Connect to a Windows target

This topic explains how to connect to your Windows machines using your preferred RDP client. The RDP gateway supports single-factor authentication and multi-factor authentication (MFA).

After your user is authenticated, DPA creates an ephemeral user on the target with the appropriate permissions, which enables you to work as a local user.

Connection guidance page and generate RDP file

To see the Connection guidance page, you must have the appropriate permission from your administrator. Your administrator must add Show Dynamic Privilege Access Tile administrative rights to one of your roles via Identity Administration. For more information, see How to give end users access to the Connection guidance page.

The Connection guidance page helps you connect to a target using DPA, creating an RDP file with the relevant connection details. Use of the Connection guidance page is optional, though you may find it easier as the page automatically provides some of the details needed for connection, such as the subdomain for the computer and username fields. The Connection guidance page also shows the different formats used for connecting to cloud and on-premises targets. If you don't want to use the Connection guidance page, see Connect to a Windows target via RDP clients.

To connect using the Connection guidance page, go to https://<subdomain>.cyberark.cloud/dpa, where <subdomain> is your organization's tenant subdomain, as provided to you by your administrator.

Connect to a Windows target via RDP clients

Use one of the following methods to connect to your target using DPA.

To configure a Connection Manager:

  1. Open a Connection Manager application on your desktop and create an entry for the target. Give each entry a meaningful name.

  2. Enter the DPA RDP gateway address (<subdomain>.rdp.cyberark.cloud) in the Remote machine address field. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

  3. To configure the sign-in credentials, enter your username.

    • <user@login_suffix>#<subdomain>@<target>

      For example:

      john@mysubdomain.cyberark.cloud#mysubdomain@mymachine.mydomain.com

      • If you are providing a username, this must also include the login suffix, in the format <user@login_suffix>.

        The login suffix identifies the domain of your company as defined in Identity Administration. For more information about login suffixes, see Manage login suffixes.

      • The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

      • The <target> parameter for an on-premises target must be FQDN.

      • The parameters <user@login_suffix> and <target> are optional. If you don't configure them at this stage, you can enter them manually when you connect.

    • <user@login_suffix>#<subdomain>@<target>@<target_domain>

      For example, this is how the sign-in credentials might look:

      john@mysubdomain.cyberark.cloud#mysubdomain@i-012758297b381602@target_domain.com

      • If you are providing a username, this must also include the login suffix, in the format <user@login_suffix>.

        The login suffix identifies the domain of your company as defined in Identity Administration. For more information about login suffixes, see Manage login suffixes.

      • The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

      • The <target> parameter:

        • For an AWS target can be instance ID, public IP, or private IP.

        • For an Azure target, can be public IP or private IP.

      • The parameter <user@login_suffix> is optional. If you don't configure it at this stage, you can enter the parameter manually when you connect.

      • The parameters <target> and <target_domain> are also optional:

        • You must enter both or neither.

        • If you enter neither at this stage, when you connect, you must enter them manually in the Target machine field, using the format <target>@<target_domain>. For example, i-012758297b381602@target_domain.com.

  4. To verify that you are connecting securely with the DPA RDP gateway, configure your session to only connect when the server is properly authenticated. To do so, go to your RDP client's Advanced > Server authentication section and select Do not connect.

To configure an RDP file:

  1. Create an RDP file.

  2. Configure the RDP settings as described in the following table.

    RDP parameter settings
    Setting RDP Parameter Type Description

    full address

    		 s

    The DPA RDP gateway address: <subdomain>.rdp.cyberark.cloud. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

    username

    		 s

    Enter your username.

    • <user@login_suffix>#<subdomain>@<target>

      For example:

      john@mysubdomain.cyberark.cloud#mysubdomain@mymachine.mydomain.com

      • If you are providing a username, this must also include the login suffix, in the format <user@login_suffix>.

        The login suffix identifies the domain of your company as defined in Identity Administration. For more information about login suffixes, see Manage login suffixes.

      • The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

      • The <target> parameter for an on-premises target must be FQDN.

      • The parameters <user@login_suffix> and <target> are optional. If you don't configure them at this stage, you can enter them manually when you connect.

    • <user@login_suffix>#<subdomain>@<target>@<target_domain>

      For example, this is how the sign-in credentials might look:

      john@mysubdomain.cyberark.cloud#mysubdomain@i-012758297b381602@target_domain.com

      • If you are providing a username, this must also include the login suffix, in the format <user@login_suffix>.

        The login suffix identifies the domain of your company as defined in Identity Administration. For more information about login suffixes, see Manage login suffixes.

      • The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

      • The <target> parameter:

        • For an AWS target can be instance ID, public IP, or private IP.

        • For an Azure target, can be public IP or private IP.

      • The parameter <user@login_suffix> is optional. If you don't configure it at this stage, you can enter the parameter manually when you connect.

      • The parameters <target> and <target_domain> are also optional:

        • You must enter both or neither.

        • If you enter neither at this stage, when you connect, you must enter them manually in the Target machine field, using the format <target>@<target_domain>. For example, i-012758297b381602@target_domain.com.

    You will also be prompted for your password.

