
This article provides detailed troubleshooting steps to diagnose and fix complex Remote Desktop errors for Windows-based Azure virtual machines.


Important

To eliminate the more common Remote Desktop errors, make sure to read the basic troubleshooting article for Remote Desktop before proceeding.

You may encounter a Remote Desktop error message that does not resemble any of the specific error messages covered in the basic Remote Desktop troubleshooting guide. Follow these steps to determine why the Remote Desktop (RDP) client is unable to connect to the RDP service on the Azure VM.

If you need more help at any point in this article, you can contact the Azure experts on the MSDN Azure and the Stack Overflow forums. Alternatively, you can also file an Azure support incident. Go to the Azure Support site and click Get Support. For information about using Azure Support, read the Microsoft Azure Support FAQ.

Components of a Remote Desktop connection

The following components are involved in an RDP connection:

Before proceeding, it might help to mentally review what has changed since the last successful Remote Desktop connection to the VM. For example:

  • The public IP address of the VM or the cloud service containing the VM (also called the virtual IP address, or VIP) has changed. The RDP failure could be because your DNS client cache still has the old IP address registered for the DNS name. Flush your DNS client cache and try connecting to the VM again, or try connecting directly with the new VIP.
  • You are using a third-party application to manage your Remote Desktop connections instead of using the connection generated by the Azure portal. Verify that the application configuration includes the correct TCP port for the Remote Desktop traffic. You can check this port for a classic virtual machine in the Azure portal, by clicking the VM's Settings > Endpoints.

Preliminary steps

Before proceeding to the detailed troubleshooting steps:

  • Check the status of the virtual machine in the Azure portal for any obvious issues.
  • Follow the quick fix steps for common RDP errors in the basic troubleshooting guide.
  • For custom images, make sure that your VHD is properly prepared before uploading it. For more information, see Prepare a Windows VHD or VHDX to upload to Azure.

Try reconnecting to the VM via Remote Desktop after these steps.

Detailed troubleshooting steps

The Remote Desktop client may not be able to reach the Remote Desktop service on the Azure VM due to issues at the following sources:

Source 1: Remote Desktop client computer

Verify that your computer can make Remote Desktop connections to another on-premises, Windows-based computer.

If you cannot, check for the following settings on your computer:

  • A local firewall setting that is blocking Remote Desktop traffic.
  • Locally installed client proxy software that is preventing Remote Desktop connections.
  • Locally installed network monitoring software that is preventing Remote Desktop connections.
  • Other types of security software that monitor traffic, or allow/disallow specific types of traffic, and that are preventing Remote Desktop connections.

In all these cases, temporarily disable the software and try to connect to an on-premises computer via Remote Desktop. If you can find out the actual cause this way, work with your network administrator to correct the software settings to allow Remote Desktop connections.

Source 2: Organization intranet edge device

Verify that a computer directly connected to the Internet can make Remote Desktop connections to your Azure virtual machine.

If you do not have a computer that is directly connected to the Internet, create and test with a new Azure virtual machine in a resource group or cloud service. For more information, see Create a virtual machine running Windows in Azure. You can delete the virtual machine and the resource group or the cloud service, after the test.

If you can create a Remote Desktop connection with a computer directly attached to the Internet, check your organization intranet edge device for:

  • An internal firewall blocking HTTPS connections to the Internet.
  • A proxy server preventing Remote Desktop connections.
  • Intrusion detection or network monitoring software running on devices in your edge network that is preventing Remote Desktop connections.

Work with your network administrator to correct the settings of your organization intranet edge device to allow HTTPS-based Remote Desktop connections to the Internet.

Source 3: Cloud service endpoint and ACL

Important

Classic VMs will be retired on March 1, 2023.

If you use IaaS resources from ASM, please complete your migration by March 1, 2023. We encourage you to make the switch sooner to take advantage of the many feature enhancements in Azure Resource Manager.

For more information, see Migrate your IaaS resources to Azure Resource Manager by March 1, 2023.


For VMs created using the Classic deployment model, verify that another Azure VM that is in the same cloud service or virtual network can make Remote Desktop connections to your Azure VM.

Note

For virtual machines created in Resource Manager, skip to Source 4: Network Security Groups.

If you do not have another virtual machine in the same cloud service or virtual network, create one. Follow the steps in Create a virtual machine running Windows in Azure. Delete the test virtual machine after the test is completed.

If you can connect via Remote Desktop to a virtual machine in the same cloud service or virtual network, check for these settings:

  • The endpoint configuration for Remote Desktop traffic on the target VM: The private TCP port of the endpoint must match the TCP port on which the VM's Remote Desktop service is listening (default is 3389).
  • The ACL for the Remote Desktop traffic endpoint on the target VM: ACLs allow you to specify allowed or denied incoming traffic from the Internet based on its source IP address. Misconfigured ACLs can prevent incoming Remote Desktop traffic to the endpoint. Check your ACLs to ensure that incoming traffic from the public IP addresses of your proxy or other edge server is allowed. For more information, see What is a Network Access Control List (ACL)?

To check if the endpoint is the source of the problem, remove the current endpoint and create a new one, choosing a random port in the range 49152–65535 for the external port number. For more information, see How to set up endpoints to a virtual machine.

Source 4: Network Security Groups

Network Security Groups allow more granular control of allowed inbound and outbound traffic. You can create rules spanning subnets and cloud services in an Azure virtual network.

Use IP flow verify to confirm whether a rule in a Network Security Group is blocking traffic to or from a virtual machine. You can also review the effective security group rules to ensure that an inbound Allow NSG rule exists for the RDP port (default 3389) and is not outranked by a Deny rule with a lower priority number. For more information, see Using Effective Security Rules to troubleshoot VM traffic flow.
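The two checks described above, scripted with Az PowerShell as an added example (not code from the Azure article). It assumes the Az.Network module, an existing Connect-AzAccount session, and placeholder values for the resource group, VM name and client IP.

```powershell
# Added example, not from the Azure article: check whether an NSG rule is what
# blocks RDP to a Resource Manager VM. Uses Network Watcher IP flow verify and the
# effective security rules (Az.Network module, Connect-AzAccount already done).
# Resource names and the client IP below are assumed placeholders.
$rg       = 'my-resource-group'   # assumed
$vmName   = 'my-vm'               # assumed
$clientIp = '203.0.113.10'        # assumed public IP of the RDP client
$rdpPort  = 3389

$vm          = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic         = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$vmPrivateIp = $nic.IpConfigurations[0].PrivateIpAddress
$watcher     = Get-AzNetworkWatcher -Location $vm.Location

# IP flow verify: simulate one inbound TCP packet from the client to the VM's RDP
# port and report whether the effective rules allow it and which rule matched.
$flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $watcher `
    -TargetVirtualMachineId $vm.Id -Direction Inbound -Protocol TCP `
    -LocalIPAddress $vmPrivateIp -LocalPort $rdpPort `
    -RemoteIPAddress $clientIp -RemotePort 50000
"IP flow verify: {0} (rule: {1})" -f $flow.Access, $flow.RuleName

# True if a port-range string such as '*', '3389' or '3000-4000' covers $Port.
function Test-PortInRange([string]$Range, [int]$Port) {
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range -split '-', 2
    if (-not $hi) { $hi = $lo }
    return ([int]$lo -le $Port) -and ($Port -le [int]$hi)
}

# Effective rules merge the subnet NSG and the NIC NSG. List every inbound rule
# touching TCP 3389 in evaluation order, so a Deny that outranks the Allow is visible.
$effective = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name -ResourceGroupName $rg
$effective.EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Protocol -match '^(Tcp|All)$' } |
    Where-Object { $_.DestinationPortRange -and (Test-PortInRange $_.DestinationPortRange $rdpPort) } |
    Sort-Object Priority |
    Format-Table Priority, Name, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```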

Source 5: Windows-based Azure VM

Follow the instructions in the article on resetting the Remote Desktop service on the virtual machine. The reset does the following:

  • Enable the 'Remote Desktop' Windows Firewall default rule (TCP port 3389).
  • Enable Remote Desktop connections by setting the HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections registry value to 0.

Try the connection from your computer again. If you are still not able to connect via Remote Desktop, check for the following possible problems:

  • The Remote Desktop service is not running on the target VM.
  • The Remote Desktop service is not listening on TCP port 3389.
  • Windows Firewall or another local firewall has an outbound rule that is preventing Remote Desktop traffic.
  • Intrusion detection or network monitoring software running on the Azure virtual machine is preventing Remote Desktop connections.

For VMs created using the classic deployment model, you can use a remote Azure PowerShell session to the Azure virtual machine. First, you need to install a certificate for the virtual machine's hosting cloud service. Go to Configure Secure Remote PowerShell Access to Azure Virtual Machines and download the InstallWinRMCertAzureVM.ps1 script file to your local computer.

Next, install Azure PowerShell if you haven't already. See How to install and configure Azure PowerShell.

Next, open an Azure PowerShell command prompt and change the current folder to the location of the InstallWinRMCertAzureVM.ps1 script file. To run an Azure PowerShell script, you must set the correct execution policy. Run the Get-ExecutionPolicy command to determine your current policy level. For information about setting the appropriate level, see Set-ExecutionPolicy.

Next, fill in your Azure subscription name, the cloud service name, and your virtual machine name (removing the < and > characters), and then run these commands.

You can get the correct subscription name from the SubscriptionName property of the display of the Get-AzureSubscription command. You can get the cloud service name for the virtual machine from the ServiceName column in the display of the Get-AzureVM command.

Check if you have the new certificate. Open a Certificates snap-in for the current user and look in the Trusted Root Certification Authorities\Certificates folder. You should see a certificate with the DNS name of your cloud service in the Issued To column (example: cloudservice4testing.cloudapp.net).

Next, initiate a remote Azure PowerShell session by using these commands.


After entering valid administrator credentials, you should see something similar to the following Azure PowerShell prompt:

The first part of this prompt is your cloud service name that contains the target VM, which could be different from 'cloudservice4testing.cloudapp.net'. You can now issue Azure PowerShell commands for this cloud service to investigate the problems mentioned and correct the configuration.

To manually correct the Remote Desktop Services listening TCP port

At the remote Azure PowerShell session prompt, run this command.

The PortNumber property shows the current port number. If needed, change the Remote Desktop port number back to its default value (3389) by using this command.

Verify that the port has been changed to 3389 by using this command.

Exit the remote Azure PowerShell session by using this command.

Verify that the Remote Desktop endpoint for the Azure VM is also using TCP port 3389 as its internal port. Restart the Azure VM and try the Remote Desktop connection again.
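As an added example (not code from the Azure article), the following script audits the Source 5 items on the VM itself and, with Repair-RdpListener, restores the defaults the article describes. It assumes it runs with administrative rights on the VM, for instance inside the remote PowerShell session described above; the function names are our own.

```powershell
# Added example, not code from the Azure article: audit the settings Source 5 lists
# on the VM itself (run it inside the remote PowerShell session described above, or
# via Run Command) and, with Repair-RdpListener, restore the documented defaults.
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

function Test-RdpListener {
    $port    = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
    $denied  = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections
    $service = Get-Service -Name TermService
    # Is anything actually bound to the configured port?
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
    # The built-in inbound rule group the article tells you to enable.
    $inRule = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -eq 'True' }
    # Enabled outbound Block rules that would catch the listener's TCP replies.
    $outBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains "$port")
        }
    [pscustomobject]@{
        PortNumber         = $port
        DefaultPort        = ($port -eq 3389)
        ConnectionsDenied  = ($denied -eq 1)
        ServiceStatus      = $service.Status
        ListenerBound      = $listening
        InboundRuleEnabled = [bool]$inRule
        OutboundBlockRules = @($outBlock).Name
    }
}

function Repair-RdpListener {
    # Put the listener back on 3389 and allow connections, as the article describes.
    Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value 3389
    Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 0
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    # A port change takes effect only after the service (or the VM) restarts.
    Restart-Service -Name TermService -Force
}

$state = Test-RdpListener
$state
if (-not ($state.DefaultPort -and -not $state.ConnectionsDenied -and $state.ListenerBound)) {
    Write-Warning 'RDP listener is not in the expected state; run Repair-RdpListener, then restart the VM.'
}
```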

Additional resources

RDP Shortpath for Windows Virtual Desktop (preview)

Important

RDP Shortpath is currently in public preview. This preview is provided without a service level agreement, and we don't recommend using it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

RDP Shortpath is a feature of Windows Virtual Desktop that establishes a direct UDP-based transport between the Remote Desktop client and the session host. RDP uses this transport to deliver Remote Desktop and RemoteApp while offering better reliability and consistent latency.

Key benefits

  • The RDP Shortpath transport is built on top of the highly efficient Universal Rate Control Protocol (URCP). URCP enhances UDP with active monitoring of the network conditions and provides fair and full link utilization. URCP operates at the low delay and loss levels that Remote Desktop needs. URCP achieves the best performance by dynamically learning network parameters and providing the protocol with a rate control mechanism.
  • RDP Shortpath establishes direct connectivity between the Remote Desktop client and the session host. Direct connectivity reduces the dependency on the Windows Virtual Desktop gateways, improves the connection's reliability, and increases the bandwidth available for each user session.
  • Removing the additional relay reduces the round-trip time, which improves the user experience with latency-sensitive applications and input methods.
  • RDP Shortpath brings support for configuring Quality of Service (QoS) priority for RDP connections through Differentiated Services Code Point (DSCP) marks.
  • The RDP Shortpath transport allows limiting outbound network traffic by specifying a throttle rate for each session.

Connection security

RDP Shortpath extends the RDP multi-transport capabilities. It doesn't replace the reverse connect transport but complements it. All of the initial session brokering is managed through the Windows Virtual Desktop infrastructure.

UDP port 3390 is used only for the incoming Shortpath traffic that is authenticated over the reverse connect transport. The RDP Shortpath listener ignores all connection attempts unless they match the reverse connect session.

RDP Shortpath uses a TLS connection between the client and the session host using the session host's certificates. By default, the certificate used for RDP encryption is self-generated by the OS during the deployment. If desired, customers may deploy centrally managed certificates issued by the enterprise certification authority. For more information about certificate configurations, see Windows Server documentation.

RDP Shortpath connection sequence

After the reverse connect transport is established, the client and session host establish the RDP connection and negotiate multi-transport capabilities. The additional steps are described below:

  1. The session host sends the list of its private and public IPv4 and IPv6 addresses to the client.
  2. The client starts the background thread to establish a parallel UDP-based transport directly to one of the host's IP addresses.
  3. While the client is probing the provided IP addresses, it continues the initial connection establishment over the reverse connect transport to ensure no delay in the user connection.
  4. If the client has a direct line of sight and the firewall configuration is correct, the client establishes a secure TLS connection with the session host.
  5. After establishing the Shortpath transport, RDP moves all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection to the new transport.
  6. If a firewall or network topology prevents the client from establishing direct UDP connectivity, RDP continues with a reverse connect transport.

The diagram below gives a high-level overview of the RDP Shortpath network connection.

Requirements

To support RDP Shortpath, the Windows Virtual Desktop client needs a direct line of sight to the session host. You can get a direct line of sight by using one of the following technologies:

If you're using other VPN types to connect to the Azure virtual network, we recommend using a UDP-based VPN for the best results. While the majority of TCP-based VPN solutions encapsulate all IP packets, including UDP, they add the inherent overhead of TCP congestion control, which slows down RDP performance.

The direct line of sight means that firewalls aren't blocking UDP port 3390 and the client can connect directly to the session host.

Enabling RDP Shortpath preview

To participate in the preview of RDP Shortpath, you need to enable the RDP Shortpath listener on the session host. You can enable RDP Shortpath on any number of session hosts used in your environment. There's no requirement to enable RDP Shortpath on all hosts in the pool. To enable the Shortpath listener, you need to configure the following registry values:

Warning

Serious problems might occur if you modify the registry incorrectly using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

  1. On the session host, Start Regedit.exe, and then navigate to the following location:

  2. Create a new DWORD value named fUseUdpPortRedirector and set it to 1 (decimal)

  3. Create a new DWORD value named UdpPortNumber and set it to 3390 (decimal)

  4. Quit Registry Editor.

  5. Restart the session host.

You can also run the following cmdlets in an elevated PowerShell window to set these registry values:

You can also use PowerShell to configure Group policy

Configure Windows Defender Firewall with Advanced Security

To allow inbound network traffic for RDP Shortpath, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules.

  1. Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security.
  2. In the navigation pane, select Inbound Rules.
  3. Select Action, and then select New rule.
  4. On the Rule Type page of the New Inbound Rule Wizard, select Custom, and then select Next.
  5. On the Program page, select This program path, type '%SystemRoot%\system32\svchost.exe', and then select Next.
  6. On the Protocol and Ports page, select the UDP protocol type. In the Local port, select 'Specific ports' and type in 3390.
  7. On the Scope page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select Next.
  8. On the Action page, select Allow the connection, and then select Next.
  9. On the Profile page, select the network location types to which this rule applies, and then select Next.
  10. On the Name page, type a name and description for your rule, and then select Finish.

You can verify that the new rule matches the screenshots below:

You can also use PowerShell to configure Windows Firewall:

Using PowerShell to configure Windows Defender Firewall

You can also use PowerShell to configure Group policy
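The registry steps and the firewall wizard steps above combined into one script, as an added example (these are not the docs' own cmdlets). It assumes the registry values live under the RDP-Tcp WinStations key, that it runs elevated on the session host, and uses a rule name of our own choosing.

```powershell
# Added example, not the docs' own cmdlets: perform steps 2 and 3 of the registry
# procedure and add the firewall rule from the wizard steps above in one go.
# Assumptions: the registry key is the RDP-Tcp WinStations key, and the session
# runs elevated on the session host.
$rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'  # assumed
$udpPort   = 3390
$ruleName  = 'Remote Desktop - RDP Shortpath (UDP-In)'   # our own rule name

function Enable-RdpShortpathListener {
    param(
        [string[]]$ClientRanges = @('Any')   # Scope page: restrict to client ranges if desired
    )
    # Steps 2 and 3: the two DWORD values the listener reads at startup.
    New-ItemProperty -Path $rdpTcpKey -Name fUseUdpPortRedirector -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $rdpTcpKey -Name UdpPortNumber -PropertyType DWord -Value $udpPort -Force | Out-Null

    # Firewall rule matching the wizard: custom, svchost.exe, UDP, local port 3390, Allow.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Protocol UDP -LocalPort $udpPort `
            -Program '%SystemRoot%\system32\svchost.exe' `
            -RemoteAddress $ClientRanges -Profile Domain,Private | Out-Null
    }
}

function Get-RdpShortpathConfig {
    # Read back what was set, so the host can be checked before the restart (step 5).
    $props = Get-ItemProperty -Path $rdpTcpKey
    $rule  = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        fUseUdpPortRedirector = $props.fUseUdpPortRedirector
        UdpPortNumber         = $props.UdpPortNumber
        FirewallRuleEnabled   = [bool]($rule -and $rule.Enabled -eq 'True')
    }
}

Enable-RdpShortpathListener
Get-RdpShortpathConfig
# Step 5: the listener only starts after a reboot of the session host.
# Restart-Computer
```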

Configuring Azure Network Security Group

To allow access to the RDP Shortpath listener across network security boundaries, you need to configure the Azure Network Security Group to allow inbound UDP port 3390. Follow the network security group documentation to create an inbound security rule allowing traffic with the following parameters:

  • Source - Any or the IP range where the clients are residing
  • Source port ranges - *
  • Destination - Any
  • Destination port ranges - 3390
  • Protocol - UDP
  • Action - Allow
  • Optionally change the Priority. The priority affects the order in which rules are applied: the lower the numerical value, the earlier the rule is applied.
  • Name - RDP Shortpath

Disabling RDP Shortpath for a specific subnet

If you need to block specific subnets from using the RDP Shortpath transport, you can configure additional network security groups specifying the Source IP ranges.
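The NSG rule listed above, plus the per-subnet Deny rule this section describes, created with Az PowerShell as an added example (not from the docs). Resource group, NSG name and address ranges are assumed placeholders, and the rule names are our own (NSG rule names cannot contain spaces).

```powershell
# Added example, not from the docs: create the inbound UDP/3390 Allow rule listed
# above, plus the optional per-subnet Deny rule for subnets that must keep using
# reverse connect. Names and address ranges are assumed placeholders.
$rg            = 'wvd-rg'          # assumed
$nsgName       = 'hostpool-nsg'    # assumed
$clientRange   = '*'               # assumed: Any, or e.g. '10.0.0.0/8' where the clients reside
$blockedSubnet = '10.50.0.0/24'    # assumed: subnet that must not use RDP Shortpath

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Lower priority number = evaluated earlier, so the subnet Deny must sit above the Allow.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Shortpath-Subnet' `
    -Direction Inbound -Access Deny -Protocol Udp -Priority 1000 `
    -SourceAddressPrefix $blockedSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3390 | Out-Null

$nsg | Add-AzNetworkSecurityRuleConfig -Name 'RDP-Shortpath' `
    -Direction Inbound -Access Allow -Protocol Udp -Priority 1010 `
    -SourceAddressPrefix $clientRange -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3390 | Out-Null

# Nothing is applied until the NSG is written back.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Show the resulting UDP/3390 rules in evaluation order.
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName).SecurityRules |
    Where-Object { $_.Protocol -eq 'Udp' -and $_.DestinationPortRange -contains '3390' } |
    Sort-Object Priority |
    Format-Table Priority, Name, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```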

Verifying the connectivity

Using Connection Information dialog

To verify that connections are using RDP Shortpath, open the “Connection Information” dialog by clicking on the antenna icon in the connection toolbar.

Using event logs

To verify that a session is using the RDP Shortpath transport:

  1. Connect to the desktop of the VM using Windows Virtual Desktop client.
  2. Launch the Event Viewer and navigate to the following node: Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreCDV > Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational
  3. To determine if RDP Shortpath transport is used, look for event ID 131.

Using Log Analytics to verify Shortpath connectivity

If you are using Azure Log Analytics, you can monitor connections by querying the WVDConnections table. A column named UdpUse indicates whether the Windows Virtual Desktop RDP stack uses the UDP protocol on the current user connection. The possible values are:

  • 0 - user connection isn't using RDP Shortpath
  • 1 - user connection is using RDP Shortpath

The following queries let you review connection information. You can run them in the Log Analytics query editor. For each query, replace userupn with the UPN of the user you want to look up.

Troubleshooting

Verify Shortpath listener

To verify that the UDP listener is enabled, use the following PowerShell command on the session host:

If it is enabled, you'll see output like the following:

If there is a conflict, you can identify the process occupying the port using the following command:
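The listener check and conflict lookup from this section, the event ID 131 check from the event log section, and the UdpUse query from the Log Analytics section, as one added script (not the docs' own commands). It assumes the first two functions run on the session host, that Az.OperationalInsights is signed in for the last one, and that the WVDConnections columns other than UdpUse (UserName, State, SessionHostName) exist as named.

```powershell
# Added example, not the docs' own commands: the verification checks from this page
# in one script. Test-ShortpathListener and Get-ShortpathEvents run on the session
# host; Get-ShortpathConnections runs wherever Az.OperationalInsights is signed in.
$udpPort = 3390

function Test-ShortpathListener {
    # A bound UDP endpoint on 3390 means the listener (or something else) owns the port.
    $endpoints = Get-NetUDPEndpoint -LocalPort $udpPort -ErrorAction SilentlyContinue
    foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            ProcessId    = $ep.OwningProcess
            ProcessName  = $proc.ProcessName   # svchost for the real listener; anything else is a conflict
        }
    }
    if (-not $endpoints) {
        Write-Warning "Nothing is listening on UDP $udpPort; check the registry values and reboot the host."
    }
}

function Get-ShortpathEvents {
    param([int]$Count = 10)
    # Event ID 131 in the RdpCoreCDV operational log marks a connection that uses the Shortpath transport.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational'
        Id      = 131
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-ShortpathConnections {
    param([string]$WorkspaceId, [string]$UserUpn)
    # Log Analytics: UdpUse is 1 when the connection used RDP Shortpath, 0 otherwise.
    # Column names other than UdpUse are assumed from the WVDConnections schema.
    $kql = @"
WVDConnections
| where UserName =~ '$UserUpn' and State == 'Connected'
| project TimeGenerated, UserName, SessionHostName, UdpUse
| order by TimeGenerated desc
"@
    (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql).Results
}

Test-ShortpathListener
Get-ShortpathEvents -Count 5
# Get-ShortpathConnections -WorkspaceId '<workspace-id>' -UserUpn 'user@contoso.com'   # assumed values
```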

Disabling RDP Shortpath

In some cases, you may need to disable the RDP Shortpath transport. You can disable RDP Shortpath by using Group Policy.

Disabling RDP Shortpath on the client

To disable RDP Shortpath for a specific client, you can use the following Group Policy to disable the UDP support:

  1. On the client, run gpedit.msc.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client.
  3. Set the “Turn Off UDP On Client” setting to Enabled.

Disabling RDP Shortpath on the session host

To disable RDP Shortpath for a specific session host, you can use the following Group Policy to disable the UDP support:

  1. On the session host, run gpedit.msc.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.
  3. Set the “Select RDP Transport Protocols” setting to TCP Only.


Public preview feedback


We'd like to hear from you about your experiences with this public preview!

  • For questions, requests, comments, and other feedback, use this feedback form.

Next steps


  • To learn about Windows Virtual Desktop network connectivity, see Understanding Windows Virtual Desktop network connectivity.
  • To get started with Quality of Service (QoS) for Windows Virtual Desktop, see Implement Quality of Service (QoS) for Windows Virtual Desktop.