RDP Performance over ZPA vs Anyconnect VPN

Has anyone else experienced any performance issues with running RDP sessions over ZPA? Our sessions seem to be significantly slower over ZPA than Cisco AnyConnect VPN when testing on the same source and destination machines over the same connection.

Even the RDP Connection Info bar shows the following for AnyConnect VPN:
The quality of the connection to the remote PC is good.
And when switched over to ZPA shows
The quality of the connection to the remote PC is poor.

The firewall is completely disabled on both destination and source machines.

I note on the following topic a Zscaler employee says “ZApp does not handle regular RDP traffic (3389) but it should be able to pass RDP over SSL(443) traffic”

If this is the case would RDP still be able to use both TCP and UDP to function?

If I could replace AnyConnect with ZPA it would really solve a lot of problems for me, but the performance difference is so noticeable that I cannot even dream of deploying it at this point.

Hi @MrO,
RDP performance should be great; if you’re seeing issues there may be suboptimal path selection or another factor in play. The Diagnosis in ZPA can help here; latency is logged for all sides in the connection, as is a record of the connector being used for the transaction/session.

Of course, if you need help moving through this you can open a support ticket and they can help with diagnostics and live troubleshooting. I’m sure we’ll get to the bottom of this.


Thanks for reaching out!

The note on ZApp “ZApp does not handle regular RDP traffic (3389) but it should be able to pass RDP over SSL(443) traffic” is applicable only in the context of Zscaler Internet Access. Zscaler Private Access supports native RDP. We have several customers who daily access RDP servers over ZPA, so your comment is surprising, but we would like to learn more. Can you please share the Support case #, so that we can investigate your concern? Is your RDP set up to use UDP 3389?

Kunal
Product Manager

The support no. is #747453. I need to open another ticket and reference this. It’s very difficult to demonstrate speed issues in RDP via a shared screen session with a Zscaler engineer. They are viewing my shared screen, and I am remotely viewing another machine, so the clear difference that I see between VPN and ZPA may not be clear to them.

You say that latency is logged on all sides on Diagnosis, but the only times I see are the CONNECTOR-APP RTT (0.53 ms) and POLICY PROCESSING (0.10 ms).

Is there any way to get a full latency statistic between my laptop running the Zscaler App and the machine I am connecting to?

Would adding the following times give me an accurate total latency between the end point and application via ZPA?
- ping response time from client to any.broker.prod.zpath.net
- ping response time from connector to any.broker.prod.zpath.net
- ping response time from connector to application

Hello Oliver,

I have reviewed the case you have referenced here - #747453. Back in April, our support team had requested additional information so that they could continue assisting you further. However, the case has since then been put on hold, as we are waiting for your feedback. The support engineer will be reaching out to you shortly so that we can resume troubleshooting. I strongly recommend that additional correspondence on this issue be done via the case, so that all the information is available in one place for review. This will expedite the resolution.