Enabling Remote Work

Improve your End-User Experience with RDP ShortPath for AVD


In this blog we are going to look at the process of enabling a new capability of the RDP protocol called RDP Shortpath.

Overview

The standard way your clients connect to your session hosts is called reverse connect: the session host creates an outbound TCP connection that reaches your client through the AVD gateway, which keeps things secure. This path is highlighted below with red arrows.

This is a great solution, but because it runs over TCP the connection can suffer from higher latency.
RDP Shortpath, on the other hand, uses UDP on port 3390 and lets you connect directly to your session hosts, as highlighted below with yellow arrows. This greatly reduces latency, since UDP is a much more efficient protocol for this kind of traffic, but there is more to RDP Shortpath than just turning on UDP.

Until now RDP Shortpath was only allowed on private connections, such as over an ExpressRoute circuit or a VPN, but as of today all that changes.
Now you can use RDP Shortpath over the public internet to achieve lower latency to your AVD environments. I'll show you step by step how you can test it, the different options to roll it out, how to secure it, and then how to monitor it so you can validate whether your users are actually using it.

Enable RDP Shortpath for AVD Clients that use Public Networks

The setup here is very easy: all you have to do is add one registry key on the session host and you're ready to start.
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" /v ICEControl /t REG_DWORD /d 2 /f
Or you can download the registry file from the following link and merge it into your AVD session host.

Network Configuration

By default RDP Shortpath works without any additional configuration unless you have firewall restrictions, in which case you have to allow the following ports and destinations over UDP for outbound connections. Use the tables below to set the required rules on the session host network and on the client network.

Session host virtual network

| Name | Source | Destination Port | Protocol | Destination | Action |
|---|---|---|---|---|---|
| RDP Shortpath Server Endpoint | VM Subnet | 1024-65535 | UDP | * | Allow |
| STUN Access | VM Subnet | 3478 | UDP | | Allow |

Client network

| Name | Source | Destination Port | Protocol | Destination | Action |
|---|---|---|---|---|---|
| RDP Shortpath Server Endpoint | Client network | 1024-65535 | UDP | Public IP addresses assigned to NAT Gateway or Azure Firewall | Allow |
| STUN Access | Client network | 3478 | UDP | | Allow |

Network Security Group Settings

Your VM/SNET Network Security group should look like the below screenshot.

User-Defined Routing for AVD

It is also recommended to configure a user-defined route (UDR) on the session host subnet so that this traffic is routed directly to the internet, as shown in the screenshot below.

Monitor RDP Shortpath Using Log Analytics

You can verify whether RDP Shortpath was used for a specific user session by going into the Log Analytics console and running the following query:
WVDCheckpoints
| where Name contains "Shortpath"
In the results, look for the row where Name says "ShortpathRequested" and Parameters says (udpType : ShortpathPublic).
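To turn that single-session check into the fleet-wide view the post promises (which users and hosts are actually getting the UDP transport), here is an added example that is not part of the original post. It runs a Log Analytics query through the Az.OperationalInsights module; the WVDConnections columns (CorrelationId, State, UserName, SessionHostName) and the dynamic type of WVDCheckpoints.Parameters are assumed from the AVD diagnostics schema, and the workspace ID is a placeholder.

```powershell
# Added example, not from the post: join every connected session with its
# "ShortpathRequested" checkpoint so each user/host pair shows which transport
# (Parameters.udpType) was negotiated, or that no Shortpath was requested at all.
# Assumes Az.OperationalInsights is installed and the WVDConnections columns
# CorrelationId, State, UserName and SessionHostName exist (schema assumption).
function Get-ShortpathTransportSummary {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [timespan] $Lookback = [timespan]::FromDays(7)
    )
    $kql = @'
WVDConnections
| where State == "Connected"
| project CorrelationId, UserName, SessionHostName, ConnectedAt = TimeGenerated
| join kind=leftouter (
    WVDCheckpoints
    | where Name == "ShortpathRequested"
    | project CorrelationId, udpType = tostring(Parameters.udpType)
  ) on CorrelationId
| extend Transport = iff(isempty(udpType), "TCP reverse connect (no Shortpath)", udpType)
| summarize Sessions = count(), LastSeen = max(ConnectedAt) by UserName, SessionHostName, Transport
| order by Sessions desc
'@
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql -Timespan $Lookback
    $result.Results | Select-Object UserName, SessionHostName, Transport, Sessions, LastSeen
}

# Users or hosts that only ever appear on the TCP row have not picked up Shortpath.
Get-ShortpathTransportSummary -WorkspaceId '<workspace-guid>' | Format-Table -AutoSize
```

A host that shows Shortpath for some users but TCP for others usually points at the client side (client network UDP rules or the client version) rather than at the session host.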

Testing and validating RDP ShortPath for AVD Clients that uses Public Network

To validate that RDP Shortpath is in use, click the connection-quality icon in the connection bar at the top of the AVD session; you can see that the UDP protocol is being used and that latency is low.

Troubleshooting RDP Shortpath STUN Connectivity Using PowerShell

If you're unable to establish the connection using the RDP Shortpath transport, you can use the following PowerShell script to validate connectivity to the STUN servers.
As shown in the screenshot below, I'm able to reach one of the STUN server IPs.
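As an added example that is not the post's own script, the function below performs the same kind of STUN reachability check from PowerShell: it sends an RFC 5389 Binding Request over UDP 3478 and decodes the Binding Response, which is the exchange a Shortpath client must complete before a public-network UDP transport can be negotiated. The STUN server address is a placeholder; substitute the endpoint your environment uses.

```powershell
# Added example, not the post's script: send an RFC 5389 STUN Binding Request
# over UDP 3478 and parse the Binding Response, which is what the Shortpath
# client has to complete before a public-network UDP transport is negotiated.
# $StunServer is a placeholder; use the STUN endpoint your tenant relies on.
function Test-StunBinding {
    param(
        [Parameter(Mandatory)] [string] $StunServer,
        [int] $Port = 3478,
        [int] $TimeoutMs = 3000
    )
    $cookie = [byte[]](0x21, 0x12, 0xA4, 0x42)              # STUN magic cookie
    $txId = New-Object byte[] 12                            # 96-bit transaction ID
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($txId)
    # Header: type 0x0001 (Binding Request), length 0, cookie, transaction ID
    $request = [byte[]]((0x00, 0x01, 0x00, 0x00) + $cookie + $txId)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($StunServer, $Port)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
    } catch {
        return [pscustomobject]@{ Server = $StunServer; Reachable = $false; MappedAddress = $null; Error = $_.Exception.Message }
    } finally { $udp.Dispose() }

    # 0x0101 = Binding Success Response, and it must echo our transaction ID
    $ok = $reply.Length -ge 20 -and $reply[0] -eq 0x01 -and $reply[1] -eq 0x01 -and
          ([BitConverter]::ToString($reply, 8, 12) -eq [BitConverter]::ToString($txId))
    if (-not $ok) {
        return [pscustomobject]@{ Server = $StunServer; Reachable = $true; MappedAddress = $null; Error = 'Unexpected STUN reply' }
    }
    # Walk the TLV attributes for XOR-MAPPED-ADDRESS (0x0020), IPv4 family (0x01)
    $mapped = $null; $pos = 20
    while ($pos + 4 -le $reply.Length) {
        $type = ($reply[$pos] -shl 8) -bor $reply[$pos + 1]
        $len  = ($reply[$pos + 2] -shl 8) -bor $reply[$pos + 3]
        if ($type -eq 0x0020 -and $reply[$pos + 5] -eq 0x01) {
            $xport  = (($reply[$pos + 6] -shl 8) -bor $reply[$pos + 7]) -bxor 0x2112
            $octets = 0..3 | ForEach-Object { $reply[$pos + 8 + $_] -bxor $cookie[$_] }
            $mapped = ($octets -join '.') + ":$xport"   # your public IP:port as the server sees it
        }
        $pos += 4 + (($len + 3) -band -bnot 3)          # attribute values are padded to 4 bytes
    }
    [pscustomobject]@{ Server = $StunServer; Reachable = $true; MappedAddress = $mapped; Error = $null }
}

Test-StunBinding -StunServer '<stun-server-ip>' | Format-List
```

Reachable = $false with a timeout error means UDP 3478 is being dropped somewhere between the host and the STUN server (NSG, Azure Firewall or an on-premises edge), while a successful MappedAddress confirms the outbound UDP path the tables above require.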

Mahmoud A. ATALLAH

Microsoft MVP | Speaker | Azure Service Delivery Lead at Bespin Global MEA, helping customers build successful Azure practices. Talks about #AzureCloud and #AI
