BLOG Published on 2022/12/03 by Woshada Dassanayake in Tech-Tips

RDP Shortpath for AVD

RDP Shortpath configures your session hosts to establish a direct connection between the RDP client and AVD session host servers using UDP. By default, AVD uses a TCP-based Reverse Connect when it connects to the end-user client. With a few simple steps, you can enable RDP Shortpath on your session hosts. In this post, I discuss the architecture of RDP Shortpath, how to enable it, and how to monitor the difference compared to TCP Reverse Connect.

TCP Reverse Connect to UDP Direct connect.

AVD uses the RDP protocol to carry remote display and input between the client and the session host. RDP has evolved continuously since its first release with Windows NT. Azure Virtual Desktop uses Reverse Connect to establish the connection with the client over RDP. Conventional on-premises RDS solutions use TCP listeners to receive incoming RDP connections. AVD, however, uses outbound connectivity to the gateway and broker services. Each AVD session host has an agent called remote desktop loader service, which establishes a persistent outbound connection to the broker over TLS to orchestrate a connection to the RDP client.

RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and a session host. Since it’s based on UDP, it offers better connection reliability and more consistent latency. Also, RDP Shortpath establishes a direct connection between the client and the session host, avoiding AVD gateways. This will improve overall connection reliability and increase the bandwidth.

There are two ways to enable RDP Shortpath:

  • RDP Shortpath for private networks
    When enabled for private networks, it creates a direct connection from the RDP client to the session host over the private network. If the client is connecting from an on-premises RDS host, it will use ExpressRoute or a site-to-site VPN. In this scenario the network is trusted and the connection is not a Reverse Connect: it goes from the RDP client to the AVD session host. So, you need to open incoming UDP traffic to the VM.



  • RDP Shortpath for public networks
    When enabled for public networks, it uses the same Reverse Connect concept over UDP and creates a direct connection from the session host to the RDP client. In AVD, your session hosts reside in a private network; they don’t have a public IP address assigned. When a Reverse Connect is established over the public internet, it needs source Network Address Translation (SNAT) for the return traffic to reach the session host. This relies on the Azure Virtual Desktop STUN server on the public internet, and communication with it is done by sending a small UDP packet to port 3478.


Enable RDP Shortpath over the public networks

Network configurations

As I mentioned before, RDP Shortpath over public networks uses Reverse Connect over UDP, so you don’t need to open anything to the session host network. However, if your VM resides behind a firewall, you need to open the following port for outbound connections.

Each RDP client needs the below outbound access



Enable RDP Shortpath for public networks

RDP Shortpath for public networks can be enabled with a simple configuration change. You can set this up using a registry key, AD DS Group Policy, local policy, or an Intune device policy.

Registry key

You need to add this registry key to the session host.

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" /v ICEControl /t REG_DWORD /d 2 /f


This can be automated using a Group policy, or you can add this registry change to the golden image.

After adding the registry change, restart the target host. Click the connection properties, and you can see that UDP is enabled and that round-trip latency is reduced compared to TCP communication.


RDP Shortpath is rolling out for general availability, which means it will be enabled by default on your AVD environment. While it is rolling out, it may still be necessary to configure a registry value to enable RDP Shortpath for public networks.

Hope this post is useful.


Woshada Dassanayake

Technical Lead in Cloud Infrastructure and Operations

Expert in Cloud platform operations, Cloud hosting and Network operations.

Copyright © 2024 Terminalworks. All Rights Reserved