Configuring secured connection between terminals and Terminal Server

Setting Terminal Server certificate

By default, Terminal Server uses certificate distributed with Dispatcher Paragon to provide encrypted communication between Terminal Server and MFDs. This certificate can be found in <install_dir>\SPOC\terminalserver\Certificates. Terminal Server can also use external certificates provided by Windows Certificate Store or file system.

Certificate of your Root CA must be uploaded to MFD (following the vendor's guide). Otherwise MFD might reject certificate and users will be unable to login.

In case you have problems with SSL/TLS communication, it can be switched off entirely. This is, however, not recommended in a production environment.

CA-signed certificate requirements

  • The certificate must be signed by a certification authority trusted in your environment.

  • Certificate (fields Common Name and Subject Alternative Name) must contain all network names (i.e. all hostnames, fully qualified domain names and IP addresses) used for connection to the Terminal Server.

  • The time while the certificate is valid is also important. The expiration date is added to the certificate by its signer, thus in case of self-signed certificate or certificate signed by your CA, it is up to you, how long it will be valid. In case you want certificates signed by a trusted third-party CA, they will set this value according to their policy.

  • For importing the certificate you need it in an appropriate format - Personal Information Exchange (.pfx file) containing the private key and whole certificate chain.


In case your key/certificate is in a different format than Personal Information Exchange, you can convert it following the guide in Conversions between different keystores and certificate types.

In case you do not have key/certificate at all, follow the guide in the Generating key/certificate in Personal Information Exchange format chapter in System communication hardening.

Configuring Terminal Server to use your certificate

In the TerminalServer.exe.config configuration file (<install_dir>\SPOC\terminalserver\TerminalServer.exe.config) specify the certificate source by adding or modifying configuration option dsCertificateSource located in the appSettings section.This option has three possible values (all case insensitive):

  • Default - default certificate provided with YSoft SafeQ

  • WindowsCertStore - finds certificate in Windows Certificate Store

  • FileSystem - tries to find certificate on local or network storage

All the settings in this chapter can be also configured in the Management web interface, under Expert configuration options. This works as a global configuration for all Terminal Servers and FlexiSpoolers in SafeQ system. Since there should be different certificates for each Terminal Server (e.g. because of the domain name / IP address validation), this is not recommended.

Windows Certificate Store

  1. Stop the Dispatcher Paragon Terminal Server service.

  2. Copy your key/certificate in the Personal Information exchange format to the server where the Terminal Server is installed.

  3. Import the key with signed certificate to Windows Certificate store.
    In Windows Server 2012 use the following command:

    certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "My" "dispatcherparagoncertificate.pfx"

    In Windows Server 2008 use the following command:

    certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "dispatcherparagoncertificate.pfx"

  4. In the TerminalServer.exe.config configuration file (<install_dir>\SPOC\terminalserver\TerminalServer.exe.config) add or modify following configuration options:

    <add key="dsCertificateSource" value="windowscertstore" />
    <add key="dsCertificateStore" value="my" />
    <add key="dsCertificateStoreIdentifier" value="000102030405060708090a0b0c0d0e0f10111213" />

    Configuration option dsCertificateStoreIdentifier is used for specification of certificate in selected certificate store. The certificate in store can be specified by its name (value enetered in Common Name (CN) field when generating a certificate signing request) or by its unique thumbprint , which can be obtained by double-clicking the certificate and browsing the Details tab for Thumbprint field. In case you are copying certificate thumbprint from the window, remove spaces and make sure there are no invisible characters (it adds an invisible character at the beginning!).

  5. Start the Dispatcher Paragon Terminal Server service.

File system

  1. Stop the Dispatcher Paragon Terminal Server service.

  2. Copy your key/certificate in the Personal Information exchange format to the server where the Terminal Server is installed.

  3. In the TerminalServer.exe.config configuration file (<install_dir>\SPOC\terminalserver\TerminalServer.exe.config) add or modify following configuration options:

    <add key="dsCertificateSource" value="filesystem" />
    <add key="dsCertificateFileSource" value="absolute\path\to\your\certificate.pfx" />

    Currently the file must not be protected by a password (can be protected by an empty string) to make Dispatcher Paragon able to load keys and certificates from file system. That is why it is currently recommended to use Windows Certificate Store as a certificate source.

    Terminal Server loads certificate from filesystem. This certificate is automatically installed into Windows Certificate Store specified by configuration option dsCertificateStore.

    To specify location of file on local disc or network storage, configuration option dsCertificateFileSource must be provided. Path to the certificate can be specified as follows:

    • Full path to certificate file - e.g. C:\Certificates\dispatcherparagoncertificate.pfx

    • Directory containing certificate - e.g. C:\Certificates, first .pfx file found in this directory is taken

  4. Start the Dispatcher Paragon Terminal Server service.

Cryptographic key for terminal authentication tokens

As a proof of successful authentication in terminal, a user receives an authentication token from the Terminal Server. Authentication tags for Dispatcher Paragon Terminal Application tokens are generated using a key, which is generated during Dispatcher Paragon installation and is unique per tenant. This key is encoded using Base64 and by default it is 16 bytes long.

It is possible to specify own key following the steps below.

  1. Stop the Dispatcher Paragon Terminal Server service.

  2. Set custom key for generation of the authentication tokens. In the Management web interface go to the System configuration and under Expert options find the following parameter and set it to the desired value.

    sqtaTokenKey

  3. Start the Dispatcher Paragon Terminal Server service.