Single-click Remote Desktop forwarding

After connecting to an SSH server using Bitvise SSH Client, clicking the New Remote Desktop button launches a port-forwarded Remote Desktop session. The SSH Client sets up all the settings and launches the Windows Remote Desktop client for you.

Accessing Remote Desktop over the SSH Client offers the following advantages:

  • Outside of a domain environment, the Windows Remote Desktop client cannot itself verify the authenticity of the server to which it is connecting. This renders the session vulnerable to a man-in-the-middle attack. When Remote Desktop is port forwarded over SSH, the SSH Client verifies the authenticity of the SSH server using the server's host key. This prevents a man-in-the-middle attack between the SSH Client and the SSH server.

  • A server firewall can be configured to disallow direct Remote Desktop access, and only permit it through SSH. This allows the use of additional defenses. The SSH user can be required to log in using public key authentication; if password access is not permitted, attackers will not be able to guess a password. If using Bitvise SSH Server and SSH Client, access to the server can be further obscured using SSH protocol obfuscation: this prevents any type of probing by attackers unless they know the obfuscation keyword.

Requirements

The only requirement for single-click Remote Desktop forwarding is that the computer on which the SSH server is running accepts Remote Desktop connections. This is supported in Windows Server editions, and Windows desktop editions including Professional and Enterprise. Linux servers can support Remote Desktop using the Xrdp server.

Note: Windows Home editions do not support accepting Remote Desktop connections.

If the server accepts Remote Desktop connections on the default port (3389), Remote Desktop forwarding will simply work as-is. No configuration or settings changes are needed.

If the server runs an appropriate version of Windows, you can verify that Remote Desktop access is enabled via Control Panel > System and Security > System > Advanced system settings > Remote tab. You can get there from the Start menu directly, by searching for "remote access".

What not to do

Sometimes, Remote Desktop forwarding does not work because users expect it to be difficult. Common pitfalls:

  • If the Remote Desktop server you're trying to access is on the same computer as the SSH server – which it is in most cases – do not try to alter the Computer setting on the Remote Desktop tab in the SSH Client. Leave that at the default value, 127.0.0.1. This is the localhost address, and will work when the Remote Desktop server is on the same computer as the SSH server.

  • Don't configure manual port forwarding rules, in either the C2S or S2C direction. To use single-click Remote Desktop forwarding, no manually configured rules are needed. Any rules you configure will most likely not interfere, but will also not help.

Customization

A selection of commonly used Remote Desktop settings can be configured in the SSH Client, on the Remote Desktop tab. You can configure any of these, but do not configure the Computer setting unless the Remote Desktop server is on a different computer than the SSH server.

If the Remote Desktop server is on a different computer than the SSH server, then the Computer setting needs to be configured with the IP address of that computer, reachable from the SSH server. This is usually a private IP address, not a public one.

If the Remote Desktop server listens on a port other than the default 3389, specify that port in the Computer field by appending it to the IP address, separated by a colon. For example, if the port is 12345, set this field to 127.0.0.1:12345.
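For readers who want to see what single-click forwarding does under the hood, here is an added example (not Bitvise code) that reproduces the same flow with the OpenSSH client and mstsc: it parses a Computer value in the host or host:port form described above, opens a local forward bound to 127.0.0.1 so the tunnel is reachable only from this machine, waits for the tunnel, and then starts Remote Desktop against the local end. The SSH target user@ssh.example.com is a placeholder, and the parser assumes an IPv4 address or hostname (no bracketed IPv6).

```python
import socket
import subprocess
import time

DEFAULT_RDP_PORT = 3389  # Remote Desktop's default listening port


def parse_computer(value: str) -> tuple[str, int]:
    """Parse the Computer setting: 'host' keeps port 3389, 'host:port' overrides it."""
    text = value.strip()
    host, sep, port = text.rpartition(":")
    if not sep:  # no colon at all: plain host, default port
        return text, DEFAULT_RDP_PORT
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in Computer setting: {value!r}")
    return host, int(port)


def free_loopback_port() -> int:
    """Ask the OS for an unused TCP port on 127.0.0.1 for the local end of the tunnel."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def build_commands(ssh_target: str, computer: str, local_port: int) -> tuple[list[str], list[str]]:
    """Return (ssh_argv, mstsc_argv) equivalent to single-click forwarding.

    The -L rule is bound to 127.0.0.1 so other hosts on the LAN cannot use the tunnel.
    OpenSSH verifies the server's host key against known_hosts (and refuses a changed
    key), which is what protects the SSH leg against a man-in-the-middle."""
    host, port = parse_computer(computer)
    ssh_argv = ["ssh", "-N", "-L", f"127.0.0.1:{local_port}:{host}:{port}", ssh_target]
    mstsc_argv = ["mstsc", f"/v:127.0.0.1:{local_port}"]
    return ssh_argv, mstsc_argv


def wait_for_tunnel(port: int, timeout: float = 20.0) -> bool:
    """Return True once the local forward accepts connections (ssh has authenticated)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=1):
                return True
        except OSError:
            time.sleep(0.5)
    return False


if __name__ == "__main__":
    lport = free_loopback_port()
    ssh_argv, mstsc_argv = build_commands("user@ssh.example.com", "127.0.0.1", lport)  # placeholder target
    tunnel = subprocess.Popen(ssh_argv)  # assumes the OpenSSH client is on PATH; auth prompts appear here
    try:
        if wait_for_tunnel(lport):
            subprocess.run(mstsc_argv)  # blocks until the Remote Desktop window is closed
    finally:
        tunnel.terminate()
```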

You may wish to configure Remote Desktop settings that are not supported in the SSH Client's Remote Desktop tab. In this case, run the Remote Desktop client (mstsc), configure the setting you want, and save the Remote Desktop profile. You can then configure the path to that profile using the Profile setting.