RDP Proxy - Understanding Certificate Options

Remote Desktop Protocol utilizes SSL to secure connections. To enable this process, all Windows machines present an RDP Server SSL certificate when a client initiates the process to establish a connection.

In a default configuration, this is a self-signed certificate generated by Windows when the RDP service is first enabled.

RDP Proxy context

The Secret Server RDP Proxy also has a default, shared, self-signed SSL certificate, with the facility to create a new self-signed certificate, or to provide your own. In the case of RDP Proxy, Remote Certificates refers to the target machine specified at the time of secret launch.

Configuration

Secret Server provides two distinct areas of configuration for SSL certificates in relation to the RDP Proxy. This page describes what each setting means, along with the options available to make best use of them or to mitigate user-experience objections.

Accessing the RDP Server Certificate

  1. Access Secret Server.

  2. Access Settings > Proxying > RDP and locate RDP Server Certificate on the page. Next to it is the downloadable .pfx file. This certificate is always in use when utilising the RDP Proxy.

This is the SSL certificate presented by the RDP Proxy to the user’s RDP Client (MSTSC.exe or Connection Manager) when a user launches from a secret.

Figure 1. RDP Server certificate – presented by the RDP Proxy to the connecting client.

Validating Remote Certificates

  1. Access Settings > Proxying > RDP.

  2. On the RDP Proxy tab find Validate Remote Certificates. This option determines whether the RDP Proxy should validate the launch target’s RDP certificate.

    1. Yes – the target’s RDP certificate will undergo the SSL validation process; failure to validate will cause the connection to be dropped.

    2. No – the target’s RDP certificate will not be subject to validation checks; any failure to connect will not be due to target RDP certificate validation.

Figure 2. Normal Remote Certificate Validation for RDP Proxy

Disabling Remote Certificate Validation for RDP Proxy

Delinea recommends that you operate in an environment where RDP server certificates are created by a controlled CA and are trusted by machines in the domain. If that is not possible, you can disable remote certificate validation to allow connection to machines that do not serve trusted certificates.

To change the certificate settings, in Windows:

  1. Go to Console Root\Certificates (Local Computer)\Remote Desktop\Certificates. The Console appears.

  2. Note that the Remote Desktop certificates on these remote servers are self-signed by default.

    Secret Server RDP Proxy cannot validate these unless one of two conditions applies:

    • Each target server certificate is imported into all the servers hosting RDP Proxy.

    • Trusted RDP certificates are deployed.

      Microsoft describes a process for the second condition in Using certificates in Remote Desktop Services.
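The first condition above, worked through in PowerShell as an added example that is not part of the Delinea documentation: export the target's self-signed Remote Desktop certificate on the target, import it into the trusted root store on the RDP Proxy host, and check that it passes SSL validation for the launch target's name. The file paths and the target name mars1.hkdr.co.uk are assumed values.

```powershell
# Added example, not part of the Delinea documentation. Paths and names are assumed.

# Step 1 (run on the RDP target): export the public part of its Remote Desktop certificate.
# The "Remote Desktop" store holds the self-signed certificate Windows generated for RDP.
$rdpCert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$exportPath = "C:\Temp\$env:COMPUTERNAME-rdp.cer"   # assumed export location
Export-Certificate -Cert $rdpCert -FilePath $exportPath -Type CERT | Out-Null

# Step 2 (run on each server hosting the RDP Proxy): import the exported certificate into
# Trusted Root Certification Authorities so the proxy's SSL validation can build a chain to it.
$targetName = 'mars1.hkdr.co.uk'       # assumed FQDN used as the secret's launch target
$cerPath    = 'C:\Temp\mars1-rdp.cer'  # assumed location of the copied .cer file
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' |
    Select-Object -First 1

# Step 3: confirm the certificate now passes SSL validation on this host, including the
# name check against the launch target. Returns $true when chain and name both validate.
Test-Certificate -Cert $imported -Policy SSL -DNSName $targetName -ErrorAction SilentlyContinue
```

If Test-Certificate returns $false, the launch target name in the secret does not match a name in the certificate, or the certificate has not been imported on this proxy host.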

Creating Self-Signed Certificates with Multiple Aliases

To create a self-signed certificate that can be used with multiple domain names and IP addresses, use the following PowerShell command. This example demonstrates how to specify multiple aliases for the certificate:

New-SelfSignedCertificate `
  -Subject "DelineaSecretServer" `
  -DnsName `
    "phobos",
    "phobos.hkdr.co.uk",
    "mars1",
    "mars1.hkdr.co.uk",
    "deimos1",
    "deimos1.hkdr.co.uk",
    "10.12.60.X",
    "10.12.60.X",
    "10.12.60.X" `
  -CertStoreLocation "cert:\LocalMachine\My" `
  -HashAlgorithm SHA256 `
  -KeyLength 4096 `
  -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
  -NotAfter (Get-Date).AddYears(10)

The names and IP addresses in the command are examples. Replace them with your own values to suit your environment.

Parameters Explained:

  • Subject: Specifies the subject name of the certificate.

  • DnsName: Lists the domain names and IP addresses the certificate will be valid for. Replace these with your own values.

  • CertStoreLocation: Defines where the certificate will be stored.

  • HashAlgorithm: Sets the hash algorithm to be used.

  • KeyLength: Determines the length of the cryptographic key.

  • Provider: Specifies the cryptographic provider.

  • NotAfter: Sets the expiration date of the certificate.