It looks like UDP Shortpath for public networks was automatically enabled for our customer. We can see external traffic bypassing the RD gateway and using UDP.
We have also noticed (and this seems to be going against the documentation) when it does the STUN negotiation, it actually feeds the connection internally through the VPN as though its a managed network. This was never enabled and doesn't describe this in the documentation.
Is this supposed to happen, as it will be getting double encrypted, we thought it should go out via our external firewalls to the public internet directly to the client regardless if they are at home or in the office. What is determining the route?