Tip: Why is port 8550 being queried when starting an RDP session & what effect does this have on the RDP session?

Document ID : KB000047151
Last Modified Date : 14/02/2018

Summary:

Port 8550 is used for communication between CA PAM and the Socket Filter Agent (SFA) that may be installed on the target device. When starting the RDP connection, CA PAM first queries this port to check for the existence of the SFA on the target device.

After clicking the 'RDP' link for a server, there may be a delay during which a blue splash screen is displayed before the RDP session window opens. This delay is caused by the querying of port 8550. CA PAM sends a query packet to port 8550 and waits for a response. If there is no SFA on the target then the packet will not be picked up, and the default behavior would be to 'DROP' the packet. When the packet is 'DROPPED', CA PAM has no idea whether it ever reached the device and will retry the connection a few times. This is the point where the delay occurs: while CA PAM is waiting for a response, it will hold off on starting the RDP session.

If SFA is installed and running on the target device then this delay should not occur (or at least would have less of an effect) since the query packet would be responded to.

Instructions:

To speed up the RDP connection initialization the best solution is to ensure that the 8550 query packet is 'REJECTED' instead of 'DROPPED'. When a packet is 'REJECTED' the sender is actually notified and will not continue to retry the connection. This will speed up the initialization because CA PAM will no longer hold off the RDP session to wait for a response.

In lab testing the initialization time went from ~5 seconds to <1 second.

Note: this should not be done if SFA is being used on the target device.
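
To see how a target currently treats the query port, and to confirm the change afterwards, the following added example (not CA PAM code and not part of the original article) makes one connection attempt per host and reports whether it was answered, rejected or dropped, with the elapsed time. It assumes the SFA query is a TCP connection attempt; the names classify_port and survey and the script name in the usage comment are hypothetical.

```python
import socket
import sys
import time

SFA_PORT = 8550  # default SFA agent port from this article; change if your policy differs


def classify_port(host, port=SFA_PORT, timeout=3.0):
    """Make one TCP connection attempt and return (state, seconds).

    'open'     - something accepted the connection (e.g. SFA is listening)
    'rejected' - the target refused at once, so the sender is notified
    'dropped'  - no reply before the timeout: the case that delays RDP start
    'error'    - any other failure (name resolution, no route, ICMP unreachable)
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "open"
    except ConnectionRefusedError:
        state = "rejected"
    except (socket.timeout, TimeoutError):
        state = "dropped"
    except OSError:
        state = "error"
    return state, time.monotonic() - start


def survey(hosts, port=SFA_PORT, timeout=3.0):
    """Classify each host and return those still silently dropping the query."""
    results = {h: classify_port(h, port, timeout) for h in hosts}
    slow = sorted(h for h, (state, _) in results.items() if state == "dropped")
    return results, slow


if __name__ == "__main__":
    # Usage (assumed invocation): python sfa_probe.py host1 host2 ...
    results, slow = survey(sys.argv[1:])
    for host, (state, secs) in results.items():
        print(f"{host}:{SFA_PORT} {state} after {secs:.2f}s")
    if slow:
        print("Still dropping (RDP start will wait on retries):", ", ".join(slow))
```

Run it from a machine on the same network path as the CA PAM appliance, since a firewall in between can change the result.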

Additional Information:

If using the Windows Firewall, it should be noted that the default behavior is to 'DROP' packets instead of 'REJECT'. This is intended to hide information from potential attackers. It is possible to change this behavior; however, as this can affect security, you may need to consult with your Windows, Networking and/or Security Administrators before making this change. See the link below for more info:

https://msdn.microsoft.com/en-us/library/ff720058.aspx

Note: This tip assumes the use of the default Socket Filter Agent (SFA) port: 8550. If a different port is listed under Policy > Manage Policies > Manage Filters > Socket Filter Config > Agent Port: then you should REJECT that port instead.