RDP Proxy Configuration
Overview
The RDP Proxying feature allows RDP connections, established using a launcher, to be routed through Secret Server. You can set it up one of two ways:
- Recommended method: The launcher connects to the newer RDP proxy with temporary credentials, and the RDP proxy connects to the remote server using the protected credentials from the secret. This method is preferred because it prevents the secret credentials from reaching the client machine. For this method, you simply configure the RDP proxy.
- Alternative method: The launcher uses an SSH proxy to tunnel a local RDP connection to a remote server. This method does not protect the credential from reaching the client machine. For this method you configure the SSH proxy and enable SSH tunneling.
These two approaches to RDP proxying are not compatible—you may use one or the other but not both. We performance tested both methods. Either can support 100 concurrent connections.
Recommended Method
How It Works
- The user clicks the RDP launcher in Secret Server.
- The launcher executes on the client's machine.
- The launcher establishes a connection to the RDP Proxy using credentials generated for the session. These credentials are short-lived and can only be used within a 15-minute window. To support reconnects in keeping with the RDP protocol, the window resets upon reconnect.
- Once the launcher has successfully authenticated with the RDP proxy, the RDP proxy looks up the credentials and target hostname to connect to. The secret credentials do not get served to the client machine in this flow, which improves credential security.
- The RDP proxy connects to the desired remote host with the secret credentials.
- The RDP session is established.
- RDP traffic is sent back and forth over the RDP proxy; session keystrokes are monitored if session recording is enabled.
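The flow above hinges on two properties of the session credentials: they expire after a 15-minute window, the window is reset by a successful reconnect, and the client only ever holds the session credential, never the secret's own password. The following Python model, written for this page as an added illustration and not code from Secret Server, shows one way those rules fit together. The class and method names, the injectable clock, and the mapping from a session credential to a secret id are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

WINDOW_SECONDS = 15 * 60  # the 15-minute window described on the page


@dataclass
class SessionCredential:
    username: str
    password: str
    secret_id: int      # which stored secret the proxy will use for the proxy-to-target hop
    expires_at: float


class SessionCredentialStore:
    """Hypothetical store for the launcher-to-proxy session credentials.

    The launcher receives only the generated username/password; the proxy maps
    them back to a secret id and retrieves the real target credentials itself,
    so the secret never reaches the client machine.
    """

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable clock so expiry can be tested deterministically
        self._by_user = {}

    def issue(self, secret_id):
        """Generate a fresh session credential tied to one secret."""
        now = self._clock()
        cred = SessionCredential(
            username="sess-" + secrets.token_hex(4),
            password=secrets.token_urlsafe(24),
            secret_id=secret_id,
            expires_at=now + WINDOW_SECONDS,
        )
        self._by_user[cred.username] = cred
        return cred

    def authenticate(self, username, password):
        """Return the secret id for a valid session credential, or None.

        A successful authentication (initial connect or reconnect) resets the
        15-minute window, matching the reconnect behaviour the page describes.
        """
        cred = self._by_user.get(username)
        # Constant-time comparison so a wrong password does not leak timing information.
        if cred is None or not secrets.compare_digest(cred.password, password):
            return None
        now = self._clock()
        if now > cred.expires_at:
            del self._by_user[username]   # expired: forget it so it cannot be reused
            return None
        cred.expires_at = now + WINDOW_SECONDS
        return cred.secret_id


if __name__ == "__main__":
    store = SessionCredentialStore()
    cred = store.issue(secret_id=42)   # constructed sample secret id
    print("launcher receives:", cred.username, cred.password)
    print("proxy resolves to secret id:", store.authenticate(cred.username, cred.password))
```

The injectable clock is what makes the expiry and reconnect-reset rules checkable without waiting real minutes; in a production implementation the same shape lets an operator audit how long a session credential remained valid after its last use.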
Enable the RDP Proxy
- Navigate to Admin > Proxying.
- Click the RDP Proxy tab.
- Click Edit next to Enable RDP proxy and set it to Yes.
- Click Save.
- Click the Endpoints tab and confirm each participating node, site, and engine is configured for RDP proxying.
Enable RDP Gateway mode
Gateway mode tunnels RDP over HTTPS using the MS-TSGU protocol. It is configured on the same page as direct RDP Proxy and can also be overridden per-site and per-engine. See Per-site and per-engine overrides below.
Procedure:
- Navigate to Admin > Proxying > RDP Proxy.
- Confirm Enable RDP proxy is Yes.
- Click Edit next to Enable RDP Gateway and set it to Yes.
- Click Edit next to RDP Gateway port and enter the listener port.
- Under RDP server certificate, confirm the selected certificate matches the hostname clients will use to reach the gateway. See RDP Proxy Certificate Options.
- Click Save.
Settings Reference
- Enable RDP proxy: Controls whether the RDP proxy feature is active. When set to No, neither direct nor gateway mode is available.
- RDP proxy port: Sets the TCP port on which the direct RDP proxy listens.
- Enable RDP Gateway: Controls whether the MS-TSGU gateway listener is active. Requires Enable RDP proxy to also be Yes.
- RDP Gateway port: Sets the TCP port on which the gateway listens.
- Validate remote certificates: Determines whether the proxy drops the target-side connection if the target certificate fails SSL validation.
- Allow AD site selection (SSH and RDP): Allows site selection at launch time for Active Directory secrets.
- Proxy new secrets by default: Sets proxying to enabled by default on newly created SSH and RDP secrets.
- SSPI authentication method: Selects the authentication method used when the proxy connects to target hosts.
- Days to Keep Operational Logs: Sets the retention period for RDP proxy operational log entries.
- RDP server certificate: Selects the certificate the proxy presents to connecting clients. See RDP Proxy Certificate Options.
Per-Site and Per-Engine Overrides
Each setting on this page can be overridden per distributed engine site and per individual engine. Overrides are optional—any value not set at a lower level inherits from the level above.
Resolution order, highest precedence first:
- Engine override, configured in the Default engine settings modal on the site detail page.
- Site override, configured in the site edit modal.
- Global value, configured on this page.
Per-Site Overrides
On the site's edit modal, the RDP Proxy section contains override fields for Enable RDP proxy, RDP proxy port, RDP Gateway port, and RDP Proxy Certificate. Each port field pairs with an Inherited checkbox. Check it to inherit the global value, and uncheck it to enter a site-specific value. To override the certificate, select a Secret of the PFX template; leave blank to inherit.
Per-Engine Overrides
Per-engine overrides are set in the Default engine settings modal accessed from a site's detail page. The modal exposes RDP Proxy and RDP Gateway toggles, and the Advanced site configuration section lists the corresponding port and certificate overrides.
See Distributed Engine Configuration and Sizing.
Monitoring effective settings
The Admin > Proxying > Endpoints page summarizes the effective ports and enable state for each site and engine after overrides resolve.
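To make the resolution order concrete, here is an added Python example (not Secret Server code) that applies the engine > site > global precedence described above and produces the kind of per-site and per-engine summary the Endpoints page shows. The dataclass, the function names, the sample site and engine names, and the port and certificate values are all constructed for the example; `None` stands in for the Inherited checkbox or a blank certificate field.

```python
from dataclasses import dataclass, fields
from typing import Optional


@dataclass
class RdpProxySettings:
    """One level of RDP proxy settings (global, site, or engine).

    None means "inherited from the level above", i.e. the Inherited checkbox is
    ticked for a port or the certificate field is left blank.
    """
    enable_rdp_proxy: Optional[bool] = None
    rdp_proxy_port: Optional[int] = None
    rdp_gateway_port: Optional[int] = None
    rdp_certificate: Optional[str] = None


SETTING_NAMES = tuple(f.name for f in fields(RdpProxySettings))


def resolve(global_settings, site=None, engine=None):
    """Resolve effective settings: engine override > site override > global value."""
    effective = {}
    for name in SETTING_NAMES:
        for level in (engine, site, global_settings):   # highest precedence first
            if level is not None and getattr(level, name) is not None:
                effective[name] = getattr(level, name)
                break
        else:
            # The global value is the floor of the hierarchy; it must always be set.
            raise ValueError(f"{name} is not set at any level; the global value is required")
    # Sanity check the resolved ports before they would be handed to a listener.
    for port_name in ("rdp_proxy_port", "rdp_gateway_port"):
        port = effective[port_name]
        if not 1 <= port <= 65535:
            raise ValueError(f"{port_name}={port} is not a valid TCP port")
    return effective


def endpoints_summary(global_settings, sites):
    """Build one row per site and per engine, like the Endpoints page.

    sites: {site_name: (site_override, {engine_name: engine_override})}
    """
    rows = []
    for site_name, (site_override, engines) in sites.items():
        rows.append({"site": site_name, "engine": None,
                     **resolve(global_settings, site_override)})
        for engine_name, engine_override in engines.items():
            rows.append({"site": site_name, "engine": engine_name,
                         **resolve(global_settings, site_override, engine_override)})
    return rows


# Constructed sample deployment; names, ports and certificate labels are not from any real install.
GLOBAL = RdpProxySettings(True, 3390, 443, "global-rdp-cert")
SAMPLE_SITES = {
    "HQ": (RdpProxySettings(rdp_proxy_port=13390),            # site overrides the proxy port
           {"HQ-ENG-01": RdpProxySettings(rdp_certificate="hq-eng-01-cert"),  # engine overrides the cert
            "HQ-ENG-02": RdpProxySettings()}),                 # engine inherits everything
    "DR": (RdpProxySettings(enable_rdp_proxy=False),          # site disables the proxy
           {"DR-ENG-01": RdpProxySettings()}),
}

if __name__ == "__main__":
    for row in endpoints_summary(GLOBAL, SAMPLE_SITES):
        print(row)
```

Running it shows HQ-ENG-01 listening on the site's port 13390 with its own certificate, HQ-ENG-02 on the same port with the global certificate, and the DR engine reporting the proxy as disabled while still inheriting the global ports. Comparing such a computed table against the Endpoints page is a quick way to confirm an override landed where you intended.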
Alternative Method
How It Works
- The user clicks the RDP launcher in Secret Server.
- The launcher executes on the client's machine.
- The launcher establishes a connection to the SSH proxy to begin port forwarding.
- The launcher authenticates with the SSH Proxy.
- The launcher opens a socket.
- The launcher listens for a connection on an available ephemeral port (the forwarding port) on the client's machine.
- RDP launches on the client machine using the secret credentials and connects locally to the forwarding port.
- All RDP traffic for this session is routed through the SSH tunnel to Secret Server, then forwarded to the target machine.
- The RDP session is established.
Configuration
- Navigate to Admin > SSH Proxy.
- Enable the Tunnel RDP connections option. If enabled, RDP launchers tunnel through an SSH proxy if possible. This option predates the RDP proxy, which is now recommended instead.
- Click the Endpoints tab to ensure that your server nodes, sites, and engines are properly configured.
- Proxied RDP secrets now launch into the SSH proxy using local port forwarding.
Known Issues
"Could not load file or assembly..." Error
Error appears in Secret Server.log or DE.log. Install the most recent version of the .NET Framework to correct it.
RDP Proxy Does Not Work with FIPS Validation
RDP proxy does not work on machines that have the FIPS validation security policy active. No fix is currently available.
Setting Notes
Changes to "Enable RDP Gateway," "RDP Gateway Port," and the RDP server certificate are picked up by the Secret Server local site immediately on save. Distributed engines detect the change on their next heartbeat (typically within 30 seconds) and restart their RDP proxy listeners with the new settings. No iisreset or engine service restart is required.