7

Is there a way to replace RDS Gateway with some sort of Linux-based proxy? I know there are some ways to do it with ssh/port forwarding, but this is to replace a current RDS Gateway our users utilize for remote access (~300 users). I need to support multiple Windows clients using their native RDP to connect to their Windows desktops on campus, using some sort of Linux proxy in between.

From my searching, there are some solutions (xrdp, ssh proxy, port forwarding, etc.) that sort of do what I need, but they either aren't user friendly or they involve using multiple/non-standard ports. Before I give up my search and succumb to paying MS Licensing for RDS, is it currently possible to use Linux to proxy RDP from Windows using their native client?

[Multiple Remote Windows Clients] => [Linux proxy/gateway] => [Corporate Windows Desktops]

person

3 Answers

1

We did a more elaborate setup, as we asked our users to shut down their computers before leaving the office. To connect to their PC, they open a browser to the "gateway" (a small PHP script which sends Wake-on-LAN to the PC and adds the port forwarding rule based on the browser's IP, so that the user doesn't have to use custom ports).

In your case, I would put a VPN server (instead of RDGW) which would allow connections only to the Windows desktops. It gives you:

  • no Windows exposed to the mean outside world
  • additional protection against weak user passwords
  • easy remote access to other campus resources or internal (web, ftp, ...) services
claudiuf
  • It's not using just RDP, but might be feasible. Does that PHP script add a port forwarding rule directly on the public interface server, so anyone connecting to port X on the gateway server is forwarded to port 3389 on the desktop? – person Mar 17 '17 at 11:11
  • The iptables rule has something like `-p TCP -s $_SERVER['REMOTE_ADDR'] --dport 3389 -j DNAT --to internalip:3389` – claudiuf Mar 18 '17 at 11:25
  • In the above setup, the user connects to public_interface:3389. Alternatively, you can also add multiple rules with `-p TCP --dport 20001 -j DNAT --to internalip_1:3389` and `-p TCP --dport 20002 -j DNAT --to internalip_2:3389`, so this means you map everything statically and you don't need any PHP or gateway. Users connect to public_interface:20xxx; each user must remember both public_ip and his dedicated port. – claudiuf Mar 18 '17 at 11:34
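
The per-client forwarding rule from the answer and comments above, as an added example that is not part of the original posts (written in Python rather than the PHP the answer mentions). It builds the add and delete rules from a validated source address and an allowlist of assigned desktops; the user names, addresses, internal range, and the use of the `nat` table's `PREROUTING` chain are assumptions.

```python
import ipaddress

# Constructed sample data (hypothetical): user -> desktop, internal range.
DESKTOPS = {"alice": "10.0.5.21", "bob": "10.0.5.22"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
RDP_PORT = 3389


def dnat_rule(action, user, client_ip, desktops=DESKTOPS):
    """Build the iptables argv that adds ("-A") or removes ("-D") the
    per-client rule. Nothing is executed here; a caller with root would pass
    the list to subprocess.run(argv, check=True), never through a shell."""
    if action not in ("-A", "-D"):
        raise ValueError("action must be -A or -D")
    # Parse rather than pattern-match: anything that is not exactly one IPv4
    # address (extra flags, hostnames, CIDR ranges) is rejected here.
    src = ipaddress.IPv4Address(client_ip)
    if (src.is_loopback or src.is_unspecified or src.is_multicast
            or src.is_link_local or src in INTERNAL_NET):
        # Typically means the script sits behind a reverse proxy and sees the
        # proxy's address; a rule for it would admit every proxied client.
        raise ValueError(f"refusing source address {src}")
    if user not in desktops:
        raise PermissionError(f"no desktop assigned to {user!r}")
    dst = ipaddress.IPv4Address(desktops[user])
    return ["iptables", "-t", "nat", action, "PREROUTING",
            "-p", "tcp", "-s", str(src), "--dport", str(RDP_PORT),
            "-j", "DNAT", "--to-destination", f"{dst}:{RDP_PORT}"]


def session_rules(user, client_ip):
    """Return (add, delete) argv lists. The delete rule matches the add rule
    exactly, so closing a session removes only that client's forward."""
    return (dnat_rule("-A", user, client_ip),
            dnat_rule("-D", user, client_ip))


if __name__ == "__main__":
    add, delete = session_rules("alice", "203.0.113.7")
    print(" ".join(add))
    print(" ".join(delete))
```

Deleting the rule when the session ends keeps port 3389 from staying forwarded for whoever next holds that source address.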
1

If you are looking to proxy RDP connections through Linux, there is now a Linux implementation of the remote desktop gateway, which is lightweight. It is compatible with all MS clients and open source clients and uses OIDC/OAuth2 for authentication.

See: https://github.com/bolkedebruin/rdpgw

0

I've been using the Thincast Remote Desktop Client on Ubuntu (Snap) and saw that the vendor also has a Linux RD Gateway and RD WebAccess Server for Linux: https://thincast.com/en/products/rdgateway

gollum