MS RDS server: How to publish multiple Putty instances with different config files for different users ?.

[RimBlock]

Hi,

So I am using a Remote Desktop Services server to provide an entry way in to a lab for 2 groups of users, each requiring access to specific servers exclusively.

I have been looking at SuperPutty and pre-defining the sessions.xml with all saved servers defined but I can't seem to find a way to start it as a web app and force the loading of a predefined settings.xml.

I was hoping I can either publish multiple instances of Putty started with different settings files for specific servers for specific users but am not sure this will work either.

The number of users is quite small so multiple session hosts would be massive overkill (one for each version of Putty).

Any ideas on how to do this.

 

[Marjan]

Hello,

I would say just publish multiple instances of putty with saved sessions for each connection. For each published putty set appropriate access rights for users. Each session is started like this:
putty.exe -load "session name".
No need for multiple session hosts, like you already said.

I haven't used RDS since Windows 2008 but I don't think much has changed.

Or, you can use Apache Guacamole. If you haben't heard of it, it's SSH, VNC, and RDP publishing software, all sessions are in browser. It supports AD authentication, users, groups... It's not hard to set up, there are also docker containers.

Cheers

 

[RimBlock]

Hi, Thanks for the reply.

Unfortunately I have 14 servers for one team to connect to and have more teams wanting access soon. I can see one instance of putty for each server spiralling out of control .

I did manage to get SuperPutty to restart with a preconfigured server list using User Personal Drives and putting a base config in a shared location with the sessions file but that will only work for one team. Not sure I want to work out a script to copy different session files in for the user depending on their AD group. Unfortunately SuperPuTTY does not have a command line option to start with a specific sessions.xml file.

Apache Guacamole sounds interesting if it runs on the RDS server rather than the users desktop. Using the RDS server is to airgap the users ability to SSH files out from the lab (local drives etc are disabled in the RDS sessions). I will take a look now, cheers.

Regards

 

[Marjan]

Yes I agree, it can go out of control quickly.

Apache Guacamole runs on Linux as a web interface, so you either publish it to internet behind reverse proxy or publish some browser on RDS that opens it.
In the background it uses SSH, VNC and RDP clients and presents the remote connection to the end user. Each connection you need to set up, assign proper group, etc. A little bit of manual work. Luckily, you can copy existing connection and just change name and IP.

Regards

 

[gb00s]

I may totally misunderstand your goal, but have you checked Bitwise or MobaXterm where you can predefine connections for each user?

 

[VMman]

Yes I agree, it can go out of control quickly.

Apache Guacamole runs on Linux as a web interface, so you either publish it to internet behind reverse proxy or publish some browser on RDS that opens it.
In the background it uses SSH, VNC and RDP clients and presents the remote connection to the end user. Each connection you need to set up, assign proper group, etc. A little bit of manual work. Luckily, you can copy existing connection and just change name and IP.

Regards

+1 for the Guacamole deployment idea, less overhead.

 

[RimBlock]

I may totally misunderstand your goal, but have you checked Bitwise or MobaXterm where you can predefine connections for each user?

Thanks for the replay and I will certainly take a look at those. MobaXTerm seems quite feature packed.

The goal is to provide a RDP (for Windows desktops) and SSH (for Linux serers) connection in the lab for lab users that does not originate from their own desktops so they cannot SFTP files over SSH out of the lab. Sure they can use the clipboard but I am more interested in big files coming out rather than a page or so of text via the clipboard.

The users will need to access 'some' servers and for the Linux side I would like to use a client that can be started with a preset list of servers. One windows from which they can just click and connect to all the servers they require for their project.

SuperPuTTY allows you to use a sessions.xml which lists all the saved sessions but only loads the one in your 'settings'directory with no option of supplying a specific sessions file via command line parameter.

It is this load sessions specific to each user group (controlled via AD group and RDS webapplication setup) without requiring a new RDS server for each team that is the challenge I am trying to get round at the moment.

+1 for the Guacamole deployment idea, less overhead.

Thanks for the upvote on Guacamole.

 

[gb00s]

Can't you restrict users from SFTP over SSH with match user policy in sshd_config? Then the user could get his own ssh_config via mobaxterm on his own Win desktop. I have to test this over the weekend. But Guacamole might be already the right solution for you.

 

[RimBlock]

Won't block SCP or doing...

ssh user@hostname 'cat /tmp/remotefile.conf' > /tmp/localfile.conf

SSHD is pretty powerful . Air-gapping via a jump host is the only way I have found to break the User to server direct link.

Very open to other ideas though .