Users and groups: Select the users or user groups (or add new users) who should be able to use SSL VPN remote access with this profile. How to add users is explained on the Definitions & Users > Users & Groups > Users page.
Local networks: Select or add the local network(s) that should be reachable by the selected SSL clients through the SSL VPN tunnel. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Automatic firewall rules: Select this option to automatically add firewall rules that allow traffic for this profile. The rules are added as soon as the profile is enabled and removed when it is disabled. The automatic rules permit traffic from the selected users to all of the selected local networks; if you do not select this option, or you need to restrict access to specific hosts or services, you must create appropriate firewall rules manually.
Use Configuration Manager remote connection profiles to allow your users to remotely connect to work computers. These profiles let you deploy Remote Desktop Connection settings to users in your hierarchy. Users can access any of their primary work computers through Remote Desktop over a VPN connection.
When you specify remote connection profile settings with Configuration Manager, the client stores the settings in Windows local policy. These settings might override Remote Desktop settings that you configure with another application. Additionally, if you use Windows Group Policy to configure Remote Desktop settings, the settings specified in the Group Policy will override Configuration Manager settings.
Configuration Manager creates a security group on clients, Remote PC Connect. When you deploy a remote connection profile, the client adds the primary users of the computer to this group. A local administrator can manually add or remove users to this group, but Configuration Manager updates the membership when it next evaluates compliance of the profile.
If the user device affinity relationship between a user and a device changes, Configuration Manager disables the remote connection profile and Windows Firewall settings to prevent connections to the computer.
If you want to enable users to connect from the internet, install and configure a Remote Desktop Gateway server. For more information about how to install and configure a Remote Desktop Gateway server, see Remote Desktop Services - Access from anywhere.
If clients run a host-based firewall, it must enable the mstsc.exe program. When you configure a remote connection profile, enable the setting to Allow Windows Firewall exception for connections on Windows domains and on private networks. This setting allows Configuration Manager to automatically configure Windows Firewall.
Group Policy settings to configure Windows Firewall can override the configuration that you set in Configuration Manager. If you use Group Policy to configure Windows Firewall, make sure that Group Policy settings don't block mstsc.exe.
To manage remote connection profiles, your user account needs specific permissions in Configuration Manager. The Compliance Settings Manager built-in role includes the permissions required to manage these profiles. For more information, see Configure role-based administration.
Before you can deploy a remote connection profile, you need to enable the option to Allow all primary users of the work computer to remotely connect. With this configuration, you should always manually specify user device affinity. Don't consider the information that Configuration Manager collects from users or from the device to be authoritative. If you deploy a profile, and a trusted administrative user doesn't specify user device affinity, unauthorized users might receive elevated privileges and can remotely connect to computers.
Configuration Manager collects usage-based information through state messages, which is a fast but insecure communication channel. To help mitigate this threat, use Server Message Block (SMB) signing or Internet Protocol security (IPsec) between client computers and the management point.
Restrict local administrative rights on the site server computer. A local administrator on the site server can manually add members to the Remote PC Connect security group that Configuration Manager automatically creates and maintains. This action might cause an elevation of privileges because members receive Remote Desktop permissions.
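The membership check described above, as an added example that is not part of the Configuration Manager documentation: it runs on a client, lists the local "Remote PC Connect" group that Configuration Manager maintains, and flags any member who is not in the list of primary users you deliberately assigned through user device affinity. The expected-user list (and the CONTOSO\jdoe account in the usage line) is an assumption you supply; the group name is the one the documentation gives.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Audits the local "Remote PC Connect" group that Configuration Manager creates
# on a client and reports members who are not in the expected primary-user list.
# $ExpectedPrimaryUsers is an assumption: fill it from the user device affinity
# you set deliberately for this device (DOMAIN\user form).
function Test-RemotePcConnectMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ExpectedPrimaryUsers,
        [switch]$RemoveUnexpected
    )

    $groupName = 'Remote PC Connect'

    # No group means no remote connection profile has been applied to this device.
    if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
        Write-Warning "Local group '$groupName' not found on $env:COMPUTERNAME."
        return
    }

    $members  = @(Get-LocalGroupMember -Group $groupName)
    $expected = $ExpectedPrimaryUsers | ForEach-Object { $_.ToLowerInvariant() }
    $actual   = $members | ForEach-Object { $_.Name.ToLowerInvariant() }

    $unexpected = $members | Where-Object { $expected -notcontains $_.Name.ToLowerInvariant() }
    $missing    = $ExpectedPrimaryUsers | Where-Object { $actual -notcontains $_.ToLowerInvariant() }

    foreach ($m in $unexpected) {
        # Everyone in this group receives Remote Desktop rights on the device, so an
        # unexpected member is a potential elevation of privilege.
        Write-Warning ("Unexpected member: {0} ({1}, source {2})" -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
        if ($RemoveUnexpected -and $PSCmdlet.ShouldProcess($m.Name, "Remove from '$groupName'")) {
            # Manual removal is only a stopgap: Configuration Manager rewrites the
            # membership at its next compliance evaluation, so correct the user
            # device affinity as well.
            Remove-LocalGroupMember -Group $groupName -Member $m.Name
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Members      = @($members | ForEach-Object Name)
        Unexpected   = @($unexpected | ForEach-Object Name)
        Missing      = @($missing)
        Compliant    = (-not $unexpected) -and (-not $missing)
    }
}

# Usage (the account name is an assumed example); drop -WhatIf to actually remove.
Test-RemotePcConnectMembers -ExpectedPrimaryUsers 'CONTOSO\jdoe' -RemoveUnexpected -WhatIf
```

Run it elevated on the client, since Get-LocalGroupMember needs to read the local SAM. Treat an "Unexpected" entry as a signal to review who has local administrative rights on that device and whether the user device affinity is what you intended, rather than only removing the member, because the group is rebuilt at the next compliance evaluation.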
When a user remotely connects to a work computer, they download a .wsrdp file. This file contains the device name and the Remote Desktop Gateway Server name. These values are required to create the Remote Desktop session. The .wsrdp file is downloaded and automatically saved locally. This file is overwritten the next time that the user runs a Remote Desktop session.
On the General page of the Create Remote Connection Profile Wizard, specify a name and optional description for the profile. Both values have a maximum limit of 256 characters.
Full name and port of the Remote Desktop Gateway server (optional): Specify the name of the Remote Desktop Gateway Server to use for connections. This value has the following requirements:
Allow connections only from computers that run Remote Desktop with Network Level Authentication: Enabled by default, this setting adds an additional level of security for the connection. For more information, see Grant Remote Desktop access.
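The prerequisites the profile relies on (Remote Desktop enabled, Network Level Authentication required, and the Windows Firewall exception for the Domain and Private profiles, with nothing blocking mstsc.exe) can be verified on a client with the following added example. It is not code from the Configuration Manager documentation; it reads the well-known Terminal Server registry values and the Group Policy keys that override them, and the built-in "Remote Desktop" firewall rule group, all of which are assumed to be present on a standard Windows client.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Checks the Remote Desktop prerequisites for a remote connection profile:
# Remote Desktop enabled, Network Level Authentication required, and Windows
# Firewall rules for Remote Desktop enabled on the Domain and Private profiles.
# Group Policy keys are read first because a policy value overrides whatever the
# Configuration Manager client wrote into local policy.
function Test-RemoteConnectionPrerequisites {
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Returns the Group Policy value if one is set, otherwise the local value.
    function Get-EffectiveValue([string]$Name, [string]$LocalKey) {
        $policy = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $policy) { return [pscustomobject]@{ Value = $policy.$Name; Source = 'GroupPolicy' } }
        $local = Get-ItemProperty -Path $LocalKey -Name $Name -ErrorAction SilentlyContinue
        return [pscustomobject]@{ Value = $local.$Name; Source = 'Local' }
    }

    $deny = Get-EffectiveValue -Name 'fDenyTSConnections' -LocalKey $tsKey      # 0 = connections allowed
    $nla  = Get-EffectiveValue -Name 'UserAuthentication'  -LocalKey $rdpTcpKey  # 1 = NLA required

    # Built-in "Remote Desktop" rule group. The profile's firewall exception
    # targets the Domain and Private profiles, not Public.
    $rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue)
    $enabledProfiles = $rdpRules |
        Where-Object { $_.Enabled -eq 'True' } |
        ForEach-Object { "$($_.Profile)" -split ',\s*' } |
        Sort-Object -Unique
    $coversDomainPrivate = ($enabledProfiles -contains 'Any') -or
        (($enabledProfiles -contains 'Domain') -and ($enabledProfiles -contains 'Private'))

    # Any enabled rule (for example one pushed by Group Policy) that blocks mstsc.exe.
    $mstscBlocks = @(Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -like '*\mstsc.exe' } |
        Get-NetFirewallRule |
        Where-Object { $_.Action -eq 'Block' -and $_.Enabled -eq 'True' })

    $findings = @()
    if ($deny.Value -ne 0) { $findings += "Remote Desktop connections denied (fDenyTSConnections=$($deny.Value), source $($deny.Source))" }
    if ($nla.Value -ne 1)  { $findings += "Network Level Authentication not required (UserAuthentication=$($nla.Value), source $($nla.Source))" }
    if (-not $coversDomainPrivate) { $findings += "Remote Desktop firewall rules not enabled for both Domain and Private (enabled: $($enabledProfiles -join ', '))" }
    if ($mstscBlocks.Count -gt 0) { $findings += "Enabled block rules target mstsc.exe: $($mstscBlocks.DisplayName -join ', ')" }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpAllowed   = ($deny.Value -eq 0)
        NlaRequired  = ($nla.Value -eq 1)
        FirewallOk   = $coversDomainPrivate
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

Test-RemoteConnectionPrerequisites | Format-List
```

A "Source GroupPolicy" finding tells you the fix belongs in the GPO, not in the profile: Configuration Manager can remediate the local policy value, but the policy value will keep winning. Run the check as an administrator so the policy keys and firewall rules are readable.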
Remediate noncompliant rules when supported: Enable this setting to automatically remediate the profile settings when they're noncompliant on a device. The profile can be non-compliant when it doesn't exist.
Allow remediation outside the maintenance window: If you configure a maintenance window for the collection to which you deploy the profile, enable this option to let Configuration Manager remediate it outside the maintenance window. For more information, see How to use maintenance windows.
If a device leaves a collection to which you deploy a remote connection profile, Configuration Manager disables the settings on the device. However, for this process to occur correctly, you must have already deployed at least one configuration item or configuration baseline that contains a configuration item from your site.
Don't deploy more than one remote connection profile with conflicting settings to the same device. For example, you deploy two profiles with different settings to the same collection. You only configure one profile deployment to Remediate noncompliant rules when supported. This deployment might override the settings in the other profile. Configuration Manager doesn't support this type of remote connection profile deployment.
You can review summary information about the compliance of the remote connection profile deployment on the main page. To view more detailed information, select the profile deployment. Then on the Home tab of the ribbon, in the Deployment group, select View Status. This action opens the Deployment Status page.
On any tab, open a rule to create a temporary subnode under the Users node in the Assets and Compliance workspace. This subnode contains all devices with the compliance state of the selected tab.
Configuration Manager includes built-in reports that you can use to monitor information about remote connection profiles. These reports have the report category of Compliance and Settings Management.
If I edit an EMS remote access profile, will clients using this profile receive the updated change? For example, if I edit the VPN Tunnel 'On Connect' XML script to add a new drive mapping, I would want clients using this profile to detect this. I want to avoid uninstalling the client and re-installing.
I'm sorry, but I don't understand what your goal is :D With telemetry, even if you are not connected to the VPN, you receive the configurations. In EMS FortiClient you can temporarily exclude PCs so they do not take the configurations. The "autoconnect" only serves to connect the VPN automatically.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Ask user, wait and deny access - Show a message to the user which requests them to accept the connection (as shown above). The connection attempt will be abandoned if the user does not respond within the timeout period.
File Transfer - Allows admins to view files/folders on remote devices. You can enable this setting in isolation if you only want admins to have read-access to the remote device.
You must enable this setting in order to enable the two more powerful settings below:
Remote Desktop Services, formerly Terminal Services, is a server role in Windows Server that provides technologies that enable users to access session-based desktops, virtual machine-based desktops, or applications in the data center, both from within a corporate network and from the Internet.
With the above information I would also have to say, just get rid of the roaming profiles. You could very easily configure a Terminal server and have everyone log into that, centralizing all of your user data onto a terminal server.
It depends on the design. If you have more than one RDS server I would use roaming profiles. Normally if you only have 1 RDS server you would only do folder redirection. Roaming profiles can and most likely will come back to haunt you, but are efficient if you have multiple servers in a cluster. We have 4 RDS servers in a cluster and use roaming profiles for our users. This gives them the same experience regardless of which server they are logged into. All of our users think we use just 4 RDS servers when we have 4 to help balance the workload.