How to improve Remote Desktop performance for remote users through an RDS Gateway Server

22 November 2017 | Technical

Do you have a Remote Desktop Server properly configured with the Gateway role in your environment? In this configuration, all traffic is tunnelled inside SSL (port 443), so clients connecting over the internet to your internal RDS host(s) are encrypted end to end (and not necessarily identifiable as RDS traffic from the outside). But did you also know that you can improve Remote Desktop performance (especially for streaming video and the like) through this gateway simply by allowing port 3391 UDP inbound to the RDS Gateway server? No? I'm not surprised, since most people I've talked to just stare at me with a blank face when I mention it to them.

Here's the quick background for you, then we'll move on to the setup and configuration steps. In the days of Windows Server 2008 R2 and Windows 7, RDS supported the Gateway role, which uses RPC over HTTP. But WS 2012/R2 quietly added two new UDP side channels (one reliable, one best-effort), which are also secured with SSL (in this case DTLS) over UDP port 3391. The new protocol is much more efficient than RPC over HTTP, but of course if you don't enable the new option you would probably not notice, since RPC over HTTP continues to work as well (it is kept for legacy clients). Turning UDP on, however, should give compatible RDP clients a far better connection and video experience, as well as RemoteFX if your setup supports it.

Step-by-step instructions

First, ensure that the Windows Firewall inbound rules for the Gateway role (including the UDP 3391 rule) are enabled on the Windows Server(s) hosting it. These will probably be on by default.

Next, on the perimeter firewall (the setting most people miss), be sure to allow port 3391 UDP inbound to your Gateway server, in addition to the existing port 443 TCP rule. Note: all firewalls look a little different; the screenshot referenced here happens to be from a WatchGuard.

Finally, open the RD Gateway Manager and check the Properties of your Gateway Server. On the Transport Settings tab, be sure the UDP Transport Settings are enabled.

Now when a client connects (it must be RDP 8.1 or later), you can verify that the connection info has updated to show the UDP transport. Click the connection icon at the top of the RDP window to see for yourself.

Windows 10 clients (or even Windows 8.1, if those still exist anywhere) will use this by default. Windows 7, however, requires some additional updating to get the latest RDP client, plus some GPO configuration (which will require a reboot). Namely:

  • Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment
    • Enable Remote Desktop Protocol 8.0 set to Enabled
  • …Remote Desktop Session Host > Connections
    • Select RDP Transport Protocols set to Use both UDP and TCP

I encourage you to try playing a YouTube video in your session before and after setting this up. The difference should be noticeable.
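Here is an added PowerShell audit (not from the original post) that checks the server-side pieces above in one go: the TSGateway service, a bound UDP 3391 listener (which only appears once UDP transport is enabled in RD Gateway Manager), the Windows Firewall rules for UDP 3391 and TCP 443, and the two GPO settings. The registry value names fServerEnableRDP8 and SelectTransport under the Terminal Services policy key are my assumption for what those GPO settings write; run it as an administrator on the gateway host.

```powershell
# Added example: audit an RD Gateway host for the UDP 3391 transport.
# The policy registry value names are assumptions, not taken from the post.
function Test-RdGatewayUdpTransport {
    [CmdletBinding()]
    param([int]$UdpPort = 3391, [int]$TcpPort = 443)

    # Enabled inbound Allow rules that open the given port/protocol in Windows Firewall.
    function Get-OpenInboundRule([string]$Protocol, [int]$Port) {
        Get-NetFirewallPortFilter -Protocol $Protocol |
            Where-Object { @($_.LocalPort) -contains "$Port" -or @($_.LocalPort) -contains 'Any' } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    }

    # The RD Gateway service must be running for either transport to work.
    $svc = Get-Service -Name TSGateway -ErrorAction SilentlyContinue

    # A UDP socket bound to 3391 exists only when UDP transport is enabled in
    # RD Gateway Manager; open firewall rules alone are not enough.
    $udpListener = Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue
    $tcpListener = Get-NetTCPConnection -LocalPort $TcpPort -State Listen -ErrorAction SilentlyContinue

    $udpRules = Get-OpenInboundRule -Protocol UDP -Port $UdpPort
    $tcpRules = Get-OpenInboundRule -Protocol TCP -Port $TcpPort

    # Values written by the two GPO settings named in the post (assumed value names).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        GatewayServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
        UdpListener           = [bool]$udpListener
        TcpListener           = [bool]$tcpListener
        UdpFirewallRuleOpen   = [bool]$udpRules
        UdpFirewallRuleNames  = ($udpRules.DisplayName -join '; ')
        TcpFirewallRuleOpen   = [bool]$tcpRules
        Rdp8PolicyEnabled     = ($policy.fServerEnableRDP8 -eq 1)
        TransportPolicy       = $(switch ($policy.SelectTransport) {
                                    0 { 'Use both UDP and TCP' }
                                    1 { 'Use only TCP' }
                                    2 { 'Use either UDP or TCP' }
                                    default { 'Not configured' } })
        # Everything the host itself can confirm; the perimeter firewall is checked from outside.
        ReadyForUdp           = [bool]($svc -and $svc.Status -eq 'Running' -and $udpListener -and $udpRules)
    }
}

Test-RdGatewayUdpTransport | Format-List
```

The perimeter firewall rule cannot be seen from the host, so confirm that part from a client using the connection icon described above.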
