By default, TSplus Remote Access listens for the RDP protocol on the web ports defined on the AdminTool > Home screen. If you do not want to expose any port that accepts the RDP protocol to the public internet, you can block the RDP port using a firewall and disable RDP forwarding to the web ports. In that case, your RDP/RemoteApp clients, including our .connect files and RemoteApp on the web, must be configured to use our Remote Desktop Gateway (RDG) feature, which tunnels the RDP traffic over HTTPS. Note that if you have a TSplus Remote Access farm, RDG only works for farms that have our farm reverse-proxy feature enabled. Also, TLSv1.2 must be enabled on the AdminTool > Web > HTTPS screen.
Additional information on configuring Remote Desktop Gateway for MSTSC:
https://support.tsplus.net/a/solutions/articles/44001910887?lang=en
Instructions
1. If RemoteApp via the web portal is used, change the line var remoteapp2_useasrdg = 'off'; to var remoteapp2_useasrdg = 'on'; in the C:\Program Files (x86)\TSplus\Clients\www\software\remoteapp2.js file. If you have a TSplus Remote Access farm, this setting is only required on the gateway server. Ignore this step if your users do not connect using RemoteApp from the web portal.
2. If .connect files are used, regenerate them for all of your users, ensuring that the setting "Use the targeted server as a Remote Desktop Gateway (RDG) to encrypt data transfer" is selected in the Security tab when generating the .connect file. Ignore this step if you do not use .connect files in your environment.
3. Your TSplus Remote Access server must have a DNS record pointing to its IP address, with a valid SSL certificate for that DNS domain name bound to Terminal Services on the Windows computer where TSplus Remote Access is installed. This is automatically done for you when importing an SSL certificate in our AdminTool > Web > HTTPS screen. If you have a TSplus Remote Access farm, all servers in the farm must have the same SSL certificate bound to Terminal Services, including the gateway and the application servers.
4. Edit the C:\Program Files (x86)\TSplus\Clients\webserver\settings.bin file to include the following lines, then restart the web server by clicking the refresh symbol on the AdminTool > Home screen for the change to take effect. If you have a TSplus Remote Access farm, this should be done for all servers in the farm, including the gateway and all your application servers.
disable_rdp=true
avoid_disable_rule_of_local_rdp_on_rdg=true
5. RemoteApp still relies on the RDP protocol for communication between the gateway and the application servers. Therefore, if you are disabling RDP forwarding on the web ports of the application servers, please go to the AdminTool > Farm screen on the gateway server, edit each application server entry, uncheck “Use Web Port”, and make sure the correct RDP port number is specified for that server.
If you wish to further restrict access, you can configure the firewall on each application server (for example, using Windows Firewall) to allow inbound RDP traffic only from the gateway’s IP address.
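To confirm the changes on a server afterwards, the following read-only PowerShell audit is an added example, not TSplus code. It assumes the default install path shown above and that settings.bin can be read as text lines; `$RdpPort` and `$GatewayIp` are placeholders, and the firewall check only flags rules that name the RDP port explicitly.

```powershell
# Added example (not TSplus code): read-only audit of steps 1 and 4 and the firewall note.
# Assumptions: default install path from this page; settings.bin readable as text lines;
# $RdpPort and $GatewayIp are placeholders to replace with your own values.
param(
    [int]$RdpPort = 3389,
    [string]$GatewayIp = '192.0.2.10'   # placeholder address (documentation range)
)

$root     = 'C:\Program Files (x86)\TSplus\Clients'
$settings = Join-Path $root 'webserver\settings.bin'
$remoteJs = Join-Path $root 'www\software\remoteapp2.js'

# True only if the file exists and at least one line matches the pattern.
function Test-LinePresent {
    param([string]$Path, [string]$Pattern)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    return [bool](Select-String -LiteralPath $Path -Pattern $Pattern -Quiet)
}

$checks = [ordered]@{}
$checks['settings.bin: disable_rdp=true'] = Test-LinePresent $settings '^\s*disable_rdp=true\s*$'
$checks['settings.bin: avoid_disable_rule_of_local_rdp_on_rdg=true'] =
    Test-LinePresent $settings '^\s*avoid_disable_rule_of_local_rdp_on_rdg=true\s*$'
# Step 1 applies only where RemoteApp is used from the web portal (gateway only in a farm).
$checks["remoteapp2.js: remoteapp2_useasrdg = 'on'"] =
    Test-LinePresent $remoteJs "remoteapp2_useasrdg\s*=\s*'on'"

$checks.GetEnumerator() | ForEach-Object {
    '{0,-60} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}

# Firewall note: list enabled inbound allow rules that name the RDP port explicitly
# and accept a remote address other than the gateway's.
$open = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $port   = $_ | Get-NetFirewallPortFilter
    $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    if ($port.Protocol -eq 'TCP' -and @($port.LocalPort) -contains "$RdpPort" -and
        $remote -ne $GatewayIp) {
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $remote }
    }
}
if ($open) { $open | Format-Table -AutoSize }
else { "No enabled inbound allow rule names TCP/$RdpPort with another remote address." }
```

Any rule listed in the last table still admits RDP from somewhere other than the gateway and should be scoped or disabled on the application server.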