Connect to a Windows target

This topic explains how to connect to your Windows machines using your preferred RDP client. The RDP gateway supports single-factor authentication and multi-factor authentication (MFA).

After your user is authenticated, DPA creates an ephemeral user on the target with the appropriate permissions, which enables you to work as a local user.

Connection guidance page and generate RDP file

To see the Connection guidance page, you must have the appropriate permission from your administrator. Your administrator must add Show Dynamic Privilege Access Tile administrative rights to one of your roles via Identity Administration. For more information, see How to give end users access to the Connection guidance page.

The Connection guidance page helps you connect to a target using DPA, creating an RDP file with the relevant connection details. Use of the Connection guidance page is optional, though you may find it easier as the page automatically provides some of the details needed for connection, such as the subdomain for the computer and username fields. The Connection guidance page also shows the different formats used for connecting to cloud and on-premises targets. If you don't want to use the Connection guidance page, see Connect to a Windows target via RDP clients.

To connect using the Connection guidance page, go to https://<subdomain>.cyberark.cloud/dpa, where <subdomain> is your organization's tenant subdomain, as provided to you by your administrator.

Connect to a Windows target via RDP clients

Use one of the following methods to connect to your target using DPA.

To configure a Connection Manager:

  1. Open a Connection Manager application on your desktop and create an entry for the target. Give each entry a meaningful name.

  2. Enter the DPA RDP gateway address (<subdomain>.rdp.cyberark.cloud) in the Remote machine address field. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

  3. To configure the sign-in credentials, enter your username.

    • secureaccess /i <user@login_suffix> /s <subdomain> /a <target_address>

      For example:

      secureaccess /i john@mysubdomain.cyberark.cloud /s mysubdomain /a mymachine.mydomain.com

      • This connection string replaces the on-premises legacy format.

      • The connection string must begin with secureaccess.

      • The delimiter details are:

        • /i - The identity of the user and the user's login suffix in the format: <user@login suffix>.

        • /s – The tenant subdomain as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

        • /a – The address of the target machine. For an on-premises machine, this must be the FQDN.

    • secureaccess /i <user@login_suffix> /s <subdomain> /a <target_address> /d <target_domain>

      For example:

      secureaccess /i john@mysubdomain.cyberark.cloud /s mysubdomain /a i-012758297b381602 /d target_domain.com

      • This connection string replaces the cloud legacy connection string format.

      • The connection string must begin with secureaccess.

      • The delimiter details are:

        • /i - The identity of the user and the user's login suffix in the format: <user@login suffix>.

        • /s – The tenant subdomain as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

        • /a – The address of the target machine.

          • For an AWS target, this can be instance ID, public IP, or private IP.

          • For an Azure target, this can be public IP or private IP.

        • /d - The domain of the target machine.

  4. To verify that you are connecting securely with the DPA RDP gateway, configure your session to only connect when the server is properly authenticated. To do so, go to your RDP client's Advanced > Server authentication section and select Do not connect.

To configure an RDP file:

  1. Create an RDP file.

  2. Configure the RDP settings as described in the following table. During the authentication process you will also be prompted for your password.

    RDP parameter settings
    Setting RDP Parameter Type Description

    full address

    		 s

    The DPA RDP gateway address: <subdomain>.rdp.cyberark.cloud. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

    username

    		 s

    Enter your username.

    • secureaccess /i <user@login_suffix> /s <subdomain> /a <target_address>

      For example:

      secureaccess /i john@mysubdomain.cyberark.cloud /s mysubdomain /a mymachine.mydomain.com

      • This connection string replaces the on-premises legacy format.

      • The connection string must begin with secureaccess.

      • The delimiter details are:

        • /i - The identity of the user and the user's login suffix in the format: <user@login suffix>.

        • /s – The tenant subdomain as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

        • /a – The address of the target machine. For an on-premises machine, this must be the FQDN.

    • secureaccess /i <user@login_suffix> /s <subdomain> /a <target_address> /d <target_domain>

      For example:

      secureaccess /i john@mysubdomain.cyberark.cloud /s mysubdomain /a i-012758297b381602 /d target_domain.com

      • This connection string replaces the cloud legacy connection string format.

      • The connection string must begin with secureaccess.

      • The delimiter details are:

        • /i - The identity of the user and the user's login suffix in the format: <user@login suffix>.

        • /s – The tenant subdomain as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

        • /a – The address of the target machine.

          • For an AWS target, this can be instance ID, public IP, or private IP.

          • For an Azure target, this can be public IP or private IP.

        • /d - The domain of the target machine.

