xrdp Deployment Guide#

The following instructions are for deploying xrdp which is an implementation of Microsoft’s RDP server that enables remote desktop access on Linux.

http://xrdp.org

Prerequisites#

This guide is written for a Red Hat Enterprise Linux 8 based operating system which is operating within a cluster of systems and the following are the prerequisites:

References#

These instructions were written for xrdp 0.9.19

Instructions are based on the following documentation:
https://github.com/neutrinolabs/xrdp

Deployment Scripts#

Note

An example bash script of the instructions has been provided: deploy-xrdp.sh

User Experience#

When using Self-Signed certificates, the Windows RDP client will show a warning that the remote computer cannot be verified. Users can check the “Don’t ask me again for connections to this computer” to avoid this warning in the future. This warning will not be displayed if using a trusted CA to issue the certificate.

../_images/rdp_warning.png

Deployment Steps#

Note

Instructions assume execution using the root account.

  1. Install Extra Packages for Enterprise Linux (EPEL) Repository:

dnf -y install epel-release
dnf -y distro-sync

  1. Install xrdp:

dnf -y install xorgxrdp xrdp xrdp-selinux

  1. Create Self-signed SSL certificate:

Important

Replace values with the specifics of your network.

# Country Name (2 letter code) [XX]:US
# State or Province Name (full name) []:New York
# Locality Name (eg, city) [Default City]:New York
# Organization Name (eg, company) [Default Company Ltd]:engwsc
# Organizational Unit Name (eg, section) []:
# Common Name (eg, your name or your server's hostname) []:user01.engwsc.example.com
# Email Address []:

mkdir -p /etc/xrdp/ssl/
openssl req -x509 -nodes -newkey rsa:4096 \
    -keyout "/etc/xrdp/ssl/xrdp-selfsigned.key" \
    -out "/etc/xrdp/ssl/xrdp-selfsigned.crt" \
    -subj "/CN=user01.engwsc.example.com/C=US/ST=New York/L=New York/O=engwsc" \
    -days 365

chmod 600 /etc/xrdp/ssl/xrdp-selfsigned.key
chmod 644 /etc/xrdp/ssl/xrdp-selfsigned.crt

  1. Set default options:

sed -i "s|certificate=|certificate=/etc/xrdp/ssl/xrdp-selfsigned.crt|g" /etc/xrdp/xrdp.ini
sed -i "s|key_file=|key_file=/etc/xrdp/ssl/xrdp-selfsigned.key|g" /etc/xrdp/xrdp.ini
sed -i "s/security_layer=negotiate/security_layer=tls/g" /etc/xrdp/xrdp.ini

  1. Set firewalld rules:

Important

Replace the IPv4 Address and Subnet mask with the value of your network.

firewall-cmd --zone=public --add-port=3389/tcp --permanent
firewall-cmd --reload

  1. Start xdrp service:

systemctl enable xrdp
systemctl restart xrdp