InfoGrab Docs

Desktop Access Configuration Reference

teleport.yaml fields related to Desktop Access:

# The primary service responsible for Desktop Access.
#
# A cluster can have multiple Desktop Service instances connected to the same
# or different Active Directory domains (but not within the same teleport.yaml).
windows_desktop_service:
  enabled: true
  # This is the address that windows_desktop_service will listen on.
  listen_addr: "0.0.0.0:3028"
  # (optional) This is the address that windows_desktop_service will advertise
  # to the rest of Teleport for incoming connections. Only proxy_service should
  # connect to windows_desktop_service, users connect to the proxy's web UI
  # instead.
  public_addr: "desktop-access.example.com:3028"
  # (optional) Determines whether desktop sessions will show a user-selected wallpaper
  # vs a system-default, single-color wallpaper. For improved visual performance,
  # set this to false (its default value).
  show_desktop_wallpaper: false
  # (optional) ldap contains configuration keys used when connecting Teleport
  # to an Active Directory domain.
  ldap:
    # Address of the LDAP server for secure LDAP connections.
    # Usually, this address will use port 636, like: ldap.example.com:636.
    # For best results, this address should point to a highly-available
    # endpoint rather than a single domain controller.
    addr: "$LDAP_SERVER_ADDRESS"
    # locate_server gets a list of available LDAP servers from the AD
    # domain's SRV records. When enabled, addr is ignored.
    locate_server:
      enabled: true
      # Optional: Site is the logical AD site that locate_server should return.
      # Ignored if locate_server.enabled is false.
      site: "$LDAP_SITE_NAME"
    # Optional: the server name to use when validating the LDAP server's
    # certificate. Useful in cases where addr is an IP but the server
    # presents a cert with some other hostname.
    server_name: "$LDAP_SERVER_NAME"
    # You can skip LDAPS certificate verification by setting
    # this to true. It is recommended that this be set to false
    # and the certificate added to your system's trusted store,
    # or provided as a PEM encoded certificate using the ldap_ca_cert field.
    # You can provide a file path with der_ca_file, but this behavior is deprecated.
    insecure_skip_verify: false
    # PEM encoded LDAP CA certificate.
    ldap_ca_cert: |
      -----BEGIN CERTIFICATE-----
          *certificate data*
      -----END CERTIFICATE-----
    # DER encoded LDAP CA certificate.
    # deprecated: prefer ldap_ca_cert instead
    der_ca_file: /path/to/cert
    # Active Directory domain name you are connecting to.
    domain: "$LDAP_DOMAIN_NAME"
    # LDAP username for authentication. This username must include the domain
    # NetBIOS name. The use of single quotes here is intentional in order to
    # avoid the need to escape the backslash (\) character.
    #
    # For example, if your domain is "example.com", the NetBIOS name for it is
    # likely "EXAMPLE". When connecting as the "svc-teleport" user, you should
    # use the format: 'EXAMPLE\svc-teleport'.
    username: '$LDAP_USERNAME'
    # The security identifier of the service account specified by the username
    # field above. This looks like a string starting with "S-".
    #
    # Any AD user with permission to read user objects can obtain this value
    # by opening a PowerShell and running
    # ```
    # Get-AdUser -Identity $LDAP_USERNAME | Select SID
    # ```
    #
    # The value can be obtained over LDAP by constructing a query with the
    # filter = (&(objectCategory=person)(objectClass=user)(sAMAccountName=$LDAP_USERNAME))
    # and requesting the attribute = objectSid
    sid: "$LDAP_USER_SID"

  # (optional) When AD support is used, this field allows you to override
  # the domain that Teleport uses for PKI operations. If empty, the domain
  # from the ldap section is used. This can be useful for cases where PKI
  # is configured in a root domain but Teleport is used to provide access
  # to users and computers in a child domain.
  pki_domain: root.example.com

  # (optional) Configures the address of the Kerberos Key Distribution Center,
  # which is used to support RDP Network Level Authentication (NLA). When set,
  # this field takes priority over locate_server. If empty and locate_server
  # is disabled, the LDAP address will be used instead.
  #
  # example: kdc.example.com:88.
  # The port is optional and defaults to port 88 if unspecified.
  #
  # Note: NLA is only supported in Active Directory environments - this field has
  # no effect when connecting to desktops as local Windows users.
  kdc_address: "$KDC_SERVER_ADDRESS"

  # (optional) static_hosts is a list of hosts to register as WindowsDesktop
  # objects in Teleport. You can define host name and labels directly.
  static_hosts:
    - name: example1
      ad: false
      addr: win1.dev.example.com
      labels:
        datacenter: dc1
    - ad: true
      addr: win2.dev.example.com # name will be generated based on address
      labels:
        controller: all

  # (optional) settings for enabling automatic desktop discovery via LDAP.
  # To disable automatic discovery, omit this section.
  discovery_configs:
    - base_dn: "OU=prod,DC=example,DC=com"
      # (optional) LDAP filters for further customizing the LDAP search.
      # See https://ldap.com/ldap-filters for details on LDAP filter syntax.
      filters:
        - "(location=Oakland)"
        - "(!(primaryGroupID=516))" # exclude domain controllers
      # (optional) LDAP attributes to convert into Teleport labels.
      # The key of the label will be "ldap/" + the value of the attribute.
      label_attributes:
        - location
      # (optional) static labels to apply to all hosts discovered via this policy
      labels:
        env: prod
      # (optional) The port to use for RDP.
      # Defaults to 3389 if unspecified.
      rdp_port: 3389

  # (optional) interval at which to run desktop discovery
  discovery_interval: 10m

  # (optional) interval at which to publish CRLs
  # Defaults to 5m if unspecified
  publish_crl_interval: 10m

  # (optional) configure a set of label selectors for dynamic registration.
  # If specified, this service will monitor the cluster for dynamic_windows_desktop
  # and automatically proxy connections for desktops with matching labels.
  resources:
    - labels:
        "env": "dev"

  # (optional) rules for applying labels to Windows hosts based on regular expressions
  # matched against the host name. If multiple rules match, the desktop will
  # get the union of all matching labels.
  host_labels:
    - match: '^.*\.dev\.example\.com'
      labels:
        environment: dev
    - match: '^.*\.prod\.example\.com'
      labels:
        environment: prod
    - match: "^EC2AMAZ-"
      labels:
        environment: discovered-in-aws

  # Labels to attach to the Windows Desktop Service. This is used internally, so
  # any custom labels added won't affect the Windows hosts.
  labels:
    teleport.internal/resource-id: "resource-id"
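The `sid` comments above describe looking the service account up over LDAP with a `sAMAccountName` filter and requesting `objectSid`. Two details a practitioner runs into are not shown there: the account name must be escaped before it is embedded in the filter (RFC 4515), and `objectSid` comes back as bytes, not as the `S-...` string the `sid` field expects. The following is an added example, not Teleport's own code; the account name and SID bytes are constructed for the example.

```python
"""Build the objectSid lookup filter from the desktop-config comments and decode
the binary objectSid that LDAP returns into the "S-1-5-..." string form.

Added example, not Teleport code. The sample account name and the SID bytes
are constructed; the filter text is the one given in the config comments."""
import struct

# Characters RFC 4515 requires to be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def sid_lookup_filter(sam_account_name):
    """The filter from the config comments, with the account name escaped.

    The filter takes the bare sAMAccountName (svc-teleport), not the
    NetBIOS-qualified form (EXAMPLE\\svc-teleport) used by the username field."""
    return ("(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"
            % escape_filter_value(sam_account_name))


def decode_object_sid(raw):
    """Convert the binary objectSid attribute to its "S-R-A-S1-...-Sn" form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def is_valid_object_sid(raw):
    """True if the bytes decode cleanly, False otherwise."""
    try:
        decode_object_sid(raw)
        return True
    except ValueError:
        return False


# Constructed sample: S-1-5-21-1004336348-1177238915-682003330-1104 as bytes,
# i.e. revision 1, five sub-authorities, identifier authority 5.
CONSTRUCTED_SID = (b"\x01\x05\x00\x00\x00\x00\x00\x05"
                   + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1104))

if __name__ == "__main__":
    print(sid_lookup_filter("svc-teleport"))
    print(decode_object_sid(CONSTRUCTED_SID))
```

The decoded string is what goes into `sid`; the escaping matters whenever the account name comes from a variable, since `*`, `(` and `)` would otherwise change what the filter matches.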

Deployment

The Windows Desktop Service can be deployed in two modes.

Direct mode

In direct mode, the Windows Desktop Service registers directly with the Teleport Auth Service and listens for desktop connections coming from the Teleport Proxy. To enable direct mode, set windows_desktop_service.listen_addr in teleport.yaml and point teleport.auth_server directly at the Auth Service.

Direct mode requires network connectivity in both of the following directions:

  • From the Teleport Proxy to the Windows Desktop Service.
  • From the Windows Desktop Service to the Auth Service.

For this reason, direct mode is not available on Teleport Cloud and can only be used with self-hosted Teleport clusters.

IoT mode (reverse tunnel)

In IoT mode, the Windows Desktop Service only needs to be able to make outbound connections to the Teleport Proxy. The Windows Desktop Service establishes a reverse tunnel to the Proxy, and both registration with the Auth Service and desktop sessions are carried over this tunnel. To enable this mode, leave windows_desktop_service.listen_addr unset and point teleport.proxy_server at the Teleport Proxy.
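The two modes above are distinguished by which of listen_addr, teleport.auth_server and teleport.proxy_server are set, and the config reference earlier on this page adds a few rules a reviewer checks for by hand (kdc_address wins over locate_server, locate_server makes ldap.addr ignored, insecure_skip_verify should stay false, der_ca_file is deprecated). The following added example, which is not Teleport's own code, applies those rules to a parsed teleport.yaml; the configuration dicts are constructed inline in place of files read from disk.

```python
"""Classify a teleport.yaml for the Windows Desktop Service by deployment mode
and flag settings this page advises against.

Added example, not Teleport code. Rules come from this page: listen_addr set
plus teleport.auth_server means direct mode; listen_addr unset plus
teleport.proxy_server means IoT mode; kdc_address takes priority over
locate_server, which takes priority over ldap.addr. `config` is the parsed
YAML as a plain dict, constructed below instead of being loaded from disk."""


def deployment_mode(config):
    """Return "direct", "iot", or "ambiguous" per the rules on this page."""
    wds = config.get("windows_desktop_service", {})
    teleport = config.get("teleport", {})
    has_listen = bool(wds.get("listen_addr"))
    if has_listen and teleport.get("auth_server"):
        return "direct"
    if not has_listen and teleport.get("proxy_server"):
        return "iot"
    return "ambiguous"


def kdc_source(wds):
    """Which setting the service will use to locate the KDC for NLA."""
    if wds.get("kdc_address"):
        return "kdc_address"
    ldap = wds.get("ldap", {})
    if ldap.get("locate_server", {}).get("enabled"):
        return "locate_server"
    return "ldap.addr"


def config_findings(config):
    """Human-readable findings; an empty list means nothing to report."""
    findings = []
    wds = config.get("windows_desktop_service", {})
    ldap = wds.get("ldap", {})
    if deployment_mode(config) == "ambiguous":
        findings.append(
            "deployment mode unclear: set listen_addr with teleport.auth_server "
            "(direct) or proxy_server with listen_addr unset (IoT)")
    if ldap.get("insecure_skip_verify"):
        findings.append(
            "ldap.insecure_skip_verify is true: the LDAPS server certificate is "
            "not verified; set it to false and provide ldap_ca_cert")
    if "der_ca_file" in ldap:
        findings.append("ldap.der_ca_file is deprecated: prefer ldap_ca_cert")
    if ldap.get("addr") and ldap.get("locate_server", {}).get("enabled"):
        findings.append("ldap.addr is ignored because locate_server.enabled is true")
    return findings


# Constructed sample configurations (not from a real deployment).
DIRECT_CONFIG = {
    "teleport": {"auth_server": "auth.example.com:3025"},
    "windows_desktop_service": {
        "enabled": True,
        "listen_addr": "0.0.0.0:3028",
        "ldap": {
            "locate_server": {"enabled": True},
            "domain": "example.com",
            "insecure_skip_verify": False,
            "ldap_ca_cert": "<PEM certificate data placeholder>",
        },
    },
}

IOT_CONFIG = {
    "teleport": {"proxy_server": "teleport.example.com:443"},
    "windows_desktop_service": {
        "enabled": True,
        "kdc_address": "kdc.example.com:88",
        "ldap": {"addr": "ldap.example.com:636", "domain": "example.com"},
    },
}

# listen_addr together with proxy_server and no auth_server, verification
# disabled, deprecated CA file, and an addr that locate_server shadows.
MISCONFIGURED = {
    "teleport": {"proxy_server": "teleport.example.com:443"},
    "windows_desktop_service": {
        "enabled": True,
        "listen_addr": "0.0.0.0:3028",
        "ldap": {
            "addr": "ldap.example.com:636",
            "locate_server": {"enabled": True},
            "insecure_skip_verify": True,
            "der_ca_file": "/path/to/cert",
        },
    },
}

if __name__ == "__main__":
    for name, cfg in (("direct", DIRECT_CONFIG), ("iot", IOT_CONFIG),
                      ("misconfigured", MISCONFIGURED)):
        print(name, deployment_mode(cfg), kdc_source(cfg["windows_desktop_service"]))
        for finding in config_findings(cfg):
            print("  -", finding)
```

With a real file, load it with a YAML parser and pass the resulting dict to `config_findings`; the checks only look at the keys this page documents.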

Screen size

By default, Teleport sets the screen size of a remote desktop session based on the size of the browser window. You may want to configure a specific host to use a specific screen size. To do so, set the screen_size attribute on the windows_desktop resource:

kind: windows_desktop
metadata:
  name: fixed-screen-size
spec:
  host_id: 307e091b-7f6b-42e0-b78d-3362ad10b55d
  addr: 192.168.1.153:3389
  non_ad: true

  # Optional - ensures all sessions use the same screen size regardless of the browser window size.
  # Leave unset to use the browser window size.
  screen_size:
    width: 1024
    height: 768
