Set up Fudo Enterprise - bastion scenario (recommended)
The Bastion scenario is the recommended setup for the RDS feature, as it requires minimal manual configuration on Fudo. In this scenario, you need to:
- create users via the RDS functionality to correspond with Active Directory users,
- add all servers included in the RDS Collection,
- configure an account for server authentication,
- set up a single listener in bastion mode paired with this account.
Note
This use case describes how to configure Fudo Enterprise using the Active Directory external authentication method. Please keep in mind that you can customize user authentication using any other method supported by Fudo Enterprise to align with your specific requirements, the methods typically used in your environment, and your work scenarios.
Configure external authentication method:
- Log in to your Fudo Enterprise Admin Panel.
- Select > .
- In the External authentication tab click .
- Enter a unique name (e.g., `ActiveDirectory01`).
- Set the Bind address to Any.
- In the General section select .
- In the Host field provide the Domain Controller IP address (e.g., `10.0.136.1`).
- Leave the default port number: `389`.
- Provide the name of the domain which will be used for authenticating users in Active Directory (e.g., `mk.local`).
- In the Credentials fields provide the privileged account's login credentials used to access the Domain Controller.
- Click .
Create User in Fudo:
- Select > and then click .
- Enter the user name that matches the chosen user account in Active Directory (e.g., `user1`).
- In the Settings tab, under the Safes section, select portal.
- Click .
- Go to the Authentication section and from the Add authentication method drop-down list select External authentication.
- Choose the Active Directory method created in the previous steps and click .
- If necessary, fill in the remaining parameters as needed for your specific configuration. For more details, refer to the Creating a user section.
- Click .
Configure Server with the role of Connection Broker:
- Select > and then click .
- Enter the server's unique name (e.g., `Broker`).
- In the Permissions section, add users allowed to manage this object.
- In the Settings section, on the list of available protocols, select RDP.
- Select the TLS enabled and the NLA enabled options.
- In the Destination section select IPv4 and enter the IP address of the server selected during RDS setup for the RD Broker role (in our example, the `RDB` server with IP `10.0.136.2`).
- Click .
Configure Servers with the role of Session Hosts:
- Select > and then click .
- Enter the server's unique name (e.g., `HOST1`).
- In the Permissions section, add users allowed to manage this object.
- In the Settings section, on the list of available protocols, select RDP.
- Select the TLS enabled and the NLA enabled options.
- In the Destination section select IPv4 and enter the server's IP address (in our example, `10.0.136.4`).
- Click .
- Repeat all the above steps to create a second server with the name `HOST2` and IP address `10.0.136.5`.
Configure Pool:
Configure Account:
- Select > and then click .
- Define the object's name (e.g., `user1`).
- In the Type section select .
- In the Target section click , and from the drop-down list select the Pool created in the previous step (e.g., `RDS-pool`) to assign the created account to this server pool.
- Select the Forward domain option to have the domain name included in the string identifying the user.
- In the Credentials section provide the domain's name (e.g., `ml.local`).
- Click .
Configure Listener
- Select > and then click .
- Enter the listener's unique name (e.g., `rdp-broker-bastion`).
- Go to the PERMISSIONS tab and add users allowed to manage this listener (e.g., `user1`).
- Go to the SETTINGS tab and press the button in the Protocol field.
- Select the TLS enabled option to enable encryption.
- Check the NLA enabled option for additional security.
- In the Connection mode section, select .
- Set the local address to `10.0.58.238` or `Any`, and the port to `3389`.
- In the CA certificate field, click to generate a TLS certificate by choosing the key algorithm and providing the Common Name (the name of the server where the certificate is installed), or click to upload a server certificate file with the private key pasted at the end of the file.
- Click .
Configure Safe:
- Select > and then click .
- Enter the safe's unique name (e.g., `rdp-safe`).
- Click to save the object and proceed with further configuration.
- Go to the Users tab to assign users allowed to access accounts assigned to this safe.
- Click .
- Mark the checkbox in front of the users' names to enable their server access through the monitored safe (e.g., `user1`).
- Click to close the modal window.
- Select the Accounts tab to add accounts accessible through this safe.
- Click .
- Mark the checkbox in front of the accounts' names to add them (e.g., `user1`).
- Click to close the modal window.
- Select the added account and click to assign a listener (e.g., `rdp-broker-bastion`).
- Click to close the modal window.
- Click to save the safe configuration.
Establish a connection through the Access Gateway:
Warning
When establishing connections using the Remote Desktop Services, please use the Native client option. Web client feature is not functional for this type of scenario.
- Log in to the Fudo Enterprise Access Gateway using `user1` as the username and the password corresponding to the one configured in Active Directory.
Note
You can find the Access Gateway address in the > menu tab.
- Hover the cursor over the `user1` account name, select Native client and click the button to download the `.rdp` configuration file.
- Open the downloaded file to establish a connection.
- Enter the password for the `user1` account to log in to the server.
Redirect the connection through Fudo using RDP native client:
- In order to redirect the connection through Fudo Enterprise, use the Fudo Access Gateway address in the RDP client configuration.
- Choose your preferred remote desktop client, such as Microsoft Remote Desktop, and follow its workflow to add a new PC for connection.
- Following the example of Microsoft Remote Desktop, click the plus icon in the upper part of the window and select Add PC.
- In the PC Name field, enter the address of the Fudo Enterprise Access Gateway followed by the port number and click Add.
Note
You can find the Access Gateway address in the > menu tab.
- Connect to the added PC by providing the bastion login string in the Username field and the password in the Password field.
Note
- Use the following pattern for the bastion login string: user name # account login on the target server # target server address (e.g., `user1#user1#10.0.136.4`). You may specify the IP address of any server within the RDS collection as the target server address in the login string, and the broker will handle the connection redirection in accordance with RDS rules.
- You can skip the account login if it is the same as the user name, e.g., `user1##10.0.136.4`.
- The Remote Desktop client will establish a connection with one of the servers from the RDS collection.
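As an added illustration (not Fudo's own code), the bastion login-string convention from the note above expressed as a small parser: it applies the empty-account default and checks that the target address is a valid IPv4 address belonging to the RDS collection. The `RDS_COLLECTION` set is constructed from this page's example addresses and is an assumption, as are the function names.

```python
import ipaddress

# Constructed sample inventory, assumed from the page's example:
# RD Broker 10.0.136.2 and session hosts 10.0.136.4 / 10.0.136.5.
RDS_COLLECTION = {"10.0.136.2", "10.0.136.4", "10.0.136.5"}


def parse_bastion_login(login: str) -> dict:
    """Split 'user#account#target' into its three fields.

    An empty account field (e.g. 'user1##10.0.136.4') means the account
    login on the target server equals the Fudo user name.
    """
    parts = login.split("#")
    if len(parts) != 3:
        raise ValueError("expected exactly three '#'-separated fields")
    user, account, target = (p.strip() for p in parts)
    if not user:
        raise ValueError("user name must not be empty")
    if not target:
        raise ValueError("target server address must not be empty")
    return {"user": user, "account": account or user, "target": target}


def target_in_collection(target: str, collection=RDS_COLLECTION) -> bool:
    """True only for a well-formed IPv4 address that is part of the collection."""
    try:
        ipaddress.IPv4Address(target)
    except ipaddress.AddressValueError:
        return False
    return target in collection


def check_login(login: str, collection=RDS_COLLECTION) -> dict:
    """Parse the login string and reject targets outside the RDS collection."""
    fields = parse_bastion_login(login)
    if not target_in_collection(fields["target"], collection):
        raise ValueError(f"target {fields['target']} is not in the RDS collection")
    return fields
```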
View the established session in the Fudo Enterprise Admin Panel:
Related topics: