New Xton Documentation Center
Xton help has moved. Please visit the current version of this page for the most recent updates. Our new documentation center can be found at

Creating secure RDP proxy sessions using your native Desktop or Mobile Applications

Xton Access Manager (XTAM) can create quick, easy and secure native client high-trust logins using your own desktop or mobile RDP client like Windows RDP client (MSTSC), Mac RDP client, Remote Desktop Connection Manager and mRemote while enforcing audit events, notifications, permissions, access request and password rotation. Unlike other products, the XTAM RDP Proxy provides this without having to download, install or maintain any custom launchers, agents or deployment packages to your computer or device!

Now your privileged users can securely connect to your managed Windows endpoints over RDP without disclosing passwords:

  1. Using their native Web browser (desktop or mobile) without installing any custom launchers, agents or packages.
  2. Using their native RDP client (desktop or mobile) without installing any custom launchers, agents or packages.

Secured passwords are never sent or synced to the user’s computer or mobile device. XTAM maintains complete and total control of all passwords while the user connects to the managed endpoint and it can even reset the password after the user’s session has completed.

To learn about how XTAM can provide secure SSH Proxy access using native SSH clients, please read our SSH client article.

The following sections describe how to create secure Windows Host RDP records in XTAM and then how to use these records in your native desktop or mobile clients.

Enabling RDP Proxy in XTAM


  1. Log in to XTAM with a System Administrator account.

  2. Navigate to Administration > Setting > Parameters.

  3. Locate and modify the following settings:

     • RDP Proxy: Switch this option to Enabled and click the Save button to its right.

     • RDP Proxy Port: Use or change the port value that XTAM will use for the RDP proxy and click the Save button to its right.

     XTAM RDP Proxy - Enable Settings

  4. Once both settings have been updated and saved, restart the PamManagement service (Windows) or pammanager service (Unix/Linux).

  5. When the service is fully restarted (this can take 1-5 minutes), the RDP proxy module is online.


Creating an RDP session record in XTAM


  1. In XTAM, navigate to a Vault or Container and create a new record using the Windows Host record type.

  2. Populate all the fields with your endpoint’s connection details.

  3. Click the Save and Return button.

Your record is now saved and under management in XTAM. All access to this record will be captured in the audit log, including Active and Completed sessions. Permissions and workflows can also be applied to your users or groups, ensuring only authorized personnel can access the record.


Using your RDP session record in a native RDP Client

You can create your remote session in your native RDP client using one of two methods. The first method is to populate your connection parameters into the client manually and the second method is to download a remote desktop file that already contains your Host and User values. If you choose to download the remote desktop file, then you can skip to step 5 in this section. Please note that for MFA authentication, your User value will need to be updated to contain the MFA token or MFA type as described below.


  1. If you are currently logged in to XTAM, please log out and log back in to the web portal. Any users who wish to connect using the RDP Proxy must sign in to the XTAM web portal once so their account can be automatically registered for this feature. They only need to do this login once, not every time they want to connect with the RDP Proxy.

  2. Open your local RDP client (we will use the native Windows 10 RDP client in our example, but most other RDP clients function similarly) and create a new session.

  3. In the Computer field, enter the hostname of your XTAM server followed by the configured RDP proxy port. For example,

  4. In the User name field, enter a user string as described below:

     YourXTAMLoginName#XTAMrecordName or YourXTAMLoginName#XTAMrecordID

     For example, if your login to XTAM was the username bwilliams and the XTAM record that contains the Windows Host RDP details has the name Windows Production Server and ID i-hyG1KUfAHh8, then the login string would be bwilliams#Windows Production Server or bwilliams#i-hyG1KUfAHh8

     When using the record Name to define the connection string, the record Name must be unique in XTAM. If the name is not unique, the connection will fail and you must use its record ID instead.

     XTAM RDP Proxy - Client Connection Values

     A # (hash), % (percent) or : (colon) character may be used as a separator between the login and recordID values.
     The record’s ID can be found in the record’s URL or when viewing the record’s Details (

     For users that are required to authenticate using MFA, your connection string for the User name field needs to include your MFA token or type. Please use the following examples to illustrate MFA connection strings.

     • For TOTP like Google Authenticator or RADIUS like RSA, the Username string will follow this pattern:
       XTAM Username#Your MFA code#Unique XTAM Record Name or ID

       bwilliams#278461#Windows Production Server

       The 278461 represents an example of your TOTP token.

     • For Duo Security, the Username string will follow this pattern:
       XTAM Username#Duo type or passcode#Unique XTAM Record Name or ID

       bwilliams#auto#Windows Production Server
       bwilliams#push#Windows Production Server
       bwilliams#phone#Windows Production Server
       bwilliams#397623#Windows Production Server

       The auto type will use your default Duo method, the push type will send a Duo Push to your registered device, the phone type will generate a phone call to your registered device and the 397623 represents an example of your unique Duo Passcode. SMS is not supported because there is no prompt to enter the code after it is generated.

       Please note when using any of the auto, push or phone options, the connection process of the RDP Proxy will pause until you Approve the Duo challenge on your registered device.

  5. Now, click the Connect button in your client.

  6. Enter the password for your XTAM user account when prompted and click OK. Note that you will be connecting to the XTAM server rather than directly to this Windows endpoint.

     XTAM RDP Proxy - Client Password Prompt

  7. Confirm the XTAM security certificate by clicking the Yes button.

     XTAM RDP Proxy - Accept Client Certificate

  8. After a few moments, you will be connected to the remote RDP endpoint using the secured connection details in the referenced XTAM record.

     XTAM RDP Proxy - Connecting Progress

     XTAM RDP Proxy - Connected

  9. To confirm that the session is being provided via XTAM, you can navigate to the Session tab of this record and note that there is now an Active session using this record. When you end the session using the native Disconnect or Sign Out options, the session will be reported as Completed.

XTAM RDP Proxy - Session Complete

Note that the Type RDPP indicates an RDP Proxy Session whereas the Type RDP indicates an RDP Web Session.
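
The User name formats described in this section can be composed and checked with a small helper. This is an added example, not Xton's code; the function names are hypothetical. It assumes that no field contains a separator character, that the same separator is used between all fields, and that one-time codes are all digits as in the examples above.

```python
import re
from typing import NamedTuple, Optional

SEPARATORS = "#%:"                     # separator characters listed on the page
DUO_TYPES = {"auto", "push", "phone"}  # Duo types listed on the page; SMS is not supported


class ProxyUser(NamedTuple):
    login: str           # XTAM login name
    mfa: Optional[str]   # TOTP/RADIUS code, Duo passcode or Duo type; None without MFA
    record: str          # unique record name or record ID


def _check_mfa(mfa: str) -> None:
    # Assumption: codes and passcodes are all digits, as in the page's examples.
    if mfa not in DUO_TYPES and not mfa.isdigit():
        raise ValueError(f"unsupported MFA value: {mfa!r}")


def build_user(login: str, record: str, mfa: Optional[str] = None, sep: str = "#") -> str:
    """Compose the string typed into the RDP client's User name field."""
    if len(sep) != 1 or sep not in SEPARATORS:
        raise ValueError("separator must be one of # % :")
    fields = [login, record] if mfa is None else [login, mfa, record]
    for field in fields:
        if not field or any(c in SEPARATORS for c in field):
            raise ValueError(f"empty field or separator inside field: {field!r}")
    if mfa is not None:
        _check_mfa(mfa)
    return sep.join(fields)


def parse_user(value: str) -> ProxyUser:
    """Split a User name string into login, optional MFA value and record."""
    parts = re.split("[#%:]", value)
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"not a valid proxy user string: {value!r}")
    mfa = parts[1] if len(parts) == 3 else None
    if mfa is not None:
        _check_mfa(mfa)
    return ProxyUser(parts[0], mfa, parts[-1])


def redact(value: str) -> str:
    """Mask a one-time code before the string is written to a log or ticket."""
    parse_user(value)                      # reject malformed input first
    tokens = re.split("([#%:])", value)    # keeps the separators as tokens
    if len(tokens) == 5 and tokens[2].isdigit():
        tokens[2] = "*" * len(tokens[2])
    return "".join(tokens)
```

Because the MFA code travels in the User name field, `redact` is the form to use wherever that field is logged or pasted into a ticket.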


Current Restrictions or Limitations

Please note the following when enabling the XTAM RDP Proxy:

  • Clients using NTLMv1 authentication are not supported.
  • Remote endpoints using TLSv1.0 are not supported. This includes Windows Server 2008 SP1 and earlier Windows Server versions.
  • “Double Hop” RDP Proxy connections, commonly used for isolated network access, are not yet supported.
  • Dynamic Credentials and Pass-Through were previously not supported; they are now supported.
  • Session recording is not yet supported; this includes both video and session events.
  • The Join, Terminate, Video Playback and Video Conversion options are not yet supported.
  • Workflow restrictions are not yet supported. Users that are required to Request Access or are Denied Access due to a workflow binding will not be required to request using the RDP Proxy to connect.
  • MFA authentication is not yet supported. Users that are required to provide a secondary MFA token when authenticating to XTAM will not be required to do so when using the RDP Proxy to connect.


Example using Remote Desktop Connection Manager

XTAM RDP Proxy using Remote Desktop Connection Manager


Example using mRemoteNG

XTAM RDP Proxy using mRemoteNG


Example using a generic RDP Mobile App

XTAM RDP Proxy using a Mobile App


Copyright © 2020 Xton Technologies, LLC. All rights reserved.