RDP Proxy

The RDP proxy feature in Secret Server enhances security by routing Remote Desktop Protocol (RDP) connections through Secret Server, ensuring that secret credentials are protected during remote access sessions. The RDP Proxy supports two operating modes for clients: a direct connection to the RDP Proxy port and a gateway mode that tunnels RDP over HTTPS using the Microsoft Terminal Services Gateway (MS-TSGU) protocol. Gateway mode removes NTLM (NT LAN Manager) from the client-to-proxy network leg, helping satisfy compliance requirements that restrict NTLM use.

Operating Modes

  • Direct RDP Proxy. Clients connect to Secret Server or a distributed engine on the RDP proxy port. The proxy simulates an RDP handshake, retrieves temporary credentials, and forwards the session to the target.
  • RDP Gateway. Clients tunnel RDP over HTTPS to the gateway listener and authenticate to Secret Server. Secret Server then forwards the inner RDP stream to the target.
  • SSH tunneling. RDP tunneled inside an SSH proxy connection. This is retained for compatibility and is not recommended for new deployments.

Delinea recommends gateway mode for new deployments, because it consolidates inbound ports to standard HTTPS and removes NTLM from the client-to-proxy hop.

Configuration Scope

Gateway activation, listener ports, and the certificate can be configured globally or overridden per site and per engine. Per-site and per-engine overrides take precedence over the global value. See RDP Proxy Configuration for the full override model.

Requirements

RDP proxy requirements:

  • Client machines must use an RDP client that implements the remote desktop gateway protocol. The Microsoft Remote Desktop Connection client on a currently supported Windows release is the configuration validated by Delinea.
  • Each distributed engine that serves gateway sessions must advertise the RD Gateway capability. Older engines continue to serve direct RDP proxy sessions but cannot accept gateway connections.
  • A certificate that uses an RSA key pair, whose subject alternative name matches the hostname clients use to reach the gateway, that includes the Server Authentication (OID 1.3.6.1.5.5.7.3.1) Enhanced Key Usage, and that is trusted by the client machine's certificate store. See RDP Proxy Certificate Options.
  • The gateway listens on its own port (443 by default), which must be reachable by client machines and must differ from the RDP proxy port.
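
The following PowerShell script is an added example, not Delinea's code, that checks an exported copy of the gateway certificate (.cer) and the port settings against the requirements above when run from a client machine. The hostname, file path and port numbers are assumed placeholders; replace them with your site's values.

```powershell
# Added example (not Delinea's code): pre-flight check of RDP Gateway requirements from a client.
param(
    [string]$GatewayHost  = 'rdpgw.example.com',        # assumed: hostname clients use for the gateway
    [string]$CertPath     = 'C:\temp\rdpgw.cer',         # assumed: exported gateway certificate (public part)
    [int]$GatewayPort     = 443,                         # gateway listener port (443 by default)
    [int]$RdpProxyPort    = 3390                         # assumed: RDP proxy port configured on the site/engine
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$rsaOid        = '1.2.840.113549.1.1.1' # rsaEncryption public key algorithm
$problems      = @()

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# 1. Key pair must be RSA.
if ($cert.PublicKey.Oid.Value -ne $rsaOid) {
    $problems += "Public key algorithm is $($cert.PublicKey.Oid.FriendlyName), not RSA"
}

# 2. SAN must contain the exact DNS name clients use (-match is case-insensitive).
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
if ($sanText -notmatch "DNS Name=$([regex]::Escape($GatewayHost))(,|$)") {
    $problems += "SAN does not list DNS name '$GatewayHost' (SAN: '$sanText')"
}

# 3. Enhanced Key Usage must include Server Authentication.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
    $problems += "Missing Server Authentication EKU ($serverAuthOid)"
}

# 4. Chain must build to a root trusted by THIS client machine's certificate store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "Certificate chain is not trusted on this machine: $status"
}

# 5. Gateway port must differ from the RDP proxy port and be reachable from the client.
if ($GatewayPort -eq $RdpProxyPort) { $problems += "Gateway port $GatewayPort equals the RDP proxy port" }
$tcp = Test-NetConnection -ComputerName $GatewayHost -Port $GatewayPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { $problems += "TCP ${GatewayHost}:$GatewayPort is not reachable" }

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: $GatewayHost meets the RDP Gateway certificate and port requirements"
```

Run it on a representative client rather than on the Secret Server host, since the chain check reflects the trust store of the machine it runs on.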

See the following for more information