
Commit a6aae60

Merge pull request #228849 from dknappettmsft/avd-rdp-shortpath-tweaks
AVD RDP Shortpath minor tweaks
2 parents c479cd0 + 4461bd0 commit a6aae60


2 files changed

+52
-41
lines changed


articles/virtual-desktop/configure-rdp-shortpath.md

Lines changed: 36 additions & 31 deletions
@@ -20,8 +20,11 @@ Before you can enable RDP Shortpath, you'll need to meet the prerequisites. Sele
2020
# [Managed networks](#tab/managed-networks)
2121

2222
- A client device running the [Remote Desktop client for Windows](users/connect-windows.md), version 1.2.3488 or later. Currently, non-Windows clients aren't supported.
23+
2324
- Direct line of sight connectivity between the client and the session host. Having direct line of sight connectivity means that the client can connect directly to the session host on port 3390 (default) without being blocked by firewalls (including the Windows Firewall) or Network Security Group, and using a managed network such as:
25+
2426
- [ExpressRoute private peering](../expressroute/expressroute-circuit-peerings.md).
27+
2528
- Site-to-site or Point-to-site VPN (IPsec), such as [Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md).
2629

2730
# [Public networks](#tab/public-networks)
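Review bot: the line-of-sight bullet at new line 24 says the client must reach the session host "on port 3390 (default)" without naming the protocol; the firewall rule later in this file opens UDP 3390 (`'Remote Desktop - RDP Shortpath (UDP-In)'`), so write "UDP port 3390" here, otherwise readers are likely to open TCP 3390 on their firewalls and NSGs and wonder why Shortpath never engages. Separately, the blank lines added at new lines 23, 25 and 27 turn this tight list into a loose one, which changes spacing for the nested ExpressRoute/VPN items; confirm the managed-networks tab still renders the same way as the public-networks tab.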
@@ -30,8 +33,13 @@ Before you can enable RDP Shortpath, you'll need to meet the prerequisites. Sele
3033
> RDP Shortpath for public networks with STUN or TURN will work automatically without any additional configuration, providing networks and firewalls allow the traffic through and RDP transport settings in the Windows operating system for session hosts and clients are using their default values. The steps to configure RDP Shortpath for public networks are provided for session hosts and clients in case these defaults have been changed.
3134
3235
- A client device running the [Remote Desktop client for Windows](users/connect-windows.md), version 1.2.3488 or later. Currently, non-Windows clients aren't supported.
33-
- Internet access for both clients and session hosts. Session hosts require outbound UDP connectivity from your session hosts to the internet or connections to STUN and TURN servers. To reduce the number of ports required, you can [limit the port range used by clients for public networks](configure-rdp-shortpath-limit-ports-public-networks.md). For more information you can use to configure firewalls and Network Security Groups, see [Network configurations for RDP Shortpath](rdp-shortpath.md#network-configuration).
36+
37+
- Internet access for both clients and session hosts. Session hosts require outbound UDP connectivity from your session hosts to the internet or connections to STUN and TURN servers. To reduce the number of ports required, you can [limit the port range used by clients for public networks](configure-rdp-shortpath-limit-ports-public-networks.md).
38+
39+
RDP Shortpath doesn't support Symmetric NAT. For more information you can use to configure firewalls and Network Security Groups, see [Network configurations for RDP Shortpath](rdp-shortpath.md?tabs=public-networks#network-configuration).
40+
3441
- Check your client can connect to the STUN and TURN endpoints and verify that basic UDP functionality works by running the executable `avdnettest.exe`. For steps of how to do this, see [Verifying STUN/TURN server connectivity and NAT type](troubleshoot-rdp-shortpath.md#verifying-stunturn-server-connectivity-and-nat-type).
42+
3543
- To use TURN, the connection from the client must be within a supported location. For a list of Azure regions that TURN is available, see [supported Azure regions with TURN availability](rdp-shortpath.md#turn-availability-preview).
3644

3745
> [!IMPORTANT]
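Review bot: the sentence "RDP Shortpath doesn't support Symmetric NAT." at new line 39 now sits as a standalone paragraph between two bullets, separated by blank lines from the internet-access bullet above it; unless it is indented to that bullet's content it ends the list, and the "Check your client..." and "To use TURN..." bullets at new lines 41 and 43 start a new list. Either indent it under the internet-access bullet or make it its own bullet. It would also help to say that the `avdnettest.exe` check in the next bullet is how a reader finds out which NAT type they are behind, since that is the practical way to confirm the Symmetric NAT limitation applies to them.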
@@ -51,14 +59,12 @@ To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpa
5159

5260
1. Download the [Azure Virtual Desktop administrative template](https://aka.ms/avdgpo) and extract the contents of the .cab file and .zip archive.
5361

54-
1. Depending on whether you want to configure Group Policy centrally from your domain, or locally for each session host:
55-
56-
**AD Domain**:
57-
1. Copy and paste the **terminalserver-avd.admx** file to the Central Store for your domain, for example `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`, where *contoso.com* is your domain name. Then copy the **en-us\terminalserver-avd.adml** file to the `en-us` subfolder.
62+
1. Depending on whether you want to configure Group Policy centrally from your AD domain, or locally for each session host:
63+
64+
1. **AD Domain**: Copy and paste the **terminalserver-avd.admx** file to the Central Store for your domain, for example `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`, where *contoso.com* is your domain name. Then copy the **en-us\terminalserver-avd.adml** file to the `en-us` subfolder.
5865
1. Open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your session hosts.
5966

60-
**Locally**:
61-
1. Copy and paste the **terminalserver-avd.admx** file to `%windir%\PolicyDefinitions`. Then copy the **en-us\terminalserver-avd.adml** file to the `en-us` subfolder.
67+
1. **Locally**: Copy and paste the **terminalserver-avd.admx** file to `%windir%\PolicyDefinitions`. Then copy the **en-us\terminalserver-avd.adml** file to the `en-us` subfolder.
6268
1. Open the **Local Group Policy Editor** on the session host.
6369

6470
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Azure Virtual Desktop**. You should see policy settings for Azure Virtual Desktop, as shown in the following screenshot:
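Review bot: collapsing the **AD Domain** / **Locally** headings into numbered sub-items at new lines 64 and 67 makes the two alternatives render as sequential steps 1 and 2 under the parent step, so a reader may copy the ADMX/ADML to both the Central Store and `%windir%\PolicyDefinitions` and open both consoles. Consider phrasing the parent step as "Do one of the following:" or keeping the two branches as an unordered list. The same pattern is repeated in the later hunks of this file, so whichever form is chosen should be applied consistently.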
@@ -67,10 +73,9 @@ To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpa
6773

6874
1. Open the policy setting **Enable RDP Shortpath for managed networks** and set it to **Enabled**. If you enable this policy setting, you can also configure the port number that Azure Virtual Desktop session hosts will use to listen for incoming connections. The default port is **3390**.
6975

70-
1. If you need to configure Windows Firewall to allow port 3390, run one of the following commands, depending on whether you want to configure Windows Firewall using Group Policy centrally from your domain, or locally for each session host:
76+
1. If you need to configure Windows Firewall to allow port 3390, run one of the following commands, depending on whether you want to configure Windows Firewall using Group Policy centrally from your AD domain, or locally for each session host:
7177

72-
**AD Domain**:
73-
1. Open an elevated PowerShell prompt and run the following command, replacing the value for `$domainName` with your own domain name, the value for `$writableDC` with the hostname of a writeable domain controller, and the value for `$policyName` with the name of an existing Group Policy Object:
78+
1. **AD Domain**: Open an elevated PowerShell prompt and run the following command, replacing the value for `$domainName` with your own domain name, the value for `$writableDC` with the hostname of a writeable domain controller, and the value for `$policyName` with the name of an existing Group Policy Object:
7479

7580
```powershell
7681
$domainName = "contoso.com"
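Review bot: new line 74 lets the admin change the port the session host listens on, but the firewall step at new line 78 and the command that follows are hardcoded to port 3390 ("configure Windows Firewall to allow port 3390"); add a sentence that the port in the firewall rule must match the port set in the policy, otherwise the listener is reachable on one port while the firewall allows another and connections will not use Shortpath.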
@@ -83,8 +88,7 @@ To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpa
8388
Save-NetGPO -GPOSession $gpoSession
8489
```
8590
86-
**Locally**:
87-
1. Open an elevated PowerShell prompt and run the following command:
91+
1. **Locally**: Open an elevated PowerShell prompt and run the following command:
8892
8993
```powershell
9094
New-NetFirewallRule -DisplayName 'Remote Desktop - RDP Shortpath (UDP-In)' -Action Allow -Description 'Inbound rule for the Remote Desktop service to allow RDP Shortpath traffic. [UDP 3390]' -Group '@FirewallAPI.dll,-28752' -Name 'RemoteDesktop-UserMode-In-RDPShortpath-UDP' -PolicyStore PersistentStore -Profile Domain, Private -Service TermService -Protocol UDP -LocalPort 3390 -Program '%SystemRoot%\system32\svchost.exe' -Enabled:True
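Review bot: the local rule is scoped with `-Profile Domain, Private`, so it has no effect if the session host's active network profile is Public; since new line 101 says the local path is intended for session hosts joined to Azure AD (which never get a Domain profile), the step should tell the reader to confirm the active profile (`Get-NetConnectionProfile`) before relying on this rule. The `-Program '%SystemRoot%\system32\svchost.exe' -Service TermService` scoping is good least-privilege and should stay as-is.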
@@ -96,13 +100,11 @@ To enable RDP Shortpath for managed networks, you need to enable the RDP Shortpa
96100
97101
If you need to configure session hosts and clients to enable RDP Shortpath for public networks because their default settings have been changed, follow these steps. You can do this using Group Policy, either centrally from your domain for session hosts that are joined to an Active Directory (AD) domain, or locally for session hosts that are joined to Azure Active Directory (Azure AD).
98102
99-
1. Depending on whether you want to configure Group Policy centrally from your domain, or locally for each session host:
100-
101-
**AD Domain**:
102-
1. Open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your session hosts.
103+
1. Depending on whether you want to configure Group Policy centrally from your AD domain, or locally for each session host:
104+
105+
1. **AD Domain**: Open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your session hosts.
103106
104-
**Locally**:
105-
1. Open the **Local Group Policy Editor** on the session host.
107+
1. **Locally**: Open the **Local Group Policy Editor** on the session host.
106108
107109
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Connections**.
108110
@@ -124,7 +126,9 @@ The steps to ensure your clients are configured correctly are the same regardles
124126
To configure managed and unmanaged Windows clients using Group Policy:
125127
126128
1. Depending on whether you want to configure managed or unmanaged clients:
129+
127130
1. For managed clients, open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your clients.
131+
128132
1. For unmanaged clients, open the **Local Group Policy Editor** on the client.
129133
130134
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Connection Client**.
@@ -139,7 +143,7 @@ To configure managed Windows clients using Intune:
139143
140144
1. Sign in to the [Endpoint Manager admin center](https://endpoint.microsoft.com/).
141145
142-
1. Create or edit a configuration profile for **Windows 10 and later** devices, using Administrative templates.
146+
1. [Create or edit a configuration profile](/mem/intune/configuration/administrative-templates-windows) for **Windows 10 and later** devices, using Administrative templates.
143147
144148
1. Browse to **Windows Components** > **Remote Desktop Services** > **Remote Desktop Connection Client**.
145149
@@ -213,8 +217,11 @@ If you're using [Azure Log Analytics](./diagnostics-log-analytics.md), you can m
213217
The possible values are:
214218

215219
- **1** - The user connection is using RDP Shortpath for managed networks.
220+
216221
- **2** - The user connection is using RDP Shortpath for public networks directly using STUN.
222+
217223
- **4** - The user connection is using RDP Shortpath for public networks indirectly using TURN.
224+
218225
- For any other value, the user connection isn't using RDP Shortpath and is connected using TCP.
219226

220227
The following query lets you review connection information. You can run this query in the [Log Analytics query editor](../azure-monitor/logs/log-analytics-tutorial.md#write-a-query). For each query, replace `[email protected]` with the UPN of the user you want to look up.
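Review bot: values 1, 2 and 4 look like bit flags, but the list only documents the three single-bit cases and then says "For any other value" means TCP; state what a TCP connection actually reports (0, or the field absent?) and whether combined values can occur, so the Log Analytics query that follows can filter on it explicitly rather than by exclusion.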
@@ -254,12 +261,10 @@ To disable RDP Shortpath for managed networks on your session hosts, you need to
254261
Alternatively, you can block port **3390** (default) to your session hosts on a firewall or Network Security Group.
255262

256263
1. Depending on whether you want to configure Group Policy centrally from your domain, or locally for each session host:
257-
258-
**AD Domain**:
259-
1. Open the **Group Policy Management Console** (GPMC) and edit the existing policy that targets your session hosts.
260264

261-
**Locally**:
262-
1. Open the **Local Group Policy Editor** on the session host.
265+
1. **AD Domain**: Open the **Group Policy Management Console** (GPMC) and edit the existing policy that targets your session hosts.
266+
267+
1. **Locally**: Open the **Local Group Policy Editor** on the session host.
263268

264269
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Azure Virtual Desktop**. You should see policy settings for Azure Virtual Desktop providing you have the administrative template from when you enabled RDP Shortpath for managed networks.
265270
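Review bot: the "Alternatively, you can block port **3390**" sentence at line 262 leaves the inbound Windows Firewall rule created in the enable section (`RemoteDesktop-UserMode-In-RDPShortpath-UDP`, UDP 3390) in place and the session host still listening; when describing how to disable, the doc should also say to remove that rule (`Remove-NetFirewallRule -Name 'RemoteDesktop-UserMode-In-RDPShortpath-UDP'`) or its GPO equivalent, otherwise the NSG or perimeter firewall is the only thing keeping the listener unreachable.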

@@ -277,12 +282,10 @@ To disable RDP Shortpath for public networks on your session hosts, you can set
277282
Alternatively, if you want to disable RDP Shortpath for public networks only, you'll need to block access to the STUN endpoints on a firewall or Network Security Group. The IP addresses for the STUN endpoints can be found in the table for [Session host virtual network](rdp-shortpath.md#session-host-virtual-network).
278283

279284
1. Depending on whether you want to configure Group Policy centrally from your domain, or locally for each session host:
280-
281-
**AD Domain**:
282-
1. Open the **Group Policy Management Console** (GPMC) and edit the existing policy that targets your session hosts.
283285

284-
**Locally**:
285-
1. Open the **Local Group Policy Editor** on the session host.
286+
1. **AD Domain**: Open the **Group Policy Management Console** (GPMC) and edit the existing policy that targets your session hosts.
287+
288+
1. **Locally**: Open the **Local Group Policy Editor** on the session host.
286289

287290
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Connections**.
288291
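Review bot: line 283 says blocking the STUN endpoints disables Shortpath for public networks, but the monitoring section in this same file distinguishes connections made directly via STUN (value 2) from those relayed via TURN (value 4); clarify whether blocking the STUN endpoints also prevents the TURN path or whether the TURN endpoints have to be blocked as well, otherwise an admin may believe Shortpath is off while TURN-relayed connections still succeed.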

@@ -298,13 +301,15 @@ On client devices, you can disable RDP Shortpath for managed networks and public
298301

299302
> [!IMPORTANT]
300303
> If you have previously set RDP traffic to attempt to use both TCP and UDP protocols using Group Policy or Intune, ensure the settings don't conflict.
301-
>
304+
302305
#### Disable RDP Shortpath on managed and unmanaged Windows clients using Group Policy
303306

304307
To configure managed and unmanaged Windows clients using Group Policy:
305308

306309
1. Depending on whether you want to configure managed or unmanaged clients:
310+
307311
1. For managed clients, open the **Group Policy Management Console** (GPMC) and create or edit a policy that targets your clients.
312+
308313
1. For unmanaged clients, open the **Local Group Policy Editor** on the client.
309314

310315
1. Browse to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Connection Client**.
@@ -319,7 +324,7 @@ To configure managed Windows clients using Intune:
319324

320325
1. Sign in to the [Endpoint Manager admin center](https://endpoint.microsoft.com/).
321326

322-
1. Create or edit a configuration profile for **Windows 10 and later** devices, using Administrative templates.
327+
1. [Create or edit a configuration profile](/mem/intune/configuration/administrative-templates-windows) for **Windows 10 and later** devices, using Administrative templates.
323328

324329
1. Browse to **Windows Components** > **Remote Desktop Services** > **Remote Desktop Connection Client**.
325330
