Great job as always. Few things to note: 1) There are many new PaaS gateway services recently added to Azure for WVD w/ more regions on the roadmap, so the latency will be minimalized via gateway transversal, meaning, delivering a good UX does not have a hard requirement to use short path 2) UDP best optimizes the delivery of real-time audio/video content where TCP’s reliability checking and retransmitting can be extraneous (ideal UDP scenarios: server-side rendered video, in-band VoIP, graphics intensive apps like CAD) 3) media optimization for Teams does not require nor benefit from RDP short path and UDP as AV content is from client-to-client out of band from the RDP display protocol
Love this, customers are asking for how to use ER in WVD, I always said there is no need to do that because of reverse connection. But now they can utilize their existing ER circuit. Looking forward to Denny DevOps episode 3.
Thanks…then, here is a fun comment for you. Thanks for taking the RDP ShortPath with me, Please share the video with others and subscribe and take all the short paths to Azure 😉🤪
Thank you for this awesome video! I am not a network specialist ;-) I wonder what additional costs are there for my Site2Site VPN? Is there any outbound traffic from the VPN?
Dean, I was revisiting this episode and I have a question. I understand that Windows Virtual Desktop uses the Azure Traffic Manager, which checks the location of the user's DNS server to find the nearest Windows Virtual Desktop service instance. But I really want to know what exactly all available WVD Service Locations are. The specific scenario is I have a customer who wants to manually register Host Pools in Azure China(completely separated environment from Global Azure, but it now has Win 10 multisession images available) to WVD Azure Global Service, I successfully tested it, but the latency is around 150ms, I wonder if there is any WVD Services in East Asia(HK), I also wonder if I can decrease the latency by enabling RDP Shortcut + VPN/ER. Apart from the latency, any potential risks you can think of? I also wonder, if this scenario works, how about Azure Stack, what if I deploy Win 10 multi-session(technically) in Azure Stack, then register them into WVD manually. Sorry that I think too much on this. Thanks.
Lots of things here...WVD doesn’t use traffic manager...Azure Front Door is in front of the WVD PaaS Service, but yes the service geolocation works that way. There are 2 parts to the WVD Service latency 1. Is talking to the WVD gateway and the other is connecting to the session host. With RDP ShortPath you do not connect to the gateway...but the client connects directly to the session host VM...so YES this would be reduced latency. Finally YES WVD can work on Azure Stack o the WVD service...not sure if RDP ShortPath works with Azure Stack.
Hello Dean,thanks for your video it made me to better understand RDP shortpath I am missing one point here ,if we go with RDP shortpath client will get connection to session host directly. So are we skipping the RD Gateway component (core components of AVD)?. Directly connects using ER ?
IF you had a NSG it would depend how restrictive it was. If you had a rule that blocked everything except what you explicitly allow the it would not work at all
Hi Dean, Great video. I have implemented several times from within my Azure network and I have a DC in the cloud. Is my assumption correct that RDP Short Path will only work in a hybrid environment? After implementing in my DEV environment. I still get TCP only.
RDP ShortPath will work over your internal private network including any client vpn that you have and reverse connect will still work over the public internet
@AzureAcademy , i have the shortpath set correctly , but when i Connect to the public network its redirecting to the web instead of the RDP shortpath. How can i revert this coz i want to use shortpath not the web.
I'm trying to grasp the UDP port 3390 inbound connection at the client side; imagine that a user is at this home behind a regular home-grade (NAT) router, should it then have port forwarding configured for udp/3390, and if so how does that work if there are several users using WVD? (but maybe I missed the point in the video)
RDPShort path is a WVD session host feature that accepts UDP and a direct connection from the client when on a private network. You only need to open ports for UDP is something is blocking it, but in general home connections allow all outbound traffic, so no action needed...normally.
Hey Dean! First of all thanks :) is that official supported? Do you think we can see something less manual configuration and more automatic? The last question you talk about bandwidth... If I correct understanding you tell that with udp you use more bandwidth... Is that true or I don't understand? Sorry for all question 😭
RDP ShortPath is in public preview today. So not production supported but if you have any issues or feedback etc, the product group would love to hear it! My comments about bandwidth were to start you thinking. If you have for example 2000 users on you Azure point to site VPN to a single gateway...is the gateway of a high enough SKU to support the load, or if the users are in a remote office...and they all have dual 4K monitors and want to use GPU powered VMs for CAD work but are on a satellite internet connection... using RDP ShortPath may put more of a bottleneck on those then reverse connect
The gateway isn’t exactly skipped with RDP short path. It’s still necessary to establish a connection for the session host. RDP, short path bypasses the gateway in the session host connection as the last step of the process.
