3.4.3.2 Connection Setup Phase

Figure 20: The RDGUDP client server connection
If a DTLS error or a non-DTLS error occurs at any point in the following process, the RDGUDP server ends the connection.

1. The RDGUDP server decrypts the incoming message as follows:
   a. If the DTLS decrypt fails with an error indicating that the DTLS handshake is not complete, the RDGUDP server returns to the DTLS handshake phase.
   b. If the DTLS decrypt fails with an ignorable error, the RDGUDP server ignores the message and waits for another incoming message. For information on ignorable DTLS errors, see [RFC4347].
   c. If the decrypt succeeds and the message is not a CONNECT_PKT (section 2.2.11.3), the RDGUDP server MUST end the connection and skip the remaining processing rules.
2. The RDGUDP server verifies the signature on CONNECT_PKT.authnCookie and then decodes it. For information on how to verify the signature, see section 3.6.4. The signature is verified before any content of the cookie is decoded or used.
3. The RDGUDP server maps the decoded message to the AUTHN_COOKIE_DATA data structure.
4. The RDGUDP server compares AUTHN_COOKIE_DATA.ftExpiryTime with the current time:
   a. If AUTHN_COOKIE_DATA.ftExpiryTime is greater than the current time, the RDGUDP server establishes a connection with the target server as described in [MS-RDPEUDP]. Otherwise, if AUTHN_COOKIE_DATA.ftExpiryTime is less than the current time, the cookie has expired: the RDGUDP server skips steps b and c and sets CONNECT_PKT_RESP.Result to E_ACCESS_DENIED. (The case where the two values are equal is not specified here; a fail-closed implementation treats it as expired.)
   b. While connecting to the target server, the RDGUDP server does not resolve AUTHN_COOKIE_DATA.szServerName again to find the IP address. Instead it SHOULD use AUTHN_COOKIE_DATA.szServerIP, so that the target address is the one carried in the signed cookie rather than the result of a fresh name lookup.
   c. If the connection to the target server succeeds, the RDGUDP server sets CONNECT_PKT_RESP.Result to S_OK; if it fails, the RDGUDP server sets CONNECT_PKT_RESP.Result to E_PROXY_TS_CONNECT_FAILED.
5. The RDGUDP server sends the CONNECT_PKT_RESP to the RDGUDP client.
6. If CONNECT_PKT_RESP.Result is S_OK, the connection state moves to Connected; otherwise, it moves to the Shutdown phase (section 3.4.3.4).
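The decision logic of the steps above, as an added simulation that is not part of the specification or of any Microsoft implementation. It assumes, for illustration only, a simplified AUTHN_COOKIE_DATA layout (uint64 FILETIME expiry followed by two length-prefixed UTF-16LE strings), an HMAC-SHA256 cookie signature in place of the scheme in section 3.6.4, string packet-type tags, a constructed gateway key, an assumed value for E_PROXY_TS_CONNECT_FAILED, and a caller-supplied connect_to_target callback standing in for the [MS-RDPEUDP] connection. DTLS decryption is taken to have already succeeded. What it shows beyond the text: the signature is checked before any field is parsed, an expired cookie never triggers a connection attempt, the target is reached via szServerIP and never by re-resolving szServerName, and the equal-timestamp case is handled fail-closed.

```python
"""Simulation of the RDGUDP connection-setup rules (MS-TSGU 3.4.3.2).

Constructed example: cookie layout, HMAC signing, packet tags and the
E_PROXY_TS_CONNECT_FAILED value are assumptions for illustration, not the
protocol's wire format or its real signature scheme (section 3.6.4).
"""
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# HRESULTs carried in CONNECT_PKT_RESP.Result. S_OK and E_ACCESS_DENIED are the
# standard Windows values; the E_PROXY_TS_CONNECT_FAILED value is assumed here.
S_OK = 0x00000000
E_ACCESS_DENIED = 0x80070005
E_PROXY_TS_CONNECT_FAILED = 0x800759DD

# Packet-type tags for this simulation (assumed; not the spec's encoding).
PKT_CONNECT = "CONNECT_PKT"
PKT_OTHER = "OTHER_PKT"

STATE_CONNECTED = "Connected"
STATE_SHUTDOWN = "Shutdown"
STATE_ENDED = "Ended"  # torn down without sending CONNECT_PKT_RESP

# Constructed gateway signing key; a real gateway uses its own key material.
GATEWAY_KEY = b"example-gateway-signing-key-not-a-real-secret"

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware datetime -> FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def filetime_now():
    return to_filetime(datetime.now(timezone.utc))


def encode_cookie_data(expiry_ft, server_name, server_ip):
    """Serialise the AUTHN_COOKIE_DATA fields used in this phase (assumed layout)."""
    out = struct.pack("<Q", expiry_ft)
    for s in (server_name, server_ip):
        b = s.encode("utf-16-le")
        out += struct.pack("<H", len(b)) + b
    return out


def sign_cookie(data, key=GATEWAY_KEY):
    """authnCookie = data || HMAC-SHA256(key, data)   (signature scheme assumed)."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def verify_and_decode(cookie, key=GATEWAY_KEY):
    """Steps 2-3: verify the signature, then map the payload to AUTHN_COOKIE_DATA.

    Returns a dict, or None on a bad signature or malformed payload. Nothing is
    parsed until the signature has been verified in constant time.
    """
    if len(cookie) < 32:
        return None
    data, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        return None
    try:
        (expiry,) = struct.unpack_from("<Q", data, 0)
        off, strings = 8, []
        for _ in range(2):
            (n,) = struct.unpack_from("<H", data, off)
            off += 2
            strings.append(data[off:off + n].decode("utf-16-le"))
            off += n
        if off != len(data):
            return None
    except (struct.error, UnicodeDecodeError):
        return None
    return {"ftExpiryTime": expiry, "szServerName": strings[0], "szServerIP": strings[1]}


def process_connect(pkt_type, cookie, now_ft, connect_to_target, key=GATEWAY_KEY):
    """Apply the connection-setup rules to one decrypted message.

    connect_to_target(server_ip) -> bool stands in for the [MS-RDPEUDP] connection.
    Returns (result, next_state); result is None when the connection is ended
    without a CONNECT_PKT_RESP.
    """
    if pkt_type != PKT_CONNECT:            # step 1c
        return None, STATE_ENDED
    fields = verify_and_decode(cookie, key)  # steps 2-3; bad signature = non-DTLS error
    if fields is None:
        return None, STATE_ENDED
    # Step 4a. Equality is unspecified on the page; treat it as expired (fail closed).
    if fields["ftExpiryTime"] > now_ft:
        ok = connect_to_target(fields["szServerIP"])  # step 4b: szServerIP, no re-resolution
        result = S_OK if ok else E_PROXY_TS_CONNECT_FAILED  # step 4c
    else:
        result = E_ACCESS_DENIED
    # Steps 5-6: CONNECT_PKT_RESP is sent, then the state moves.
    return result, (STATE_CONNECTED if result == S_OK else STATE_SHUTDOWN)
```

The callback receives only szServerIP, so a caller cannot accidentally re-resolve szServerName; a forged or tampered cookie is rejected before any of its fields are read, and an expired one produces E_ACCESS_DENIED without the callback ever being invoked.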