cancel
Showing results for 
Search instead for 
Did you mean: 

RDP - Network Level Authentication

Highlighted
Frequent Contributor

RDP - Network Level Authentication

Is there any chance this century that we might get RDP capability which includes support for Network Level Auth which was introduced way back in 2008?  The HOB client just doesn't seem to be progressing.  I mean, 4 years isn't forever, but it sure feels like it.

 

How are others handling access to servers using NLA?

21 REPLIES 21
Highlighted
Regular Contributor

Re: RDP - Network Level Authentication

NLA is currently not supported through Terminal services.

The following KB will be modified when the support is included.

 

http://kb.pulsesecure.net/kb19222

Highlighted
New Contributor

Re: RDP - Network Level Authentication

I used WSAM to get around NLA..  I used this forum post

 

https://forums.pulsesecure.net/topic/pulse-connect-secure/20764-jsam-and-wndows-tsweb-2008

 

Highlighted
Not applicable

Re: RDP - Network Level Authentication

Sorry to raise a dead thread, but we are new to Juniper and we have ran into this issue when setting up RDP based resources. Testing proves NLA is the root cause and disabling allows RDP to work properly. The thing is, this is an audit point for us and is enforced domain wide via GP.

 

How can this still be an issue in 2014? We are coming from Sonicwall and Watchguard which were not very good SSL appliances and neither exhibited this issue. I certainly expected Juniper, which is supposed to be the king of these appliances to fully support NLA by this point. After all, it has been 6 years!

 

Is this on the horizon at all? We are running 8:R3 on the MAG.  

Highlighted
Not applicable

Re: RDP - Network Level Authentication

Hi,

 

Is there any update on this news?

 

Regards

 

J

Highlighted
Valued Contributor

Re: RDP - Network Level Authentication

Unfortunately, I do not have any significant updates on this issue.  I will attempt to discuss this internally to see if I can get some useful feedback.  Also, I would suggest reaching out to your Juniper account team to file an enhancement request.  If more customer's request for this feature, the better chances the feature will be implemented in a future release.

 

If I have any useful feedback, I will update the thread accordingly.

Highlighted
Frequent Contributor

Re: RDP - Network Level Authentication

Kita, I too would like an update on this issue.  I'd also like to point out some key pieces of information regarding this problem.

 

First, the fix listed in KB19222 was to select an option found only in Server 2008. Server 2012 does not have an option to "Allow connections from computers running any version of Remote Desktop".  It does have an option to turn off the requirement for Network Level Authentication and doing so does resolve the issue. (See attachment.)

 

Unfortunately, the requirement to use NLA in RDP is defaulted to ON in Server 2012. Turning it off is seen as reducing the security posture of the operating system by my Information Security folks and I'm sure I'm not the only admin in this situation.

 

One last point. It appears that this is also the default setting for the RDP service in Windows 8. If so it's likely that this issue is going to be reported more frequently.

Highlighted
Valued Contributor

Re: RDP - Network Level Authentication

Thank you for the input and I will pass this information along.  I will discuss this internally and provide feedback when it is made available to me.

Highlighted
Occasional Contributor

Re: RDP - Network Level Authentication

Could not agree more. This needs a fix.

Highlighted
Super Contributor

Re: RDP - Network Level Authentication

Hob Soft, where Juniper licenses the RDP java client from, does list NLA as supported for the products they sell directly on their web site.  Is there some issue with Juniper getting this specific deploy on the SSL VPN updated?

 

I don't have a license for the HOB so I had been using ProperRDP which also does not support NLA.  I have on my list to get this deployed at some point.  My preliminary research found these options.

 

FreeRDP lists NLA support for the Java client.  But we would need to work out the install options into SSL VPN.  These can be tedious and tricky so I just haven't gotten around to it yet.

 

http://www.freerdp.com/

 

Another paid commercial supported option would be Remote Spark Enterprise if you have a budget for software add-ons.

 

http://www.remotespark.com/java_solution.html

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home