Understanding TCP Reverse Connect Flow for AVD using Event Logs

This post walks through the TCP Reverse Connect flow for AVD (Azure Virtual Desktop, formerly WVD) using event logs. Let’s quickly go through the WVD event logs produced by the TCP Reverse Connect technology. You can follow the internal process of an RDP connection through the secure channel from a Windows 10 device.

I covered WVD Troubleshooting Options Tips Tricks – Windows Virtual Desktop in the previous post. There are many ways to perform WVD troubleshooting, as described in the Microsoft docs.

I’m going to share my experience in this blog post. I was trying to analyze the TCP Reverse Connect technology used in WVD through the event logs (Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational).

WVD TCP Reverse Connect Technology

We don’t need any inbound ports to be opened for the WVD TCP reverse connect technology. Even the default RDP port, TCP/3389, doesn’t have to be open. Instead, an agent creates an outbound connection using TCP/443 into the WVD management plane. Azure is your reverse proxy for RDP traffic.


The connection details are explained in the following diagram. This diagram might help in understanding the WVD event log flow.

[Diagram: WVD Event Logs RDP Listener Reverse Connect Tcp Udp Windows 10]

WVD Related Event Logs – Event ID 229

All the following events are taken from Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational.

CUM RDP Listener Reverse Connect Tcp Udp

‘Got connection for named pipe’ in CUMRDPListenerReverseConnectTcpUdp::OnNamedPipeConnectionCompleted at 5172 err=[0x0]


Reverse TCP Connect Context

‘ReverseTCPConnectContext::HandleRequest’ in CUMRDPListenerReverseConnectTcpUdp::ReverseTCPConnectContext::HandleRequest at 4970 err=[0x0]

Adding Additional Headers

Extra headers are added to the request to secure authentication to the gateway.


‘Adding extra header ‘Cookie’=’ARRAffinity=f0ae4aa2de7044dc11cff22d08a382782347f334ad1816b1aa6f1a6e6d72” in CUMRDPListenerReverseConnectTcpUdp::ReverseTCPConnectContext::HandleRequest at 5034 err=[0x0]

Adding extra header ‘ms-wvd-activity-hint’

‘Adding extra header ‘ms-wvd-activity-hint’=’ms-wvd-hp:99c34ceb-9ed1-41a2-c9ea-08d86484831” in CUMRDPListenerReverseConnectTcpUdp::ReverseTCPConnectContext::HandleRequest at 5034 err=[0x0]

The extra header ‘X-MS-User-Agent’=’com.microsoft.wvd.agent’ is added to get authenticated with the WVD RD Gateway.

‘Adding extra header ‘X-MS-User-Agent’=’com.microsoft.wvd.agent/1.0.2116.3600” in CUMRDPListenerReverseConnectTcpUdp::ReverseTCPConnectContext::HandleRequest at 5034 err=[0x0]

Contacting WVD RD Gateway

Contacting the nearest WVD RD Gateway, in Singapore: https://rdgateway-c101-sin-r1.wvd.microsoft.com/


‘Starting Reverse Connect GUID=’b13d33bf-e7b1-42u3-b347-f80a7ef98765′ URI=’https://rdgateway-c101-sin-r1.wvd.microsoft.com/api/v2/Connections/reverse/b16dh33bf-e7b1-42e0-b347-f80a7ef12745?RDmiGatewayToken=CfDJ8CK-Jasjdajdhasjkdhby7-g3b2okHpyasdkjuS1_NasdkiJG

Resolving the Name of WVD RD Gateway – DNS?

‘WINHTTP_CALLBACK_STATUS_RESOLVING_NAME name=’rdgateway-c101-sin-r1.wvd.microsoft.com” in CHttpIoRequestWinHttp::StatusCallback at 2528 err=[0x0]

Resolved the Name of WVD RD Gateway to IP

‘WINHTTP_CALLBACK_STATUS_NAME_RESOLVED name=’104.211.242.104′‘ in CHttpIoRequestWinHttp::StatusCallback at 2512 err=[0x0]


Connecting to Nearest Azure Backbone

Now connecting to the nearest Azure backbone (?) to reach the VM. From South India, it appears to reach the Azure Chennai region?

‘WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER IP=’104.211.242.104′‘ in CHttpIoRequestWinHttp::StatusCallback at 2520 err=[0x0]

‘WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER IP=’104.211.242.104” in CHttpIoRequestWinHttp::StatusCallback at 2516 err=[0x0]

TCP Reverse Connect Completed

Reverse connect succeeded: the TCP reverse connect for WVD is completed.

Closing Request Handle=0x6e559840‘ in CHttpIoRequestWinHttp::WebSocketCompleteUpgrade at 1972 err=[0x0]

Sending reply to WVD Agent. Reverse connect succeeded.‘ in CUMRDPListenerReverseConnectTcpUdp::ReverseTCPConnectContext::OnConnectionCompleted at 5106 err=[0x0]


Reverse connection (websocket) successfully completed‘ in CUMRDPListenerReverseConnectTcpUdp::OnConnectionCompleted at 5257 err=[0x0]

‘OnConnectionCompleted(TCP reverse connect completed)’ in CUMRDPListenerReverseConnectTcpUdp::OnConnectionCompleted at 5338 err=[0x0]

Set RDPTransportMode to TCP+UDP.‘ in CUMRDPListenerReverseConnectTcpUdp::OnConnectionCompleted at 5382 err=[0x0]

CUMRDPListenerReverseConnectTcpUdp
UDP port number for SxS stack not set. UDP listener won’t be enabled.’ in CUMRDPListenerReverseConnectTcpUdp::GetUdpPort at 4703 err=[0x0]

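As an added example (not code from the original post or from Microsoft), here is a small Python parser for the message shape the RdpCoreCDV/Operational events use above (‘<text>’ in Class::Method at <line> err=[0x..]). It reconstructs which milestones of the reverse connect were reached and whether they occurred in order, pulls out the gateway host, the resolved IP and the transport mode, and flags any non-zero err code. The sample lines are constructed from the page’s excerpts using straight quotes; exporting the real log to text (for example with Get-WinEvent) is assumed to happen separately.

```python
import re

# Message shape quoted on this page:  '<text>' in <Class>::<Method> at <source line> err=[0x<hex>]
MSG_RE = re.compile(r"^'?(?P<text>.*?)'?\s+in\s+(?P<func>\S+)\s+at\s+(?P<line>\d+)\s+err=\[0x(?P<err>[0-9A-Fa-f]+)\]$")

# Milestones of a healthy reverse connect, in the order the page's log shows them.
STAGES = [("named_pipe", "Got connection for named pipe"), ("dns", "WINHTTP_CALLBACK_STATUS_NAME_RESOLVED"),
          ("tcp", "WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER"),
          ("websocket", "Reverse connection (websocket) successfully completed"), ("transport", "Set RDPTransportMode")]

# Constructed sample (straight quotes; values copied from the page's log excerpts).
SAMPLE_LOG = [
    "'Got connection for named pipe' in CUMRDPListenerReverseConnectTcpUdp::OnNamedPipeConnectionCompleted at 5172 err=[0x0]",
    "'WINHTTP_CALLBACK_STATUS_RESOLVING_NAME name='rdgateway-c101-sin-r1.wvd.microsoft.com'' in CHttpIoRequestWinHttp::StatusCallback at 2528 err=[0x0]",
    "'WINHTTP_CALLBACK_STATUS_NAME_RESOLVED name='104.211.242.104'' in CHttpIoRequestWinHttp::StatusCallback at 2512 err=[0x0]",
    "'WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER IP='104.211.242.104'' in CHttpIoRequestWinHttp::StatusCallback at 2516 err=[0x0]",
    "Closing Request Handle=0x6e559840' in CHttpIoRequestWinHttp::WebSocketCompleteUpgrade at 1972 err=[0x0]",
    "'Reverse connection (websocket) successfully completed' in CUMRDPListenerReverseConnectTcpUdp::OnConnectionCompleted at 5257 err=[0x0]",
    "'Set RDPTransportMode to TCP+UDP.' in CUMRDPListenerReverseConnectTcpUdp::OnConnectionCompleted at 5382 err=[0x0]",
    "'UDP port number for SxS stack not set. UDP listener won't be enabled.' in CUMRDPListenerReverseConnectTcpUdp::GetUdpPort at 4703 err=[0x0]",
]

def parse_event(line):
    # Tolerates the missing leading quote seen on the 'Closing Request Handle' line.
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return {"text": m["text"], "func": m["func"], "line": int(m["line"]), "err": int(m["err"], 16)}

def analyze(lines):
    # Rebuild the reverse connect flow and report anything off the happy path.
    events = [e for e in map(parse_event, lines) if e]
    first = {}  # stage name -> index of the first event that reached it
    for i, e in enumerate(events):
        for name, marker in STAGES:
            if marker in e["text"]:
                first.setdefault(name, i)
    reached = [n for n, _ in STAGES if n in first]
    def grab(pat):  # first capture group found in any event text, else None
        return next((m.group(1) for e in events if (m := re.search(pat, e["text"]))), None)
    return {
        "reached": reached,
        "in_order": [first[n] for n in reached] == sorted(first[n] for n in reached),
        "gateway": grab(r"RESOLVING_NAME name='([^']+)'"),
        "ip": grab(r"CONNECTED_TO_SERVER IP='([^']+)'"),
        "transport": grab(r"Set RDPTransportMode to ([^.\s]+)"),
        "udp_listener": not any("UDP listener won't be enabled" in e["text"] for e in events),
        "errors": [(e["func"], e["err"]) for e in events if e["err"] != 0],
    }
```

A missing milestone, an out-of-order sequence or a non-zero err code in the result is the point at which to start looking at the gateway, DNS or firewall path rather than at the RDP listener itself.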
