Network Address Translation (NAT) is a staple of network communication: it has kept IPv4 networks usable far longer than address exhaustion would otherwise have allowed, and it has improved the security posture of modern IP networks. However, NATed networks and firewall devices present challenges when data must be relayed through intermediary devices such as firewalls or proxy servers. A protocol called Traversal Using Relays around NAT (TURN) is designed to ease those challenges. Microsoft has recently announced enhanced RDP communications using TURN. Let’s look at this protocol and how it is being used to enhance RDP.
What is TURN?
First of all, let’s talk about what Traversal Using Relays around NAT (TURN) protocol is. It is a protocol that is designed to help with communication between devices in complicated networks with NATs in between and traffic filtered by firewalls.
The TURN protocol is closely related to the STUN protocol (Simple Traversal of UDP through NAT) that many are familiar with if they have administered Voice over IP (VOIP) systems. Also, applications like Skype, Zoom, and Microsoft Teams use STUN to help with communicating between users for voice and video calls.
TURN though helps in cases where STUN cannot. STUN helps devices discover the public IP addresses they are communicating with but doesn’t help with communication of devices behind very restrictive NATs or firewalls. The TURN protocol is important when other types of communication are not possible and often acts as a fallback for other protocols like STUN.
It does this by relaying communications through an intermediate server. The relay allows TURN to carry traffic even when direct communication between the two nodes is not possible.
Why TURN is important
TURN is an important network communication protocol in today’s world of hybrid networks and modern communication apps. Note the following reasons why it is essential:
- VoIP and Video Conferencing: As mentioned, TURN is important for voice and video-centric apps like Zoom, Skype, and Microsoft Teams. These have to have a stable, low-latency connection.
- Online Gaming: Multiplayer games connect players from different network environments. TURN can help in this realm to allow smooth gameplay and make sure all players stay connected.
- Remote Desktop Access: For remote desktops, a stable connection is the key to performance. TURN provides admins with a fallback protocol in networks where direct connections are not possible.
Overview of how TURN works
As we have alluded to earlier, TURN allows devices to communicate by relaying traffic between the devices that can’t directly send data. Clients that attempt to connect and then realize that direct communication is blocked will fall back to using a TURN server. The TURN server proxies the connection, relaying packets between the two devices.
In the example of a video call, a client would first try to connect directly. If the connection fails due to NAT restrictions, the client will send packets to a TURN server. The TURN server then forwards them to the other client. This relayed connection makes sure that the call can continue even without direct communication.
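To make the relay exchange concrete, here is an added Python example (not code from this article or from Microsoft) that builds the TURN Allocate request a client sends to the relay and parses the Allocate success response the relay answers with, following the STUN/TURN wire format (RFC 5389 and RFC 5766: 20-byte header, magic cookie, XOR-encoded addresses). The sample response is constructed locally, and the addresses in it are documentation-range placeholders rather than real relay addresses; `looks_like_stun` is a small triage helper for classifying UDP/3478 traffic in captures.

```python
import os
import struct
import ipaddress

# STUN/TURN wire constants (RFC 5389, RFC 5766)
MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003          # TURN Allocate request
ALLOCATE_SUCCESS = 0x0103          # TURN Allocate success response
ATTR_LIFETIME = 0x000D
ATTR_XOR_RELAYED_ADDRESS = 0x0016
ATTR_REQUESTED_TRANSPORT = 0x0019
ATTR_XOR_MAPPED_ADDRESS = 0x0020
PROTO_UDP = 17


def _pad(length):
    # Attribute values are padded to a 4-byte boundary; padding is not counted in the length field.
    return (4 - length % 4) % 4


def encode_attribute(attr_type, value):
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * _pad(len(value))


def encode_xor_address(ip, port):
    # XOR-*-ADDRESS (IPv4): family 0x01, port XOR top 16 bits of the cookie, address XOR cookie.
    addr = int(ipaddress.IPv4Address(ip))
    return struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)


def decode_xor_address(value):
    _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
    if family != 0x01:
        raise ValueError("only IPv4 addresses are handled in this example")
    return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)


def build_message(msg_type, attributes, txid=None):
    # Header: type, body length, cookie, 96-bit transaction id; then TLV attributes.
    txid = txid or os.urandom(12)
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def build_allocate_request(txid=None):
    # What a client sends to UDP/3478 to ask the relay for a UDP relay address.
    return build_message(ALLOCATE_REQUEST, [(ATTR_REQUESTED_TRANSPORT, bytes([PROTO_UDP, 0, 0, 0]))], txid)


def parse_message(data):
    # Strict parser: rejects a wrong cookie, bad top bits, length mismatches and truncated attributes.
    if len(data) < 20:
        raise ValueError("shorter than a STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: not a STUN/TURN message")
    if msg_type & 0xC000:
        raise ValueError("top two bits of the message type must be zero")
    if len(data) != 20 + length:
        raise ValueError("declared length does not match datagram size")
    txid = data[8:20]
    attrs, pos = [], 20
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute value")
        attrs.append((attr_type, value))
        pos += 4 + attr_len + _pad(attr_len)
    return msg_type, txid, attrs


def looks_like_stun(data):
    # Cheap triage test for datagrams seen on UDP/3478.
    try:
        parse_message(data)
        return True
    except ValueError:
        return False


def summarize_allocate_response(data):
    # Pull the relayed address, reflexive (mapped) address and lifetime out of an Allocate success.
    msg_type, txid, attrs = parse_message(data)
    if msg_type != ALLOCATE_SUCCESS:
        raise ValueError("not an Allocate success response")
    info = {"txid": txid}
    for attr_type, value in attrs:
        if attr_type == ATTR_XOR_RELAYED_ADDRESS:
            info["relayed"] = decode_xor_address(value)
        elif attr_type == ATTR_XOR_MAPPED_ADDRESS:
            info["mapped"] = decode_xor_address(value)
        elif attr_type == ATTR_LIFETIME:
            info["lifetime"] = struct.unpack("!I", value)[0]
    return info


def build_sample_allocate_response(txid):
    # Constructed sample of a relay's answer; documentation-range addresses, not real relays.
    return build_message(ALLOCATE_SUCCESS, [
        (ATTR_XOR_RELAYED_ADDRESS, encode_xor_address("203.0.113.10", 49160)),
        (ATTR_XOR_MAPPED_ADDRESS, encode_xor_address("198.51.100.7", 51001)),
        (ATTR_LIFETIME, struct.pack("!I", 600)),
    ], txid)


if __name__ == "__main__":
    txid = os.urandom(12)
    print("Allocate request:", build_allocate_request(txid).hex())
    print(summarize_allocate_response(build_sample_allocate_response(txid)))
```

The relayed address in the response is the public endpoint the peer will send to; the mapped address is the client's own NAT binding as the relay saw it, which is the same reflexive information a plain STUN Binding response provides. A real allocation is also authenticated (USERNAME, REALM, NONCE and MESSAGE-INTEGRITY attributes), which this example omits to keep the framing visible.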
Downsides to using TURN
Even though TURN has many great benefits for organizations to use today, we need to mention the downsides. The process of relaying data through a TURN server will introduce a bit of latency to the connection. Performance will depend on the server’s location in context to the communication as well as its load.
However, the benefits will still outweigh this performance hit if direct connections are not possible. Having a stable and relatively performant connection is desirable compared to connectivity not being possible.
Microsoft’s Relayed RDP Shortpath for Public Networks
Microsoft has announced that RDP Shortpath with TURN has reached general availability (GA) and is fully functional for public networks. You can read the recent blog post here: Relayed RDP Shortpath. This release enhances the Remote Desktop Protocol (RDP) by using the TURN protocol.
This implementation improves the performance and reliability of RDP sessions that take place over the public Internet. Even when direct connections are blocked, which is likely the case for most users, or the direct path is not optimal, TURN allows the RDP communication to succeed.
RDP Shortpath Features
- Better performance: In the traditional sense, RDP has relied on TCP, which doesn’t do well in high latency environments and when it experiences packet loss. With the new Shortpath feature, RDP can establish a UDP connection using TURN. This will help to reduce latency and provide a better experience.
- Better reliability: When direct UDP communication is blocked or when the path is not good for communication, the TURN server will act as a reliable fallback. This will make sure that the RDP session is active and stable.
- Improved security: With RDP Shortpath the connection is made more secure by using Microsoft’s Azure infrastructure. This will give businesses an additional layer of security and compliance if they are relying on RDP for remote work.
How do you “turn” this on?
The configuration requirements for using the RDP Shortpath functionality are pretty simple. You need to allow outbound UDP port 3478 to the subnets Microsoft has earmarked for Azure Virtual Desktop. The subnets used for this functionality are as follows:
IP Subnet | Ports | Use State | Subnet Exclusive to Windows 365 and Azure Virtual Desktop? | Subnet Use
---|---|---|---|---
20.202.0.0/16 | UDP: 3478 | Current (as of September 2024) | No | Windows 365, Azure Virtual Desktop, Azure Communication Services
51.5.0.0/16 | UDP: 3478 | Planned | Yes | Windows 365, Azure Virtual Desktop
The first subnet listed is the current one, which is shared with other Azure services. In the very near future, however, Microsoft is moving to the dedicated subnet 51.5.0.0/16.
Organizations will want to allow both subnets for now to enable a seamless transition between the two.
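As an added example (not from the article or from Microsoft), the following Python checks a constructed egress policy against the two flows the table lists, UDP/3478 to 20.202.0.0/16 and 51.5.0.0/16, so an admin can see before the subnet transition whether only the current prefix is allowed, or whether a broad deny placed earlier in the rule order shadows the allows. The rule model and its first-match semantics are assumptions of the example, not any vendor's syntax; the three policies at the bottom are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Flows the article says Relayed RDP Shortpath needs: outbound UDP/3478 to both Microsoft subnets.
REQUIRED_FLOWS = [
    ("udp", 3478, ipaddress.ip_network("20.202.0.0/16")),
    ("udp", 3478, ipaddress.ip_network("51.5.0.0/16")),
]


@dataclass
class EgressRule:
    action: str                                 # "allow" or "deny"
    protocol: str                               # "udp", "tcp" or "any"
    dest: ipaddress.IPv4Network                 # destination prefix
    ports: Optional[Tuple[int, int]] = None     # inclusive (low, high); None means any port


def rule_applies(rule, proto, port, net):
    # A rule is relevant if protocol and port match and its prefix overlaps the required network.
    if rule.protocol not in (proto, "any"):
        return False
    if rule.ports is not None and not (rule.ports[0] <= port <= rule.ports[1]):
        return False
    return rule.dest.overlaps(net)


def flow_allowed(rules, proto, port, net):
    # First-match-wins evaluation (assumed semantics): the flow counts as allowed only if the
    # first relevant rule is an allow whose prefix covers the whole required network.
    for rule in rules:
        if rule_applies(rule, proto, port, net):
            return rule.action == "allow" and net.subnet_of(rule.dest)
    return False  # implicit deny when nothing matches


def missing_flows(rules):
    # Required Shortpath flows that the rule set does not allow in full.
    return [(proto, port, str(net)) for proto, port, net in REQUIRED_FLOWS
            if not flow_allowed(rules, proto, port, net)]


# Constructed policies for illustration.
# Weak: only the current shared subnet is allowed, so the move to 51.5.0.0/16 would break Shortpath.
WEAK_POLICY = [
    EgressRule("allow", "udp", ipaddress.ip_network("20.202.0.0/16"), (3478, 3478)),
    EgressRule("deny", "any", ipaddress.ip_network("0.0.0.0/0")),
]

# Corrected: both subnets allowed for UDP/3478 ahead of the catch-all deny.
CORRECTED_POLICY = [
    EgressRule("allow", "udp", ipaddress.ip_network("20.202.0.0/16"), (3478, 3478)),
    EgressRule("allow", "udp", ipaddress.ip_network("51.5.0.0/16"), (3478, 3478)),
    EgressRule("deny", "any", ipaddress.ip_network("0.0.0.0/0")),
]

# Ordering mistake: a blanket UDP deny placed before the allows shadows them.
SHADOWED_POLICY = [EgressRule("deny", "udp", ipaddress.ip_network("0.0.0.0/0"))] + CORRECTED_POLICY[:2]

# Too narrow: an allow that covers only half of the current /16.
NARROW_POLICY = [EgressRule("allow", "udp", ipaddress.ip_network("20.202.0.0/17"), (3478, 3478))]

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY),
                         ("shadowed", SHADOWED_POLICY), ("narrow", NARROW_POLICY)]:
        print(f"{name}: missing {missing_flows(policy)}")
```

Running the block prints which required flows each policy fails to allow; only the corrected policy reports none. The same check can be pointed at an export of a real rule base once the rules are mapped into `EgressRule` objects.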
Real-World Impact and Use Cases
Let’s look at a scenario where a user working from a hotel room tries to connect to their work desktop using RDP. We have probably all been in a situation where the hotel has implemented very stringent network firewall rules that block direct UDP connections. The session may have high latency or even disconnect, making it basically unusable. Now, with Relayed RDP Shortpath, the RDP client can fall back to a TURN server that relays the connection over UDP, which gets around those restrictions and allows a smooth working connection.
Requirements
- Network Configuration: To use the Relayed RDP Shortpath, the client’s network must allow outbound UDP traffic. Admins may need to configure their firewalls to permit this traffic.
- Client and Server Compatibility: This feature is available on Windows 11 and Windows Server 2022. IT admins will need to make sure their environments are updated to these versions of Windows to take advantage of the new capabilities.
- TURN Servers: Microsoft’s TURN servers are part of the Azure infrastructure. These servers are placed around the globe to be geo-efficient and help to minimize latency. Organizations using this feature will automatically connect to the nearest TURN server for the best performance.
Hybrid and remote work here to stay
Microsoft’s continued bolstering of remote protocols and technologies, in this case the recent addition of RDP Shortpath, signals that hybrid and remote work environments are here to stay. Security has been front and center in remote work discussions, and RDP Shortpath helps make it much less of an issue.
Introducing TURN into RDP sessions underlines how important it is, from Microsoft’s perspective, to have resilient network protocols underpinning technologies like Azure Virtual Desktop (AVD).
Wrapping up
Microsoft’s introduction of the RDP Shortpath connectivity option is a great enhancement to the remote desktop technologies that Azure Virtual Desktop is built around. With TURN integrated into RDP to AVD, Microsoft is easing the connectivity challenges that admins may have struggled with in complex network topologies and bolstering remote and hybrid worker connectivity. Overall, it will lead to fewer issues for the IT helpdesk and a smoother experience for end users.