RDP Shortpath and Multipath
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering RDP Shortpath and Multipath for Azure Virtual Desktop
Introduction: The Architecture of Performance
When we talk about Azure Virtual Desktop (AVD), the user experience is almost entirely defined by the quality of the connection between the client device and the virtual machine. For years, the standard approach involved routing all Remote Desktop Protocol (RDP) traffic through the Azure Gateway service. While reliable, this "middleman" approach introduces latency, as every packet must travel from the user to the gateway, and then to the session host. In a world where high-definition video, real-time collaboration, and complex graphical applications are the norm, this extra hop often feels like a bottleneck.
RDP Shortpath is the architectural solution to this problem. It allows the RDP connection to establish a direct path between the client and the session host, bypassing the gateway once the initial connection is authenticated. By creating a direct User Datagram Protocol (UDP) stream, Shortpath significantly reduces latency, decreases the load on the Azure Gateways, and improves the overall fluidity of the desktop session. Understanding how to plan, implement, and troubleshoot RDP Shortpath is not just a technical exercise; it is the single most effective way to ensure your end users feel like they are working on a local machine rather than a distant server.
In this lesson, we will dissect the mechanics of RDP Shortpath, explore the nuances of Multipath, and provide a clear roadmap for implementing these technologies in your production environment.
Understanding the Mechanics: How RDP Shortpath Works
To appreciate RDP Shortpath, we must first understand the standard RDP flow. Under normal conditions, AVD uses a TCP-based connection that is proxied through the Azure Gateway. The gateway handles the heavy lifting of authentication and session brokering. Once the session is established, all input and output data—keyboard strokes, mouse movements, and screen updates—travel over this TCP tunnel.
RDP Shortpath changes the game by introducing a secondary transport layer. When a client connects, it attempts to discover a direct path to the session host. If the network configuration allows it, the client and the host negotiate a direct UDP connection. This direct path exists alongside the existing TCP connection. If the UDP path experiences packet loss or becomes unavailable, the session automatically falls back to the TCP path without the user ever noticing a disconnection.
The Three Pillars of Connectivity
RDP Shortpath is not a single feature, but rather a set of transport capabilities. It is important to distinguish between them as they apply to different network architectures:
- RDP Shortpath for Managed Networks: This is designed for scenarios where the client device has a direct line of sight to the session host, such as a user working from a corporate office connected via ExpressRoute or a Site-to-Site VPN.
- RDP Shortpath for Public Networks: This is the most common use case for remote workers. It uses Interactive Connectivity Establishment (ICE) to negotiate a path through NAT (Network Address Translation) and firewalls, allowing a direct connection over the public internet.
- Multipath: This allows the RDP session to utilize multiple transport paths simultaneously. If one path is faster or more stable, the protocol intelligently routes the traffic to ensure the best possible performance.
Callout: The Role of UDP vs. TCP TCP (Transmission Control Protocol) is designed for reliability. It ensures every packet arrives in order, but the "acknowledgment" process creates overhead that manifests as latency. UDP (User Datagram Protocol) is designed for speed. It sends packets without waiting for confirmation of receipt. For real-time applications like desktop remoting, UDP is superior because a slightly dropped frame is better than a "frozen" screen waiting for a retransmission.
Planning Your Network Infrastructure
Before you flip the switch on RDP Shortpath, you must evaluate your network security posture. Because Shortpath relies on direct communication, you need to ensure that your firewalls and network security groups (NSGs) are configured to permit this traffic.
Prerequisites for Success
- UDP Ports: You must open the UDP port range 3390 on your session hosts' NSGs. This is the heartbeat of the Shortpath connection.
- Public IP or NAT: For public network connectivity, the session host must be reachable, or the client must be able to initiate an outbound connection that the session host can respond to through a STUN (Session Traversal Utilities for NAT) server.
- Client Compatibility: Ensure your users are running a supported version of the Windows Remote Desktop client. Legacy clients or web-based clients may not support the full Shortpath feature set.
- Azure Firewall/NVAs: If you use Azure Firewall or third-party Network Virtual Appliances, you must ensure that they are not performing deep packet inspection on RDP traffic, as this will break the encryption and cause the connection to fail.
Implementing RDP Shortpath for Public Networks
Implementing Shortpath for users connecting over the internet is the most common requirement. This implementation relies on the STUN protocol, which helps the client and the host "find" each other despite being behind routers and firewalls.
Step-by-Step Configuration
- Verify Host Pool Requirements: Ensure your host pool is set to "Pooled" or "Personal" and that you have enabled "RDP Shortpath" in the host pool properties via the Azure Portal or PowerShell.
- Update NSGs: Locate the Network Security Group associated with your session host subnet. Add an inbound security rule.
