After enabling the Deep Security Agent (DSA) Firewall, users are unable to login to the Amazon WorkSpaces due to its "Unhealthy" status.
This issue can be caused by blocked incoming traffic via Port 4172. To verify, check the firewall events and see if the incoming traffic via Port 4172 is being blocked. Based on the AWS document, Port 4172 inbound traffic should be allowed.
To resolve the issue, create a firewall rule that will allow inbound traffic (both TCP and UDP) to Port 4172 on your WorkSpaces machine.