ZTNA console application configuration options
In this topic, you will learn about the options available for ZTNA console applications: Remote Desktop (RDP), Secure Shell (SSH), Virtual Network Computing (VNC), and Telnet.
Remote Desktop (RDP) options
Authentication settings
-
Authentication method
-
User-provided credentials
When connecting to the resource, the user must enter their own credentials.
You can activate the checkbox "Offer users the option to have their credentials remembered so they don’t have to re-enter on each visit" to allow ZTNA to store the credentials for future sessions.
-
Admin-provided credentials
The user cannot enter their own credentials. Instead, the administrator provides a shared set of credentials that the system enters automatically when connecting to the resource.
-
Username (optional)
Enter the username that all users will use to log on to the resource.
-
Password (optional)
Enter the password that all users will use to log on to the resource.
Note: Both the username and password are optional. If the administrator leaves one of these fields empty, the user is asked to provide the missing credential. If both fields are empty, the system behaves as with user-provided credentials.
-
Advanced authentication settings
-
Security mode
-
Any
Automatically uses the most secure method supported by the remote endpoint.
-
NLA (Recommended)
Uses TLS encryption and requires the username and password to be given in advance, authenticating the user before the session starts.
-
Extended NLA
NLA with added endpoint risk posture assessment and compliance checks to enforce stronger security before the session starts. Enhances NLA with channel and service binding to prevent credential relay and man-in-the-middle attacks.
-
RDP Encryption (Legacy)
Legacy, less secure mode where the user is presented with the server’s native login page and authentication occurs after the session starts.
-
TLS Encryption (RDSTLS)
Used in load-balanced configurations where the initial RDP connection may redirect to another server. Encrypts the connection using TLS before authentication but does not enforce pre-session user verification.
-
Hyper-V / VMConnect
Enables connections to Remote Desktop resources on Hyper-V hosts that are accessible only through VMConnect. This mode is specifically designed for scenarios where the RDP session cannot be established directly over the network and must instead be tunneled through the Hyper-V management interface.
-
-
Ignore certificate error
When this option is enabled, the gateway validates the server’s certificate, but the connection to the RDP server is still allowed if the certificate is untrusted, expired, or has an error. This option is enabled by default. Keep it on if the certificate in the app is self-signed, which is common for internal applications, or uncheck it if a trusted certificate is installed on the RDP endpoint.
-
This remote desktop server can host multiple connections behind a single TCP port
This setting allows a single server to differentiate between multiple incoming RDP sessions on the same network port, ensuring that each connection is routed to the correct virtual or remote desktop instance.
-
Preconnection Id
The numeric identifier for the RDP source that determines which session to connect to. Leave this blank when connecting via Hyper-V, as it is not used in that scenario.
-
Preconnection Blob
A string used to identify the specific RDP session on the server. Depending on the server configuration, this may be optional; for Hyper-V, it corresponds to the destination virtual machine ID.
-
Enhanced session mode
This RDP mode provides advanced features such as clipboard redirection, drive mapping, and improved display options for RDP sessions. Enhanced session mode works by using additional RDP channels negotiated after the initial connection, allowing richer interaction between the client and the remote virtual machine or server.
-
Maximum connections
-
Maximum number of connections that can use this application at once
This setting limits the total number of simultaneous remote connections when licensing, compute capacity, or other limits require it. For example, Windows Server allows a maximum of two RDP sessions to the same server without Terminal Server licensing, and Cisco routers or switches allow only 5 or 16 SSH sessions depending on the model.
-
Maximum number of connections per account
This setting stops one user from using all available remote sessions on a machine so that other users can still connect.
Session and environment
-
Initial program
If specified, the program will start automatically when you connect. Enter the program’s full path.
-
Session recordings
Activate this checkbox to record all sessions for this resource. Any active recorded session is automatically terminated after 12 hours. Once the session ends, the recording can be accessed through the related alert on the Alerts screen, in the Additional Info section of the alert description, and will remain available for up to 7 days for review or export.
Clipboard settings
-
Do not allow users to copy from the remote desktop
If activated, prevents users from copying information from the remote desktop and pasting it locally, providing a basic data loss prevention (DLP) measure.
-
Do not allow users to paste from clients
If activated, prevents users from pasting information from their local machine into the remote session, providing a basic data loss prevention (DLP) measure.
Display settings
-
Display width (pixels)
Display height (pixels)
These options let you set the console window size in the browser. The minimum value for each is 100 pixels. If you leave these fields empty, the console uses the same size as the remote client, which may be large and require scrolling.
-
Color depth
This field sets the color depth requested from the RDP server.
-
Automatic (recommended)
Portnox Cloud and the remote server choose the most suitable color depth based on the bandwidth.
-
8-bit (256 colors)
Best for simple, non-graphic desktops when connection speed or bandwidth is limited.
-
16-bit (High color)
Suitable for most remote desktops but may not display detailed images or video clearly.
-
24-bit (True color)
Provides the highest image quality but uses more bandwidth and may not work well on slow or unstable connections.
-
-
Do not use lossy compression
Activate this checkbox if image quality is very important and you cannot accept any loss of detail caused by compression.
-
Resize method
This field defines how the console behaves when you resize the browser window.
-
Display update virtual channel (RDP 8.1+)
The browser dynamically adjusts the console size as you resize the browser window.
-
Take no action when client display size changes
The console size stays the same, which may require scrolling if you make the browser window smaller.
-
Reconnect when client display size is changed
Each time you resize the browser window, the console reconnects to the remote desktop using a console size that matches the new window size.
-
-
Only allow read-only access
Activate this checkbox to make the console display the remote screen without sending any actions, such as clicking or typing, back to it. This view-only mode is mainly used for informational displays in a NOC or for digital signage applications.
Device redirection
-
Disable audio (recommended if you are concerned about bandwidth usage)
If you activate this option, the remote desktop will not send any audio information to the console.
-
Allow audio input (microphone)
If you activate this option, your local machine’s audio input, such as the microphone, will be used to send audio information to the remote desktop.
-
Allow multi-touch events and gestures (mobile or tablet devices)
If you activate this option, it works only when your browser is on a mobile or tablet device. Multi-touch events (touching the screen in multiple places at once) and gestures recognized by the device will be sent to the remote desktop.
-
Allow printing to a virtual printer (will send a PDF).
If you activate this option, a virtual Portnox Cloud printer will appear on the remote computer. Users can print normally from any application. This generates a PDF, which is then offered as a download to the client. The PDF can be saved and/or printed to create a physical copy.
Performance settings
All default settings are configured for optimal performance. Admins can modify the following performance settings as they see fit to provide a more consistent desktop experience that users may be accustomed to.
-
Show desktop wallpaper
-
Allow theming of windows and controls
-
Enable font smoothing
-
Display window content as windows are moved
-
Show effects like transparent windows and shadows
-
Allow menu open/close animations
-
Disable RDP built-in bitmap caching
Bitmap caching stores parts of the remote desktop screen locally so repeated images do not have to be resent, which can improve performance and reduce bandwidth usage; disabling it may increase network use but can help avoid display issues or stale images.
-
Disable offscreen caching
Offscreen caching stores additional drawing elements (like graphics drawn off the visible screen) in memory to speed up redrawing; turning it off may reduce temporary memory use but can decrease responsiveness during complex screen updates.
RemoteApp
If RemoteApp is configured on your RDP server, you can control which applications users can access. RemoteApp lets users run individual applications from the server as if they were installed locally, showing only the application window integrated with the local desktop and taskbar.
-
Remote App
When a user connects, only this application will be visible. Use Windows notation for the RemoteApp name, prefixed with two vertical bars: ||application_name. For example, ||SAPGUI to publish SAP GUI as a RemoteApp for remote access to the corporate SAP system.
-
Remote App directory
If available, enter the working directory for the remote application. Use a full path in the user’s profile, for example: C:\Users\kosh\AppData\Local\SAP\SAPGUI for SAP GUI, so the app starts in the correct environment.
-
Remote App arguments
If used, enter command-line arguments for the remote app. For example: /system=CORP /client=100 /user=kosh /file="C:\Users\kosh\Documents\SAP\SalesReport.spr" to open a specific SAP session or report automatically when SAP GUI launches via RemoteApp.
Secure Shell (SSH) options
Public host key (optional)
An SSH public host key allows the client to verify the server’s identity, preventing man-in-the-middle attacks. It ensures that the client connects to the intended server and not an impersonator.
Server SSH keys are typically stored in one of the following files on your existing SSH client. You can open one of these files, locate the server key for the relevant server (for example, 10.0.9.57), and copy it directly from there to paste in the Public host key field.
-
~/.ssh/known_hosts – user-specific location on UN*X systems
-
/home/user_name/.ssh/known_hosts – alternative user-specific location on UN*X systems
-
/etc/ssh/ssh_known_hosts – system-wide location on UN*X systems
-
%USERPROFILE%\.ssh\known_hosts – user-specific location on Windows
-
C:\Users\user_name\.ssh\known_hosts – alternative user-specific location on Windows
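The lookup described above can be scripted. The following is an added example, not part of the original documentation or of Portnox's code: it finds the entries for a server in known_hosts content (including hashed host names), checks that each key blob matches its declared type, and computes the SHA256 fingerprint to compare out of band before pasting the line into the Public host key field. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def host_matches(field: str, host: str) -> bool:
    """True if the first known_hosts field names `host` (plain list or hashed)."""
    if field.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))
        pieces = field.split("|")
        if len(pieces) != 4:
            return False
        salt = base64.b64decode(pieces[2])
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(pieces[3]))
    return host in field.split(",")


def decode_key(key_type: str, key_b64: str) -> bytes:
    """Decode the key and check that the algorithm name inside it is key_type."""
    blob = base64.b64decode(key_b64, validate=True)  # raises on bad base64
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key data")
    return blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_keys(known_hosts: str, host: str):
    """Return (key_type, line_to_paste, fingerprint) per entry for `host`.

    fingerprint is None when the entry is truncated or mislabeled, so such a
    line is reported instead of being pasted into the Public host key field.
    """
    results = []
    for raw in known_hosts.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blank, comment, @revoked or @cert-authority line
        if not host_matches(parts[0], host):
            continue
        key_type, key_b64 = parts[1], parts[2]
        try:
            fp = fingerprint(decode_key(key_type, key_b64))
        except ValueError:
            fp = None
        results.append((key_type, f"{host} {key_type} {key_b64}", fp))
    return results


# Constructed sample data: 32 counting bytes stand in for an Ed25519 public
# key, and the salt is fixed so the example is reproducible. Not a real key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
_SALT = bytes(range(20))
_MAC = hmac.new(_SALT, b"10.0.9.57", hashlib.sha1).digest()
HASHED_HOST = "|1|%s|%s" % (base64.b64encode(_SALT).decode(),
                            base64.b64encode(_MAC).decode())
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts content",
    f"{HASHED_HOST} ssh-ed25519 {SAMPLE_B64}",
    f"10.0.9.58,db.example.internal ssh-ed25519 {SAMPLE_B64}",
    f"10.0.9.57 ssh-rsa {SAMPLE_B64}",  # mislabeled: blob says ssh-ed25519
    f"@revoked 10.0.9.57 ssh-ed25519 {SAMPLE_B64}",
])

if __name__ == "__main__":
    for key_type, line, fp in host_keys(SAMPLE_KNOWN_HOSTS, "10.0.9.57"):
        print(fp or "REJECTED (malformed)", line)
```

Compare the printed fingerprint with the output of `ssh-keygen -lf` run against the host key file on the server itself; paste the line only when the two match.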
Example of a host key:
10.0.9.57 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Yk2Hq8pF3Z1mT9vL0sD4nXJcQe5R2Kp6VtW1aG8zFJ4uP0mQxL9cH3sB7rE6dYw2N5uKf8ZpR1vT4jC0XqL6sM3nB9WcD2hF5tK8yP1zQe7R4vU0mL3sN6xC9bH2YfP5qD7JkL0wT8mZ1A6rN3sV9pQ4cE2yK7Hj5U0LxB3vC8M1aZ6nR4QyT2fW7P9dJ0sK5eL3uX8gH2V4mC1pN6tR0Zb7YwQ3F9kD2aL5sJ8xM4Vn1P6qT0hC3rW9B2yK7G5D1ZxN8uQ4L6cS0pE3mJ9H2fT7vR5W1Y8kC4A6nP0bX3L9qD2tF5gM7U1V8sH4E0rK6wZ3yJ9C2
Example of retrieving a host key with ssh-keyscan:
ssh-keyscan -t ecdsa 10.0.9.57
10.0.9.57 ecdsa-sha2-nistp256 AAAAE2VjZHNlLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF3yJk8l2Qx8v3R0my9V8QdQk7lP0a4Xq2wEJZ1bU4Jj8g9QZ2sP5tZL6cN3bAwM9x7kEfPZ+QkUm1xY4sH7=
Authentication settings
-
Authentication method
-
User-provided credentials
When connecting to the resource, the user must enter their own credentials.
You can activate the checkbox "Offer users the option to have their credentials remembered so they don’t have to re-enter on each visit" to allow ZTNA to store the credentials for future sessions.
-
Admin-provided credentials
The user cannot enter their own credentials. Instead, the administrator provides a shared set of credentials that the system enters automatically when connecting to the resource.
-
Username (optional)
Enter the username that all users will use to log on to the resource.
-
Password (optional)
Enter the password that all users will use to log on to the resource.
Note: Both the username and password are optional. If the administrator leaves one of these fields empty, the user is asked to provide the missing credential. If both fields are empty, the system behaves as with user-provided credentials.
-
Maximum connections
-
Maximum number of connections that can use this application at once
This setting limits the total number of simultaneous remote connections when licensing, compute capacity, or other limits require it. For example, Windows Server allows a maximum of two RDP sessions to the same server without Terminal Server licensing, and Cisco routers or switches allow only 5 or 16 SSH sessions depending on the model.
-
Maximum number of connections per account
This setting stops one user from using all available remote sessions on a machine so that other users can still connect.
Session and environment
-
Execute command
Specify a command to run immediately when you connect. If you do not specify a command, the SSH session will start with the user’s default shell (for example, bash or PowerShell).
-
Language
Enter the standard UN*X locale code, for example, mt_MT.UTF-8. To choose the correct code, choose from this list.
-
Timezone
Enter the standard timezone code (TZ identifier), for example, America/Montreal. To choose the correct code, choose from this list.
-
Server keepalive interval (seconds)
To prevent the SSH session from timing out due to inactivity, you can send periodic keepalive packets to the server. Enter the number of seconds between keepalive packets. If set to 0 (the default), no keepalive packets are sent and idle sessions may disconnect.
Terminal behavior
-
Backspace key sequence
Different systems interpret the backspace key differently. For operating systems other than Linux, you may need to change the backspace key sequence so that pressing backspace deletes characters correctly in the terminal session. Available options:
CTRL-?: Sends the DEL (ASCII 127) character, which is used by most modern Linux/UN*X systems and terminal emulators.
CTRL-H: Sends the BS (ASCII 8) character, an older backspace sequence that some systems or applications still expect.
-
Terminal type
This setting tells the server how your terminal should behave, including how text, colors, cursor movement, and special keys work. Some options refer to older terminal standards:
ansi: A standard terminal type that supports basic text and control codes; commonly used by older servers, network gear (like Cisco routers), and simple terminal programs.
linux: The terminal type used by Linux consoles and many Linux servers, supporting extended colors and key behaviors common on Linux systems (for example, Ubuntu, CentOS, Debian).
vt100: A classic terminal standard that supports basic text and control sequences; useful for compatibility with older Unix systems and legacy equipment (for example, BSD servers, older Solaris systems).
vt200: An extension of vt100 with support for more advanced control codes; still recognized by some Unix and network systems for backward compatibility. Supports F1-F12 keys, multinational character sets, vector graphics, and adds color support.
xterm: A terminal type that supports more features like color, function keys, and special key handling; common in graphical terminal emulators such as xterm, GNOME Terminal, and PuTTY.
xterm-256color: Like xterm but with support for 256 colors, useful for modern applications that use rich color output, scripting tools, and editors (for example, Vim/Neovim or tmux with color themes).
Selecting the right terminal type helps ensure that text, colors, and keyboard behavior work as expected in your terminal session.
Clipboard settings
-
Disable copying from terminal
If activated, prevents users from copying information from the terminal and pasting it locally, providing a basic data loss prevention (DLP) measure.
-
Disable pasting from client
If activated, prevents users from pasting information from their local machine into the terminal session, providing a basic data loss prevention (DLP) measure.
Display settings
-
Color scheme
The color scheme to use for the terminal session. These are important for accessibility, reducing eye strain, and improving readability depending on your environment and preferences. Available choices:
Gray on black: Neutral colors that are easy on the eyes for long sessions, good for low-light environments.
Black on white: High contrast scheme, similar to paper, useful for bright environments or users who prefer traditional text display.
White on black: Classic dark terminal style, reduces glare, often preferred by developers and sysadmins.
Green on black: Retro terminal look, can improve focus in low-light conditions, also familiar to users of older terminal systems.
-
Default font
Controls the font used in the terminal session. Fonts affect readability, accessibility, and compatibility with screen readers. Choose a font that is clear at small sizes or works well for your preferred color scheme. Available choices:
monospace: Standard fixed-width font, widely compatible and simple.
Courier New: Classic monospaced font, familiar to most users, clear at small sizes.
DejaVu Sans Mono: Modern monospaced font with good Unicode support.
Hack: Designed for programming, high readability with clear distinction of characters like 0 vs O.
Noto Mono: Supports many languages and symbols, good for multi-language terminals.
Available font sizes: 8, 10, 12, 14, 16.
-
Maximum scrollback window
The maximum number of rows allowed in the terminal scrollback buffer. Default value: 1000. Increasing this allows more history to be accessible when scrolling.
-
Only allow read-only access
Read-only access will prevent users from interacting with applications in the terminal session. Use this mode for monitoring or informational displays where input should be blocked.
File transfer via SFTP (Secure File Transfer Protocol)
-
Enable SFTP
If you activate this checkbox, users can access the file transfer panel with the shortcut Ctrl + Alt + Shift (Windows) or ⌘Command + ⌥Option + ⇧Shift (Mac).
-
SFTP root directory
Enter the default directory where SSH users can upload and download files. Use the UN*X directory format, which uses / instead of the Windows-style \. For example: /var/ftp/public.
Note: If you leave this field empty, the default directory is the root directory. Users will then have access to the entire filesystem, depending on the permissions granted by their credentials.
-
Do not allow users to download files from the remote system to the client (browser)
-
Do not allow users to upload files from the client (browser) to the remote system
Note: Activate either none of these checkboxes or both of them. If you activate both checkboxes, SFTP functionality is effectively turned off.
-
Virtual Network Computing (VNC) options
Authentication settings
-
Authentication method
-
User-provided credentials
When connecting to the resource, the user must enter their own credentials.
You can activate the checkbox "Offer users the option to have their credentials remembered so they don’t have to re-enter on each visit" to allow ZTNA to store the credentials for future sessions.
-
Admin-provided credentials
The user cannot enter their own credentials. Instead, the administrator provides a shared set of credentials that the system enters automatically when connecting to the resource.
-
Username (optional)
Enter the username that all users will use to log on to the resource.
-
Password (optional)
Enter the password that all users will use to log on to the resource.
Note: Both the username and password are optional. If the administrator leaves one of these fields empty, the user is asked to provide the missing credential. If both fields are empty, the system behaves as with user-provided credentials.
-
Maximum connections
-
Maximum number of connections that can use this application at once
This setting limits the total number of simultaneous remote connections when licensing, compute capacity, or other limits require it. For example, Windows Server allows a maximum of two RDP sessions to the same server without Terminal Server licensing, and Cisco routers or switches allow only 5 or 16 SSH sessions depending on the model.
-
Maximum number of connections per account
This setting stops one user from using all available remote sessions on a machine so that other users can still connect.
Clipboard settings
-
Do not allow users to copy from the remote desktop
If activated, prevents users from copying information from the remote desktop and pasting it locally, providing a basic data loss prevention (DLP) measure.
-
Do not allow users to paste from clients
If activated, prevents users from pasting information from their local machine into the remote session, providing a basic data loss prevention (DLP) measure.
Display settings
-
Color depth
This field sets the color depth requested from the VNC server.
-
Automatic (recommended)
Portnox Cloud and the remote server choose the most suitable color depth based on the bandwidth.
-
8-bit (256 colors)
Best for simple, non-graphic desktops when connection speed or bandwidth is limited.
-
16-bit (High color)
Suitable for most remote desktops but may not display detailed images or video clearly.
-
24-bit (True color)
Provides the highest image quality but uses more bandwidth and may not work well on slow or unstable connections.
-
-
Do not use lossy compression
Activate this checkbox if image quality is very important and you cannot accept any loss of detail caused by compression.
-
Only allow read-only access
Activate this checkbox to make the console display the remote screen without sending any actions, such as clicking or typing, back to it. This view-only mode is mainly used for informational displays in a NOC or for digital signage applications.
Performance settings
-
Swap red/blue components
Enable this option when the server and client interpret pixel formats differently (for example, one expects RGB and the other BGR). This can fix color distortion in VNC sessions, notably with some VMware, specialized, or embedded VNC servers.
-
Render mouse cursor remotely
Reduces mouse cursor ghosting or shadowing that can occur in VNC sessions. Without this, you might see both the local cursor and a lagging remote cursor. Rendering the cursor remotely makes the pointer position and movement feel more accurate, though it may require more screen updates.
-
Display encodings
By default, Portnox Cloud negotiates the best encoding supported by the remote VNC server. An admin can also select a specific encoding to improve connection time, compatibility, or performance under different network conditions.
Common encodings:
CopyRect: Tells the client to copy a rectangle already on screen rather than resend pixel data, which reduces network usage when parts of the screen move.
ZRLE (Zlib Remote Framebuffer Encoding): Uses zlib compression with run-length encoding for efficient trade‑offs between bandwidth and CPU usage, often good for mostly static screens and text.
Hextile: Breaks the screen into 16×16 pixel tiles and encodes each tile with a mix of methods. It performs well on general GUIs and uses moderate bandwidth.
RRE (Rise‑and‑Run‑length Encoding): Encodes areas of constant color efficiently, good for simple UIs with large solid color regions but not that great for complex graphics.
Raw: Sends uncompressed pixel data. It is simple and places little decoding load on the client, but uses high bandwidth and is best only on very fast connections.
Telnet options
Authentication settings
-
Authentication method
-
User-provided credentials
When connecting to the resource, the user must enter their own credentials.
You can activate the checkbox "Offer users the option to have their credentials remembered so they don’t have to re-enter on each visit" to allow ZTNA to store the credentials for future sessions.
-
Admin-provided credentials
The user cannot enter their own credentials. Instead, the administrator provides a shared set of credentials that the system enters automatically when connecting to the resource.
-
Username (optional)
Enter the username that all users will use to log on to the resource.
-
Password (optional)
Enter the password that all users will use to log on to the resource.
Note: Both the username and password are optional. If the administrator leaves one of these fields empty, the user is asked to provide the missing credential. If both fields are empty, the system behaves as with user-provided credentials.
-
Maximum connections
-
Maximum number of connections that can use this application at once
This setting limits the total number of simultaneous remote connections when licensing, compute capacity, or other limits require it. For example, Windows Server allows a maximum of two RDP sessions to the same server without Terminal Server licensing, and Cisco routers or switches allow only 5 or 16 SSH sessions depending on the model.
-
Maximum number of connections per account
This setting stops one user from using all available remote sessions on a machine so that other users can still connect.
Terminal behavior
-
Backspace key sequence
Different systems interpret the backspace key differently. For operating systems other than Linux, you may need to change the backspace key sequence so that pressing backspace deletes characters correctly in the terminal session. Available options:
CTRL-?: Sends the DEL (ASCII 127) character, which is used by most modern Linux/UN*X systems and terminal emulators.
CTRL-H: Sends the BS (ASCII 8) character, an older backspace sequence that some systems or applications still expect.
-
Terminal type
This setting tells the server how your terminal should behave, including how text, colors, cursor movement, and special keys work. Some options refer to older terminal standards:
ansi: A standard terminal type that supports basic text and control codes; commonly used by older servers, network gear (like Cisco routers), and simple terminal programs.
linux: The terminal type used by Linux consoles and many Linux servers, supporting extended colors and key behaviors common on Linux systems (for example, Ubuntu, CentOS, Debian).
vt100: A classic terminal standard that supports basic text and control sequences; useful for compatibility with older Unix systems and legacy equipment (for example, BSD servers, older Solaris systems).
vt200: An extension of vt100 with support for more advanced control codes; still recognized by some Unix and network systems for backward compatibility. Supports F1-F12 keys, multinational character sets, vector graphics, and adds color support.
xterm: A terminal type that supports more features like color, function keys, and special key handling; common in graphical terminal emulators such as xterm, GNOME Terminal, and PuTTY.
xterm-256color: Like xterm but with support for 256 colors, useful for modern applications that use rich color output, scripting tools, and editors (for example, Vim/Neovim or tmux with color themes).
Selecting the right terminal type helps ensure that text, colors, and keyboard behavior work as expected in your terminal session.
Clipboard settings
-
Disable copying from terminal
If activated, prevents users from copying information from the terminal and pasting it locally, providing a basic data loss prevention (DLP) measure.
-
Disable pasting from client
If activated, prevents users from pasting information from their local machine into the terminal session, providing a basic data loss prevention (DLP) measure.
Display settings
-
Color scheme
The color scheme to use for the terminal session. These are important for accessibility, reducing eye strain, and improving readability depending on your environment and preferences. Available choices:
Gray on black: Neutral colors that are easy on the eyes for long sessions, good for low-light environments.
Black on white: High contrast scheme, similar to paper, useful for bright environments or users who prefer traditional text display.
White on black: Classic dark terminal style, reduces glare, often preferred by developers and sysadmins.
Green on black: Retro terminal look, can improve focus in low-light conditions, also familiar to users of older terminal systems.
-
Default font
Controls the font used in the terminal session. Fonts affect readability, accessibility, and compatibility with screen readers. Choose a font that is clear at small sizes or works well for your preferred color scheme. Available choices:
monospace: Standard fixed-width font, widely compatible and simple.
Courier New: Classic monospaced font, familiar to most users, clear at small sizes.
DejaVu Sans Mono: Modern monospaced font with good Unicode support.
Hack: Designed for programming, high readability with clear distinction of characters like 0 vs O.
Noto Mono: Supports many languages and symbols, good for multi-language terminals.
Available font sizes: 8, 10, 12, 14, 16.
-
Maximum scrollback window
The maximum number of rows allowed in the terminal scrollback buffer. Default value: 1000. Increasing this allows more history to be accessible when scrolling.
-
Only allow read-only access
Read-only access will prevent users from interacting with applications in the terminal session. Use this mode for monitoring or informational displays where input should be blocked.
