
Blocking MS RDP to Only Use Remote Desktop Manager

Description

Some organizations want to centralize their Remote Desktop connections so that they are established from Remote Desktop Manager only. A few things need to be considered before implementing this in your organization.

 

Solution

Simply blocking Microsoft RDP (mstsc.exe) still leaves other "surfaces" open for gaining access. One could imagine installing Microsoft RDC Manager, or even another copy of Remote Desktop Manager, that would connect with settings you do not approve.

You can, however, force your users to use Remote Desktop Manager by hiding the session credentials in the application. As a result, users are able to establish the remote connection without ever knowing the credentials.

If you feel that disabling Microsoft RDP (mstsc.exe) is sufficient for your needs, the procedure is documented at

https://social.technet.microsoft.com/wiki/contents/articles/4980.how-to-enable-or-disable-remote-desktop-via-group-policy-windows-2008.aspx

Our recommended solution involves going through a gateway that is protected by a password unknown to the end user. This can be achieved with an SSH tunnel or with our own Jump feature. The second step is to adjust the firewalls on the remote hosts so that they refuse connections from any IP address other than your approved gateways.
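The firewall step above, as an added example that is not part of this article or of Remote Desktop Manager: on each remote Windows host, the built-in "Remote Desktop" rules (which accept port 3389 from any address) are reported, disabled, and replaced with a rule that only allows the approved gateway addresses. The gateway IP addresses, the rule name, and the choice of the Domain and Private profiles are assumptions; substitute your own values.

```powershell
# Added example (not part of the Devolutions KB article): restrict inbound RDP on a
# remote Windows host so that only the approved gateway addresses can reach it.
# Run in an elevated PowerShell session on each remote host. Uses the built-in
# NetSecurity module (Windows 8 / Server 2012 and later).

# Constructed sample values: replace with the IP addresses of your approved gateways
# (the SSH tunnel VM or the host used by the Remote Desktop Manager Jump feature).
# Make sure the gateway can already reach this host before applying the change,
# otherwise you lock yourself out.
$ApprovedGateways = @('10.0.0.10', '10.0.0.11')
$RuleName         = 'RDP - Approved gateways only'

# 1. Detection: report the enabled inbound Remote Desktop rules that currently
#    accept port 3389 from any remote address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Warning "Open to any address: $($_.DisplayName)"
        }
    }

# 2. Mitigation: disable the built-in (any-address) Remote Desktop rules, TCP and UDP
#    alike, so that the only path left is the scoped rule created below.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Disable-NetFirewallRule

# Create the scoped rule, or update its address list if it already exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $ApprovedGateways `
        -Action Allow -Profile Domain, Private | Out-Null
} else {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $ApprovedGateways
}

# 3. Verification: every enabled inbound rule for port 3389 should now list only the
#    gateway addresses. Any rule showing 'Any' here is a remaining open surface.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    }
```

Rolling this out through Group Policy (Computer Configuration > Windows Settings > Windows Defender Firewall with Advanced Security) rather than per host keeps the gateway list consistent; the verification step is worth repeating after any policy change, since a re-enabled default rule silently reopens port 3389 to every address.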

Gateways

SSH tunnels are a very good approach because they can run on a VM using any *nix distribution and require limited RAM and disk space.

This also forces your users to use Remote Desktop Manager, because the credentials used for an SSH tunnel cannot be domain credentials, and the authentication information is saved in Remote Desktop Manager.

For more information, please consult How to Setup a SSH Tunnel.