- Source: Any
- Destination Port Range: 3390
- Protocol: UDP
- Action: Allow
- Enable STUN/TURN: In most modern AVD deployments, this is enabled by default. If you are using a strictly locked-down environment, verify that your session hosts can reach the Microsoft STUN server endpoints.
- Group Policy Configuration: You may need to apply a Group Policy Object (GPO) to your session hosts to force the use of UDP. While the system usually negotiates this automatically, a GPO ensures consistency across your fleet.
Example: PowerShell Configuration
You can use the Az module in PowerShell to enable Shortpath for your host pool. This is often faster than clicking through the portal.
# Connect to your Azure account
Connect-AzAccount
# Update the host pool to enable RDP Shortpath
Update-AzWvdHostPool -ResourceGroupName "YourResourceGroup" `
-Name "YourHostPoolName" `
-PublicNetworkAccess Enabled `
-RdpProperty "enablerdpshortpath:i:1;"
# Note: The 'enablerdpshortpath:i:1' property is the key to activating the feature.
Warning: Security Considerations Opening port 3390 (UDP) might seem like a security risk, but keep in mind that RDP Shortpath still requires the initial authentication via the Azure Gateway. Even if a bad actor scans port 3390 on your session host, they cannot access the desktop without the encrypted session token provided by the AVD service.
Understanding Multipath
Multipath is the next evolution of transport stability. In a standard Shortpath setup, the system chooses the "best" path. With Multipath, the system can utilize both the reliable TCP path (through the gateway) and the high-speed UDP path (direct) simultaneously.
Why would you want this? Imagine a user on a home Wi-Fi connection that experiences occasional jitter. If the connection relies solely on UDP, a sudden spike in congestion could cause the session to stutter. With Multipath, the RDP protocol can intelligently send critical control data over the stable TCP path while sending the bandwidth-heavy display data over the UDP path. This hybrid approach provides the best of both worlds: the responsiveness of direct UDP and the reliability of TCP.
Implementing Multipath
Multipath is largely handled by the RDP client and the session host automatically once RDP Shortpath is enabled. However, you can influence its behavior via the RDP properties of your host pool.
- Transport Order: You can specify whether the client should prefer UDP or TCP as the primary transport.
- Bandwidth Estimation: The client continuously monitors the round-trip time (RTT) and packet loss on both paths. If the UDP path degrades significantly, the client will automatically shift more traffic to the TCP path.
Best Practices for Production Environments
Implementing these technologies is not a "set it and forget it" task. To maintain a high-quality experience, follow these industry-standard recommendations:
- Monitor Latency: Use Azure Monitor and Log Analytics to track the RDP transport type for your users. You can query the
WVDConnectionstable to see which sessions are using "UDP" (Shortpath) versus "TCP" (Gateway). - Avoid Double-NAT: If your session hosts are behind a complex chain of NAT devices, the STUN negotiation may fail. Try to keep your session host networking as flat as possible.
- Optimize for Wi-Fi: Many users work from home on Wi-Fi. Encourage the use of 5GHz bands, as 2.4GHz is notoriously susceptible to interference, which can cause UDP packets to drop and negate the benefits of Shortpath.
- Test with Real-World Conditions: Use tools that simulate packet loss and latency (such as network emulators) to see how your AVD session behaves when the network is not perfect.
- Keep Clients Updated: Since the intelligence for path negotiation lives on the client, ensure your users are prompted to update their Remote Desktop client regularly.
Common Pitfalls and Troubleshooting
Even with a perfect configuration, things can go wrong. Here are the most common issues administrators face and how to address them.
Pitfall 1: The "Everything is TCP" Problem
If you check your connection information and see that every user is connecting via TCP, your UDP path is likely blocked.
- Solution: Check the NSGs again. Are there any "Deny" rules that might be overriding your "Allow" rule? Is there a local firewall on the VM image itself (e.g., Windows Firewall) that is blocking UDP 3390?
Pitfall 2: Asymmetric Routing
In complex hub-and-spoke network architectures, traffic might leave the session host via one path and attempt to return via another. This causes firewalls to drop the traffic because the stateful inspection sees an "out-of-order" packet.
- Solution: Ensure that your return traffic is symmetric, especially if you are using ExpressRoute or complex VPN tunnels.
Pitfall 3: STUN Failure
If your session hosts are in an isolated subnet with no egress to the public internet, STUN will fail.
- Solution: While you don't necessarily need a public IP on the VM, the VM must be able to reach the Microsoft STUN endpoints. Review your egress filtering rules.
Note: Troubleshooting Command Within an active AVD session, you can open the "Connection Information" dialog by clicking the connection bar at the top of the screen. Look for the "Transport" field. If it says "UDP," you are successfully using Shortpath. If it says "TCP," you are falling back to the gateway.
