---
title: "RDP (Remote Desktop Protocol)"
slug: "how-to-add-an-rdp-application"
tags: ["Enterprise", "Essentials", "Premium"]
updated: 2026-04-07T08:59:11Z
published: 2026-04-07T08:59:11Z
canonical: "support.perimeter81.com/how-to-add-an-rdp-application"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.perimeter81.com/llms.txt
> Use this file to discover all available pages before exploring further.

# RDP (Remote Desktop Protocol)

## Adding an RDP Zero Trust application

Check Point SASE allows you to create an RDP Zero Trust Application (ZTA) as either:

- **Web Client Type** - A browser-based solution providing convenient and quick remote desktop access without installation.
- **Native Client Type** - A locally installed application offering robust performance and advanced features for remote desktop access.

For networks created or upgraded after September 2024, administrators can configure an IdP Attribute for the Host and/or Port fields, so that each member is directed to their dedicated RDP server. For more information, see [RDP Server Access Based on IdP](/v1/docs/how-to-add-an-rdp-application#rdp-server-access-based-on-idp).

## Prerequisite

Make sure you have the credentials to access the application over RDP.

## Known Limitation

Native applications launched directly from the Check Point Portal Applications Management page might disconnect after a few minutes. To avoid this issue, launch them from Access for Members.

## Adding an RDP ZTA

To add an RDP Zero Trust Application:

1. Access the Check Point SASE Administrator Portal and click **Private Access** > **Applications**.
2. Click **Add Application**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(57).png)  
The **Add application** window appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/AddAppli.PNG)
3. In the **General Settings** section, enter these:
  1. **Application Name** - Name of the application.
  2. **Protocol** - RDP
  3. **Icon** - Icon for the application.
  4. **Client Type** - Select one of these:
    - **Web**
    - **Native**  
      Note - For the Native Client Type, the supported clients are Windows 10, Windows 11, Android, iOS and Mac, with the latest MSTSC or MSRDC applications from Microsoft.
  5. **Host** - Internal IP address of the server to which you want to connect. Select one of these and enter the value:
    - **Fixed Value** - A predefined, unchanging value set by the administrator.
    - **IdP Attribute** - A value provided by the Identity Provider during user authentication. For more information, see [RDP Server Access Based on IdP](/v1/docs/how-to-add-an-rdp-application#rdp-server-access-based-on-idp).  
      Notes:
      - This feature is available only for networks created after September 2024. To use it for existing networks, contact [Check Point Support](https://www.checkpoint.com/support-services/contact-support/).
      - This feature is supported only for Active Directory/LDAP and Azure Active Directory IdPs.
      - The administrator must store the hostname and/or port number in the IdP for each member.
  6. **Port** - Select one of these and enter the value:
    1. **Fixed Value** - The RDP port of the server (3389 by default).
    2. [**IdP Attribute**](/v1/docs/how-to-add-an-rdp-application#rdp-server-access-based-on-idp)
  7. **Network** - Network that hosts the application.
  8. **Max number of connections** - Maximum number of concurrent RDP sessions.  
     Note - Disabled when you select **Client Type** as **Native**.
  9. **Ignore server certificate** - Select **Yes** to accept the RDP server's certificate without validation (for example, a self-signed certificate). Select **No** if the server presents a certificate issued by a trusted CA. Ignoring the certificate disables verification of the server's identity, so select **No** wherever the server has a trusted certificate.
  10. **Admin console** - Select the checkbox to connect directly to the console session on the Windows server.
  11. (Optional) **Display Application Icon at Login Screen** - Displays the application icon for the member in the login page.  
      Note - Disabled when you select **Client Type** as **Native**.
  12. (Optional) **Enable copy-paste from RDP to clipboard** - Allows members to copy data from the RDP session to the local clipboard.
  13. (Optional) **Enable printing from RDP** - Allows members to print from the RDP session.
    - Native RDP - Once enabled, the user's local printer appears in the list of available printers in addition to the remote printers on the remote site.
    - Web RDP - Once enabled, the **Perimeter81 VirtualPrinter** printer appears in the list of available printers and lets the user download a PDF file that can be printed on the user's local printer.
  14. (Optional) **URL Alias** - URL for members to access the application.  
      Important - You cannot add a URL alias after you create the application.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/URLAlias.PNG)
  15. In the **External Domain (CNAME)** field, enter a CNAME associated with your domain.
  16. From the **SSL Certificate** list, select the SSL certificate for the application domain that you uploaded in [Certificate Manager](/v1/docs/url-alias).
  17. Go to your DNS provider (for example, GoDaddy or Route 53 in AWS).  
Under your domain, create a CNAME record with the name specified in the previous step and point it to the application FQDN. The FQDN appears in the application settings after you click **Apply**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/FQDN.PNG)
4. From the **Select Security Mode** list, select a security mode. It sets the encryption and authentication mode used between Check Point SASE and the RDP server.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1727691440687.png)
  - **Any** (default) - Selects the security mode automatically, based on the security protocols supported by the client and the server.
  - **Network Level Authentication (NLA)** - Uses TLS encryption and requires credentials before the session is established. Also referred to as hybrid or CredSSP (the protocol that drives NLA).
  - **Extended Network Level Authentication (NLA-EXT)** - Like NLA, but the server sends an Early User Authorization Result to the client after the NLA handshake.
  - **Transport Layer Security (TLS)** - RDP authentication and encryption through TLS (RDPTLS). Suitable for load balancing where the primary RDP server redirects the connection to secondary servers.
  - **VMconnect** - Selects a security mode supported by Hyper-V or VMConnect automatically, based on the protocols supported by the client and the server.
  - **Remote Desktop Protocol (RDP)** - Legacy RDP encryption without TLS. Suitable for machines running old Windows versions, or where a Windows login screen is required.  
    Note - Disabled when you select **Client Type** as **Native**.
5. In the **Authentication** section, enter these:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Authen.PNG)
  1. **Username** and **Password** - Server credentials.
  2. **Domain** - The FQDN of your Active Directory domain.  
     Notes:
    - If you disable **Authentication**, the member must enter the credentials when accessing the application.
    - Credentials stored here are used for every member who opens the application, so actions on the server are performed under this account rather than the member's own identity.
    - This section is disabled when you select **Client Type** as **Native**.
6. In the **Access Groups and Members** section, in the **Groups and Members** list, select the member groups that can access the application.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/AccessGRP.PNG)
7. (Recommended) In the **Policy Name** list, select an application policy.
8. Click **Apply**.  
The system lists the application in the **Applications** page and enables it by default.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Applic.PNG)

## RDP Server Access Based on IdP

For the RDP Zero Trust Application, administrators can configure an IdP Attribute for the Host and/or Port fields, so that each member is directed to their dedicated RDP server.

Notes:

- The hostname must be an IP address or a Fully Qualified Domain Name (FQDN).
- The administrator must store the hostname and/or port number in the IdP to redirect the member to the appropriate RDP server.
- For the list of supported IdP Attribute properties, see [Microsoft Graph User Properties](https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties).
- Custom properties are not supported.
- For Azure AD, make sure the Azure application has these permissions:
  - `Directory.Read.All`
  - `User.Read`  
For more information, see [Microsoft Entra ID (formerly Azure AD) (Enterprise Application)](/v1/docs/azure-active-directory-enterprise-application).
- To map AD/LDAP attributes to the user profile property names, see [Map AD/LDAP Profile Attributes to Auth0 User Profile](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap/ad-ldap-connector/map-ad-ldap-profile-attributes-to-auth0).
- Working with Active Directory Federation Services (ADFS) is available on demand. For more information, contact [Check Point Support](https://www.checkpoint.com/support-services/contact-support/).

## Additional Registry Configuration

Note - **SecurityLayer** = 0 selects the legacy RDP security layer (no TLS), and **UserAuthentication** = 0 stops the server from requiring Network Level Authentication. Both settings lower the protection of the server's own RDP listener, so apply them only where the connection fails without them, and keep TCP port 3389 reachable only from Check Point SASE, not from the LAN or the Internet.

### Windows 7

1. Open the **Registry Editor**.
2. Navigate to **HKEY_LOCAL_MACHINE** > **Software** > **Microsoft** > **Windows NT** > **Terminal Services**.
3. Select **fServerEnableRDP8**.
4. Set the value type to **REG_DWORD**.
5. Set the value to **1**.
6. Reboot the machine.

### Windows Server 2016

1. Open the **Registry Editor**.
2. Navigate to **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp**.
3. Select **SecurityLayer** and change the value to **1**.
4. Select **UserAuthentication** and change the value to **0**.

### Windows Server 2019

1. Open the **Registry Editor**.
2. Navigate to **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp**.
3. Select **SecurityLayer** and change the value to **0**.
4. Reboot the machine.

## Troubleshooting

### Upstream Error

1. If **Authentication** is enabled, verify the credentials. If it is disabled, change the security mode to **Transport Layer Security (TLS)**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/SecurityMode.PNG)

### Additional Troubleshooting Steps

1. Disable NLA on the remote machine:
  1. Open the **Control Panel**.
  2. Click **System and Security** and, under **System**, click **Allow remote access**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/SysSec.PNG)  
The **System Properties** window appears.
  3. Go to the **Remote** tab and, in the **Remote Desktop** section, clear the **Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)** checkbox.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/SysProperty.PNG)
  4. Click **OK**.
2. If the issue persists, contact [Check Point Support](https://www.checkpoint.com/support-services/contact-support/).
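The registry steps under Additional Registry Configuration and the "Disable NLA" troubleshooting step above both change the same two values on the RDP-Tcp listener (clearing the NLA checkbox in System Properties sets **UserAuthentication** to 0). The following PowerShell script is an added example, not part of the Check Point documentation or product: it reads the listener's current state, decodes what the values mean, takes a backup of the key before changing anything, applies the documented Windows Server 2016 or 2019 settings, and warns when the listener has been left without NLA or TLS. The function and profile names are this example's own; run it in an elevated PowerShell session on the RDP server.

```powershell
# Added example (not Check Point's code). Inspects and sets the RDP-Tcp listener
# security values that the documentation above tells you to edit by hand.
#Requires -RunAsAdministrator

$RdpTcpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpTcpRegKey = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Meaning of the two values (Microsoft Terminal Services settings):
#   SecurityLayer      0 = RDP security layer (legacy RDP encryption, no TLS)
#                      1 = Negotiate (TLS when the client supports it, else RDP)
#                      2 = TLS required
#   UserAuthentication 0 = NLA not required    1 = NLA (CredSSP) required
$SecurityLayerNames = @{ 0 = 'RDP (legacy)'; 1 = 'Negotiate'; 2 = 'TLS' }

function Get-RdpListenerSecurity {
    # Read both values and decode them so an auditor can see the effective state.
    $p = Get-ItemProperty -Path $RdpTcpKey -Name SecurityLayer, UserAuthentication
    [pscustomobject]@{
        SecurityLayer      = [int]$p.SecurityLayer
        SecurityLayerName  = $SecurityLayerNames[[int]$p.SecurityLayer]
        UserAuthentication = [int]$p.UserAuthentication
        NlaRequired        = [bool]$p.UserAuthentication
    }
}

function Backup-RdpListenerSecurity {
    param([string]$Path = "$env:TEMP\RDP-Tcp-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    # Export the whole listener key so the change can be rolled back with reg.exe import.
    reg.exe export $RdpTcpRegKey $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup to $Path failed" }
    return $Path
}

function Set-RdpListenerSecurity {
    param(
        # Profile names are this example's own labels for the documented settings.
        [Parameter(Mandatory)][ValidateSet('Server2016', 'Server2019')]
        [string]$Profile
    )

    $backup = Backup-RdpListenerSecurity
    Write-Host "Backup written to $backup (restore with: reg.exe import `"$backup`")"

    switch ($Profile) {
        # Documented Windows Server 2016 settings: Negotiate security layer, NLA off.
        'Server2016' {
            Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer      -Value 1 -Type DWord
            Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 0 -Type DWord
        }
        # Documented Windows Server 2019 setting: legacy RDP security layer; reboot afterwards.
        'Server2019' {
            Set-ItemProperty -Path $RdpTcpKey -Name SecurityLayer -Value 0 -Type DWord
        }
    }

    $state = Get-RdpListenerSecurity
    if (-not $state.NlaRequired -or $state.SecurityLayer -eq 0) {
        # The listener is now weaker than a default Windows install; it must not be
        # reachable from anywhere other than Check Point SASE.
        Write-Warning ('RDP listener now accepts connections without NLA or without TLS. ' +
                       'Restrict TCP 3389 so that only Check Point SASE can reach this server.')
    }
    return $state
}

# Usage (elevated PowerShell on the RDP server):
#   Get-RdpListenerSecurity                    # audit the current state
#   Set-RdpListenerSecurity -Profile Server2016
#   Set-RdpListenerSecurity -Profile Server2019; Restart-Computer
```

Run `Get-RdpListenerSecurity` first and keep its output with the change ticket: it records the state you are moving away from, and the `.reg` backup lets you restore it once the connection problem is understood. The warning at the end is deliberate. A server that no longer requires NLA will answer unauthenticated RDP negotiation from any host that can reach port 3389, so the weakened listener is only acceptable when network policy limits that reach to Check Point SASE.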
