The Ultimate Hack for RDP Shortpath

00:07:36
https://www.youtube.com/watch?v=k2FdqfIpiWs

Summary

TLDR: The video discusses the complexities of RDP short path, particularly focusing on challenges users face with features and security when implementing it on public networks. A key issue highlighted is the symmetric NAT problem that arises when using the STUN protocol alongside NAT Gateways and firewalls. The detailed explanation covers how the STUN and TURN protocols function: STUN acts as an access manager by identifying valid users, while TURN serves as a communication facilitator, relaying connections. To resolve symmetric NAT issues with RDP, users should enable the validation pool setting in Microsoft's Azure Virtual Desktop (AVD) portal so that the TURN protocol can be used. Additionally, the video discusses practical steps like opening the necessary UDP ports and setting up group policies for managing the port range, thus addressing the security concerns that arise from opening high port ranges. The information is supplemented by recommendations to update AVD clients and to use a new troubleshooting tool for checking the STUN and TURN setup. This aids in maintaining operational stability and compatibility, especially during the ongoing preview transition. Ultimately, the video equips viewers with the knowledge to optimize RDP short path setups through informed configuration choices and highlights the possible paths depending on specific user needs.

Key Takeaways

  • 🔑 Understanding symmetric NAT issues is crucial for using STUN servers effectively.
  • 🛡️ Azure firewall supports RDP short path but requires careful NAT configuration.
  • 🔄 Using TURN protocol can bypass symmetric NAT problems.
  • ⚙️ Enable validation pool settings in AVD to solve connection issues.
  • 🔗 STUN acts as an initial caller identification protocol in network setups.
  • 🌀 TURN serves as a continuous connection relay, similar to a communication proxy.
  • 🆙 Updating AVD clients ensures compatibility with TURN during previews.
  • 🔍 A new troubleshooting tool helps verify TURN and STUN setup efficiency.
  • 🔧 Custom port settings via group policies can manage security and network efficiency.
  • 📘 Further resources available in video for detailed setup and troubleshooting.

Timeline

  • 00:00:00 - 00:07:36

    The video begins with the speaker receiving many questions about RDP Short Path related to its features and security, highlighting difficulties viewers face in implementing it, especially when using it for public networks with STUN. A conversation illustrates a common issue: using Azure Firewall with NAT breaks STUN because of symmetric NAT; STUN only understands IP addresses, while symmetric NAT translates both the IP and the port, so the two are incompatible. The speaker suggests using TURN in conjunction, since TURN can handle the proxying required when NAT is present, allowing better connectivity for users.


Frequently Asked Questions

  • What common issue do people face with RDP short path on public networks?

    The common issue is with symmetric NAT, which causes problems when using STUN protocol with a NAT Gateway or firewall.

  • What is the role of STUN in network connections?

    STUN acts like a bouncer, ensuring the right people can access the network after a security check.

  • How does TURN differ from STUN?

    TURN functions more like a proxy, relaying connections until a session is completed, unlike STUN which only does initial handshakes.

  • How can symmetric NAT issues be resolved?

    By enabling the validation pool setting in the AVD portal, which allows the use of TURN protocol.

  • What happens after the TURN preview phase?

    Once the TURN preview phase is over, the setup will be integrated into the STUN setup and require no additional configuration.

  • What ports need to be opened for STUN and TURN to work?

    STUN requires opening high UDP ports and UDP 3478, while TURN only needs UDP 3478 open.

  • Is Azure firewall supported in this setup?

    Yes, Azure firewall is supported, but care must be taken with symmetric NAT.

  • How can group policies help manage port configurations?

    Group policies can set specific port ranges for short path or unmanaged networks to manage security concerns.

  • What is required for using TURN during its preview phase?

    During the preview, only Windows clients are supported, and they must be updated to version 1.2.3488 or newer.

  • What tool can aid in troubleshooting TURN and STUN setups?

    A new troubleshooting tool is available for ensuring TURN and STUN setups are working as expected.
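A small checker for the two configuration points these answers raise, the outbound firewall rules that STUN and TURN each need and the port range that the group policy consumes; this is an added example, not code from the video or from Microsoft. It assumes a constructed rule format (outbound UDP allow rules as dicts with a CIDR destination and an inclusive port span) and uses the 20.202.0.0/16 prefix, UDP 3478 and the 38300 + 1000 port-range example stated in the video.

```python
import ipaddress

# Values stated in the video: the AVD STUN/TURN prefix and port.
STUN_TURN_NET = ipaddress.ip_network("20.202.0.0/16")
STUN_TURN_PORT = 3478


def shortpath_port_range(base_port, pool_size):
    """Inclusive UDP port range consumed by the 'use port range for short path
    or unmanaged networks' policy: base port plus pool size."""
    if pool_size < 1 or base_port < 1024 or base_port + pool_size - 1 > 65535:
        raise ValueError("range must lie within 1024-65535")
    return base_port, base_port + pool_size - 1


def _covered(rules, dst_net, port_lo, port_hi):
    """True if a single outbound UDP rule allows all of dst_net and the port span."""
    for r in rules:
        if r["proto"] != "udp":
            continue
        if not dst_net.subnet_of(ipaddress.ip_network(r["dst"])):
            continue
        if r["ports"][0] <= port_lo and port_hi <= r["ports"][1]:
            return True
    return False


def missing_rules(rules, mode, port_range):
    """Return the outbound allow rules still missing for mode 'stun' or 'turn'.
    rules: constructed dicts {"proto": "udp", "dst": CIDR, "ports": (lo, hi)}."""
    missing = []
    # Both modes need UDP 3478 to the STUN/TURN prefix.
    if not _covered(rules, STUN_TURN_NET, STUN_TURN_PORT, STUN_TURN_PORT):
        missing.append(f"udp/{STUN_TURN_PORT} -> {STUN_TURN_NET}")
    if mode == "stun":
        # STUN additionally needs the (policy-narrowed) high ports to any destination.
        lo, hi = port_range
        if not _covered(rules, ipaddress.ip_network("0.0.0.0/0"), lo, hi):
            missing.append(f"udp/{lo}-{hi} -> any")
    elif mode != "turn":
        raise ValueError("mode must be 'stun' or 'turn'")
    return missing


if __name__ == "__main__":
    rng = shortpath_port_range(38300, 1000)  # (38300, 39299), as in the video
    rules = [{"proto": "udp", "dst": "20.202.0.0/16", "ports": (3478, 3478)}]
    print("turn missing:", missing_rules(rules, "turn", rng))  # nothing
    print("stun missing:", missing_rules(rules, "stun", rng))  # the high ports
```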

Transcript (en)
  • 00:00:00
    ever since my first video on RDP short
  • 00:00:02
    path I have gotten a ton of questions on
  • 00:00:05
    features and security and many of you
  • 00:00:08
    are looking for help because it wasn't
  • 00:00:10
    always working out for you as easily as
  • 00:00:12
    I showed in the video and short path is
  • 00:00:14
    even more complicated now because you
  • 00:00:17
    can set it for private or public
  • 00:00:19
    networks or use it with or without stun
  • 00:00:22
    not to mention questions on short path
  • 00:00:24
    or private link in fact I've had a lot
  • 00:00:27
    of conversations that go something like
  • 00:00:29
    this hey what's going on IT guy hey
  • 00:00:31
    Microsoft guy I'm trying to use RDP
  • 00:00:34
    short path for public networks with that
  • 00:00:36
    new stun server but I can't get it to
  • 00:00:38
    work can you help me out really did you
  • 00:00:41
    watch the Azure Academy video on short
  • 00:00:43
    path of course doesn't everybody yeah I
  • 00:00:46
    wish but did the stun server setup ever
  • 00:00:48
    work for you no but if I remove all of
  • 00:00:52
    the stun and short path settings the
  • 00:00:54
    users can connect
  • 00:00:56
    okay well do you have a firewall or some
  • 00:00:59
    kind of nat device in your environment
  • 00:01:00
    yeah I'm using the Azure firewall why is
  • 00:01:04
    it not supported for some reason yeah
  • 00:01:05
    Azure firewall is totally supported
  • 00:01:07
    however with short path for public
  • 00:01:10
    networks that's using the stun protocol
  • 00:01:12
    and stun combined with the NAT Gateway
  • 00:01:15
    or a firewall can cause symmetric Nat
  • 00:01:18
    and that's probably why it's not working
  • 00:01:20
    okay hold on stop the video for a second
  • 00:01:22
    let me explain why this is happening Nat
  • 00:01:25
    as you probably know stands for Network
  • 00:01:27
    address translation it's a feature in
  • 00:01:30
    your routers that translates your
  • 00:01:32
    private IP addresses into public ones
  • 00:01:34
    and that has really helped as the number
  • 00:01:37
    of devices in the world has just
  • 00:01:39
    exploded but it's not without its issues
  • 00:01:41
    like Microsoft guy said the problem here
  • 00:01:44
    is symmetric Nat and symmetric Nat
  • 00:01:46
    translates both the IP and the port
  • 00:01:49
    between your endpoints and the stun
  • 00:01:52
    server but stun only understands IPS so
  • 00:01:55
    it can't work with symmetric Nat but
  • 00:01:58
    that's okay because there are other
  • 00:01:59
    tools that we can pull off the
  • 00:02:01
    shelf and make this work I mean you
  • 00:02:03
    could just get rid of your firewall or
  • 00:02:05
    your NAT Gateway right and wrong instead
  • 00:02:08
    let's use stun with turn now stun is
  • 00:02:12
    like a bouncer at the club he stands at
  • 00:02:14
    the door checks the names and makes sure
  • 00:02:16
    just the right people can get in and
  • 00:02:18
    once stun does its whole handshake
  • 00:02:20
    process it's really out of the picture
  • 00:02:22
    turn is much more like the wait staff
  • 00:02:25
    they're helping the orders get from the
  • 00:02:27
    kitchen out to the guests so it
  • 00:02:29
    functions a lot more like a proxy
  • 00:02:31
    relaying everything until your session
  • 00:02:33
    is done now that you know what's going
  • 00:02:35
    on let's get back to the video
  • 00:02:37
    now fixing the symmetric Nat issue is
  • 00:02:39
    actually really easy
  • 00:02:41
    in the avd portal go to your host pool
  • 00:02:44
    properties then just make sure that the
  • 00:02:46
    validation pool setting is enabled and
  • 00:02:49
    this will let you use the turn protocol
  • 00:02:51
    which should resolve the symmetric Nat
  • 00:02:53
    issue and the coolest part is once the
  • 00:02:55
    preview for turn is over you won't even
  • 00:02:57
    need to do this it'll all just be baked
  • 00:03:00
    right into your stun setup wow that's
  • 00:03:02
    super easy anything else yeah now you've
  • 00:03:05
    probably already done this but I'll just
  • 00:03:07
    put this doc here in the video
  • 00:03:08
    description anyway now for stun you're
  • 00:03:11
    going to need to open these UDP High
  • 00:03:13
    ports to the destination of any and
  • 00:03:16
    you'll also need to open
  • 00:03:18
    UDP 3478 over to
  • 00:03:22
    20.202.0.0/16 and that's required for
  • 00:03:26
    stun to work on the other hand things
  • 00:03:29
    are simpler with turn you only need UDP
  • 00:03:33
    3478 open to that same address and your
  • 00:03:36
    client may need those ports open on
  • 00:03:38
    their side as well especially if you use
  • 00:03:40
    some kind of client VPN or a client
  • 00:03:42
    proxy just add those rules and you
  • 00:03:44
    should be good yeah it sounds good but
  • 00:03:48
    um but what is it tell me Well my
  • 00:03:50
    security team doesn't like it that you
  • 00:03:52
    guys want all these high ports open is
  • 00:03:54
    there any way you can change that yeah
  • 00:03:56
    actually there is do you have the avd
  • 00:03:59
    group policies installed I didn't even
  • 00:04:01
    know that there were an official avd GPO
  • 00:04:04
    so this doc is also linked in the video
  • 00:04:07
    description just click right over here
  • 00:04:09
    and download the policies now the way
  • 00:04:11
    that you get these imported is going to
  • 00:04:13
    depend on how you're managing your
  • 00:04:14
    environment whether it's traditional AD
  • 00:04:17
    hybrid or Azure AD join now the last
  • 00:04:20
    video that I had on importing admx files
  • 00:04:22
    into Intune at the time of recording
  • 00:04:25
    these policies aren't supported in there
  • 00:04:28
    yet but the product team is working on
  • 00:04:30
    it so if you're doing Azure AD join full
  • 00:04:32
    Cloud management you can still do this
  • 00:04:35
    but you've got to treat them like local
  • 00:04:37
    policies and if that's you just extract
  • 00:04:39
    all the files then open your Windows
  • 00:04:42
    File Explorer and type percent win dir
  • 00:04:45
    percent slash policy definitions paste
  • 00:04:49
    in your terminal server admx file right
  • 00:04:51
    here and then go back to your extracted
  • 00:04:53
    folder and go to your particular
  • 00:04:55
    language file grab the adml go back here
  • 00:04:59
    to policy definitions scroll up to the
  • 00:05:01
    top find your language folder and drop
  • 00:05:03
    it in there then click Start and type
  • 00:05:06
    gpedit.msc go to the computer
  • 00:05:08
    configuration admin templates Windows
  • 00:05:11
    components remote desktop Services
  • 00:05:13
    remote desktop session host and Azure
  • 00:05:16
    virtual desktop now if you're doing
  • 00:05:18
    hybrid or traditional management once
  • 00:05:20
    you've extracted the files you'll need
  • 00:05:22
    to copy them over to your domain
  • 00:05:24
    controllers C: Windows policy
  • 00:05:26
    definitions folder or if you're using
  • 00:05:28
    the central store that'll be located at
  • 00:05:31
    domain name slash sysvol domain name
  • 00:05:34
    slash policy slash policy definitions
  • 00:05:37
    just paste the admx file go back and
  • 00:05:39
    grab the adml from your particular
  • 00:05:41
    language and put it in the right folder
  • 00:05:43
    then open the group policy Management
  • 00:05:45
    console either add a new policy or edit
  • 00:05:48
    an existing one then just go to the same
  • 00:05:50
    location now there's a bunch of goodies
  • 00:05:52
    in here like screen capture protection
  • 00:05:55
    watermarking and then open the use port
  • 00:05:58
    range for short path or unmanaged
  • 00:06:01
    networks enable that and then the base
  • 00:06:03
    Port range is the first High Port that
  • 00:06:06
    you want to use like 38300 and the pool
  • 00:06:10
    size is the number of ports that you
  • 00:06:12
    want to use so you just say a thousand
  • 00:06:14
    so now the highest port that this will
  • 00:06:16
    consume is
  • 00:06:18
    39299 okay now there's two more things
  • 00:06:21
    that you need to know about using turn
  • 00:06:23
    during the preview Windows clients only
  • 00:06:27
    are supported and you need to be at
  • 00:06:29
    version
  • 00:06:31
    1.2.3488 or newer so make sure that
  • 00:06:34
    you're updating your avd clients and
  • 00:06:36
    there's also a new troubleshooting tool
  • 00:06:38
    for turn and stun just to make sure
  • 00:06:41
    everything's working as expected and
  • 00:06:43
    this doc here is also linked in the
  • 00:06:45
    video description and you click right
  • 00:06:47
    over there to download it double click
  • 00:06:49
    on it or open it from a command prompt
  • 00:06:51
    and if it looks like this you're good to
  • 00:06:53
    go also when your users are in their
  • 00:06:55
    sessions they can open the connection
  • 00:06:57
    dialog box and if you're using just stun
  • 00:07:00
    the transport protocol will show as UDP
  • 00:07:03
    but if turn is working then you'll see
  • 00:07:05
    it says UDP relay and there's also
  • 00:07:08
    references in the doc here for log
  • 00:07:10
    analytics so that you can go through
  • 00:07:11
    there and see how everyone's connecting
  • 00:07:13
    and that means that you can keep your
  • 00:07:14
    firewall and your NAT Gateway and have
  • 00:07:17
    more control over short path's port
  • 00:07:19
    ranges all at the same time which does
  • 00:07:21
    make me wonder there are like seven
  • 00:07:23
    different ways that you could set up RDP
  • 00:07:26
    short path for your public networks so
  • 00:07:28
    you should probably watch this video
  • 00:07:30
    next to see which one's right for you
  • 00:07:32
    happy learning
タグ
  • RDP short path
  • Azure
  • STUN server
  • NAT Gateway
  • AVD
  • TURN protocol
  • symmetric NAT
  • firewall
  • network security
  • group policy