Azure Virtual Desktop RDP Shortpath for managed networks

RDP Shortpath for managed networks is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between Remote Desktop Client and Session host. RDP uses this transport to deliver Remote Desktop and RemoteApp while offering better reliability and consistent latency.

Key benefits

  • RDP Shortpath transport is built on top of the Universal Rate Control Protocol (URCP). URCP enhances UDP with active monitoring of network conditions and provides fair and full link utilization while operating at the low delay and loss levels that Remote Desktop needs. URCP achieves this by dynamically learning network parameters and feeding them into its rate control mechanism.
  • RDP Shortpath establishes the direct connectivity between Remote Desktop client and Session Host. Direct connectivity reduces the dependency on the Azure Virtual Desktop gateways, improves the connection's reliability, and increases the bandwidth available for each user session.
  • The removal of extra relay reduces the round-trip time, which improves user experience with latency-sensitive applications and input methods.
  • RDP Shortpath adds support for configuring Quality of Service (QoS) priority for RDP connections through Differentiated Services Code Point (DSCP) marks.
  • RDP Shortpath transport allows limiting outbound network traffic by specifying a throttle rate for each session.

Connection security

RDP Shortpath extends the RDP multi-transport capabilities. It doesn't replace the reverse connect transport but complements it. All of the initial session brokering is still managed through the Azure Virtual Desktop infrastructure.

The session host uses the configured UDP port only for inbound Shortpath traffic that has already been authenticated over the reverse connect transport. The RDP Shortpath listener ignores any connection attempt that doesn't match an existing reverse connect session, so opening the port does not create a new unauthenticated entry point to the host.

RDP Shortpath uses a TLS connection between the client and the session host, using the session host's certificate. By default, the certificate used for RDP encryption is a self-signed certificate generated by the OS during deployment, which clients can't validate against a trusted authority. If desired, you can deploy centrally managed certificates issued by your enterprise certification authority so that clients can verify the host's identity. For more information about certificate configuration, see the Windows Server documentation.

RDP Shortpath connection sequence

After the reverse connect transport is established, the client and session host start the RDP connection and negotiate the multi-transport capabilities.

Here's how the session host negotiates multi-transport capabilities:

  1. The session host sends the list of its private and public IPv4 and IPv6 addresses to the client.
  2. The client starts the background thread to establish a parallel UDP-based transport directly to one of the host's IP addresses.
  3. While the client is probing the provided IP addresses, it continues the initial connection establishment over the reverse connect transport to ensure no delay in the user connection.
  4. If the client has a direct line of sight, the client establishes a secure TLS connection with the session host.
  5. After establishing the Shortpath transport, RDP moves all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection, to the new transport.
  6. If a firewall or network topology prevents the client from establishing direct UDP connectivity, RDP continues with a reverse connect transport.

The diagram below gives a high-level overview of the RDP Shortpath network connection.

Diagram of RDP Shortpath Network Connections

Requirements

To support RDP Shortpath, the Azure Virtual Desktop client needs a direct line of sight to the session host. You can get a direct line of sight by using one of these methods:

If you're using other VPN types to connect to Azure, we recommend using a User Datagram Protocol (UDP)-based VPN. While most Transmission Control Protocol (TCP)-based VPN solutions support nested UDP, they add the inherent overhead of TCP congestion control, which slows down RDP performance.

Having a direct line of sight means that the client can connect directly to the session host without being blocked by firewalls.

Configure RDP Shortpath for managed networks

To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpath listener on the session host. You can enable RDP Shortpath on any number of session hosts used in your environment. However, there's no requirement to enable RDP Shortpath on all hosts in your host pool.

To enable the RDP Shortpath listener:

  1. First, install administrative templates that add rules and settings for Azure Virtual Desktop. Download the Azure Virtual Desktop policy templates file (AVDGPTemplate.cab) and extract the contents of the .cab file and .zip archive.

  2. Copy the terminalserver-avd.admx file, then paste it into the %windir%\PolicyDefinitions folder.

  3. Copy the en-us\terminalserver-avd.adml file, then paste it into the %windir%\PolicyDefinitions\en-us folder.

  4. To confirm the files copied correctly, open the Group Policy Editor and go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Azure Virtual Desktop.

  5. You should see one or more Azure Virtual Desktop policies, as shown in the following screenshot.

    Screenshot of the group policy editor

    Note

    You can also install administrative templates to the group policy Central Store in your Active Directory domain. For more information about Central Store for Group Policy Administrative Templates, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

  6. Open the "Enable RDP Shortpath for managed networks" policy and set it to "Enabled". When you enable this policy setting, you can also configure the port number that the Azure Virtual Desktop session host uses to listen for incoming connections. The default port is UDP 3390; if you change it, use the same port in the firewall and network security group rules that follow.

  7. Restart your session host to apply the changes.
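The same listener setting can be applied without the Group Policy Editor. The script below is an added example, not code from the original article: it writes the registry values that the "Enable RDP Shortpath for managed networks" policy sets on the session host, warns if something else already holds the chosen UDP port, and reads the values back. It assumes the host is not receiving this setting from a domain GPO (a GPO would overwrite these values on the next refresh) and that the value names `fUseUdpPortRedirector` and `UdpPortNumber` under the Terminal Services policy key are the policy-backed values, which is how the policy template is documented to behave.

```powershell
# Added example (not from the original article). Enables the RDP Shortpath
# listener by setting the policy-backed registry values directly.
# Assumption: this host is not domain-managed for this setting; the value
# names below are the ones the "Enable RDP Shortpath for managed networks"
# policy writes.
[CmdletBinding()]
param(
    [ValidateRange(1, 65535)]
    [int]$UdpPort = 3390
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Warn early if another process already binds the port; the listener would
# otherwise fail silently after the restart.
$conflict = Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }
if ($conflict) {
    $owner = Get-Process -Id $conflict[0].OwningProcess -ErrorAction SilentlyContinue
    Write-Warning ("UDP port {0} is already bound by PID {1} ({2}); choose another port." -f
        $UdpPort, $conflict[0].OwningProcess, $owner.ProcessName)
}

if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# fUseUdpPortRedirector = 1 turns the listener on; UdpPortNumber is the port it binds.
Set-ItemProperty -Path $policyKey -Name 'fUseUdpPortRedirector' -Value 1 -Type DWord
Set-ItemProperty -Path $policyKey -Name 'UdpPortNumber' -Value $UdpPort -Type DWord

# Read back and report. The Remote Desktop Services stack only binds the
# listener after a restart, so RestartRequired is always reported as true.
$current = Get-ItemProperty -Path $policyKey
[PSCustomObject]@{
    ListenerEnabled = ($current.fUseUdpPortRedirector -eq 1)
    UdpPort         = $current.UdpPortNumber
    RestartRequired = $true
}
```

Run it in an elevated PowerShell session on the session host, then restart the host; the "Verify Shortpath listener" check later on this page confirms that TermService is bound to the port.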

Configure Windows Defender Firewall with Advanced Security

To allow inbound network traffic for RDP Shortpath, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules.

  1. Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security.
  2. In the navigation pane, select Inbound Rules.
  3. Select Action, and then select New rule.
  4. On the Rule Type page of the New Inbound Rule Wizard, select Custom, and then select Next.
  5. On the Program page, select This program path, and type "%SystemRoot%\system32\svchost.exe" then select Next.
  6. On the Protocol and Ports page, select the UDP protocol type. In the Local port, select "Specific ports" and enter the configured UDP port. If you've left the default settings on, the port number will be 3390.
  7. On the Scope page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select Next.
  8. On the Action page, select Allow the connection, and then select Next.
  9. On the Profile page, select the network location types to which this rule applies, and then select Next.
  10. On the Name page, enter a name and description for your rule, then select Finish.

When you're done, verify that the new rule matches the format in the following screenshots.

Screenshot of the General tab for Firewall configuration for RDP Shortpath Network Connections with Allow the connection option selected

Screenshot of the Programs and Services tab for Firewall configuration for RDP Shortpath Network Connections with Remote Desktop Services selected

Screenshot of the Protocols and Ports tab for Firewall configuration for RDP Shortpath Network Connections with UDP port 3390 configured

You can also use PowerShell to configure Windows Firewall:

New-NetFirewallRule -DisplayName 'Remote Desktop - Shortpath (UDP-In)'  -Action Allow -Description 'Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3390]' -Group '@FirewallAPI.dll,-28752' -Name 'RemoteDesktop-UserMode-In-Shortpath-UDP'  -PolicyStore PersistentStore -Profile Domain, Private -Service TermService -Protocol udp -LocalPort 3390 -Program '%SystemRoot%\system32\svchost.exe' -Enabled:True

Using PowerShell to configure Windows Defender Firewall

You can also use PowerShell to add the firewall rule to an existing Group Policy Object in your domain by running the following cmdlets.

# Replace $domainName value with the name of your Active Directory domain
# Replace $policyName value with the name of existing Group Policy Object
$domainName = "contoso.com"
$policyName = "RDP Shortpath Policy"
$gpoSession = Open-NetGPO -PolicyStore "$domainName\$policyName"
New-NetFirewallRule -DisplayName 'Remote Desktop - Shortpath (UDP-In)'  -Action Allow -Description 'Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3390]' -Group '@FirewallAPI.dll,-28752' -Name 'RemoteDesktop-UserMode-In-Shortpath-UDP' -Profile Domain, Private -Service TermService -Protocol udp -LocalPort 3390 -Program '%SystemRoot%\system32\svchost.exe' -Enabled:True -GPOSession $gpoSession
Save-NetGPO -GPOSession $gpoSession

Configuring Azure Network Security Group

To allow access to the RDP Shortpath listener across network security boundaries, you need to configure the Azure Network Security Group to allow inbound UDP port 3390 (or the port you configured in the policy). Follow the network security group documentation to create an inbound security rule with the following parameters:

  • Source - The IP range where the clients reside. "Any" also works, but it exposes the listener port to every address the NSG scope admits, so prefer the client range.
  • Source port ranges - *
  • Destination - Any
  • Destination port ranges - 3390
  • Protocol - UDP
  • Action - Allow
  • Optionally change the Priority. The priority affects the order in which rules are applied: the lower the numerical value, the earlier the rule is applied.
  • Name - RDP Shortpath

Disabling RDP Shortpath for a specific subnet

If you need to block specific subnets from using the RDP Shortpath transport, you can configure another network security group rule that denies UDP 3390 from those source IP ranges. Give the deny rule a lower priority number than the allow rule so it's evaluated first. Clients in a blocked subnet keep working, because the RDP connection falls back to the reverse connect transport.
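The two rules described above, the allow rule scoped to the client range and a higher-priority deny rule for one subnet, are shown together in the following Az PowerShell script. It is an added example and not code from the original article. It assumes the Az.Network module is installed, `Connect-AzAccount` has already been run, and the resource group, NSG name, client range and blocked subnet are placeholders to replace with your own values.

```powershell
# Added example (not from the original article). Creates the inbound allow
# rule for the RDP Shortpath listener, scoped to the client range, plus a
# higher-priority deny rule for one subnet that must stay on reverse connect.
# Assumptions: Az.Network is installed and Connect-AzAccount has been run;
# the names and address ranges below are placeholders.
$resourceGroup = 'rg-avd-prod'            # placeholder
$nsgName       = 'nsg-avd-sessionhosts'   # placeholder
$clientRange   = '10.10.0.0/16'           # placeholder: where managed-network clients reside
$blockedSubnet = '10.10.50.0/24'          # placeholder: subnet that must not use Shortpath
$udpPort       = 3390                     # must match the port set in the policy

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Deny rule first with the lower priority number, so it is evaluated before
# the allow rule. Clients in this subnet fall back to reverse connect.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Deny-RDP-Shortpath-Subnet' `
    -Description "Keep $blockedSubnet on the reverse connect transport" `
    -Direction Inbound -Access Deny -Protocol Udp -Priority 900 `
    -SourceAddressPrefix $blockedSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $udpPort | Out-Null

# Allow rule scoped to the client range rather than "Any".
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'RDP-Shortpath' `
    -Description 'Inbound UDP for the RDP Shortpath listener' `
    -Direction Inbound -Access Allow -Protocol Udp -Priority 1000 `
    -SourceAddressPrefix $clientRange -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange $udpPort | Out-Null

# Commit both rules in one update, then show the rules that touch the port
# in the order the platform evaluates them.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

(Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup).SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.DestinationPortRange -contains "$udpPort" } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix -AutoSize
```

`Add-AzNetworkSecurityRuleConfig` fails if a rule with the same name already exists in the NSG; use `Set-AzNetworkSecurityRuleConfig` to change an existing rule instead.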

Verify your network connectivity

Next, you'll need to make sure your connections are using RDP Shortpath. You can check this with the "Connection Information" dialog on the client, with the event logs on the session host, or by using Log Analytics.

Connection Information dialog

To make sure a connection is using RDP Shortpath, open the "Connection Information" dialog by going to the connection bar at the top of the screen and selecting the antenna icon, as shown in the following screenshots.

Image of Remote Desktop Connection Bar

Image of Remote Desktop Connection Info dialog

Using event logs

To make sure your session is using RDP Shortpath transport:

  1. Use the Azure Virtual Desktop client of your choice to connect to your VM desktop.
  2. Open Event Viewer, then go to Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreCDV > Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational.
  3. If you can see Event ID 131, then your network is using RDP Shortpath transport.
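Checking the event log by hand works for one host; the script below is an added example, not code from the original article, that does the same check from PowerShell so it can be run across a host pool with `Invoke-Command`. It assumes that the Event ID 131 message text names the transport ("UDP" or "TCP"), which is how the equivalent RdpCoreTS event is worded; treat the tally as indicative and confirm an individual session with the Connection Information dialog.

```powershell
# Added example (not from the original article). Lists recent Event ID 131
# entries from the RdpCoreCDV operational log on a session host and tallies
# how many of them report a UDP transport.
# Assumption: the event message names the transport ("UDP" / "TCP").
[CmdletBinding()]
param(
    [int]$MaxEvents = 200
)

$logName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational'

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 131 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No Event ID 131 entries in $logName. Either no Shortpath connection has been accepted since the log was cleared, or the log is disabled."
    return
}

$rows = foreach ($e in $events) {
    # Classify on the first line of the message; anything that names neither
    # transport is reported as Unknown rather than guessed.
    $firstLine = ($e.Message -split "`r?`n")[0]
    $transport = if ($firstLine -match '\bUDP\b') { 'UDP' }
                 elseif ($firstLine -match '\bTCP\b') { 'TCP' }
                 else { 'Unknown' }
    [PSCustomObject]@{
        Time      = $e.TimeCreated
        Transport = $transport
        Message   = $firstLine
    }
}

# Most recent accepted connections, then a per-transport count.
$rows | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
$rows | Group-Object Transport | Select-Object Name, Count
```

If every row is TCP even though the listener is bound, the client most likely has no direct line of sight to the host: check the firewall rule, the NSG rule and the VPN type before looking at the host itself.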

Use Log Analytics

If you're using Azure Log Analytics, you can monitor connections by querying the WVDConnections table. A column named UdpUse indicates whether Azure Virtual Desktop RDP Stack is using UDP protocol on the current user connection. The possible values are:

  • 0 - user connection isn't using RDP Shortpath
  • 1 - The user connection is using RDP Shortpath for managed networks.

The following query lets you review connection information, including whether each session used RDP Shortpath. You can run it in the Log Analytics query editor. Replace userupn with the UPN of the user you want to look up.

let Events = WVDConnections | where UserName == "userupn" ;
Events
| where State == "Connected"
| project CorrelationId , UserName, ResourceAlias , StartTime=TimeGenerated, UdpUse, SessionHostName, SessionHostSxSStackVersion
| join (Events
| where State == "Completed"
| project EndTime=TimeGenerated, CorrelationId, UdpUse)
on CorrelationId
| project StartTime, Duration = EndTime - StartTime, ResourceAlias, UdpUse,  SessionHostName, SessionHostSxSStackVersion
| sort by StartTime asc

Troubleshooting

Verify Shortpath listener

To verify that the UDP listener is enabled and owned by the Remote Desktop Services process, use the following PowerShell command on the session host:

Get-NetUDPEndpoint -OwningProcess ((Get-WmiObject win32_service -Filter "name = 'TermService'").ProcessId)  -LocalPort 3390

If the listener is enabled, you'll see output like the following:

LocalAddress                             LocalPort
------------                             ---------
::                                       3390
0.0.0.0                                  3390

If the command returns nothing, another process may already hold the port. You can identify the process that's blocking the port by running the following command:

Get-Process -id (Get-NetUDPEndpoint  -LocalPort 3390 -LocalAddress 0.0.0.0).OwningProcess

Disabling RDP Shortpath

In some cases, you may need to disable the RDP Shortpath transport. You can disable RDP Shortpath by using Group Policy on either the client or the session host; in both cases the connection falls back to the reverse connect transport.

Disabling RDP Shortpath on the client

To disable RDP Shortpath for a specific client, you can use the following Group Policy to disable the UDP support:

  1. On the client, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client.
  3. Set the "Turn Off UDP On Client" setting to Enabled.

Disable RDP Shortpath on the session host

To disable RDP Shortpath for a specific session host, you can use the following Group Policy to disable the UDP support:

  1. On the session host, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
  3. Set the "Select RDP Transport Protocols" setting to TCP Only.

Next steps