by Niels Kok
This is my take on RDP Shortpath for WVD. In this blogpost I will discuss the pro’s and cons of using this feature. Furthermore, I will talk about the configuration needed and the architecture involved. You can find the configuration below. I will first talk about the architecture and the pro’s and cons. I will then show how I configured this in my test environment.
Architecture
Firstly, the architecture. This is architecture overview from the Microsoft Docs:
The architecture overview shows that it is now possible to connect to your WVD hostpools directly. You can do this is in a number of ways:
- Public IP assignment to your sessionhost (not recommended)
- Via Site to Site VPN
- Via Point to Site VPN
- Express Route
In addition, if you don’t use a solution based on the above this could result in worse performance then without RDP ShortPath.
Furthermore, it is worth noting that this is not a solution which creates a private endpoint for your VM’s. You still connect via the public endpoint for WVD in the microsoft cloud. When you log on using the Remote Desktop client detects that, if configured, that there a “ShortPath” available. Then the client switches over to the UDP connection. For example:
In addition, when the “ShortPath” is not available the Remote Desktop client automatically switches back to the public endpoint connection. This is the connection information for a normal connection:
You can see that the same gateway is used when connected via ShortPath and connected via the “normal” connection.
Pro’s & Cons
The pro’s of the solution are:
- You are now able to fully control the connection to your WVD Sessionhost. Furthermore, you can apply QoS (Quality of Service) to the whole route to your sessionhosts.
- There is more bandwidth available between the clients and the sessionhosts. This results in faster transfer times when copying files from and to the sessionhosts.
- UDP is a protocol with less overhead, as a result, this could lead a much smoother experience for the end users.
The con’s of the solution are:
- All the traffic now routes via the S2S VPN, Express Route or P2S VPN. This could lead to much higher costs. For example: You have Microsoft Teams offloading configured. Which offloads the rendering tasks for Microsoft Teams to the local clients. This takes about 1 Mbit/s of a bandwidth, this does not seem to be much… but if 500 users are doing this at the same time you could be looking at an upgrade for networking solution. This does not even take other applications in to account.
- The Remote Desktop application decides whether Shortpath is being used or not. You can not control this. The application detects the best route and applies it if it thinks it is better.
- RDP ShortPath is only available in the Remote Desktop Client.
Configuration
I have configured RDP ShortPath for WVD like this in my own testing environment:
The green connection represents the ShortPath connection and the red connection represents the normal connection via the public endpoint for WVD from Microsoft.
My “WVD Development” sessionhosts have RDP Shortpath configured and the “WVD Test” sessionhosts do not.
Configuring RDP ShortPath for WVD is fairly easy. Only the sessionhosts need to be configured. There is nothing to be done in the Azure Portal. Microsoft has provided scripts to implement this. You need to configure 2 things.
- Configure 2 registry keys. These enable UDP to be used for the Remote Desktop connection.
- After that you configure the Windows Defender Firewall on the session host to allow the 3390 UDP connection.
This is the script to configure the registry keys:
$WinstationsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations' New-ItemProperty -Path $WinstationsKey -Name 'fUseUdpPortRedirector' -ErrorAction:SilentlyContinue -PropertyType:dword -Value 1 -Force New-ItemProperty -Path $WinstationsKey -Name 'UdpPortNumber' -ErrorAction:SilentlyContinue -PropertyType:dword -Value 3390 -Force
And this is the script Microsoft made available to configure the Windows Defender Firewall:
New-NetFirewallRule -DisplayName 'Remote Desktop - Shortpath (UDP-In)' -Action Allow -Description 'Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3390]' -Group '@FirewallAPI.dll,-28752' -Name 'RemoteDesktop-UserMode-In-Shortpath-UDP' -PolicyStore PersistentStore -Profile Domain, Private -Service TermService -Protocol udp -LocalPort 3390 -Program '%SystemRoot%\system32\svchost.exe' -Enabled:True
You can also configure this via Group Policy within Active Directory. I personally would put configuration like this in the WVD image so you don’t get a lot of overhead on the configuration. This is fairly easy to integrate in to your image creation process.
References
Microsoft Doc about RDP ShortPath
More Posts about WVD and Azure DevOps:
Automated Bitlocker Encryption on your Session Hosts via Azure DevOps
OneDrive Machine Install Script