    Authentication level

    i

    To verify that you are connecting securely with the DPA RDP gateway, configure your session to only connect when the server is properly authenticated. To do so, add a the following Authentication parameter setting:

    authentication level:i:1

     

     

  3. Repeat for each target.

To configure MSTSC to connect to the target:

  1. Open MSTSC. The Remote Desktop Connection window opens.

    You can also execute MSTSC through the command line using:

    MSTSC /v:<DPA RDP gateway address>

  2. In the Computer field, enter the DPA RDP gateway address: <subdomain>.rdp.cyberark.cloud. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

  3. Open Show Options.

  4. In the User name field, enter your username.

    • secureaccess /i <user@login_suffix> /s <subdomain> /a <target_address>

      For example:

      secureaccess /i john@mysubdomain.cyberark.cloud /s mysubdomain /a mymachine.mydomain.com

      • This connection string replaces the on-premises legacy format.

      • The connection string must begin with secureaccess.

      • The delimiter details are:

        • /i - The identity of the user and the user's login suffix in the format: <user@login suffix>.

        • /s – The tenant subdomain as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

        • /a – The address of the target machine. For an on-premises machine, this must be the FQDN.

    • secureaccess /i <user@login_suffix> /s <subdomain> /a <target_address> /d <target_domain>

      For example:

      secureaccess /i john@mysubdomain.cyberark.cloud /s mysubdomain /a i-012758297b381602 /d target_domain.com

      • This connection string replaces the cloud legacy connection string format.

      • The connection string must begin with secureaccess.

      • The delimiter details are:

        • /i - The identity of the user and the user's login suffix in the format: <user@login suffix>.

        • /s – The tenant subdomain as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

        • /a – The address of the target machine.

          • For an AWS target, this can be instance ID, public IP, or private IP.

          • For an Azure target, this can be public IP or private IP.

        • /d - The domain of the target machine.

  5. To verify that you are connecting securely with the DPA gateway, configure your session to only connect when the server is properly authenticated. To do so, go to your RDP client's Advanced > Server authentication section and select Do not connect.

  6. Click Connect. An authentication window is displayed.

  7. To connect to other targets using MSTSC, repeat this procedure for each target machine.

To connect to your target system through DPA using any standard RDP client application:

Configure your RDP client to use the parameters detailed in the following table. During the authentication process you will also be prompted for your password.

RDP client parameters
Parameter Description

Address

The DPA gateway address: <subdomain>.rdp.cyberark.cloud. The <subdomain> parameter is your organization's tenant subdomain, as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

Username

Enter your username.

  • secureaccess /i <user@login_suffix> /s <subdomain> /a <target_address>

    For example:

    secureaccess /i john@mysubdomain.cyberark.cloud /s mysubdomain /a mymachine.mydomain.com

    • This connection string replaces the on-premises legacy format.

    • The connection string must begin with secureaccess.

    • The delimiter details are:

      • /i - The identity of the user and the user's login suffix in the format: <user@login suffix>.

      • /s – The tenant subdomain as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

      • /a – The address of the target machine. For an on-premises machine, this must be the FQDN.

  • secureaccess /i <user@login_suffix> /s <subdomain> /a <target_address> /d <target_domain>

    For example:

    secureaccess /i john@mysubdomain.cyberark.cloud /s mysubdomain /a i-012758297b381602 /d target_domain.com

    • This connection string replaces the cloud legacy connection string format.

    • The connection string must begin with secureaccess.

    • The delimiter details are:

      • /i - The identity of the user and the user's login suffix in the format: <user@login suffix>.

      • /s – The tenant subdomain as provided to you by your administrator, and as shown in your portal URL (https://subdomain.cyberark.cloud).

      • /a – The address of the target machine.

        • For an AWS target, this can be instance ID, public IP, or private IP.

        • For an Azure target, this can be public IP or private IP.

      • /d - The domain of the target machine.

Server authentication

To verify that you are connecting securely with the DPA gateway, configure your session to only connect when the server is properly authenticated. To do so, go to your RDP client's Advanced > Server authentication section and select Do not connect.

After you successfully authenticate to your target, the client displays how much time you have left in your session.

  • Your session ends and gets disconnected either when you get to the end of the allotted session time, or if it is inactive for more than the amount of time allowed by your organization. You are notified 30 seconds before the session ends and is disconnected.

  • When the session ends, the user profile on the local machine is deleted.

How to give end users access to the Connection guidance page

This section is for administrators.

If you want your end users to be able to see the Connection guidance page, they must have a role which includes Show Dynamic Privileged Access Tile administrative rights.

 

To add Show Dynamic Privileged Access Tile administrative rights to a role:

  1. In Identity Administration, go to Core Services > Roles.

  2. Click the role you want to use. For example, DPA Users.

  3. On the role page, click Administrative Rights, then click Add. The Add Rights search dialog is displayed.

  4. In the search box, search for Show Dynamic Privileged Access tile, then select it and click Add. The right is added to the role.

 

To assign the role to an end user:

  1. In Identity Administration, go to Core Services > Roles.

  2. Search for and select the role you want to assign.

  3. Click Members, then Add. The Add Members search dialog is displayed.

  4. In the search box, search for the user, then select the user and click Add. The role is assigned to the user.