
Bastionhost: Perform RDP-based O&M

Last Updated: Mar 31, 2026

Use MSTSC (Windows Remote Desktop Connection) to connect to a Bastionhost instance and access Windows hosts for O&M operations. Bastionhost proxies the Remote Desktop Protocol (RDP) connection, so you connect to the bastion host rather than directly to the target host.

How it works

When you connect to the bastion host over RDP, Bastionhost authenticates your identity and routes traffic to the target host you select. You never connect directly to the target host — the bastion host acts as an audited gateway.

Prerequisites

Before you begin, ensure that you have:

Assets and user authorization: The hosts you want to manage are imported into Bastionhost, and the user account you use is authorized to manage those hosts. See Add hosts, Manage users, and Authorize users or user groups to manage assets and asset accounts.

To let Bastionhost access hosts without requiring you to enter credentials each time, authorize the user to use the hosts' asset accounts. See Authorize a user to manage assets and asset accounts. If no asset accounts are managed in Bastionhost, enable Unauthorized Asset Accounts Are Allowed in the Special Asset Accounts section so that you can enter the host username and password manually. See Configure O&M settings.

O&M address: Obtain the O&M address from the Bastion Host Information section on the Overview page in the Bastionhost console. See Log on to the console of a bastion host.

Bastionhost supports both fixed O&M addresses and dynamic O&M IP addresses. Because the IP address behind the private O&M address may change, always connect using the O&M address rather than the IP address directly.

Connect to a host

RDP connections to Bastionhost support two authentication methods: password authentication and token authentication. Both methods share the same opening steps — the difference is how you authenticate in step 3.

Steps 1–2: Open MSTSC and enter the O&M address

  1. Start MSTSC on your Windows server.

  2. Enter the O&M address in the following format, then click Connect:

    <O&M address>:63389

    For example: kagp******-public.bastionhost.aliyuncs.com:63389

    The default RDP port is 63389. To change the O&M port, see Configure a bastion host.
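
A scripted form of steps 1 and 2, as an added example that is not part of the Bastionhost documentation: it refuses a raw IP in place of the O&M address, checks that the O&M port answers, and writes a .rdp file that MSTSC can open. The function name `New-BastionRdpFile`, its parameters and the output path are assumptions made for illustration.

```powershell
# Added example; function and parameter names are assumptions, not Bastionhost tooling.
function New-BastionRdpFile {
    param(
        [Parameter(Mandatory)] [string] $OmAddress,     # O&M address from the console Overview page
        [Parameter(Mandatory)] [string] $UserName,      # Bastionhost user name
        [ValidateRange(1, 65535)] [int] $Port = 63389,  # default O&M RDP port per this page
        [string] $OutFile = (Join-Path $env:TEMP 'bastionhost.rdp')
    )

    # The page says to connect by O&M address, not by IP, because the IP may change.
    $parsed = $null
    if ([System.Net.IPAddress]::TryParse($OmAddress, [ref] $parsed)) {
        throw "Use the O&M address (host name), not the IP address '$OmAddress'."
    }

    # Accept only a plain DNS name and a single-line user name, so no extra
    # .rdp settings can be injected through either value.
    if ($OmAddress -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
        throw "O&M address '$OmAddress' is not a valid host name."
    }
    if ($UserName -match '[\r\n]') { throw 'User name must not contain line breaks.' }

    # Fail early if the name does not resolve or the O&M port is filtered.
    $null = Resolve-DnsName -Name $OmAddress -ErrorAction Stop
    $probe = Test-NetConnection -ComputerName $OmAddress -Port $Port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "Cannot reach ${OmAddress}:$Port. Check the O&M port and the network path."
    }

    # Standard .rdp settings. No password or O&M token is written to the file.
    @(
        "full address:s:${OmAddress}:$Port"
        "username:s:$UserName"
        'authentication level:i:2'   # warn if the server identity cannot be verified
    ) | Set-Content -Path $OutFile -Encoding Unicode

    return $OutFile
}

# Placeholder values; substitute your own O&M address and Bastionhost user.
# $rdp = New-BastionRdpFile -OmAddress '<O&M address>' -UserName '<Bastionhost user>'
# mstsc.exe $rdp
```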


Step 3: Authenticate

Choose one of the following methods:

Password authentication

  1. In the Remote Desktop Connection dialog box, click Yes.


  2. In the login dialog box, enter the username and password of your Bastionhost account, then click Login.


  3. If two-factor authentication is enabled, enter the verification code. To configure two-factor authentication, see Enable two-factor authentication.


Token authentication

  1. On the General tab in MSTSC, enter the O&M address, enter your Bastionhost username, select Allow me to save credentials, and click Connect.

  2. In the dialog box that appears, enter the O&M token of the bastion host, then click OK. To get an O&M token, see Manage an O&M token.

  3. In the Remote Desktop Connection dialog box, click Yes.


Step 4: Select a host

On the asset management page, double-click the host you want to access. The host session opens.


References

For a list of remote connection tools and versions compatible with Bastionhost, see Database O&M tools and versions.