Wonderful Video, but i have to ask since this is new to me. Why would i need to do this? My users today use "regular" tcp and i even checked the infograph on rdp it said 40ms and 5mb/s, which normaly is bad. But i dont notice any performance issues at all? Is it on heavier workloads its more noticible?
Thanks Zurelia! Great question. Latency and Bandwidth are something to consider, but one of the biggest reasons for RDP ShortPath is to keep all the data of the user session on my private network, and off the public internet, which reverse connect does.
Hello Dean thank you so much for sharing this video! So does RDP short path falls back to TCP 443 if UDP 3390 is not available? So I can only allow RDP short path for the connections from the corporate location meanwhile users working from home will continue using TCP 443 reverse connection?
Correct, if they are on your private network they will use RDP ShortPath in that includes your VPN even point to site or client VPN. If they are over the public Internet they will use reverse connect
What does WVD RDP Shortpath do if the client where the RDP App runs on is not on the S2S VPN / Express Route? For example the client PC is at home. Does It switch to the normal mechanism?
If you are at home running on your VPN you are effectively on your corporate network so RDP ShortPath would function if you are at a coffee shop not on a VPN then you would be using reverse connect
I've implemented this a few days ago and it works fine .. sometimes :( I'm getting mixed results, one time it connects using UDP, logout and login (same source computer and same destination WVD) and then it's on TCP. Any thoughts on this?
@@AzureAcademy It took some time (other things got a bit in the way). But after checking everything over 5 times your description in the video and through MS docs (docs.microsoft.com/en-us/azure/virtual-desktop/shortpath) it's still not working. The only thing I could find was using the PowerShell cmd to check the UDP listener (Get-NetUDPEndpoint -OwningProcess ((Get-WmiObject win32_service -Filter "name = 'TermService'").ProcessId) -LocalPort 3390) And the result of that is the following : Get-NetUDPEndpoint : No matching MSFT_NetUDPEndpoint objects found by CIM query for instances of the ROOT/StandardCimv2 /MSFT_NetUDPEndpoint class on the CIM server: SELECT * FROM MSFT_NetUDPEndpoint WHERE ((LocalPort = 3390)) AND ((Owni ngProcess = 1072)). Verify query parameters and retry. At line:1 char:1 + Get-NetUDPEndpoint -OwningProcess ((Get-WmiObject win32_service -Filt ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (MSFT_NetUDPEndpoint:String) [Get-NetUDPEndpoint], CimJobException + FullyQualifiedErrorId : CmdletizationQuery_NotFound,Get-NetUDPEndpoint Just using Get-NetUDPEndpoint results in : LocalAddress LocalPort ------------ --------- :: 65501 ::1 54018 fe80::1002:9bed:267d:ab9f%2 54017 :: 5355 ::1 5353 :: 5353 :: 3389 fe80::1002:9bed:267d:ab9f%2 1900 ::1 1900 :: 123 0.0.0.0 65500 127.0.0.1 63400 127.0.0.1 62069 127.0.0.1 61580 127.0.0.1 61578 127.0.0.1 61394 127.0.0.1 60755 127.0.0.1 54104 127.0.0.1 54020 192.168.10.9 54019 127.0.0.1 52331 127.0.0.1 52138 0.0.0.0 49550 127.0.0.1 49495 192.168.10.9 49246 0.0.0.0 5355 192.168.10.9 5353 0.0.0.0 5353 0.0.0.0 3389 192.168.10.9 1900 127.0.0.1 1900 192.168.10.9 138 192.168.10.9 137 0.0.0.0 123 I'm lost and have given up also knowing it's a preview so maybe later it will be solved. TCP works fine, UDP would be the cherry on the cake.
sorry to hear you have run into so many issues Patrick. Did you try setting the reg key directly or the GPO, Also verify that those settings are present? Also do you have a NSG or firewall that needs to have UDP 3390 open?
How does Short Path handle if you have users both inside and outside the corporate network. will still use 443 reverse connection for those that do not have line of site via Express Route?
I struggled/failed to get it working, tried creating brand new VM, still TCP only. When setting the firewall the error is : "Windows services have been restricted with rules that allow expected behaviour only. Rules that specify host processes such as svchost.exe, might not work as expected because they can conflict with Windows service-hardening rules". I tried disabling firewalls completely - still only got TCP I set UdpPortNumber to 3390 (decimal): ( Could you give me a pointer where to look to sort out...? Many Thanks
@@AzureAcademy I did permit UDP port 3390 in VM firewall and same in Azure console. In the end I disabled the firewall completely on VM and I got UDP. Not ideal - but fine for my testing.. Thanks
My users have a basic vpn gateway, and they are complaining that opening office applications/submitting files in outlook takes a while, would this solution help them?
