How to control RDP settings based on access policy

TAC provides two transports systems for enabling RDP communications thru the TAC Gateway, "Native RDP Proxy" and "TAC Client Services".

Native RDP Proxy does not require the TAC Client Services to be installed on the client computer or device. Portsys recommends using Native RDP Proxy as the default transport in RDP configuration.

Without TAC Client software installed, TAC access policy cannot determine client computer criteria prior to login, for example: is AV installed and up to date, is the firewall enabled, is the device jailbroken?  The default behavior of Native RDP Proxy is to allow login as long as the user is a member of the Remote Access Users group.

Regardless of the Default transport method in RDP configuration, TAC CS will be required to present on the system when access policy assigned to the site or RDP application. 

TAC provides the ability to publish RDP applications.  As an administrator, you may want to limit the RDP settings such as clipboard sharing, bit rate, drive settings, multi-monitors, depending on the end users' system criteria. TAC allows combining Access Policy evaluation and RDP settings for this purpose.

To enable customized RDP application, the administrator needs to create required RDP access policy in the Access Policy editor. 

In this example, you will create an access policy to evaluate IF Anti-Virus is active THEN enable clipboard sharing for this remote session and vice versa; ELSE disable clipboard sharing. 

You use the "Set Flag" option to set values for the RDP file.  You should define the value for the option you are setting in the RDP file template using flags. 

You can find list of RDP settings and values here: https://www.donkz.nl/overview-rdp-file-settings/

Flag name is a string and it must be same string in the rules that participate for this evaluation in the policy and must match the name of the flag used in the RDP line template.  "EnableClipboard" is the flag name in this example. You may add many flags in the rule by click on  next to "Set flag" option. 

Below is the syntax you will see after creating the rules in the rules editor:

IF
AntiVirus.IsActive Equals 'Yes'
THEN
Set Flag("EnableClipboard", "1")

IF
AntiVirus.IsActive Equals 'No'
THEN
Set Flag("EnableClipboard", "0")

IF
True.Value Equals 'Yes'
THEN
Allow()

In above example, rules with "Set Flag" only set values and not provide Allow/Deny permission. Therefore, you need to add an Allow rule in bottom of the rule.  By default, an implicit deny will be applied in the end of rules evaluation.

When you have a policy assigned to an application, it will be evaluated when user accesses the list of applications.  If an administrator wants to use a policy whose purpose is to set flags and then generate RDP file content based on these flags, the policy needs to have an allow action as the final rule. By default if no allow or deny actions are defined, the policy is treaded as deny.

If an application needs to have any other parameters to check: such as Firewall, network etc... and sets access permissions based on those rules, then allow\deny actions have to be listed AFTER rules which set flags.  Set Flag doesn’t stop and execution continues until the first Allow or Deny is met or until the end of the policy rule.

You may create complex policies depend on the requirement of your organization.

Next, you need to apply the policy to the RDP application and require to add additional RDP file settings in the application.

Read more about how to publish RDP application here.

To customize RDP settings and assign the policy to the created RDP application;

  1. Select the RDP application from the application list and click Edit...
  2. Go to Remote Desktop Server tab.


  1. In the RDP file content field enter the RDP settings in the RDP file format:
  2.     redirectclipboard:i:@@TacVarPolicyFlag_EnableClipboard
    RDP file template consist of "option:type:valueformat.  In the above example, after the "type:", TAC will call the policy assigned to get the output value and apply it to the RDP template. The syntax "@@TacVarPolicyFlag_" is the common syntax to call the TAC access policy assigned to the application which should be same for the all policy flag references. After the "_" you need to provide the flag name you used to set values in the policy, here it is "EnableClipboard".
    You may get the list of RDP file settings from here : https://technet.microsoft.com/en-us/library/ff393699(WS.10).aspx.
  3. Next, go to Security tab.
  4. Select the access policy you've created in the Policy section.
  5. Click OK.

Apply configuration to take effect the changes.

See the brief video below: