CentOS                    | 7.0
Mac OS                    | 10.14.1

Supported protocols for clients accessing device

Here are the supported protocols for clients accessing your device.

Protocol                   | Versions | Notes
SMB                        | 2.X, 3.X | SMB 1 isn't supported.
NFS (currently in preview) | 3.0, 4.1 | Mac OS is not supported with NFS v4.1.

Supported storage accounts

Here is a list of the supported storage accounts for your device.

Storage account | Notes
Classic         | Standard
General Purpose | Standard; both V1 and V2 are supported. Both hot and cool tiers are supported.

Supported storage types

Here is a list of the supported storage types for the device.

File format      | Notes
Azure block blob |
Azure page blob  |
Azure Files      |

Supported browsers for local web UI

Here is a list of the browsers supported for the local web UI for the virtual device.

Browser           | Versions       | Additional requirements/notes
Google Chrome     | Latest version |
Microsoft Edge    | Latest version |
Internet Explorer | Latest version | If Enhanced Security features are enabled, you may not be able to access local web UI pages. Disable enhanced security, and restart your browser.
FireFox           | Latest version |

Networking port requirements

Port requirements for Azure Stack Edge Pro

The following table lists the ports that need to be opened in your firewall to allow for SMB, cloud, or management traffic. In this table, in or inbound refers to the direction from which incoming client requests access to your device. Out or outbound refers to the direction in which your Azure Stack Edge Pro device sends data externally, beyond the deployment, for example, outbound to the internet.

Port no.         | In or out | Port scope | Required                  | Notes
TCP 80 (HTTP)    | Out       | WAN        | No                        | Outbound port is used for internet access to retrieve updates. The outbound web proxy is user configurable.
TCP 443 (HTTPS)  | Out       | WAN        | Yes                       | Outbound port is used for accessing data in the cloud. The outbound web proxy is user configurable.
UDP 123 (NTP)    | Out       | WAN        | In some cases (see notes) | This port is required only if you're using an internet-based NTP server.
UDP 53 (DNS)     | Out       | WAN        | In some cases (see notes) | This port is required only if you're using an internet-based DNS server. We recommend using a local DNS server.
TCP 5985 (WinRM) | Out/In    | LAN        | In some cases (see notes) | This port is required to connect to the device via remote PowerShell over HTTP.
UDP 67 (DHCP)    | Out       | LAN        | In some cases (see notes) | This port is required only if you're using a local DHCP server.
TCP 80 (HTTP)    | Out/In    | LAN        | Yes                       | This port is the inbound port for the local UI on the device for local management. Accessing the local UI over HTTP will automatically redirect to HTTPS.
TCP 443 (HTTPS)  | Out/In    | LAN        | Yes                       | This port is the inbound port for the local UI on the device for local management.
TCP 445 (SMB)    | In        | LAN        | In some cases (see notes) | This port is required only if you are connecting via SMB.
TCP 2049 (NFS)   | In        | LAN        | In some cases (see notes) | This port is required only if you are connecting via NFS.

Port requirements for IoT Edge

Azure IoT Edge allows outbound communication from an on-premises Edge device to Azure cloud using supported IoT Hub protocols. Inbound communication is only required for specific scenarios where Azure IoT Hub needs to push down messages to the Azure IoT Edge device (for example, Cloud To Device messaging).

Use the following table for port configuration for the servers hosting Azure IoT Edge runtime:

Port no.        | In or out | Port scope | Required | Guidance
TCP 443 (HTTPS) | Out       | WAN        | Yes      | Outbound open for IoT Edge provisioning. This configuration is required when using manual scripts or Azure IoT Device Provisioning Service (DPS).

For complete information, go to Firewall and port configuration rules for IoT Edge deployment.

URL patterns for firewall rules

Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro device and the service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro as and when needed.

In most cases, we recommend that you set your firewall rules for outbound traffic liberally, based on the Azure Stack Edge Pro fixed IP addresses. However, you can use the information below to set the advanced firewall rules that are needed to create secure environments.

Note

  • The device (source) IPs should always be set to all the cloud-enabled network interfaces.
  • The destination IPs should be set to Azure datacenter IP ranges.

URL patterns for gateway feature

URL pattern                                  | Component or functionality
https://*.databoxedge.azure.com/*            | Azure Stack Edge / Data Box Gateway service
https://*.servicebus.windows.net/*           | Azure Service Bus
https://login.windows.net                    | Authentication Service
http://*.backup.windowsazure.com             | Device activation
http://crl.microsoft.com/pki/*               | Certificate revocation
http://www.microsoft.com/pki/*               | Certificate revocation
https://*.core.windows.net/*                 | Azure storage accounts and monitoring
https://*.data.microsoft.com                 | Azure storage accounts and monitoring
http://*.msftncsi.com                        | Azure storage accounts and monitoring
http://windowsupdate.microsoft.com           | Microsoft Update servers
http://*.windowsupdate.microsoft.com         | Microsoft Update servers
https://*.windowsupdate.microsoft.com        | Microsoft Update servers
http://*.update.microsoft.com                | Microsoft Update servers
https://*.update.microsoft.com               | Microsoft Update servers
http://*.windowsupdate.com                   | Microsoft Update servers
http://download.microsoft.com                | Microsoft Update servers
http://*.download.windowsupdate.com          | Microsoft Update servers
http://wustat.windows.com                    | Microsoft Update servers
http://ntservicepack.microsoft.com           | Microsoft Update servers
http://go.microsoft.com                      | Microsoft Update servers
http://dl.delivery.mp.microsoft.com          | Microsoft Update servers
https://dl.delivery.mp.microsoft.com         | Microsoft Update servers
http://*.ws.microsoft.com                    | Microsoft Update servers
https://*.ws.microsoft.com                   | Microsoft Update servers
http://*.mp.microsoft.com                    | Microsoft Update servers
http://*.deploy.akamaitechnologies.com       | Akamai CDN
https://*.partners.extranet.microsoft.com/*  | Support package
http://*.data.microsoft.com                  | Telemetry service in Windows; see the update for customer experience and diagnostic telemetry
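As an added example that is not part of either Microsoft article, the following Python script checks the outbound destinations recorded in a proxy log against a subset of the gateway URL patterns above and flags any destination that matches no pattern, which is the check a network administrator would want when validating that only the documented endpoints are reached. The wildcard semantics, the log format, the log lines and the device IP are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample allowlist: a subset of the gateway URL patterns listed in the article.
ALLOWLIST = [
    "https://*.databoxedge.azure.com/*",
    "https://*.servicebus.windows.net/*",
    "https://login.windows.net",
    "http://crl.microsoft.com/pki/*",
    "https://*.core.windows.net/*",
    "http://*.msftncsi.com",
]

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile one firewall URL pattern into an anchored regex over 'scheme://host/path'.

    Assumed semantics (the article does not define them): '*' in the host matches one
    or more DNS labels, '*' in the path matches any remainder, and a pattern without a
    path (for example https://login.windows.net) matches every path on that host.
    """
    scheme, rest = pattern.split("://", 1)
    host, _, path = rest.partition("/")
    # Escape first, then turn the escaped wildcard back into a label matcher, so the
    # literal dots in the pattern stay literal and cannot match arbitrary characters.
    host_re = re.escape(host).replace(r"\*", r"[a-z0-9-]+(?:\.[a-z0-9-]+)*")
    path_re = ".*" if path in ("", "*") else re.escape(path).replace(r"\*", ".*")
    return re.compile(rf"^{re.escape(scheme)}://{host_re}/{path_re}$", re.IGNORECASE)

def allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """True if the URL's scheme, host and path match at least one allowlisted pattern."""
    u = urlsplit(url)
    if not u.scheme or not u.hostname:
        return False
    # hostname is lowercased and has any port stripped; the query string is ignored.
    normalized = f"{u.scheme}://{u.hostname}{u.path or '/'}"
    return any(pattern_to_regex(p).match(normalized) for p in allowlist)

def audit(log_lines, allowlist=ALLOWLIST):
    """Return the destination URLs (last field of each line) that match no pattern."""
    return [line.split()[-1] for line in log_lines
            if not allowed(line.split()[-1], allowlist)]

# Constructed proxy log lines: timestamp, device IP, destination URL.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 https://mystorage.blob.core.windows.net/backup/file1",
    "2024-05-01T10:00:02Z 10.0.0.5 https://login.windows.net:443/oauth2/token",
    "2024-05-01T10:00:03Z 10.0.0.5 http://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl",
    "2024-05-01T10:00:04Z 10.0.0.5 https://login.windows.net.lookalike.example/oauth2/token",
    "2024-05-01T10:00:05Z 10.0.0.5 http://mystorage.blob.core.windows.net/backup/file1",
]

if __name__ == "__main__":
    for url in audit(SAMPLE_LOG):
        print("not allowlisted:", url)
```

The two flagged lines show why the regex is anchored on both ends and keeps the scheme: a host that merely starts with an allowlisted name, or the plain-HTTP form of an HTTPS-only endpoint, must not pass.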

URL patterns for compute feature

URL pattern                | Component or functionality
https://mcr.microsoft.com  | Microsoft container registry (required)
https://*.cdn.mscr.io      | Microsoft container registry (required)
https://*.azurecr.io       | Personal and third-party container registries (optional)
https://*.azure-devices.net| IoT Hub access (required)

URL patterns for gateway for Azure Government

URL pattern                                  | Component or functionality
https://*.databoxedge.azure.us/*             | Azure Stack Edge / Data Box Gateway service
https://*.servicebus.usgovcloudapi.net/*     | Azure Service Bus
https://login.microsoftonline.us             | Authentication Service
http://*.backup.windowsazure.us              | Device activation
http://crl.microsoft.com/pki/*               | Certificate revocation
http://www.microsoft.com/pki/*               | Certificate revocation
https://*.core.usgovcloudapi.net/*           | Azure storage accounts and monitoring
https://*.data.microsoft.com                 | Azure storage accounts and monitoring
http://*.msftncsi.com                        | Azure storage accounts and monitoring
http://windowsupdate.microsoft.com           | Microsoft Update servers
http://*.windowsupdate.microsoft.com         | Microsoft Update servers
https://*.windowsupdate.microsoft.com        | Microsoft Update servers
http://*.update.microsoft.com                | Microsoft Update servers
https://*.update.microsoft.com               | Microsoft Update servers
http://*.windowsupdate.com                   | Microsoft Update servers
http://download.microsoft.com                | Microsoft Update servers
http://*.download.windowsupdate.com          | Microsoft Update servers
http://wustat.windows.com                    | Microsoft Update servers
http://ntservicepack.microsoft.com           | Microsoft Update servers
http://*.ws.microsoft.com                    | Microsoft Update servers
https://*.ws.microsoft.com                   | Microsoft Update servers
http://*.mp.microsoft.com                    | Microsoft Update servers
http://*.deploy.akamaitechnologies.com       | Akamai CDN
https://*.partners.extranet.microsoft.com/*  | Support package
http://*.data.microsoft.com                  | Telemetry service in Windows; see the update for customer experience and diagnostic telemetry

URL patterns for compute for Azure Government

URL pattern                | Component or functionality
https://mcr.microsoft.com  | Microsoft container registry (required)
https://*.cdn.mscr.com     | Microsoft container registry (required)
https://*.azure-devices.us | IoT Hub access (required)
https://*.azurecr.us       | Personal and third-party container registries (optional)

Internet bandwidth

The devices are designed to continue to operate when your internet connection is slow or gets interrupted. In normal operating conditions, we recommend that you use:

  • A minimum of 10-Mbps download bandwidth to ensure the device stays updated.
  • A minimum of 20-Mbps dedicated upload and download bandwidth to transfer files.

Compute sizing considerations

Use your experience while developing and testing your solution to ensure there is enough capacity on your Azure Stack Edge Pro device and you get the optimal performance from your device.

Factors you should consider include:

  • Container specifics - Think about the following.

    • How many containers are in your workload? You could have a lot of lightweight containers versus a few resource-intensive ones.
    • What are the resources allocated to these containers versus what are the resources they are consuming?
    • How many layers do your containers share?
    • Are there unused containers? A stopped container still takes up disk space.
    • In which language are your containers written?
  • Size of the data processed - How much data will your containers be processing? Will this data consume disk space, or will it be processed in memory?

  • Expected performance - What are the desired performance characteristics of your solution?

To understand and refine the performance of your solution, you could use:

  • The compute metrics available in the Azure portal. Go to your Azure Stack Edge resource and then go to Monitoring > Metrics. Look at Edge compute - Memory usage and Edge compute - Percentage CPU to understand the available resources and how they are being consumed.

  • The monitoring commands available via the PowerShell interface of the device such as:

    • dkr stats to get a live stream of container resource usage statistics. The command supports CPU, memory usage, memory limit, and network IO metrics.
    • dkr system df to get information regarding the amount of disk space used.
    • dkr image [prune] to clean up unused images and free up space.
    • dkr ps --size to view the approximate size of a running container.

    For more information on the available commands, go to Monitor and troubleshoot compute modules.

Finally, make sure that you validate your solution on your dataset and quantify the performance on Azure Stack Edge Pro before deploying in production.

Next step