Azure Virtual Desktop RDP Shortpath (preview)

Important

RDP Shortpath is currently in public preview. This preview is provided without a service level agreement, and we don't recommend using it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between the Remote Desktop client and the session host. RDP uses this transport to deliver Remote Desktop and RemoteApp sessions with better reliability and more consistent latency.

Key benefits

  • The RDP Shortpath transport is built on the Universal Rate Control Protocol (URCP). URCP enhances UDP with active monitoring of network conditions and provides fair and full link utilization. It operates at the low delay and loss levels that Remote Desktop needs, and achieves the best performance by dynamically learning network parameters and giving the protocol a rate-control mechanism.
  • RDP Shortpath establishes the direct connectivity between Remote Desktop client and Session Host. Direct connectivity reduces the dependency on the Azure Virtual Desktop gateways, improves the connection's reliability, and increases the bandwidth available for each user session.
  • The removal of additional relay reduces the round-trip time, which improves user experience with latency-sensitive applications and input methods.
  • RDP Shortpath adds support for configuring Quality of Service (QoS) priority for RDP connections through Differentiated Services Code Point (DSCP) marks.
  • RDP Shortpath transport allows limiting outbound network traffic by specifying a throttle rate for each session.

Connection security

RDP Shortpath extends RDP's multi-transport capabilities. It complements the reverse connect transport rather than replacing it. All initial session brokering is still managed through the Azure Virtual Desktop infrastructure.

UDP port 3390 is used only for incoming Shortpath traffic that has been authenticated over the reverse connect transport. The RDP Shortpath listener ignores all connection attempts unless they match an existing reverse connect session.

RDP Shortpath uses a TLS connection between the client and the session host, authenticated with the session host's certificate. By default, the certificate used for RDP encryption is self-generated by the OS during deployment. If desired, customers may deploy centrally managed certificates issued by their enterprise certification authority. For more information about certificate configuration, see the Windows Server documentation.
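Because the TLS handshake above is only as trustworthy as the certificate the session host presents, a practitioner will want to confirm which certificate the RDP listener is actually using and whether it is still the OS-generated self-signed one. The following PowerShell is an added example, not code from this page or from Microsoft; it assumes the listener is named RDP-Tcp (the default) and that the certificate lives either in the Remote Desktop store (OS-generated) or in the local machine My store (enterprise-issued). Run it in an elevated PowerShell window on the session host.

```powershell
# Added example (not from the Azure Virtual Desktop docs): report the certificate the RDP
# listener presents for TLS and whether it is self-signed. Assumes the default listener
# name 'RDP-Tcp'. Run elevated on the session host.

# The RDP listener records the SHA-1 thumbprint of its TLS certificate in Win32_TSGeneralSetting.
$tsSetting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumbprint = $tsSetting.SSLCertificateSHA1Hash

# The OS-generated certificate lives in the 'Remote Desktop' store; enterprise-issued
# certificates are normally placed in the machine 'My' store.
$cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $thumbprint } |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate with thumbprint $thumbprint found in the expected stores."
    return
}

# A self-signed certificate has the same subject and issuer.
$isSelfSigned = ($cert.Subject -eq $cert.Issuer)

[pscustomobject]@{
    Thumbprint   = $cert.Thumbprint
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    SelfSigned   = $isSelfSigned
    DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
}
```

If SelfSigned comes back True on a host where you intended to use an enterprise-issued certificate, the listener has not picked up the managed certificate yet; the DaysToExpiry column is also useful as a simple input to expiry monitoring.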

RDP Shortpath connection sequence

After establishing the reverse connect transport, the client and session host establish the RDP connection and negotiate multi-transport capabilities. The additional steps are described below:

  1. The session host sends the list of its private and public IPv4 and IPv6 addresses to the client.
  2. The client starts the background thread to establish a parallel UDP-based transport directly to one of the host's IP addresses.
  3. While the client is probing the provided IP addresses, it continues the initial connection establishment over the reverse connect transport to ensure no delay in the user connection.
  4. If the client has a direct line of sight and the firewall configuration is correct, the client establishes a secure TLS connection with the session host.
  5. After establishing the Shortpath transport, RDP moves all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection to the new transport.
  6. If a firewall or network topology prevents the client from establishing direct UDP connectivity, RDP continues with the reverse connect transport.

The diagram below gives a high-level overview of the RDP Shortpath network connection.

Diagram of RDP Shortpath Network Connections

Requirements

To support RDP Shortpath, the Azure Virtual Desktop client needs a direct line of sight to the session host. You can get a direct line of sight by using one of the following technologies:

If you're using other VPN types to connect to the Azure virtual network, we recommend a UDP-based VPN for the best results. While most TCP-based VPN solutions encapsulate all IP packets, including UDP, they add the inherent overhead of TCP congestion control, which slows down RDP performance.

Direct line of sight means that firewalls aren't blocking UDP port 3390 and that the client can reach the session host directly.

Enabling RDP Shortpath preview

To participate in the preview of RDP Shortpath, you need to enable the RDP Shortpath listener on the session host. You can enable RDP Shortpath on any number of session hosts in your environment; there's no requirement to enable it on all hosts in the pool. To enable the Shortpath listener, configure the following registry values:

Warning

Serious problems might occur if you modify the registry incorrectly using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

  1. On the session host, start Regedit.exe, and then navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
    
  2. Create a new DWORD value named fUseUdpPortRedirector and set it to 1 (decimal).

  3. Create a new DWORD value named UdpPortNumber and set it to 3390 (decimal).

  4. Quit Registry Editor.

  5. Restart the session host.

You can also run the following cmdlets in an elevated PowerShell window to set these registry values:

$WinstationsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
New-ItemProperty -Path $WinstationsKey -Name 'fUseUdpPortRedirector' -ErrorAction:SilentlyContinue -PropertyType:dword -Value 1 -Force
New-ItemProperty -Path $WinstationsKey -Name 'UdpPortNumber' -ErrorAction:SilentlyContinue -PropertyType:dword -Value 3390 -Force

You can also use PowerShell to configure Group Policy:

# Replace $domainName value with the name of your Active Directory domain
# Replace $policyName value with the name of existing Group Policy Object
$domainName = "contoso.com"
$policyName = "RDP Shortpath Policy"
Set-GPPrefRegistryValue -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations' -ValueName 'fUseUdpPortRedirector' -Value 1 -Type:DWord  -Action:Create -Context:Computer -Name $policyName -Domain $domainName
Set-GPPrefRegistryValue -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations' -ValueName 'UdpPortNumber' -Value 3390 -Type:DWord  -Action:Create -Context:Computer -Name $policyName -Domain $domainName

Configure Windows Defender Firewall with Advanced Security

To allow inbound network traffic for RDP Shortpath, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules.

  1. Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security.
  2. In the navigation pane, select Inbound Rules.
  3. Select Action, and then select New rule.
  4. On the Rule Type page of the New Inbound Rule Wizard, select Custom, and then select Next.
  5. On the Program page, select This program path, type "%SystemRoot%\system32\svchost.exe", and then select Next.
  6. On the Protocol and Ports page, select the UDP protocol type. For Local port, select Specific ports and type 3390, and then select Next.
  7. On the Scope page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select Next.
  8. On the Action page, select Allow the connection, and then select Next.
  9. On the Profile page, select the network location types to which this rule applies, and then select Next.
  10. On the Name page, type a name and description for your rule, and then select Finish.

You can verify that the new rule matches the screenshots below:

Screenshot of the General tab for Firewall configuration for RDP Shortpath Network Connections

Screenshot of the Programs and Services tab for Firewall configuration for RDP Shortpath Network Connections

Screenshot of the Protocols and Ports tab for Firewall configuration for RDP Shortpath Network Connections

You can also use PowerShell to configure Windows Firewall:

New-NetFirewallRule -DisplayName 'Remote Desktop - Shortpath (UDP-In)'  -Action Allow -Description 'Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3390]' -Group '@FirewallAPI.dll,-28752' -Name 'RemoteDesktop-UserMode-In-Shortpath-UDP'  -PolicyStore PersistentStore -Profile Domain, Private -Service TermService -Protocol udp -LocalPort 3390 -Program '%SystemRoot%\system32\svchost.exe' -Enabled:True

Using PowerShell to configure Windows Defender Firewall

You can also use PowerShell to configure the firewall rule through Group Policy:

# Replace $domainName value with the name of your Active Directory domain
# Replace $policyName value with the name of existing Group Policy Object
$domainName = "contoso.com"
$policyName = "RDP Shortpath Policy"
$gpoSession = Open-NetGPO -PolicyStore "$domainName\$policyName"
New-NetFirewallRule -DisplayName 'Remote Desktop - Shortpath (UDP-In)'  -Action Allow -Description 'Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3390]' -Group '@FirewallAPI.dll,-28752' -Name 'RemoteDesktop-UserMode-In-Shortpath-UDP' -Profile Domain, Private -Service TermService -Protocol udp -LocalPort 3390 -Program '%SystemRoot%\system32\svchost.exe' -Enabled:True -GPOSession $gpoSession
Save-NetGPO -GPOSession $gpoSession

Configuring Azure Network Security Group

To allow access to the RDP Shortpath listener across network security boundaries, you need to configure an Azure network security group to allow inbound UDP port 3390. Follow the network security group documentation to create an inbound security rule with the following parameters:

  • Source - Any or the IP range where the clients are residing
  • Source port ranges - *
  • Destination - Any
  • Destination port ranges - 3390
  • Protocol - UDP
  • Action - Allow
  • Optionally change the Priority. The priority affects the order in which rules are applied: the lower the numerical value, the earlier the rule is applied.
  • Name - RDP Shortpath

Disabling RDP Shortpath for a specific subnet

If you need to block specific subnets from using the RDP Shortpath transport, configure additional network security groups that specify those subnets as the source IP ranges.
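The NSG rule parameters listed above, together with a per-subnet block, can also be applied with Az PowerShell. The script below is an added example, not code from this page or from Microsoft. It assumes an existing Connect-AzAccount session, the Az.Network module, and placeholder names for the resource group (rg-avd), the NSG (nsg-avd-hosts), the client range (10.10.0.0/16) and the blocked subnet (10.10.50.0/24); replace them with your own. It goes one step beyond the text by placing the subnet block as a Deny rule in the same NSG rather than in an additional NSG, which relies on the priority ordering the text describes: the lower number is evaluated first, so the Deny rule must carry a lower number than the Allow rule.

```powershell
# Added example (not from the Azure Virtual Desktop docs). All names and address ranges
# below are placeholders. Requires Az.Network and an existing Connect-AzAccount session.
$rgName       = 'rg-avd'            # placeholder resource group
$nsgName      = 'nsg-avd-hosts'     # placeholder NSG attached to the session host subnet/NICs
$clientRange  = '10.10.0.0/16'      # placeholder: where the Remote Desktop clients reside
$blockedRange = '10.10.50.0/24'     # placeholder: subnet that must keep using reverse connect only

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# Deny rule for the excluded subnet. A lower priority number is evaluated first, so 190
# wins over the 200 allow rule below for traffic from $blockedRange.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Shortpath-Subnet' `
    -Description 'Block RDP Shortpath (UDP 3390) from a specific subnet' `
    -Direction Inbound -Access Deny -Priority 190 -Protocol Udp `
    -SourceAddressPrefix $blockedRange -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3390 | Out-Null

# Allow rule with the parameters from the list above, scoped to the client range
# instead of 'Any'. NSG rule names cannot contain spaces, hence 'RDP-Shortpath'.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'RDP-Shortpath' `
    -Description 'Allow RDP Shortpath (UDP 3390) from the client range' `
    -Direction Inbound -Access Allow -Priority 200 -Protocol Udp `
    -SourceAddressPrefix $clientRange -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3390 | Out-Null

# Commit both rules, then list the UDP 3390 rules in the order Azure evaluates them.
$nsg = $nsg | Set-AzNetworkSecurityGroup
$nsg.SecurityRules |
    Where-Object { $_.Protocol -eq 'Udp' -and $_.DestinationPortRange -contains '3390' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

The final table is the check worth keeping: if the Deny rule does not appear above the Allow rule, the priorities are inverted and the blocked subnet can still reach the listener.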

Verifying the connectivity

Using Connection Information dialog

To verify that connections are using RDP Shortpath, open the "Connection Information" dialog by clicking the antenna icon in the connection toolbar.

Image of Remote Desktop Connection Bar

Image of Remote Desktop Connection Info dialog

Using event logs

To verify that a session is using the RDP Shortpath transport:

  1. Connect to the desktop of the VM using Azure Virtual Desktop client.
  2. Launch the Event Viewer and navigate to the following node: Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreCDV > Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational
  3. To determine if RDP Shortpath transport is used, look for event ID 131.
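The same check can be scripted so that it can be run across hosts instead of clicked through in Event Viewer. The PowerShell below is an added example, not code from this page or from Microsoft. It reads event ID 131 from the Operational log named above for the last 24 hours and classifies each event by transport. The classification is a plain substring match for "UDP" in the event message, which is an assumption about the event wording rather than a documented contract; adjust the pattern if your events are phrased differently.

```powershell
# Added example (not from the Azure Virtual Desktop docs): summarize event ID 131 from the
# RdpCoreCDV Operational log by transport. The 'UDP' substring match is an assumption about
# the event text. Run in an elevated PowerShell window on the session host.
$logName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational'
$since   = (Get-Date).AddHours(-24)

# Get-WinEvent throws when nothing matches, so suppress that and test the result instead.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 131; StartTime = $since } `
    -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No event 131 in $logName since $since; no transport was established in that window."
    return
}

$events | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        # Assumption: the message names the transport; 'UDP' indicates RDP Shortpath.
        Transport = if ($_.Message -match 'UDP') { 'UDP (Shortpath)' } else { 'TCP (reverse connect)' }
        Message   = ($_.Message -split "`n")[0]
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

A host on which every recent event shows the TCP transport, even though the listener is enabled, usually points at a firewall or NSG that is not passing UDP 3390; the Troubleshooting section below covers the listener-side checks.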

Using Log Analytics to verify Shortpath connectivity

If you are using Azure Log Analytics, you can monitor connections by querying the WVDConnections table. A column named UdpUse indicates whether the Azure Virtual Desktop RDP stack uses the UDP protocol for the current user connection. The possible values are:

  • 0 - user connection isn't using RDP Shortpath
  • 1 - user connection is using RDP Shortpath

The following query lets you review connection information. You can run it in the Log Analytics query editor. Replace userupn with the UPN of the user you want to look up.

let Events = WVDConnections | where UserName == "userupn" ;
Events
| where State == "Connected"
| project CorrelationId , UserName, ResourceAlias , StartTime=TimeGenerated, UdpUse, SessionHostName, SessionHostSxSStackVersion
| join (Events
| where State == "Completed"
| project EndTime=TimeGenerated, CorrelationId, UdpUse)
on CorrelationId
| project StartTime, Duration = EndTime - StartTime, ResourceAlias, UdpUse,  SessionHostName, SessionHostSxSStackVersion
| sort by StartTime asc

Troubleshooting

Verify Shortpath listener

To verify that the UDP listener is enabled, run the following PowerShell command on the session host:

Get-NetUDPEndpoint -OwningProcess ((Get-WmiObject win32_service -Filter "name = 'TermService'").ProcessId)  -LocalPort 3390

If the listener is enabled, you'll see output like the following:

LocalAddress                             LocalPort
------------                             ---------
::                                       3390
0.0.0.0                                  3390

If there is a conflict, you can identify the process occupying the port with the following command:

Get-Process -id (Get-NetUDPEndpoint  -LocalPort 3390 -LocalAddress 0.0.0.0).OwningProcess
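The listener and port-conflict checks above only cover the last link in the chain; when Shortpath silently falls back to reverse connect, the cause is just as often a missing registry value, a firewall rule that was never created, or a Group Policy that forces TCP. The script below is an added example, not code from this page or from Microsoft. It runs every host-side check this page configures in one pass and prints a row per check. It assumes the firewall rule was created with the name used in this page's New-NetFirewallRule example (RemoteDesktop-UserMode-In-Shortpath-UDP), and it reads SelectTransport under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, the registry value behind the "Select RDP Transport Protocols" policy described in the Disabling section (1 = TCP Only). Run it in an elevated PowerShell window on the session host.

```powershell
# Added example (not from the Azure Virtual Desktop docs): one pass over the host-side
# settings this page configures. Assumes the firewall rule name from the page's example.
$winstations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$port        = 3390
$ruleName    = 'RemoteDesktop-UserMode-In-Shortpath-UDP'

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# 1. Registry values from the "Enabling RDP Shortpath preview" section.
$reg = Get-ItemProperty -Path $winstations -ErrorAction SilentlyContinue
Add-Check 'fUseUdpPortRedirector = 1' ($reg.fUseUdpPortRedirector -eq 1) "value: $($reg.fUseUdpPortRedirector)"
Add-Check "UdpPortNumber = $port"     ($reg.UdpPortNumber -eq $port)    "value: $($reg.UdpPortNumber)"

# 2. "Select RDP Transport Protocols" policy: SelectTransport = 1 means TCP Only, which
#    defeats Shortpath even with the listener enabled. Absent means not configured.
$pol     = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$tcpOnly = ($null -ne $pol -and $pol.SelectTransport -eq 1)
$polText = if ($null -ne $pol -and $null -ne $pol.SelectTransport) { $pol.SelectTransport } else { '<not set>' }
Add-Check 'Transport policy is not TCP Only' (-not $tcpOnly) "SelectTransport: $polText"

# 3. Firewall: an enabled inbound Allow rule for UDP 3390 under the assumed rule name.
$rule       = Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue
$portFilter = if ($rule) { $rule | Get-NetFirewallPortFilter } else { $null }
$ruleOk     = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Direction -eq 'Inbound' -and
                     $rule.Action -eq 'Allow' -and $portFilter.Protocol -eq 'UDP' -and
                     "$($portFilter.LocalPort)" -eq "$port")
$ruleText   = if ($rule) { "enabled=$($rule.Enabled) proto=$($portFilter.Protocol) port=$($portFilter.LocalPort)" } else { 'rule not found' }
Add-Check "Firewall rule allows UDP $port inbound" $ruleOk $ruleText

# 4. Listener: TermService must own UDP 3390, and no other process may hold it.
$termSvcPid = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId
$endpoints  = @(Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue)
$ownedByTs  = @($endpoints | Where-Object { $_.OwningProcess -eq $termSvcPid })
$others     = @($endpoints | Where-Object { $_.OwningProcess -ne $termSvcPid })
Add-Check "TermService listening on UDP $port" ($ownedByTs.Count -gt 0) ("addresses: " + (($ownedByTs | ForEach-Object LocalAddress) -join ', '))
if ($others.Count -gt 0) {
    $names = ($others | ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }) -join ', '
    Add-Check "No other process on UDP $port" $false "conflict: $names"
} else {
    Add-Check "No other process on UDP $port" $true 'none'
}

$results | Format-Table -AutoSize
```

Any row with OK = False is the first thing to fix; the Detail column carries the observed value so the script output can be pasted into a ticket without rerunning the individual commands.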

Disabling RDP Shortpath

In some cases, you may need to disable the RDP Shortpath transport. You can disable RDP Shortpath by using Group Policy.

Disabling RDP Shortpath on the client

To disable RDP Shortpath for a specific client, use the following Group Policy setting to disable UDP support:

  1. On the client, run gpedit.msc.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client.
  3. Set the "Turn Off UDP On Client" setting to Enabled.

Disabling RDP Shortpath on the session host

To disable RDP Shortpath for a specific session host, use the following Group Policy setting to disable UDP support:

  1. On the session host, run gpedit.msc.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
  3. Set the "Select RDP Transport Protocols" setting to TCP Only.

Public preview feedback

We'd like to hear from you about your experiences with this public preview!

Next steps