Re: Microsoft Remote Desktop Mac Proxy


Tabatha Pasqua

Jul 16, 2024, 1:11:25 AM
to tidakilo

I have set up a Remote Desktop Gateway server using Windows Server 2012 R2. I am using the Remote Desktop Gateway as an intermediary to provide the remote desktop session over 443, since 3389 is blocked at many client locations.

Is it possible to configure Remote Desktop to connect via web proxy? If so, how? If not, does anyone have any suggestions on how to provide a Remote Desktop session via 443 over proxy for situations where you don't control the client's PC or network? Does RemoteApps allow for access via web proxy when using RD Gateway?

Your computer can't connect to the remote computer because the web proxy server requires authentication. To allow unauthenticated traffic to an RD Gateway server through your web proxy server, contact your network administrator.

As of 2008 a Microsoft employee indicated there was "no official way" to accomplish this. Given the six intervening years you'd like to think there has been progress, but I'm not seeing that there has been.

If I were in your situation I'd try to find a small Win32 HTTP/HTTPS proxy that can be "pointed" at an upstream proxy and configured to provide authentication. I don't have an immediate recommendation for such a thing. (I'd probably just throw something together with Perl or Python, personally.)

Another option is to use an SSH tunnel. PuTTY, to name names, has an easily-configured proxy option, so it can work through the proxy server and then provide a local tunnel through which you can connect to the RDP destination.

As Omaha's answer suggested, another option is an SSH tunnel. If you had SSH installed on your Windows box [possibly not trivial] then you may be able to connect to that box, creating an SSH tunnel for a port, then connect your RDP client to that port (PuTTY can create tunnels, or ssh can something like -with-ssh-through-a-proxy, ex:

FreeRDP-WebConnect may be an option [it appears to be a web server backend to interface with RDP behind it, with an HTML5 client front end]; then you could open the port through to your box [whichever one it's serving on] and hopefully access that using HTTP, assuming websockets aren't blocked. Guacamole appears similar (you set up a service and web server on the RDP server box, and it provides an HTML5 front end).

Barring that, if you have an external 3rd box (not behind any firewalls) that has an SSH server you could create a port forwarding through that intermediary box, via SSH (same mechanism -with-ssh-through-a-proxy).

Guacamole and FreeRDP-WebConnect are Linux-based gateways. For Windows Servers (I saw you are using Windows Server 2012 R2), you can try Myrtille, a comparable solution (equally using FreeRDP as RDP client), also open source.

So I am at my wits' end at this point. I have been beating my head against a wall for the last two weeks with setting up an RDS deployment with Entra App proxy. Regardless of what I seem to do I end back at the same issue. The end result is when I try and launch a published app from the webapp, I land with getting this error immediately: "The connection to the remote PC was lost. This might be because of a network connection problem. If this keeps happening, ask your admin or tech support for help." Joke's on them because I am both of those things! I have been on the phone with Microsoft twice now, who don't know what the problem is, but both of the people I was on the phone with know that it's not their department that is the issue, so I am waiting on my third person to talk to. I have tried this with a few different scenarios. One with the web server and the gateway separate, one with them together. One with the Entra connector installed on the web server, once on the connection broker and once on a separate server entirely. I am using a publicly issued cert from GoDaddy for all of the RDS roles. It's bound to port 443. I have gone through this walkthrough -aad-proxy/

All have ended with the same result of having that error message. Then if I try and download the RDP file and launch it I get 'your computer can't connect to the remote computer because authentication to the firewall failed due to missing firewall credentials.' I have engaged every search I can think of, ChatGPT for days on end. I have been deep in the settings in IIS and Remote Gateway manager and still stuck in the same boat. Any help would be greatly appreciated.

@Timothy L. Riley Can you confirm if pre-auth is enabled and if you are using either Edge in IE Mode or Internet Explorer, as required for Remote Desktop? Publish Remote Desktop with Microsoft Entra application proxy - Microsoft Entra ID Microsoft Learn

The Microsoft Remote Desktop client is used to connect to Azure Virtual Desktop to access your desktops and applications. This article shows you how to connect to Azure Virtual Desktop with the Remote Desktop Web client. The web client lets you access your Azure Virtual Desktop resources directly from a web browser without needing to install a separate client.

