RDP Connections
Keeper Connections - RDP Protocol
Overview
KeeperPAM enables zero-trust privileged session management for target infrastructure using the RDP protocol. This guide explains how to set up RDP connections on your PAM Machine Records in the Keeper Vault. Secure RDP sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.
Prerequisites
Prior to following this guide, familiarize yourself with the prerequisites on the Connections Getting Started page.
The following PAM records are needed to set up this protocol:
The PAM Configuration record contains information about your target infrastructure.
The PAM Machine record contains information about the endpoint you want to establish an RDP connection to.
The PAM User record contains the user credentials that will be used to authenticate to the endpoint.
This guide uses an Azure VM as an example. For details on how this is set up on the PAM Machine record, see the following page:
Example: Azure Windows VM
PAM Settings - Configuring RDP Protocol
Accessing Connection Settings
After creating a PAM record (PAM Machine, PAM Database, or PAM Directory) for your target endpoint, navigate to the Connection section of the PAM Settings screen:
Edit the PAM record.
Click "Set Up" in the PAM Settings section.
Open the "Connection" section in the window that appears.
Configuring Connection Settings
The RDP protocol settings are configured on the PAM Settings screen. The following table lists all the configurable settings for the RDP protocol; settings marked Required must be set before a connection can be established:
Protocol
Required
The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the RDP protocol should be selected
Enable Connection
Required
To enable connection for this record, this toggle needs to be enabled
Graphical Session Recording
When enabled, graphical session recordings will be enabled for this record
Connection Port
The port used to establish the selected protocol connection. By default, this is the port value defined on the PAM Machine record; a port specified here overrides it. The default RDP port is 3389, so this field only needs to be set if the target's RDP listener has been moved to a different port.
Security Mode
The security mode to use for the RDP connection. This mode dictates how data will be encrypted and what type of authentication will be performed, if any. By default, security mode negotiation is performed.
Legal values are:
"any" - Negotiate with the server, allowing the RDP server to choose its preferred security mode (the default).
"NLA" - Network Level Authentication, sometimes also referred to as "hybrid". NLA is driven by CredSSP, which authenticates the user before the session starts and runs over TLS encryption.
"RDP Encryption" - Standard RDP encryption. Newer Windows servers generally have this mode disabled by default, and instead require NLA.
"TLS Encryption" - Transport Layer Security.
"Hyper-V/VMConnect" - Automatically select the security mode based on the security protocols supported by both the client and the server, limiting that negotiation to only the protocols known to be supported by Hyper-V / VMConnect. This security mode must be selected if connecting to the console of a Hyper-V virtual machine.
The default value is "any". With "any" the server decides which mode is used; selecting "NLA" instead guarantees that the connection fails rather than falling back to a weaker mode if the target does not support NLA.
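The security mode is settled by the first exchange of the RDP connection: the client offers a bitmask of protocols in an RDP_NEG_REQ and the server either selects one (RDP_NEG_RSP) or refuses (RDP_NEG_FAILURE). The following script, an added example that is not code from Keeper, reproduces that exchange so you can see what a target will accept before choosing a mode. The MS-RDPBCGR structures and constants are real; the mapping of Keeper's mode names onto requestedProtocols values and the target hostname are assumptions for illustration.

```powershell
# Added example, not code from Keeper. Sends the X.224 Connection Request with an
# RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1) and decodes the server's RDP_NEG_RSP or
# RDP_NEG_FAILURE (2.2.1.2). Run from any host that can reach the target's RDP port.

function Read-Exact {
    param([System.IO.Stream] $Stream, [int] $Count)
    $buf = New-Object byte[] $Count
    $read = 0
    while ($read -lt $Count) {
        $n = $Stream.Read($buf, $read, $Count - $read)
        if ($n -le 0) { throw "Connection closed after $read of $Count bytes" }
        $read += $n
    }
    Write-Output -NoEnumerate $buf
}

function Test-RdpNegotiation {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [int] $Port = 3389,
        # requestedProtocols bitmask: PROTOCOL_RDP=0x0, PROTOCOL_SSL=0x1,
        # PROTOCOL_HYBRID (NLA via CredSSP)=0x2, PROTOCOL_HYBRID_EX=0x8.
        # 0xB offers everything and lets the server pick, which is what the "any"
        # mode does. Assumed mapping: "NLA"=0x2, "TLS Encryption"=0x1, "RDP Encryption"=0x0.
        [uint32] $RequestedProtocols = 0x0B
    )

    # RDP_NEG_REQ: type 0x01, flags 0x00, length 8 (LE), requestedProtocols (LE)
    [byte[]] $negReq = @(0x01, 0x00, 0x08, 0x00) + [BitConverter]::GetBytes($RequestedProtocols)
    # X.224 Connection Request: LI=14 (6 fixed bytes + 8-byte RDP_NEG_REQ), code 0xE0,
    # DST-REF 0, SRC-REF 0, class 0
    [byte[]] $x224 = @(0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00) + $negReq
    # TPKT header: version 3, reserved 0, big-endian length 4 + 15 = 19
    [byte[]] $tpkt = @(0x03, 0x00, 0x00, 0x13) + $x224

    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $stream.Write($tpkt, 0, $tpkt.Length)
        [byte[]] $hdr = Read-Exact $stream 4
        $len = ([int]$hdr[2] -shl 8) -bor [int]$hdr[3]
        [byte[]] $cc = Read-Exact $stream ($len - 4)   # X.224 Connection Confirm TPDU
    } finally {
        $client.Dispose()
    }

    if ($cc[1] -ne 0xD0) { throw ("Expected X.224 CC (0xD0), got 0x{0:X2}" -f $cc[1]) }
    if ($cc.Length -lt 15) {
        # Legacy servers answer with a bare CC and no RDP_NEG_RSP: Standard RDP Security only
        return [pscustomobject]@{ Outcome = 'Negotiated'; Detail = 'PROTOCOL_RDP (no negotiation response)' }
    }

    # CC layout: 0 LI, 1 code, 2-3 DST-REF, 4-5 SRC-REF, 6 class, 7 neg type, 8 flags,
    # 9-10 length, 11-14 selectedProtocol or failureCode (LE)
    $value = [BitConverter]::ToUInt32($cc, 11)
    switch ($cc[7]) {
        0x02 {
            $names = @{ 0 = 'PROTOCOL_RDP (Standard RDP Security)'; 1 = 'PROTOCOL_SSL (TLS)';
                        2 = 'PROTOCOL_HYBRID (NLA/CredSSP over TLS)'; 8 = 'PROTOCOL_HYBRID_EX' }
            return [pscustomobject]@{ Outcome = 'Negotiated'; Detail = $names[[int]$value] }
        }
        0x03 {
            $codes = @{ 1 = 'SSL_REQUIRED_BY_SERVER'; 2 = 'SSL_NOT_ALLOWED_BY_SERVER';
                        3 = 'SSL_CERT_NOT_ON_SERVER'; 4 = 'INCONSISTENT_FLAGS';
                        5 = 'HYBRID_REQUIRED_BY_SERVER'; 6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER' }
            return [pscustomobject]@{ Outcome = 'Refused'; Detail = $codes[[int]$value] }
        }
        default { throw ("Unknown negotiation type 0x{0:X2}" -f $cc[7]) }
    }
}

# Example runs (hostname assumed): what "any" negotiates, then what "RDP Encryption" gets
Test-RdpNegotiation -TargetHost 'win-target.example.internal'
Test-RdpNegotiation -TargetHost 'win-target.example.internal' -RequestedProtocols 0x0
```

Against a current Windows server with NLA enforced, the first call typically reports PROTOCOL_HYBRID and the second is refused with HYBRID_REQUIRED_BY_SERVER, which is exactly the failure you will see in the Gateway logs if "RDP Encryption" is selected for such a target.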
Disable Authentication
If enabled, authentication will be disabled. Note that this refers to authentication that takes place while connecting. Any authentication enforced by the server over the remote desktop session (such as a login dialog) will still take place. By default, authentication is enabled and only used when requested by the server.
If you are using NLA, authentication must be enabled by definition.
Ignore Server Certificate
If enabled, the certificate returned by the server will be accepted even if it cannot be validated. This is useful if you universally trust the server and your path to it, and you know that the server's certificate cannot be validated (for example, if it is self-signed). Note that ignoring the certificate removes the Gateway's only means of detecting a host impersonating the target, so the preferred fix is to issue the target a certificate the Gateway can validate and leave this disabled.
Load Balance Info/Cookie
The load balancing information or cookie which should be provided to the connection broker. If no connection broker is being used, this should be left blank
RDP Source ID
The numeric ID of the RDP source. This is a non-negative integer value dictating which of potentially several logical RDP connections should be used. This parameter is only required if the RDP server is documented as requiring it. If using Hyper-V, this should be left blank.
Preconnection BLOB (VM ID)
An arbitrary string which identifies the RDP source - one of potentially several logical RDP connections hosted by the same RDP server. This parameter is only required if the RDP server is documented as requiring it, such as Hyper-V. In all cases, the meaning of this parameter is opaque to the RDP protocol itself and is dictated by the RDP server. For Hyper-V, this will be the ID of the destination virtual machine.
Can copy to clipboard
If enabled, text copied within the remote session is made available to the user's local clipboard.
Can paste from clipboard
If enabled, the user can paste text from their local clipboard into the remote session.
Disable Audio
Audio output is always enabled by default. If you are concerned about bandwidth usage, or audio is causing problems, you can explicitly disable audio output
Troubleshooting Connections
When troubleshooting authentication and connection issues, check the following:
Ensure the user specified in the linked PAM User record has the right to log on to the target machine through Remote Desktop.
Adjust group policy (the "Allow log on through Remote Desktop Services" user right) or add the user to the "Remote Desktop Users" group on Windows to grant access.
For additional troubleshooting, refer to the Gateway logs, which contain more detail on why a connection failed. The location of the Gateway logs depends on the installation method.
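The checks above (Remote Desktop enabled, the user's logon right, the listener's NLA and security layer settings, the port, and the certificate the listener presents) can all be read on the target host itself. The following script is an added example, not Keeper's code; run it in an elevated PowerShell session on the target Windows host. The account name is an assumed placeholder for the user in the linked PAM User record.

```powershell
# Added example, not code from Keeper. Checks on the target Windows host the
# conditions an RDP session through the Gateway depends on.

function Test-RdpTarget {
    param([Parameter(Mandatory)] [string] $PamUser)
    $r = [ordered]@{}

    # Remote Desktop itself must be enabled (fDenyTSConnections = 0)
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $r['RemoteDesktopEnabled'] = ($ts.fDenyTSConnections -eq 0)

    # Listener settings decide which Security Mode can succeed: UserAuthenticationRequired=1
    # means NLA is enforced ("NLA" or "any" work, "RDP Encryption" is refused);
    # SecurityLayer 0=RDP Security, 1=Negotiate, 2=TLS.
    $l = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $r['NlaRequired']   = [bool] $l.UserAuthenticationRequired
    $r['SecurityLayer'] = @('RDP', 'Negotiate', 'TLS')[$l.SecurityLayer]
    # Thumbprint of the certificate the listener presents to the Gateway. Validate
    # against this instead of enabling "Ignore Server Certificate".
    $r['ListenerCertSha1'] = $l.SSLCertificateSHA1Hash

    # Listener port must match the Connection Port on the PAM Settings (3389 by default)
    $port = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
    $r['ListenerPort'] = $port
    $r['Listening']    = [bool] (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

    # The PAM user needs the "Allow log on through Remote Desktop Services" right, granted
    # by default to Administrators and Remote Desktop Users. Direct membership only:
    # membership inherited through nested domain groups is not resolved here.
    $rdu = Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object Name
    $adm = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
    $r['UserCanRdp'] = ($rdu -contains $PamUser) -or ($adm -contains $PamUser)

    # Inbound firewall rules in the Remote Desktop group must be enabled
    $fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    $r['FirewallAllowsRdp'] = [bool] $fw

    [pscustomobject] $r
}

function Grant-RdpAccess {
    # Least privilege: Remote Desktop Users grants the logon right without admin rights
    param([Parameter(Mandatory)] [string] $PamUser)
    if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' | Where-Object Name -eq $PamUser)) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $PamUser
    }
}

# Assumed account name for the linked PAM User record
$status = Test-RdpTarget -PamUser 'CONTOSO\svc-pam'
$status | Format-List
if (-not $status.UserCanRdp) { Grant-RdpAccess -PamUser 'CONTOSO\svc-pam' }
```

If NlaRequired is true, leave the Security Mode on "any" or "NLA"; if ListenerCertSha1 is not a certificate the Gateway trusts, fix the certificate rather than enabling "Ignore Server Certificate". A false UserCanRdp with the user absent from both groups is the most common cause of an authentication failure that the Gateway logs report after a successful network connection.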