Azure Virtual Desktop RDP Shortpath (preview)
RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between Remote Desktop Client and Session host. RDP uses this transport to deliver Remote Desktop and RemoteApp while offering better reliability and consistent latency.
- RDP Shortpath transport is built on top of the highly efficient Universal Rate Control Protocol (URCP). URCP enhances UDP with active monitoring of the network conditions and provides fair and full link utilization. URCP operates at the low delay and loss levels needed by Remote Desktop. URCP achieves the best performance by dynamically learning network parameters and providing the protocol with a rate control mechanism.
- RDP Shortpath establishes the direct connectivity between Remote Desktop client and Session Host. Direct connectivity reduces the dependency on the Azure Virtual Desktop gateways, improves the connection's reliability, and increases the bandwidth available for each user session.
- The removal of additional relay reduces the round-trip time, which improves user experience with latency-sensitive applications and input methods.
- RDP Shortpath supports configuring Quality of Service (QoS) priority for RDP connections through Differentiated Services Code Point (DSCP) marks.
- RDP Shortpath transport allows limiting outbound network traffic by specifying a throttle rate for each session.
RDP Shortpath extends the RDP multi-transport capabilities. It doesn't replace the reverse connect transport but complements it. All of the initial session brokering is managed through the Azure Virtual Desktop infrastructure.
UDP port 3390 is used only for incoming Shortpath traffic that has been authenticated over the reverse connect transport. The RDP Shortpath listener ignores all connection attempts unless they match the reverse connect session.
RDP Shortpath uses a TLS connection between the client and the session host using the session host's certificates. By default, the certificate used for RDP encryption is self-generated by the OS during the deployment. If desired, customers may deploy centrally managed certificates issued by the enterprise certification authority. For more information about certificate configurations, see Windows Server documentation.
RDP Shortpath connection sequence
After establishing the reverse connect transport, the client and session host establish the RDP connection and negotiate multi-transport capabilities. The additional steps are described below:
- The session host sends the list of its private and public IPv4 and IPv6 addresses to the client.
- The client starts a background thread to establish a parallel UDP-based transport directly to one of the host's IP addresses.
- While the client is probing the provided IP addresses, it continues the initial connection establishment over the reverse connect transport to ensure no delay in the user connection.
- If the client has a direct line of sight and the firewall configuration is correct, the client establishes a secure TLS connection with the session host.
- After establishing the Shortpath transport, RDP moves all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection, to the new transport.
- If a firewall or network topology prevents the client from establishing direct UDP connectivity, RDP continues with the reverse connect transport.
The diagram below gives a high-level overview of the RDP Shortpath network connection.
To support RDP Shortpath, the Azure Virtual Desktop client needs a direct line of sight to the session host. The remote client machines must be running either Windows 10 or Windows 7 and have the Windows Desktop client installed; currently, the web client is not supported. You can get a direct line of sight by using one of the following technologies:
- ExpressRoute private peering
- Site-to-Site VPN (IPsec based)
- Point-to-Site VPN (IPsec based)
- Public IP address assignment
If you're using other VPN types to connect to the Azure virtual network, we recommend using a UDP-based VPN for the best results. While the majority of TCP-based VPN solutions encapsulate all IP packets, including UDP, they add the inherent overhead of TCP congestion control, which slows down RDP performance.
The direct line of sight means that firewalls aren't blocking UDP port 3390 and the client can connect directly to the session host.
Enabling RDP Shortpath preview
To participate in the preview of RDP Shortpath, you need to enable the RDP Shortpath listener on the session host. You can enable RDP Shortpath on any number of session hosts used in your environment. There's no requirement to enable RDP Shortpath on all hosts in the pool. To enable the Shortpath listener, you need to configure the following registry values:
Serious problems might occur if you modify the registry incorrectly using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
On the session host, start Regedit.exe, and then navigate to the following location: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
- Create a new DWORD value named fUseUdpPortRedirector and set it to 1 (decimal).
- Create a new DWORD value named UdpPortNumber and set it to 3390 (decimal).
- Quit Registry Editor.
- Restart the session host.
You can also run the following cmdlets in an elevated PowerShell window to set these registry values:
$WinstationsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
New-ItemProperty -Path $WinstationsKey -Name 'fUseUdpPortRedirector' -ErrorAction:SilentlyContinue -PropertyType:dword -Value 1 -Force
New-ItemProperty -Path $WinstationsKey -Name 'UdpPortNumber' -ErrorAction:SilentlyContinue -PropertyType:dword -Value 3390 -Force
You can also use PowerShell to configure these values through Group Policy:
# Replace $domainName value with the name of your Active Directory domain
# Replace $policyName value with the name of an existing Group Policy Object
$domainName = "contoso.com"
$policyName = "RDP Shortpath Policy"
Set-GPPrefRegistryValue -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations' -ValueName 'fUseUdpPortRedirector' -Value 1 -Type:DWord -Action:Create -Context:Computer -Name $policyName -Domain $domainName
Set-GPPrefRegistryValue -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations' -ValueName 'UdpPortNumber' -Value 3390 -Type:DWord -Action:Create -Context:Computer -Name $policyName -Domain $domainName
Configure Windows Defender Firewall with Advanced Security
To allow inbound network traffic for RDP Shortpath, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules.
- Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security.
- In the navigation pane, select Inbound Rules.
- Select Action, and then select New rule.
- On the Rule Type page of the New Inbound Rule Wizard, select Custom, and then select Next.
- On the Program page, select This program path, type %SystemRoot%\system32\svchost.exe, and then select Next.
- On the Protocol and Ports page, select the UDP protocol type. For Local port, select Specific ports and type 3390.
- On the Scope page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select Next.
- On the Action page, select Allow the connection, and then select Next.
- On the Profile page, select the network location types to which this rule applies, and then select Next.
- On the Name page, type a name and description for your rule, and then select Finish.
You can also use PowerShell to configure Windows Firewall:
New-NetFirewallRule -DisplayName 'Remote Desktop - Shortpath (UDP-In)' `
    -Action Allow `
    -Description 'Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3390]' `
    -Group '@FirewallAPI.dll,-28752' `
    -Name 'RemoteDesktop-UserMode-In-Shortpath-UDP' `
    -PolicyStore PersistentStore `
    -Profile Domain, Private `
    -Service TermService `
    -Protocol udp `
    -LocalPort 3390 `
    -Program '%SystemRoot%\system32\svchost.exe' `
    -Enabled:True
Using PowerShell to configure Windows Defender Firewall
You can also use PowerShell to configure the firewall rule through Group Policy:
# Replace $domainName value with the name of your Active Directory domain
# Replace $policyName value with the name of an existing Group Policy Object
$domainName = "contoso.com"
$policyName = "RDP Shortpath Policy"
$gpoSession = Open-NetGPO -PolicyStore "$domainName\$policyName"
New-NetFirewallRule -DisplayName 'Remote Desktop - Shortpath (UDP-In)' `
    -Action Allow `
    -Description 'Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3390]' `
    -Group '@FirewallAPI.dll,-28752' `
    -Name 'RemoteDesktop-UserMode-In-Shortpath-UDP' `
    -Profile Domain, Private `
    -Service TermService `
    -Protocol udp `
    -LocalPort 3390 `
    -Program '%SystemRoot%\system32\svchost.exe' `
    -Enabled:True `
    -GPOSession $gpoSession
Save-NetGPO -GPOSession $gpoSession
Configuring Azure Network Security Group
To allow access to the RDP Shortpath listener across network security boundaries, you need to configure the Azure Network Security Group to allow inbound UDP port 3390. Follow the network security group documentation to create an inbound security rule allowing traffic with the following parameters:
- Source - Any or the IP range where the clients are residing
- Source port ranges - *
- Destination - Any
- Destination port ranges - 3390
- Protocol - UDP
- Action - Allow
- Optionally change the Priority. The priority affects the order in which rules are applied: the lower the numerical value, the earlier the rule is applied.
- Name - RDP Shortpath
Disabling RDP Shortpath for a specific subnet
If you need to block specific subnets from using the RDP Shortpath transport, you can configure additional network security group rules that specify those subnets as the Source IP ranges.
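The two NSG rules described above, written with the Az.Network cmdlets as an added example (not code from the article or from Microsoft). The resource group, NSG name and excluded subnet are placeholders; the example also shows why the Deny rule for the excluded subnet needs the lower priority number.

```powershell
# Added example, not from the original article. Assumes the Az.Network module, an existing
# NSG in an existing resource group, and a client subnet to exclude; all three values are placeholders.
$resourceGroup = 'rg-avd-example'          # placeholder
$nsgName       = 'nsg-avd-sessionhosts'    # placeholder
$blockedSubnet = '10.20.30.0/24'           # placeholder: subnet that must stay on reverse connect

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Lower priority number = evaluated first. The Deny for the excluded subnet must sit above
# the general Allow; if the Allow had the lower number it would match first and the Deny
# would never be reached.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-RDPShortpath-Subnet' `
    -Description 'Keep this subnet on the reverse connect transport' `
    -Direction Inbound -Access Deny -Protocol Udp -Priority 100 `
    -SourceAddressPrefix $blockedSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3390 | Out-Null

# Source '*' matches the "Any" option in the article; narrow it to the client IP ranges
# where your design allows it.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'RDP-Shortpath' `
    -Description 'Allow the RDP Shortpath listener (UDP 3390)' `
    -Direction Inbound -Access Allow -Protocol Udp -Priority 110 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3390 | Out-Null

# Commit both rules, then print the resulting evaluation order for review
$nsg = $nsg | Set-AzNetworkSecurityGroup
$nsg.SecurityRules | Where-Object DestinationPortRange -eq '3390' |
    Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, Protocol
```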
Verifying the connectivity
Using Connection Information dialog
To verify that connections are using RDP Shortpath, open the “Connection Information” dialog by clicking on the antenna icon in the connection toolbar.
Using event logs
To verify that a session is using the RDP Shortpath transport:
- Connect to the desktop of the VM using Azure Virtual Desktop client.
- Launch the Event Viewer and navigate to the following node: Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreCDV > Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational
- To determine if RDP Shortpath transport is used, look for event ID 131.
Using Log Analytics to verify Shortpath connectivity
If you are using Azure Log Analytics, you can monitor connections by querying the WVDConnections table. A column named UdpUse indicates whether the Azure Virtual Desktop RDP stack uses the UDP protocol for the current user connection. The possible values are:
- 0 - user connection isn't using RDP Shortpath
- 1 - user connection is using RDP Shortpath
The following query lets you review connection information. You can run it in the Log Analytics query editor. Before running it, replace userupn with the UPN of the user you want to look up.
let Events = WVDConnections | where UserName == "userupn";
Events
| where State == "Connected"
| project CorrelationId, UserName, ResourceAlias, StartTime=TimeGenerated, UdpUse, SessionHostName, SessionHostSxSStackVersion
| join (Events | where State == "Completed" | project EndTime=TimeGenerated, CorrelationId, UdpUse) on CorrelationId
| project StartTime, Duration = EndTime - StartTime, ResourceAlias, UdpUse, SessionHostName, SessionHostSxSStackVersion
| sort by StartTime asc
Verify Shortpath listener
To verify that the UDP listener is enabled, use the following PowerShell command on the session host:
Get-NetUDPEndpoint -OwningProcess ((Get-WmiObject win32_service -Filter "name = 'TermService'").ProcessId) -LocalPort 3390
If enabled, you'll see output like the following:
LocalAddress LocalPort
------------ ---------
::           3390
0.0.0.0      3390
If there is a conflict, you can identify the process occupying the port using the following command:
Get-Process -id (Get-NetUDPEndpoint -LocalPort 3390 -LocalAddress 0.0.0.0).OwningProcess
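As an added read-only check (example code, not from the article or from Microsoft), the function below combines the registry values from the enabling section, the inbound firewall rule, the listener and port-conflict check above, and the event ID 131 test from the event log section into one report. The function name and the result fields are my own; run it in an elevated PowerShell window on the session host.

```powershell
# Added example, not from the original article: a read-only readiness report for a session host.
# Function name and result field names are assumptions of mine.
function Test-RdpShortpathHost {
    param([int]$Port = 3390)

    # 1. Registry values set in "Enabling RDP Shortpath preview"
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $redirectorOn = ($reg.fUseUdpPortRedirector -eq 1)
    $portMatches  = ($reg.UdpPortNumber -eq $Port)

    # 2. Is TermService the process bound to the UDP port? Any other owner is the
    #    port-conflict case from "Verify Shortpath listener".
    $termPid   = (Get-CimInstance Win32_Service -Filter "Name = 'TermService'").ProcessId
    $endpoints = @(Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue)
    $listening = [bool]($endpoints | Where-Object OwningProcess -eq $termPid)
    $conflicts = $endpoints | Where-Object OwningProcess -ne $termPid |
        ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }

    # 3. An enabled inbound Allow rule for UDP/$Port, such as the one created in the firewall section
    $fwRules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'UDP' -and ($pf.LocalPort -contains "$Port")
        })

    # 4. Sessions that actually used Shortpath in the last 24 hours: event ID 131 in the
    #    RdpCoreCDV operational log, as described in "Using event logs"
    $events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational'
        Id        = 131
        StartTime = (Get-Date).AddHours(-24) })

    [pscustomobject]@{
        RedirectorEnabled    = $redirectorOn
        PortConfigured       = $portMatches
        TermServiceListening = $listening
        ConflictingProcess   = ($conflicts -join ',')
        FirewallRule         = ($fwRules.DisplayName -join ',')
        ShortpathEvents24h   = $events.Count
        Ready                = $redirectorOn -and $portMatches -and $listening -and ($fwRules.Count -gt 0)
    }
}

Test-RdpShortpathHost | Format-List
```

Ready is true only when the registry, listener and firewall checks all pass; ShortpathEvents24h stays 0 on a freshly configured host until a client has connected over Shortpath.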
Disabling RDP Shortpath
In some cases, you may need to disable RDP Shortpath transport. You can disable RDP Shortpath by using the group policy.
Disabling RDP Shortpath on the client
To disable RDP Shortpath for a specific client, you can use the following Group Policy setting to disable UDP support:
- On the client, run gpedit.msc.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client.
- Set the “Turn Off UDP On Client” setting to Enabled.
Disabling RDP Shortpath on the session host
To disable RDP Shortpath for a specific session host, you can use the following Group Policy setting to disable UDP support:
- On the session host, run gpedit.msc.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
- Set the “Select RDP Transport Protocols” setting to TCP Only.
Public preview feedback
We'd like to hear from you about your experiences with this public preview!
- For questions, requests, comments, and other feedback, use this feedback form.
- To learn about Azure Virtual Desktop network connectivity, see Understanding Azure Virtual Desktop network connectivity.
- To get started with Quality of Service (QoS) for Azure Virtual Desktop, see Implement Quality of Service (QoS) for Azure Virtual Desktop.