Connection Types¶
This guide covers configuring different connection types in the SPSA Portal. All connection parameters are documented for each protocol.
Supported Protocols¶
| Protocol | Use Case | Default Port |
|---|---|---|
| RDP | Windows remote desktop | 3389 |
| SSH | Linux/Unix shell | 22 |
| VNC | Cross-platform desktop | 5900 |
| Telnet | Legacy systems | 23 |
Creating Connections¶
Basic Steps¶
- Go to Settings > Connections
- Click New Connection
- Configure the connection settings
- Click Save
Common Parameters (All Protocols)¶
| Parameter | Required | Description |
|---|---|---|
| Name | Yes | Display name shown to users |
| Location | Yes | Parent group (ROOT for top level) |
| Protocol | Yes | Connection protocol (RDP, SSH, VNC, Telnet) |
Connection Limits¶
| Parameter | Description | Recommended |
|---|---|---|
| Maximum number of connections | Total concurrent connections allowed | 10 |
| Maximum number of connections per user | Per-user concurrent limit | 2 |
| Connection weight | Load balancing weight (higher = more connections) | 1 |
Resource Protection
Always set connection limits to prevent a single connection from exhausting server resources.
RDP Connections¶
Remote Desktop Protocol for Windows systems.
Network Parameters¶
| Parameter | Required | Description | Default |
|---|---|---|---|
| Hostname | Yes | Target IP address or FQDN | - |
| Port | No | RDP port | 3389 |
Authentication Parameters¶
| Parameter | Description | Security Note |
|---|---|---|
| Username | Windows username | Leave empty to prompt user |
| Password | Windows password | Leave empty to prompt user |
| Domain | Windows domain name | Required for domain accounts |
| Security mode | Authentication/encryption mode | Use NLA |
| Disable authentication | Skip RDP authentication | Never enable |
| Ignore server certificate | Accept self-signed certificates | Enable only for known systems |
Security Mode Options:
| Mode | Description | Recommendation |
|---|---|---|
| Any | Auto-negotiate security | Not recommended |
| NLA | Network Level Authentication | Recommended - Most secure |
| NLA with Extended Credential SSO | NLA with credential delegation | For specific SSO scenarios |
| TLS | TLS encryption without NLA | Use if NLA not supported |
| RDP | Legacy RDP encryption | Avoid - weak encryption |
| Hyper-V | For Hyper-V VM connections | Hyper-V hosts only |
Always Use NLA
NLA (Network Level Authentication) authenticates the user before establishing a full RDP session. This prevents unauthorized users from reaching the Windows login screen and protects against certain attacks.
Remote Desktop Gateway Parameters¶
For connections through Microsoft Remote Desktop Gateway:
| Parameter | Description |
|---|---|
| Hostname | RD Gateway server hostname or IP |
| Port | RD Gateway port (default 443) |
| Username | Gateway authentication username |
| Password | Gateway authentication password |
| Domain | Gateway authentication domain |
Basic Settings¶
| Parameter | Description | Default |
|---|---|---|
| Initial program | Program to launch instead of desktop | Empty (full desktop) |
| Client name | Client identifier sent to server | SPSA hostname |
| Keyboard layout | Keyboard layout for session | Server default |
| Timezone | Timezone passed to remote session | Server timezone |
| Administrator console | Connect to console/admin session | Disabled |
| Enable multi-touch | Enable touch gestures | Disabled |
Keyboard Layout Options:
| Value | Layout |
|---|---|
| en-us-qwerty | US English |
| de-de-qwertz | German |
| de-ch-qwertz | Swiss German |
| fr-fr-azerty | French |
| fr-ch-qwertz | Swiss French |
| it-it-qwerty | Italian |
| (many more) | See Guacamole documentation |
Display Settings¶
| Parameter | Description | Default |
|---|---|---|
| Width | Display width in pixels | Auto-detect |
| Height | Display height in pixels | Auto-detect |
| Resolution (DPI) | Display DPI | 96 |
| Color depth | Color bit depth | Auto-detect |
| Force lossless compression | Disable lossy compression | Disabled |
| Resize method | Window resize behavior | - |
| Read-only | Disable all input (view only) | Disabled |
Color Depth Options:
| Value | Description | Bandwidth |
|---|---|---|
| 8 | 256 colors | Lowest |
| 16 | 65,536 colors (High Color) | Low |
| 24 | 16.7 million colors (True Color) | Medium |
| 32 | 16.7 million + alpha | Highest |
Resize Method Options:
| Value | Description |
|---|---|
| display-update | Server adjusts resolution (RDP 8.1+) |
| reconnect | Disconnect and reconnect with new size |
Performance Optimization
For slow connections, reduce color depth to 16-bit and leave "Force lossless compression" disabled so the server may use lossy compression.
Clipboard Settings¶
| Parameter | Description | Security Recommendation |
|---|---|---|
| Normalize clipboard line endings | Convert line endings | Preserve (empty) |
| Disable copying from remote desktop | Block copy FROM remote | Enable for untrusted systems |
| Disable pasting from client | Block paste TO remote | Enable for high security |
Security: Compromised Systems
When accessing potentially compromised or infected systems:
- Enable "Disable copying from remote desktop" - Prevents malware from exfiltrating data via clipboard
- Enable "Disable pasting from client" - Prevents accidentally introducing sensitive data
This blocks the primary data exfiltration vector through remote access sessions.
Device Redirection¶
| Parameter | Description | Security Recommendation |
|---|---|---|
| Support audio in console | Enable audio playback | Disable |
| Disable audio | Completely disable audio | Enable |
| Enable audio input (microphone) | Allow microphone redirection | Disable |
| Enable printing | Allow print redirection | As needed |
| Enable drive | Enable drive/file sharing | Disable for security |
| Drive name | Name of shared drive | - |
| Drive path | Server-side path for drive | - |
| Automatically create drive | Create drive path if missing | Disabled |
| Disable file download | Block downloading files | Enable for security |
| Disable file upload | Block uploading files | Enable for security |
Security: File Transfer
For compromised or untrusted systems:
- Disable drive - Prevents any file system access
- Enable "Disable file download" - Blocks downloading files from remote
- Enable "Disable file upload" - Blocks uploading files to remote
File transfer is a high-risk vector for malware spread and data exfiltration.
Performance Settings¶
| Parameter | Description | Performance Impact |
|---|---|---|
| Enable wallpaper | Show desktop wallpaper | Disable for speed |
| Enable theming | Enable visual themes | Disable for speed |
| Enable font smoothing | ClearType text rendering | Enable for readability |
| Enable full window drag | Show window contents while dragging | Disable for speed |
| Enable desktop composition | Aero/DWM effects | Disable for speed |
| Enable menu animations | Animate menus | Disable for speed |
Recommended Performance Settings
For best balance of usability and performance:
- Enable: Font smoothing (readability)
- Disable: Wallpaper, theming, window drag, composition, animations
RemoteApp Settings¶
For launching specific applications instead of full desktop:
| Parameter | Description |
|---|---|
| Program | Full path to RemoteApp executable |
| Working directory | Starting directory for application |
| Parameters | Command-line arguments |
Example RemoteApp Configuration:
| Parameter | Value |
|---|---|
| Program | `C:\Windows\System32\mstsc.exe` |
| Working directory | `C:\Users\Public` |
| Parameters | `/v:internal-server` |
Preconnection Settings¶
For Hyper-V and connection brokers:
| Parameter | Description |
|---|---|
| Preconnection ID | Numeric VM identifier |
| Preconnection BLOB | VM identifier string (GUID for Hyper-V) |
Load Balancing¶
| Parameter | Description |
|---|---|
| Load balance info | Token for RD Connection Broker |
Session Recording¶
| Parameter | Description |
|---|---|
| Recording path | Server path for recordings |
| Recording name | Recording filename template |
| Exclude graphics/streams | Record only input/output text |
| Exclude mouse | Exclude mouse movements |
| Include key events | Record keystrokes (security sensitive) |
| Automatically create path | Create recording directory |
Key Logging
"Include key events" records all keystrokes including passwords. Enable only when required for audit/compliance and ensure recordings are properly secured.
SFTP File Transfer¶
| Parameter | Description |
|---|---|
| Enable SFTP | Enable SFTP-based file transfer |
| Hostname | SFTP server (default: RDP host) |
| Port | SFTP port (default: 22) |
| Username | SFTP username |
| Password | SFTP password |
| Private key | SSH private key for SFTP |
| Passphrase | Private key passphrase |
| Upload directory | Default upload location |
| Keepalive interval | SFTP keepalive in seconds |
| Disable file download | Block SFTP downloads |
| Disable file upload | Block SFTP uploads |
Wake-on-LAN¶
| Parameter | Description |
|---|---|
| Send WoL packet | Send Wake-on-LAN before connecting |
| MAC address | Target MAC address |
| Broadcast address | WoL broadcast address |
| UDP port | WoL port (default: 9) |
| Wait time | Seconds to wait after WoL |
SSH Connections¶
Secure Shell for Linux/Unix systems.
Network Parameters¶
| Parameter | Required | Description | Default |
|---|---|---|---|
| Hostname | Yes | Target IP address or FQDN | - |
| Port | No | SSH port | 22 |
| Host key | No | Expected server public key | - |
Host Key Verification
For high-security environments, specify the expected host key to prevent man-in-the-middle attacks.
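The "Host key" field only protects against a man-in-the-middle if the key you pin was itself verified. The following added example (not code from the SPSA Portal or Guacamole) parses an `ssh-keyscan` line, computes the OpenSSH-style SHA256 fingerprint, and returns the value to paste only if it matches a fingerprint obtained out of band. It assumes the field accepts the key as `<type> <base64>`, the form `ssh-keyscan` prints; the key blob is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed ed25519 public key for the example: the wire format is
# string("ssh-ed25519") + string(32 key bytes). The key bytes are a placeholder, not a real key.
_PLACEHOLDER_KEY_BYTES = bytes(range(32))
SAMPLE_BLOB = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(_PLACEHOLDER_KEY_BYTES)
).decode("ascii")
SAMPLE_KEYSCAN_LINE = f"db01.internal.example ssh-ed25519 {SAMPLE_BLOB}"


def parse_keyscan_line(line: str):
    """Split one `ssh-keyscan` output line into (host, key type, base64 blob).
    ssh-keyscan also prints '# host:port banner' comment lines, which are rejected."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        raise ValueError(f"not a host key line: {line!r}")
    return parts[0], parts[1], parts[2]


def fingerprint(key_type: str, blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob (what `ssh-keygen -lf` prints).
    Also checks that the type embedded in the blob matches the declared type."""
    raw = base64.b64decode(blob_b64, validate=True)
    (type_len,) = struct.unpack(">I", raw[:4])
    embedded_type = raw[4:4 + type_len].decode("ascii")
    if embedded_type != key_type:
        raise ValueError(f"blob is {embedded_type!r}, line claims {key_type!r}")
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_parameter(line: str, expected_fingerprint: str) -> str:
    """Return the value to paste into the Host key field, but only if the scanned key's
    fingerprint equals the one obtained out of band (console, provisioning record).
    Pinning an unverified ssh-keyscan result just trusts whatever answered on the network."""
    _host, key_type, blob = parse_keyscan_line(line)
    actual = fingerprint(key_type, blob)
    if actual != expected_fingerprint:
        raise ValueError(f"fingerprint mismatch: expected {expected_fingerprint}, got {actual}")
    return f"{key_type} {blob}"
```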
Authentication Parameters¶
Password Authentication:
| Parameter | Description |
|---|---|
| Username | SSH username |
| Password | SSH password |
Public Key Authentication:
| Parameter | Description |
|---|---|
| Username | SSH username |
| Private key | Private key content (paste full key) |
| Passphrase | Private key passphrase |
Key-Based Authentication
Public key authentication is more secure than passwords. Paste the entire private key including -----BEGIN and -----END lines.
Display Settings¶
| Parameter | Description | Default |
|---|---|---|
| Color scheme | Terminal color theme | - |
| Font name | Terminal font face | - |
| Font size | Font size in points | 12 |
| Maximum scrollback size | Lines in scrollback buffer | 1000 |
| Read-only | Disable all input (view only) | Disabled |
Color Scheme Options:
| Value | Description |
|---|---|
| black-white | Black on white |
| gray-black | Gray on black |
| green-black | Green on black (classic terminal) |
| white-black | White on black |
Clipboard Settings¶
| Parameter | Description | Security Recommendation |
|---|---|---|
| Disable copying from terminal | Block copying text out | Enable for untrusted systems |
| Disable pasting from client | Block pasting text in | Enable for high security |
Security: Compromised Systems
When accessing potentially compromised systems:
- Enable "Disable copying from terminal" - Prevents data exfiltration via clipboard
- Enable "Disable pasting from client" - Prevents introducing sensitive data
Terminal Behavior¶
| Parameter | Description | Default |
|---|---|---|
| Execute command | Command to run instead of shell | Login shell |
| Locale | Session locale ($LANG) | Server default |
| Timezone | Session timezone ($TZ) | Server default |
| Backspace key | Backspace key code | 127 (ASCII DEL) |
| Terminal type | Terminal type ($TERM) | linux |
| Server alive interval | Keepalive interval in seconds | 0 (disabled) |
Backspace Key Options:
| Value | Description |
|---|---|
| 8 | ASCII backspace (Ctrl+H) |
| 127 | ASCII delete (DEL) |
Keepalive for Firewalls
Set "Server alive interval" to 30-60 seconds to prevent firewalls from closing idle connections.
Session Recording¶
| Parameter | Description |
|---|---|
| Recording path | Server path for recordings |
| Recording name | Recording filename template |
| Exclude graphics/streams | Record text only |
| Exclude mouse | Exclude mouse events |
| Include key events | Record keystrokes |
| Automatically create path | Create recording directory |
SFTP File Transfer¶
| Parameter | Description |
|---|---|
| Enable SFTP | Enable file browser |
| Root directory | SFTP root directory |
| Disable file download | Block downloads |
| Disable file upload | Block uploads |
Wake-on-LAN¶
| Parameter | Description |
|---|---|
| Send WoL packet | Send Wake-on-LAN before connecting |
| MAC address | Target MAC address |
| Broadcast address | WoL broadcast address |
| UDP port | WoL port (default: 9) |
| Wait time | Seconds to wait after WoL |
VNC Connections¶
Virtual Network Computing for cross-platform graphical access.
Network Parameters¶
| Parameter | Required | Description | Default |
|---|---|---|---|
| Hostname | Yes | Target IP address or FQDN | - |
| Port | No | VNC port (5900 + display number) | 5900 |
VNC Port Calculation
VNC traditionally uses port 5900 + display number. Display :0 = port 5900, display :1 = port 5901, etc.
Authentication Parameters¶
| Parameter | Description |
|---|---|
| Password | VNC password |
| Username | Username (UltraVNC MS Logon only) |
Display Settings¶
| Parameter | Description | Default |
|---|---|---|
| Color depth | Color bit depth | Auto |
| Swap red/blue | Fix color channel order | Disabled |
| Cursor | Cursor rendering mode | - |
| Read-only | Disable all input (view only) | Disabled |
| Force lossless compression | Disable JPEG compression | Disabled |
Color Depth Options:
| Value | Description |
|---|---|
| 8 | 256 colors |
| 16 | 65,536 colors |
| 24 | 16.7 million colors |
| 32 | 16.7 million + alpha |
Cursor Options:
| Value | Description |
|---|---|
| local | Render cursor locally (smoother) |
| remote | Server renders cursor |
Clipboard Settings¶
| Parameter | Description | Security Recommendation |
|---|---|---|
| Clipboard encoding | Text encoding for clipboard | - |
| Disable copying from remote desktop | Block copying out | Enable for untrusted systems |
| Disable pasting from client | Block pasting in | Enable for high security |
Security: Compromised Systems
When accessing potentially compromised systems via VNC:
- Enable "Disable copying from remote desktop"
- Enable "Disable pasting from client"
- Consider Read-only mode if only observation is needed
Audio Settings (PulseAudio)¶
| Parameter | Description |
|---|---|
| Enable audio | Enable audio streaming |
| Audio server name | PulseAudio server address |
VNC Repeater¶
For connections through UltraVNC Repeater:
| Parameter | Description |
|---|---|
| Destination host | Target host through repeater |
| Destination port | Target port through repeater |
Reverse Connection¶
For VNC servers that connect to clients:
| Parameter | Description |
|---|---|
| Reverse connection | Enable reverse connection mode |
| Listen timeout | Seconds to wait for connection |
Session Recording¶
| Parameter | Description |
|---|---|
| Recording path | Server path for recordings |
| Recording name | Recording filename template |
| Exclude graphics/streams | Record text only |
| Exclude mouse | Exclude mouse events |
| Include key events | Record keystrokes |
| Automatically create path | Create recording directory |
SFTP File Transfer¶
| Parameter | Description |
|---|---|
| Enable SFTP | Enable SFTP file browser |
| Hostname | SFTP server hostname |
| Port | SFTP port |
| Username | SFTP username |
| Password | SFTP password |
| Private key | SSH private key |
| Passphrase | Key passphrase |
| Upload directory | Default upload path |
| Keepalive interval | SFTP keepalive seconds |
| Disable file download | Block downloads |
| Disable file upload | Block uploads |
Wake-on-LAN¶
| Parameter | Description |
|---|---|
| Send WoL packet | Send Wake-on-LAN before connecting |
| MAC address | Target MAC address |
| Broadcast address | WoL broadcast address |
| UDP port | WoL port (default: 9) |
| Wait time | Seconds to wait after WoL |
Telnet Connections¶
Legacy unencrypted terminal access.
Security Warning
Telnet transmits ALL data including passwords in plain text. Anyone on the network path can intercept credentials and session data.
Use SSH instead whenever possible. Only use Telnet for legacy systems that cannot support SSH.
Network Parameters¶
| Parameter | Required | Description | Default |
|---|---|---|---|
| Hostname | Yes | Target IP address or FQDN | - |
| Port | No | Telnet port | 23 |
Authentication Parameters¶
| Parameter | Description |
|---|---|
| Username | Auto-login username |
| Password | Auto-login password |
| Username regex | Pattern to detect username prompt |
| Password regex | Pattern to detect password prompt |
| Login success regex | Pattern indicating successful login |
| Login failure regex | Pattern indicating failed login |
Default Regex Patterns:
| Parameter | Default Pattern |
|---|---|
| Username regex | `[Uu]sername:` |
| Password regex | `[Pp]assword:` |
Custom Login Prompts
For devices with non-standard login prompts (network equipment, embedded systems), customize the regex patterns to match the actual prompts.
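To see why the four regex parameters have to match the device's real prompts, here is an added example (not code from the SPSA Portal) that replays the auto-login logic over two constructed transcripts: with the default patterns a device that prints `login:` never receives credentials and the session just waits, while customised patterns both log in and recognise the device's failure message. The success and failure defaults shown are constructed for the example; the page only lists the username and password defaults.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginPatterns:
    """The four regex parameters of a Telnet connection."""
    username: str
    password: str
    success: str
    failure: str


# Username/password defaults are the ones from the table above. The success and failure
# patterns are constructed for this example; the page does not list their defaults.
DEFAULT_PATTERNS = LoginPatterns(
    username=r"[Uu]sername:",
    password=r"[Pp]assword:",
    success=r"[$#>] ?$",
    failure=r"[Ll]ogin (incorrect|failed)",
)

# Constructed patterns for a network device whose prompts differ from the defaults.
DEVICE_PATTERNS = LoginPatterns(
    username=r"[Ll]ogin:",
    password=r"[Pp]assword:",
    success=r"^[\w-]+[#>]\s*$",
    failure=r"Access denied",
)

# Constructed transcripts: what the remote side prints, one line per read.
UNIX_TRANSCRIPT = ["Username: ", "Password: ", "Last login: Mon Jan  1 09:00:00", "alice@srv:~$ "]
DEVICE_TRANSCRIPT = ["core-sw01 line vty 0", "login: ", "Password: ", "% Access denied", "login: "]


def validate_patterns(p: LoginPatterns) -> None:
    """Fail early on a pattern that does not compile; a bad regex means auto-login can never fire."""
    for name, pattern in vars(p).items():
        try:
            re.compile(pattern)
        except re.error as exc:
            raise ValueError(f"{name} regex {pattern!r}: {exc}") from None


def drive_login(transcript, patterns: LoginPatterns, username: str, password: str):
    """Replay the auto-login logic: answer the username prompt, then the password prompt,
    and stop at the first line matching the failure or success pattern.
    Returns (outcome, inputs_sent). 'undetermined' means no prompt was recognised, which
    in practice is a session that sits idle until the user types manually."""
    validate_patterns(patterns)
    sent = []
    stage = "username"
    for line in transcript:
        if re.search(patterns.failure, line):
            return "failure", sent
        if re.search(patterns.success, line):
            return "success", sent
        if stage == "username" and re.search(patterns.username, line):
            sent.append(username)
            stage = "password"
        elif stage == "password" and re.search(patterns.password, line):
            sent.append(password)
            stage = "done"
    return "undetermined", sent
```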
Display Settings¶
| Parameter | Description | Default |
|---|---|---|
| Color scheme | Terminal color theme | - |
| Font name | Terminal font face | - |
| Font size | Font size in points | 12 |
| Maximum scrollback size | Lines in scrollback buffer | 1000 |
| Read-only | Disable all input (view only) | Disabled |
Clipboard Settings¶
| Parameter | Description |
|---|---|
| Disable copying from terminal | Block copying text out |
| Disable pasting from client | Block pasting text in |
Terminal Behavior¶
| Parameter | Description | Default |
|---|---|---|
| Backspace key | Backspace key code | 127 |
| Terminal type | Terminal type ($TERM) | linux |
Session Recording¶
| Parameter | Description |
|---|---|
| Recording path | Server path for recordings |
| Recording name | Recording filename template |
| Exclude graphics/streams | Record text only |
| Exclude mouse | Exclude mouse events |
| Include key events | Record keystrokes |
| Automatically create path | Create recording directory |
Wake-on-LAN¶
| Parameter | Description |
|---|---|
| Send WoL packet | Send Wake-on-LAN before connecting |
| MAC address | Target MAC address |
| Broadcast address | WoL broadcast address |
| UDP port | WoL port (default: 9) |
| Wait time | Seconds to wait after WoL |
SPSA Proxy (guacd) Settings (Pro)¶
For SPSA Pro deployments with distributed SPSA Proxies connected via integrated VPN:
| Parameter | Description | Default |
|---|---|---|
| Hostname | SPSA Proxy hostname or IP | Local (empty) |
| Port | guacd port | 4822 |
| Encryption | Connection encryption mode | None |
Encryption Options:
| Value | Description |
|---|---|
| None | No encryption (internal network) |
| SSL/TLS | Encrypted connection |
Leave these settings empty to use the local guacd instance on the SPSA Portal.
Connection Groups¶
Create Connection Group¶
- Go to Settings > Connections
- Click New Connection Group
- Configure settings
- Click Save
Group Parameters¶
| Parameter | Description |
|---|---|
| Name | Display name for the group |
| Location | Parent group (ROOT for top level) |
| Type | Organizational or Balancing |
| Maximum connections | Group-wide connection limit |
| Maximum connections per user | Per-user limit within group |
| Enable concurrent connections | Allow multiple concurrent sessions |
Group Types¶
| Type | Description | Use Case |
|---|---|---|
| Organizational | Folder for organizing connections | Grouping by department, location, function |
| Balancing | Load balance across member connections | High availability, failover |
Balancing Group Behavior:
- Connections are distributed across group members
- Use "Connection weight" on individual connections to influence distribution
- Higher weight = more connections routed to that host
Group Hierarchy¶
Groups can be nested for organization:
```text
ROOT
├── Production
│   ├── Domain Controllers
│   ├── Database Servers
│   └── Application Servers
├── Development
│   ├── Dev Servers
│   └── Test Servers
└── Infrastructure
    ├── Network Devices
    └── Storage Systems
```
Security Configuration for Compromised Systems¶
When accessing potentially compromised, infected, or untrusted systems, apply these security settings to minimize risk.
Recommended Settings for Untrusted Systems¶
RDP to Compromised Windows Systems¶
| Setting | Value | Reason |
|---|---|---|
| Disable copying from remote desktop | Enabled | Prevents clipboard exfiltration |
| Disable pasting from client | Enabled | Prevents data introduction |
| Disable file download | Enabled | Blocks malware extraction |
| Disable file upload | Enabled | Blocks uploading files (tools or malware) to the remote host |
| Enable drive | Disabled | No file system access |
| Disable audio | Enabled | Reduces attack surface |
| Enable audio input | Disabled | No microphone access |
| Read-only | Consider enabling | If only observation needed |
SSH to Compromised Linux Systems¶
| Setting | Value | Reason |
|---|---|---|
| Disable copying from terminal | Enabled | Prevents data exfiltration |
| Disable pasting from client | Enabled | Prevents data introduction |
| Enable SFTP | Disabled | No file transfer |
| Disable file download | Enabled | Blocks file extraction |
| Disable file upload | Enabled | Blocks file upload |
| Read-only | Consider enabling | If only observation needed |
VNC to Compromised Systems¶
| Setting | Value | Reason |
|---|---|---|
| Disable copying from remote desktop | Enabled | Prevents clipboard exfiltration |
| Disable pasting from client | Enabled | Prevents data introduction |
| Enable SFTP | Disabled | No file transfer |
| Read-only | Consider enabling | If only observation needed |
Creating a "Secure Investigation" Template¶
Create a connection template for investigating compromised systems:
- Create a new connection with all security restrictions enabled
- Save as template (do not assign to users)
- Copy and customize for specific investigations
- Document investigation purpose and approval
Investigation Documentation
When accessing compromised systems:
- Document authorization for access
- Enable session recording (if available)
- Log all actions taken
- Do not trust ANY data from the compromised system
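As a check on the three hardening tables above and on any "Secure Investigation" template built from them, here is an added audit script (not part of the SPSA Portal) that compares a connection's parameters with the recommended values and reports errors, warnings and suggestions. It assumes Guacamole's protocol parameter names (`security`, `disable-copy`, `enable-sftp`, and so on) behind the portal's display labels; the two sample connections are constructed.

```python
# Guacamole protocol parameter names (assumed here; the portal shows the display labels
# used in the tables above). Values are strings because that is how Guacamole stores them.
HARDENED_BASELINE = {
    "rdp": {
        "security": "nla", "disable-copy": "true", "disable-paste": "true",
        "disable-download": "true", "disable-upload": "true", "enable-drive": "false",
        "disable-audio": "true", "enable-audio-input": "false",
    },
    "ssh": {
        "disable-copy": "true", "disable-paste": "true", "enable-sftp": "false",
        "sftp-disable-download": "true", "sftp-disable-upload": "true",
    },
    "vnc": {"disable-copy": "true", "disable-paste": "true", "enable-sftp": "false"},
}
STORED_CREDENTIAL_PARAMS = ("username", "password", "private-key", "passphrase")


def _truthy(value) -> bool:
    return (value or "").strip().lower() == "true"


def audit_connection(protocol: str, params: dict) -> list:
    """Compare one connection's parameters with the investigation baseline.
    Returns (severity, parameter, message) tuples; any 'error' means the connection
    is not safe to point at a compromised host."""
    proto = protocol.lower()
    baseline = HARDENED_BASELINE.get(proto)
    if baseline is None:
        return [("error", "protocol", f"no hardened baseline for {protocol!r}; use SSH, RDP or VNC")]
    findings = []
    for key, want in baseline.items():
        # An unset boolean is Guacamole's default of false; non-boolean keys must be explicit.
        have = params.get(key, "false" if want in ("true", "false") else "").strip().lower()
        if have != want:
            findings.append(("error", key, f"expected {want!r}, found {have or 'unset'!r}"))
    if proto == "rdp":
        for key in ("disable-auth", "ignore-cert"):
            if _truthy(params.get(key)):
                findings.append(("error", key, "must not be enabled on an investigation connection"))
    for key in STORED_CREDENTIAL_PARAMS:
        if params.get(key):
            findings.append(("warning", key, "stored credential; leave empty so the user is prompted"))
    if _truthy(params.get("recording-include-keys")):
        findings.append(("warning", "recording-include-keys", "keystroke recording captures passwords; needs approval"))
    if not _truthy(params.get("read-only")):
        findings.append(("info", "read-only", "consider enabling when only observation is needed"))
    return findings


def is_hardened(protocol: str, params: dict) -> bool:
    """True when the audit produced no 'error' findings."""
    return not any(sev == "error" for sev, _, _ in audit_connection(protocol, params))


# Constructed sample connections: one built from the baseline, one with typical mistakes.
INVESTIGATION_RDP = {**HARDENED_BASELINE["rdp"], "hostname": "ws-042.corp.example", "read-only": "true"}
LOOSE_RDP = {"hostname": "ws-042.corp.example", "security": "any", "ignore-cert": "true",
             "disable-copy": "false", "username": "svc_investigate"}
```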
Best Practices¶
Security¶
| Practice | Implementation |
|---|---|
| No stored credentials | Leave username/password empty |
| Use NLA | Set security mode to NLA for RDP |
| Prefer SSH keys | Use key-based auth over passwords |
| Disable clipboard | For untrusted system access |
| Disable file transfer | For high-security environments |
| Avoid Telnet | Use SSH instead |
| Session recording | Enable for audit/compliance |
Organization¶
| Practice | Implementation |
|---|---|
| Descriptive names | "DC01 - Primary Domain Controller" |
| Logical grouping | Group by function, location, or security level |
| Connection limits | Set max connections to prevent abuse |
| Templates | Create templates for common configurations |
Performance¶
| Setting | Recommendation |
|---|---|
| Color depth | 16-bit for slow connections |
| Visual effects | Disable all except font smoothing |
| Font smoothing | Enable for readability |
| Keepalive | Enable for connections through firewalls |
Guacamole Documentation Reference¶
For additional details and advanced parameters: