Symantec Privileged Access Management

  • 1.  PAM with XRDP

    Posted Oct 18, 2021 04:50 PM
    Hello,

    We have configured an XRDP session but we don't have the option to enter full screen mode:

    Does anyone know whether there is any configuration via PAM that allows us to switch to full screen, or does this configuration have to be made on the server?

    Another problem we are having is that the session will not end when we close the session. Is it possible to configure this via PAM?

    Thank you All.


  • 2.  RE: PAM with XRDP

    Broadcom Employee
    Posted Oct 26, 2021 11:34 AM
    Hello Yan, Can you clarify what RDP client you are using and how you have it configured? Is it a TCP/UDP service? Are you using the built-in RDP access method to open an xRDP session on a Linux host? E.g. if you have an RDP service configured that runs the native mstsc client, option /f would launch the client in full screen. The built-in RDP access method uses the RDP resolution from your user settings, by default 1024x768. You can customize this, including setting it to full screen, by clicking on your user name in the top right and setting the RDP resolution under Terminal Customization.




  • 3.  RE: PAM with XRDP

    Broadcom Employee
    Posted Oct 27, 2021 09:28 AM
    As far as the sessions not ending... this is not a function of PAM, no RDP client terminates the session when the window is closed. Either the user must sign out/log off, or you must configure GPO to log off disconnected sessions after a certain amount of time.

    Here are the GPO settings that we recommend to our customers:

    The policies are as indicated below:

    1. GPO-Restrict Remote Desktop Services Users to a single Remote Desktop Services Session
       a. This policy should be set to Disabled
    2. GPO-Limit Number of connections
       a. This policy should be set to Enabled
       b. Unlimited (9999)
    3. GPO-Set time limit for disconnected sessions
       a. Enabled
       b. 3hrs
    4. GPO-Set time limit for active but idle Remote Desktop Sessions
       a. Enabled
       b. 3hrs


    These settings ensure that:
    • Multiple users can log in with the same credential without logging other users off (necessary for some customers)
    • No user will be denied login because there are too many inactive sessions
    • Inactive and disconnected sessions are terminated in a timely manner, but not so quickly that a user cannot restore their session if they are disconnected during a long running activity. (Users can reconnect to a disconnected session from the Users tab in Task Manager.)
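
One way to check that a Windows RDP host has actually received the four policies listed in the post above. This is an added example, not part of the original post or Broadcom's own tooling. It assumes the GPOs are applied as computer policy and reads the registry values those policies write under the Terminal Services policy key; the function name `Test-RdsSessionPolicy` is hypothetical.

```powershell
# Added example: audit the RDS session policies recommended in this thread.
# Assumption: the GPOs are applied as computer (not user) policy, so the
# values land under the HKLM policy key below. Time limits are stored in ms.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ThreeHoursMs = 3 * 60 * 60 * 1000   # 10800000

# Registry value name -> value expected from the settings in the post.
$ExpectedPolicy = [ordered]@{
    fSingleSessionPerUser = 0              # Restrict to a single session: Disabled
    MaxInstanceCount      = 9999           # Limit number of connections: Enabled, 9999
    MaxDisconnectionTime  = $ThreeHoursMs  # Time limit for disconnected sessions: 3hrs
    MaxIdleTime           = $ThreeHoursMs  # Time limit for active but idle sessions: 3hrs
}

function Test-RdsSessionPolicy {
    param(
        [string]$Path = $PolicyKey,
        [System.Collections.IDictionary]$Expected = $ExpectedPolicy
    )
    # A missing key means no RDS policy has been applied to this host at all.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$name]) {
            $actual = $props.$name
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $actual) { '(not configured)' } else { $actual }
            Compliant = ($null -ne $actual) -and ([int64]$actual -eq [int64]$Expected[$name])
        }
    }
}

$results = @(Test-RdsSessionPolicy)
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or configuration scan flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

Run it on the target host after `gpupdate /force`; a row showing `(not configured)` means the corresponding policy has not reached that machine.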



  • 4.  RE: PAM with XRDP

    Broadcom Employee
    Posted Oct 27, 2021 01:50 PM

    I just noticed that this was an issue with XRDP.

    I suspect the setting you need, per https://www.systutorials.com/docs/linux/man/5-xrdp.ini/ is

    tcp_keepalive=[true|false] Regulate if the listening socket uses socket option SO_KEEPALIVE. If set to 1, true or yes and the network connection disappears without closing messages, the connection will be closed.