Setup Fudo Enterprise - proxy scenario

The proxy scenario for RDS requires more manual configuration in Fudo Enterprise than the bastion scenario, but it offers a simplified connection method. Each server in the RDS Collection must have its own proxy listener on Fudo Enterprise, assigned a dedicated IP address with port 3389.


In this setup, you need to:

  • create users through the RDS functionality to align with Active Directory users,
  • add all servers in the RDS Collection,
  • configure an account for each server,
  • create a listener in proxy mode for each server.

Note

This use case describes how to configure Fudo Enterprise using the Active Directory external authentication method. Please keep in mind that you can customize user authentication using any other method supported by Fudo Enterprise to align with your specific requirements, the methods typically used in your environment, and your work scenarios.

Configure external authentication method:

  1. Log in to your Fudo Enterprise Admin Panel.
  2. Select Settings > Authentication.
  3. In the External authentication tab click Add an external authentication source.
  4. From the Type drop-down list select Active Directory.
  5. In the Host field provide the Domain Controller IP address (e.g., 10.0.136.1).
  6. Leave default port number: 389.
  7. Set the Bind address to Any.
  8. Provide the name of the domain which will be used for authenticating users in Active Directory (e.g., mk.local).
  9. In the Login, Secret, and Repeat secret fields provide the privileged account’s login credentials used to access the Domain Controller.
  10. Click Save.

Create User in Fudo:

  1. Select Management > Users and then click Add user.
  2. Enter the user name that matches the chosen user account in Active Directory (e.g., user1).
  3. In the Settings tab, under the Safes section, select portal.
  4. Click Save.
  5. Go to the Authentication section and from the Add authentication method drop-down list select External authentication.
  6. Choose the Active Directory method created in the previous steps and click Save.
  7. If necessary, fill in the remaining parameters as needed for your specific configuration. For more details, please refer to the Creating a user section.
  8. Click Save and close.

Configure Server with the role of Connection Broker:

  1. Select Management > Servers and then click + Add server.
  2. Enter the server’s unique name (e.g., Broker).
  3. In the Permissions section, add users allowed to manage this object.
  4. In the Settings section, select RDP on the list of available protocols.
  5. Select the TLS enabled and the NLA enabled options.
  6. In the Destination section select IPv4 and enter the IP address of the server selected during RDS setup for the RD Broker role (in our example, RDB server with IP 10.0.136.2).
  7. Click Save and close.

Configure Servers with the role of Session Hosts:

  1. Select Management > Servers and then click + Add server.
  2. Enter the server’s unique name (e.g., HOST1).
  3. In the Permissions section, add users allowed to manage this object.
  4. In the Settings section, select RDP on the list of available protocols.
  5. Select the TLS enabled and the NLA enabled options.
  6. In the Destination section select IPv4 and enter the server’s IP address (in our example, 10.0.136.4).
  7. Click Save and close.
  8. Repeat all the above steps to create a second server with the name HOST2 and IP address 10.0.136.5.

Configure Accounts:

  1. Select Management > Accounts and then click Add.
  2. Define the object’s name (e.g., rds-host1-forward).
  3. Select forward from the Type drop-down list.
  4. Go to the Server / Pool section and from the drop-down list select the server created in the previous step (e.g., HOST1) to assign the created account to this server.
  5. Click Save.
  6. Repeat all the above steps to create accounts for the HOST2 and BROKER servers (e.g., rds-host2-forward, rds-broker-forward).

Configure Listeners:

  1. Select Management > Listeners and then click Add listener.
  2. Enter the listener’s unique name (e.g., rdp-proxy-01).
  3. Go to the Permissions tab and add users allowed to manage this listener (e.g., user1).
  4. Go to the Settings tab and press the RDP button in the Protocol field.
  5. Select the TLS enabled option to enable encryption.
  6. Check the NLA enabled option for additional security.
  7. In the Connection mode section, select proxy.
  8. Set the local address to the dedicated IP address (e.g., 10.0.58.238) and the port to 3389.

Note

To learn how to manage additional IP addresses, please refer to the Network interfaces configuration section.

  9. In the CA certificate field, click Generate certificate to generate a TLS certificate by choosing the key algorithm and providing the Common Name (the name of the server where the certificate is installed), or click Upload to upload a server certificate file with the private key pasted at the end of the file.
  10. Click Save and close.
  11. Repeat all the above steps to create additional listeners, each with a dedicated IP address and port 3389, for the HOST2 and BROKER servers.

Configure Safe:

  1. Select Management > Safes and then click Add.

  2. Enter the safe’s unique name (e.g., rdp-safe).

  3. Go to the Users tab to assign users allowed to access accounts assigned to this safe.

    • Click Add user.
    • Click i next to the users’ names to enable their server access through the monitored safe (e.g., user1).
    • Click ok to close the modal window.
  4. Select Accounts tab to add accounts accessible through this safe.

    • Click Add account.
    • Click . next to each account name created in the previous steps to add it (e.g., rds-host1-forward, rds-host2-forward, rds-broker-forward).
    • Click ok to close the modal window.
    • Click . in the Listeners column, next click . to assign a listener to it. Assign an independent listener to each account (e.g., rdp-proxy-01, rdp-proxy-02, rdp-proxy-03).
    • Click ok to close the modal window.
  5. Click Save to save the safe configuration.
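
The listener rules above (one independent proxy listener per account, each on a dedicated IP address with port 3389, TLS and NLA enabled) can be checked against a written plan before clicking through the panel. This is an added example, not Fudo Enterprise code: the plan layout and the validate and listener helpers are hypothetical, and the 192.0.2.x addresses are placeholders.

```python
import ipaddress
from collections import Counter

def listener(ip, port=3389, mode="proxy", tls=True, nla=True):
    """Describe one planned listener (hypothetical layout, not a Fudo format)."""
    return {"ip": ip, "port": port, "mode": mode, "tls": tls, "nla": nla}

# Constructed plan using the page's example names. The addresses of
# rdp-proxy-02/03 are placeholders (192.0.2.0/24), not values from the page.
PLAN = {
    "servers": ["HOST1", "HOST2", "BROKER"],
    "accounts": {"rds-host1-forward": "HOST1",      # account -> server
                 "rds-host2-forward": "HOST2",
                 "rds-broker-forward": "BROKER"},
    "listeners": {"rdp-proxy-01": listener("10.0.58.238"),
                  "rdp-proxy-02": listener("192.0.2.12"),
                  "rdp-proxy-03": listener("192.0.2.13")},
    "safe": {"rds-host1-forward": "rdp-proxy-01",   # account -> listener
             "rds-host2-forward": "rdp-proxy-02",
             "rds-broker-forward": "rdp-proxy-03"},
}

def validate(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for server in plan["servers"]:
        if server not in plan["accounts"].values():
            problems.append(f"{server}: no forward account")
    for account in plan["accounts"]:
        if plan["safe"].get(account) not in plan["listeners"]:
            problems.append(f"{account}: no valid listener assigned in the safe")
    for name, count in Counter(plan["safe"].values()).items():
        if count > 1:
            problems.append(f"{name}: shared by {count} accounts")
    endpoints = Counter((c["ip"], c["port"]) for c in plan["listeners"].values())
    for name, cfg in plan["listeners"].items():
        ipaddress.ip_address(cfg["ip"])  # raises ValueError on a malformed address
        if cfg["port"] != 3389 or cfg["mode"] != "proxy":
            problems.append(f"{name}: must be proxy mode on port 3389")
        if not (cfg["tls"] and cfg["nla"]):
            problems.append(f"{name}: TLS and NLA must both be enabled")
        if endpoints[(cfg["ip"], cfg["port"])] > 1:
            problems.append(f"{name}: address {cfg['ip']}:{cfg['port']} is not dedicated")
    return problems

if __name__ == "__main__":
    print(validate(PLAN) or "plan is consistent")
```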

Establish a connection through the Access Gateway:

Warning

When establishing connections using the Remote Desktop Services, please use the Native client option. The Web client feature is not functional for this type of scenario.

  1. Log in to the Fudo Enterprise Access Gateway using user1 as the username and the password configured for that account in Active Directory.

Note

You can find the Access Gateway address in the Settings > Network configuration menu tab.

  2. Hover the cursor over the user1 account name, select Native client and click the Connect button to download the .rdp configuration file.
  3. Open the downloaded file to establish a connection.
  4. Enter the password for the user1 account to log in to the server.

Redirect the connection through Fudo using RDP native client:

  1. To redirect the connection through Fudo Enterprise, use the Fudo Access Gateway address in the RDP client configuration.
  2. Choose your favorite remote desktop client, such as Microsoft Remote Desktop, and follow its workflow to add a new PC for connection.
  3. Following the example of Microsoft Remote Desktop, click the plus icon in the upper part of the window and select Add PC.
  4. In the PC Name field, enter the address of the Fudo Enterprise Access Gateway followed by the port number and click Add.

Note

You can find the Access Gateway address in the Settings > Network configuration menu tab.

  5. Connect to the added PC by providing the login and password of user1 set in the Active Directory environment (according to the method selected while creating the user in Fudo Enterprise).
  6. The Remote Desktop client will establish a connection with one of the servers from the RDS collection.

View the established session in the Fudo Enterprise Admin Panel:

  1. Log in to your Fudo Enterprise Admin Panel.
  2. Select Management > Sessions.
  3. Find the desired session and click i.
