From fd5b89a39cd057905d32dd6f6d42ae1473611c8b Mon Sep 17 00:00:00 2001 From: Bolke de Bruin Date: Fri, 26 Sep 2025 00:25:58 +0200 Subject: [PATCH] Add extra on mstsc --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 22c19bf..4e1e77b 100644 --- a/README.md +++ b/README.md @@ -310,6 +310,15 @@ otherwise the client will not connect at all (it won't send any packages to the Finally, ``mstsc`` requires a valid certificate on the gateway. +Additionally, ``mstsc`` is more restrictive about SSL cipher suites compared to other RDP clients. When using a reverse proxy like nginx for TLS termination, you may need to configure specific cipher suites that ``mstsc`` supports. A working configuration for nginx ``ssl_ciphers`` is: +``` +ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 +``` + +``mstsc`` also requires server names rather than IP addresses for connections, despite Microsoft's documentation suggesting otherwise. When configuring hosts in the rdpgw configuration, ensure you use hostnames. + +Furthermore, the ``mstsc`` client sends the hostname including the port number when establishing connections. To ensure proper host verification, configure your hosts in the rdpgw configuration file with the port numbers included (e.g., ``myserver:3389`` even for the default RDP port 3389). + The Microsoft Remote Desktop Client from the Microsoft Store does not have these issues, but it requires that the username and password used for authentication are the same for both the gateway and the RDP host.
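Review bot: the ``ssl_ciphers`` list added to README.md covers TLS 1.2 suites only, yet the paragraph calls them "SSL cipher suites"; in nginx ``ssl_ciphers`` does not govern TLS 1.3 suite selection (those come from OpenSSL's own defaults), so the text should say TLS, state which ``ssl_protocols`` setting the list was verified against, and mention that the ``DHE-RSA-AES256-GCM-SHA384`` and ``DHE-RSA-AES128-GCM-SHA256`` entries only take effect when ``ssl_dhparam`` is configured (otherwise nginx silently skips them). The sentence that ``mstsc`` needs hostnames "despite Microsoft's documentation suggesting otherwise" should either link the documentation it contradicts or drop that clause, since the hunk gives no reference. The ``myserver:3389`` guidance would be clearer with a short ``hosts`` entry as it appears in the rdpgw configuration file rather than prose only, and the new fence around the cipher list has no language tag while the rest of the README uses tagged fences.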