RDP Connections

Keeper Connections - RDP Protocol

Overview

KeeperPAM enables zero-trust privileged session management for target infrastructure using the RDP protocol. This guide explains how to set up RDP connections on your PAM Machine Records in the Keeper Vault. Secure RDP sessions are established from the Vault, through the Keeper Gateway, and directly to target devices.

Prerequisites

Prior to following this guide, familiarize yourself with the prerequisites on the Connections Getting Started page.

The following PAM records are needed to set up this protocol successfully:

PAM Record
Definition

The PAM Configuration record describes the target infrastructure (environment) the Gateway connects to.

The PAM Machine record describes the endpoint you want to establish an RDP connection to.

The PAM User record holds the credentials that will be used to authenticate to the endpoint.

This guide uses an Azure VM as an example. For details on how this is set up on the PAM Machine record, visit the following page:

Example: Azure Windows VM

PAM Settings - Configuring RDP Protocol

Accessing Connection Settings

After creating a PAM Record Type (PAM Machine, PAM Database, or PAM Directory) with your target endpoint, navigate to the Connection Section on the PAM Settings screen by:

  1. Editing the PAM Record

  2. Clicking on "Set Up" in the PAM Settings section

  3. Navigating to the "Connection" section in the window that opens

Configuring Connection Settings

Prior to configuring the RDP protocol settings on the PAM Settings screen, make sure the records listed under Prerequisites exist and are linked to the record being edited.

The following table lists the configurable settings for the RDP protocol on the PAM Settings screen; fields marked Required must be set:

Field
Definition

Protocol

Required

The protocol to be configured on the record. The protocol settings will be populated based on the selected protocol. In this guide, the RDP protocol should be selected

Enable Connection

Required

To enable connection for this record, this toggle needs to be enabled

Graphical Session Recording

When enabled, graphical session recordings will be enabled for this record

Connection Port

The port used to establish the selected protocol connection. By default, this is the port value defined on the PAM Machine record; a port specified here overrides it. The standard RDP port is 3389, so this only needs to be changed when the target's RDP listener has been moved to a different port.

Security Mode

The security mode to use for the RDP connection. This mode dictates how the session is encrypted and what kind of authentication, if any, is performed before the session starts. By default ("any"), the security mode is negotiated with the server.

Legal values are:

  • "any" - Negotiate with the server, allowing the RDP server to choose its preferred security mode (the default).

  • "NLA" - Network Level Authentication, sometimes also referred to as "hybrid". The user is authenticated with CredSSP (the protocol that drives NLA) before the desktop session is created, and the session is carried over TLS.

  • "RDP Encryption" - Standard (legacy) RDP encryption. This mode does not authenticate the server, so it gives no protection against an interposed host; newer Windows servers generally have it disabled by default and instead require NLA.

  • "TLS Encryption" - Transport Layer Security without NLA; the user is authenticated by the Windows logon screen after the TLS session is established.

  • "Hyper-V/VMConnect" - Automatically select the security mode based on the security protocols supported by both the client and the server, limiting that negotiation to the protocols known to be supported by Hyper-V / VMConnect. This security mode must be selected when connecting to the console of a Hyper-V virtual machine.

Leave this at "any" unless the target is known to require a specific mode. If the target requires NLA and the mode is set to "TLS Encryption" or "RDP Encryption", the server refuses the connection during negotiation.

Disable Authentication

If enabled, authentication will be disabled. Note that this refers to authentication that takes place while connecting. Any authentication enforced by the server over the remote desktop session (such as a login dialog) will still take place. By default, authentication is enabled and only used when requested by the server.

If you are using NLA, authentication must be enabled by definition.

Ignore Server Certificate

If enabled, the certificate returned by the server will be ignored, even if it cannot be validated. This is useful if you universally trust the server and the network path to it, and you know that the server's certificate cannot be validated (for example, because it is self-signed). Be aware that with this setting enabled the Gateway accepts any certificate, so a host interposed on the path could terminate the TLS session and capture the credentials supplied from the PAM User record. Where possible, install a certificate issued by a CA the Gateway trusts on the target and keep this setting off.

Load Balance Info/Cookie

The load balancing information or cookie which should be provided to the connection broker. If no connection broker is being used, this should be left blank

RDP Source ID

The numeric ID of the RDP source. This is a non-negative integer value dictating which of potentially several logical RDP connections should be used. This parameter is only required if the RDP server is documented as requiring it. If using Hyper-V, this should be left blank.

Preconnection BLOB (VM ID)

An arbitrary string which identifies the RDP source, one of potentially several logical RDP connections hosted by the same RDP server. This parameter is only required if the RDP server is documented as requiring it, such as Hyper-V. In all cases, the meaning of this parameter is opaque to the RDP protocol itself and is dictated by the RDP server. For Hyper-V, this is the GUID of the destination virtual machine (the Id property reported by the Hyper-V Get-VM cmdlet).

Can copy to clipboard

If enabled, text copied within the remote session is made available to the user's local clipboard

Can paste from clipboard

If enabled, the user can paste text from their local clipboard into the remote session. Leaving both clipboard options disabled keeps the session clipboard isolated from the user's workstation, which limits data movement in either direction.

Disable Audio

Audio output is enabled by default. If you are concerned about bandwidth usage, or audio is causing problems, you can explicitly disable audio output.

Troubleshooting Connections

When troubleshooting authentication and connection issues, check the following:

  • Ensure the user specified in the linked PAM User record is allowed to log on to the target machine over Remote Desktop. Members of the target's local Administrators group can connect by default; any other user must be added to the target's local "Remote Desktop Users" group or be granted the "Allow log on through Remote Desktop Services" user right through Group Policy, and must not be listed in the corresponding "Deny log on through Remote Desktop Services" right.

  • Confirm that the Gateway can reach the target on the configured Connection Port (3389 unless overridden on the record) and that the selected Security Mode is one the target accepts: a server that requires NLA refuses sessions negotiated as "RDP Encryption" or "TLS Encryption", and a target with a self-signed certificate fails certificate validation unless a trusted certificate is installed or Ignore Server Certificate is enabled.

  • For additional troubleshooting, refer to the Gateway logs, which contain further detail. The location of the Gateway logs depends on the installation method.
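The settings that depend on the target (Security Mode, Ignore Server Certificate, Connection Port) and the troubleshooting steps above all reduce to one question: what does the target's RDP listener actually accept? The following probe is an added example written for this page; it is not Keeper code and it is not what the Gateway runs. It performs only the first step of the RDP handshake, the X.224 Connection Request carrying an RDP Negotiation Request, three times with different requested protocols, and reports which security protocol the server selected (mapped to the Security Mode names used above) or the failure code it returned, which is exactly the refusal a wrong Security Mode produces. When the server selects TLS or NLA, it also records the SHA-256 fingerprint of the certificate the server presents, so a self-signed certificate can be pinned and re-checked instead of enabling Ignore Server Certificate. It uses only the Python standard library; the host and port come from the command line, and the cookie user name "probe" and the printed labels are assumptions of the example. Run it from the Gateway host so it sees the same network path the Gateway does.

```python
"""Probe an RDP listener: which security mode it accepts and which certificate it presents.

Added example for this page, not Keeper code. Uses only the Python standard library.
Wire formats follow MS-RDPBCGR 2.2.1.1 (X.224 Connection Request) and 2.2.1.2
(X.224 Connection Confirm).
"""
import hashlib
import hmac
import socket
import ssl
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1 and 2.2.1.2.1),
# mapped in SECURITY_MODE_NAMES to the Security Mode names used on this page.
PROTOCOL_RDP = 0x00000000        # standard RDP security
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP over TLS (NLA)
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization result

SECURITY_MODE_NAMES = {
    PROTOCOL_RDP: "RDP Encryption",
    PROTOCOL_SSL: "TLS Encryption",
    PROTOCOL_HYBRID: "NLA",
    PROTOCOL_HYBRID_EX: "NLA (HYBRID_EX)",
}

# RDP_NEG_FAILURE failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols, cookie_user="probe"):
    """TPKT + X.224 Connection Request carrying an mstshash cookie and an RDP_NEG_REQ."""
    cookie = f"Cookie: mstshash={cookie_user}\r\n".encode("ascii")  # cookie_user is an assumed label
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg_req  # CR code, DST-REF, SRC-REF, class 0
    x224 = struct.pack("B", len(body)) + body                # LI counts everything after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Return ("negotiated", selectedProtocol) or ("failure", reason) from an X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not a TPKT-framed X.224 Connection Confirm")
    if data[4] == 6:  # LI covers only the fixed part: no rdpNegData, legacy server, standard RDP security
        return ("negotiated", PROTOCOL_RDP)
    if len(data) < 19:
        raise ValueError("truncated rdpNegData")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:  # RDP_NEG_RSP
        return ("negotiated", value)
    if neg_type == 0x03:  # RDP_NEG_FAILURE
        return ("failure", FAILURE_CODES.get(value, f"unknown failure code 0x{value:08x}"))
    raise ValueError(f"unexpected rdpNegData type 0x{neg_type:02x}")


def security_mode_name(selected_protocol):
    return SECURITY_MODE_NAMES.get(selected_protocol, f"unknown protocol 0x{selected_protocol:08x}")


def fingerprint_matches(observed_hex, pinned_hex):
    """Constant-time comparison; colons and case are ignored so values pasted from certificate tools work."""
    normalize = lambda s: s.replace(":", "").lower()
    return hmac.compare_digest(normalize(observed_hex), normalize(pinned_hex))


def probe(host, port, requested_protocols, timeout=5.0):
    """One TCP session: send the request, read the confirm, and if TLS was selected fingerprint the cert."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested_protocols))
        status, value = parse_connection_confirm(sock.recv(1024))
        fingerprint = None
        if status == "negotiated" and value != PROTOCOL_RDP:
            # Verification is off on purpose: the goal is to learn the fingerprint of whatever
            # certificate the target presents (self-signed included) so it can be pinned and
            # re-checked with fingerprint_matches() instead of enabling Ignore Server Certificate.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                fingerprint = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    return status, value, fingerprint


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389  # the default RDP port
    for label, requested in (("RDP Encryption", PROTOCOL_RDP),
                             ("TLS Encryption", PROTOCOL_SSL),
                             ("NLA", PROTOCOL_SSL | PROTOCOL_HYBRID)):
        status, value, fingerprint = probe(target, target_port, requested)
        if status == "negotiated":
            print(f"requested {label:<14} -> server selected {security_mode_name(value)}")
        else:
            print(f"requested {label:<14} -> refused: {value}")
        if fingerprint:
            print(f"{'':<28}server certificate sha256 {fingerprint}")
```

A target that answers the "TLS Encryption" request with HYBRID_REQUIRED_BY_SERVER needs Security Mode set to "NLA" or "any"; a target that answers the "RDP Encryption" request with SSL_REQUIRED_BY_SERVER has legacy RDP security disabled. Pin the printed fingerprint and compare it with fingerprint_matches() on later runs: a changed fingerprint means either a legitimate certificate renewal or something sitting between the Gateway and the target, and either way it warrants a look before the session is trusted.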
