Remote Desktop Protocol/Virtual Network Computing Connection Frequently Asked Questions (FAQs) - NCM-Remote-Connect-LAN-Manager/Remote-Desktop-Protocol/Virtual-Network-Computing-Connection-Frequently-Asked-Questions-FAQs

RDP and VNC are only available on Cradlepoint products with Advanced packages.

To copy and paste (Ctrl+C/Ctrl+V on a keyboard) between your workstation and your RDP/VNC session, the copy and paste function must be enabled in your web browser and on the RDP/VNC server to which you are connected.

Copying/pasting is supported in RDP/VNC sessions when using Chromium-based web browsers only (Chrome, Opera, and Edge). For all other browsers, copy and paste is not supported at this time.

In Chrome, the following pop-up displays the first time you attempt to make a LAN Manager profile connection that uses RDP/VNC. Make sure to click Allow to allow copying/pasting between your workstation and the RDP/VNC window.

To change this setting, click the lock icon in your address bar and change the setting.

Even if you have configured your browser to block clipboard access, you may still be able to copy data from your remote system and paste it into your local system. See Google Developer's Guide for more details.

To block clipboard access in both directions, ensure that the RDP/VNC server to which you are connecting does not allow clipboard access.

Allowing or disallowing copy/paste on an RDP/VNC server differs depending on which RDP/VNC server is being used. Unable to Copy and Paste to Remote Desktop Session discusses how to enable copy/paste on certain Windows RDP servers.

No, at this time the ability to map a drive through a web browser is not supported.

The port to use depends on the RDP/VNC server configuration. These are typical port settings you may encounter when configuring ports for RDP/VNC:

Currently, Cradlepoint does not support the ability to change the color depth.

At this time, audio is not supported.

No, not currently.

No, not currently.

For performance reasons, Cradlepoint has chosen to disable by default wallpaper, desktop themes, font smoothing, full window drag, desktop compositions, and menu animations.

Not exactly, but see RDP wake-on-lan in LAN environment for a possible work-around.

All Remote Connect sessions last for 60 minutes. This value is controlled by an internal setting in NetCloud.

This is a feature of NetCloud Manager. You cannot access this feature directly from the router user interface.

NetCloud Manager continues to log the same information to the activity log for RDP/VNC that it logs for other Remote Connect sessions (for example, NetCloud Manager logs a message for the beginning and end of a Remote Connect session).

An attacker would need access to both the NetCloud Manager credentials and the RDP/VNC credentials. The remote machine would also need to be running an RDP/VNC server.

NetCloud Manager uses AES-256 encryption to securely transmit user credentials. NetCloud Manager does not store user credentials.

Encryption keys are not rotated. The encryption key is randomly generated each time a connection is created.

No, a new encryption key is generated for each connection.

See NetCloud Manager Remote Connect Overview for more information on enabling Remote Connect.

There are many common vulnerabilities and exposures for RDP. Could this feature introduce any risk for Cradlepoint - risk that Cradlepoint may be responsible to remediate?

Recent RDP common vulnerabilities and exposures (CVE) notifications:

Each of these vulnerabilities are problems on the RDP server. In the case of the NetCloud Manager implementation of RDP, NetCloud Manager is acting as an RDP client, not an RDP server.

The NetCloud Manager implementation uses an open source library called Apache Guacamole to act as an RDP client. The vulnerabilities discussed here pertain to rdesktop and mstc.exe, not Apache Guacamole. For reference on this topic, see the Dark Reading article New Vulnerabilities Make RDP Risks Far from Remote. Following is an excerpt from that article:

"In both of the open source RDP clients, Check Point found that malware on the 'host' system could use a buffer overflow technique to force remote code execution on the client machine. There are actually a variety of ways to do this; so far, 19 vulnerabilities have been identified and given CVE designations in rdesktop, while six have been identified in FreeRDP)."

Use your username, not your email address, on the Cradlepoint network. Leave the domain field blank.

There are many possible reasons that the connection failed. One helpful troubleshooting technique is to attempt to RDP into your computer from a second computer on the same LAN without using NetCloud Manager. If you can successfully use RDP while on the same LAN, you can rule out some of the most common reasons for a failed connection. Here are a few of the most common reasons for failure:

The router may be unable to connect to the NetCloud Manager Remote Connect servers. This typically happens due to a firewall restricting outbound connections to ports 30000–32767. To determine whether this might be the case, check the router logs and look for a line from dbclient stating, "Authentication succeeded." If this line is in the router logs, this is not the issue.

The entered username, password, or domain may be incorrect. Double-check the credentials and try again.

The IP address or port that you are using to connect may be incorrect. Double-check these settings and try again.

Windows firewall may be preventing incoming connections to port 3389. Temporarily disable Windows firewall and try again to determine if that is the issue.

If a user receives the error message "Connection Failed, you do not have permission to perform this action" when trying to connect using Remote Connect, it can indicate that the client refused the connection and that there isn't a permissions issue.

There is no difference in the minimum firmware version needed for RDP/VNC compared to other Remote Connect features. See NetCloud Manager Remote Connect Overview for more information.

According to this SuperUser article, do the following:

Unfortunately, there is no way for Cradlepoint to directly send these key sequences to the remote system since the Cradlepoint platform is based on the use of a web browser. The recommended approach to handle special key sequences is to use a virtual keyboard. See How to Use the On-Screen Keyboard on Windows 7, 8, and 10 for more information on turning on a virtual keyboard in Windows.

Yes and no. Typically, a web browser allows you to enter full-screen mode by using a function key such as F11. After a RDP session has been established, the Windows machine (or the destination machine) intercepts the F11 key.

However, you can still go into full screen mode in one of two ways:

While this changes the browser to full screen mode, the resolution of the remote system does not automatically adjust to fill the screen. There is an outstanding request in Cradlepoint's backlog to allow for "auto" resolution.

Unfortunately, this is something that the open source library Cradlepoint uses does not yet support. Following is from chapter 5 of the Apache Guacamole guide: "The VNC standard defines only password-based authentication. Other authentication mechanisms exist but are non-standard or proprietary. Guacamole supports only the password method." An upcoming release of the Guacamole library promises to add support for this, but a release date has not yet been announced.

By default, the VNC server built into Raspberry Pi uses "SystemAuth" for authentication. This requires the use of a username and password, but NetCloud Manager currently only supports password-based authentication when connecting to a VNC server (see above answer to "Why can I not enter a username when connecting to a VNC server"). You can, however, change the VNC server on the Raspberry Pi to use "VncAuth" instead of "SystemAuth" to work around this issue. For more details, see the Rasberry Pi VNC documentation page and scroll down to the section titled "Authenticating to VNC Server."

No. The Remote Connect Out-of-Band Manager (OOBM) and LAN Manager features are TLS encrypted and secure, but not FIPS-certified, and therefore not enabled on FIPS-certified devices.

For remote management of IP devices on FIPS certified routers, there are several options:

To manage serial devices on FIPS certified routers, connect to the router via SSH and use the "serial" command to connect to the serial console. See Configuring Advanced Out of Band Management.

Yes. Remove Connect LAN Manager works with Dynamic connections and does not require a static public routable IP address.

No. The session is limited to 60 minutes by default.