@Timothy L. Riley, it should work with Edge version 79 or later in IE mode like you mentioned, so I'm not sure why you would get the browser error if you are meeting those requirements. Do you receive any additional account lockout error?

If you send me an email at AzCom...@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, I can open a one-time free support case to look into your issue. If you also send me the support case number for any currently open case I can reach out internally to the owner.

Many remote desktop solutions require installing something on the computer you are trying to access and the computer you are using to connect. They are heavily proprietary and, frankly, unnecessary. This will get you up and running in 5 minutes; anyone can do it. Now, if you have some familiarity with Docker, I would recommend that method; however, it's not required. I'll show you both.

You will need a paid personal account to proxy a TCP port, which we will do to remote desktop into our computer. I acknowledge there are some free alternatives to do this, but it will be hard to match this level of simplicity, flexibility, and control. ngrok is so versatile it's worth it for me (they did not pay me to say that :). I'm confident it will also be for you once you start playing with it. ngrok - Online in One Line

For added security, I highly recommend setting up Endpoints and IP Policies in ngrok to ensure your tunnels are secure. Once set up, they can be applied to your TCP tunnel, allowing you to whitelist access from certain locations, for instance, your workplace.

I'm aware of the TS Gateway, Royal Server, and Secure Gateway options, but we have a requirement to pass connections through several proxy servers to meet audit requirements. There are separate proxy servers for development and production environments, so we would like to configure this at the connection level, not the system level.

Possibly you may use Royal Server in combination with Secure Gateway to securely tunnel your RDP connections? Basically the Secure Gateway is an SSH tunnel where active connections will get tunneled through. Probably this may solve your audit requirements? Furthermore this is also possible on connection level, as you wrote (as you can have multiple Secure Gateways). May this help you in that case?

Probably not... In order to audit the connection we do not want the additional encryption. We are using a security product that acts as a man-in-the-middle for Remote Desktop connections... It supports connections via SOCKS5 for transparent encryption and decryption, but would probably not be able to decrypt the SSH tunnel to perform the audit.

Royal TS is using the Microsoft RDP ActiveX control which ships with Windows. We checked the API and it seems there's no SOCKS5 support or any other proxy support available in RDP except for Remote Desktop Gateway servers.

Correct me if I'm wrong, but to implement the Security Gateway functionality you probably create a tunnel that forwards a local port to the target, and then use the Microsoft RDP ActiveX control to connect to the local port. Implementing SOCKS5 support would work exactly the same... You would open a Socket via the proxy server to the target, open another socket on the localhost and forward all traffic from each Socket. For examples in C# see:

Note that I have purchased RoyalTS for my own personal use already... But I would like to convince my company to purchase the global license so that others can use it, and this would be key functionality.

I'm not sure that's correct. The links you provided are samples on how to create a proxy server. With our Royal Server as Secure Gateway / SSH tunnel you already have a SOCKS5 capable proxy (see Chrome web page connection's proxy support). The issue is that the RDP ActiveX control only accepts a server name and port. There's no way to specify which proxy to use and the TCP communication from the ActiveX control can not be changed as the ActiveX is a black box where we don't have the source code.

We need support for a non-secure Gateway, i.e. a non-encrypted tunnel so that we can audit it for regulatory compliance. We have software in place that will decrypt both SSH and RDP protocols if they are passing through a specific software package that behaves as a SOCKS5 proxy server, but not if they are passing through an SSH tunnel or a different SOCKS5 proxy that is provided dynamically by an SSH connection. The auditing software is CryptoAuditor. There are several competing audit packages that provide similar functionality; they are very common in extremely large companies that are subject to regulatory compliance such as PCI-DSS, Sarbanes-Oxley, HIPAA, etc...

The links I sent do not show how to create a proxy server. They show how to use a SOCKS5 proxy server to create a non-encrypted tunnel from a local port to a remote server and port via a SOCKS5 proxy server.

You would set this up to listen on a random unused local port for each connection which would forward to the true target, and simply use the RDP ActiveX control to connect to the localhost and local port. Since the RDP ActiveX control doesn't support SSH tunnels either, I expect this is exactly what you are doing with the SSH tunnels in the Secure Gateway feature.