Comparison: Connection Methods
| Feature | Standard RDP (Gateway) | RDP Shortpath (Managed) | RDP Shortpath (Public) |
|---|---|---|---|
| Path | Proxied (Gateway) | Direct (Internal) | Direct (via STUN/NAT) |
| Protocol | TCP | UDP | UDP |
| Performance | Moderate | Excellent | Excellent |
| Complexity | Low | Low | Medium |
| Requirement | None | ExpressRoute/VPN | STUN/NAT Traversal |
Detailed Configuration Example: GPO Settings
While you can manage RDP properties via the Azure Portal, Group Policy Objects (GPOs) are essential for managing settings at scale. To ensure that your session hosts prioritize the correct transport, you can configure the following policy:
Path: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
Setting: Select network transport protocols for Remote Desktop
- Set this to "Use both UDP and TCP".
- This ensures that the system doesn't accidentally disable UDP, which would force the session to use the slower TCP-only path.
Setting: Configure RDP transport protocol
- While not always required, you can explicitly enable UDP here to ensure the policy is enforced across all domain-joined machines.
Scaling and Performance Considerations
As your AVD environment grows, the impact of RDP Shortpath becomes more pronounced. In a scenario with 500 concurrent users, routing all traffic through the Azure Gateway adds significant overhead to your gateway infrastructure. By shifting the bulk of this traffic to direct paths, you reduce the CPU and memory utilization on your gateway VMs, potentially allowing you to support more users per gateway or reducing the need to scale the gateway tier.
However, keep in mind that Shortpath does not reduce the actual bandwidth consumption. In fact, because UDP is more responsive, users may perceive the session as "faster" and interact with it more aggressively, which can actually increase the total volume of data transmitted. Ensure your network bandwidth is sufficient to handle the peak load, especially if your users are working with high-resolution graphics or video content.
Advanced Scenario: The "Double-Hop" Problem
Some organizations use a "jump box" or a secondary firewall layer. If you are implementing a strict "Zero Trust" model, you might be tempted to terminate all connections at a security appliance. Be aware that terminating RDP traffic at an appliance will strip away the benefits of Shortpath. If you must inspect traffic, ensure your security appliance is "RDP-aware" and supports UDP flow management. If the appliance treats the UDP stream as generic noise, it will likely drop the packets, leading to a degraded user experience.
Best Practices for Security Auditing
When implementing direct paths, your security team might raise concerns about opening ports to the internet. Address these concerns by:
- Logging: Ensure that your NSG flow logs are enabled. You can use these logs to audit which IP addresses are connecting to your session hosts via UDP.
- Conditional Access: Continue to enforce strict Conditional Access policies for AVD. Shortpath only handles the transport; it does not bypass the authentication or authorization requirements.
- Host Hardening: Since the session hosts are now potentially reachable via a direct UDP path, ensure they are hardened according to CIS benchmarks. Disable unnecessary services and ensure that the only open port is 3390.
Summary: A Checklist for Implementation
To wrap up, here is a concise checklist to guide your implementation of RDP Shortpath and Multipath:
- Review Network Topology: Ensure your NSGs permit UDP 3390.
- Verify STUN/TURN Connectivity: Confirm that session hosts can reach Microsoft STUN endpoints.
- Configure Host Pools: Set the
enablerdpshortpathproperty to1. - Update Clients: Ensure all users are on the latest Windows Desktop Client.
- Monitor: Use Log Analytics to verify that "UDP" is the dominant transport type.
- Test: Verify the connection info in the client while on a remote network.
- Refine: Adjust GPOs if necessary to ensure consistent transport behavior.
Key Takeaways
- Latency is the Enemy: The primary goal of RDP Shortpath is to minimize latency by creating a direct, UDP-based path between the user and the virtual desktop, bypassing the Azure Gateway.
- UDP is Essential: Unlike traditional web traffic, RDP benefits significantly from the lightweight nature of UDP, which allows for faster screen updates and smoother input handling.
- Multipath Provides Stability: By using both TCP and UDP simultaneously, Multipath ensures that the connection remains stable even when network conditions fluctuate.
- Security is Not Compromised: Shortpath does not bypass authentication. All traffic remains encrypted, and the initial connection must still pass through the AVD gateway service.
- Configuration Matters: Success depends on correct NSG configuration, proper host pool properties, and ensuring that network appliances do not interfere with the UDP stream.
- Monitoring is Mandatory: Without proper logging and monitoring, you will not know if your users are actually utilizing the Shortpath feature or falling back to the slower TCP gateway path.
- Client-Side Intelligence: Much of the heavy lifting for path negotiation happens on the client device; keeping client software updated is critical for long-term performance and compatibility.
By following these guidelines, you can transform your AVD deployment from a functional remote desktop solution into a high-performance experience that rivals local hardware. The combination of RDP Shortpath and Multipath is the foundation of a modern, responsive virtual desktop infrastructure.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons