Monday, July 11, 2022

RDP Shortpath in action!

What is RDP Shortpath?

RDP Shortpath is all about offering better reliability and consistent latency for Azure Virtual Desktop (AVD). For a regular AVD session, all traffic is always tunneled through a gateway that is hosted by Microsoft as part of the AVD Service in Azure. RDP Shortpath allows direct RDP traffic from client to host and, after authentication and authorization, essentially bypasses the Gateway.

You might be familiar with the RD Gateway role as part of Remote Desktop Services. This role provides a similar service as it also tunnels RDP Traffic from the RD Client towards the RD Session host by only requiring outbound TCP traffic over 443 (SSL). There are distinct differences however. First, the AVD Gateway is hosted and controlled by Microsoft so you don’t see it in your subscription and it is managed and maintained for you. Second, AVD Gateway does not require you to open port 3389 from gateway to host as the AVD Agent on the host only requires outbound ports. The latter is called reverse connect and allows full separation between the gateway and host. Very important from a security standpoint of course.

Why is this important to the topic of RDP Shortpath? The AVD Gateway only supports RDP-TCP, meaning we cannot leverage RDP-UDP. If you’ve worked with RDS before, you’ll know that having RDP-UDP available significantly boosts the overall RDP experience. This is especially the case for graphics-intensive applications or applications that are latency-sensitive. Ever since the release of AVD (and before that WVD), there has been a big ask for RDP-UDP and it has been on the radar and roadmap for some time.

With RDP Shortpath, Microsoft delivered on this promise. This allows for direct communication from the AVD Client to the AVD host. This reduces round-trip time, improving user experience, especially with latency-sensitive applications. RDP Shortpath does not replace reverse connect as all session brokering is still performed by the AVD Control Plane.

RDP Shortpath comes in two different options

The first option is RDP Shortpath for managed networks. For this option your AVD Clients need direct TCP port 3389 to the host. This option is mostly meant for trusted connections like Express Route and Site-To-Site VPN. You can also use a public IP on the host, but for security reasons I would advise against that. More information on the setup and the requirements can be found here: Azure Virtual Desktop RDP Shortpath for managed networks.

The second option is Azure Virtual Desktop RDP Shortpath for public networks, which is currently in public preview. For this option, no TCP port 3389 to the host is required and as a result, a private network like Express Route or Site-To-Site VPN is also not required. More information on the setup and the requirements can be found here: Azure Virtual Desktop RDP Shortpath for public networks (preview).

Although RDP Shortpath for public networks is still in public preview (Microsoft recommends not using it for production yet and configuring it on a validation host pool), my experiences with the feature have been super great so far.

Enable RDP Shortpath for public networks preview

To participate in the RDP Shortpath for public networks preview, all you have to do is add the registry entry ICEControl as shown below.

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" /v ICEControl /t REG_DWORD /d 2 /f

And to disable RDP Shortpath for public networks preview, simply remove the ICEControl registry entry as shown below.

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" /v ICEControl /f
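The same enable and disable steps as an idempotent PowerShell check, useful for confirming that the preview setting is only present on validation hosts. This is an added example, not code from the original post; the function names Get-ShortpathPublicPreview and Set-ShortpathPublicPreview are hypothetical, and only the registry path, the ICEControl value name and the data 2 come from the commands above.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Run in an elevated session on the AVD session host.
$WinStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$ValueName   = 'ICEControl'   # registry value named in the post
$EnabledData = 2              # data the post sets to opt in to the preview

function Get-ShortpathPublicPreview {
    # Read-only: reports whether the preview opt-in is present on this host.
    $item = Get-ItemProperty -Path $WinStations -Name $ValueName -ErrorAction SilentlyContinue
    $data = if ($null -ne $item) { $item.$ValueName } else { $null }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ValuePresent = $null -ne $item
        Data         = $data
        Enabled      = ($data -eq $EnabledData)
    }
}

function Set-ShortpathPublicPreview {
    # Applies the REG ADD / REG DELETE steps only when the state differs.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)

    $state  = Get-ShortpathPublicPreview
    $target = "$WinStations\$ValueName"
    if ($Enabled -and -not $state.Enabled) {
        if ($PSCmdlet.ShouldProcess($target, "Set DWORD to $EnabledData")) {
            New-ItemProperty -Path $WinStations -Name $ValueName `
                -PropertyType DWord -Value $EnabledData -Force | Out-Null
        }
    }
    elseif (-not $Enabled -and $state.ValuePresent) {
        if ($PSCmdlet.ShouldProcess($target, 'Remove value')) {
            Remove-ItemProperty -Path $WinStations -Name $ValueName
        }
    }
    Get-ShortpathPublicPreview   # return the resulting state
}

# Report the current state without changing anything.
Get-ShortpathPublicPreview
```

Calling Set-ShortpathPublicPreview -Enabled $true -WhatIf shows the change that would be made without writing to the registry.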

Confirm RDP Shortpath is operational

Once enabled, the easiest way to confirm that RDP Shortpath for public networks is working (also applies to managed networks) is by clicking on the Connection information in the blue bar. As you can see below, it says ‘UDP is enabled’ and further down it states UDP as the transport protocol.


Putting RDP Shortpath to action

Over time, I have performed several tests with RDP Shortpath both for Public as well as for private networks, even when RDP Shortpath was still in technical preview. A subset of those videos are available on my YouTube channel.

In my most recent test from last week, I put RDP Shortpath for Public Networks to the test using an NVads A10 v5-series Session Host in Azure Virtual Desktop. These VMs are powered by an NVIDIA A10 GPU. What’s also great about the NVads A10 v5 series is that it allows you to select models with a partial GPU. So for scenarios where a full A10 GPU is not required, you can also select a size with 1/2, 1/3 or even 1/6 of a GPU. Back in March of this year, when this new series was still in preview, Michel Roth (Microsoft Azure HPC team) wrote a great article called Why the NVads A10 v5 series lowers AVD costs even further, which contains interesting insights into the benefits and costs.

Back to my test case. To test-drive RDP Shortpath on the GPU-enabled machine in a fun way, I used GTA5 running inside the AVD Session Host! The results were amazing. As you can see in the screenshot below, the round-trip latency was only 8ms at 49 frames per second. During this test run the frames per second fluctuated between 46 and 50 frames per second.

Want to see it in action? Below is a link to the video I published last week! AVD — GPU — RDP Shortpath demo, with GTA — YouTube






Tuesday, July 5, 2022

Parallels RAS 19 Expression based filtering and Multiple Multi-factor Authentication (MFA) providers!

This is article number three in a series I’m publishing on Parallels Remote Application Server version 19. In the previous two articles I discussed support for Let’s Encrypt and integration with MSIX app attach.

Expression based filtering & policies

Multiple Multi-factor Authentication (MFA) providers.