Gateway support for Active Directory

Teams can configure their Advanced Server Access gateways to discover available servers and forward Remote Desktop Protocol (RDP) connections to an Active Directory (AD) domain.

Okta recommends configuring your network and gateway so that servers in the AD domain cannot be reached directly over RDP. When the gateway is the only route to port 3389, every session has to pass through Advanced Server Access, so multifactor authentication and session auditing cannot be bypassed by connecting to a server directly. This may require additional network and gateway configuration. Teams should also consider using separate gateways for server discovery and for RDP connections.

Before you begin

The gateway rejects all RDP connections unless RDP functionality is explicitly enabled using the gateway configuration file. See Remote Desktop Protocol (RDP) options. By default, gateways limit the maximum number of concurrent sessions to 20 connections. This can be adjusted from the gateway configuration file as well.

Teams must also make sure that clients are able to reach the gateway over their network. By default, gateways listen for client connections over port 7234, but you can change this by configuring the ListenPort option in the gateway configuration file. See Connection options.

If the gateway is not on the same subnet as a server, teams must disable Network Level Authentication (NLA) on that server or connections will immediately exit. How you do this depends on your organizational requirements, but it can be done through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Require user authentication for remote connections by using Network Level Authentication). Keep in mind that with NLA disabled the server no longer requires the client to authenticate before a session is created, so any host that can reach port 3389 is presented with a logon screen; the network restrictions described below are what keep that exposure limited to the gateway.

The exact setup for proxying connections through the gateway depends on your specific network configuration, but two possible options are to:

  • Create firewall rules to limit traffic on port 3389 (used for RDP connections) to only gateway hosts with known static IPs.
  • Add target servers to a private network and limit inbound access to only an Advanced Server Access gateway.
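The following PowerShell is an added example of the first option combined with the NLA step above; it is not part of Okta's documentation and not Okta's code. Run it in an elevated session on a Windows target server. The gateway addresses are assumptions; the firewall rule group name, the registry path, and the cmdlets are the standard Windows ones.

```powershell
# Added example (not from the Okta page): restrict RDP on a target server to the
# Advanced Server Access gateway hosts, verify the rules, and (only if the gateway
# is on another subnet) disable NLA. Assumed gateway IPs below.

$GatewayIPs = @('10.0.1.10', '10.0.1.11')   # assumed static IPs of the ASA gateway hosts

# 1. Scope the built-in "Remote Desktop" inbound rules to the gateway hosts.
#    Editing the existing rules avoids leaving a second, permissive rule behind.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
    -RemoteAddress $GatewayIPs -Enabled True -Profile Any

# 2. Verify: every inbound rule in the group should list only the gateway IPs.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($filter.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize

# 3. Only if the gateway is on a different subnet than this server: disable NLA.
#    This removes the pre-session authentication NLA provides, which is why step 1
#    must already be in place. A domain GPO overrides this value on the next
#    policy refresh, so on domain-managed servers set it through Group Policy instead.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 0 -Type DWord

# 4. Confirm the NLA state on this host (0 = NLA disabled, 1 = NLA required).
(Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication').UserAuthentication
```

After applying this, `Test-NetConnection <server> -Port 3389` from a host that is not a gateway should report `TcpTestSucceeded : False`, while the same test from a gateway host succeeds. Note that administrators who relied on direct RDP for out-of-band management lose that path, which is the intent: all sessions now go through Advanced Server Access.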

To troubleshoot a connection to an AD domain, start the gateway with the --log-level debug flag and review its output.