I recently wrote about the advantages of using RDP Shortpath over the public internet and how it enhances connectivity to your Cloud PC. Enabling it is highly recommended, as it offers a lot of benefits. However, within this whole flow, there is one aspect that’s not within your control: the STUN server, which is managed by Microsoft. Let me show you how you can prevent your Cloud PC from accepting UDP connections if you have issues with STUN or TURN. This works for AVD as well.
If you’re not familiar with RDP Shortpath, I recommend reading my previous article on that topic first.
Why use UDP?
To facilitate a direct UDP connection between your physical client and the Cloud PC, Microsoft provides different TURN servers globally where client and Cloud PC can exchange information. This information is then used to establish a direct connection OR a relayed UDP connection over that server.

TURN Relay availability
I recently had a customer approach me, telling me that a user was using UDP but the connection was not reliable. This could be because the client was too far away from the TURN server. Currently, these TURN servers are available in the following Azure regions:
- Australia Southeast
- Central India
- East US
- East US 2
- France Central
- Japan West
- North Europe
- South Central US
- Southeast Asia
- UK South
- UK West
- West Europe
- West US
- West US 2
The list is not small and Microsoft is constantly expanding it. But it could be that a TURN server is too far away to work smoothly. The solution here seemed simple: disable UDP.
Unmanaged devices
Another reason could be that your use case specifically involves providing Windows 365 access to external users, where you have no control over the policies applied to their devices. If you want to disable UDP on those devices, you simply can’t.
In my previous post, I showed that you need to disable UDP by using the “Turn Off UDP On Client” setting, which basically sets the “fClientDisableUDP” regkey to value “1”. This is true, but pushing this setting on the Cloud PC won’t work.
It was not as simple as pushing a reg-key “fServerDisableUDP”, which does not exist, to the Cloud PC, but there are options to determine what kind of connections are allowed.
Manage these settings with Intune or GPO
Microsoft Intune offers two settings that allow you to manage UDP flows. Both can be configured through the settings catalog, accessible via Configuration Profiles and should be pushed on device level.

Turn Off UDP On Server
Setting number 1 – Select Transport Type – allows you to tell the Cloud PC to only allow connections over TCP, which will prevent a UDP connection from any client, even if that client tries to establish one.
This is the setting that you’ll need to configure on the Cloud PC or AVD Session host level. Make sure to push this setting on device level and not on user level. This allows you to control the traffic even if you do not control the settings applied to the device trying to connect to your environment.
The configuration options you have here are:
- Use both UDP and TCP: This is the recommended value
- Use only TCP: This is the setting that you need if you want to disable incoming UDP connections.
- Use either UDP or TCP: If the UDP connection is successful, most of the RDP traffic will use UDP.
Turn Off UDP On Client
Setting number 2 – Turn Off UDP On Client – allows you to control the UDP traffic on your physical client. You can also apply this to a Cloud PC, but it will only affect outgoing sessions from that Cloud PC or AVD Session host.
This is the setting that you apply to your managed endpoints. This will prevent them from connecting over UDP to a Cloud PC or AVD Session host, even if the destination supports UDP.
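To confirm which of the two settings actually landed on a machine, the following added example (not code from the original article) reads the policy values and reports the effective inbound and outbound UDP state. The registry path and the `SelectTransport` value name are assumptions based on the standard Remote Desktop Services policy location; the article itself only names `fClientDisableUDP`.

```powershell
# Added example: audit the RDP transport policy on a Cloud PC, AVD session host or client.
# ASSUMPTION: both settings are written under the standard Terminal Services policy key.
$tsPolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$clientPolicy = Join-Path $tsPolicy 'Client'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Host side: "Select Transport Type" decides what incoming sessions may use.
$transportNames = @{
    0 = 'Use both UDP and TCP'
    1 = 'Use only TCP'
    2 = 'Use either UDP or TCP'
}
$selectTransport = Get-PolicyValue -Path $tsPolicy -Name 'SelectTransport'
$inboundSetting = if ($null -eq $selectTransport) {
    'Not configured'
} elseif ($transportNames.ContainsKey([int]$selectTransport)) {
    $transportNames[[int]$selectTransport]
} else {
    "Unexpected value: $selectTransport"
}

# Client side: "Turn Off UDP On Client" only affects sessions started FROM this machine.
$clientDisableUdp = Get-PolicyValue -Path $clientPolicy -Name 'fClientDisableUDP'

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    InboundSetting      = $inboundSetting
    InboundUdpBlocked   = ($selectTransport -eq 1)
    OutboundUdpDisabled = ($clientDisableUdp -eq 1)
}
```

A Cloud PC that shows `OutboundUdpDisabled = True` but `InboundUdpBlocked = False` has received the client setting only, which is the situation described above where incoming sessions can still use UDP.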
Let’s wrap up
If required, although not recommended, you can disable UDP directly on the Cloud PC or AVD session host. This requires a different configuration than simply disabling UDP at the client level. If you have use-cases which require you to disable UDP, feel free to let me know in the comments.



