This article describes the most recommended methods for connecting to Microsoft Terminal Services / Remote Desktop Servers via Luminate.
The Windows Servers can be located in any datacenter, physical or virtual, while the accessing user can be located anywhere in the world, without direct network access to the datacenter.
The following diagram depicts the topology of the solution:
The Remote Desktop connection from the users' endpoint devices (PC or Mobile) is securely tunneled through the Luminate Secure Access Cloud using an SSH Tunnel, and is allowed only upon successful Authentication and Authorization. The SSH Tunnel connects to a machine running an SSH Server in the datacenter (a.k.a. SSH Bastion), and that machine creates a direct RDP connection to the target Windows Server on behalf of the user. This article describes how to set up such a connection using Microsoft's native Remote Desktop clients.
As the Microsoft Remote Desktop client does not have a built-in SSH Tunneling function, for ease of use we recommend using alternative Remote Desktop client applications that make the experience a single-click one.
In this article we cover a number of different solutions, all working on the same principle:
- MobaXterm (Supported on Windows) - a free terminal and RDP Client
- Devolutions Remote Desktop Manager (Supported on Windows, Mac OS X, iOS and Android), including Free and Paid versions
- Royal TS/X (Supported on Windows, Mac OS X)
Remote Desktop Manager and Royal TS/X support advanced management features, such as importing .RDP files, exporting .RDP files and additional "manipulations" for environments with multiple RDP servers/services.
Pre-Conditions to Connecting to Remote Desktop / Terminal Services Servers
Prior to being able to access Windows Servers using Remote Desktop / Terminal Services clients, the following conditions need to be satisfied.
- An SSH Server should exist in the datacenter hosting the Windows Servers, with the ability to open network connections to those servers. It could be a dedicated Linux Server, a container running a containerized version of an SSH Server, or even an SSH Server process running on one of the Windows Servers.
- A site representing the datacenter should be defined in the Luminate Administration Portal. More details on how to achieve this step can be found in the following article.
- A Luminate Connector should be deployed in the same datacenter, with the ability to connect to the SSH Server. More details on how to achieve this step can be found in the following article.
- An SSH application representing the SSH Server should be configured in the Luminate Administration Portal, and its access policy should allow access for the relevant users. More details on how to achieve this step can be found in the following article.
Once the above configuration steps are completed, the end user can access the relevant Windows Servers as described below.
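All three clients below perform the same two steps transparently: open an SSH local port forward through the bastion to the Windows Server's RDP port, then point the RDP client at the local end of that forward. The following script is an added example (not Luminate's code, nor code from MobaXterm, Remote Desktop Manager or Royal TS/X) that spells those steps out manually: it takes an .rdp file exported for direct access, picks an unused loopback port for this session (the same reason the clients offer a local dynamic port), builds the `ssh -L` command line, and rewrites the .rdp file so that mstsc connects to the tunnel instead of the server. The bastion host name and user name are placeholders; the real values come from the SSH tab of the Luminate User Portal. The sample .rdp content, host names and user are constructed for the example.

```python
# Added example, not part of the original article or of any vendor's client code.
from __future__ import annotations
import shlex
import socket

RDP_PORT = 3389  # default RDP listener on a Windows Server


def free_local_port() -> int:
    """Ask the OS for an unused loopback port. Every parallel session needs its own
    tunnel listener, which is why the clients offer a 'local dynamic port' option."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def split_host_port(address: str, default_port: int = RDP_PORT) -> tuple[str, int]:
    """Split a 'host' or 'host:port' value as found in an .rdp 'full address' line."""
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return address, default_port


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Parse the 'name:type:value' lines of an .rdp file (type i = integer, s = string).
    Values may themselves contain ':' (e.g. 'full address:s:host:3389'), so split at most twice."""
    settings: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed .rdp line: {line!r}")
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip(), value)
    return settings


def render_rdp(settings: dict[str, tuple[str, str]]) -> str:
    """Serialize settings back to .rdp format (CRLF line endings, as mstsc writes them)."""
    return "".join(f"{name}:{typ}:{value}\r\n" for name, (typ, value) in settings.items())


def tunnel_command(bastion_host: str, bastion_user: str, target_host: str, local_port: int,
                   target_port: int = RDP_PORT, identity_file: str | None = None) -> list[str]:
    """argv for the SSH local port forward: -N opens no remote shell, only the forward;
    ExitOnForwardFailure makes ssh fail loudly if the bastion cannot reach the target;
    binding the listener to 127.0.0.1 keeps the forwarded RDP port off the local network."""
    cmd = ["ssh", "-N", "-o", "ExitOnForwardFailure=yes"]
    if identity_file:  # RSA key from the User Portal instead of a pasted Access Token
        cmd += ["-i", str(identity_file)]
    cmd += ["-L", f"127.0.0.1:{local_port}:{target_host}:{target_port}",
            f"{bastion_user}@{bastion_host}"]
    return cmd


def tunnelled_session(rdp_text: str, bastion_host: str, bastion_user: str,
                      local_port: int | None = None, identity_file: str | None = None):
    """Take an .rdp file exported for direct access and return (ssh argv, rewritten .rdp text)
    that reach the same Windows Server through the SSH Bastion."""
    settings = parse_rdp(rdp_text)
    if "full address" not in settings:
        raise ValueError(".rdp file has no 'full address' setting")
    target_host, target_port = split_host_port(settings["full address"][1])
    if local_port is None:
        local_port = free_local_port()
    settings["full address"] = ("s", f"127.0.0.1:{local_port}")
    settings.setdefault("prompt for credentials", ("i", "1"))  # do not store the Windows password
    cmd = tunnel_command(bastion_host, bastion_user, target_host, local_port, target_port, identity_file)
    return cmd, render_rdp(settings)


# Constructed sample of an exported .rdp file; the host name and user are made up.
SAMPLE_RDP = (
    "full address:s:win-app-01.corp.example:3389\r\n"
    "username:s:CORP\\alice\r\n"
    "screen mode id:i:2\r\n"
)

if __name__ == "__main__":
    # Placeholders: the real SSH host and user name come from the Luminate User Portal.
    cmd, rdp = tunnelled_session(SAMPLE_RDP, "BASTION-FROM-USER-PORTAL", "USER-FROM-USER-PORTAL")
    with open("tunnelled.rdp", "w", newline="") as fh:  # newline="" keeps the CRLFs as-is
        fh.write(rdp)
    print("1. keep this running:", shlex.join(cmd))
    print("2. then open tunnelled.rdp with mstsc (or any RDP client)")
```

Two things worth knowing when doing this by hand: the RDP server presents a certificate for its own name, so mstsc will warn that the name does not match 127.0.0.1 (expected with a loopback tunnel, and exactly the prompt the clients below spare you), and on Windows 10 and later the built-in OpenSSH client provides the `ssh` command used here.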
Configuring access with MobaXterm
Open the MobaXterm client and create a new RDP session. Please fill in the following fields:
1 - Please enter the DNS name or IP Address of the Remote Desktop / Terminal Services server, as reachable from the SSH Bastion.
2 - Please enter a Local/Domain user name for logging in to the Windows Server.
Optionally, if you are using a non-default RDP port or Advanced RDP Settings, they can be configured at this stage.
3 - Please use the name representing the SSH Bastion, as retrieved from the Luminate User Portal.
4 - Please use the user name representing the SSH Bastion, as retrieved from the Luminate User Portal.
Optionally, if you would like to avoid copying/pasting an Access Token from the Luminate User Portal, and your organizational policy allows this, retrieve an RSA Key from the User Portal and configure the connection to use it.
The connection will create an SSH Tunnel transparently and open a direct RDP connection.
(The screenshot above shows an RDP session embedded in the MobaXterm window. A full-screen mode is also supported)
Configuring access with Devolutions Remote Desktop Manager
In the Remote Desktop Manager window, create a new session and choose the "Microsoft Remote Desktop (RDP)" type.
In the main Session Settings window, please configure the address of the Remote Desktop/Terminal Services server (as reachable from the SSH Bastion), the Domain, the User and, optionally, the password. Instead of storing a Username/Password in the session configuration, the client can be configured to ask for credentials upon each connection.
In the VPN/SSH/Gateway "General" tab, please choose "SSH" in the "Type" field.
In the VPN/SSH/Gateway "Settings" tab, please configure the access to the SSH Server, as described in the Luminate User Portal.
Please note that the Host and the Username should be exactly as provided in the SSH tab of the Luminate User Portal, and the Remote Host should be set to the address of the Windows Server.
Using a local dynamic port is important when intending to connect to multiple sessions in parallel, since each tunnel needs its own local listening port.
The connection will create an SSH Tunnel transparently and open an RDP Session.
(The screenshot above shows an RDP session embedded in the Remote Desktop Manager window. A full-screen mode is also supported)
Configuring access with Royal TS/X
The first step in configuring a remote RDP connection with Royal TS/X is defining a "Secure Gateway" object that will represent the SSH Bastion server.
In "Computer Name", please specify the DNS name of the SSH Server, as described in the Luminate User Portal.
Next, either user credentials can be specified in the same window (the "Credentials" section), or a separate "Credentials" object should be created.
The "Username" field should match exactly the user name provided in the SSH tab of the Luminate User Portal. The credentials can be configured either to use Temporary Access Tokens, or to use a Private Key File (downloaded from the Luminate User Portal).
After configuring the "Credentials" object, the "Secure Gateway" settings should be updated to use this object (the "Credentials" section).
Finally, the "Remote Desktop Connection" object should be created. As Royal TS/X is built on top of a plugin infrastructure, the RDP Plugin must be installed to get this functionality (please refer to the Royal TS/X documentation for details).
The Computer Name (address) should be configured to an address of the Windows Server in the datacenter, accessible from the SSH Bastion.
The system can be configured either to prompt for Windows Server credentials or to use the existing / pre-defined ones.
Finally, in the "Secure Gateway" section, the system should be instructed to use the "Secure Gateway" object defined earlier:
(The screenshot above shows an RDP session embedded in the Royal TS/X window. A full-screen mode is also supported)