RDP ShortPath would give them a “more direct” connection path to WVD. But as for if the VPN has enough bandwidth for your users...that depends on what they are doing and how much bandwidth you have.
no, not exactly. RDP Shortpath is more about connection from the user to the VM, not the user in the session getting to an internet service like Office 365. Remember the Shortpath allows you to bypass the WVD Internet gateway service to the Session Hosts you get to connect directly to them. ..hope this helps.
Great job as always. Few things to note: 1) There are many new PaaS gateway services recently added to Azure for WVD w/ more regions on the roadmap, so the latency will be minimalized via gateway transversal, meaning, delivering a good UX does not have a hard requirement to use short path 2) UDP best optimizes the delivery of real-time audio/video content where TCP’s reliability checking and retransmitting can be extraneous (ideal UDP scenarios: server-side rendered video, in-band VoIP, graphics intensive apps like CAD) 3) media optimization for Teams does not require nor benefit from RDP short path and UDP as AV content is from client-to-client out of band from the RDP display protocol
👍👍
Love this, customers are asking for how to use ER in WVD, I always said there is no need to do that because of reverse connection. But now they can utilize their existing ER circuit. Looking forward to Denny DevOps episode 3.
Cool...what do you want to see Denny cover?
This is great!! and love to read Q&A comments with your reply. Thank you
Thanks…then, here is a fun comment for you.
Thanks for taking the RDP ShortPath with me, Please share the video with others and subscribe and take all the short paths to Azure 😉🤪
Great summarisation of how Short Path works and how to configure it, short and sweet!
Thanks Jamie
Short & clear explanations, we like 😎
thanks!
Great stuff dean. Plz continue to create more and more videos
Thanks Shekhar!
Super video! I applauded for CA$2.00 👏
Thank you for your support Michel!
Your video made me understand better
Thanks
Thanks Faddy! Please share it with everyone on social media
Excellent explanation, Great work
Thanks! Please share with others ☺️
looking at this now, there's new policies in the AVD policy template I wonder if they do the same as the Regedit key's you added.
Yes they do. ALMOST all GPOs turn into regkeys on the VM
Nice and detailed explanation 👍
Thanks!
Is this GPO policy targeting the local device or the remote desktop machine? @Azure Academy
The remote Session host
Thank you for this awesome video!
I am not a network specialist ;-)
I wonder what additional costs are there for my Site2Site VPN? Is there any outbound traffic from the VPN?
Depends on your VPN setup and how your clients connect to it and through it to WVD.
Dean, I was revisiting this episode and I have a question.
I understand that Windows Virtual Desktop uses the Azure Traffic Manager, which checks the location of the user's DNS server to find the nearest Windows Virtual Desktop service instance.
But I really want to know what exactly all available WVD Service Locations are.
The specific scenario is I have a customer who wants to manually register Host Pools in Azure China(completely separated environment from Global Azure, but it now has Win 10 multisession images available) to WVD Azure Global Service, I successfully tested it, but the latency is around 150ms, I wonder if there is any WVD Services in East Asia(HK), I also wonder if I can decrease the latency by enabling RDP Shortcut + VPN/ER.
Apart from the latency, any potential risks you can think of?
I also wonder, if this scenario works, how about Azure Stack, what if I deploy Win 10 multi-session(technically) in Azure Stack, then register them into WVD manually.
Sorry that I think too much on this. Thanks.
Lots of things here...WVD doesn’t use traffic manager...Azure Front Door is in front of the WVD PaaS Service, but yes the service geolocation works that way.
There are 2 parts to the WVD Service latency
1. Is talking to the WVD gateway and the other is connecting to the session host. With RDP ShortPath you do not connect to the gateway...but the client connects directly to the session host VM...so YES this would be reduced latency. Finally YES WVD can work on Azure Stack o the WVD service...not sure if RDP ShortPath works with Azure Stack.
Hello Dean,thanks for your video it made me to better understand RDP shortpath
I am missing one point here ,if we go with RDP shortpath client will get connection to session host directly. So are we skipping the RD Gateway component (core components of AVD)?. Directly connects using ER ?
Not skipping the gateway exactly...but the gateway tells the connection broker to have your client and the session host communicate directly.
What would happen if we were using RDP shortpath but didn't add the rule to our NSG? Would it work and have disconnects or just not work at all?
