# 3.1 RDP/VNC Proxy
The Single Connect RDP/VNC Proxy feature can be used to log and monitor remote sessions.

## RDP Device Properties

For RDP proxies, after adding a Windows device (see also Managing Device), some properties are set on the device.

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Inventory.
3. Right-click on the device and select the “Show Properties” option.
4. Set the related properties.

| Property | Definition |
| --- | --- |
| remotedesktop domain | The domain to use when attempting authentication, if any. This parameter is optional. |
| remotedesktop security | The security mode to use for the RDP connection. This mode dictates how data will be encrypted and what type of authentication will be performed, if any. By default, standard RDP encryption is requested, as it is the most widely supported. Possible values are:<br>rdp: Standard RDP encryption. This is the default and should be supported by all RDP servers.<br>nla: Network Level Authentication. This mode requires login information, and performs an authentication step before the remote desktop session actually starts. If the username and password are not given, the connection cannot be made.<br>tls: TLS encryption. TLS (Transport Layer Security) is the successor to SSL.<br>any: Allow the server to choose the type of security. |
| remotedesktop ignore cert | If set to "true", the certificate returned by the server will be ignored, even if that certificate cannot be validated. This is useful if you universally trust the server and your connection to the server, and you know that the server's certificate cannot be validated (for example, if it is self-signed). |
| remotedesktop server layout | The server-side keyboard layout. This is the layout of the RDP server and has nothing to do with the keyboard layout in use on the client side. The Kron Remote Desktop client is independent of keyboard layout. Possible values are:<br>tr tr qwerty: Turkish keyboard<br>en us qwerty: English (US) keyboard<br>de de qwertz: German keyboard (qwertz)<br>fr fr azerty: French keyboard (azerty)<br>fr ch qwertz: Swiss French keyboard (qwertz)<br>it it qwerty: Italian keyboard<br>ja jp qwerty: Japanese keyboard<br>sv se qwerty: Swedish keyboard<br>failsafe: Unknown keyboard. This option sends only Unicode events and should work for any keyboard, though not necessarily on all RDP servers or applications. If your server's keyboard layout is not yet supported, this option should work in the meantime. |
| remotedesktop color depth | The color depth to request, in bits per pixel. This parameter is optional. If specified, its value must be either 8, 16, or 24. Regardless of what value is chosen here, if a particular update uses less than 256 colors, the Kron Remote Desktop client will always send that update as a 256-color PNG. |
| remotedesktop width | The width of the display to request, in pixels. This parameter is optional. If this value is not specified, the width of the connecting client display will be used instead. |
| remotedesktop height | The height of the display to request, in pixels. This parameter is optional. If this value is not specified, the height of the connecting client display will be used instead. |
| remotedesktop dpi | The desired effective resolution of the client display, in DPI. This parameter is optional. If this value is not specified, the resolution and size of the client display will be used together to determine, heuristically, an appropriate resolution for the RDP session. |
| remotedesktop resize method | The method to use to update the RDP server when the width or height of the client display changes. This parameter is optional. If this value is not specified, no action will be taken when the client display changes size. Normally, the display size of an RDP session is constant and can only be changed when initially connecting. As of RDP 8.1, the "Display Update" channel can be used to request that the server change the display size. For older RDP servers, the only option is to disconnect and reconnect with the new size. Possible values are:<br>display update: Uses the "Display Update" channel added with RDP 8.1 to signal the server when the client display size has changed.<br>reconnect: Automatically disconnects the RDP session when the client display size has changed, and reconnects with the new size. |
| remotedesktop disable audio | Audio is enabled by default in both the client and in libguac client rdp. If you are concerned about bandwidth usage, or the audio is causing problems, you can explicitly disable audio by setting this parameter to "true". |
| remotedesktop enable audio input | If set to "true", audio input support (microphone) will be enabled, leveraging the standard "AUDIO_INPUT" channel of RDP. By default, audio input support within RDP is disabled. |
| remotedesktop enable printing | Printing is disabled by default, but with printing enabled, RDP users can print to a virtual printer that sends a PDF containing the document printed to the Kron Remote Desktop client. Enable printing by setting this parameter to "true". |
| remotedesktop enable drive | File transfer is disabled by default, but with file transfer enabled, RDP users can transfer files to and from a virtual drive which persists on the Kron Single Connect server. Enable file transfer support by setting this parameter to "true". |
| remotedesktop remote app | Specifies the RemoteApp to start on the remote desktop. If supported by your remote desktop server, this application, and only this application, will be visible to the user. |

## VNC Device Properties

For VNC proxy, after adding a device (see also Managing Device), some properties are set on the device.

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Inventory.
3. Right-click on the device and select the “Show Properties” option.
4. Set the related properties.

| Property | Definition |
| --- | --- |
| remotedesktop enable sftp | Whether file transfer should be enabled. If set to "true", the user will be allowed to upload or download files from the specified server using SFTP. If omitted, SFTP will be disabled. |
| remotedesktop sftp directory | The default directory to which files are uploaded when they are simply dragged and dropped. The SFTP user must be authorized for this directory in order to use it. This parameter is optional. If omitted, the default upload location of the SSH server providing SFTP will be used. |
| remotedesktop sftp username | The username to authenticate as when connecting to the specified SSH server for SFTP. This parameter is required. |
| remotedesktop sftp password | The password to use when authenticating with the specified SSH server for SFTP. |
| remotedesktop color depth | The color depth to request, in bits per pixel. This parameter is optional. If specified, this must be either 8, 16, or 24. Regardless of what value is chosen here, if a particular update uses less than 256 colors, the Kron Remote Desktop client will always send that update as a 256-color PNG. |

Note: If the SFTP user password is used from SAPM, define the SFTP user as an SAPM account and remove the “remotedesktop sftp password” property from the device properties.

## Device Group Properties for RDP/VNC Proxy

| Property Key | For RDP/VNC | Definition |
| --- | --- | --- |
| addsessionusertouserselection | RDP/VNC | This property only applies to SSH/Telnet proxies and RDP/VNC proxies in Session Manager modules. When the “addsessionusertouserselection” property is set as “true” on a device group, users can connect to target devices in the device group with their own username that is used to log in to Single Connect. |
| approvalrequiredforconnection | RDP | This property only applies to SSH proxies and RDP proxies in Session Manager modules. When its value is set as “true”, managerial approval via e-mail is requested for users to connect to devices in the device group. |
| globalusername | RDP/VNC | The username to use when connecting to all devices covered by the device group. This username must be pre-defined as a user on all devices in the device group. |
| globalpassword | RDP | The password of the globalusername: the password to use when connecting to all devices covered by the device group. |
| reasonrequiredforconnection | RDP | This property only applies to SSH proxy and RDP proxy in Session Manager modules. When its value is set as “true”, a comment/reason field appears when users try to connect to the devices in the device group. The text entered here will appear in the session logs and managerial approval e-mails and notifications (if enabled). |
| sessiondurationlimitminute | RDP/SSH | This property only applies to SSH proxies and RDP proxies in Session Manager modules. Users' sessions can be limited based on the session's duration. |

## Connection to Device with Current User

A device can be assigned to different device groups, and a user can be authorized to access all of these device groups. If the device groups have different global usernames, the Single Connect user chooses the user that connects to the target RDP device. If the user wants to connect to a device with their own username, the “addsessionusertouserselection” property must be set as “true” on the device group that has the target device.

## Managerial Approval for User Connecting to Device

To enable managerial approval via e-mail for users connecting to devices, the “approvalrequiredforconnection” property must be set as “true” on a device group that has the target devices.

## RDP Idle Time Settings

To calculate idle time for RDP connections in a defined time limit, follow the steps below.

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > System Config Man.
3. Set the required parameter: nsso remote desktop idle threshold = “millisecond” (time limit to start calculation of idle time).

Note: If the “nsso remote desktop idle threshold” property is not set in System Config Man, its value defaults to 30000 ms (30 seconds).

## RDP Idle Session Timeout Settings

Users' sessions can be terminated based on their idle duration. To set a timeout limit, follow the steps below.

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > System Config Man.
3. Set the following parameter: rdp idle session timeout = “millisecond”

## RDP Sessions Duration Based Limitation Settings

Users' sessions can be limited based on the session's duration. To set a time limit, follow the steps below.

1. Log in to the Single Connect web GUI.
2. Navigate to Device Groups.
3. Right-click the device group, and click the “Show Properties” option.
4. Set the “
5. Set the “nsso remote desktop session duration limit warning before min” parameter (time limit for the warning message before ending the session).

## OCR Language Settings

To get OCR logs in the required language, set the OCR language by following the steps below.

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > System Config Man.
3. Set the following parameter: nsso remote desktop ocr lang= lang1+lang2+lang3

| Supported Languages | Code |
| --- | --- |
| Dutch, Flemish | nld |
| English | eng |
| German | deu |
| Italian | ita |
| Japanese | jpn |
| Korean | kor |
| Portuguese | por |
| Russian | rus |
| Serbian | srp |
| Spanish | spa |
| Turkish | tur |

## Settings to Disable RDP Key Logging for a While

The key logger of RDP sessions logs all key motions in clear text. When users enter critical information such as passwords, that information is recorded. To obscure certain data, follow the steps below.

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > System Config Man.
3. Set the “
4. Set the “

When users press the defined key twice in 500 milliseconds, the keys pressed afterwards are not logged, up to the defined hidden key limit. The default key is ESC. The potential keys that can be set up in System Config Man are:

\[alt], \[f10], \[f8], \[print], \[begin], \[f11], \[f9], \[right], \[break], \[f12], \[home], \[scroll lock], \[ctrl], \[f2], \[insert], \[shift], \[delete], \[f3], \[left], \[shift lock], \[down], \[f4], \[num lock], \[tab], \[end], \[f5], \[page down], \[up], \[esc], \[f6], \[page up], \[f1], \[f7], \[pause]

Note: If “nsso remote desktop key logger hidden key limit” is not defined manually in System Config Man, the hidden key limit defaults to 15 keys.

Logs are shown like the figure below.

To disable the key log hiding feature for certain user groups, follow the steps below.

1. Log in to the Single Connect web GUI.
2. Navigate to Policy Control > Portal Functions.
3. Open the Function Group Definition tab.
4. Enter the function group name, then select the function as
5. Open the Realm Definition tab.
6. Set the realm for the user group and the “Disallow Hiding Key” function.

## Limiting Applications on Windows RDP Devices Settings

Single Connect makes it possible to limit the applications that can be accessed on Windows servers, and to set permissions for device groups for each application. To adjust the allowed applications on a Windows server, follow the steps below.

The application path should be defined:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > Remote Desktop App.
3. Fill in the application name and path fields.

The applications to be allowed should be chosen on the device group:

4. Navigate to Device Groups.
5. Right-click on the device group, and select Allow Remote App.
6. Choose which application will be allowed for the devices in this device group.

If the application path for a device is different from the path that is defined on the “Administration Remote Desktop App” page, change the path on the device:

7. Navigate to Device Inventory.
8. Right-click on the target device.
9. Choose the “Add/Edit Remote App” option.
10. Add/edit the application name and path.

## Remote Application Seamless Login

1. Log in to the Single Connect web GUI.
2. Navigate to Device Management > Device Group.
3. Right-click on the device group that you want to edit and select “Allow Remote Application”.
4. Click the “Set Auto Login Properties” button.

| Field | Definition |
| --- | --- |
| OCR Text | Text to recognize if the login page has loaded successfully |
| Key Template | Login key template to insert username and password |
| Username | Username to log in to the application |
| Password | Password to log in to the application |
| Timeout | Duration to detect the login page |

## Assigned Credentials

When connecting to RDP devices through a Single Connect RDP proxy, the following credentials can be used for logging in to the remote device:

1. Global username and global password (static values)
2. Global username as an SAPM account, with changed password
3. The user's own credentials, if they are allowed to log in to the remote device
4. Different assigned credentials for each user, like the john local account for the user John, the julia local account for the user Julia, etc.

For the fourth option, assigned credentials should be used. The following steps should be followed:

1. Log in to the Single Connect web GUI as an admin user.
2. Navigate to Device Management > Device Groups.
3. Right-click a device group and select Show Properties.
4. Save the “addassignedcredentialtouserselection” property as “true”.

These steps enable assigned credential usage for a device group. (This device group should be put in a device group realm with the user group including the users beforehand.)

To set up the assigned credentials for different users, SAPM or Secret Data Vault accounts should be saved first (“SAPM” is used for passwords that are being rotated by the password manager, while “Secret Data Vault” can be used for static usernames and passwords). After that, these steps should be followed:

1. Log in to the Single Connect web GUI as an admin user.
2. Navigate to the User Management > Assigned Credential section.
3. Start typing the username in the “User” text box. Matching users will appear just below. Select the one for whom another credential will be assigned.
4. Select “SAPM” or “Secret Data Vault” as the credential source (“SAPM” is used for passwords that are being rotated by the password manager, while “Secret Data Vault” can be used for static usernames and passwords).
5. According to the selection, select either the “SAPM Username” or the “Secret Data Vault” name.
6. Save.

After these steps are completed, the assigned credentials will be used for the connection when the Single Connect users defined in these steps try to open an RDP session.

## Legal Disclaimer Message

Please consult Kron Technical Support (https //sc support\@kron com/ epdestek\@kron com tr).

## Reason Field for Device Connections

A mandatory reason field can be enabled, to be filled in by users when connecting to devices. The text entered here appears in the session logs and in the managerial approval e-mails and notifications. To enable this feature, the “reasonrequiredforconnection” property must be set as “true” on a device group that includes the target devices.

## Transferring Files Between RDP Endpoints

Transferring files between RDP endpoints is possible. To activate this functionality, please consult Kron Technical Support (https //sc support\@kron com/ epdestek\@kron com tr).
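
The RDP and VNC device properties documented on this page can be checked mechanically before a device is put into service. The following is an added example, not Kron's code: a small linter over one device's property map that flags values outside the documented sets and the settings that weaken session security. Keys are spelled as they appear on this page; the product's exact key spelling, the severity labels, and the sample devices are assumptions.

```python
# Lint one device's properties against the values documented on this page.
# Keys are spelled as on this page; the product's exact spelling is an assumption.
SECURITY_MODES = {"rdp", "nla", "tls", "any"}
RESIZE_METHODS = {"display update", "reconnect"}
COLOR_DEPTHS = {"8", "16", "24"}
# Channels that are off by default and move data in or out of the session.
DATA_CHANNELS = ("remotedesktop enable drive", "remotedesktop enable printing",
                 "remotedesktop enable audio input", "remotedesktop enable sftp")


def is_true(props, key):
    return str(props.get(key, "")).strip().lower() == "true"


def audit_device(props):
    """Return sorted (severity, message) findings; severities are illustrative."""
    findings = []
    mode = props.get("remotedesktop security", "rdp")  # documented default
    if mode not in SECURITY_MODES:
        findings.append(("error", f"unknown security mode {mode!r}"))
    elif mode in ("rdp", "any"):
        findings.append(("warn", f"security mode {mode!r} does not enforce nla or tls"))
    if is_true(props, "remotedesktop ignore cert"):
        findings.append(("warn", "server certificate validation is disabled"))
    depth = props.get("remotedesktop color depth")
    if depth is not None and str(depth) not in COLOR_DEPTHS:
        findings.append(("error", "color depth must be 8, 16, or 24"))
    resize = props.get("remotedesktop resize method")
    if resize is not None and resize not in RESIZE_METHODS:
        findings.append(("error", f"unknown resize method {resize!r}"))
    for key in DATA_CHANNELS:
        if is_true(props, key):
            findings.append(("info", f"{key} is on; confirm it is needed"))
    if is_true(props, "remotedesktop enable sftp") and not props.get("remotedesktop sftp username"):
        findings.append(("error", "sftp is enabled but sftp username is missing"))
    if "remotedesktop sftp password" in props:
        findings.append(("warn", "sftp password is set on the device, not held in sapm"))
    return sorted(findings)


# Constructed sample devices (not taken from a real inventory).
WEAK = {"remotedesktop ignore cert": "true", "remotedesktop color depth": "32",
        "remotedesktop enable drive": "true", "remotedesktop enable sftp": "true",
        "remotedesktop sftp password": "example-only"}
HARDENED = {"remotedesktop security": "nla", "remotedesktop color depth": "24",
            "remotedesktop resize method": "display update"}

if __name__ == "__main__":
    for name, device in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_device(device))
```

A device with no “remotedesktop security” property is reported under the default mode, because the page states that standard RDP encryption is requested when nothing is set.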