Jump Desktop rdp Gateway

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.

We call it clientless because no plugins or client software are required.

Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.

Latest release: 1.4.0 [released on 2022-01-01 21:20:13 -0800]

  • Because the Guacamole client is an HTML5 web application, use of your computers is not tied to any one device or location. As long as you have access to a web browser, you have access to your machines.

  • Desktops accessed through Guacamole need not physically exist. With both Guacamole and a desktop operating system hosted in the cloud, you can combine the convenience of Guacamole with the resilience and flexibility of cloud computing.

  • Apache Guacamole is and will always be free and open source software. It is licensed under the Apache License, Version 2.0, and is actively maintained by a community of developers that use Guacamole to access their own development environments.

    We feel this sets us apart from other remote desktop solutions, and gives us a distinct advantage.

  • Apache Guacamole is built on its own stack of core APIs which are thoroughly documented, including basic tutorials and conceptual overviews in the online manual. These APIs allow Guacamole to be tightly integrated into other applications, whether they be open source or proprietary.

  • For enterprises, dedicated commercial support is also available through third party companies.

  • Use this Quick Start to automatically set up the following RD Gateway environment on AWS:

    • A highly available architecture that spans two Availability Zones.*
    • A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
    • An internet gateway to allow access to the internet. This gateway is used by the RD Gateway instances to send and receive traffic.*
    • Managed network address translation [NAT] gateways to allow outbound internet access for resources in the private subnets.*
    • In each public subnet, up to four RD Gateway instances in an Auto Scaling group to provide secure remote access to instances in the private subnets. Each instance is assigned an Elastic IP address so it’s reachable directly from the internet.
    • A Network Load Balancer to provide RDP access to the RD Gateway instances.
    • A security group for Windows-based instances that will host the RD Gateway role, with an ingress rule permitting TCP port 3389 from your administrator IP address. After deployment, you’ll modify the security group ingress rules to configure administrative access through TCP port 443 instead.
    • An empty application tier for instances in private subnets. If more tiers are required, you can create additional private subnets with unique CIDR ranges.
    • AWS Secrets Manager to securely store credentials used for accessing the RD Gateway instances.
    • AWS Systems Manager to automate the deployment of the RD Gateway Auto Scaling group.

    The Quick Start also installs a self-signed SSL certificate and configures RD CAP and RD RAP policies.

    *  The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.

  • Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

    View deployment guide for details

  • You are responsible for the cost of the AWS services and any paid third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

    This Quick Start launches the Amazon Machine Image [AMI] for Microsoft Windows Server 2012 R2 and includes the license for the Windows Server operating system. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don’t have to install any updates. The Windows Server AMI doesn’t require Client Access Licenses [CALs] and includes two Microsoft Remote Desktop Services licenses. For details, see Microsoft Licensing on AWS.
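The security group in the Quick Start list above starts with TCP 3389 allowed from the administrator IP and is meant to end up with administrative access on TCP 443 instead. The following Python audits a security group's ingress rules for that post-deployment state. It is an added example, not code from the AWS Quick Start; it works on the IpPermissions structure returned by `aws ec2 describe-security-groups`, and the rule sets and administrator CIDR are constructed samples.

```python
"""Audit RD Gateway security-group ingress rules against the Quick Start description.

Added example: this is not code from the AWS Quick Start. It reads the
IpPermissions structure that `aws ec2 describe-security-groups` returns and
checks for the post-deployment state described above: administrative access
on TCP 443 from the administrator IP only, and no remaining TCP 3389 rule.
The rule sets and the administrator CIDR below are constructed samples.
"""
import ipaddress

RDP_PORT = 3389
HTTPS_PORT = 443
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _covers(perm, port):
    """True if an IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _cidrs(perm):
    """All IPv4 and IPv6 source ranges of an IpPermissions entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _within(cidr, net):
    """True if `cidr` lies inside the administrator network `net`."""
    other = ipaddress.ip_network(cidr, strict=False)
    return other.version == net.version and other.subnet_of(net)


def audit_rdgw_ingress(permissions, admin_cidr):
    """Return a list of findings; an empty list means the rules match the
    post-deployment state (TCP 443 from admin_cidr only, no TCP 3389)."""
    admin_net = ipaddress.ip_network(admin_cidr, strict=False)
    findings = []
    https_from_admin = False
    for perm in permissions:
        for cidr in _cidrs(perm):
            if _covers(perm, RDP_PORT):
                if cidr in ANYWHERE:
                    findings.append(f"TCP {RDP_PORT} is open to {cidr}")
                else:
                    findings.append(f"TCP {RDP_PORT} still allowed from {cidr}; "
                                    f"move administrative access to TCP {HTTPS_PORT}")
            if _covers(perm, HTTPS_PORT):
                if cidr in ANYWHERE:
                    findings.append(f"TCP {HTTPS_PORT} is open to {cidr}")
                elif _within(cidr, admin_net):
                    https_from_admin = True
                else:
                    findings.append(f"TCP {HTTPS_PORT} allowed from non-administrator range {cidr}")
    if not https_from_admin:
        findings.append(f"no TCP {HTTPS_PORT} rule from administrator range {admin_cidr}")
    return findings


# Constructed samples (documentation-range addresses, not a real deployment).
ADMIN_CIDR = "203.0.113.10/32"

# As deployed: RDP from the administrator IP only.
INITIAL_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": ADMIN_CIDR}]},
]

# After the post-deployment change: HTTPS from the administrator IP only.
POST_DEPLOY_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": ADMIN_CIDR}]},
]

# A misconfiguration: the RDP rule was widened to the internet instead of replaced.
OPEN_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for name, rules in (("initial", INITIAL_RULES),
                        ("post-deploy", POST_DEPLOY_RULES),
                        ("open", OPEN_RULES)):
        print(name, audit_rdgw_ingress(rules, ADMIN_CIDR) or ["ok"])
```

Run it against the `IpPermissions` list of the RD Gateway security group (for example, the JSON from `aws ec2 describe-security-groups --group-ids <id>`) after the Quick Start completes and again after the 443 change; the initial rule set reports the lingering 3389 rule, and the widened rule set reports the world-open port.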

The Remote Desktop Gateway [RDG] is used to access your on-campus Windows computer from another remote computer. It provides additional security for our connections with university computing resources.

Note: It is not recommended that you transfer files between the computers connected with RDG. No large file transfers or playing of video content on the destination machine should be attempted. Small files such as documents and spreadsheets are acceptable. For larger transfers, use Office 365's OneDrive cloud storage [instructions here], or usf.box.com.

Step 1: Requirements and Setup

Destination Computer:

The computer you are connecting to must be running Windows 7 or above; you cannot use RDG to connect to a Mac, though you can connect from a Mac.

You will need to know the computer's name [ends in forest.usf.edu], or its IP address. You can find instructions in our knowledgebase, here.

Step 2: Connecting

Initiating Computer:

You can use most modern web browsers to access the Gateway [Chrome, Firefox or Microsoft's]. Just make sure your browser is the most recent version.

If you are connecting from Windows, follow these steps:

1. Open your browser and navigate to //usfweb.usf.edu/remote, and login. Here you can set desired resolution and other options.

2. Enter the computer name or IP address you wish to connect to.

3. Click Find Computer. RDG will go through a series of checks and display the results to you, making sure the computer is found, is awake and that your connection is solid.

4. Click Connect. RDG will download a 'USFRemoteAccess.rdp' file.

5. Execute this file.

6. You will now be prompted by your destination computer to log in with your credentials. Remember to add 'forest\' as your domain if needed.

7. If you are using it, you will be prompted for dual-factor authentication as usual.

Once you have completed this process, you will have a window to your destination computer and may use it as if you were sitting in front of it. When you are finished you can simply log out of your remote computer and the window will close.

For more help, you may contact the Helpdesk, or review more detailed instructions in our knowledgebase, here.

If you are connecting from a Mac, you can view detailed instructions in our knowledgebase, here.

If you are connecting from an iPad, you can view detailed instructions in our knowledgebase, here.

PSM can be configured to work with the Microsoft Remote Desktop Gateway. All information that is transferred between the user and the PSM proxy machine is encrypted and protected by the HTTPS protocol. This enables secure cross-network and remote access.

Alternatively, you can configure PSM to work with an HTML5 gateway which tunnels the session between the end user and the PSM proxy machine using a secure WebSocket protocol. For details about configuring the PSM to work with HTML5, refer to Secure Access with an HTML5 Gateway.

Overview

Connecting through RD Gateway requires additional authentication by the end user to the RD Gateway itself.

If the connection is made through the PVWA portal, it is possible to enable single sign-on so users automatically authenticate to the RD Gateway. However, this type of connection is supported only when connecting with ActiveX and does not support RDP files, the RemoteApp user experience, or connections directly from users’ desktops.

Connect with an RDP client application

When the connection is made directly from the users' desktop, the RDP client application can be configured to use the RD Gateway. For more information refer to the documentation of the RDP client application you are using.

Connect using the PVWA portal

When the connection is made through the PVWA portal, you will need to configure access through the RD Gateway.

Before configuration

Verify that a Remote Desktop Gateway is installed for the PSM Server. If the Remote Desktop Gateway is not installed on the PSM server machine, verify that the machine where it is installed has RDP network access to the PSM machine.

For more information, refer to Microsoft documentation.

Verify that the client machine meets the system requirements for the Remote Desktop Gateway:

  • Windows Vista / 2008 / XP SP3
  • For XP lower than SP3, make sure that RDP 6.1 is installed

Verify that the RD Gateway certificate is trusted so that users can access the machine through the gateway.

Configure your RD Gateway server, using the Remote Desktop Gateway Manager:

  • Specify the users who can authenticate to the RD Gateway to connect through the PSM to remote machines.
  • Configure the RD Gateway to enable access to the PSM server used through this RD Gateway.

For more information on how to configure the RD Gateway, refer to Microsoft Remote Desktop Gateway documentation.

PSM connections via PVWA through RD Gateway without Single Sign-On

Configuring PSM connection through RD Gateway without SSO is done in the connection component level. When a connection using this connection component is established, the user will be prompted to enter credentials to authenticate to the RD Gateway.

Once this authentication is completed successfully, the user will be automatically authenticated to the remote machine.

Configure a connection component to use RD gateway

In the PVWA:

  1. Click ADMINISTRATION, then in the System Configuration page click Options; the Web Access Options are displayed.

  2. Expand Connection Components and select the connection component in which to set the connection through RD Gateway.

  3. Click on Component Parameters and add the following parameters:

    1. promptcredentialonce:i - Set this parameter to 0 so that the RD Gateway authentication credentials are not reused on the target.

    2. gatewayusagemethod:i - Set this parameter to 1 to enforce a connection through RD Gateway.

    3. gatewayprofileusagemethod:i - Set this parameter to 1 to use the explicit setting for RD Gateway authentication.

    4. gatewayhostname:s - Set this parameter to the DNS Name or IP address of the RD Gateway machine.

    5. gatewaycredentialssource:i - Set this parameter to 0 to enforce password authentication to the RD Gateway, or to 1 to enforce smart card authentication on the RD Gateway, or to 4 to allow the end user to choose.

  4. Click Apply to save the new configurations and apply them immediately, or click Save to save the new configurations and apply them after the period of time specified in the RefreshPeriod parameter.
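The five component parameters above are standard .rdp file settings. As an added example (not CyberArk's or Microsoft's code), the following Python builds those lines for a given gateway and checks an existing .rdp file against them, so a defender can confirm that a connection component or a user's .rdp file actually enforces the gateway rather than leaving it optional. The gateway hostname, target name and sample file contents are constructed.

```python
"""Build and check the RD Gateway settings of an .rdp file.

Added example: this is not CyberArk's or Microsoft's code. It uses the five
parameters named in the procedure above (standard .rdp file settings); the
gateway hostname and the sample file contents are constructed.
"""

# Values from the procedure above.
GATEWAY_USAGE_ENFORCE = 1        # gatewayusagemethod:i:1 -> always connect through the gateway
GATEWAY_PROFILE_EXPLICIT = 1     # gatewayprofileusagemethod:i:1 -> use the explicit gateway settings
CREDENTIAL_SOURCES = {0: "password", 1: "smart card", 4: "user's choice"}


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}; blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, kind, value = line.split(":", 2)
        settings[name.strip().lower()] = (kind, value)
    return settings


def gateway_settings(hostname, credentials_source=0):
    """Return the .rdp lines that enforce a connection through the RD Gateway."""
    if credentials_source not in CREDENTIAL_SOURCES:
        raise ValueError(f"unsupported gatewaycredentialssource {credentials_source}")
    return "\n".join([
        "promptcredentialonce:i:0",
        f"gatewayusagemethod:i:{GATEWAY_USAGE_ENFORCE}",
        f"gatewayprofileusagemethod:i:{GATEWAY_PROFILE_EXPLICIT}",
        f"gatewayhostname:s:{hostname}",
        f"gatewaycredentialssource:i:{credentials_source}",
    ])


def check_gateway_enforced(text, expected_host):
    """Return findings for an .rdp file; an empty list means it matches the procedure above."""
    settings = parse_rdp(text)

    def value(name, default=None):
        return settings.get(name, (None, default))[1]

    findings = []
    if value("gatewayusagemethod") != str(GATEWAY_USAGE_ENFORCE):
        findings.append("gatewayusagemethod is not 1: the gateway is not enforced")
    if value("gatewayprofileusagemethod") != str(GATEWAY_PROFILE_EXPLICIT):
        findings.append("gatewayprofileusagemethod is not 1: explicit gateway settings are not used")
    host = value("gatewayhostname", "")
    if host.lower() != expected_host.lower():
        findings.append(f"gatewayhostname is {host!r}, expected {expected_host!r}")
    cred = value("gatewaycredentialssource")
    if cred is None or not cred.isdigit() or int(cred) not in CREDENTIAL_SOURCES:
        findings.append(f"gatewaycredentialssource {cred!r} is not one of 0, 1 or 4")
    if value("promptcredentialonce") != "0":
        findings.append("promptcredentialonce is not 0: gateway credentials would be reused on the target")
    return findings


# Constructed sample: a hand-built file whose gatewayusagemethod is not the
# enforcing value 1, which lacks the profile setting and reuses credentials.
SAMPLE_WEAK = """\
full address:s:psm01.example.internal
promptcredentialonce:i:1
gatewayusagemethod:i:0
gatewayhostname:s:rdg.example.internal
gatewaycredentialssource:i:4
"""

# Constructed sample: the same target with the settings from the procedure.
SAMPLE_OK = ("full address:s:psm01.example.internal\n"
             + gateway_settings("rdg.example.internal") + "\n")

if __name__ == "__main__":
    print(check_gateway_enforced(SAMPLE_WEAK, "rdg.example.internal"))  # three findings
    print(check_gateway_enforced(SAMPLE_OK, "rdg.example.internal"))    # []
```

`gateway_settings()` produces exactly the parameter lines listed in step 3, so the same text can be pasted into the connection component or compared against what PSM emits; `check_gateway_enforced()` is the review-side counterpart for .rdp files users already have.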

PSM connections via PVWA through RD Gateway with Single Sign-On

When enabling single sign-on, users are automatically authenticated to the RD Gateway and the remote machine. However, this type of connection is supported only when connecting with ActiveX. In addition, RDP files, the RemoteApp user experience, or connections directly from users’ desktops are not supported.

Configure PSM connections via PVWA through RD Gateway with Single Sign-On

In the PVWA:

  1. In the System Configuration page, click Options; the Web Access Options are displayed.

  2. In the Privileged Session Management parameters, display the Configured PSM Servers, and select the PSM Server for which you will define the Remote Desktop Gateway.

  3. In the Connection Details section, select TS Gateway.

  4. If the RD Gateway is installed on the PSM server machine, the PSM parameters will be configured by default. However, if the RD Gateway is installed on a different machine, specify the following parameters:

    • The Address parameter specifies the address of the Remote Desktop gateway machine used by passwords associated with this platform.

    • The Domain parameter specifies the name of the domain of the Remote Desktop gateway machine that will be used to connect to the remote machine.

    • The Safe, Folder, and Object parameters specify the location of the password for the logon account for the Remote Desktop gateway.

      This logon account is retrieved from the Vault by the internal PVWA application user (by default, PVWAAppUser). Therefore, make sure that the application user has permissions to retrieve this account.

    • The Enable parameter determines whether or not the Remote Desktop gateway is enabled.

  5. Specify the logon account user who can authenticate to the RD Gateway, in your RD Gateway server, using the Remote Desktop Gateway Manager.

  6. Connection via the PVWA portal through RD Gateway with SSO is supported only when connecting with ActiveX. To configure the PSM to always use ActiveX to connect to remote machines:

    • In the Privileged Session Management UI parameters, set ConnectPSMWithRDPActiveX to Always.
    • Configure the PSM to work with the older PSM Protocol 1

      Customers who install PSM v9.2 or higher must manually add the settings below to allow PSM connectivity.

      Update the PVConfiguration.xml file in the Vault

      1. Log onto the PrivateArk Client with an administrative user.

      2. Open the PVWAConfig Safe, then retrieve and open the PVConfiguration.xml configuration file.

      3. Identify the PSMServers node by looking for the PSMServers string.

      4. In this node, identify the node of your PSM server according to its address.

      5. Change the PSMProtocolVersion property of this PSM server to 1, as shown in the following example:

                                    

      6. Save the PVConfiguration.xml file and return it to the PVWAConfig Safe.

      7. On the PVWA machine, run iisreset.

      Update the basic_psm.ini file on the PSM server machine

      1. On the PSM server machine, display the contents of the PSM installation folder. By default, this is C:\Program Files (x86)\CyberArk\PSM.

      2. Open the basic_psm.ini file and add the following parameter:

      3. Save the basic_psm.ini file and close it.

      4. Restart the PSM service.

      Update the Remote Desktop Users Group on the PSM Server

      On the PSM machine, add the PSMConnect and PSMAdminConnect users to the Remote Desktop Users group. Do as follows:

      1. In the Server Manager, select Configuration, then Local Users and Groups.

      2. Select Remote Desktop Users, then right-click and select Add to Group.

      3. In the Members section, click Add, then locate the PSMConnect and PSMAdminConnect users that are used to connect to your PSM server.

      4. Click OK to add the users to the group.