IF you had a NSG it would depend how restrictive it was. If you had a rule that blocked everything except what you explicitly allow the it would not work at all
Hi Dean, Great video. I have implemented several times from within my Azure network and I have a DC in the cloud. Is my assumption correct that RDP Short Path will only work in a hybrid environment? After implementing in my DEV environment. I still get TCP only.
RDP ShortPath will work over your internal private network including any client vpn that you have and reverse connect will still work over the public internet
@AzureAcademy , i have the shortpath set correctly , but when i Connect to the public network its redirecting to the web instead of the RDP shortpath. How can i revert this coz i want to use shortpath not the web.
Sounds like it isn’t set up correctly…take a look at this video for why
th-cam.com/video/k2FdqfIpiWs/w-d-xo.htmlsi=X_HmAiOBJYHbh3sV
I'm trying to grasp the UDP port 3390 inbound connection at the client side; imagine that a user is at this home behind a regular home-grade (NAT) router, should it then have port forwarding configured for udp/3390, and if so how does that work if there are several users using WVD? (but maybe I missed the point in the video)
RDPShort path is a WVD session host feature that accepts UDP and a direct connection from the client when on a private network.
You only need to open ports for UDP is something is blocking it, but in general home connections allow all outbound traffic, so no action needed...normally.
Hey Dean! First of all thanks :) is that official supported? Do you think we can see something less manual configuration and more automatic? The last question you talk about bandwidth... If I correct understanding you tell that with udp you use more bandwidth... Is that true or I don't understand? Sorry for all question 😭
RDP ShortPath is in public preview today. So not production supported but if you have any issues or feedback etc, the product group would love to hear it!
My comments about bandwidth were to start you thinking. If you have for example 2000 users on you Azure point to site VPN to a single gateway...is the gateway of a high enough SKU to support the load, or if the users are in a remote office...and they all have dual 4K monitors and want to use GPU powered VMs for CAD work but are on a satellite internet connection... using RDP ShortPath may put more of a bottleneck on those then reverse connect
Thanks again 🙏
anytime!
@5:20 You set your DWORD for UdpPortNumber in hex to 3390, hence it's actually 13200 decimal :/
Did I...oh nice catch...☺️
but I did set it up correctly in the GPO
@@AzureAcademy very true...! Great video, I tried it with a P2S VPN yesterday and it worked well. So easy to configure too...
Awesome, glad I was able to help!
Hi all, at 9:03, why gateway name is visible when in gateway hop is skipped can sh connects directly to the client?
The gateway isn’t exactly skipped with RDP short path. It’s still necessary to establish a connection for the session host. RDP, short path bypasses the gateway in the session host connection as the last step of the process.
hi if my AVD always use internet as connection method. Does this RDP Short Path helps in any way? so I don't configure it
If your clients only connect over the Internet directly then no RDP short path will not help you today however, it will help in the future…stay tuned!
@3:00 - Have you tried doing it with QUIC ???
I have not...WVD only works over TCP reverse connect and UDP RDP ShortPath.
Wonderful Video, but i have to ask since this is new to me.
Why would i need to do this? My users today use "regular" tcp and i even checked the infograph on rdp it said 40ms and 5mb/s, which normaly is bad. But i dont notice any performance issues at all?
Is it on heavier workloads its more noticible?
Thanks Zurelia! Great question. Latency and Bandwidth are something to consider, but one of the biggest reasons for RDP ShortPath is to keep all the data of the user session on my private network, and off the public internet, which reverse connect does.
@@AzureAcademy ahh so the connection is going threw my onsite vpn instead of routing via public internet?
correct, RDP Shortpath will take a direct private path to the session hosts if it is availabile...if it isn't then it will fallback on Reverse Connect
Hello Dean thank you so much for sharing this video!
So does RDP short path falls back to TCP 443 if UDP 3390 is not available? So I can only allow RDP short path for the connections from the corporate location meanwhile users working from home will continue using TCP 443 reverse connection?
Correct, if they are on your private network they will use RDP ShortPath in that includes your VPN even point to site or client VPN. If they are over the public Internet they will use reverse connect
Thank you so much! I am going to try it tomorrow.
👍👍
What does WVD RDP Shortpath do if the client where the RDP App runs on is not on the S2S VPN / Express Route? For example the client PC is at home. Does It switch to the normal mechanism?
If you are at home running on your VPN you are effectively on your corporate network so RDP ShortPath would function if you are at a coffee shop not on a VPN then you would be using reverse connect
I've implemented this a few days ago and it works fine .. sometimes :(
I'm getting mixed results, one time it connects using UDP, logout and login (same source computer and same destination WVD) and then it's on TCP. Any thoughts on this?
You got me there...I would check the monitoring logs for WVD and see what happened.
