Date: 2025-01-14
Version: 16.x

Desktop Access Configuration Reference

teleport.yaml fields related to desktop access:

windows_desktop_service:
  enabled: yes
  listen_addr: "0.0.0.0:3028"
  public_addr: "desktop-access.example.com:3028"
  show_desktop_wallpaper: false
  ldap:
    addr: '$LDAP_SERVER_ADDRESS'
    server_name: '$LDAP_SERVER_NAME'
    insecure_skip_verify: false
    ldap_ca_cert: |
      -----BEGIN CERTIFICATE-----
      *certificate data*
      -----END CERTIFICATE-----
    der_ca_file: /path/to/cert
    domain: '$LDAP_DOMAIN_NAME'
    username: '$LDAP_USERNAME'
    sid: '$LDAP_USER_SID'
  pki_domain: root.example.com
  kdc_address: '$KDC_SERVER_ADDRESS'
  static_hosts:
    - name: example1
      ad: false
      addr: win1.dev.example.com
      labels:
        datacenter: dc1
    - ad: true
      addr: win2.dev.example.com
      labels:
        controller: all
  discovery:
    base_dn: '*'
    filters:
      - '(location=Oakland)'
      - '(!(primaryGroupID=516))'
    label_attributes:
      - location
  host_labels:
    - match: '^.*\.dev\.example\.com'
      labels:
        environment: dev
    - match: '^.*\.prod\.example\.com'
      labels:
        environment: prod
    - match: '^EC2AMAZ-'
      labels:
        environment: discovered-in-aws
  labels:
    teleport.internal/resource-id: "resource-id"

The Windows Desktop Service can be deployed in two modes.

In direct mode, the Windows Desktop Service registers directly with the Teleport Auth Server and listens for desktop connections from the Teleport Proxy. To enable direct mode, set windows_desktop_service.listen_addr in teleport.yaml, and ensure that teleport.auth_server points directly at the Auth Server.

Direct mode requires network connectivity both from the Teleport Proxy to the Windows Desktop Service and from the Windows Desktop Service to the Auth Service.

For these reasons, direct mode is not available in Teleport cloud, only in self-hosted Teleport clusters.

In IoT mode, the Windows Desktop Service only needs to be able to make an outbound connection to a Teleport Proxy. The Windows Desktop Service establishes a reverse tunnel to the proxy, and both registration with the Auth Server and desktop sessions are performed over this tunnel. To enable this mode, ensure that windows_desktop_service.listen_addr is unset, and point teleport.proxy_server at a Teleport Proxy.
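The two mode descriptions above can be turned into a pre-deployment check on the fields they name. The Go sketch below is an added example, not code from Teleport or from this page: the DesktopConfig type and the Mode and Review functions are hypothetical, the addresses are constructed, and the rules follow the text above rather than Teleport's own config validation.

```go
package main

import "fmt"

// DesktopConfig is a hypothetical type holding only the teleport.yaml fields used here.
type DesktopConfig struct {
	AuthServer         string // teleport.auth_server
	ProxyServer        string // teleport.proxy_server
	ListenAddr         string // windows_desktop_service.listen_addr
	InsecureSkipVerify bool   // windows_desktop_service.ldap.insecure_skip_verify
}

// Mode classifies a config by the rules in the text: listen_addr plus
// auth_server means direct; no listen_addr plus proxy_server means IoT.
func Mode(c DesktopConfig) (string, error) {
	switch {
	case c.AuthServer != "" && c.ProxyServer != "":
		return "", fmt.Errorf("auth_server and proxy_server are both set")
	case c.ListenAddr != "" && c.AuthServer != "":
		return "direct", nil
	case c.ListenAddr == "" && c.ProxyServer != "":
		return "iot", nil
	case c.ListenAddr != "":
		return "", fmt.Errorf("listen_addr %q is set without auth_server", c.ListenAddr)
	}
	return "", fmt.Errorf("listen_addr is unset and proxy_server is missing")
}

// Review lists what to check before deploying; cloud marks a Teleport cloud cluster.
func Review(c DesktopConfig, cloud bool) []string {
	var out []string
	mode, err := Mode(c)
	if err != nil {
		out = append(out, err.Error())
	}
	if mode == "direct" && cloud {
		out = append(out, "direct mode is not available in Teleport cloud")
	}
	if mode == "direct" {
		out = append(out, "needs Proxy -> "+c.ListenAddr+" and service -> "+c.AuthServer)
	}
	if c.InsecureSkipVerify {
		out = append(out, "ldap.insecure_skip_verify is true: LDAP certificate is not verified")
	}
	return out
}

func main() {
	// Constructed sample: listen_addr left in place while pointing at a proxy.
	fmt.Println(Review(DesktopConfig{ProxyServer: "proxy.example.com:443", ListenAddr: "0.0.0.0:3028"}, false))
}
```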

By default, Teleport will set the screen size of the remote desktop session based on the size of your browser window. In some cases, you may wish to configure specific hosts to use a specific screen size. To do this, set the screen_size attribute on the windows_desktop resource: