Register an Individual RDP Server

  • Updated on May 20, 2024

This article describes features that are only available in the Banyan Enterprise edition and Banyan Unlimited edition.

Overview

Use SonicWall’s Cloud Secure Edge (CSE) RDP service to provide your end users zero-trust access to RDP servers, regardless of their network location. RDP traffic flows through the Access Tier wrapped in a mutual-TLS (mTLS) tunnel, as shown in the two flows below (Global Edge first, then self-hosted Access Tier).

Global Edge deployment:

1. The end user requests access to the RDP server. The request is routed to CSE.
2. CSE runs a device trust check via the user’s org’s device manager, which is integrated with the Banyan app.
3. Once the device is verified, the user is authenticated via the org’s identity provider.
4. Once authenticated, the user’s device is issued a Trust Cert. Banyanproxy adds the Trust Cert to the user’s request.
5. The request is passed to the Global Edge Network, relayed to the Connector inside the org’s private network, and then sent to the RDP server.

Self-hosted Access Tier (Private Edge) deployment:

1. The end user requests access to the RDP server. The request is routed to CSE.
2. CSE runs a device trust check via the user’s org’s device manager, which is integrated with the app.
3. Once the device is verified, the user is authenticated via the org’s identity provider.
4. Once authenticated, the user’s device is issued a Trust Cert. Banyanproxy adds the Trust Cert to the user’s request.
5. The request is passed to the self-hosted Access Tier inside the org’s private network, and then sent to the RDP server.

Steps

Setting up access to an individual RDP server follows the same process used to secure any TCP service, as described in Notes on Securing TCP Services.

You can securely expose your RDP server in four steps:

  1. Create a User Role
  2. Create an Access Policy
  3. Define a Service
  4. Connect the desktop app

Step 1: Create a User Role

1.1 In the Command Center, navigate to Directory > Roles, and then select + Add Role.

1.2 Create a User Role, and then select + Add Role Attributes to apply it to specific sets of users (such as By Group contractors).

Step 2: Create an Access Policy

2.1 Navigate to Private Access > Access Policies, and select + Create Policy.

2.2 Select the Infrastructure Policy template.

2.3 Configure the Infrastructure Access Policy by adding a Policy Name, setting a Trust Level, and selecting a Role for the Access Group (likely, the same Role created in Step 1).

Step 3: Define a Service

3.1 Navigate to Private Access > Infrastructure, and then select + Register Service. Select the RDP Service template.

Service Details

3.2 Assign a Service Name (and, optionally, a description and link to be shown to your end users).

3.3 Select a cluster under Cluster Name (you will be given the option to select either a Global Edge cluster or a Private Edge cluster).

3.4 Optional: Append RDP file properties. Examples of RDP file properties that can be appended can be found here.

Note: CSE facilitates the appending of RDP file properties but is not responsible for how RDP file properties function.

Service Attributes

3.5 Depending on whether you selected a Global Edge cluster or a Private Edge cluster in Step 3.3 above, you will select either a Connector (Global Edge) or an Access Tier (self-hosted Private Edge), respectively.

3.6 Select a Service Domain Name (e.g., myrdpserver.corp.example.com), and leave the port as 8443.

3.7 Set the method for how incoming connections should be proxied to the backend as Fixed Backend Domain.

3.8 Set the Backend Domain to 10.10.12.12 and the port to 12345. Banyanproxy will tunnel traffic to that backend port (12345 in this example).

3.9 Optional: Set the Backend DNS Override for the Service Domain Name.

Service Connection Settings

3.10 Set the Assigned Listen Port. Choose whether you want end users to be able to override these settings.

3.11 Optional: Attach the policy you created in Step 2, and then choose an Enforcement Mode (i.e., Permissive or Enforcing).

Note: An RDP service can be created without attaching an Access Policy, but it will not be a functional service until an Access Policy is attached.
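The service definition built in steps 3.2 through 3.11 has a few preconditions that are easy to miss in the form: a Connector or Access Tier matching the cluster type, the service port left at 8443, a backend domain and port for a fixed backend, a listen port, a valid enforcement mode, and an attached Access Policy (without which the service is not functional). The following is an added example, not SonicWall or Banyan code: the field names are assumptions chosen to mirror the form fields above, not the Command Center’s own schema, and the sample values are constructed (the backend values match steps 3.6 and 3.8; the listen port and names are made up).

```python
"""Pre-save sanity check for an RDP service definition (steps 3.2-3.11).

Added example; not SonicWall/Banyan code. Field names are assumptions
mirroring the form fields, not the Command Center's own schema.
"""
from dataclasses import dataclass
from typing import List, Optional

CLUSTER_TYPES = ("Global Edge", "Private Edge")        # step 3.3
ENFORCEMENT_MODES = ("Permissive", "Enforcing")        # step 3.11
DEFAULT_SERVICE_PORT = 8443                            # step 3.6


@dataclass
class RdpService:
    name: str                       # step 3.2
    cluster_type: str               # step 3.3: "Global Edge" or "Private Edge"
    edge_component: str             # step 3.5: Connector or Access Tier name
    service_domain: str             # step 3.6
    backend_domain: str             # step 3.8
    backend_port: int               # step 3.8
    listen_port: int                # step 3.10
    service_port: int = DEFAULT_SERVICE_PORT
    backend_mode: str = "Fixed Backend Domain"   # step 3.7
    policy: Optional[str] = None    # step 3.11
    enforcement_mode: str = "Permissive"


def _valid_port(port) -> bool:
    return isinstance(port, int) and 1 <= port <= 65535


def check_rdp_service(svc: RdpService) -> List[str]:
    """Return a list of problems; an empty list means the definition is usable."""
    issues: List[str] = []
    if not svc.name.strip():
        issues.append("service name is required")
    if svc.cluster_type not in CLUSTER_TYPES:
        issues.append(f"unknown cluster type {svc.cluster_type!r}")
    elif not svc.edge_component.strip():
        needed = "Connector" if svc.cluster_type == "Global Edge" else "Access Tier"
        issues.append(f"a {needed} must be selected for a {svc.cluster_type} cluster")
    if not svc.service_domain.strip():
        issues.append("service domain name is required")
    if svc.service_port != DEFAULT_SERVICE_PORT:
        issues.append(f"service port should be left as {DEFAULT_SERVICE_PORT}")
    if svc.backend_mode == "Fixed Backend Domain":
        if not svc.backend_domain.strip():
            issues.append("fixed backend domain requires a backend domain")
        if not _valid_port(svc.backend_port):
            issues.append("backend port must be 1-65535")
    if not _valid_port(svc.listen_port):
        issues.append("assigned listen port must be 1-65535")
    if svc.enforcement_mode not in ENFORCEMENT_MODES:
        issues.append(f"enforcement mode must be one of {ENFORCEMENT_MODES}")
    if not svc.policy:
        # The page's own caveat: the service exists but does nothing
        # useful until an Access Policy is attached.
        issues.append("no access policy attached: the service will not be functional until one is")
    return issues


# Constructed sample: backend values from steps 3.6 and 3.8, the rest made up.
EXAMPLE_SERVICE = RdpService(
    name="Finance RDP",
    cluster_type="Global Edge",
    edge_component="hq-connector",
    service_domain="myrdpserver.corp.example.com",
    backend_domain="10.10.12.12",
    backend_port=12345,
    listen_port=3390,
    policy="rdp-contractors",
    enforcement_mode="Enforcing",
)

if __name__ == "__main__":
    for problem in check_rdp_service(EXAMPLE_SERVICE) or ["ok"]:
        print(problem)
```

Running the script on the constructed sample prints `ok`; drop the `policy` value and the check reports the non-functional-service condition the note above describes.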

Step 4: Connect the desktop app

Ensure your end users install the latest desktop app and register their device.

4.1 In the desktop app, locate the RDP service and select Connect.

4.2 Open your preferred RDP client (such as Windows Remote Desktop), and create a new PC.

4.3 Copy the IP and port from the desktop app, and then save the new PC. Enter user account credentials as needed.

4.4 The RDP client will use banyanproxy to automatically tunnel the RDP session over a mutual-auth TLS (mTLS) channel using HTTP CONNECT.
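Steps 3.4 and 4.3 together determine what the end user’s RDP client actually loads: the local IP and port copied from the desktop app become the `full address`, and any RDP file properties appended in the Command Center are delivered alongside it. The following is an added example, not code from SonicWall or the Banyan desktop app. It assumes the standard `.rdp` file layout of `name:type:value` lines (type `s` for string, `i` for integer, `b` for binary/hex), validates the appended properties so a typo is caught before it reaches every user, and refuses an appended `full address`, since that is the one property that would point the client away from the local tunnel endpoint. The local address, port and appended properties are constructed sample values.

```python
"""Build the .rdp file an end user saves in step 4.3.

Added example; not SonicWall/Banyan code. Assumes the standard
'name:type:value' .rdp layout. The address, port and properties below
are constructed sample values; real users copy the IP and port from
the desktop app.
"""
import re
from typing import Dict, Tuple

LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# 'full address' is what routes the session to banyanproxy's local
# listener, so an appended property may not replace it.
RESERVED = {"full address"}


def parse_rdp_properties(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse appended RDP file properties (step 3.4) into {name: (type, value)}.

    Raises ValueError for a malformed line, a non-integer 'i' value or a
    non-hex 'b' value.
    """
    props: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected name:type:value, got {raw!r}")
        name, typ, value = m.group("name", "type", "value")
        if typ == "i" and not re.fullmatch(r"-?\d+", value):
            raise ValueError(f"line {lineno}: {name!r} is typed i but {value!r} is not an integer")
        if typ == "b" and not re.fullmatch(r"[0-9A-Fa-f]*", value):
            raise ValueError(f"line {lineno}: {name!r} is typed b but {value!r} is not hex")
        props[name.strip().lower()] = (typ, value)
    return props


def build_rdp_file(local_ip: str, local_port: int, appended: str = "") -> str:
    """Return .rdp text whose 'full address' is banyanproxy's local listener,
    followed by the validated appended properties. CRLF line endings match
    what the Windows Remote Desktop client writes."""
    props = parse_rdp_properties(appended)
    clash = RESERVED.intersection(props)
    if clash:
        raise ValueError(f"appended property {sorted(clash)} would bypass the local tunnel endpoint")
    lines = [f"full address:s:{local_ip}:{local_port}"]
    lines += [f"{name}:{typ}:{value}" for name, (typ, value) in props.items()]
    return "\r\n".join(lines) + "\r\n"


# Constructed sample: properties an admin might append in step 3.4.
SAMPLE_APPENDED = """\
screen mode id:i:2
prompt for credentials:i:1
redirectclipboard:i:0
"""

if __name__ == "__main__":
    # 127.0.0.1:3390 stands in for the IP and port shown in the desktop app.
    print(build_rdp_file("127.0.0.1", 3390, SAMPLE_APPENDED), end="")
```

Redirect the script’s output to a `.rdp` file and open it in the RDP client to reproduce steps 4.2 and 4.3 without typing the address by hand; the client then connects to banyanproxy’s local listener exactly as step 4.4 describes.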