@@AzureAcademy It took some time (other things got a bit in the way). But after checking everything over 5 times your description in the video and through MS docs (docs.microsoft.com/en-us/azure/virtual-desktop/shortpath) it's still not working.
The only thing I could find was using the PowerShell cmd to check the UDP listener (Get-NetUDPEndpoint -OwningProcess ((Get-WmiObject win32_service -Filter "name = 'TermService'").ProcessId) -LocalPort 3390)
And the result of that is the following :
Get-NetUDPEndpoint : No matching MSFT_NetUDPEndpoint objects found by CIM query for instances of the ROOT/StandardCimv2
/MSFT_NetUDPEndpoint class on the CIM server: SELECT * FROM MSFT_NetUDPEndpoint WHERE ((LocalPort = 3390)) AND ((Owni
ngProcess = 1072)). Verify query parameters and retry.
At line:1 char:1
+ Get-NetUDPEndpoint -OwningProcess ((Get-WmiObject win32_service -Filt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (MSFT_NetUDPEndpoint:String) [Get-NetUDPEndpoint], CimJobException
+ FullyQualifiedErrorId : CmdletizationQuery_NotFound,Get-NetUDPEndpoint
Just using Get-NetUDPEndpoint results in :
LocalAddress LocalPort
------------ ---------
:: 65501
::1 54018
fe80::1002:9bed:267d:ab9f%2 54017
:: 5355
::1 5353
:: 5353
:: 3389
fe80::1002:9bed:267d:ab9f%2 1900
::1 1900
:: 123
0.0.0.0 65500
127.0.0.1 63400
127.0.0.1 62069
127.0.0.1 61580
127.0.0.1 61578
127.0.0.1 61394
127.0.0.1 60755
127.0.0.1 54104
127.0.0.1 54020
192.168.10.9 54019
127.0.0.1 52331
127.0.0.1 52138
0.0.0.0 49550
127.0.0.1 49495
192.168.10.9 49246
0.0.0.0 5355
192.168.10.9 5353
0.0.0.0 5353
0.0.0.0 3389
192.168.10.9 1900
127.0.0.1 1900
192.168.10.9 138
192.168.10.9 137
0.0.0.0 123
I'm lost and have given up also knowing it's a preview so maybe later it will be solved. TCP works fine, UDP would be the cherry on the cake.
sorry to hear you have run into so many issues Patrick. Did you try setting the reg key directly or the GPO, Also verify that those settings are present? Also do you have a NSG or firewall that needs to have UDP 3390 open?
How does Short Path handle if you have users both inside and outside the corporate network. will still use 443 reverse connection for those that do not have line of site via Express Route?
RDP ShortPath is an enhancement to your connection strategy so reverse connect will work for everyone external and short path works internally
@azureAcademy , how can i reverse that ? I want to use shortpath instead of web browser while connected to the public network
You need to restrict the short path traffic
Watch this for more info th-cam.com/video/k2FdqfIpiWs/w-d-xo.htmlsi=EPfmUPGxtSYMDhAs
Will this be affecting our current RDP port 3389?
It will not reverse connect functions independently of RDP ShortPath
I struggled/failed to get it working, tried creating brand new VM, still TCP only. When setting the firewall the error is : "Windows services have been restricted with rules that allow expected behaviour only. Rules that specify host processes such as svchost.exe, might not work as expected because they can conflict with Windows service-hardening rules".
I tried disabling firewalls completely - still only got TCP
I set UdpPortNumber to 3390 (decimal): (
Could you give me a pointer where to look to sort out...? Many Thanks
Is there a firewall Or a network security group in Azure if so then you have to allow UDP 3390
@@AzureAcademy I did permit UDP port 3390 in VM firewall and same in Azure console. In the end I disabled the firewall completely on VM and I got UDP. Not ideal - but fine for my testing.. Thanks
definitely not ideal. I wonder if there is some other rule set that was blocking * or UDP that was tripping it up?
My users have a basic vpn gateway, and they are complaining that opening office applications/submitting files in outlook takes a while, would this solution help them?
RDP ShortPath would give them a “more direct” connection path to WVD. But as for if the VPN has enough bandwidth for your users...that depends on what they are doing and how much bandwidth you have.
@@AzureAcademy Thanks for your reply.
@@AzureAcademy i mean "more direct" connection path equals faster performance when calling on office applications don't it?
I believe so...it certainly won't hurt to try it 😁
no, not exactly. RDP Shortpath is more about connection from the user to the VM, not the user in the session getting to an internet service like Office 365. Remember the Shortpath allows you to bypass the WVD Internet gateway service to the Session Hosts you get to connect directly to them. ..hope this helps.