Setup Fudo Enterprise - bastion scenario (recommended)

The Bastion scenario is the recommended setup for the RDS feature, as it requires minimal manual configuration on Fudo. In this scenario, you need to:

• create users via the RDS functionality to correspond with Active Directory users,
• add all servers included in the RDS Collection,
• configure an account for server authentication,
• set up a single listener in bastion mode paired with this account.

Note

This use case describes how to configure Fudo Enterprise using the Active Directory external authentication method. Please keep in mind that you can customize user authentication using any other method supported by Fudo Enterprise to align with your specific requirements, the methods typically used in your environment, and your work scenarios.

Configure external authentication method:

1. Login into your Fudo Enterprise Admin Panel.

2. Select Settings > Authentication.
3. In the External authentication tab click Add an external authentication source.

4. From the Type drop down list select Active Directory.
5. In the Host field provide the Domain Controller IP address (e.g., 10.0.136.1).
6. Leave default port number: 389.
7. Set the Bind address to Any.
8. Provide the name of the domain which will be used for authenticating users in Active Directory (e.g., mk.local).
9. In the Login, Secret, and Repeat secret fields provide the privileged account’s login credentials used to access the Domain Controller.

10. Click Save.

Create User in Fudo:

1. Select Management > Users and then click Add user.

2. Enter the user name that matches the chosen user account in Active Directory (e.g., ‘user1’).
3. In the Settings tab, under the Safes section, select portal.

4. Click Save.

5. Go to the Authentication section and from the Add authentication method drop down list select External authentication.

6. Chose created in previous steps Active Directory method and click Save.

7. If necessary, please fill in the remaining parameters as needed for your specific configuration. For more details, please refer to the Creating a user section.

8. Click Save and close.

Configure Server with the role of Connection Broker:

1. Select Management > Servers and then click + Add server.

2. Enter server’s unique name (e.g., Broker).
3. In the Permissions section, add users allowed to manage this object.
4. In the Settings section on the list of available protocols select RDP.

5. Select the TLS enabled and the NLA enabled options.

6. In the Destination section select IPv4 and enter IP address of the server selected during RDS setup for the RD Broker role (in our example, RDB server with IP 10.0.136.2).

7. Click Save and close.

Configure Servers with the role of Session Hosts:

1. Select Management > Servers and then click + Add server.

2. Enter server’s unique name (e.g., HOST1).
3. In the Permissions section, add users allowed to manage this object.
4. In the Settings section on the list of available protocols select RDP.

5. Select the TLS enabled and the NLA enabled options.

6. In the Destination section select IPv4 and enter server’s IP address (in our example, 10.0.136.4).

7. Click Save and close.

8. Repeat all the above steps to create second server with name HOST2 and IP address 10.0.136.5.

Configure Pool:

1. Select Management > Pools and then click + Add pool

2. Enter pool’s unique name (e.g., RDS-pool).
3. In the Settings tab select servers to be added to the pool including the broker (e.g., HOST1, HOST2, BROKER).
4. In the Permissions section, add users allowed to manage this object (e.g., user1).

6. Click Save and close

Configure Account:

1. Select Management > Accounts and then click Add.

2. Define object’s name (e.g., user1).
3. Select forward from the Type drop-down list.
4. Go to the Server / Pool section and from the drop down list select Pool created in previous step (e.g., RDS-pool) to assign created account to this server pool.

5. In the Credentials section select Forward domain option to have the domain name included in the string identifying the user.
6. Click Save.

Configure Listener

1. Select Management > Listeners and then click Add listener.

2. Enter listener’s unique name (e.g.,``rdp-broker-bastion``).
3. Go to Permissions tab and add users allowed to manage this listener (e.g., user1).

4. Go to Settings tab and press the RDP button in the Protocol field.
5. Select the TLS enabled option to enable encryption.
6. Check the NLA enabled option for additional security.

7. In the Connection mode section, select bastion.
8. Set the local address to 10.0.58.238 or Any, and port 3389.

9. In the CA certificate field, click Generate certificate to generate TLS certificate by choosing key algorithm and providing Common Name (server name where the certificate is installed), or click Upload to upload server certificate file with private key pasted at the end of the file.
10. Click Save and close.

Configure Safe:

1. Select Management > Safes and then click Add.

2. Enter safe’s unique name (e.g.,``rdp-safe``).

3. Go to the Users tab to assign users allowed to access accounts assigned to this safe.

   • Click Add user.
   • Click i next to the users’ names to enable their server access through the monitored safe (e.g., user1).
   • Click ok to close the modal window.

4. Select Accounts tab to add accounts accessible through this safe.

   • Click Add account.
   • Click . next to the accounts’ names to add it (e.g., user1).
   • Click ok to close the modal window.
   • Click . in the Listeners column, next click . to assign selected listener to account (e.g.,``rdp-broker-bastion``).
   • Click ok to close the modal window.

5. Click Save to save the safe configuration.

Establish a connection through the Access Gateway:

Warning

When establishing connections using the Remote Desktop Services, please use the Native client option. Web client feature is not functional for this type of scenario.

1. Log in to the Fudo Enterprise Access Gateway using user1 as the username and password corresponding to the one configured in the Active Directory.

Note

You can find the Access Gateway address in the Settings > Network configuration menu tab.

2. Hover the cursor over the user1 account name, select Native client and click the Connect button to download the .rdp configuration file.

3. Open the downloaded file to establish a connection.
4. Enter the password for the user1 account to log in to the server.

Redirect the connection through Fudo using RDP native client:

1. In order to redirect the connection through Fudo Enterprise, we need to use the Fudo Access Gateway address in the RDP client configuration.
2. Choose your favorite remote desktop client, such as Microsoft Remote Desktop, and follow its workflow to add a new PC for connection.
3. Following the example of Microsoft Remote Desktop, click the plus icon in the upper part of the window and select Add PC.

4. In the PC Name field, enter the address of the Fudo Enterprise Access Gateway followed by the port number and click Add.

Note

You can find the Access Gateway address in the Settings > Network configuration menu tab.

5. Connect to the added PC by providing the bastion login string in Username field and password in the Password field.

Note

• Please use the following pattern for the bastion login string: user name # account login on the target server # target server address (e.g., user1#user1#10.0.136.4).

You may specify the IP address of any server within the RDS collection as the target server address in the login string, and the broker will handle the connection redirection in accordance with RDS rules.

• You can skip the account login if it’s the same as the user name, e.g, user1##10.0.136.4

6. Remote Desktop client will establish connection with one of the servers from the RDS collection.

View the established session in the Fudo Enterprise Admin Panel:

1. Login into your Fudo Enterprise Admin Panel.

2. Select Management > Sessions.
3. Find desired session and click i.

Related topics:

• Setup Fudo Enterprise - bastion scenario (recommended)
• RDP in bastion mode
• Authentication
• Network interfaces configuration