Unsupported: How to install xRDP for GUI remote access on Linux

  • Article

You want to access a Linux VM on Azure using a GUI through Remote Desktop or similar tools.

The installation and configuration of 3rd party tools are beyond the scope of Azure Linux support but we have here a few notes and best practices to enable xRDP if needed.

There are other ways of achieving similar results with other tools, in this article we are covering specifically xRDP.

When using the standard configuration in xRDP the port needed to be opened by using an Endpoint (Classic) or Network Security Groups (Resource Manager) will be 3389 TCP, the same used for Microsoft Windows remote access.

There are a few security implications to keep in mind when enabling xRDP but we will be covering a few best practices at the end of this article.

Steps to install xRDP are listed below.

For Ubuntu/Debian:
sudo -i
apt-get update
apt-get install xrdp

For Red Hat, CentOS and Oracle:
You need to install a 3rd party repository (EPEL) which is usually not supported by the vendors but here you can find more information:
https://fedoraproject.org/wiki/EPEL

Make sure you install the one for your specific version (6.x/7.x).

After that repository is successfully installed then you can proceed with the steps below.

Red Hat / CentOS and Oracle version 7.x:
sudo -i
yum install xrdp tigervnc-server xterm
systemctl enable xrdp
systemctl enable xrdp-sesman

Red Hat / CentOS and Oracle version 6.x
sudo -i
yum install xrdp tigervnc-server xterm
service xrdp restart
chkconfig xrdp on

Once you can connect using xRDP and you have xterm opened, you can test any graphical application that you want, for example, you can try xclock.

Best practices to improve security

A) Using an SSH local tunnel to avoid opening extra ports and encrypt traffic.

By tunneling the xRDP access through SSH you not only encrypt all traffic but you also avoid opening up extra ports on your Linux VM and Azure network topology and the xRDP daemon can be basically listening to the localhost interface in your Linux VM on Azure.

Basic steps to configure a more secure xRDP environment are:

1) Edit the /etc/xrdp/xrdp.ini and change/add the following to force the daemon to listen to 127.0.0.1 and also use a higher encryption level:

[globals]
bitmap_cache=yes
bitmap_compression=yes
port=3389
crypt _level=high
channel_code=1
max_bpp=24
#black=000000
#grey=d6d3ce
#dark_grey=808080
#blue=08246b
#dark_blue=08246b
#white=ffffff
#red=ff0000
#green=00ff00
#background=626c72
address=127.0.0.1

NOTE: Keep in mind that by changing the daemon to 127.0.0.1 you will only be able to access it by doing an SSH tunnel which can be done by following the steps below.

For OSX and Linux users, you can run on a terminal window:
ssh -N -p 22 USER@VM_PUBLIC_IP -L 3389:127.0.0.1:3389

In the example above you are basically using a local port 3389 (on your workstation/laptop) and tunnelling that traffic to your Linux VM on Azure to its localhost on port 3389, so to connect to the VM using xRDP you will basically connect locally on your workstation to port 3389 and that gets automatically tunnelled to the VM on Azure.

Generally GUI's are disabled by default on Linux servers due to security concerns so, if you really need to enable this kind of access it is highly recommended that you are using SSH Keys as well as local tunnels so you don't have to open extra ports to the Linux VM.