Using the Cloud to Simplify and Secure Microsoft RDS Deployments

Using the Cloud to Simplify and Secure Microsoft RDS Deployments

Microsoft Remote Desktop Services (RDS) is a Windows feature that businesses use to provide remote access to their desktops and applications. However, securing and simplifying RDS deployments can be complicated and time-consuming. This is where cloud-based solutions come in. By leveraging the power of the cloud, businesses can simplify and secure their RDS deployments with no VPN or firewall exposure, while also gaining access to a wide range of additional features and benefits, such as integrated security, reduced latency, and improved disaster recovery. 

In this article, we explore three popular solutions that can help businesses secure their RDS deployment, and gain access to new capabilities such as Automatic Scaling, Zero Trust, and Identity Management. Whether you’re a small business just starting out or a large enterprise looking to improve your RDS deployment, this article will provide you with the information you need to make an informed decision. 

Cloud-Based Solutions for Remote Desktop Services

Cloud-based solutions for Remote Desktop Services are often referred to as Secure Services Edge (SSE) or Cloud Access Security Broker (CASB). Essentially, they eliminate the need for any type of “gateway” on or behind the on-premises firewall, thus eliminating the need to open any inbound port on the firewall. This effectively makes the RDS deployment invisible over the public internet. Moreover, cloud-based solutions eliminate the need for VPN, thereby preventing ransomware traversal between remote VPN clients and networks hosting the RDS servers. 

Among the benefits of SSE and CASB solutions for RDS is the increasing requirement by Cybersecurity Insurance companies for Microsoft RDS solutions with no inbound firewall exposure of any kind. 

Below are three very popular solutions for achieving Zero-Trust access to Microsoft RDS environments, including references on how to learn more about the solutions. 

Microsoft Azure AD Application Proxy

Azure AD Application Proxy provides secure remote access to on-premises applications, including Microsoft Remote Desktop Services (RDS). Here’s a summary of how it works: 

  1. Pre-Authentication: Azure AD Application Proxy integrates with Azure AD to handle user authentication before they access the RDS deployment. This ensures only authenticated users are allowed to connect.
  2. Conditional Access and Multi-Factor Authentication: Azure AD supports conditional access policies, including multi-factor authentication, for an extra layer of security. For instance, end users can be required to provide additional proof of their identity when they sign in, or limit access to certain locations or devices.
  3. Secure Access Without VPN: Application Proxy creates a secure tunnel between the user’s device and your RDS deployment without the need for a VPN. This reduces the attack surface by not exposing RDS servers directly to the internet.
  4. Scalability and Availability: As a cloud service, Application Proxy automatically scales to meet demand, and it’s available wherever Azure AD is available.

Please see end of this article for additional resources about Azure AD Application Proxy.

TruGrid SecureRDP

TruGrid SecureRDP is a solution specifically designed to simplify ad secure remote access to Microsoft Remote Desktop Services (RDS) and Windows Virtual Desktops. Here’s a general overview of how TruGrid SecureRDP works to secure RDS:

  1. Simplified and Secure Setup: TruGrid simplifies the setup and management of secure RDP connections. It establishes a secure, encrypted connection between the end user client device and the RDS server without the need for open inbound firewall port or Virtual Private Networks (VPNs), thereby making RDS servers invisible over the internet.
  2. Multi-Factor Authentication (MFA): TruGrid includes built-in MFA, which adds an additional layer of security by requiring users to provide at least two forms of identification before they can access RDS. This can help prevent unauthorized access even if a user’s primary credentials are compromised.
  3. Fast Connections / Latency Reduction: TruGrid SecureRDP reduces RDS lag with its use of multiple fiber-optic relays all over the world. Unlike Azure AD Application Proxy, TruGrid end users can connect to RDS servers across continents without experiencing slow connections or RDS lag.
  4. Geo-Blocking: TruGrid has Geo-Blocking / whitelist feature that allows organizations to restrict countries where RDS users can connect from. In addition to its enhanced security feature of cloud authentication, zero firewall exposure, integrated MFA, TruGrid can further reduce attack surface by allowing connections only from certain countries.
  5. Hybrid Authentication: TruGrid supports hybrid authentication, whereby end users can use their Azure AD credentials to connect to RDS servers and RemoteApp in Active Directory environment.
  6. Multitenant Dashboard: The TruGrid SecureRDP allows Service Providers to manage multiple clients and settings from a single dashboard.

Please see end of this article for additional resources about Azure AD Application Proxy.


ZScaler Private Access (ZPA) provides secure access to internal applications, which includes Microsoft Remote Desktop Services (RDS), without exposing them to the internet. 

ZPA operates on the Zero Trust Network Access (ZTNA) principle, which means that no user or device is inherently trusted. Instead, the system verifies the identity and security posture of each user and device before allowing access.

Here’s a high-level overview of how ZPA might be used to secure RDS: 

  1. Identity and Access Management: ZPA integrates with existing identity providers, like Azure AD, to authenticate users. It then uses that identity information to determine what services a user can access based on policy.
  2. TLS Tunneling: After a user is authenticated and authorized, ZPA establishes a secure, outbound-only, TLS-encrypted tunnel between the user’s specific device and the requested application (such as an RDS server).
  3. Application Segmentation: Rather than allowing users broad network access, ZPA uses application segmentation. This means users can only access the specific applications they’re authorized for, reducing the potential attack surface.
  4. Inspection and Logging: All traffic going through ZPA can be logged and inspected for threats, helping to provide additional security.
  5. Cloud-Based and Scalable: As a cloud service, ZPA can easily scale to accommodate large numbers of users and applications.


Since all of the three popular solutions require varying degree of knowledge for successful implementation, please see additional resources.

Additional Resources


TruGrid SecureRDP

ZScaler Secure Private Access