Windows Server 2012 Remote Desktop firewall rules when alternate port is used

Tags: amazon-ec2, remote-desktop, windows-firewall, windows-server-2012

Out of the box, Windows Server 2012 has 2 firewall rules related to Remote Desktop – 1 for TCP, another for UDP. Both rules specify %SystemRoot%\system32\svchost.exe on the "Programs and Services" tab. Both rules are enabled.

This server is on Amazon EC2, and the default security group that Amazon creates only contains 1 rule for Remote Desktop – TCP on port 3389. There is no rule for UDP – how come?

I want to switch to an alternative RD port (say, 4389).

I tried creating a new Windows firewall rule for port 4389, but when I specified %SystemRoot%\system32\svchost.exe under "Programs and Services/This program:" I received this warning:

[screenshot of the warning dialog]

So I picked "All programs that meet the specified conditions" instead, which by default means "All programs and services".

Was that the correct selection? (To skip ahead – it works for what I want, but I am still not sure if it was what I should have picked.) The other options are (I haven't tried them for fear of being locked out):

1) Ignore the warning and leave %SystemRoot%\system32\svchost.exe under "Programs and Services/This program:"

2) Press "Settings" next to "Specify the services..", pick "Apply to this service", then pick "Remote Desktop Services" from the list:

[screenshot of the "Apply to this service" list]

I then changed the RD port number in the registry to 4389, created an additional TCP rule for port 4389 in the Amazon EC2 security group, rebooted the Windows instance, and everything seems to be working.

But do I also need to create Windows Firewall and Amazon EC2 rules for UDP on 4389?

Best Answer

Normally, RDP uses the TCP protocol only, so you don't need to create a rule for UDP.

However, the latest RDP version (8.0/8.1) can use TCP only, or TCP and UDP.

It seems that Microsoft has added UDP to improve the user experience, by supporting real-time traffic over high-latency networks, or, as they say:

"to increase responsivity and screen rebuild time when accessing the server over the internet"

Reading: http://glennmatthys.wordpress.com/2013/12/27/improve-the-windows-server-2012-remote-desktop-experience-by-using-udp/

In an RDS deployment, the UDP protocol for RDP is also used by the RD Gateway server for internal traffic.

Further reading:

Cheers
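The same change done from an elevated PowerShell session instead of the GUI, as an added example that is not part of the question or the answer. It follows option 2 from the question (scope the rule to svchost.exe and the Remote Desktop Services service, whose service name TermService is an assumption not quoted on the page), opens the new port before moving the listener so you are not locked out, adds the optional UDP rule, and then verifies what was actually created. The registry path is the standard RDP listener key, not one quoted on the page, and the AWS CLI step uses placeholder values.

```powershell
# Added example; assumes an elevated session on Windows Server 2012 and the
# alternate port 4389 from the question. Not code from the original post.
$NewPort = 4389
$Svchost = "$env:SystemRoot\System32\svchost.exe"

# 1) Open the new port FIRST, scoped to the Remote Desktop service (TermService)
#    inside svchost.exe, i.e. option 2 from the question rather than
#    "All programs and services". Doing this before changing the port means
#    the existing 3389 rule still works if anything goes wrong.
New-NetFirewallRule -DisplayName "Remote Desktop - Alt Port (TCP-In)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -Program $Svchost -Service TermService -Action Allow -Profile Any

# Optional: UDP transport used by RDP 8.0+. Without it RDP simply stays on TCP.
New-NetFirewallRule -DisplayName "Remote Desktop - Alt Port (UDP-In)" `
    -Direction Inbound -Protocol UDP -LocalPort $NewPort `
    -Program $Svchost -Service TermService -Action Allow -Profile Any

# 2) Move the listener. Standard RDP-Tcp listener key (assumption: not quoted on the page).
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort

# 3) Verify: each new rule is enabled, on the right port, and scoped to
#    svchost.exe + TermService rather than "Any" program.
Get-NetFirewallRule -DisplayName 'Remote Desktop - Alt Port*' |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Enabled = $_.Enabled
            Port    = ($_ | Get-NetFirewallPortFilter).LocalPort
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
            Service = ($_ | Get-NetFirewallServiceFilter).Service
        }
    }

# 4) Restart the listener (this drops current RDP sessions; the question rebooted
#    instead) and confirm it now listens on the new port.
Restart-Service TermService -Force
Get-NetTCPConnection -State Listen -LocalPort $NewPort

# 5) The EC2 security group must allow the new port as well (the question did
#    this in the console). AWS CLI equivalent with placeholder values; keep the
#    source CIDR as narrow as possible rather than 0.0.0.0/0:
# aws ec2 authorize-security-group-ingress --group-id sg-PLACEHOLDER `
#     --protocol tcp --port 4389 --cidr 203.0.113.10/32
# Once 4389 is confirmed working, remove the 3389 rule from the security group.
```

Test from a second session before closing the one you are working in, so a mistake in the rule or the registry value cannot lock you out.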