    Authentication level

    i

    To verify that you are connecting securely with the DPA RDP gateway, configure your session to only connect when the server is properly authenticated. To do so, add a the following Authentication parameter setting:

    authentication level:i:1

     

     

  3. Repeat for each target.

To configure MSTSC to connect to the target:

  1. Open MSTSC. The Remote Desktop Connection window opens.

    You can also execute MSTSC through the command line using:

    MSTSC /v:<DPA RDP gateway address>

  2. In the Computer field, enter the DPA RDP gateway address: <subdomain>.rdp.cyberark.cloud. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

  3. Open Show Options.

  4. In the User name field, enter your username.

    • <user@login_suffix>#<subdomain>@<target>

      For example:

      john@mysubdomain.cyberark.cloud#mysubdomain@mymachine.mydomain.com

      • If you are providing a username, this must also include the login suffix, in the format <user@login_suffix>.

        The login suffix identifies the domain of your company as defined in Identity Administration. For more information about login suffixes, see Manage login suffixes.

      • The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

      • The <target> parameter for an on-premises target must be FQDN.

      • The parameters <user@login_suffix> and <target> are optional. If you don't configure them at this stage, you can enter them manually when you connect.

    • <user@login_suffix>#<subdomain>@<target>@<target_domain>

      For example, this is how the sign-in credentials might look:

      john@mysubdomain.cyberark.cloud#mysubdomain@i-012758297b381602@target_domain.com

      • If you are providing a username, this must also include the login suffix, in the format <user@login_suffix>.

        The login suffix identifies the domain of your company as defined in Identity Administration. For more information about login suffixes, see Manage login suffixes.

      • The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

      • The <target> parameter:

        • For an AWS target can be instance ID, public IP, or private IP.

        • For an Azure target, can be public IP or private IP.

      • The parameter <user@login_suffix> is optional. If you don't configure it at this stage, you can enter the parameter manually when you connect.

      • The parameters <target> and <target_domain> are also optional:

        • You must enter both or neither.

        • If you enter neither at this stage, when you connect, you must enter them manually in the Target machine field, using the format <target>@<target_domain>. For example, i-012758297b381602@target_domain.com.

  5. To verify that you are connecting securely with the DPA gateway, configure your session to only connect when the server is properly authenticated. To do so, go to your RDP client's Advanced > Server authentication section and select Do not connect.

  6. Click Connect. An authentication window is displayed.

  7. To connect to other targets using MSTSC, repeat this procedure for each target machine.

To connect to your target system through DPA using any standard RDP client application:

Configure your RDP client to use the parameters detailed in the following table.

RDP client parameters
Parameter Description

Address

The DPA gateway address: <subdomain>.rdp.cyberark.cloud. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

Username

Enter your username.

  • <user@login_suffix>#<subdomain>@<target>

    For example:

    john@mysubdomain.cyberark.cloud#mysubdomain@mymachine.mydomain.com

    • If you are providing a username, this must also include the login suffix, in the format <user@login_suffix>.

      The login suffix identifies the domain of your company as defined in Identity Administration. For more information about login suffixes, see Manage login suffixes.

    • The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

    • The <target> parameter for an on-premises target must be FQDN.

    • The parameters <user@login_suffix> and <target> are optional. If you don't configure them at this stage, you can enter them manually when you connect.

  • <user@login_suffix>#<subdomain>@<target>@<target_domain>

    For example, this is how the sign-in credentials might look:

    john@mysubdomain.cyberark.cloud#mysubdomain@i-012758297b381602@target_domain.com

    • If you are providing a username, this must also include the login suffix, in the format <user@login_suffix>.

      The login suffix identifies the domain of your company as defined in Identity Administration. For more information about login suffixes, see Manage login suffixes.

    • The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

    • The <target> parameter:

      • For an AWS target can be instance ID, public IP, or private IP.

      • For an Azure target, can be public IP or private IP.

    • The parameter <user@login_suffix> is optional. If you don't configure it at this stage, you can enter the parameter manually when you connect.

    • The parameters <target> and <target_domain> are also optional:

      • You must enter both or neither.

      • If you enter neither at this stage, when you connect, you must enter them manually in the Target machine field, using the format <target>@<target_domain>. For example, i-012758297b381602@target_domain.com.

You will also be prompted for your password.

Server authentication

To verify that you are connecting securely with the DPA gateway, configure your session to only connect when the server is properly authenticated. To do so, go to your RDP client's Advanced > Server authentication section and select Do not connect.

After you successfully authenticate to your target, the client displays how much time you have left in your session.

  • Your session ends and gets disconnected either when you get to the end of the allotted session time, or if it is inactive for more than the amount of time allowed by your organization. You are notified 30 seconds before the session ends and is disconnected.

  • When the session ends, the user profile on the local machine is deleted.

How to give end users access to the Connection guidance page

This section is for administrators.

If you want your end users to be able to see the Connection guidance page, they must have a role which includes Show Dynamic Privileged Access Tile administrative rights.

 

To add Show Dynamic Privileged Access Tile administrative rights to a role:

  1. In Identity Administration, go to Core Services > Roles.

  2. Click the role you want to use. For example, DPA Users.

  3. On the role page, click Administrative Rights, then click Add. The Add Rights search dialog is displayed.

  4. In the search box, search for Show Dynamic Privileged Access tile, then select it and click Add. The right is added to the role.

 

To assign the role to an end user:

  1. In Identity Administration, go to Core Services > Roles.

  2. Search for and select the role you want to assign.

  3. Click Members, then Add. The Add Members search dialog is displayed.

  4. In the search box, search for the user, then select the user and click Add. The role is assigned to the user.