VMware Horizon Community
yzzzd
Contributor

published apps remote desktop connection

Hi,

We have granted remote desktop access to users as it is required for connection to remote apps.

Doing so, we are also granting them access to the RDS server directly via RDP.

How can we prevent RDP connections to the server without disabling their access to remote apps?

Yazid-


Accepted Solutions
sjesse
Leadership

If you tunnel your connections through a Unified Access Gateway, you can force Blast or PCoIP, and they will connect using those protocols and then the UAG will handle the RDP part. Then block all RDP except from the UAG and allowed admin networks. You can't do it per user, unfortunately, but this is what we do. We have all of our virtual desktops in their own firewall zone; RDP is impossible except for specified network ranges. All connections go through different UAGs using Blast or PCoIP; we don't allow RDP at all except by admins for maintenance.
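
The firewall scoping described in this answer can be applied on the RDS host with the built-in Windows Firewall cmdlets. This is an added example, not part of the original thread; the addresses are constructed placeholders (RFC 5737 ranges) standing in for the UAG appliances and admin network, and it assumes users reach published apps over Blast or PCoIP rather than RDP.

```powershell
#Requires -RunAsAdministrator
# Added example: limit inbound RDP (3389) on an RDS host to named sources.
# Every address below is a constructed placeholder, not a value from the thread.
$AllowedRdpSources = @(
    '192.0.2.10',        # placeholder: UAG appliance
    '192.0.2.11',        # placeholder: second UAG appliance
    '198.51.100.0/24'    # placeholder: admin maintenance network
)

# 1. Create the scoped allow rules first, so an admin working over RDP from an
#    allowed range is not cut off when the broad rules are disabled in step 2.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP from UAG and admin networks ($proto)" `
        -Direction Inbound -Action Allow -Protocol $proto -LocalPort 3389 `
        -RemoteAddress $AllowedRdpSources | Out-Null
}

# 2. Disable the built-in Remote Desktop rules, which allow any remote address.
#    'Remote Desktop' is the English display group name; it differs on other locales.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. The scoped rules only restrict anything if unmatched inbound traffic is dropped.
#    DefaultInboundAction should read Block (NotConfigured also means Block).
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. List every enabled inbound allow rule that names port 3389, with its source
#    scope. Any row whose RemoteAddress is 'Any' still exposes RDP to all clients.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.LocalPort -contains '3389') {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $port.Protocol
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
            }
        }
    } | Format-Table -AutoSize
```

If firewall rules are delivered by Group Policy, make the same scope change in the GPO, since locally created rules can be overridden or ignored by policy.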


5 Replies
techguy129
Expert

Are you tunneling users through a security gateway or UAG? If so, that is a simple firewall rule in Windows Firewall.

If not, the common way is to set the RDS setting to execute the logoff.exe at logon. RemoteApp is really a limited RDP session.

Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session>Remote Session Environment under Computer Configuration

Set program as c:\windows\system32\logoff.exe and work directory as c:\windows\system32

yzzzd
Contributor

Hi,

It works. But it applies to all logons.

How can we apply it only to non-admin accounts? Thank you.

Regards,
Yazid-


sjesse
Leadership

To do the logon part, you use security filtering and have groups that the GPO applies to, and put in the groups you want it to apply to. I'm not a fan of this unless it's necessary, as this can break in some cases.

yzzzd
Contributor

Hi sjesse,

We don't have UAG in our VDI environment. All connections are via connection server.

So we have to use GPO then. Thank you.

Regards,
Yazid-
