
Zero-Trust Desktop Access

Desktop Access via Zero Trust

Most of your applications are now modern, responsive web apps, but you still have some native desktop applications. You need to reach them remotely, safely and simply: grant specific users access to specific desktops, even when those desktops are somewhere that does not work in your favour. The desktop may sit on a site with no public IP and no firewall you can configure to allow safe inbound access, perhaps your house, perhaps a branch office.

In 10 minutes you can have 1-click remote access to that desktop, with no configuration onsite and no change to the desktop or the firewall.

Via Remote Desktop Protocol, or via VNC.

Via a Native Client, or via a web interface.

Desktop Access Setup

Note: you can use a site-to-site VPN via IPsec, or use the onsite Agilicus Agent Connector for each pool of servers. These instructions assume the latter.

STEP 1: CREATE ORG

CREATE ORGANISATION

Your Organisation lets you setup your identity providers, your DNS name (CNAME), and control your users.
See SIGNUP

STEP 2: SETUP IDENTITY

SETUP IDENTITY PROVIDERS

You can enable Google, Apple and Microsoft as checkbox items. You may also wish to enable a specific Azure Active Directory tenant.
Also set up the initial users and their group membership.

STEP 3: CREATE CONNECTOR

CREATE CONNECTOR PER SITE

Each pool of servers needs a method to reach it: a site-to-site VPN, or an on-site Agent Connector. Install a connector now. It may run on each remote-desktop server, on one server that can reach the others, on another machine in the same network, or on a Raspberry Pi; the choice is yours.

STEP 4: CREATE DESKTOP RESOURCE

CREATE DESKTOP RESOURCE

Each desktop host requires a Desktop Resource that provides its coordinates: a name, and a hostname or IP. The hostname/IP is expressed in the site's internal (private) addressing, i.e. as the connector sees it, not as a public address.

STEP 5: ASSIGN PERMISSIONS

ASSIGN PERMISSIONS

We must now assign ‘Owner’ permission to each user or group that should be able to connect. See “Resource Permissions” for more information.

STEP 6: DOWNLOAD RDP FILE

DOWNLOAD RDP FILE

From https://profile.YOURDOMAIN, you may download a .rdp file for each Desktop. This will open in the client of your choice on the OS/Platform of your choice.


Detailed Desktop Creation

The ‘Desktops/New’ form asks 3 questions:

  1. Connector. You will already have set this up; you need 1 per site (or more if you wish, e.g. 1 per host).
  2. Name. This is the name you assign permissions to; it appears in the audit log, and the end user sees it.
  3. Hostname/IP. This is how you would address the desktop from within the (private) site.

Once you have completed these steps, as an Administrator you will be offered the opportunity to download an RDP file. This will open in your native Remote Desktop application (on all platforms). The Desktop will become available approximately 1-2 minutes after you apply the config.

You may now assign permissions (by group, or by user). Each user who has access will see, in https://profile.YOURDOMAIN, an icon for that desktop that downloads their own copy of the .rdp file. Each user’s .rdp file is generated specifically for them and embeds their own access token, by default good for 1 week.

Connection Parameter Override

Theory of Operation

The end user opens the Profile, sees an icon for their desktop, and selects it. This generates an RDP file. Depending on the platform it may launch automatically, or it may be downloaded. If you do download the file, you will see something like:

full address:s:localhost:3389
gatewayhostname:s:desktops.ca-1.agilicus.ca:443
gatewaycredentialssource:i:5
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
networkautodetect:i:0
dynamic resolution:i:1
bandwidthautodetect:i:1
connection type:i:6
domain:s:
bitmapcachesize:i:32000
smart sizing:i:1
gatewayaccesstoken:s:eyJ0eXAiOiJKV1QiLCJhbGciOiJXXXXXXXXYfm6xs6PZvLA

The ‘gatewayaccesstoken’ is a JSON Web Token generated each time the file is produced. It includes an expiry claim, i.e. a timeout; once that time has elapsed the file may no longer be used. Because the token is a bearer credential that lets whoever holds it reach the desktop until it expires, treat a downloaded .rdp file as a secret: do not share or email it, and delete it once you no longer need it.
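As an added example (not code from this page or from Agilicus), the following Python parses a downloaded .rdp file, pulls out the gatewayaccesstoken, decodes its payload without verifying the signature, and reports where the file connects and whether the embedded token is still usable. The sample .rdp content is constructed to mirror the listing above; the token is a constructed demo JWT with an assumed ‘sub’ claim and a dummy signature, not a description of the real token format. Only the ‘exp’ claim and the three-part JWT layout are assumed to match the real file.

```python
import base64
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(exp: int, sub: str = "alice@example.com") -> str:
    """Build a structurally valid demo JWT so the example runs offline.
    The claims ('sub', 'iat') and the dummy signature are assumptions; a real
    gatewayaccesstoken is issued and signed by the service."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": exp, "iat": exp - 7 * 24 * 3600}).encode())
    return f"{header}.{payload}.{_b64url(b'demo-signature-not-real')}"


def parse_rdp(text: str) -> dict:
    """Parse .rdp lines of the form name:type:value.
    type is 's' (string) or 'i' (integer). The value may itself contain ':'
    (e.g. host:port), so split on at most two colons."""
    params = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, typ, value = parts
        params[name] = int(value) if typ == "i" else value
    return params


def token_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Suitable only for local inspection (expiry, subject); it proves nothing
    about who issued the token."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def rdp_token_status(text: str, now: Optional[int] = None) -> dict:
    """Summarise where the .rdp file connects and whether its token has expired.
    'exp' is treated as Unix epoch seconds, the JWT convention."""
    now = int(time.time()) if now is None else now
    params = parse_rdp(text)
    claims = token_claims(params["gatewayaccesstoken"])
    exp = int(claims["exp"])
    return {
        "gateway": params.get("gatewayhostname"),
        "target": params.get("full address"),
        "subject": claims.get("sub"),
        "expires_at": exp,
        "seconds_left": exp - now,
        "usable": now < exp,
    }


# Constructed sample modelled on the page's listing; the token is the demo token above.
DEMO_EXP = 1_900_000_000  # fixed epoch so the result is reproducible
SAMPLE_RDP = "\n".join([
    "full address:s:localhost:3389",
    "gatewayhostname:s:desktops.ca-1.agilicus.ca:443",
    "gatewaycredentialssource:i:5",
    "gatewayusagemethod:i:1",
    "connection type:i:6",
    "gatewayaccesstoken:s:" + make_demo_token(DEMO_EXP),
])

if __name__ == "__main__":
    print(json.dumps(rdp_token_status(SAMPLE_RDP), indent=2))
```

To check a real download, read the file and pass its contents to rdp_token_status; a negative seconds_left means the file is stale and the user must fetch a fresh one from the Profile. The decode deliberately skips signature verification because the client holding the file is not the party that needs to trust it; the gateway is, and it verifies the signature on every connection.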
