Secure RDP Connections with SSL (2024)

1. On the PSM server, set the security layer. Proceed per PSM server operating system:

   • Secure RDP Connections with SSL.

2. On the PSM server, run gpedit.msc.

   1. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
   2. Open the Security setting, Set client connection encryption level.

   3. In the Options area, from the Encryption Level drop-down list, select High Level.

   4. Click OK to save your settings.

   5. Open the Security setting, Require use of specific security layer for remote (RDP) connections.

   6. In the Options area, from the Security Layer drop-down list select:

      OS	Security Layer
      Windows 2016	SSL
      Window 2012 R2	SSL (TLS 1.0).

   7. Click OK to save your settings.

   8. Continue with update all the active connection components described in step 4.

3. In the PVWA, update all the active connection components to enable RDP over SSL connections to the PSM machine. For example, for PSM SSH connections, update PSM-SSH.

4. To support Live Session connections, update the target connection component.

   1. Log onto the PVWA as an administrative user.

   2. In the System Configurations page, click Options, then expand the Connection Components.

   3. In each active connection component, add a new Component Parameter.

   4. In the Component Parameter properties, add a new parameter with the following values:

      • Name – The name of the component parameter.

        • For connections with ActiveX, specify AdvancedSettings4.AuthenticationLevel.

        • For connections with RDP files, specify authentication level:i.

        • Add both parameters to use both methods.

      • Value – The value of this parameter name. Specify 1.

   5. Click Apply to apply the new configurations and stay in the Options page.

5. Connections to the PSM require a certificate on the PSM machine. By default, Windows generates a self-signed certificate, but you can use a certificate that is supplied by your enterprise.

   1. Expand the Privileged Session Management parameters and then expand Configured PSM Servers.

   2. Expand Connection Details, and select Server; the Server Properties are displayed.

   3. In the Address property, specify the certificate common name.

   4. Click Apply to apply the new configurations, or,

   5. Click OK to save the new configurations and return to the System Configuration page.

   In the Privileged Session Management parameters, make sure that the PSM address specifies the exact common name of the certificate.

6. On the Client machines, make sure that the PSM machine certificate is signed by a trusted CA.

1. In the System Configuration page, in the Web Access section, click Options, then select Connection Components; the connection component parameters that define target addresses are displayed in the properties list.

2. Expand the PSM-RDP connection component, and then expand the Target Settings.

3. Right-click Client Specific, then in the pop-up menu select Add Parameter; a new parameter is added to the list of client specific parameters.

4. In the parameter properties, specify the following:

   • Name – The name of the client specific parameter. Specify AuthenticationLevel.

   • Value – The authentication level that will be used for this connection. Specify any of the following values:

   Value	Description
   0	The PSM server is not required to authenticate the target machine before connecting to it.
   1	The PSM server will authenticate the target machine before connecting to it.
   2	The PSM server will authenticate the target machine before connecting to it. If the authentication fails, the user will be able to cancel the connection or to initiate a connection without authentication.

5. Click Apply to apply the new Connection Component configurations,

or,

Click OK to save the new Connection Component configurations and return to the System Configuration page.