RDP (Remote Desktop Protocol)
  • 30 Jan 2024


      Adding an RDP Zero Trust application

      This article describes how to configure a Zero Trust RDP Application that connects to a remote Windows instance, such as Windows Server 2016, Windows 10 or Windows 11.

      Before we begin

      Make sure you are familiar with the server's authentication methods (username and password or RDP keys) and that you have a tunnel connecting your network and the environment that hosts the Windows instance.

      1. Go to the Applications tab in the Harmony SASE Platform. Select Add application.

      2. Fill in the following information:
      • Application Name: Enter a name of your choice.
      • Protocol: RDP
      • Icon: Use default or choose an icon of your own choice.
      • Host: Enter the internal IP address of the server to which you'd like to connect.
      • Port: 3389
      • Network: Choose the network that contains the gateway from which you created a tunnel to the environment that hosts the server you'd like to connect to.
      • Max number of connections: The maximum number of concurrent RDP sessions.
      • Ignore server certificate: Yes, unless you have enabled RDP over SSL on the server.
      • Admin console: Connect directly to the console session on the Windows server.
      • Display Application Icon at Login Screen: Choose according to your preference.
      • Enable copy-paste from RDP to clipboard: Default: yes
      • Enable printing from RDP: Default: yes
      • URL Alias (Optional): See further instructions here.

      Security Mode: This mode dictates how data will be encrypted and what type of authentication, if any, will be performed. By default, a security mode is selected through a negotiation process that determines what both the client and the server support.

      Authentication:
      Username and Password: Enter one set of credentials as predefined on the server. You will not be required to enter any parameter with the login.
      Domain: If applicable, enter your Active Directory FQDN.


      If the Authentication toggle is Disabled, you'll need to enter your credentials as predefined on the Windows instance with every new RDP login.


      Windows Server 2016/2019 and Windows 10 instances require additional configuration.
      Please follow the "Upstream error" section under Configuration and troubleshooting below.

      • Access Groups: State the names of the user groups that will have access to the RDP application.
      • Policy: Leave blank, or choose a policy that was previously created and matches your needs.


      Configuration and troubleshooting

      Windows 7 users:

      Registry modifications may be required in case you're operating on a Windows 7 device.

      1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Terminal Services.
      2. Select "fServerEnableRDP8".
      3. Set the value type to "REG_DWORD".
      4. Make sure that the value is 1 (enabled); 0 means disabled.
      5. Reboot the machine.

      Windows Server 2016 users:

      Registry modifications may be required in case you're operating on a Windows 2019 server.

      1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
      2. Select "SecurityLayer" and change the value to 1.
      3. Select "UserAuthentication" and change the value to 0.

      Windows Server 2019 users:

      Registry modifications may be required in case you're operating on a Windows 2019 server.

      1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
      2. Select "SecurityLayer" and change the value to 0.
      3. Reboot the machine.
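
      The registry edits in the Windows Server 2016 and 2019 steps above, as an added PowerShell example that is not part of this article: it records the current RDP-Tcp listener values before changing them, so the original, stronger setting can be restored once the connection through the Harmony gateway works. The function names and the backup path are assumptions; the meaning of the registry values is Microsoft's documented RDP-Tcp behaviour.

```powershell
# Added example, not from the Harmony SASE article. Reads and optionally changes the
# RDP-Tcp listener values the article's Windows Server 2016/2019 steps refer to.
# Meaning of the values (Microsoft documented):
#   SecurityLayer       0 = RDP Security Layer, 1 = Negotiate, 2 = TLS (SSL)
#   UserAuthentication  1 = Network Level Authentication required, 0 = not required
# Run from an elevated PowerShell session on the Windows server.
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerPosture {
    $p = Get-ItemProperty -Path $RdpTcp -ErrorAction Stop
    $names = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS (SSL)' }
    [pscustomobject]@{
        SecurityLayer     = [int]$p.SecurityLayer
        SecurityLayerName = $names[[int]$p.SecurityLayer]
        NlaRequired       = ([int]$p.UserAuthentication -eq 1)
    }
}

function Set-RdpListenerPerArticle {
    # -Target names the article section to apply; -WhatIf previews the change.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('Server2016', 'Server2019')][string]$Target)

    # Both profiles weaken the listener (Server2016 turns off NLA; Server2019 drops to
    # the legacy RDP security layer), so save the current values first and restore them
    # once the application connects through the Harmony gateway. Backup path is assumed.
    $backup = Join-Path $env:TEMP ('rdp-tcp-before-{0:yyyyMMdd-HHmmss}.json' -f (Get-Date))
    Get-RdpListenerPosture | ConvertTo-Json | Set-Content -Path $backup

    $values = switch ($Target) {
        'Server2016' { @{ SecurityLayer = 1; UserAuthentication = 0 } }
        'Server2019' { @{ SecurityLayer = 0 } }   # article: reboot afterwards
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$RdpTcp\$name", "Set DWORD to $($values[$name])")) {
            Set-ItemProperty -Path $RdpTcp -Name $name -Value $values[$name] -Type DWord
        }
    }
    Write-Verbose "Previous values saved to $backup"
    Get-RdpListenerPosture   # show the resulting posture
}

# Usage:
#   Get-RdpListenerPosture
#   Set-RdpListenerPerArticle -Target Server2019 -WhatIf
```

Keep TCP 3389 reachable only from the Harmony gateway while these relaxed values are in place, since the listener then accepts sessions without NLA.
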

      Upstream error:

      1. If password authentication is enabled and any security mode is selected, the upstream error implies a wrong username or password. Please make sure your credentials are correct.
      2. If password authentication is disabled, simply edit the application and choose TLS as your security mode.


      Additional troubleshooting steps:

      1. Disable NLA on the remote machine:
         Open the Control Panel and ensure that it is showing items by Category.
         Click System and Security, then under System click Allow remote access. Under the Remote Desktop group, untick the checkbox "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)". Click OK.
