How to improve Remote Desktop performance for remote users through an RDS Gateway Server

Back to Blog

How to improve Remote Desktop performance for remote users through an RDS Gateway Server

Do you have a Remote Desktop Server (properly) configured with the Gateway Role in your environment? In this configuration, all traffic is secured via SSL (port 443), and clients connecting over the internet to your internal RDS host(s) will be encrypted (and not necessarily identifiable as RDS traffic from the outside).  But did you also know that you can improve Remote Desktop performance (especially for streaming video, etc.) through this gateway simply by enabling port 3391 UDP inbound to the RDS Gateway server?  No? I’m not surprised, since most people I’ve talked to just stare at me with a blank face when I mention it to them.

Here’s the quick background for you, then we’ll move in to the setup & configuration steps. In the days of Windows Sever 2008 R2 and Windows 7, RDS supported the Gateway role, which uses RPC over HTTP. But WS 2012/R2 quietly included two new UDP side channels (both reliable & best effort), which also leverage SSL (DTLS), over UDP port 3391. The new protocol is much more efficient than RPC over HTTP, but of course if you don’t enable the new option, you would probably not notice, since RPC over HTTP will continue to work also (it is supported for legacy clients). Turning UDP on, however, should enable a superb connection and video experience for compatible RDP clients, as well as RemoteFX, if your setup supports it.

Step-by-step instructions

First, ensure that you have the rules enabled on the Windows Server(s) that hosts your Gateway role. Probably this will be on by default.

Next, on the perimeter firewall (the setting most people miss) be sure to include port 3391 UDP inbound (as well as leaving port 443 TCP in place), to your Gateway server. Note: All firewalls will look a little different, this screenshot happens to be from a WatchGuard.

Finally, open the RD Gateway Manager and check the Properties of your Gateway Server. On the Transport Settings tab, be sure the UDP Transport Settings are enabled.

Now when a client connects (must be RDP 8.1 or later), you will be able to verify that the connection info has updated. Click on the connection icon at the top of the RDP window to see for yourself.

Windows 10 clients (or even Windows 8.1 if those still exist anywhere) will be able to leverage this by default.  But Windows 7 would require some additional updating to get the latest RDP client, and some GPO configuration (which will require a reboot). Namely:

  • Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment
    • Enable Remote Desktop Protocol 8.0 set to Enabled
  • …Remote Desktop Session Host > Connections
    • Select RDP Transport Protocols set to Use both UDP and TCP

I encourage you to try playing a YouTube video in your session before and after setting this up. The difference should be noticeable.

Comments (9)

  • Kristen Reply

    Hi and thank you for great articles !
    Is there a performance improvement if I only run a remote app on the server instead of connecting to the remote desktop ?

    February 7, 2018 at 9:34 am
    • Alex Reply

      I don’t know the “for certain” answer here but my gut feeling says there probably isn’t any difference between the whole desktop vs. just an app. But I could be wrong? I haven’t experienced major differences when using RemoteApps vs. Desktop anyway.

      February 11, 2018 at 7:20 pm
  • Jesse Reply

    Found something worth noting; I actually did this on a server that wasnt using the RD Gateway role. I installed the role, set up the self signed cert, changed the settings, and it worked. Nothing else special required. I’m going to test this out a bit more for some other clients to see how it goes, so far so good on the first one though. Thanks

    March 14, 2018 at 3:00 pm
  • rdsslave Reply

    When changing port 443 to 8443 for exemple, the connection time take 23 seconds instead of 3 seconds.
    When i change it to 443, it’s faster. Even with 3391 udp or not.
    I tried the port forwarding in the firewall and also changed the 443 port in the gateway properties.

    When I make a packet capture, I see that my computer try to connect on 443 even if I put in my rds link setup (gateway part).

    Any idea?

    August 5, 2018 at 3:16 am
    • Alex Reply

      Why change ports? Just use 443…

      August 5, 2018 at 3:16 pm
      • Rdsslave Reply

        Sûre, but this port is used by another application and i cannot take more ip

        August 5, 2018 at 3:27 pm
    • Marcos Reply

      Maybe the internet provider applying traffic shaping on uncommon ports/protocols.

      March 25, 2020 at 6:00 pm
  • Rob Cunningham Reply

    Hi Alex,

    Consider this scenario; two RDS session hosts in Azure with an RD-Gateway VM in front of them. The client has a IPSEC tunnel between the office and the Azure setup, so they can connect to the RDS environment directly, or go through the RD-Gateway. Which would provider the faster, more reliable connection? RD-Gateway (with UDP Transport), or connecting directly via the private IP of the RD-Gateway across the IPSEC tunnel? I believe RD-Gateway would be better, but was curious what you thought.

    November 13, 2019 at 4:29 pm
    • Alex Reply

      Gateway. But one thing is, WVD is probably a better bet, because they will host the gateway for you, and it is better protected than one that you stand up on your own (unless you have a virtual firewall appliance in Azure that does the IPS, AV, and other “edge” stuff).

      November 13, 2019 at 6:42 pm

Leave a Reply

Back to Blog

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.