Create an RDP Proxy Service to Access a Device

An RDP Service invokes a local third-party RDP application on a client to connect to a device. Native RDP Client support extends the Access controls to any native RDP client.
Before you configure the RDP proxy service, configure the RDP client application itself as an Application Service (Services, Application Service); the proxy service references that application configuration.
The RDP proxy service supports the following Privileged Access Manager policies:
  • Socket-filtering
  • Auto-login
  • Session-recording
  • Transparent-login
To create an RDP Proxy Service, follow these steps:
  1. Select Services, Manage TCP/UDP Services.
  2. Select Add for a new TCP/UDP service.
    • Service Name: Enter a name for the service.
    • Local IP: Enter a valid local loopback address.
    • Ports: Enter 3389 (for RDP) and a local port mapping or an asterisk. For example: 3389:12345 or 3389:*
    • Protocol should remain set to TCP.
    • Select the Enable checkbox.
    • Select Show in Column to show the service as a button on the Access page. Otherwise, Services appear in a drop-down list, which is more compact.
    • For Application Protocol, select the RDP option from the drop-down list.
  3. RDP Application: Select a previously configured Application Service that enables you to launch Transparent Login using the RDP Proxy service. To configure an application service, go to Services, Application Service. This option only appears when you select RDP as the application protocol.
  4. Learn Mode: Check this box to provide an option on the Access page to launch Learn Mode using the RDP Proxy Service. During Learn Mode, Privileged Access Manager is taught the credential-processing interfaces of the provisioned RDP application. This process captures the required sequence in a transparent login configuration file that is stored in Privileged Access Manager. When you check this option, Show in Column is also enabled, which shows a drop-down arrow on the RDP service displayed on the Access page. When you click the arrow, you can launch the service with or without Learn Mode enabled; the arrow therefore lets you distinguish services that have Learn Mode enabled from those that do not on the Access page. The Learn Mode drop-down arrow is shown on the Access page only for users with Global Administrator or Service Manager privileges and is hidden for all other users. This option only appears when you select RDP as the application protocol.
  5. For Client Application, enter the path if you want to invoke the client automatically. The path is executed on the user's client workstation, so the RDP client must be installed there.
  6. The path that you specify here is launched when the enabled RDP service is accessed. For the Windows Remote Desktop application:
    C:\[path]\mstsc.exe [options] /v:<Local IP>:<First Port>
    These literal strings are substituted at run-time:
    • <Local IP> is replaced with the IP address in the Local IP field. Use the placeholder; do not type the literal loopback address here.
    • <First Port> is replaced with the first local port (after the colon) that is defined in Ports.
  7. Select OK.
  8. Create a Device that corresponds to the RDP target device that you want to connect to.
    1. In Devices, Manage Devices, create a Device with the target IP address (do not use an FQDN) in the Address field.
    2. On the Services tab, use the controls to move the service that you created from the Available Services to the Selected Services.
    3. Select OK.
  9. Create a Target Application using the target device as Host Name. See Identify Target Applications and Connectors for more information.
  10. Create a Target Account using the target application as Application Name. The Account Name is substituted for <User> and the Password for <Password>. See Add Target Accounts to Target Applications for more information.
  11. Create a Policy linking the Target Device to a User or Group.
    1. On the Services tab, select the Service that you created.
    2. In the Target Account column, use the Edit magnifying glass icon to select the Account.
    The RDP Service appears on the Access page for the selected User or Group.
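The field rules in steps 2 through 8 and the run-time substitution in step 6 are easy to get wrong in the form, so here is an added example (not Privileged Access Manager code, and not taken from this page) that models a TCP/UDP service definition in Python, checks it against the rules stated above (loopback Local IP, TCP, 3389 mapped to a local port or *, placeholders instead of a literal address, an IP rather than an FQDN for the Device Address) and performs the <Local IP> / <First Port> substitution the way step 6 describes. The dataclass, the function names, the sample definitions and the C:\Windows\System32 location of mstsc.exe are this example's assumptions; only the single target:local mapping syntax the page shows is handled, and the 3389:* case is covered by passing in the local port that was allocated when the service started.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One "target:local" mapping as shown in the Ports field: 3389:12345 or 3389:*
PORT_MAPPING = re.compile(r"^(\d{1,5}):(\d{1,5}|\*)$")
LOCAL_IP_PLACEHOLDER = "<Local IP>"
FIRST_PORT_PLACEHOLDER = "<First Port>"


@dataclass
class RdpProxyService:
    """Hypothetical model of the TCP/UDP Service form fields (example only)."""
    service_name: str
    local_ip: str             # Local IP field: must be a loopback address
    ports: str                # Ports field, e.g. "3389:12345" or "3389:*"
    client_application: str   # Client Application field with the two placeholders
    protocol: str = "TCP"


def validate_service(svc: RdpProxyService) -> List[str]:
    """Return the rule violations found; an empty list means the definition
    follows the rules in the procedure."""
    problems: List[str] = []

    try:
        if not ipaddress.ip_address(svc.local_ip).is_loopback:
            problems.append(f"Local IP {svc.local_ip} is not a loopback address")
    except ValueError:
        problems.append(f"Local IP {svc.local_ip!r} is not an IP address")

    if svc.protocol.upper() != "TCP":
        problems.append("Protocol must remain set to TCP for RDP")

    m = PORT_MAPPING.match(svc.ports.strip())
    if not m:
        problems.append(f"Ports {svc.ports!r} must look like 3389:12345 or 3389:*")
    else:
        target_port, local_port = m.groups()
        if target_port != "3389":
            problems.append(f"target port {target_port} is not the RDP port 3389")
        if local_port != "*" and not 1 <= int(local_port) <= 65535:
            problems.append(f"local port {local_port} is out of range")

    for placeholder in (LOCAL_IP_PLACEHOLDER, FIRST_PORT_PLACEHOLDER):
        if placeholder not in svc.client_application:
            problems.append(f"Client Application does not use {placeholder}")
    # "Do not repeat the local IP here": a hard-coded loopback address in the
    # command line is the mistake step 6 warns about.
    if re.search(r"127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1", svc.client_application):
        problems.append("Client Application repeats a literal loopback address")
    return problems


def render_client_command(svc: RdpProxyService, allocated_port: Optional[int] = None) -> str:
    """Run-time substitution from step 6: <Local IP> becomes the Local IP field,
    <First Port> becomes the local port after the colon in Ports. With 3389:* the
    port is only known when the service starts, so the caller passes it in."""
    m = PORT_MAPPING.match(svc.ports.strip())
    if not m:
        raise ValueError(f"Ports field {svc.ports!r} is not target:local")
    local_port = m.group(2)
    if local_port == "*":
        if allocated_port is None:
            raise ValueError("Ports uses '*'; pass the allocated local port")
        local_port = str(allocated_port)
    return (svc.client_application
            .replace(LOCAL_IP_PLACEHOLDER, svc.local_ip)
            .replace(FIRST_PORT_PLACEHOLDER, local_port))


def validate_device_address(address: str) -> List[str]:
    """Step 8 requires a literal IP address in the Device Address field, not an FQDN."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return [f"Device Address {address!r} must be an IP address, not a host name"]
    return []


if __name__ == "__main__":
    # Constructed sample definition; C:\Windows\System32 is the assumed mstsc.exe location.
    good = RdpProxyService("RDP Proxy", "127.0.0.1", "3389:12345",
                           r"C:\Windows\System32\mstsc.exe /f /v:<Local IP>:<First Port>")
    print(validate_service(good))        # []
    print(render_client_command(good))   # C:\Windows\System32\mstsc.exe /f /v:127.0.0.1:12345

    wildcard = RdpProxyService("RDP Proxy (any port)", "127.0.0.2", "3389:*",
                               r"C:\Windows\System32\mstsc.exe /v:<Local IP>:<First Port>")
    print(render_client_command(wildcard, allocated_port=40123))

    # Constructed misconfiguration: routable Local IP and a literal loopback in the path.
    bad = RdpProxyService("Broken", "10.0.0.5", "3389:*",
                          r"C:\Windows\System32\mstsc.exe /v:127.0.0.1:<First Port>")
    for problem in validate_service(bad):
        print("-", problem)
    print(validate_device_address("rdp-target.example.com"))
```

Running the script shows the good definition passing with no findings, the wildcard definition rendering to the allocated port, and the broken definition producing three findings (non-loopback Local IP, missing <Local IP> placeholder, literal loopback address repeated in the command line).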
Administrator Setup
You can set up your native RDP Service to allow one of the following options:
  • Automatic invocation of the RDP application with options through the Privileged Access Manager Service command line specification (in the Client Application field).
  • Manual invocation of the RDP application by the user, who applies commands at execution. To invoke the application, select the service link on the Access page.
Manual Invocation
If a TCP/UDP Service is configured to use RDP without specifying the Client Application, the user can manually invoke any installed RDP client, such as mstsc, and point it at the Local IP and local port of the service.
User Experience
Automatic Invocation
A user on a properly configured client selects the Service link on the Access page. The RDP client (for example, mstsc.exe) executes automatically with the switches or commands specified in the Client Application field, with <Local IP> and <First Port> replaced by the Local IP and the first local port of the service. Privileged Access Manager relays the RDP session from that loopback port to the target device and applies the policies configured for the service, such as Auto-login or Transparent-login with the selected Target Account, Socket-filtering and Session-recording.