use IAG policy to deny published RDP resource sharing

  • Question

    I would like to find out how to use IAG policy to deny remotely published RDP from using device & drive resource mapping.

    YE 

     

    • Edited by Bob MCadoo Wednesday, September 30, 2009 11:19 AM
    Tuesday, September 29, 2009 2:09 PM

Answers

  • I don't think you could use endpoint policy to deny it. For a non-web app there is no granularity and you either allow app or not.

    What you could do is publish TSweb instead. Most users wouldn't know that they could run mstsc.exe manually and would stick with the TSweb. If you really wanted to lock it down, you could list the MD5 signatures of the allowed client types in the client settings tab of IAG application properties. List here only the MD5 signatures of ActiveX RDP clients and not any mstsc.exe.
    • Proposed as answer by Mark Resnik Friday, October 2, 2009 7:24 AM
    • Marked as answer by Erez Benari Tuesday, October 6, 2009 3:52 PM
    Friday, October 2, 2009 7:23 AM
  • Hi Amigo. UAG has policies to control the mapping of Disk Drives, Printers and Clipboard depending on the compliance checks result for RDP access. Currently only Windows 7 is supported as RDP needs to be version 6.1

    Hope it helps

    // Raúl
    // Raúl - I love this game
    • Marked as answer by Erez Benari Tuesday, October 6, 2009 3:52 PM
    Friday, October 2, 2009 8:00 AM

All replies

  • Are you using UAG to publish the RDP server?
    Meir Mendelovich, Sr. Program Manager, Microsoft Forefront - IAG/UAG Product Group
    Team Blog: http://blogs.technet.com/edgeaccessblog/
    Anything you can do, I can do anywhere!
    Tuesday, September 29, 2009 6:54 PM
  • Hello Meir,
    Yes, I use IAG to publish the RDP.
    YE
    Wednesday, September 30, 2009 7:47 AM