edbarrag Absent Member.

RDP-Tcp configuration to guarantee the functioning RDPRelay

Currently, the RDP-Relay option of NPAM 3.2 for accessing Windows servers in different versions (2012, 2008 and 2016) is being implemented, but different problems have been presented, because if the security layer and encryption level options are different to low, RDP_Relay does not work.
There is documentation of how the RDP-Tcp configuration should be and why it should be.

I appreciate the support. regards
Knowledge Partner

Re: RDP-Tcp configuration to guarantee the functioning RDPRe

edbarrag;2478693 wrote:
Currently, the RDP-Relay option of NPAM 3.2 for accessing Windows servers in different versions (2012, 2008 and 2016) is being implemented, but different problems have been presented, because if the security layer and encryption level options are different to low, RDP_Relay does not work.
There is documentation of how the RDP-Tcp configuration should be and why it should be.

I appreciate the support. regards


Could this be related: https://www.novell.com/support/kb/doc.php?id=7017028

Thomas
edbarrag Absent Member.

Re: RDP-Tcp configuration to guarantee the functioning RDPRe

Thanks Thomas,


I read the article, however it refers to the RDP version that the user uses to connect via RDP-relay, the problem is in the server that has the NPAM agent installed and also mentions that it is solved with version 3.2.

Currently both the manager and the agent have version 3.2. The problem that is detected is that if RDP security is increased on the server, RDP-Relay stops working. For Windows Server 2008 and 2003 this is in the properties of RDP-Tcp; for Windows 2012 and 2016 it is in the following registry key:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer

The doubts are the following:

- What should be the configuration of RDP on the server to ensure the proper functioning of RDP-Relay, because if configurations are applied to increase security, RDP-Relay does not work?

- Is there documentation that supports the modifications that must be made to the server that contains the NPAM agent, with the aim of explaining to the client that to make use of RDP-Relay the security controls for RDP currently applied must be reduced?


Thanks for the support, regards.
Micro Focus Expert

Re: RDP-Tcp configuration to guarantee the functioning RDPRe

This might be related here - Network Layer Authentication (NLA): https://www.novell.com/support/kb/doc.php?id=7020137
Or more likely this from documentation relating to SecurityLayer: https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/t43bypjp91cs.html
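
An added example, not part of the thread and not NetIQ or Micro Focus code: a PowerShell check that reports the security layer, encryption level and NLA settings in effect for the RDP-Tcp listener discussed above, so the server's state can be recorded before and after any change. The Group Policy key and the value names MinEncryptionLevel and UserAuthentication do not appear in the thread; they are the standard Windows locations for these settings.

```powershell
# Added example: report the effective RDP-Tcp listener security settings.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Assumption: standard Group Policy location for the same settings (not named in the thread).
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Human-readable meaning of each DWORD value.
$meaning = [ordered]@{
    SecurityLayer      = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    MinEncryptionLevel = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    UserAuthentication = @{ 0 = 'NLA not required'; 1 = 'NLA required' }
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-RdpTcpSecurity {
    foreach ($name in $meaning.Keys) {
        $fromPolicy   = Get-RegValue -Path $policy   -Name $name
        $fromListener = Get-RegValue -Path $listener -Name $name
        # A value set by Group Policy takes precedence over the listener key,
        # so editing the listener key alone has no effect while the policy applies.
        if ($null -ne $fromPolicy) { $value = $fromPolicy;   $source = 'Group Policy' }
        else                       { $value = $fromListener; $source = 'RDP-Tcp listener' }

        if ($null -eq $value)                              { $text = 'not set' }
        elseif ($meaning[$name].ContainsKey([int]$value))  { $text = $meaning[$name][[int]$value] }
        else                                               { $text = 'unknown value' }

        [pscustomobject]@{ Setting = $name; Value = $value; Meaning = $text; Source = $source }
    }
}

Get-RdpTcpSecurity | Format-Table -AutoSize
```

The Source column shows whether a setting comes from Group Policy, in which case a local change to the RDP-Tcp key will not change the listener's behaviour.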
edbarrag Absent Member.

Re: RDP-Tcp configuration to guarantee the functioning RDPRe

Thank you very much Harris,

In order to guarantee the functionality of RDP_relay, is there any fact sheet that documents the requirements and configurations that a Windows server with an NPAM agent should have?
Micro Focus Expert

Re: RDP-Tcp configuration to guarantee the functioning RDPRe

The following are the relevant documentation sources:
Privileged Account Management for Windows.
RDP-Relay configuration details.

If it's a Windows-specific Best Practices Guide you are aiming for, I recommend creating an enhancement idea in the PAM Idea Portal.