Azure Arc: Securely connect to an Azure Arc-enabled Windows Server with RDP over SSH : wmatthyssen
by: wmatthyssen
Below post content copied from Wim Matthyssen
In this blog post, I’ll walk you through the steps to connect to an Azure Arc-enabled Windows Server using RDP over SSH.
As a seasoned Windows Administrator, I’m used to using the Remote Desktop Protocol (RDP) to directly connect to a Windows Server and perform necessary tasks.
However, once you onboard your server into Azure Arc (turning it into an Arc-enabled server) and combine that with SSH, you can run an RDP session through the SSH tunnel that the Azure Connected Machine agent sets up.
This enables you to effortlessly connect to the RDP session on your local machine via a Windows Terminal window, just like a direct RDP connection, all by harnessing the power of Azure Arc and SSH.
In this blog post, I’ll show you how to do this.
Table of Contents
- Prerequisites
- Connect via OpenSSH and RDP with a local user account
- Connect via OpenSSH and RDP with a domain user
- Common connection issues
- Conclusion
Prerequisites
- A physical or virtual server running Windows Server 2019, 2022, or 2025, onboarded to Azure Arc with at least version 1.31.xxxx of the Azure Connected Machine agent. The server should have OpenSSH installed and enabled, or the OpenSSH for Windows – Azure Arc extension, along with Remote Desktop Protocol (RDP) enabled.
- A management server or administrator workstation with Azure CLI installed, version 2.0.0 or higher (currently 2.71.0), which is required to connect to the server via SSH.
- An account that is a member of the local OpenSSH Users or Administrators group to establish an SSH connection to the server.
- An account that is a member of the built-in Administrators group or another local group with RDP access is required to log in to the server via RDP. This can be a local user or a domain user who is part of the Domain Administrators group or another domain group with the necessary permissions.
- To log in with a domain user, the group the user belongs to must be added to the sshd_config file on the server.
Connect via OpenSSH and RDP with a local user account
To connect over RDP via SSH with a local user account, first open a Windows Terminal (or PowerShell) window on your management server or administrator workstation.
Then, sign in to Azure using the Azure CLI with the az login command. This will allow you to select the correct Azure subscription that contains the Arc-enabled server resource.

Next, run the following command to establish an RDP connection over SSH to the Arc-enabled Windows Server.
az ssh arc --resource-group <ResourceGroupName> --name <VMName> --local-user <LocalUsername> --rdp
In the example below, the command used is:
az ssh arc --resource-group rg-prd-myh-arc-srv-03 --name swprds061 --local-user example-admin --rdp

Then, enter the local user password. For security reasons, note that you won’t see any characters while typing.

Then click Connect in the “Remote Desktop Connection Security Warning” dialog box, which appears if you entered the correct password.

Next, enter your local user credentials to log in to the server.

Then click Yes in the Remote Desktop Connection window, and you can begin your work.
You’ll notice that the connection appears to be made to localhost instead of the actual server name. That’s because the SSH tunnel creates a secure local endpoint on your machine, forwarding your RDP traffic through the tunnel to the remote server.
Connect via OpenSSH and RDP with a domain user
To connect over RDP via SSH with a domain user account, the steps are the same, except for the user you’ll log in with. Start by opening a Windows Terminal (or PowerShell) window on your management server or administrator workstation.
Next, sign in to Azure using the az login command in the Azure CLI. This will allow you to select the correct Azure subscription containing the Arc-enabled server resource.

Next, run the following command to establish an RDP connection over SSH to the Arc-enabled Windows Server using a domain account:
az ssh arc --resource-group <ResourceGroupName> --name <VMName> --local-user "DOMAIN\Username" --rdp
In the example below, I log in with a domain user who is part of the Domain Administrators group. The command used is:
az ssh arc --resource-group rg-prd-myh-arc-srv-03 --name swprds061 --local-user "domain\wmatthysen_xx" --rdp

After entering the correct password, click Connect in the “Remote Desktop Connection Security Warning” dialog that appears.

Then, enter your domain user credentials to log in to the server.

Next, click Yes in the Remote Desktop Connection window to proceed and begin your work.
Just like with a local account, you’ll notice the connection is made to localhost rather than the actual server name. This is because the SSH tunnel sets up a secure local endpoint on your machine, which forwards the RDP traffic to the remote server.
Common connection issues
If you forget to add the domain group that the domain user belongs to in the sshd_config file on the server, you’ll receive a “Connection closed by UNKNOWN port 65535” error.

If you enter the wrong password for the user, whether local or domain, you’ll have up to three attempts to retry. After that, you’ll see a “Permission denied (publickey, password, keyboard-interactive)” message, and the SSH connection will be dropped.
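The following PowerShell script is an added example, not code from the original post. Run it in an elevated session on the Arc-enabled Windows Server itself to verify the prerequisites listed above (OpenSSH Server running, RDP enabled, Azure Connected Machine agent present) and to check whether the domain group is listed in sshd_config, which is the cause of the "Connection closed by UNKNOWN port 65535" error. The domain group name and the assumption that azcmagent is on PATH are mine, not the post's.

```powershell
# Added example (not from the original post): prerequisite check for RDP over SSH
# on an Azure Arc-enabled Windows Server. Run in an elevated PowerShell session.
# ASSUMPTION: constructed placeholder; replace with the domain group that holds
# your RDP/SSH users, written in the domain\group form used by Windows OpenSSH.
$DomainGroup = 'contoso\domain admins'
$SshdConfig  = Join-Path $env:ProgramData 'ssh\sshd_config'   # default Windows OpenSSH path

function Test-ArcRdpOverSshPrereqs {
    $results = [ordered]@{}

    # 1. OpenSSH Server service installed and running
    $sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
    $results['sshd service running'] = ($null -ne $sshd -and $sshd.Status -eq 'Running')

    # 2. RDP enabled: fDenyTSConnections = 0 means Remote Desktop connections are allowed
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
            -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $results['RDP enabled'] = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)

    # 3. Azure Connected Machine agent present (the post requires 1.31.x or later);
    #    ASSUMPTION: azcmagent.exe is on PATH, as the agent installer normally arranges.
    $agent = Get-Command azcmagent -ErrorAction SilentlyContinue
    $results['azcmagent present'] = ($null -ne $agent)
    if ($agent) {
        $results['azcmagent version'] = (& azcmagent version 2>$null | Select-Object -First 1)
    }

    # 4. Domain group listed in an AllowGroups line of sshd_config. A missing entry is
    #    what produces "Connection closed by UNKNOWN port 65535" for domain users.
    if (Test-Path $SshdConfig) {
        $allowLines = Get-Content $SshdConfig | Where-Object { $_ -match '^\s*AllowGroups\s' }
        $results['AllowGroups lines']   = ($allowLines -join '; ')
        $results['domain group allowed'] = [bool]($allowLines |
            Where-Object { $_ -match [regex]::Escape($DomainGroup) })
    } else {
        $results['AllowGroups lines']   = 'sshd_config not found'
        $results['domain group allowed'] = $false
    }
    return $results
}

[PSCustomObject](Test-ArcRdpOverSshPrereqs) | Format-List
```

A `False` under "domain group allowed" before you attempt the connection tells you to fix sshd_config (and restart the sshd service) rather than retrying the password.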

Conclusion
RDP over SSH via Azure Arc offers a secure way to access remote desktop sessions, especially useful over public networks or when enhanced security is needed, all without requiring a VPN or VPN client.
In this blog post, I showed you how to do this with both a local user account and a domain user account.
I hope this is helpful in your environment, lab, or production. If you have any questions or suggestions about this blog post, feel free to reach out on X (@wmatthyssen) or leave a comment below.
April 15, 2025 at 07:09PM