Configure Native RDP/SSH

Guide to configure RDP/SSH
Native RDP/SSH is a feature in Prisma Browser that allows you to access RDP (Remote Desktop Protocol) and SSH (Secure Shell) applications without the need for additional licenses.
RDP connections can route through an RDS Gateway instead of requiring direct connections.
Key Changes Upon Activation:
  • Native RDP takes precedence over PRA (Prisma Access Remote Access), and Remote Connections will no longer work via Prisma Browser on the tenant.
  • A new option, Remote Connection, appears under the Applications Tab.
  • When specifying an Access and Data Control rule, options related to Remote Connections can be found under Access and Data Control Rule → Applications → Remote Connections.

Configure the Native RDP/SSH

A. Applications Tab (Remote Connections)
In the Applications directory, do the following:
  1. Click the Remote Connections tab and click Add Remote Connection.
  2. In the Add remote connection window, enter the information as needed.
  3. Be sure to configure the Remote Connection using an FQDN (Fully Qualified Domain Name), an IP address, or a PC Name (the server where the application resides).
  4. The configuration supports non-standard ports.
    1. The standard RDP port is 3389.
    2. The standard SSH port is 22.
  5. Select the Classification for the connection. The options are:
    • Sanctioned: A Remote Connection that is permitted.
    • Tolerated: A Remote Connection that is allowed, but is not sanctioned by the organization.
    • Unsanctioned: The connection is not authorized by the organization at all.
    • Unclassified: The connection has not yet been classified.
  6. In the Additional settings section, select the following:
    • Tags, if needed
    • Routing: Select whether or not to route the Remote Connection through Prisma Access.
    • RDS Gateway: When this field is populated, the FQDN/IP/PC Name address field above no longer requires FQDN or IP address validation. Users can enter a PC name instead.
B. Access and Data Control Rule
  • The rule creation flow remains the same as for any other application.
  • Within the Remote Connection Application settings:
    • First, check to enable the Remote connections setting for your rule. This allows users to view and establish remote connections from the Prisma Browser.
      When this option is enabled, users can access remote connection capabilities in the browser. You can control which remote connections are available to users by configuring one or both of the following options:
      • Administrator-Defined Remote Connections
        Allow users to access remote connections that were created and managed by an administrator.
        You can select one of the following options:
        • Any defined connection — Users can access any remote connection defined by the administrator.
        • Specific connections — Users can access only the remote connections selected in the rule.
        Use this option when administrators need to control which RDP, SSH, or other supported remote connection targets are available to users.
      • Any Remote Connection Using Manual Connect
        Allow users to manually create remote connections from the Prisma Browser.
        When this option is enabled, users can add their own remote connections from the Remote connections settings panel in the browser by selecting “+ New connection.”
        Use this option when users need the flexibility to connect to remote resources that were not preconfigured by an administrator.
For tenants with Prisma Access entitlement, all traffic associated with user-created applications established through the manual connections option is routed through Prisma Access by default.

Enable Native RDP/SSH

RDP does not support Session Recording.
To enable and fully utilize the Native RDP/SSH feature, follow these steps:
  1. Configure a Remote Connection under the Applications directory.
  2. Create an Access and Data Control Policy to allow access to the newly configured Remote Connection.
  3. Create a Security Policy under Explicit Proxy (EP).
    • This step is necessary to allow access to RDP/SSH applications that may reside within your data center.
      1. Navigate to Configuration > NGFW and Prisma Access.
      2. Change the Configuration Scope to Prisma Access or Explicit Proxy.
      3. Create a Security Rule in Explicit Proxy with the following parameters:
        • Source: Trust
        • Destination: Any or Specific Location
        • Applications: ms-RDP and SSH
        • Action: Allow
        You may need to duplicate these policies on other intermediaries, such as the Next-generation Firewall (NGFW), that are in the path to your private applications.
        Once a port is selected, it cannot be changed in any way. You need to define a new application with the desired port.

Migration from Remote Connections

Native Clients and Remote Connections/PRA cannot co-exist in Prisma Browser. Remote Connections/PRA must be disabled first for Native RDP/SSH to work.
If Remote Connections/PRA is currently not enabled on your tenant, you must request that this feature be added by contacting your customer-success manager.
  1. Take Note of All Configurations: Before disabling, record all existing Remote Connection configurations as you will need to manually reconfigure the applications and update the policies later.
    • You will need this information to reconfigure the apps as Remote Connection Apps.
  2. Disable Remote Connections:
    • Navigate to Administration > Remote Connection.
    • Disable the toggle switch.
  3. Configure Remote Connection Apps: Once disabled, Remote Connections will be renamed to Remote Connection Apps in the administration screens. You can now configure the applications and policies for the new feature.
  4. Follow the Enablement Steps: Proceed with the steps outlined in Enable Native RDP/SSH.
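
An added example, not part of the Prisma Browser documentation: a Python check for the inventory recorded in step 1, applying the address, port and classification rules from the Applications Tab section before the entries are re-created by hand. The inventory format and field names are hypothetical, and the check reads the limit under Connection Management as at most two connections per address and assumes it applies to this inventory.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the page: standard ports and the four classifications.
STANDARD_PORTS = {"rdp": 3389, "ssh": 22}
CLASSIFICATIONS = {"Sanctioned", "Tolerated", "Unsanctioned", "Unclassified"}
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def address_kind(addr):
    """Classify an address as 'ip', 'fqdn' or 'pc-name' (anything else)."""
    try:
        ipaddress.ip_address(addr)
        return "ip"
    except ValueError:
        return "fqdn" if FQDN_RE.match(addr) else "pc-name"

def audit(inventory):
    """Return (name, finding) tuples for entries that need attention."""
    findings = []
    per_address = Counter(c["address"].lower() for c in inventory)
    for c in inventory:
        name, proto = c["name"], c["protocol"].lower()
        # A bare PC name is only accepted when the RDS Gateway field is populated.
        if address_kind(c["address"]) == "pc-name" and not c.get("rds_gateway"):
            findings.append((name, "PC name without RDS Gateway"))
        std = STANDARD_PORTS.get(proto)
        if not 1 <= c["port"] <= 65535:
            findings.append((name, f"invalid port {c['port']}"))
        elif std is not None and c["port"] != std:
            # Supported, but the port cannot be edited later, so confirm it now.
            findings.append((name, f"non-standard {proto} port {c['port']}"))
        if c.get("classification") not in CLASSIFICATIONS:
            findings.append((name, "unknown classification"))
        # Assumption: the two-per-address limit applies to this inventory.
        if per_address[c["address"].lower()] > 2:
            findings.append((name, "more than 2 connections share this address"))
    return findings

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE = [
    {"name": "jump-ssh", "protocol": "SSH", "address": "jump.corp.example", "port": 22, "classification": "Sanctioned"},
    {"name": "fin-rdp", "protocol": "RDP", "address": "FINANCE-PC01", "port": 3389, "classification": "Sanctioned", "rds_gateway": "rdgw.corp.example"},
    {"name": "lab-rdp", "protocol": "RDP", "address": "LAB-PC07", "port": 3389, "classification": "Tolerated"},
    {"name": "db-ssh", "protocol": "SSH", "address": "10.0.0.5", "port": 2222, "classification": "Unclassified"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```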

User Experience

Users access the Remote Connections feature through the Prisma Browser client interface.
  1. Click on the Prisma Browser Profile Icon.
  2. Click on Remote Connections.
    This will open a list of the available remote connections.
  3. Select the remote connection that you need, and click Connect.
  4. In the window, enter your username and password.
  5. Select the check boxes you need. Select Use these credentials for gateway to apply the entered credentials to both the remote connection authentication and the gateway authentication.
  6. Click Connect now.
This will open a new tab for Remote Connections where the user can view:
  • All RDP/SSH applications allowed per the policy created by the administrator.
  • An option to add "New Connections," if the Manual Connect option is enabled for their profile/scope.
Connection Management:
  • Connections defined by the user can be Edited or Deleted from the list.
  • Connections defined by the administrator cannot be edited by the user.
Only 1 additional connection can be defined with the same IP/FQDN. This means that a maximum of 2 IP/FQDNs can share the same connection.