If you want to use the
Log On To setting, this refers to the end users workstation and not the target workstation you are connecting to
When you do RDP, Microsoft checks the Log On To list to see if you can login. When the Target device is listed, the user will be granted local login access (console or direct keyboard/monitor access), but RDP from anywhere will fail.
In order to login via RDP you need to put the host where you will be initiating the Log On FROM (so, even though the Tab says Log On 'To', in this case we need to specify the workstation you are logging in 'FROM') in the list. This means your local workstation where you are launching MSTSC or PAM sessions from.
- If you put the Target device, this wont work.
- Ifyou put the PAM server address since access is "routed through pam" this will not work either because PAM is acting as a tunnel and so it just forwards the log in info: it doesn't repackage it with its hostname.
If you want to log in to
computer1,
computer2 and
computer3 alone, then the only possible way of limiting it would be to maybe filter that through firewall in the machines themselves, as by behaviour MS will be looking at the machine initiating the connection.