Cloud Edge Secure Access Getting Started Guide

Download PDF

Technical Documentation > Cloud Edge Secure Access Getting Started Guide > Securing the Platform > Securing User Access > Agent-less Access > Zero Trust Application > RDP (Remote Desktop Protocol)

RDP (Remote Desktop Protocol)

Adding an RDP Zero Trust application

This article describes how to configure a Zero Trust RDP Application to a remote Windows instance, such as Windows Server 2016 / Windows 10.

Before we begin

Make sure you are familiar with the server's authentication methods (username and password or RDP keys) and that you have a tunnel connecting your network and the environment that hosts the Windows instance.

Go to the Applications tab at the SonicWall Cloud Edge Platform. Select Add application.
Fill in the following information:
- Application Name: Choose an indicative name of your own choice.
- Protocol: RDP
- Icon: Use default or choose an icon of your own choice.
- Host: Enter the internal IP address of the server to which you'd like to connect.
- Port: 3389
- Network: Choose the network that contains the gateway from which you created a tunnel to the environment that hosts the server you'd like to connect to.
- Max number of connections: The maximum number of concurrent RDP sessions.
- Ignore server certificate: Yes, unless you activate an RDP over SSL.
- Admin console: Connect directly to the console session on the Windows server.
- Display Application Icon at Login Screen: Choose according to your preference.
- Enable copy-paste from RDP to clipboard: Default: yes
- Enable printing from RDP: Default: yes
- URL Alias (Optional): See Advanced Setting Guide.
- Security Mode: This mode dictates how data will be encrypted and what type of authentication will be performed if any. By default, a security mode is selected based on a negotiation process that determines what both the client and the server support.
- Authentication:
  
  Username and Password: Enter one set of credentials as predefined on the server. You will not be required to enter any parameter with the login.
  
  Domain: If applicable, enter your active directory FQDN.
  
  If the Authentication toggle is Disabled, you'll need to enter your credentials as predefined on the Windows instance with every new RDP login.
  
  Windows Server 2016 and Windows 10 instances will need an additional configuration.
  
  Please follow the "Windows Server 2016 / Windows 10" section below.
- Access Groups: State the names of the user groups that will have access to the RDP application.
- Policy: Leave blank, or choose a policy that was previously created and matches your needs.

Configuration and troubleshooting

Windows 7 users:

Registry modifications may be required in case you're operating on a Windows 7 device.

Navigate to HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows NT -> Terminal Services.
Select "fServerEnableRDP8".
- Set the value type to "REG_DWORD".
- Make sure that the enabled value is 1 (disables value is 0).
Reboot the machine.

Windows Server 2019 users:

Registry modifications may be required in case you're operating on a Windows 2019 server.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Select "SecurityLayer" and change the value to 0.
Reboot the machine.

Upstream error:

If password authentication is enabled, and any security mode is selected, then the upstream error implies a wrong password or username. Please make sure your credentials are correct.
If password authentication is disabled, simply edit the application and choose TLS as your security mode.

Additional Troubleshooting steps

Disable NLA on the local machine:

Open Control Panel. Ensure that the control panel is showing items by Category (i.e., not in Classic View ).
Click on System and Security.
Under System click on Allow remote access.
Under the Remote group, un-tick the checkbox "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".
Click OK.