The RDS Proxy (Aka Remote Desktop Service) Proxy or Remote Desktop Protocol Proxy feature is a gateway that allows externals users or internals users accessing to Microsoft RDP services .
It acts as the gateway into which RDP connections from an external network connects through to access a Remote Desktop server (Terminal Server) located on the corporate or private network.
¶ Artica's RDS proxy solves the boring NAT method
Remote Desktop Servers typically use port 3389.
To enable Remote Desktop Servers to be accessed over the internet, you must enable/forward TCP Port 3389 to the Remote Desktop Server.
If you have more RD servers than you have internet Public IP addresses, you will have to start port forwarding other ports to the other RD Servers, i.e. forward TCP Port 3390 on your firewall to Port 3389 on your second RD Server, forward TCP Port 3391 to Port 3389 on your third RD server and so on.
This can be quite confusing for clients because they have to remember what port to connect to.
With RDS PROXY installed, you can give your clients the address or DNS name of the gateway server.
Give them a virtual account, create acls that you want your client to connect to.
It doesn’t matter that the name of the RD Server is not resolvable on the internet or the IP address is from a private range.
As long as the RDS PROXY can resolve the name, and the appropriate rights are given to the user credentials which your clients are using, they can connect to the Remote Desktop Server.
You can create groupings of servers and allow only certain virtual users or groups access to particular servers.
¶ Features
- Centralize and log each connection
- Automatically ban addresses against dictionnary attacks.
- Define schedules to access to a pool of server.
- Hide real TSE services credentials and addresses
- Record session into video mp4 format
- Can use Active Directory to link members and TSE services
¶ Install the RDS Proxy Service
Ensure you have updated your RDS Proxy service to 9.x or above.
- To install the RDS Proxy service, on the left menu, choose “Your system” / “Features” On the search box, type “RDS”
- Click on the install button
After installation, you should have RDS Proxy in the left menu. The status should show you 2 services that are running
- RDSP proxy is the main Remote Desktop service gateway.
- RDSP Proxy authenticator is the ACL manager that allows or disallows connections to targeted servers.
¶ Set the Certificate
- Before playing with the RDS proxy service, on the status, in right pane, choose a certificate in the “Use a certificate from Certificate Center”
- Click on Apply button.
¶ Videos Retention
On the “Video recording” section, ensure that your hard drive have disk space to store all videos if you plan to save sessions in video format.
If you have added a second disk, change the “Storage directory” to the best one.
By default, videos are stored during 365 days, according to your disk size, modify the Retention time to remove old videos files.
¶ Policies
Policies establish the link between RDP users to RDP targeted server.
Without policy, you cannot use the RDS proxy correctly.
¶ Create Target Servers
- On the left menu, choose “RDS Proxy” / “Policies”
- Select the tab “Targets”
- Click on the “New target” button
- Alias: A name of the target server, not the real name but a tag that define the server.
- Description: a description of the server that will be displayed on the available servers list.
- Protocol: Choose RDP
- Hostname: the real host name of the target server.
- Address: optional the IP address of the server.
- Remote port: the port of the RDP service on the target server.
- Username: the real user name that will be used to establish the RDP session.
It can username@domain to ensure use the right account - Password: The real password that will be used to establish the RDP session.
Do the same for all TSE service you want to share through the RDP Proxy.
¶ Create masked Members
Members are “Virtual members” for security reasons, Members that can connect to the remote TSE services did know what is the real member that can be used to access to the real target RDP server.
- Open the “Members” tab
- Click on “New Member”
You will set credentials by adding the:
User Name: the account used to be connected to the Artica service.
End Of Life: define the expire period, when reach the expire period, the user cannot login to the proxy.
- Add all your users in this table
¶ Create Policies
Policies make the link between your created users and your targeted proxies with some conditions.
- Select the “Policies” tab.
- Click on New Policy.
- Give the name of the Policy in “Rule Name”
- Set the Policy description.
- Turn On/off Video recording option if you want to save sessions in mp4 format
- Define the Session Time: means the maximal time a user can be logged to target servers.
- Click on Add button
¶ Set Authorized Networks
By default, the policy refuse any connection, you have to define from which networks users can log on the proxy.
- Click on Networks tab
- Click on Add a new Network
- If you did not know which network add 0.0.0.0/0 that means ALL networks.
¶ Link Members
- Click on Members tab
- Click on Link members and add your added users.
¶ Link Targets
- Click on Targets tab
- Click on Link targets to add TSE remote servers you want to allow in this policy.
¶ Periods
Time/schedule section allows you to restrict user to be connected to the RDP proxy using periods. You can for example force remote user to only connect during working day
When the period is over, users are automatically disconnected from the proxy.
¶ Monitoring
¶ Display Sessions
The “Sessions” in the left menu shows you which user is connected (with the connected Ip address) and where it is connected.
A unlink button allows you to disconnect automatically the established session.
¶ Download Saved Videos
If your rules have “video recording” enabled option, you will be able to download saved video in mp4 format from a compressed zip file.
¶ Maintenance
¶ Upgrade or downgrade the RDS Proxy Service.
- See this this article to display the upgrade procedure.
¶ FAQ
¶ Is RDS Proxy is fail to ban compatible ?
Yes RDS Proxy is automatically monitored by fail To ban. If there are too much rejected RDP sessions, the fail to ban service will add automatically the source IP address in the local Firewall.
¶ Can i define some members temporary?
Yes you can define a End Of life of each account associated to a policy.
End of life, is a maximal date a user can use the proxy. If the time is expired, the user is disabled and cannot use the RDS proxy anymore.
¶ Can i filter remote public addresses by countries ?
This feature is planned, priority of this feature depends on the amount of the Enterprise License project.
¶ Can i manage RDS Proxy using REST API ?
This feature is planned, priority of this feature depends on the amount of the Enterprise License project