RDP Connections

Keeper Connections - RDP Protocol

Overview

KeeperPAM enables zero-trust privileged session management for target infrastructure using the RDP protocol. This guide explains how to set up RDP connections on your PAM Machine Records in the Keeper Vault. Secure RDP sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.

Prerequisites

Prior to following this guide, familiarize yourself with the prerequisites on the Connections Getting Started page.

The following PAM records are needed in order to set up this protocol:

PAM Record / Definition

  • PAM Configuration - contains the information about your target infrastructure

  • PAM Machine - contains the information about the endpoint you want to establish an RDP connection to

  • PAM User - contains the user credentials that will be used to connect to the endpoint

This guide uses an Azure VM as an example. For more details on how this is set up on the PAM Machine record, visit the following page:

Example: Azure Windows VM

PAM Settings - Configuring RDP Protocol

Accessing Connection Settings

After creating a PAM record (PAM Machine, PAM Database, or PAM Directory) for your target endpoint, navigate to the Connection section of the PAM Settings screen by:

  1. Editing the PAM record

  2. Clicking "Set Up" in the PAM Settings section

  3. Navigating to the "Connection" section in the window that opens

Configuring Connection Settings

Before configuring the RDP protocol settings on the PAM Settings screen, the following fields are required and must be configured:

Field / Description

  • PAM Configuration - the PAM Configuration that contains the details of your target infrastructure and provides access to the target configured on the PAM record.

  • Administrative Credential Record - the linked PAM User that will be used to authenticate to the target and perform administrative operations on it.

The following table lists all the configurable settings for the RDP protocol on the PAM Settings:

Field
Description

Protocol

Required

The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the RDP protocol should be selected

Enable Connection

Required

To enable connection for this record, this toggle needs to be enabled

Graphical Session Recording

When enabled, graphical session recordings will be enabled for this record

Include Key Events

When enabled, the individual keystroke data will be included in the session playback. Note: This will include any secrets potentially typed by the user.

Connection Port

The port used to establish the selected protocol connection. By default, this is the port value defined on the PAM Machine record; a port specified here overrides it. For RDP, the standard port is 3389.

Launch Credentials

When configured, these credentials will be used to authenticate the connection. More details here

Allow users to select credentials from their vault

When enabled, allow users to use their own personal/private credentials to authenticate the connection. More details here

Rotate launch credentials upon session termination

When enabled, the configured launch credentials will be automatically rotated when the session is closed

Security Mode

The security mode to use for the RDP connection. This mode dictates how data will be encrypted and what type of authentication will be performed, if any. By default, security mode negotiation is performed.

Legal values are:

  • "any" - Negotiate with the server, allowing the RDP server to choose its preferred security mode (the default).

  • "NLA" - Network Level Authentication, sometimes also referred to as "hybrid" or CredSSP (the protocol that drives NLA) and uses TLS encryption.

  • "RDP Encryption" - Standard RDP encryption. Newer Windows servers generally have this mode disabled by default, and instead require NLA.

  • "TLS Encryption" - Transport Layer Security.

  • "Hyper-V/VMConnect" - Automatically select the security mode based on the security protocols supported by both the client and the server, limiting that negotiation to only the protocols known to be supported by Hyper-V / VMConnect. This security mode must be selected if connecting to the console of a Hyper-V virtual machine.

The default value is "any".

Disable Authentication

If enabled, authentication will be disabled. Note that this refers to authentication that takes place while connecting. Any authentication enforced by the server over the remote desktop session (such as a login dialog) will still take place. By default, authentication is enabled and only used when requested by the server.

If you are using NLA, authentication must be enabled by definition.

Ignore Server Certificate

If enabled, the certificate returned by the server will be ignored, even if that certificate cannot be validated. This is useful if you universally trust the server and your connection to the server, and you know that the server's certificate cannot be validated (for example, if it is self-signed). Note that certificate validation is what stops an attacker on the path between the Gateway and the target from impersonating the RDP server, so treat this as a last resort and prefer issuing the RDP listener a certificate from a CA the Gateway trusts.

Load Balance Info/Cookie

The load balancing information or cookie which should be provided to the connection broker. If no connection broker is being used, this should be left blank

RDP Source ID

The numeric ID of the RDP source. This is a non-negative integer value dictating which of potentially several logical RDP connections should be used. This parameter is only required if the RDP server is documented as requiring it. If using Hyper-V, this should be left blank.

Preconnection BLOB (VM ID)

An arbitrary string which identifies the RDP source - one of potentially several logical RDP connections hosted by the same RDP server. This parameter is only required if the RDP server is documented as requiring it, such as Hyper-V. In all cases, the meaning of this parameter is opaque to the RDP protocol itself and is dictated by the RDP server. For Hyper-V, this will be the ID of the destination virtual machine.

Can copy to clipboard

If enabled, text copied within the connected protocol session will be accessible by the user

Can paste from clipboard

If enabled, users can paste text from clipboard within the connected protocol session

Enable SFTP

If enabled, users can upload files securely to the target system through SFTP. SSH key or password based authentication must be set up and enabled on the target system. If you have not set up OpenSSH on the target system, please visit Microsoft's official page "Get started with OpenSSH for Windows".

Disable Audio

Audio output is always enabled by default. If you are concerned about bandwidth usage, or audio is causing problems, you can explicitly disable audio output

Initial program

The full path to the initial program to run immediately upon connecting.

Client name

When connecting to the RDP server, Keeper will normally provide its own hostname as the name of the client "client-name". If this parameter is specified, Keeper will use its value instead.

On Windows RDP servers, this value is exposed within the session as the CLIENTNAME environment variable.

Keyboard layout

The keyboard layout that the RDP server is using. Legal values are:

  • "da-dk-qwerty" - Danish

  • "de-ch-qwertz" - Swiss German

  • "de-de-qwertz" - German

  • "en-gb-qwerty" - UK English

  • "en-us-qwerty" - US English (the default)

  • "es-es-qwerty" - Spanish

  • "es-latam-qwerty" - Latin American

  • "fr-be-azerty" - Belgian French

  • "fr-ch-qwertz" - Swiss French

  • "fr-fr-azerty" - French

  • "hu-hu-qwertz" - Hungarian

  • "it-it-qwerty" - Italian

  • "ja-jp-qwerty" - Japanese

  • "pt-br-qwerty" - Portuguese Brazilian

  • "sv-se-qwerty" - Swedish

  • "tr-tr-qwerty" - Turkish-Q

  • "failsafe" - Force use of Unicode events rather than key events for all keys

This is the layout of the RDP server and has nothing to do with the keyboard layout in use on the client. The Keeper vault client is independent of keyboard layout. The RDP protocol is not independent of keyboard layout, and Keeper needs to know the keyboard layout of the server in order to send the proper keys when a user is typing.

Time zone

The time zone that the client should send to the server for configuring the local time display of that server. The value uses the IANA time zone database name format used on UNIX/Linux (for example "America/New_York"); it is converted into the format Windows expects.

Support for forwarding the client timezone varies by RDP server implementation. For example, with Windows, support for forwarding timezones is only present in Windows Server with Remote Desktop Services (RDS, formerly known as Terminal Services) installed. Windows Server installations in admin mode, along with Windows workstation versions, do not allow the timezone to be forwarded. Other server implementations, such as XRDP, may not implement this feature at all. Consult the documentation for the RDP server to determine whether or not this feature is supported.

Enable multi-touch

Set to "true" if multi-touch support should be enabled for the RDP connection. Enabling RDP support for multi-touch allows touch events to be passed through to the remote desktop, and requires that the RDP server support the RDPEI channel.

This parameter does not control whether Keeper itself supports touch events. Keeper always supports touch events and will use any touch events to emulate a mouse by default. This parameter controls only whether touch events should be passed directly through to the RDP server instead of emulating a mouse.

Administrator console

If set to "true", you will be connected to the console (admin) session of the RDP server.
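The Security Mode, Disable Authentication and Ignore Server Certificate settings above only work if they match what the target's RDP listener actually enforces. The following PowerShell is an added example and is not part of the Keeper documentation or product. Run it as an administrator on the Windows target; it is read-only and reports the listener's security layer, whether NLA is required, and whether the listener certificate is self-signed, then maps those findings onto the Keeper fields.

```powershell
# Added example, not from the Keeper documentation. Run as an administrator on the
# Windows RDP target. Reads the RDP-Tcp listener settings and reports which Keeper
# "Security Mode" / "Disable Authentication" / "Ignore Server Certificate" values
# will work. Read-only: nothing on the target is modified.

$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer: 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS only.
$layerNames = @{ 0 = 'RDP encryption'; 1 = 'Negotiate'; 2 = 'TLS only' }
$layer = $layerNames[[int]$ts.SecurityLayer]
$nla   = ([int]$ts.UserAuthenticationRequired -eq 1)

# The listener selects its certificate by SHA-1 thumbprint; find it in the machine
# store to tell whether it is self-signed (Subject equals Issuer) or CA-issued.
$thumb = $ts.SSLCertificateSHA1Hash
$cert  = Get-ChildItem -Path 'Cert:\LocalMachine' -Recurse |
           Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $thumb } |
           Select-Object -First 1
$selfSigned = ($null -ne $cert) -and ($cert.Subject -eq $cert.Issuer)

[pscustomobject]@{
    SecurityLayer  = $layer
    NLARequired    = $nla
    CertThumbprint = $thumb
    CertSubject    = $cert.Subject
    CertIssuer     = $cert.Issuer
    CertSelfSigned = $selfSigned
    CertExpires    = $cert.NotAfter
} | Format-List

# Map the findings onto the Keeper PAM settings.
if ($nla) {
    Write-Host 'Security Mode: "any" or "NLA". Leave "Disable Authentication" off; NLA authenticates before the session exists.'
} elseif ([int]$ts.SecurityLayer -eq 0) {
    Write-Host 'Security Mode: "RDP Encryption" would work, but enabling NLA on the target (UserAuthentication = 1) is the better fix.'
} else {
    Write-Host 'Security Mode: "any" or "TLS Encryption".'
}
if ($selfSigned) {
    Write-Warning ('Listener certificate ' + $thumb + ' is self-signed. "Ignore Server Certificate" would connect, ' +
                   'but it also accepts an impostor server; issue the RD listener a CA-signed certificate instead.')
} elseif ($null -eq $cert) {
    Write-Warning 'Listener certificate not found in Cert:\LocalMachine; check the thumbprint above.'
}
```

If the report shows a self-signed certificate, replacing it on the listener (and leaving Ignore Server Certificate off) keeps the Gateway-to-target hop verifiable; the toggle should be a temporary measure, not the steady state.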

Display parameters

Keeper vault client will automatically choose an appropriate display size for RDP connections based on the size of the browser window and the DPI of the device. The size of the display can be forced by specifying explicit width or height values. To reduce bandwidth usage, you may also request that the server reduce its color depth.

Field
Description

Width

The width of the display to request, in pixels. If this value is not specified, the width of the connecting client display will be used instead.

Height

The height of the display to request, in pixels. If this value is not specified, the height of the connecting client display will be used instead.

Resolution (DPI)

The desired effective resolution of the client display, in dpi. If this value is not specified, the resolution and size of the client display will be used together to determine, heuristically, an appropriate resolution for the RDP session.

Color depth

The color-depth to request, in bits per pixel. Legal values 8, 16, or 24. Note that, regardless of what value is chosen here, Keeper will always attempt to optimize image transmission, automatically using fewer bits per pixel if doing so will not visibly alter image quality.

Force lossless compression

If set to "true", all graphical updates will use lossless compression algorithms. By default, lossy compression will automatically be used when Keeper detects that doing so would likely outperform lossless compression.

Resize method

Resize method used to update the RDP server when the width or height of the client display changes. If this value is not specified, no action will be taken when the client display changes size.

Normally, the display size of an RDP session is constant and can only be changed when initially connecting. As of RDP 8.1, the "Display Update" channel can be used to request that the server change the display size. For older RDP servers, the only option is to disconnect and reconnect with the new size. Legal values are:

  • "display-update" - Use the "Display Update" channel (added in RDP 8.1) to signal the server when display size has changed

  • "reconnect" - Automatically disconnect and reconnect the RDP session when the client display size has changed

Read-only

If set to "true", no input will be accepted on the connection at all. Users will be able to see the desktop or application but will be unable to interact.

Clipboard parameters

Keeper vault client provides bidirectional access to the clipboard by default for RDP connections. This behavior can be overridden on a per-connection basis, restricting access to the clipboard.

Field
Description

Disable copying from remote desktop

If set to "true", copied text within the RDP session will not be accessible by the user at the browser side of the Keeper session, and will be usable only within the remote desktop. By default, the user will be given access to the copied text.

Disable pasting from client

If set to "true", text copied at the browser side of the Keeper session will not be accessible within the RDP session. By default, the user will be able to paste data from outside the browser within the RDP session.


Device redirection parameters

Device redirection refers to the use of non-display devices over RDP. Keeper vault client RDP support currently allows redirection of audio (both output and input), printing, and disk access, some of which require additional configuration in order to function properly:

  • Audio output is always enabled by default. Configuration changes for audio output need only be made if this should be disabled.

  • Audio input, if enabled, allows users to make use of their local microphone within the remote desktop session. Enabling this typically also requires additional configuration within Windows, as group policy is often configured to disable this. Older versions of Windows may lack support for audio input via remote desktop entirely.

  • Printing, if enabled, allows users to print arbitrary documents directly to PDF. When documents are printed to the redirected printer, the user will receive a PDF download of that document within their web browser.

  • File transfer, if enabled, is provided by emulating a virtual disk drive. This drive will persist on the Keeper Gateway, confined within the drive path specified. Coming Soon

Field
Description

Support audio in console

If set to "true", audio will be explicitly enabled in the console (admin) session of the RDP server. Setting this option to "true" only makes sense if the "Administrator console" parameter is also set to "true".

Disable audio

Audio output is always enabled by default. If you are concerned about bandwidth usage, or audio is causing problems, you can explicitly disable audio output by setting this parameter to "true".

Enable audio input (microphone)

If set to "true", audio input support (microphone) will be enabled, leveraging the standard "AUDIO_INPUT" channel of RDP. By default, audio input support within RDP is disabled.

Enable printing

If set to "true", a redirected printer will be made available within the RDP session that users can use to print to a PDF. The PDF is received and automatically downloaded by the user's browser. By default, printing is disabled.

Redirected printer name

The name of the redirected printer device that is passed through to the RDP session. This is the name that the user will see in their applications and within the Devices and Printers control panel. If printer redirection is not enabled, this parameter has no effect.

Enable drive - Coming Soon

If set to "true", a redirected drive will be made available within the RDP session that users can use to transfer files. The contents of the virtual drive are persisted on the Keeper Gateway in the directory specified by the "Drive path" parameter. By default, drive redirection is disabled.

Drive name - Coming Soon

The name of the filesystem used when passed through to the RDP session. This is the name that users will see in their Computer/My Computer area along with the client name, and is also the name of the share when accessing the special \\tsclient network location.

If drive redirection is not enabled, this parameter is ignored.

Drive path - Coming Soon

The directory on the Keeper Gateway in which transferred files should be stored.

If drive redirection is not enabled, this parameter is ignored.

Performance parameters / flags

RDP provides several flags which control the availability of features that decrease performance and increase bandwidth for the sake of aesthetics, such as wallpaper, window theming, menu effects, and smooth fonts. These features are all disabled by default within Keeper such that bandwidth usage is minimized, but you can manually re-enable them on a per-connection basis if desired.

Field
Description

Enable wallpaper

If set to "true", enables rendering of the desktop wallpaper. By default, wallpaper will be disabled, such that unnecessary bandwidth need not be spent redrawing the desktop.

Enable theming

If set to "true", enables use of theming of windows and controls. By default, theming within RDP sessions is disabled.

Enable font smoothing (ClearType)

If set to "true", text will be rendered with smooth edges. Text over RDP is rendered with rough edges by default, as this reduces the number of colors used by text, and thus reduces the bandwidth required for the connection.

Enable full-window drag

If set to "true", the contents of windows will be displayed as windows are moved. By default, the RDP server will only draw the window border while windows are being dragged.

Enable desktop composition (Aero)

If set to "true", graphical effects such as transparent windows and shadows will be allowed. By default, such effects, if available, are disabled.

Enable menu animations

If set to "true", menu open and close animations will be allowed. Menu animations are disabled by default.

Disable bitmap caching

If set to "true", the RDP bitmap cache will not be used. By default, caching of bitmaps is enabled.

This is generally only useful when dealing with an RDP server that has known bugs in its implementation of bitmap caching, and should remain enabled in most circumstances.

Disable off-screen caching

If set to "true," caching of regions of the screen that are not currently visible will be disabled. By default, caching of off-screen regions is enabled.

This is generally only useful when dealing with an RDP server that has known bugs in its implementation of off-screen caching, and should remain enabled in most circumstances.

Disable glyph caching

If set to "true", the RDP glyph cache will not be used. By default, caching of glyphs is enabled.

This is generally only useful when dealing with an RDP server that has known bugs in its implementation of glyph caching, and should remain enabled in most circumstances.

RemoteApp Parameters

Windows Server provides a feature called RemoteApp which allows individual applications to be used over RDP, without providing access to the full desktop environment, through the Remote Desktop Services (RDS) role. If your Windows Server has this feature enabled and configured, or you have RemoteApp configured in another way, you can configure KeeperPAM to launch those individual applications.

Key benefits of using Keeper to access RemoteApps:

  • Centralized management: Admins control apps, updates and permissions from a single pane.

  • Seamless user experience: RemoteApps run in the browser and feel native to users.

  • Cost efficiency: No per-endpoint installs or plugins, which reduces desktop software deployment and maintenance.

  • Enhanced security: Data/apps stay on the secured server; supports RBAC, MFA and session recording.

  • Cross-platform access: Users on macOS, Linux and mobile can access Windows-only apps and other systems via RDP/SSH/VNC/DB.

Field
Description

Program

This is the Remote Application to start on the RDS Host or target system configured with RemoteApp. This application and only this application will be available to the user upon launching the connection.

Typically, for an application to be available, it must first be published as a "RemoteApp" program in a current or newly created "Collection". You can specify the "Alias" you have set of a RemoteApp, such as "||cmd" or use full paths to launch a program instead of an alias such as "C:\Windows\system32\cmd.exe" or "%windir%\system32\cmd.exe".

More information about Remote Desktop Services collections for RemoteApp programs can be found in Microsoft's official documentation.

Working Directory

This is the working directory of the remote application, if any and if the application supports one. Not all applications support a working directory (Notepad, for example, does not).

In the context of Microsoft's RemoteApp, the working directory is the default folder that a remote application uses to open and save files. It is the starting location for file operations and is particularly important for legacy applications that expect to find specific files in a certain place to function correctly such as data or configurations.

To specify "Working Directory" simply add the directory path such as "C:\remoteworkingdir\"

Parameters

This is where you would put "command-line arguments" to pass to the remote application, if any. Not all applications have command-line arguments.

Please refer to the command line documentation for your application's "command-line arguments" and usage.

For example, if you wanted the RemoteApp, "cmd.exe" to enable command extensions, change background/foreground colors and list out the contents of your working directory, upon Launching the RemoteApp connection, you can add the following command-line arguments "/e:on /t:06 /k dir", specifically for "cmd.exe", to this field.

More examples of "command-line arguments", for "cmd.exe" can be found here if you would like to use for testing.
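How the alias used in the Program field comes to exist, and how the server-side command-line setting interacts with the Parameters field, is easier to see from the publishing side. The following PowerShell is an added example, not part of the Keeper documentation; it uses the RemoteDesktop module on an RD Connection Broker to publish cmd.exe with the same arguments as the example above and pins them on the server. The broker name, collection name and user group are assumptions.

```powershell
# Added example, not from the Keeper documentation. Run on the RD Connection Broker
# (or a host with the RemoteDesktop module and rights on the deployment). The broker,
# collection and group names below are placeholders; replace them with your own.
Import-Module RemoteDesktop

$Broker     = 'rdcb01.corp.example'   # hypothetical connection broker FQDN
$Collection = 'AdminTools'            # hypothetical session collection
$Alias      = 'cmd'                   # becomes "||cmd" in the Keeper "Program" field
$Operators  = 'CORP\RDP-Operators'    # hypothetical AD group allowed to see the app

# CommandLineSetting decides what a client (here: the Keeper "Parameters" field) may pass:
#   DoNotAllow - client-supplied arguments are rejected
#   Require    - RequiredCommandLine is always used; client arguments are ignored
#   Allow      - any client arguments are accepted (widest attack surface; avoid for shells)
New-RDRemoteApp -ConnectionBroker $Broker -CollectionName $Collection `
    -DisplayName 'Command Prompt (audited)' -Alias $Alias `
    -FilePath 'C:\Windows\System32\cmd.exe' `
    -CommandLineSetting Require -RequiredCommandLine '/e:on /t:06 /k dir' `
    -UserGroups $Operators

"Keeper Program field value: ||$Alias"

# Review the collection: any app left on "Allow" lets the connecting record choose its
# own arguments, so look for that column when auditing what Keeper users can launch.
Get-RDRemoteApp -ConnectionBroker $Broker -CollectionName $Collection |
    Select-Object Alias, FilePath, CommandLineSetting, RequiredCommandLine
```

With CommandLineSetting set to Require, the RDS host uses the pinned arguments regardless of what is entered in the Keeper Parameters field; switch it to Allow only for the specific programs whose arguments you intend to set from the record.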

Load balancing parameters (connection broker)

If your remote desktop servers are behind a load balancer, sometimes referred to as a "connection broker" or "TS session broker", that balancer may require additional information during the connection process to determine how the incoming connection should be routed. RDP does not dictate the format of this information; it is specific to the balancer in use.

If you are using a load balancer and are unsure whether such information is required, you will need to check the documentation for your balancer. If your balancer provides .rdp files for convenience, look through the contents of those files for a string field called "loadbalanceinfo", as that field is where the required information/cookie would be specified.

Field
Description

Load balance info/cookie

The load balancing information or cookie which should be provided to the connection broker. If no connection broker is being used, this should be left blank.

Preconnection PDU (Hyper-V)

Some RDP servers host multiple logical RDP connections behind a single server listening on a single TCP port. To select between these logical connections, an RDP client must send the "preconnection PDU" - a message which contains values that uniquely identify the destination, referred to as the "RDP source". This mechanism is defined by the "Session Selection Extension" for the RDP protocol, and is implemented by Microsoft's Hyper-V hypervisor.

If you are using Hyper-V, you will need to specify the ID of the destination virtual machine as the "preconnection BLOB". This value can be determined using PowerShell:

PS C:\> Get-VM VirtualMachineName | Select-Object Id 

Id
--
ed272546-87bd-4db9-acba-e36e1a9ca20a

PS C:\> 

The preconnection PDU is intentionally generic. While its primary use is as a means for selecting virtual machines behind Hyper-V, other RDP servers may use it as well. It is up to the RDP server itself to determine whether the preconnection ID, BLOB, or both will be used, and what their values mean.

If you do intend to use Hyper-V, beware that its built-in RDP server uses slightly different parameters for both authentication and the port number, and Keeper's defaults will not work. In most cases, you will need to do the following when connecting to Hyper-V:

  1. Specify both the username and password appropriately, and set the Security Mode to "Hyper-V/VMConnect" (vmconnect). Selecting this security mode configures Keeper to negotiate only the security modes known to be supported by Hyper-V, and automatically selects Hyper-V's default RDP port (2179).

  2. If necessary, ignore the TLS certificate used by Hyper-V, which may be self-signed.
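The two steps above, plus the VM ID lookup, can be gathered in one pass on the host. The following PowerShell is an added example and is not part of the Keeper documentation; it prints the values to enter on the Keeper record for a named VM, checks that the host is listening on the VMConnect port, and checks that the launch credential's account is in a group that may open VM consoles on the host. The VM and account names are assumptions.

```powershell
# Added example, not from the Keeper documentation. Run on the Hyper-V host. For the
# named VM it prints the values for the Keeper record, confirms the host is listening on
# the VMConnect port, and checks whether the launch credential's account can open VM
# consoles. The VM name and account name are placeholders; replace them with yours.
param(
    [string]$VMName  = 'app-vm-01',          # hypothetical VM name
    [string]$PamUser = 'HVHOST\svc-keeper'   # hypothetical launch credential account
)

$vm = Get-VM -Name $VMName -ErrorAction Stop

# The preconnection BLOB is the VM GUID as plain text (no braces). The numeric
# "RDP source ID" stays blank for Hyper-V.
$blob = $vm.Id.ToString()

# Hyper-V's management service serves VMConnect sessions on TCP 2179 on the host,
# not on the guest's own 3389.
$listening = [bool](Get-NetTCPConnection -LocalPort 2179 -State Listen -ErrorAction SilentlyContinue)

# Console access on the host requires membership of Administrators or Hyper-V
# Administrators; resolve the account to a SID so local and domain names compare cleanly.
$sid = (New-Object System.Security.Principal.NTAccount($PamUser)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$grants = foreach ($g in 'Administrators', 'Hyper-V Administrators') {
    $member = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
                  Where-Object { $_.SID.Value -eq $sid }
    if ($member) { $g }
}
$via = if ($grants) { $grants -join ', ' } else { 'none (add the account to Hyper-V Administrators)' }

[pscustomobject]@{
    VMName                       = $vm.Name
    State                        = $vm.State
    'Preconnection BLOB (VM ID)' = $blob
    'RDP Source ID'              = '(leave blank)'
    'Security Mode'              = 'Hyper-V/VMConnect'
    'Connection Port'            = 2179
    HostListeningOn2179          = $listening
    ConsoleAccessVia             = $via
} | Format-List
```

Hyper-V Administrators is the least-privileged group that grants console access, so prefer it over Administrators for the launch credential.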

Field
Description

RDP source ID

The numeric ID of the RDP source. This is a non-negative integer value dictating which of potentially several logical RDP connections should be used. This parameter is only required if the RDP server is documented as requiring it. If using Hyper-V, this should be left blank.

Preconnection BLOB (VM ID)

An arbitrary string which identifies the RDP source - one of potentially several logical RDP connections hosted by the same RDP server. This parameter is only required if the RDP server is documented as requiring it, such as Hyper-V. In all cases, the meaning of this parameter is opaque to the RDP protocol itself and is dictated by the RDP server. For Hyper-V, this will be the ID of the destination virtual machine.

SFTP parameters (file transfer)

Keeper can provide file transfer over SFTP even when the remote desktop is otherwise being accessed through RDP and not SSH. This support is independent of the file transfer implemented through RDP's own "drive redirection" (RDPDR), and is particularly useful for RDP servers which do not support RDPDR. The SFTP server does not need to be the same server as the RDP server.

SSH key or password based authentication must be set up and enabled for the target "SFTP User" on that target system. If you have not set up OpenSSH on the target system, please visit Microsoft's official page "Get started with OpenSSH for Windows".

Field
Description

Enable SFTP

Whether file transfer should be enabled. If set to "true", the user will be allowed to upload or download files from the specified server using SFTP. If omitted, SFTP will be disabled.

SFTP User

The "PAM User" record to authenticate as when connecting to the specified SSH server for SFTP. This parameter is required if SFTP is enabled.

Default upload directory

The directory to upload files to if they are simply dragged and dropped, and thus otherwise lack a specific upload location. If left blank, the default upload location of "C:\Users\<username>\" will be used.

SFTP keepalive interval

The interval in seconds between which keepalive packets should be sent to the SSH server for the SFTP connection, where "0" indicates that no keepalive packets should be sent at all (the default behavior). The minimum legal value is "2".

File Transfers Upload

The following Screenshots illustrate the file "client_id.txt" being uploaded to the target system using the drag-and-drop feature into the connection session window. As you see, in the second image, the file gets uploaded and saved to its Default Upload Directory. Multiple files can be dragged-and-dropped for upload.

File Transfer Download

Currently, the only way to trigger a download of a file from a remote Windows system to the local machine is through a KeeperPAM SSH connection, using a script called guacctl.

The remote machine needs to be running WSL2 with your preferred Linux distribution in order to use the guacctl script.

To download guacctl onto the target system, Launch a KeeperPAM SSH session to the target system and run the following command in your desired directory.

wget -O guacctl https://raw.githubusercontent.com/apache/guacamole-server/master/bin/guacctl

Change the file to be executable:

chmod +x guacctl

Initiate the file download using the following syntax below:

./guacctl -d <filename>    (or with a path: ./guacctl -d <directory>/<filename>)

example:

./guacctl -d clientID.txt    (or: ./guacctl -d /mnt/c/Users/helpdesk/Downloads/clientID.txt)

To download multiple files, use a space separator between file names, as shown with the syntax below:

./guacctl -d <filename> <filename>    (paths may be mixed in: ./guacctl -d <filename> <directory>/<filename>)

example:

./guacctl -d clientID.txt /mnt/c/temp/license.txt

Full Screenshot example below.

The "Save File" window will appear on your local computer allowing you to save the file to your desired location. If multiple files are being downloaded, the Save File window will appear for each file in succession.

Connection Authentication Methods

Keeper Connections can be authenticated using one of the following methods:

  • Launch Credential The session to the target is authenticated using the "Launch Credentials" configured directly on the PAM Machine, PAM Database, or PAM Directory record types. The user does not need access to the credentials in order to launch the connection.

  • Personal/Private Credential When "Allow users to select credentials from the vault" is enabled, users can choose to authenticate the session to the target using a personal/private credential stored securely in their own Keeper Vault.

  • Ephemeral Accounts When the ephemeral account feature is enabled on the PAM Machine or PAM database resources, a system-generated, time-limited privileged account is created specifically for the session. This account is deleted automatically after the session ends, eliminating standing privilege. This method is used for Just-In-Time access with no persistent account on the target system.

Session Recordings - RDP Protocol

RDP Session Recordings

For this protocol, graphical data, including timing information, is recorded. For more details on the recordings and how to access them, see the Session Recording & Playback docs.

Troubleshooting Connections

When troubleshooting authentication and connection issues, check the following:

  • Ensure the user specified in the linked PAM User record has the rights to RDP to the target machine.

  • Adjust your group policy or add the user to the "Remote Desktop Users" group on Windows to grant access.

  • For additional troubleshooting, refer to the Gateway logs which will contain additional information. The location of the Gateway logs depends on the installation method.
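The items in this list can be checked in one run on the target. The following PowerShell is an added example, not part of the Keeper documentation; run it as an administrator on the Windows target. It checks that Remote Desktop is enabled, whether NLA is enforced, that the listener and firewall rules are up on the record's port, and whether the account from the linked PAM User record is allowed (or denied) to log on through Remote Desktop Services, both by group membership and by the user rights that group policy sets. The default account name is an assumption.

```powershell
# Added example, not from the Keeper documentation. Run as an administrator on the
# Windows target to check the troubleshooting items for the account named in the
# linked PAM User record. The default account name is a placeholder; pass your own.
param(
    [string]$PamUser = 'CORP\svc-keeper-rdp',   # hypothetical launch credential account
    [int]$Port = 3389                           # the record's "Connection Port"
)

# Parse one privilege line from a secedit export ("SeX = *S-1-5-32-555,*S-1-5-21-...").
function Get-RightHolders([string[]]$Lines, [string]$Right) {
    $line = $Lines | Where-Object { $_ -like "$Right*" } | Select-Object -First 1
    if (-not $line) { return @() }
    return (($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

$checks = [ordered]@{}

# 1. Remote Desktop switched on, and whether NLA is enforced (the "NLA" security mode needs it).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$checks['Remote Desktop enabled'] = ((Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0)
$checks['NLA enforced']           = ((Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp").UserAuthentication -eq 1)

# 2. Listener and inbound firewall rules on the port the Gateway will connect to.
$checks["Listening on TCP $Port"] = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
$fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
$checks['Firewall "Remote Desktop" rules enabled'] = [bool]$fw

# 3. Resolve the account to a SID so local ("HOST\user") and domain names compare reliably.
$sid = (New-Object System.Security.Principal.NTAccount($PamUser)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Direct membership only; nested domain groups are not expanded here.
$inRdu = [bool](Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | Where-Object { $_.SID.Value -eq $sid })
$inAdm = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Where-Object { $_.SID.Value -eq $sid })
$checks['Member of Remote Desktop Users'] = $inRdu
$checks['Member of Administrators']       = $inAdm

# 4. "Allow/Deny log on through Remote Desktop Services" user rights. Group policy can
#    set these independently of group membership, which is the case the list above mentions.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content -Path $cfg
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
$allow  = Get-RightHolders $rights 'SeRemoteInteractiveLogonRight'
$deny   = Get-RightHolders $rights 'SeDenyRemoteInteractiveLogonRight'
$rduSid = 'S-1-5-32-555'   # BUILTIN\Remote Desktop Users
$admSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$checks['Allowed to log on through RDS'] = ($allow -contains $sid) -or ($inRdu -and ($allow -contains $rduSid)) -or ($inAdm -and ($allow -contains $admSid))
$checks['Denied log on through RDS']     = ($deny  -contains $sid) -or ($inRdu -and ($deny  -contains $rduSid)) -or ($inAdm -and ($deny  -contains $admSid))

$checks.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }

if ($inAdm -and -not $inRdu) {
    Write-Warning 'The account reaches RDP only by being a local Administrator; grant access through "Remote Desktop Users" instead so the launch credential is not an admin.'
}
```

A "Denied" result wins over an "Allowed" one on Windows, so if both show True the deny policy is what to fix. When every line is True and the connection still fails, the Gateway logs are the next place to look, as the list above says.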

Connection Templates

The PAM record type with your target system can also be configured as a Connection template. These templates serve as reusable record types for launching sessions to target systems without needing to predefine a specific hostname or credential. For more information, visit the following:

Connection Templates
