diff --git a/README.md b/README.md
index b1c8ba6dc25d82fb24c5e5219bb29664483a68ff..753a29528d2ad901d8be800f2363b9a2980edd87 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,7 @@ openId:
 caps:
  SmartCardAuth: false
  tokenAuth: true
+ # connection timeout in minutes, 0 is limitless
  idleTimeout: 10
  DisablePrinter: true
  DisablePort: true
diff --git a/rdg.go b/rdg.go
index 5b65ff047c2aa659fc3c5eb4df457c4df993b972..9ee67d5482158a7217b7f3369c578389ecfa8cda 100644
--- a/rdg.go
+++ b/rdg.go
@@ -450,11 +450,19 @@ func readHeader(data []byte) (packetType uint16, size uint32, packet []byte, err
 // HTTP_EXTENDED_AUTH_SSPI_NTLM is not supported in Linux
 // but could be in Windows. However the NTLM protocol is insecure
 func handshakeResponse(major byte, minor byte, auth uint16) []byte {
+	var caps uint16
+	if conf.Caps.SmartCardAuth {
+		caps = caps | HTTP_EXTENDED_AUTH_PAA
+	}
+	if conf.Caps.TokenAuth {
+		caps = caps | HTTP_EXTENDED_AUTH_PAA
+	}
+
 	buf := new(bytes.Buffer)
 	binary.Write(buf, binary.LittleEndian, uint32(0)) // error_code
 	buf.Write([]byte{major, minor})
 	binary.Write(buf, binary.LittleEndian, uint16(0))                                            // server version
-	binary.Write(buf, binary.LittleEndian, uint16(HTTP_EXTENDED_AUTH_PAA|HTTP_EXTENDED_AUTH_SC)) // extended auth
+	binary.Write(buf, binary.LittleEndian, uint16(caps)) // extended auth
 
 	return createPacket(PKT_TYPE_HANDSHAKE_RESPONSE, buf.Bytes())
 }
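Review bot: The `conf.Caps.SmartCardAuth` branch ORs in `HTTP_EXTENDED_AUTH_PAA`, the same bit as the `TokenAuth` branch below it, so `HTTP_EXTENDED_AUTH_SC` from the removed line is never advertised. With `SmartCardAuth: true` and `tokenAuth: false`, the handshake therefore offers token (PAA) auth that the operator did not enable. The first branch should read `caps |= HTTP_EXTENDED_AUTH_SC`. With both options false, `caps` stays 0, which presumably means no extended auth is offered; a comment on the declaration such as `// 0: no extended auth advertised` would record that this is intended.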
@@ -526,8 +534,37 @@ func createTunnelAuthResponse() []byte {
 	binary.Write(buf, binary.LittleEndian, uint16(0))                                                                                        // reserved
 
 	// flags
-	binary.Write(buf, binary.LittleEndian, uint32(HTTP_TUNNEL_REDIR_ENABLE_ALL)) // redir flags
-	binary.Write(buf, binary.LittleEndian, uint32(0))                            // timeout in minutes
+	var redir uint32
+	if conf.Caps.RedirectAll {
+		redir = HTTP_TUNNEL_REDIR_ENABLE_ALL
+	} else if conf.Caps.DisableRedirect {
+		redir = HTTP_TUNNEL_REDIR_DISABLE_ALL
+	} else {
+		if conf.Caps.DisableClipboard {
+			redir = redir | HTTP_TUNNEL_REDIR_DISABLE_CLIPBOARD
+		}
+		if conf.Caps.DisableDrive {
+			redir = redir | HTTP_TUNNEL_REDIR_DISABLE_DRIVE
+		}
+		if conf.Caps.DisablePnp {
+			redir = redir | HTTP_TUNNEL_REDIR_DISABLE_PNP
+		}
+		if conf.Caps.DisablePrinter {
+			redir = redir | HTTP_TUNNEL_REDIR_DISABLE_PRINTER
+		}
+		if conf.Caps.DisablePort {
+			redir = redir | HTTP_TUNNEL_REDIR_DISABLE_PORT
+		}
+	}
+
+	// idle timeout
+	timeout := conf.Caps.IdleTimeout
+	if timeout < 0 {
+		timeout = 0
+	}
+
+	binary.Write(buf, binary.LittleEndian, uint32(redir)) // redir flags
+	binary.Write(buf, binary.LittleEndian, uint32(timeout))                            // timeout in minutes
 
 	return createPacket(PKT_TYPE_TUNNEL_AUTH_RESPONSE, buf.Bytes())
 }
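Review bot: `conf.Caps.RedirectAll` is tested before `DisableRedirect` and before the per-device `Disable*` options, so a config that sets `RedirectAll: true` together with `DisableRedirect: true` or `DisablePrinter: true` silently enables every redirection. The restrictive option should win, for example by putting `if conf.Caps.DisableRedirect { redir = HTTP_TUNNEL_REDIR_DISABLE_ALL }` first and making `RedirectAll` the `else if`, or the conflicting combination should be rejected when the config is loaded. The timeout has the same fail-open shape: a negative `IdleTimeout` is clamped to 0, which the README documents as limitless, so a mistyped value removes the idle timeout instead of being reported. `createTunnelAuthResponse` begins above this hunk, so whether `conf` is validated earlier is not visible here.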