Commit e102e38

Merge pull request #226993 from dknappettmsft/avd-rdp-shortpath-firewall-edits
AVD RDP Shortpath ports
2 parents 5e4b29a + d149b81 commit e102e38

File tree

1 file changed

+7
-5
lines changed
articles/virtual-desktop/rdp-shortpath.md

Lines changed: 7 additions & 5 deletions
@@ -69,7 +69,7 @@ All connections begin by establishing a TCP-based [reverse connect transport](ne
6969

7070
1. While the client is probing the provided IP addresses, it continues to establish the initial connection over the reverse connect transport to ensure there's no delay in the user connection.
7171

72-
1. If the client has a direct connection to the session host, the client establishes a secure connection using TLS over Reliable UDP.
72+
1. If the client has a direct connection to the session host, the client establishes a secure connection using TLS over reliable UDP.
7373

7474
1. After establishing the RDP Shortpath transport, all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection, are moved to the new transport. However, if a firewall or network topology prevents the client from establishing direct UDP connectivity, RDP continues with a reverse connect transport.
7575

@@ -128,7 +128,7 @@ All connections begin by establishing a TCP-based [reverse connect transport](ne
128128

129129
1. After the session host and client exchange their candidate lists, both parties attempt to connect with each other using all the gathered candidates. This connection attempt is simultaneous on both sides. Many NAT gateways are configured to allow the incoming traffic to the socket as soon as the outbound data transfer initializes it. This behavior of NAT gateways is the reason the simultaneous connection is essential. If STUN fails because it's blocked, an indirect connection attempt is made using TURN.
130130

131-
1. After the initial packet exchange, the client and session host may establish one or many data flows. From these data flows, RDP chooses the fastest network path. The client then establishes a secure connection using TLS over Reliable UDP with the session host and initiates RDP Shortpath transport.
131+
1. After the initial packet exchange, the client and session host may establish one or many data flows. From these data flows, RDP chooses the fastest network path. The client then establishes a secure connection using TLS over reliable UDP with the session host and initiates RDP Shortpath transport.
132132

133133
1. After RDP establishes the RDP Shortpath transport, all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection move to the new transport.
134134

@@ -177,14 +177,16 @@ TURN is available in the following Azure regions:
177177

178178
| Name | Source | Source Port | Destination | Destination Port | Protocol | Action |
179179
|---|---|:---:|---|:---:|:---:|:---:|
180-
| STUN/TURN UDP | VM subnet | Any | 20.202.0.0/16 | 3478-3481 | UDP | Allow |
180+
| RDP Shortpath Server Endpoint | VM subnet | Any | Any | 1024-65535<br />(*default 49152-65535*) | UDP | Allow |
181+
| STUN/TURN UDP | VM subnet | Any | 20.202.0.0/16 | 3478 | UDP | Allow |
181182
| STUN/TURN TCP | VM subnet | Any | 20.202.0.0/16 | 443 | TCP | Allow |
182183

183184
#### Client network
184185

185186
| Name | Source | Source Port | Destination | Destination Port | Protocol | Action |
186187
|---|---|:---:|---|:---:|:---:|:---:|
187-
| STUN/TURN UDP | Client network | Any | 20.202.0.0/16 | 3478-3481 | UDP | Allow |
188+
| RDP Shortpath Server Endpoint | Client network | Any | Public IP addresses assigned to NAT Gateway or Azure Firewall (provided by the STUN endpoint) | 1024-65535<br />(*default 49152-65535*) | UDP | Allow |
189+
| STUN/TURN UDP | Client network | Any | 20.202.0.0/16 | 3478 | UDP | Allow |
188190
| STUN/TURN TCP | Client network | Any | 20.202.0.0/16 | 443 | TCP | Allow |
189191

190192
### Teredo support
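Review bot: in the new `RDP Shortpath Server Endpoint` row for the VM subnet, the range `1024-65535<br />(*default 49152-65535*)` sits in the Destination Port column, yet the paragraph later in this same file (the hunk at line 219) describes 49152–65535 as the port each RDP session on the session host is dynamically assigned to accept RDP Shortpath traffic, which from the session host's side is the local port, not the remote one; please confirm the column placement, or add a line under the table stating which side each range applies to so administrators don't write a rule that matches only a remote port range they can't predict. Two smaller points in the same hunk: both `STUN/TURN UDP` rows silently narrow `3478-3481` to `3478`, so a short sentence noting that the extra ports are no longer needed would help anyone who already deployed the wider rule, and the client-side destination `Public IP addresses assigned to NAT Gateway or Azure Firewall (provided by the STUN endpoint)` would be clearer as "(learned through the STUN exchange)" since STUN returns the mapping rather than supplying the addresses.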
@@ -218,7 +220,7 @@ The port used for each RDP session depends on whether RDP Shortpath is being use
218220

219221
- **Public networks**: each RDP session uses a dynamically assigned UDP port from an ephemeral port range (49152–65535 by default) that accepts the RDP Shortpath traffic. You can also use a smaller, predictable port range. For more information, see [Limit the port range used by clients for public networks](configure-rdp-shortpath-limit-ports-public-networks.md).
220222

221-
RDP Shortpath uses a secure connection using TLS over Reliable UDP between the client and the session host using the session host's certificates. By default, the certificate used for RDP encryption is self-generated by the operating system during the deployment. You can also deploy centrally managed certificates issued by an enterprise certification authority. For more information about certificate configurations, see [Remote Desktop listener certificate configurations](/troubleshoot/windows-server/remote/remote-desktop-listener-certificate-configurations).
223+
RDP Shortpath uses a secure connection using TLS over reliable UDP between the client and the session host using the session host's certificates. By default, the certificate used for RDP encryption is self-generated by the operating system during the deployment. You can also deploy centrally managed certificates issued by an enterprise certification authority. For more information about certificate configurations, see [Remote Desktop listener certificate configurations](/troubleshoot/windows-server/remote/remote-desktop-listener-certificate-configurations).
222224

223225
> [!NOTE]
224226
> The security offered by RDP Shortpath is the same as that offered by TCP reverse connect transport.
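Review bot: the range in the `Public networks` bullet is written `49152–65535` with an en dash while the new table rows in the firewall hunk above use `49152-65535` with a hyphen; pick one form for the file. Since this bullet already links to `configure-rdp-shortpath-limit-ports-public-networks.md`, consider adding the same link next to the `(*default 49152-65535*)` annotation in the two new table rows, so a reader of the firewall tables learns that the range can be narrowed without having to find this paragraph.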