Skip to content

Terminal Servers


About this Document

The objective of this article is to provide an overview of the most common configurations related to authentication and access to terminal servers.

Terminal Server Setup

For additional information about the concepts presented in this document, refer to the following feature manuals on this site:

  • SSO Tool Setup Manual

  • Authentication Manual

  • Reverse Proxy Manual


Also see the context-sensitive help on the AXS Guard appliance.

Terminal Server Setups

Web Access Authentication


If your terminal server supports virtual IP addresses, i.e. one IP per terminal client, you can use the SSO tool. If this is not the case, you should choose another user authentication mechanism, such as Kerberos authentication.

SSO with Virtual IP

See the SSO Tool manual for additional details and configuration instructions.

Setup with Virtual IP Addresses and SSO


See the Authentication manual for additional details and configuration instructions.

Kerberos Authentication

Basic Authentication

Another option is to make use of basic authentication as defined in RFC 7617. With basic authentication, users will be prompted to enter their credentials in a browser popup window before they are allowed to access the Internet. This setup is less common due its obvious restrictions.

See the Authentication manual for additional details and configuration instructions.



Ident is an old protocol which should no longer be used because it is insecure. It is still supported by AXS Guard for legacy reasons.

Web Access Policies

Web Access filters or Access Control Lists (ACL) govern the access to specific URLs and websites.

ACLs can be assigned to users, groups, computers or the entire system (a.k.a. a system-wide configuration). Group and user ACLs require authentication to be activated.

Using the Reverse Proxy for Remote Access to Terminal Servers


There are several methods to access a terminal server, depending on their type, e.g. Remote Desktop Gatway (RDG) servers and servers which provide web-based services (HTTP) require a different setup and approach, i.e. by using the AXS Guard reverse proxy.

Note that an Enterprise Software Bundle is required to use the AXS Guard reverse proxy solution presented in this section. Customers who don’t have this bundle can make use of a VPN connection instead.

Remote Desktop Gateway (RDG)

This setup relies on the RDP protocol and is a secure solution to remotely access your RDG applications. 2FA authentication can be enforced by AXS Guard.

See the Reverse Proxy guide and KB section on this site for additional information and step-by-step configuration examples.

RDG Example Setup

Reverse Proxy Web Services

For web-based services such as Awingu, Citrix and XenApp. See the Reverse Proxy manual for additional information and configuration instructions.

Web-based Services

Access through a VPN

It is possible to securely access terminal servers via one of the AXS Guard VPN services, e.g. OpenVPN, SSTP or L2TP. See the relevant setup guides on this site for additional information and configuration instructions.