
In this blog, we are going to look at the process of enabling a new AVD transport feature called RDP Shortpath.

Overview

The standard way your clients reach your session hosts is called reverse connect: the session host opens an outbound TCP connection to the AVD gateway and the client connects to that same gateway, so no inbound port has to be opened on the session host. This path is highlighted below with red arrows.
[Screenshot: reverse connect, an outbound TCP connection from the session host to the client through the AVD gateway]
Reverse connect is a great design, but because the session traffic is carried over TCP and relayed through the gateway, it can add latency.
RDP Shortpath, on the other hand, carries the session over UDP and lets the client talk directly to the session host, highlighted below with yellow arrows. (The fixed UDP listener on port 3390 belongs to RDP Shortpath for managed networks; over public networks the session host uses a dynamic UDP port range, which is why the firewall tables further down open 1024-65535 rather than a single port.) This greatly reduces latency, since UDP suits this kind of traffic far better than TCP, but there is more to RDP Shortpath than just turning on UDP.
[Screenshot: RDP Shortpath, a direct UDP connection between client and session host]
Until now RDP Shortpath was only supported on private connections such as ExpressRoute or VPN, but as of today that changes.
You can now use RDP Shortpath over the public internet to get lower latency to your AVD environment. I'll show you step by step how to test it, the options for rolling it out, how to secure it, and how to monitor it so you can validate that your users are actually using it.

Enable RDP Shortpath for AVD Clients that use Public Networks

The setup here is very easy: all you have to do is add one registry value on each session host and you're ready to start.
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" /v ICEControl /t REG_DWORD /d 2 /f
Or you can download the registry file from the following link and merge it on your AVD session host.

Network Configuration

By default RDP Shortpath works without any additional configuration, unless you have firewall restrictions. In that case you have to allow a few outbound UDP ports and destinations, on the session host network and on the client network. Use the tables below to set the required rules; note that the client-side "Destination" is the public address your session hosts egress through (the NAT Gateway or Azure Firewall public IPs), and that both sides need to reach the STUN servers on UDP 3478 so each end can discover its own public address and port.

Session host virtual network

Name                            Source      Destination port   Protocol   Destination   Action
RDP Shortpath Server Endpoint   VM Subnet   1024-65535         UDP        *             Allow
STUN Access                     VM Subnet   3478               UDP                      Allow

Client network

Name                            Source           Destination port   Protocol   Destination                                                         Action
RDP Shortpath Server Endpoint   Client network   1024-65535         UDP        Public IP addresses assigned to the NAT Gateway or Azure Firewall   Allow
STUN Access                     Client network   3478               UDP                                                                            Allow

Network Security Group settings

Your session host VM/subnet Network Security Group should look like the screenshot below.
[Screenshot: Network Security Group outbound rules for RDP Shortpath]

User-Defined Routing for AVD

It is also recommended to configure a user-defined route for the session host subnet that sends internet-bound traffic directly to the internet (next hop type Internet), so the Shortpath UDP flow is not hairpinned through a firewall or NVA, as shown in the screenshot below.
[Screenshot: route table for the session host subnet with a 0.0.0.0/0 route to Internet]
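
The NSG rules from the session host table above and the user-defined route from this section, as an added PowerShell example that is not part of the original post. It needs the Az.Network module and an authenticated session (Connect-AzAccount); the resource group, location, VNet/subnet names, address prefix and rule names are placeholders (assumptions) to replace with your own. The table above gives no destination for the STUN rule, so the '*' used for it here is also an assumption.

```powershell
# Added example (not from the original post): outbound NSG rules for RDP Shortpath over
# public networks plus a direct-to-Internet route, attached to the session host subnet.
# Requires Az.Network and Connect-AzAccount. All names/prefixes below are assumptions.
$rg         = 'rg-avd-prod'
$location   = 'westeurope'
$vnetName   = 'vnet-avd'
$subnetName = 'snet-avd-hosts'
$hostPrefix = '10.10.1.0/24'      # session host subnet ("VM Subnet" in the table above)
# '*' reproduces the table. Tightening this to the public IPs your clients egress from is
# the one place you can narrow the rule without breaking Shortpath.
$shortpathDest = '*'
$stunDest      = '*'              # assumption: the table does not list a STUN destination

function Set-OutboundUdpRule {
    param($Nsg, [string]$Name, [int]$Priority, [string]$Destination, [string]$Ports, [string]$Description)
    $ruleArgs = @{
        Name = $Name; Description = $Description; Priority = $Priority
        Direction = 'Outbound'; Access = 'Allow'; Protocol = 'Udp'
        SourceAddressPrefix = $hostPrefix; SourcePortRange = '*'
        DestinationAddressPrefix = $Destination; DestinationPortRange = $Ports
    }
    # Set-* updates an existing rule, Add-* creates a new one: keeps the script re-runnable
    if ($Nsg.SecurityRules | Where-Object Name -eq $Name) { $Nsg | Set-AzNetworkSecurityRuleConfig @ruleArgs | Out-Null }
    else                                                   { $Nsg | Add-AzNetworkSecurityRuleConfig @ruleArgs | Out-Null }
}

# --- NSG: the two rows of the "Session host virtual network" table ---
$nsg = Get-AzNetworkSecurityGroup -Name 'nsg-avd-hosts' -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $nsg) { $nsg = New-AzNetworkSecurityGroup -Name 'nsg-avd-hosts' -ResourceGroupName $rg -Location $location }

Set-OutboundUdpRule -Nsg $nsg -Name 'RDP-Shortpath-Server-Endpoint' -Priority 100 `
    -Destination $shortpathDest -Ports '1024-65535' -Description 'RDP Shortpath (public networks): dynamic UDP ports'
Set-OutboundUdpRule -Nsg $nsg -Name 'STUN-Access' -Priority 110 `
    -Destination $stunDest -Ports '3478' -Description 'STUN binding requests for NAT discovery'
$nsg = $nsg | Set-AzNetworkSecurityGroup        # push the in-memory rules to Azure

# --- UDR: send internet-bound traffic from the session host subnet straight out ---
$rt = Get-AzRouteTable -Name 'rt-avd-hosts' -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $rt) { $rt = New-AzRouteTable -Name 'rt-avd-hosts' -ResourceGroupName $rg -Location $location }
if (-not ($rt.Routes | Where-Object Name -eq 'Internet-Direct')) {
    $rt | Add-AzRouteConfig -Name 'Internet-Direct' -AddressPrefix '0.0.0.0/0' -NextHopType Internet | Out-Null
}
$rt = $rt | Set-AzRouteTable

# --- Attach both to the session host subnet ---
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName -AddressPrefix $hostPrefix `
    -NetworkSecurityGroup $nsg -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Show what is now in place (compare with the NSG screenshot above)
$nsg | Get-AzNetworkSecurityRuleConfig |
    Select-Object Name, Direction, Protocol, DestinationAddressPrefix, DestinationPortRange, Access | Format-Table -AutoSize
```

Two things to decide deliberately before running this: the 0.0.0.0/0 route to Internet replaces any forced tunnel through a firewall or NVA for that subnet, so the NSG rules become the only control on what leaves the session hosts; and the Shortpath rule to '*' on 1024-65535 is wide, so where you know the public IPs your clients come from, use them as the destination, the same way the client network table pins the session host side to the NAT Gateway or Azure Firewall addresses.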

Monitor RDP Shortpath Using Log Analytics

Go into the Log Analytics console and run the following query to verify whether RDP Shortpath was requested for a user session:
//You can verify if RDP Shortpath is enabled for a specific user session by running the following Log Analytics query:
WVDCheckpoints 
|where Name contains "Shortpath"
In the results, look for the checkpoint named "ShortpathRequested"; its Parameters column shows (udpType : ShorthPathPublic) when the public-network variant was used.
[Screenshot: Log Analytics results of the WVDCheckpoints Shortpath query]
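
The same WVDCheckpoints query run from PowerShell and summarised per checkpoint name and udpType, so you get a count of sessions that requested Shortpath instead of scrolling raw rows. This is an added example, not code from the original post; it needs the Az.OperationalInsights module and Connect-AzAccount, and the workspace ID and 7-day window are placeholders (assumptions).

```powershell
# Added example (not from the original post): summarise Shortpath checkpoints from PowerShell.
# Requires Az.OperationalInsights and Connect-AzAccount. Workspace ID and window are assumptions.
$workspaceId = '00000000-0000-0000-0000-000000000000'   # assumption: your Log Analytics workspace ID
$lookback    = '7d'

# Same table and filter as the query above, plus extraction of udpType from Parameters
# and a per-name/per-type summary. Parameters is converted to dynamic explicitly so the
# extend works whether the column arrives as dynamic or as a JSON string.
$query = @"
WVDCheckpoints
| where TimeGenerated > ago($lookback)
| where Name contains "Shortpath"
// udpType is the value the post tells you to look for (e.g. ShorthPathPublic)
| extend udpType = tostring(todynamic(tostring(Parameters)).udpType)
| summarize Events = count(), Sessions = dcount(CorrelationId), Last = max(TimeGenerated) by Name, udpType
| order by Name asc, udpType asc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query
$rows   = $result.Results
$rows | Format-Table Name, udpType, Sessions, Events, Last -AutoSize

# Quick health signal: distinct sessions that requested RDP Shortpath in the window
$requested = ($rows | Where-Object Name -eq 'ShortpathRequested' |
              ForEach-Object { [int]$_.Sessions } | Measure-Object -Sum).Sum
"Sessions that requested RDP Shortpath in the last ${lookback}: $requested"
```

A request is not proof that the UDP transport was actually established; treat the count as a coverage number for the rollout and confirm the transport on a client with the connection bar check in the next section.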

Testing and Validating RDP Shortpath for AVD Clients that use Public Networks

To validate that RDP Shortpath is in use, click the connection-quality icon in the connection bar at the top of the AVD session. The connection details show that the UDP transport is in use and report the round-trip latency, which should be noticeably lower than over reverse connect.
[Screenshot: AVD connection details showing the UDP transport and round-trip latency]

Troubleshooting RDP Shortpath STUN Connectivity Using PowerShell

If you're unable to establish a connection using the RDP Shortpath transport, use the following PowerShell script to validate connectivity from the session host to the STUN servers on UDP 3478.
As shown in the screenshot below, I'm able to reach one of the STUN server IPs.
[Screenshot: PowerShell output verifying STUN server connectivity from an AVD session host]
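
An added PowerShell example, not the script from the original post, that does what the STUN check above is for: it sends a STUN Binding Request (RFC 5389) over UDP 3478 and decodes the public address and port the server saw, which is the NAT mapping RDP Shortpath for public networks depends on. The STUN server name is a placeholder (assumption); replace it with the endpoint your deployment uses, and run it on a session host and on a client.

```powershell
# Added example (not from the original post): STUN Binding Request/Response over UDP 3478.
# Returns whether the server answered, the round-trip time, and the public ip:port it mapped us to.
function Test-StunBinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,   # STUN server hostname or IP (assumption: supply your own)
        [int] $Port      = 3478,
        [int] $TimeoutMs = 3000
    )

    $magic = [byte[]](0x21, 0x12, 0xA4, 0x42)      # fixed STUN magic cookie (RFC 5389)
    $txId  = New-Object byte[] 12                  # 96-bit random transaction ID
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($txId)

    # 20-byte header: type 0x0001 (Binding Request), message length 0, magic cookie, transaction ID
    $request = [byte[]]((0x00, 0x01, 0x00, 0x00) + $magic + $txId)

    $udp = New-Object System.Net.Sockets.UdpClient
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs
        $udp.Connect($Server, $Port)
        [void]$udp.Send($request, $request.Length)
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
        $sw.Stop()
    }
    catch {
        # No answer: UDP/3478 blocked outbound, wrong address, or the reply was dropped on the way back
        return [pscustomobject]@{ Server = $Server; Port = $Port; Reachable = $false
                                  RespondedFrom = $null; MappedAddress = $null; RttMs = $null
                                  Error = $_.Exception.Message }
    }
    finally { $udp.Close() }

    # A Binding Success Response has type 0x0101 and must echo our transaction ID
    if ($resp.Length -lt 20 -or $resp[0] -ne 0x01 -or $resp[1] -ne 0x01) {
        throw ("Unexpected STUN message type 0x{0:X2}{1:X2} from {2}" -f $resp[0], $resp[1], $from)
    }
    for ($i = 0; $i -lt 12; $i++) {
        if ($resp[8 + $i] -ne $txId[$i]) { throw "Transaction ID mismatch: response is not for our request" }
    }

    # Walk the attributes (16-bit type, 16-bit length, value padded to 4 bytes)
    $msgLen    = ($resp[2] -shl 8) -bor $resp[3]
    $end       = [Math]::Min(20 + $msgLen, $resp.Length)
    $offset    = 20
    $xorMapped = $null; $legacyMapped = $null
    while (($offset + 4) -le $end) {
        $type = ($resp[$offset] -shl 8) -bor $resp[$offset + 1]
        $len  = ($resp[$offset + 2] -shl 8) -bor $resp[$offset + 3]
        $v    = $offset + 4
        if ($type -eq 0x0020 -and $resp[$v + 1] -eq 0x01) {
            # XOR-MAPPED-ADDRESS, IPv4: port is XORed with the top 16 bits of the cookie, address with the cookie
            $port   = (($resp[$v + 2] -shl 8) -bor $resp[$v + 3]) -bxor 0x2112
            $octets = 0..3 | ForEach-Object { $resp[$v + 4 + $_] -bxor $magic[$_] }
            $xorMapped = '{0}:{1}' -f ($octets -join '.'), $port
        }
        elseif ($type -eq 0x0001 -and $resp[$v + 1] -eq 0x01) {
            # Legacy MAPPED-ADDRESS (RFC 3489 servers), not XORed; used only if no XOR-MAPPED-ADDRESS is present
            $port   = ($resp[$v + 2] -shl 8) -bor $resp[$v + 3]
            $octets = 0..3 | ForEach-Object { [int]$resp[$v + 4 + $_] }
            $legacyMapped = '{0}:{1}' -f ($octets -join '.'), $port
        }
        $offset = $v + $len + ((4 - ($len % 4)) % 4)
    }

    [pscustomobject]@{
        Server = $Server; Port = $Port; Reachable = $true; RespondedFrom = $from.ToString()
        MappedAddress = if ($xorMapped) { $xorMapped } else { $legacyMapped }
        RttMs = $sw.ElapsedMilliseconds; Error = $null
    }
}

# Usage: placeholder server name, replace with the STUN endpoint your AVD deployment uses
Test-StunBinding -Server 'stun.example.com' | Format-List
```

Reachable = $false means UDP 3478 is blocked somewhere on the path (check the STUN Access rules from the tables above). Reachable = $true with a MappedAddress that differs from the local address shows the NAT mapping the STUN server observed; that mapping is what the client and session host exchange to open the direct UDP path, and if it cannot be discovered the session silently falls back to reverse connect over TCP.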

administrator

Sr. Cloud Solutions Architect with over ten years of experience in Microsoft Solutions and Digital Transformation, Blogger, Speaker, and #ArWVDUG Community leader. Focus on Azure, Cloud Security, Modern Workspace, Azure WVD, AVD, Infrastructure as Code, Endpoint Management, Office 365, EMS.