Skip to content

How To?

Set up direct access to an RDS machine without an agent

This article describes how to set up a direct access to a Windows machine, in RDS mode, without having to deploy and configure an agent on this machine.

The operating principle is the following: from a local application on the user’s computer, such as MobaXTerm or Mremote, it is possible to initiate an RDP connection to a cyberelements gateway which, depending on the authorizations and settings implemented, will allow access to a target server with session recording.

This allows internal users of an organization to bypass the cyberelements user web portal and use their usual RDP connection tools.

Use Case

We describe here the use case where the user wants to access a resource via RDP using a different account than the one used to authenticate to the server. The latter is stored in the cyberelements vault and therefore unknown to the user.

The connection target of the RDP session is the IP of the cyberelements gateway


It is necessary to enable a service present by default on the gateways of cyberelements.

Name of the service: cleanroom-xrdp-direct

To do this, you must first open an SSH session on the gateway concerned as root.

Then execute the following command to enable the service even if the gateway is restarted.

systemctl enable cleanroom-xrdp-direct

Then the following command to start the service.

systemctl start cleanroom-xrdp-direct

You can check the status of the service by running the following command:

systemctl status cleanroom-xrdp-direct


At this stage, the MFA is only supported in direct access without agent.

It is therefore necessary to differentiate, for example by duplicating the authentication domain concerned by these internal users and not to enable SSO:

The following field must be left empty for internal users performing direct access:

Direct access to the gateway in RDP mode to open an RDP resource using the Cleanroom vault

Step 1 - Configuration of the resource

First of all, it is necessary to configure a target RDS resource without agent:

The “without agent mode” box must be checked for this mode.

Step 2 -Configuration of an access contract without agent

In order to allow users to access a resource directly, it is necessary to configure an access contract.

These access contracts are different from those used to manage access to the user web portal.


Open the “direct RDP access contract without agent” menu:

This screen allows you to associate:

> The groups of users concerned, organized in domains.

> The sites concerned.

> The resources or applications concerned, organized in categories.

In the first tab, select the desired group(s) by a simple drag and drop to the list on the right.

In the second tab, the concerned site:

In the “Applications” tab, finish creating the SSH recording contract by selecting the resources to be accessed. The resources are organized in categories. It is possible to select an entire category or only certain resources by clicking on “+”.

Step 3 - Syntax of the user-side RDP client

At the level of the RDP client used on the workstation, it is necessary to use a particular syntax for the login.

The syntax is as follows:


Example with the mRemote client:

Note :

> The password must be left blank

> The target IP is that of the cyberelements gateway of the site concerned

When the connection is launched, the password of the account defined in the connection login (here vs_adm) is requested:

After entering the password, the connection to the server is made; a message reminds that the session is recorded:

The connection account is different:

And the session is recorded:

The connection sequence in video format:

The direct access functionality allows you to inhance your users experience without compromising security.

Any questions?  Book a meeting with our experts

Set up your direct access to an RDS machine

or book a meeting with our experts