Port 3391 sits in the registered port range (1024–49151), the middle tier of the port numbering system. IANA coordinates assignments in this range, but registration isn't mandatory. Anyone can use an unassigned port — and Microsoft did.
What the Registered Range Means
The 65,535 ports are divided into three tiers:
- Well-known ports (0–1023): Reserved for core Internet services. HTTP gets 80, SSH gets 22, DNS gets 53. These require IANA assignment.
- Registered ports (1024–49151): Services can request registration with IANA, but don't have to. Many major software products just pick a number and ship.
- Dynamic/ephemeral ports (49152–65535): Temporary ports your operating system assigns for outgoing connections.
Port 3391 falls in the registered range but is unassigned. On paper, it belongs to no one.
Microsoft's Unofficial Claim
In practice, Microsoft's Remote Desktop Gateway (RD Gateway) has used UDP/3391 since Windows Server 2012 — by default, without any IANA registration.
Here's the context: RD Gateway normally tunnels RDP traffic over TCP 443 (HTTPS), which works everywhere and punches through most firewalls. But TCP has overhead. When Microsoft introduced RDP 8, they added UDP side channels to improve performance — lower latency, smoother video, better RemoteFX support.
Those UDP channels run on port 3391.
The connection uses DTLS (Datagram Transport Layer Security, the UDP equivalent of TLS), so the traffic is encrypted. When a modern RDP client connects through RD Gateway, it negotiates two UDP channels alongside the existing TCP tunnel:
- RDP-UDP-R: Reliable delivery — for data where order matters
- RDP-UDP-L: Best-effort delivery — for real-time data like audio and video frames where a dropped packet is better than a delayed one
If UDP/3391 is blocked at the firewall, RD Gateway falls back to TCP/443 only. The session still works — it's just slower, especially over high-latency links. Many administrators never open 3391 and never notice, because the fallback is silent.[1]
Security Considerations
UDP/3391 has appeared in a handful of notable security advisories. In January 2020, critical Remote Code Execution vulnerabilities in RD Gateway affected both TCP/3389 and UDP/3391 traffic paths.[2] If you run RD Gateway and haven't patched regularly, both ports deserve scrutiny.
Some firewall administrators block 3391 deliberately — accepting the performance penalty in exchange for a smaller attack surface. That's a reasonable tradeoff depending on your environment.
Checking What's Listening on This Port
To see if anything is bound to port 3391 on your system:
On Linux/macOS:
On Windows:
If you're running Windows Server with the Remote Desktop Gateway role installed and UDP transport enabled, you'll find it there. On any other system, 3391 should be silent.
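For the Linux case, one way to run this check, as an added example that is not from the original page: it filters `ss -H -tuln` output for sockets bound to exactly port 3391, so neighbours such as 33910 are not reported. The function names and sample lines are constructed for illustration, and the column layout is the one iproute2 prints when both -t and -u are given.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes Linux with iproute2, where
# `ss -H -tuln` prints: Netid State Recv-Q Send-Q Local:Port Peer:Port

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:3391 0.0.0.0:*
udp UNCONN 0 0 [::]:3391 [::]:*
udp UNCONN 0 0 0.0.0.0:33910 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:13391 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'

# Read ss lines on stdin and print "proto local-address" for every socket
# bound to exactly port $1. The port is taken as the text after the last ':'
# so 33910 and 13391 are not reported, as they would be by a bare `grep 3391`.
listeners_on_port() {
    awk -v port="$1" 'NF >= 5 {
        n = split($5, parts, ":")
        if (parts[n] == port) print $1, $5
    }'
}

# Succeed only if a UDP socket is bound to port $1 in the ss lines on stdin.
udp_bound() {
    listeners_on_port "$1" | grep -q '^udp '
}

# Live check: `sh thisfile --live [port]` (port defaults to 3391).
if [ "${1:-}" = "--live" ]; then
    port="${2:-3391}"
    if ss -H -tuln | udp_bound "$port"; then
        echo "UDP/$port is bound:"
        ss -H -tuln | listeners_on_port "$port"
    else
        echo "nothing is bound to UDP/$port"
    fi
fi
```

Adding `-p` to the `ss` call (as root) also shows the owning process, which helps confirm whether a listener on 3391 is expected.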
Why Unassigned Ports Matter
Every unassigned port is a small ambiguity in the port system. Software ships, habits form, firewall rules get written — and suddenly a "blank" port has real-world conventions attached to it that never made it into the official registry.
Port 3391 is a minor example of how the Internet actually works: official assignment and actual use are two different things, often maintained by two different organizations moving at two different speeds.