Register an Individual RDP Server

  • Updated on Apr 09, 2024

This article describes features that are only available in the Banyan Enterprise edition and Banyan Unlimited edition.

Overview

Use Banyan’s RDP service to provide your end users zero-trust access, regardless of their network location. RDP traffic flows through Banyan’s Access Tier and is wrapped in a mutual TLS (MTLS) tunnel. The two flows below describe the request path for each deployment type.

Global edge deployment (Connector):

1. The end user requests access to the RDP server. The user’s request is routed to Banyan.
2. Banyan runs a device trust check via the user’s org’s device manager, which is integrated with the Banyan app.
3. Once verified, the device is then authenticated via their org’s identity provider.
4. Once authenticated, the user’s device is issued a Trust Cert. Banyanproxy adds the Trust Cert to the user’s request.
5. The user’s request is passed to the Global Edge Network, relayed to the Connector inside the org’s private network, and then sent to the RDP server.

Private edge deployment (self-hosted Access Tier):

1. The end user requests access to the RDP server. The user’s request is routed to Banyan.
2. Banyan runs a device trust check via the user’s org’s device manager, which is integrated with the Banyan app.
3. Once verified, the device is then authenticated via their org’s identity provider.
4. Once authenticated, the user’s device is issued a Trust Cert. Banyanproxy adds the Trust Cert to the user’s request.
5. The user’s request is passed to the self-hosted Access Tier inside the org’s private network, and then sent to the RDP server.

Steps

Setting up access to an individual RDP server follows the same setup process used to secure a TCP service, as described in Notes on Securing TCP Services.

You can securely expose your RDP server in four steps:

  1. Create a Role
  2. Create a Policy
  3. Define a Service
  4. On the end user device, connect the Banyan desktop app

1. Create a Role for your end users

1.1 In the Banyan Command Center, navigate from Directory > Roles, and then select + Add Role.

1.2 Create a User Role, and then select + Add Role Attributes to apply it to specific sets of users (such as By Group contractors).

2. Create a Policy for your RDP server

2.1 Navigate from Private Access > Access Policies, and select + Create Policy.

2.2 Select the Infrastructure Policy template.

3. Register a Service for your RDP Server

3.1 Navigate from Private Access > Infrastructure, and then select + Register Service. Select the option RDP Service. Configure the RDP service as shown below:

3.2 Under Service Details, assign a domain name for this service (e.g., myrdpserver.corp.example.com), and leave the port as 8443.

3.3 Select a Cluster.

3.4 Under Service Attributes, select an Access Tier (self-hosted private edge deployment) or a Connector (global edge deployment).

3.5 Select a Service Domain Name.

3.6 Set the method for how incoming connections should be proxied to the backend to Fixed Backend Domain.

3.7 Set the Backend Domain to 10.10.12.12 and port 12345. The banyanproxy will tunnel traffic over port 12345.

3.8 Optional: Set the Backend DNS Override for the Service Domain Name.

3.9 Under Service Connection Settings, set the Assigned Listen Port. Choose whether you want end users to be able to override these settings.

3.10 Optional: Attach the policy you created in Step 2, and then choose an Enforcement Mode (i.e., Permissive or Enforcing).

4. Connect via the Banyan desktop app

Ensure your end users install the latest Banyan desktop app and register their device.

4.1 In the Banyan desktop app, locate the RDP service and select Connect (only necessary if Autorun is not enabled).

4.2 Open your preferred RDP client (such as Windows Remote Desktop), and create a new PC.

4.3 Copy the IP and port from the Banyan Desktop App and then save the new PC. Enter user account credentials as needed.

4.4 The RDP client will use banyanproxy to automatically tunnel the RDP session over a Mutual-Auth TLS channel using HTTP CONNECT.
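
To make step 4.4 concrete, here is an added example (not Banyan's code and not part of the original article) of a generic HTTP CONNECT tunnel opened over mutual TLS in Python. The function names, the certificate and key paths, and the choice of CONNECT target are assumptions for illustration; banyanproxy's own wire details are not described on this page.

```python
import socket
import ssl

MAX_HEAD = 16384  # refuse oversized proxy replies instead of buffering forever

def build_connect_request(target_host: str, target_port: int) -> bytes:
    """HTTP/1.1 CONNECT request asking the proxy to open a raw TCP tunnel."""
    authority = f"{target_host}:{target_port}"
    return (f"CONNECT {authority} HTTP/1.1\r\n"
            f"Host: {authority}\r\n\r\n").encode("ascii")

def parse_connect_response(head: bytes) -> int:
    """Return the status code; raise unless the proxy answered 2xx."""
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy response: {status_line!r}")
    code = int(parts[1])
    if not 200 <= code < 300:
        raise ConnectionError(f"tunnel refused: {status_line}")
    return code

def open_mtls_tunnel(edge_host, edge_port, client_cert, client_key,
                     target_host, target_port):
    """Connect to the edge with a client certificate, then CONNECT through it.

    client_cert / client_key are hypothetical PEM file paths standing in for
    the device's issued certificate. Returns a TLS socket carrying the tunnel.
    """
    ctx = ssl.create_default_context()            # verifies server chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(client_cert, client_key)  # client half of mutual auth
    raw = socket.create_connection((edge_host, edge_port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=edge_host)
    tls.sendall(build_connect_request(target_host, target_port))
    head = b""
    while b"\r\n\r\n" not in head:                # read the reply headers only
        chunk = tls.recv(4096)
        if not chunk or len(head) + len(chunk) > MAX_HEAD:
            tls.close()
            raise ConnectionError("no complete CONNECT reply from proxy")
        head += chunk
    parse_connect_response(head)                  # raises if the tunnel was denied
    return tls                                    # RDP bytes are relayed over this
```

A local proxy built this way would listen on the assigned listen port on the loopback address and relay each accepted RDP client connection over the socket returned by `open_mtls_tunnel`.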

