Windows Internals

Before you begin

After you install the server agent and enroll the server, the server agent creates local server accounts for all Advanced Server Access users that are part of the related project. On Windows, these accounts are disabled unless a connection is active.

On Windows, a related access broker process is responsible for proxying Remote Desktop Protocol (RDP) connections. Using port 4421, this process is required to allow successful RDP connections to the server. For more information, see Access Broker Options.

Server Configuration

On Windows, the Advanced Server Access server agent runs under the LocalSystem account. You can control the Advanced Server Access server agent by manually creating a configuration file. On Windows, this file must be manually created at C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\sftd.yaml. For details, see Configure the Advanced Server Access Advanced Server Access server agent.

Connection and authentication

When you open an RDP connection to a Windows server, the Advanced Server Access client performs several actions involving the Advanced Server Access, any bastions or gateways, and the access broker service running on the server:

  1. The client communicates with Advanced Server Access to receive short-lived credentials. Depending on your network topology, the client may establish an encrypted tunnel through any intermediate bastions or gateway servers.
  2. The client connects to the access broker process running on the server and authenticates using the short-lived certificates.
  3. The client authenticates the host certificate against information provided by Advanced Server Access. This helps defend against man-in-the-middle attacks.
  4. The client requests access to the related account on the server. On the server, the access broker sends a request to the server agent to enable the account.
  5. The client negotiates a proxied RDP connection via the access broker.
  6. The client starts a TCP server on a random port on the client device. Communications are proxied through the access broker to the RDP service running on the server.
  7. The RDP client connects to the local TCP port and is forwarded to the RDP service on the server.

The RDP client automatically authenticates as the user.

Server Connections

You can open an RDP connection with the rdp command (sft rdp <server-name> ). If you need to traverse one or more bastions, you can include --via arguments: sft rdp --via <first.bastion> --via <second.bastion> <server> . For additional information, see Use the Advanced Server Access client.

When you connect with the Windows RDP client, the title bar may display the loopback IP address (for example, 127.0.0.1).

Paths

Information related to the Advanced Server Access server agent installation is stored within the AppData\Local\ folder.

  • State directory: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft
  • Configuration file: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\sftd.yaml
    Note: You must manually create the configuration file.
  • Log directory: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\Logs
    Note: Log files are rotated after 5MB and only the 10 most recent log files are kept.
  • Enrollment token: C:\Windows\System32\config\systemprofile\AppData\Local\scaleft\enrollment.token

Related topics