Last adaptation to the version: 14.1.2 (02.2026)
- BetaFor participants on the Beta Channel only:
- 14.1.1
- 14.1.1
- 14.1.1
notemptyThis article refers to a Beta version
Introduction
UTMuser@firewall.name.fqdnVPN 
Clientless VPN provides the ability to connect to an RDP or VNC server on the corporate network via the browser. Users log in to the user interface and are then given the option to connect with a designated server. For this to work, the browser must have HTML5, Java or similar is not necessary.
Configuration of the UTM
Add Clientless Host
Under click the button.
All servers that are to be made available to users via the user interface using Clientless VPN are entered here.
| Caption | Value | Description | UTMuser@firewall.name.fqdnVPN  Create server
|
|---|---|---|---|
| Servername: | Windows Server 2012 RDP | Assign a name for the host | |
| Type: | Service through which the host is to be accessed | ||
| notempty VNC is an unencrypted protocol. We also recommend a VPN connection between the server and the UTM. In general, even when using RDP, it is recommended to protect the connection with a VPN to ensure authenticity. | |||
| Security: | Choose the security protocol | ||
| IP address: | 10.10.10.10 | IP address of the host | |
| Port: | 3389 | Port that is enabled for access on the host | |
| Video resolution: | Resolution (selectable from 320x200 to 2540x1440 pixels) notempty v14.1.1 | ||
| Color depth: | Choose color depth (16 or 24 bit) | ||
| notemptyNew as of v14.1.1 | |||
| The resolution and color depth depends on the capabilities of the destination host and the clients from which the destination host is accessed via the browser. The entries Domain, Username and Password are optional, if these fields are left blank, the username and password will be requested when the host is accessed via Clientless VPN. | |||
UTMuser@firewall.name.fqdnAuthenticationUser 
Group permissions
- Click Area Groups button or existing group
- in the Permissions section:
- Enable Userinterface with the On button
- Enable Clientless VPN with the On button
- Assign a unique name in the Group name: field.
Subsequent assignment of the group
- Switch to the Clientless VPN tab.
- Activate desired clientless VPN connection with On
- Apply the changes with
Allow access
UTMuser@firewall.name.fqdnFirewall 
Group permissions
Now it must be ensured that the clientless VPN user is also allowed to log in to the user web interface via the browser. This can be done either by Implicit Rules or by manually creating a corresponding Packetfilter Rule on the interface.
In this case it is sufficient to activate the User Interface Portal VPN rule with On in the menu under Area VPN.
Login to the user interface
- The user login to the user interface is called up via the IP address or URL of the UTM, possibly followed by a port specification
- Depending on the assigned permissions, various functions are made available
- Click on the corresponding tile to access the desired function
| Configured | Port | Example call with IP | Example call with URL |
|---|---|---|---|
| Default | 443 | i.e. https://192.168.175.1 | i.e. https://utm.ttt-point.de |
| Port changed bei administrator Menu: Network / Appliance Settings / Appliance Settings / Webserver / User Webinterface Port |
4443 | i.e. https://192.168.175.1:4443 | i.e. https://utm.ttt-point.de:4443 |
notemptyThe responsible admin must provide the IP address or domain name and, if necessary, the port for the user web interface
After entering the IP address, the user login page of he Securepoint UTM is loaded. The login credentials are entered there.
| Value | Description |  |
|---|---|---|
| Username | ||
| The associated password | ||
Optional |
If this input box is displayed, a one-time password (OTP) must be entered The one-time password (OTP) is an authentication mechanism that provides additional security when a user logs in. | |
| Login | You can log in to the user interface by clicking on this button after entering all login data correctly. | |
| [[Datei: ]] | ||
| Cursor | ||
| Off | ||
Hints
Windows 2012R2 with enabled terminal services
If a 2012R2 server is to be used as the RDP server for the clientless VPN, the establishment of the RDP connection fails due to the "Authentication at network level".
When using the terminal services, this function can also no longer be deactivated via the familiar way.
However, it is possible to force the disabling of ""Authentication at network level"" via the GPO (Group Policy).
Adjusting the registry
However, it may also be necessary to adjust a registry entry. This must have a value of 1.
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SecurityLayer
notemptyFor Terra-Cloud machines it may be necessary to adjust the registry entry.