Fudo Enterprise 5.5

Setup Fudo Enterprise - bastion scenario (recommended)

The bastion scenario is the recommended setup for the RDS feature, as it requires minimal manual configuration on Fudo. In this scenario, you need to:

  • create Fudo users corresponding to the Active Directory users who will connect through RDS,
  • add all servers included in the RDS Collection,
  • configure an account for server authentication,
  • set up a single listener in bastion mode paired with this account.

Note

This use case describes how to configure Fudo Enterprise using the Active Directory external authentication method. Keep in mind that you can use any other user authentication method supported by Fudo Enterprise to align with your specific requirements, the methods typically used in your environment, and your work scenarios.

Configure external authentication method:

  1. Log in to your Fudo Enterprise Admin Panel.
  2. Select Settings > Authentication.
  3. In the External authentication tab, click Add external authentication.
  4. Enter a unique name (e.g., ActiveDirectory01).
  5. Set the Bind address to Any.
  6. In the General section, select Active Directory.
  7. In the Host field, provide the Domain Controller IP address (e.g., 10.0.136.1).
  8. Leave the default port number: 389.
  9. Provide the name of the domain that will be used for authenticating users in Active Directory (e.g., mk.local).
  10. In the Credentials fields, provide the login credentials of the privileged account used to access the Domain Controller.
  11. Click Save.

Create User in Fudo:

  1. Select Management > Users and then click Add user.
  2. Enter the user name that matches the chosen user account in Active Directory (e.g., user1).
  3. In the Settings tab, under the Safes section, select portal.
  4. Click Save.
  5. Go to the Authentication section and, from the Add authentication method drop-down list, select External authentication.
  6. Choose the Active Directory method created in the previous steps and click Save.
  7. If necessary, fill in the remaining parameters as needed for your specific configuration. For more details, refer to the Creating a user section.
  8. Click Save and close.

Configure Server with the role of Connection Broker:

  1. Select Management > Servers and then click + Add server.
  2. Enter the server’s unique name (e.g., Broker).
  3. In the Permissions section, add users allowed to manage this object.
  4. In the Settings section, on the list of available protocols, select RDP.
  5. Select the TLS enabled and the NLA enabled options.
  6. In the Destination section, select IPv4 and enter the IP address of the server selected during RDS setup for the RD Broker role (in our example, the RDB server with IP 10.0.136.2).
  7. Click Save and close.

Configure Servers with the role of Session Hosts:

  1. Select Management > Servers and then click + Add server.
  2. Enter the server’s unique name (e.g., HOST1).
  3. In the Permissions section, add users allowed to manage this object.
  4. In the Settings section, on the list of available protocols, select RDP.
  5. Select the TLS enabled and the NLA enabled options.
  6. In the Destination section, select IPv4 and enter the server’s IP address (in our example, 10.0.136.4).
  7. Click Save and close.
  8. Repeat all the above steps to create a second server with the name HOST2 and IP address 10.0.136.5.

Configure Pool:

  1. Select Management > Pools and then click + Add pool.
  2. Enter the pool’s unique name (e.g., RDS-pool).
  3. In the SETTINGS tab, select the servers to be added to the pool, including the broker (e.g., HOST1, HOST2, BROKER).
  4. In the PERMISSIONS section, add users allowed to manage this object (e.g., user1).
  5. Click Save and close.

Configure Account:

  1. Select Management > Accounts and then click Add account.
  2. Define the object’s name (e.g., user1).
  3. In the Type section, select FORWARD.
  4. In the Target section, click Pool and, from the drop-down list, select the pool created in the previous step (e.g., RDS-pool) to assign the created account to this server pool.
  5. Select the Forward domain option to have the domain name included in the string identifying the user.
  6. In the Credentials section, provide the domain’s name (e.g., ml.local).
  7. Click Save.

Configure Listener:

  1. Select Management > Listeners and then click Add listener.
  2. Enter the listener’s unique name (e.g., ``rdp-broker-bastion``).
  3. Go to the PERMISSIONS tab and add users allowed to manage this listener (e.g., user1).
  4. Go to the SETTINGS tab and press the RDP button in the Protocol field.
  5. Select the TLS enabled option to enable encryption.
  6. Check the NLA enabled option for additional security.
  7. In the Connection mode section, select bastion.
  8. Set the local address to 10.0.58.238 or Any, and the port to 3389.
  9. In the CA certificate field, click Generate certificate to generate a TLS certificate by choosing the key algorithm and providing the Common Name (the name of the server where the certificate is installed), or click Upload to upload a server certificate file with the private key pasted at the end of the file.
  10. Click Save and close.

Configure Safe:

  1. Select Management > Safes and then click Add safe.
  2. Enter the safe’s unique name (e.g., ``rdp-safe``).
  3. Click Save to save the object and proceed with further configuration.
  4. Go to the Users tab to assign users allowed to access accounts assigned to this safe.
    • Click Manage users.
    • Mark the checkbox in front of the users’ names to enable their server access through the monitored safe (e.g., user1).
    • Click Save to close the modal window.
  5. Select the Accounts tab to add accounts accessible through this safe.
    • Click Manage accounts.
    • Mark the checkbox in front of the accounts’ names to add them (e.g., user1).
    • Click Save to close the modal window.
    • Select the added account and click Manage listeners to assign a listener (e.g., ``rdp-broker-bastion``).
    • Click Save to close the modal window.
  6. Click Save and close to save the safe configuration.

Establish a connection through the Access Gateway:

Warning

When establishing connections using Remote Desktop Services, use the Native client option. The Web client feature is not functional for this type of scenario.

  1. Log in to the Fudo Enterprise Access Gateway using user1 as the username and the password corresponding to the one configured in Active Directory.

Note

You can find the Access Gateway address in the Settings > Network configuration menu tab.

  2. Hover the cursor over the user1 account name, select Native client and click the Connect button to download the .rdp configuration file.
  3. Open the downloaded file to establish a connection.
  4. Enter the password for the user1 account to log in to the server.

Redirect the connection through Fudo using RDP native client:

  1. In order to redirect the connection through Fudo Enterprise, use the Fudo Access Gateway address in the RDP client configuration.
  2. Choose your favorite remote desktop client, such as Microsoft Remote Desktop, and follow its workflow to add a new PC for connection.
  3. Following the example of Microsoft Remote Desktop, click the plus icon in the upper part of the window and select Add PC.
  4. In the PC Name field, enter the address of the Fudo Enterprise Access Gateway followed by the port number and click Add.

Note

You can find the Access Gateway address in the Settings > Network configuration menu tab.

  5. Connect to the added PC by providing the bastion login string in the Username field and the password in the Password field.

Note

  • Use the following pattern for the bastion login string: user name # account login on the target server # target server address (e.g., user1#user1#10.0.136.4). You may specify the IP address of any server within the RDS collection as the target server address in the login string, and the broker will handle the connection redirection in accordance with RDS rules.
  • You can skip the account login if it is the same as the user name, e.g., user1##10.0.136.4.

  6. The Remote Desktop client will establish a connection with one of the servers from the RDS collection.
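The bastion login string and the native-client connection described above, as an added example that is not part of the Fudo documentation or Fudo's own tooling: it validates a login string against the RDS collection (handling the empty account field that means "same as user name"), and emits a minimal .rdp file that points the client at the listener. The gateway address, port and server map are constructed from the values used in this use case.

```python
"""Build, validate and emit Fudo bastion login strings (added example, not Fudo code)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample values taken from this use case's example deployment.
ACCESS_GATEWAY = "10.0.58.238"      # listener local address
LISTENER_PORT = 3389                # listener port
RDS_COLLECTION = {                  # target address -> Fudo server name
    "10.0.136.2": "BROKER",
    "10.0.136.4": "HOST1",
    "10.0.136.5": "HOST2",
}


@dataclass(frozen=True)
class BastionLogin:
    user: str      # Fudo user name (authenticated against Active Directory)
    account: str   # account login on the target server
    target: str    # target server IPv4 address inside the RDS collection

    def login_string(self, short: bool = False) -> str:
        """Render user#account#target; the short form drops a redundant account."""
        account = "" if short and self.account == self.user else self.account
        return f"{self.user}#{account}#{self.target}"


def parse_bastion_login(login: str, collection=RDS_COLLECTION) -> BastionLogin:
    """Parse and validate a bastion login string against the RDS collection."""
    parts = login.split("#")
    if len(parts) != 3:
        raise ValueError(f"expected user#account#target, got {login!r}")
    user, account, target = parts
    if not user:
        raise ValueError("user name must not be empty")
    account = account or user          # empty middle field means "same as user"
    try:
        ipaddress.IPv4Address(target)  # the listener destination is IPv4 here
    except ValueError as exc:
        raise ValueError(f"target {target!r} is not an IPv4 address") from exc
    if target not in collection:
        raise ValueError(f"target {target} is not a server in the RDS collection")
    return BastionLogin(user, account, target)


def is_valid_bastion_login(login: str) -> bool:
    """Boolean wrapper for pre-checks in scripts or when validating log entries."""
    try:
        parse_bastion_login(login)
        return True
    except ValueError:
        return False


def build_rdp_file(login: BastionLogin, gateway: str = ACCESS_GATEWAY,
                   port: int = LISTENER_PORT) -> str:
    """Emit a minimal .rdp file (standard Microsoft keys) aimed at the listener."""
    lines = [
        f"full address:s:{gateway}:{port}",
        f"username:s:{login.login_string()}",
        "prompt for credentials:i:1",     # the AD password is never stored in the file
        "enablecredsspsupport:i:1",       # listener has NLA enabled
        "authentication level:i:2",       # warn if the listener certificate cannot be verified
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_rdp_file(parse_bastion_login("user1##10.0.136.4")))
```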

View the established session in the Fudo Enterprise Admin Panel:

  1. Log in to your Fudo Enterprise Admin Panel.
  2. Select Management > Sessions.
  3. Find the desired session and click i.

Related topics:

  • Setup Fudo Enterprise - bastion scenario (recommended)
  • RDP in bastion mode
  • Authentication
  • Network interfaces configuration

© Copyright 2024, Fudo Security Inc.