Hi,
We have granted remote desktop access to users as it is required for connecting to remote apps.
In doing so, we are also granting them access to the RDS server directly via RDP.
How can we prevent RDP connections to the server without disabling their access to remote apps?
Yazid-
If you tunnel your connections through a unified access gateway, you can force Blast or PCoIP, and they will connect using those protocols and then the UAG will handle the RDP part. Then block all RDP except from the UAG and allowed admin networks. You can't do it per user unfortunately, but this is what we do. We have all of our virtual desktops in their own firewall zone; RDP is impossible except for specified network ranges. All connections go through different UAGs using Blast or PCoIP; we don't allow RDP at all except by admins for maintenance.
Are you tunneling users through a security gateway or UAG? If so, that is a simple firewall rule in Windows Firewall.
If not, the common way is to set the RDS setting to execute logoff.exe at logon. RemoteApp is really a limited RDP session.
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session > Remote Session Environment
Set the program as c:\windows\system32\logoff.exe and the work directory as c:\windows\system32.
Hi,
It works, but it applies to all logons.
How can we apply it only to non-admin accounts? Thank you.
Regards,
Yazid-
To do the logon part, you use security filtering: have groups that the GPO applies to and put in the groups you want it to apply to. I'm not a fan of this unless it's necessary, as this can break in some cases.
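One way to script the logoff-on-logon GPO plus the security filtering discussed above, as an added example that is not from this thread. It assumes the GroupPolicy RSAT module on a domain-joined admin host; the GPO, group and OU names are placeholders; and it uses the User Configuration counterpart of the same "Start a program on connection" policy so it can be filtered on a user group without loopback processing.

```powershell
# Added example, not from the thread. Assumes: GroupPolicy module available, a security
# group (placeholder name) that holds only the non-admin RemoteApp users, and that
# admin accounts are NOT members of that group.
Import-Module GroupPolicy

$GpoName   = 'RDS - Logoff on full desktop'   # placeholder GPO name
$UserGroup = 'RDS-RemoteApp-Users'            # placeholder group of non-admin users
$TargetOU  = 'OU=RDS Users,DC=example,DC=com' # placeholder OU where those users live

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# 2. User-side "Start a program on connection" -> logoff.exe. A full desktop logon
#    runs logoff.exe immediately; RemoteApp launches supply their own program and
#    are not affected, which is the behaviour the thread relies on.
$key = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'InitialProgram' `
    -Type String -Value 'C:\Windows\System32\logoff.exe' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'WorkDirectory' `
    -Type String -Value 'C:\Windows\System32' | Out-Null

# 3. Security filtering: remove the default Authenticated Users apply right and
#    grant GpoApply only to the non-admin group, so admins keep a full desktop.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Since MS16-072 the computer account must still be able to READ the GPO,
# otherwise user policy silently stops applying once Authenticated Users is gone.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 4. Link it to the users' OU. Verify on the session host with
#    "gpresult /r /scope:user": the GPO should be listed for a member of
#    $UserGroup and absent for an admin account.
New-GPLink -Name $GpoName -Target $TargetOU -ErrorAction SilentlyContinue | Out-Null
```

Test with one member of the group (both a RemoteApp launch and a full-desktop attempt) before linking it broadly, since a mistake here locks everyone in the group out of the desktop rather than just the intended users.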
Hi sjesse,
We don't have UAG in our VDI environment. All connections are via the connection server.
So we have to use GPO then. Thank you.
Regards,
Yazid-