RDP Shortpath for Azure Virtual Desktop

Connections to Azure Virtual Desktop use Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). RDP Shortpath is a feature of Azure Virtual Desktop that establishes a direct UDP-based transport between a supported Windows Remote Desktop client and session host. Remote Desktop Protocol (RDP) by default uses a TCP-based reverse connect transport as it provides the best compatibility with various networking configurations and has a high success rate for establishing RDP connections. However, if RDP Shortpath can be used instead, this UDP-based transport offers better connection reliability and more consistent latency.

RDP Shortpath can be used in two ways:

  • Managed networks, where direct connectivity is established between the client and the session host when using a private connection, such as a virtual private network (VPN).

  • Public networks, where direct connectivity is established between the client and the session host through a NAT gateway, provided as part of the Azure Desktop service, when using a public connection.

The transport used for RDP Shortpath is based on the Universal Rate Control Protocol (URCP). URCP enhances UDP with active monitoring of the network conditions and provides fair and full link utilization. URCP operates at low delay and loss levels as needed.

Key benefits

Using RDP Shortpath has the following key benefits:

  • Using URCP to enhance UDP achieves the best performance by dynamically learning network parameters and providing the protocol with a rate control mechanism.
  • The removal of extra relay points reduces round-trip time, which improves connection reliability and user experience with latency-sensitive applications and input methods.
  • In addition, for managed networks:
    • RDP Shortpath brings support for configuring Quality of Service (QoS) priority for RDP connections through Differentiated Services Code Point (DSCP) marks.
    • The RDP Shortpath transport allows limiting outbound network traffic by specifying a throttle rate for each session.

How RDP Shortpath works

To learn how RDP Shortpath works for managed networks and public networks, select each of the following tabs.

You can achieve the direct line of sight connectivity required to use RDP Shortpath with managed networks using the following methods. Having direct line of sight connectivity means that the client can connect directly to the session host without being blocked by firewalls.

Note

  • If you're using other VPN types to connect to Azure, we recommend using a UDP-based VPN. While most TCP-based VPN solutions support nested UDP, they add inherited overhead of TCP congestion control, which slows down RDP performance.

To use RDP Shortpath for managed networks, you must enable a UDP listener on your session hosts. By default, port 3390 is used, although you can use a different port.

The following diagram gives a high-level overview of the network connections when using RDP Shortpath for managed networks and session hosts joined to an Active Directory domain.

Diagram of network connections when using RDP Shortpath for managed networks.

Connection sequence

All connections begin by establishing a TCP-based reverse connect transport over the Azure Virtual Desktop Gateway. Then, the client and session host establish the initial RDP transport, and start exchanging their capabilities. These capabilities are negotiated using the following process:

  1. The session host sends the list of its IPv4 and IPv6 addresses to the client.

  2. The client starts the background thread to establish a parallel UDP-based transport directly to one of the session host's IP addresses.

  3. While the client is probing the provided IP addresses, it continues to establish the initial connection over the reverse connect transport to ensure there's no delay in the user connection.

  4. If the client has a direct connection to the session host, the client establishes a secure TLS connection.

  5. After establishing the RDP Shortpath transport, all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection, are moved to the new transport. However, if a firewall or network topology prevents the client from establishing direct UDP connectivity, RDP continues with a reverse connect transport.

If your users have both RDP Shortpath for managed network and public networks available to them, then the first algorithm found will be used. Whichever connection gets established first is what the user will use for that session.

Connection security

RDP Shortpath extends RDP multi-transport capabilities. It doesn't replace the reverse connect transport but complements it. Initial session brokering is managed through the Azure Virtual Desktop service and the reverse connect transport. All connection attempts are ignored unless they match the reverse connect session first. RDP Shortpath is established after authentication, and if successfully established, the reverse connect transport is dropped and all traffic flows over the RDP Shortpath.

The port used for each RDP session depends on whether RDP Shortpath is being used for managed networks or public networks:

  • Managed networks: only the specified UDP port (3390 by default) will be used for incoming RDP Shortpath traffic.

  • Public networks: each RDP session uses a dynamically assigned UDP port from an ephemeral port range (49152–65535 by default) that accepts the RDP Shortpath traffic. You can also use a smaller, predictable port range. For more information, see Limit the port range used by clients for public networks.

RDP Shortpath uses a TLS connection between the client and the session host using the session host's certificates. By default, the certificate used for RDP encryption is self-generated by the operating system during the deployment. RDP Shortpath uses a TLS connection between the client and the session host using the session host's certificates. By default, the certificate used for RDP encryption is self-generated by the operating system during the deployment. You can also deploy centrally managed certificates issued by an enterprise certification authority. For more information about certificate configurations, see Remote Desktop listener certificate configurations.

Note

The security offered by RDP Shortpath is the same as that offered by reverse connect transport.

Next steps