Product and Version [VS/VSCode]: Both VS and VSCode
OS Version [macOS/Windows]: Both
Live Share Extension Version: Latest
Target Platform or Language: N/A
Steps to Reproduce / Scenario:
This is a really great product, and I see a lot of value in its features from an internal perspective. My security team is looking to lock it down to internal only without completely blocking the endpoint *.servicebus.windows.net:443.
Any ideas or guidance is appreciated.
@cwoodworth Hey! Thanks for reaching out. We've heard this request a few times, and definitely want to enable team/organization-wide policy enforcement in the future. In the meantime, blocking our cloud relay may be the best way to guarantee that only direct mode can be used. If it would be valuable, we could provide you with the DNS hosts of the Live Share relays, so that you didn't need to block Azure Service Bus entirely.
@jasongin Can you think of a better recommendation? Also, could you confirm that if our relay was blocked by a firewall, that it wouldn't prevent a direct connection from successfully happening? (e.g. would the Share operation fail if it couldn't reach the relay?)
Can you think of a better recommendation?
Nothing right now. As mentioned, we have discussed how we might build support for these sort of enterprise policies in the future, but there are no immediate plans.
could you confirm that if our relay was blocked by a firewall, that it wouldn't prevent a direct connection from successfully happening?
Yes. The direct connection is attempted first, so blocking the relay servers will not cause any problem for direct connections.
@jasongin Thanks for confirming that!
@cwoodworth We'll use this issue to track implementing the centralized policy enforcement. In the meantime, it would be great to know if blocking the relay servers would be an acceptable workaround for your team to adopt Live Share. Let me know if it would be helpful to get the specific list of DNS hosts, or if blocking *.servicebus.windows.net:443 is sufficient. Thanks!
Sorry I need to correct my statement above. (For some reason I was thinking only about the potential of joining being blocked.)
If the relay servers are blocked, then the share operation will fail when using the default "auto" connection mode. VSLS hosts would have to change their connection mode to "direct" in order to successfully share. And then VSLS on the join side would automatically detect that is the only possible way to connect to the session, so it would not even try connecting to the relay.
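For reference, this is the host-side setting the correction above refers to, shown as an added example rather than text from the thread. The Live Share connection mode is configured in the VS Code user or workspace settings.json; the key name `liveshare.connectionMode` and its values `auto`, `direct` and `relay` are taken from the extension's settings as documented and should be checked against the installed version. With the relay blocked at the firewall, a host left on the default `auto` fails to share, while a host pinned to `direct` shares and joiners fall through to direct mode on their own.

```jsonc
// settings.json (VS Code user settings; the extension also reads
// workspace settings, but a host-wide policy belongs in user settings).
// Added example; key/value names are the Live Share extension's as
// documented, not verified against every version.
{
  // Default. Tries a direct connection first, then falls back to the
  // Azure Service Bus relay. If *.servicebus.windows.net:443 is blocked,
  // the Share operation itself fails in this mode, per jasongin's note above.
  // "liveshare.connectionMode": "auto",

  // Pin the host to direct connections only. Sharing succeeds without
  // reaching the relay, and the join side detects that direct is the only
  // available path and never attempts the relay.
  "liveshare.connectionMode": "direct"
}
```

Note that this is a per-user client setting, not an enforced policy: a user can switch it back to `auto`, which is exactly the gap the centralized-policy request in this issue is about. Until that exists, the firewall block on the relay is what actually prevents relayed sessions, and the `direct` setting is what keeps sharing working behind that block.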
@lostintangent It would be great if I could get the specific DNS servers as my team was very against blocking the entire set of relays. Thanks for all your help, and the quick response.
@jasongin @lostintangent Any update on this? Let me know if another forum for communication is preferred.
@cwoodworth Hey! Sorry for the late reply. Yeah, let's follow up over e-mail ([email protected]). That way we can talk about the specific details, and how to best unblock your organization. Thanks!
@lostintangent is there any update on a process for organizations enforcing direct mode or should I email you?
Now that VS2019 is out and ships with this by default, I'm also interested in an administrative way to block the relay. Is blocking *.servicebus.windows.net:443 still the best option here?
Yes @lostintangent, it would be very helpful to have the specific list of DNS hosts to block. We looked into blocking *.servicebus.windows.net:443, but that's a bit of a broad brush and we had other services that relied on that.
Hello!
@lostintangent Are there any updates on centralized policy enforcement that would not rely on blocking network traffic, since that is not always possible with our remote workers, who are numerous in this period of time =). We use our corporate Azure AD accounts to connect to Live Share, so the best solution for our organization might be to rely on that to inherit some mandatory settings such as direct-connect mode. Thank you for your help!
Hello!
Same as @mfjerome here.