Adding an RDP Zero Trust Application

Prerequisite

Make sure you have the credentials to access the application over RDP.

To add an RDP Zero Trust Application:

  1. Access the Harmony SASE Administrator Portal and click Private Access > Applications.

  2. Click Add Application.

    The Add application window appears.

  3. In the General Settings section, enter these:

    1. Application Name - Name of the application.

    2. Protocol - RDP

    3. Icon - Icon for the application.

    4. Host - Internal IP address of the server to which you want to connect.

    5. Port - 3389

    6. Network - Network that hosts the application.

    7. Max number of connections - Maximum number of concurrent RDP sessions.

    8. Ignore server certificate - Select Yes to ignore the SSL certificate, unless you activate RDP over SSL.

    9. Admin console - Select the checkbox to connect directly to the console session on the Windows server.

    10. (Optional) Display Application Icon at Login Screen - Displays the application icon for the member in the login page.

    11. (Optional) Enable copy-paste from RDP to clipboard - Allows members to copy data from the RDP session to their local clipboard.

    12. (Optional) Enable printing from RDP - Allows members to print from the RDP session.

    13. (Optional) URL Alias - URL for members to access the application.

      Important - You cannot add a URL alias after you create the application.

    14. In the External Domain (CNAME) field, enter a CNAME associated with your domain.

    15. From the SSL Certificate list, select the application domain SSL certificate uploaded in Certificate Manager.

    16. Go to your DNS administrator (for example, GoDaddy or R53 in AWS).

      Under your domain, create the CNAME specified in the previous step and point it to the application FQDN. The FQDN appears in the application settings after you click Apply.

  4. From the Select Security Mode list, select a security mode. This determines the encryption and authentication mode used for the RDP connection.

    • Any (default) - Select the security mode automatically based on the security protocols supported by the client and the server.

    • Network Level Authentication (NLA) - Uses TLS encryption and requires credentials to access the application. Also referred to as hybrid or CredSSP (the protocol that drives NLA).

    • Extended Network Level Authentication (NLA-EXT) - Sends Early User Authorization Result from the server to the client after the NLA handshake.

    • Transport Layer Security (TLS) - RDP authentication and encryption through TLS (RDPTLS). This is suitable for load balancing where the primary RDP server redirects the connection to secondary servers.

    • VMconnect - Automatically selects a security mode supported by Hyper-V or VMConnect, based on the protocols supported by the client and the server.

    • Remote Desktop Protocol (RDP) - Suitable for machines running older Windows versions where a login screen is required.

  5. In the Authentication section, enter these:

    1. Username and Password - Credentials of the server.

    2. Domain - Your Active Directory domain FQDN.

      Note - If you disable Authentication, then the member must enter the credentials when accessing the application.

  6. In the Access Groups and Members section, in the Groups and Members list, select the member groups that can access the application.

  7. (Recommended) In the Policy Name list, select an application policy.

  8. Click Apply.

    The system lists the application in the Applications page and enables it by default.

  9. For members to access the application, see Accessing an Application by a Member.

Additional Registry Configuration

Windows 7

  1. Open the Registry Editor.

  2. Navigate to HKEY_LOCAL_MACHINE > Software > Microsoft > Windows NT > Terminal Services.

  3. Select fServerEnableRDP8.

  4. Set the value type to REG_DWORD.

  5. Set the value to 1.

  6. Reboot the machine.

Windows Server 2016

  1. Open the Registry Editor.

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

  3. Select SecurityLayer and change the value to 1.

  4. Select UserAuthentication and change the value to 0.

Windows Server 2019

  1. Open the Registry Editor.

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

  3. Select SecurityLayer and change the value to 0.

  4. Reboot the machine.
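The three registry procedures above (Windows 7, Windows Server 2016, Windows Server 2019) can be applied and verified from an elevated PowerShell session instead of the Registry Editor. The script below is an added example and is not part of the Harmony SASE documentation or product; the function name Set-RdpRegistryForHarmony, the -Version parameter and its value names are assumptions chosen for this example. The registry paths and values are exactly those listed above. Note that UserAuthentication = 0 and SecurityLayer = 0 relax what the Windows server itself requires of an RDP client (no NLA, legacy RDP security layer), so apply them only to servers that are reached through the Private Access network rather than exposed directly. Clearing the NLA checkbox in the Additional Troubleshooting Steps below corresponds to the same UserAuthentication = 0 value.

```powershell
# Added example, not from the Harmony SASE documentation.
# Applies the registry values from "Additional Registry Configuration" for the
# selected Windows version, then reads them back so the change can be confirmed.
# Run from an elevated PowerShell session. Function and parameter names are assumed.
function Set-RdpRegistryForHarmony {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Windows7', 'Server2016', 'Server2019')]
        [string]$Version
    )

    # Key used by Windows Server 2016 and 2019 steps
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # Key used by the Windows 7 step (path as given on this page)
    $tsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\Terminal Services'

    # Value semantics (Microsoft-documented):
    #   SecurityLayer      0 = RDP security layer, 1 = Negotiate, 2 = TLS only
    #   UserAuthentication 0 = NLA not required,   1 = NLA required
    #   fServerEnableRDP8  1 = enable the RDP 8.0 protocol on Windows 7 SP1
    switch ($Version) {
        'Windows7' {
            if (-not (Test-Path $tsKey)) { New-Item -Path $tsKey -Force | Out-Null }
            Set-ItemProperty -Path $tsKey -Name 'fServerEnableRDP8' -Value 1 -Type DWord
            $path = $tsKey; $names = @('fServerEnableRDP8'); $reboot = $true
        }
        'Server2016' {
            Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 1 -Type DWord
            Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 0 -Type DWord
            $path = $rdpTcp; $names = @('SecurityLayer', 'UserAuthentication'); $reboot = $false
        }
        'Server2019' {
            Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer' -Value 0 -Type DWord
            $path = $rdpTcp; $names = @('SecurityLayer'); $reboot = $true
        }
    }

    # Read back the values that were written and report them
    $props = Get-ItemProperty -Path $path
    foreach ($n in $names) {
        [pscustomobject]@{ Key = $path; Name = $n; Value = $props.$n }
    }

    if ($reboot) {
        Write-Warning "The $Version procedure requires a reboot for the change to take effect."
    }
}

# Usage: pick the value that matches the server you are configuring
Set-RdpRegistryForHarmony -Version 'Server2016'
```

Get-ItemProperty returns the values as they now exist in the registry, so a mismatch in the output (for example a value still at 1 after the Server2019 branch) points at a failed write or a Group Policy setting that re-applies its own value at the next refresh.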

Troubleshooting

Upstream Error

  1. If Authentication is enabled (see Authentication), verify the credentials.

    If it is disabled, change the security mode to Transport Layer Security (TLS).

Additional Troubleshooting Steps

  1. Disable NLA on the remote machine:

    1. Open the Control Panel.

    2. Click System and Security and under System, click Allow remote access.

      The System Properties window appears.

  2. Go to the Remote tab and in the Remote Desktop section, clear the Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended) checkbox.

  3. Click OK.