How to Configure TruGrid SecureRDP to Authenticate against On-Premise AD

Estimated Time: 10-20 minutes

If you would like to use Azure AD to authenticate users, please refer to this article.

ONBOARD & VALIDATE YOUR INTERNAL DOMAIN: Validate your domain before installing TruGrid Sentry in your internal AD.
Login to portal at www.trugrid.com
Sign in with initial credentials provided in your Account Activation Email
Validate domain via DNS TXT or WHOIS Email validation. We can also validate it for you within our system.
Retrieve Activation Code. You can retrieve the activation code by navigating to Company Management -> Workspace & User Assignments (bottom of the page). The activation code is unique to each domain. See this article for step by step instructions, if needed.


ONBOARD & VALIDATE A CUSTOMER DOMAIN (for MSPs):
Login to portal at www.trugrid.com
Go to Customers [1]




Enter customer domain [2-3] In order to use domain names without external / public DNS, such as officelocation.customerdomain.com, please add them and ask TruGrid to validate these domains. Please do not use .local domains. Only use domains with valid top level domain (tld) extensions
Validate domains via DNS TXT or WHOIS Email validation [4]. TruGrid can validate domains for Service Providers on request
Retrieve Activation Code. The activation code is unique to each domain. See this article for step by step instructions, if needed.


ADD UPN SUFFIX (if required): If the UPN on the local AD (for example domain.local) does not match the validated domain (for example acme.com) in TruGrid, please add a UPN. To do this, open “Active Directory Domain and Trusts” on the domain controller and add the validated external domain (for example acme.com) as an alternate UPN suffix, as shown below. This will not impact local logins and is the same step required for Office 365 integration. In order to use multiple UPNs to a specific domain, please refer to this article.



INSTALL AND ACTIVATE SENTRY:
Download the latest TruGrid Sentry Agent.
Note: TruGrid Sentry is supported on Windows Server 2012 R2 and later. In order to install this onto a Windows 10 machine, please refer to this article.
Ensure that the server to use for TruGrid Sentry is fully patched and has latest version of .NET installed.
TruGrid recommends at least two Sentry servers for redundancy and scalability. One will suffice for environments that don't desire redundancy
If the installation of the TruGrid Sentry agent is disrupted, this is generally due to either: a) EXE or directory (c:\program files\trugrid\sentry\) needs to be whitelisted in AV or IDS agent or b) outbound traffic IP address restrictions.
If installation throws Access Denied message, please refer to this article.
If required by TruGrid Customer Care, Sentry installation log is at: %userprofile%\AppData\Roaming\TruGrid

Important Note About TruGrid Sentry
All Sentry servers must be installed on the same high speed ethernet network (not VPN or WAN links) as the Windows RDP hosts
Sentry servers work independently to broker RDP connections. End users will connect if at least one Sentry server is online
If using TruGrid to connect to Windows RDS Servers, do NOT install or enable RDS BROKER, RDS WEB, or RDS GATEWAY. Only RDS HOST role (and possibly RDS Licensing) is required

VERIFY OUTBOUND TRAFFIC IS NOT BLOCKED: Prior to installation, if there are outbound proxy or firewall rules, please whitelist outbound TruGrid DNS entries.


ADD UPN SUFFIX TO USER ACCOUNT: If UPN suffix is added to Domain and Trusts, please update AD user UPN. In "Active Directory Users and Computers", open up each user in the TG-USERS group, go to the Accounts tab and adjust the UPN suffix to the proper UPN.



ENSURE ALL DESKTOPS ARE SETUP PROPERLY IN AD & DNS: For each computer (server or desktop) to be published via TruGrid, please ensure there is an accurate internal DNS entry. You can verify this via NSLOOKUP from a command prompt on the server you plan to install the TruGrid Sentry Agent onto.


ENSURE MACHINES ARE INTERNALLY ACCESSIBLE VIA RDP: For any machines you plan to publish to TruGrid, the server you install the TruGrid Sentry Agent onto needs to be able to establish an RDP session to that machine since it will be brokering RDP connections. Please ensure "Allow remote connections to the computer" is enabled on each machine, and the user you assign to the machine has rights to log into it via RDP. If you need to have non-AD machines report into TruGrid or you need to report in machines from another geographic location, please refer to this article.



ADD USERS AND MACHINES YOU WOULD LIKE TO PUBLISH INTO TRUGRID: Add machines to the TG-COMPUTERS group and users to the TG-USERS group. These groups are created automatically by the installation program and placed under the Users container - please do not manually create them. This step allows you to control which users and computers can be authorized within TruGrid.



ASSIGN USERS TO DESKTOPS: Refer to these instructions.


ASSIGN LICENSES TO DOMAIN: If you are an MSP and this is for a customer domain, please ensure you allocate sufficient licenses to the customer domain. You should allocate one licenses for each user added in the TG-USERS group for this domain. Refer to these instructions.


GEOGRAPHIC ROUTING OPTIMIZATION: SecureRDP connectivity is automatically routed via the closest Azure region. You can determine your closest Azure Region here. No further action is required for this step.


TEST AD LOGINS: Please test out the installation by trying to login with a test Active Directory login from the domain. Please follow this guide to test on a Windows computer.


For the fastest support, please contact TruGrid via the Live Chat icon on the bottom right. This is the fastest way to initiate contact with TruGrid. TruGrid can use video conferencing for additional support as desired.

Updated on: 24/02/2024