I work with a client that migrated their infrastructure to Microsoft. In order to connect to their Linux Server, I now have to Remote Desktop to their Azure Virtual Desktop thing. I’m not pleased but it’s out of my control.
I tried remmina freerdp but it doesn’t seem to support that Azure thing; there doesn’t seem to be an option to add the workspace.
Any recommendations, or do I have to set up a virtual machine just for this? :/ Cheers
I specialize in Azure admin.
Sounds like this might be by design to ensure secure connections.
Using AVD as a bastion replacement.
Only option with similar security would be VPN into the vnet and just ssh normally.
- AVD as a jumpbox
- Bastion (costly solution)
- VPN then SSH/RDP
- Log into the Windows machine via the webclient available at https://windows365.microsoft.com/
- Use PuTTY to set up a reverse tunnel. You’ll need to create a restricted tunnel-only user in your machine. Make sure to use key auth.
- From your local machine, connect to localhost:portnumber.
As an alternative, you might be able to set up OpenSSH in Windows (yes it’s possible), then use the `ProxyJump` setting in your local ~/.ssh/config to connect via a tunnel to the final box.
Here’s how you configure the server to not let the user wreak too much havoc:
```
Match User restricted
    PermitOpen 127.0.0.1:3389 [::1]:3389
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/sh -c 'while sleep 999; do true; done'
    ClientAliveInterval 1
    ClientAliveCountMax 2
```
Fun fact: mentioning etc ssh sshd_config triggers some CloudFlare security warning that prevents me from posting it under the right name.
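The tunnel-only `Match User restricted` block in the comment above can be checked mechanically before it goes live. This is an added example, not part of any poster's comment: a small Python audit over constructed sshd_config text, where the function names and both sample configs are assumptions made for illustration and only `Match User` blocks are read, not the global section.

```python
# Added example: audit a tunnel-only Match block in sshd_config text.
# Assumption: only "Match User name[,name...]" is parsed; no patterns/negation.
GOOD = """\
# constructed sample, mirroring the block posted above
Match User restricted
    PermitOpen 127.0.0.1:3389 [::1]:3389
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/sh -c 'while sleep 999; do true; done'
"""
WEAK = """\
# constructed sample: open forwarding targets, little else restricted
Match User restricted
    PermitOpen any
    X11Forwarding no
Match User admin
    AllowAgentForwarding no
    ForceCommand /bin/false
"""

def match_settings(config_text, user):
    """Return {keyword: value} from Match blocks that name `user`."""
    settings, active = {}, False
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.split()
            active = (len(crit) == 2 and crit[0].lower() == "user"
                      and user in crit[1].split(","))
        elif active:
            settings.setdefault(keyword, value)  # first value wins in sshd
    return settings

def audit_tunnel_user(config_text, user):
    """Return findings; an empty list means every check passed."""
    s, findings = match_settings(config_text, user), []
    targets = s.get("permitopen", "any").split()
    if any(t.lower() == "any" or "*" in t for t in targets):
        findings.append("PermitOpen is not pinned to fixed host:port targets")
    # A directive missing from the Match block is treated as not restricted.
    for key in ("x11forwarding", "allowagentforwarding"):
        if s.get(key, "yes").lower() != "no":
            findings.append(key + " is not disabled in the Match block")
    if "forcecommand" not in s:
        findings.append("no ForceCommand, so a shell is available")
    return findings
```

On a live host, `sshd -T -C user=restricted` prints the effective settings sshd would apply to that user, global section included.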
Got to love our Cloudflare overlords
I wasn’t able to set up a reverse tunnel, because I’m also under a corporate VPN :( I was able to get `xfreerdp` to work, though! Maybe I can add some port-forward + tunnels and be free :P
If your local machine is not reachable from the internet, you could set up the cheapest VPS - you can get a free one for 12 months at https://azure.microsoft.com/en-us/free/#all-free-services
Connect from your destination machine (the firewalled one) to the VPS, and set up a reverse tunnel. For example, drop this into your ~/.ssh/config on the destination machine:
```
Host rtun
    Hostname something
    RemoteForward 1234 localhost:22
```
```
tmux new-ses 'while sleep 1; do ssh rtun; done'
```
Then configure your local machine to connect to destination via the jumpbox:
```
Host vps
    Hostname something

Host destination
    Hostname localhost
    Port 1234
    ProxyJump vps
```
`ssh destination` should work now.
Make sure to use SSH key auth, not passwords, and never transport secret keys off-machine. It’s easier to wipe and recreate a VPS, if you lose keys, than to explain to Security folks how you were the donkey that enabled the breach.
Freerdp 3.x has this support. I have been using it half a year back for this very purpose. Ask for help on #FreeRDP:matrix.org they are very helpful
My example:
```
xfreerdp "$RDPW_FILE" /u:"$RDP_USERNAME" /p:"$RDP_PASSWORD" /sec:nla /cert:ignore +clipboard /multimon /monitors:0 /gateway:type:arm /network:auto /gfx:AVC444 /rfx /dynamic-resolution
```
Keep in mind that I was using it to access a Windows machine… Some flags might need to be a bit different
This worked perfectly, thank you so much. Now let’s check if I can add some port forwarding through this…
In arch it’s `xfreerdp3`, just in case anyone needs it.
Where’d you get the .rdp file? I can’t find a way to get a working version of mine.
Here’s how I got mine:
- Go to the web version: https://client.wvd.microsoft.com/arm/webclient/index.html
  - You should have a list of machines, in my case I only have one
- In the top right corner, click on the settings icon (cog)
- Under “Resources Launch Method”, select the “Download the rdp file” radio option
- Click whatever machine you want to access
- The file started to download
Lovely. Thanks! Now to figure out how to redirect that YubiKey USB device, so I could use Passkey auth…
@pathief just use the webclient. By far the easiest option
https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-web
Can you use it through a web browser?
I can use it, just not very efficiently.
Ideally, I can set port forwards/tunnels so that I can then work from my machine’s terminal.





