Zero-Trust Desktop Access
Desktop Access via Zero Trust
Most of your applications are now modern, responsive web apps. However, you still have some native Desktop applications, and you need to be able to access them remotely, safely and simply. You need to grant specific users access to specific Desktops, but the usual approaches may not work for you: your Desktop may run at a site without a public IP, or without a firewall you can configure to allow safe inbound access. Perhaps your house, perhaps a branch office.
In 10 minutes you can have 1-click remote access to that Desktop, with no configuration on site and no change to the Desktop or the firewall.
Desktop Access Setup
Note: you can use a site-to-site VPN via IPsec, or use the onsite Agilicus Agent Connector for each pool of servers. These instructions assume the latter.
Detailed Desktop Creation
The ‘Desktops/New’ page asks 3 questions:
- Connector. You will already have set this up; you need 1 per site (or more if you wish, e.g. 1 per host).
- Name. This is the ‘name’ you assign permission to; it will show in the audit, and the end-user will see it.
- Hostname/IP. This is how you would address the Desktop from within the (private) site.
Once you have completed these steps, as an Administrator you will be offered the opportunity to download an RDP file. This will open in your native Remote Desktop application (on all platforms). The Desktop will become available approximately 1-2 minutes after you apply the config.
You may now assign permissions (by group, or by user). Each user who has access will see, in https://profile.MYDOMAIN, an icon for the same RDP file. Each user’s .rdp file is signed with their own access token, by default valid for 1 week.
Theory of Operation
The end user will open the Profile, see an icon for their desktop, and select it. This will generate an RDP file. Depending on the platform this may launch automatically, or it may download. If you do download the file, you will see something like:
full address:s:localhost:3389
gatewayhostname:s:desktops.ca-1.agilicus.ca:443
gatewaycredentialssource:i:5
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
networkautodetect:i:0
dynamic resolution:i:1
bandwidthautodetect:i:1
connection type:i:6
domain:s:
bitmapcachesize:i:32000
smart sizing:i:1
gatewayaccesstoken:s:eyJ0eXAiOiJKV1QiLCJhbGciOiJXXXXXXXXYfm6xs6PZvLA
The ‘gatewayaccesstoken’ is a JSON Web Token that is generated each time. It includes an ‘expiry’ field, a timeout: once this time has elapsed the file may no longer be used.
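To show how the file above is structured, here is an added example (not Agilicus code) that parses the `key:type:value` lines of a constructed .rdp body, decodes the payload of the gatewayaccesstoken, and reports how long the file remains usable. It assumes the expiry lives in the standard JWT `exp` claim; because the real token on this page is redacted, the block mints its own HS256 token with a demo secret purely to have something realistic to parse.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: the page's token is redacted, so this block mints its own
# HS256 JWT purely to have a realistic gatewayaccesstoken to parse. Not Agilicus code.
DEMO_SECRET = b"demo-secret-not-real"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_demo_token(exp: int) -> str:
    """Mint a constructed HS256 JWT whose 'exp' claim (seconds since epoch) is exp."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = _b64url(json.dumps({"sub": "user@example.com", "exp": exp}).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def build_rdp(token: str) -> str:
    """A constructed .rdp body in the shape shown above (subset of keys)."""
    return ("full address:s:localhost:3389\n"
            "gatewayhostname:s:desktops.ca-1.agilicus.ca:443\n"
            "gatewaycredentialssource:i:5\n"
            "dynamic resolution:i:1\n"
            f"gatewayaccesstoken:s:{token}\n")

def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines. Keys may contain spaces; values may contain ':'."""
    settings = {}
    for line in text.splitlines():
        if line.strip():
            key, typ, value = line.strip().split(":", 2)
            settings[key] = int(value) if typ == "i" else value
    return settings

def token_claims(token: str) -> dict:
    """Decode the JWT payload only. The client cannot verify the gateway's
    signature; only the gateway, holding the key, decides whether the token is valid."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))

def seconds_until_expiry(rdp_text: str, now: int) -> int:
    """Negative means the .rdp file is stale and the gateway will refuse it."""
    claims = token_claims(parse_rdp(rdp_text)["gatewayaccesstoken"])
    return claims["exp"] - now
```

The decode step is for inspection only: it lets a user or help desk see why a saved .rdp file stopped working, while the signature check remains the gateway's job.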