I get the custom property, but if I set the A record for the RDG FQDN to 127.0.0.1, isn't that going to confuse the remote ssh endpoint when it tries to establish the tunnel? I'm trying to wrap my head around this to fully understand it. Learn about modern infrastructure roles in RDS - BRK3021 It is nice because you don't need to open incoming ports to the RDSH servers and the various RDS infrastructure roles are not joined to the domain. Outgoing TCP 443 connection to the RDG, which forwards the traffic to the client via the established connection. The client first authenticates against AzureĪD, with Multi Factor and conditional access policies enforced if desired, then only if this is successful does client connect to RDG, and then target RDSH makes The RDG is not domain-joined, and reverse connect is used instead. You may be interested in the RD Gateway component that is part of the upcoming Remote Desktop modern infrastructure (RDmi). RD Gateway would send public certificate with matching subject of, or perhaps wildcard *., so the RD Client would not balk because the certificate is a match. The RD Client would look up the address of and get back 127.0.0.1, connect to that, and communicate with the RD Gateway via the tunnel. For example, you could make it .Īs far as the RD Client is concerned, it is connecting to :48950. The SSH tunnel would need to be configured for different FQDN. Is there a way we can use an RDS deployment pool using local port redirection like I described or is this just something outside the scope of RDS current design? Tells me they'll think it's a step backwards). ![]() Putting the RD Gateway on the DMZ edge might work in theory, but I believe our ISSO would no-sir it since the initial handshakes would be using system certificates instead of user keypairs (which might also violate HSPD-12, but even if it doesn't my instinct rdp file from the RDWA portal and modifying it to use the localhost address assignment, but doing that corrupts the file, it seems. Smart card authentication, and RDWA doesn't support that. RDWA isn't an option because we have to comply with HSPD-12 requirements of entering our network boundary via We're trying to explore using Server 2012 R2's more flexible session collection assignments and host pools to streamline the user process, but are encountering some problems thanks to this fairly rigid port assignment scheme for instance, trying to useĪn RD Gateway server fails because the RDP client balks at using a different address name than the RD Gateway server returns with its certificate. ssh client is configured to tunnel localhost:48590 -> :3389 for access to a terminal server, and the user tells their RDP client to connect via localhost:48950. ![]() ![]() As part of this, we have typically performed some scripting that tunnels a local port in theĤ0k range on the user's machine into a relevant service port on an internal system i.e. Our system security plan mandates that all connections into our internal boundary be encrypted over SSH tunnels to ensure no hijacking or eavesdropping can occur. Things to establish a feasible connection. I'm working on a project that is slightly unconventional compared to most RDS deployment scenarios and am encountering some issues due to the assumptions made by the base scenario information was hoping I could get some insight on how best to configure
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |