Remote desktop connect to previous session

Use BeyondTrust to start a Remote Desktop Protocol [RDP] session with a remote Windows or Linux System. Because RDP sessions are converted to BeyondTrust sessions, users can share or transfer sessions, and sessions can be automatically audited and recorded as your administrator has defined for your site.

To use Local RDP through BeyondTrust, you must be on the same network segment as the target system and must have the user account permission Allowed Jump Methods: Local RDP.

To use Remote RDP through BeyondTrust, you must have access to a Jumpoint and must have the user account permissions Allowed Jump Methods: Remote RDP.

To start an RDP session, open the Remote Desktop Protocol dialog from:

  • The Support menu of the representative console
  • The RDP button at the top of the representative console

From the Jumpoint dropdown, select the network that hosts the computer you wish to access. If you generally access the same Jumpoint, check Remember as my preferred choice. Enter the Hostname / IP of the system you wish to access.

By default, the RDP server listens on port 3389, which is therefore the default port BeyondTrust attempts. If the remote RDP server is configured to use a different port, add it after the hostname or IP address in the form of <hostname>:<port> or <ipaddress>:<port> [for example, 10.10.24.127:40000].

Provide the Username to sign in as, along with the Domain.

Select the Quality at which to view the remote screen. This cannot be changed during the RDP session. Select the color optimization mode to view the remote screen. If you are going to be primarily sharing video, select Video Optimized; otherwise, select between Black and White [uses less bandwidth], Few Colors, More Colors, or Full Color [uses more bandwidth]. Both Video Optimized and Full Color modes allow you to view the actual desktop wallpaper.

To start a console session rather than a new session, check the Console Session box.

If the server's certificate cannot be verified, you receive a certificate warning. Check Ignore Untrusted Certificate to connect to the remote system without seeing this message.

Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

Select the Public Portal through which this Jump Item should connect. If a session policy is assigned to this public portal, that policy may affect the permissions allowed in sessions started through this Jump Item. The ability to set the public portal depends on your account permissions.

Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

To set when users are allowed to access this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

Choose a Session Policy to assign to this Jump Item. The session policy assigned to this Jump Item has the highest priority when setting session permissions. The ability to set a session policy depends on your account permissions.

To import an RDP file, click the Import button. This prepopulates some of the fields required for the RDP connection.

To begin the RDP session, click Jump.

You are prompted to enter the password for the username you specified earlier.

Your RDP session now begins. Begin screen sharing to view the remote desktop. You can send the Ctrl-Alt-Del command, capture a screenshot of the remote desktop, and share clipboard contents. You can also share or transfer the RDP session with other logged-in BeyondTrust users, following the normal rules of your user account settings.

Multi-Monitor Support

An option allows you to open a Remote Support connection expanded across all the monitors on the client computer regardless of the client monitor configuration. With this feature, you can fully utilize all the monitors connected to the client computer, therefore being able to adjust screen sizing and scaling during an RDP session across multiple monitors.

If you are using full screen view while using this feature, the remote system is displayed across all of your monitors.

Jump Items can be set to allow multiple users to simultaneously access the same Jump Item. If set to Start New Session, then a new independent session starts for each user who Jumps to a specific RDP Jump Item. The RDP configuration on the endpoint controls any further behavior regarding simultaneous RDP connections.

For more information on simultaneous Jumps, please see Jump Item Settings.

Besides Remote Assistance, you can use Remote Desktop Session Shadowing to remotely connect to a Windows 10 user’s desktop. Most administrators use this feature to connect to user sessions on RDS servers running Windows Server 2012 R2 / Server 2016. However, few of them know that session shadowing can also be used to remotely view and manage a user's desktop console session in Windows 10. Let’s see how it works.

As you remember, if you try to connect to a Windows 10 computer using RDP, the session of a user working locally is knocked out [even if you enable multiple concurrent RDP sessions in Windows 10]. However, you can connect to a console user session directly without locking it.

Suppose you want to connect from a server running Windows Server 2012 R2 to the desktop of a user working locally on a workstation running Windows 10 Pro.

To establish a shadow connection to a user session, you must use the standard RDP tool mstsc.exe. The command looks like this:

Mstsc.exe /shadow:<Session ID> /v:<Computer name or IP address>

You can also use one of the following options:

  • /prompt – prompt for user credentials to connect [if not specified, you will be connected with the current user credentials];
  • /control – the mode that allows you to interact with the user session. If the parameter is not set, you will be connected to the user session in view mode, i.e. you won’t be able to control the user’s mouse or enter data from the keyboard;
  • /noConsentPrompt – do not prompt the user for confirmation to connect to the session.

Remote shadowing settings are configured using Group Policy or by modifying the registry. You can configure whether the user must confirm the connection, and whether view or control is allowed in the shadow session.

The policy is located in the GPO editor section Computer Configuration -> Policies -> Administrative Templates -> Windows components -> Remote Desktop Services -> Remote Session Host -> Connections and is called Set rules for remote control of Remote Desktop Services user sessions.

Instead of enabling the policy, you can set the necessary value in the DWORD registry parameter Shadow in the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services registry key. The allowed values are:

0 – disable remote control;
1 – full control with user’s permission;
2 – full control without user’s permission;
3 – view session with user’s permission;
4 – view session without user’s permission.

By default, this registry parameter is not set and the shadow connection is performed in full control mode with the user’s permission.

To connect to a user session remotely using shadowing, the connecting account must have administrator permissions, and Remote Desktop [RDP] must be enabled on the Windows 10 computer [in the System Properties].

Let’s remotely request the list of sessions on the Windows 10 workstation using this command:

qwinsta /server:192.168.1.90

As you can see, there is one console user session with the ID = 1 on this computer.

Let’s try to remotely connect to the user session 1 via a shadow connection. Run the command:

Mstsc /shadow:1 /v:10.10.11.60

The Windows 10 user will see the following request on the screen:
Remote connection request
PC\admin is requesting to view your session remotely. Do you accept the request?

If the user accepts the connection, you’ll connect to the Windows 10 console session and see the user’s desktop. You will see all user actions, but won’t be able to control this session.

If you check the network connections using TCPView, you can see that it is a RemoteRPC connection [not an RDP one using port TCP/3389]. This means that a random TCP port from the high RPC range is used for the shadow connection. Mstsc.exe establishes the connection on the connecting computer, and rdpsa.exe or rdpsaproxy.exe [depending on the Windows 10 build] processes the connection on the client side. So RemoteRPC must be enabled on the client:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
"AllowRemoteRPC"=dword:00000001
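
The two registry settings described above [the Shadow policy value and AllowRemoteRPC] can be checked on a workstation with a short audit script. This is an added example, not code from the original article: the key paths, value names and the meanings of values 0 to 4 are the ones given on this page, while the function names and output fields are assumptions of the example.

```powershell
# Added example: report the effective session-shadowing configuration of the local machine.
# Key paths, value names and the 0-4 meanings are taken from the article text;
# Read-DwordOrNull and Get-ShadowAudit are hypothetical helper names.

$ShadowModes = @{
    0 = 'Remote control disabled'
    1 = 'Full control with user permission'
    2 = 'Full control without user permission'
    3 = 'View session with user permission'
    4 = 'View session without user permission'
}

function Read-DwordOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-ShadowAudit {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    $shadow   = Read-DwordOrNull -Path $policyKey -Name 'Shadow'
    $allowRpc = Read-DwordOrNull -Path $tsKey -Name 'AllowRemoteRPC'

    if ($null -eq $shadow) {
        # Per the article: an unset value means full control with user permission.
        $mode = 'Not set (default: full control with user permission)'
        $effective = 1
    } elseif ($ShadowModes.ContainsKey($shadow)) {
        $mode = $ShadowModes[$shadow]
        $effective = $shadow
    } else {
        $mode = "Unrecognized value $shadow"
        $effective = $null
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ShadowValue    = $shadow
        ShadowMode     = $mode
        AllowRemoteRPC = $allowRpc
        # Values 2 and 4 allow viewing or controlling a session without asking the user.
        NoUserConsent  = ($effective -in 2, 4)
        RemoteRpcOn    = ($allowRpc -eq 1)
    }
}

Get-ShadowAudit | Format-List
```

A machine that reports NoUserConsent = True together with RemoteRpcOn = True accepts shadow connections that the logged-on user is never asked to approve, so those two fields are the ones to review first.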

Remote Desktop Shadowing is available in Windows 10 / 8.1 and Windows Server 2012 R2 / 2016 / 2019. To allow shadowing on Windows 7 SP1 [Windows Server 2008 R2] clients, you will need to install the RDP client version 8.1 – KB2830477 [requires installation of the following updates – KB2574819 and KB2857650].

Thus, Remote Desktop Shadowing can be used as a substitute for Remote Assistance or TeamViewer in a local or corporate network.
