Configure an Advanced Server Access gateway for AD-Joined
Teams can configure their Advanced Server Access gateways to discover available servers and forward Remote Desktop Protocol (RDP) connections to an Active Directory (AD) domain.
Okta recommends configuring your network and gateway to restrict direct access to servers within the AD domain. This allows teams to use Advanced Server Access for things like authentication and auditing without comprising the security of the network. Teams may need to perform network and gateway configuration. Okta recommends using separate gateways for server discovery and RDP connections.
Requirements
- Install the gateway on a device running Ubuntu 20.04, 22.04, or RHEL 8
See Install the Advanced Server Access gateway on Ubuntu or Debian. - Update the gateway to v1.59.0 or later
Start this task
- Create an authentication certificate. Add a certificate to an Advanced Server Access gateway.
- Move the certificate to the gateway.
- Configure LDAP options for the gateway. See LDAP options.
- Configure RDP options for the gateway. See RDP options.
- Verify DNS name resolution of any target AD domains. Possible options:
- Create a cloud DNS forwarding rule.
- Add AD domain controllers as DNS servers to resolv.conf or resolvconf. Port 53 must be open between the gateway and DNS server.
- From the terminal, install resolvconf with the following command: sudo apt install resolvconf
- Enable the resolvconf service with the following command: sudo systemctl enable --now resolvconf.service
- Add the domain controller nameserver IP address to the following file /etc/resolvconf/resolv.conf.d/head
- Update the resolvconf subscribers with the following command: sudo resolvconf -u
- Verify that clients can reach the gateway over the network. See Connection options.
- Configure your network to allow proxied connections through the gateway. Possible options:
- Create firewall rules to limit RDP traffic (port 3389) to only gateway hosts with known static IPs.
- Add target servers to a private network and limit inbound access to Advanced Server Access gateways only.