The Remote Desktop Protocol (RDP) allows end users to connect to a desktop from a different machine.
Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to RDP without being on a virtual private network (VPN).
You can choose to deploy the Cloudflare agent on every target desktop or deploy it once, in a bastion or jump host model, in your target environment.
This section will cover:
NOTE: If you have an origin that serves both RDP and HTTP requests, you need to place those services on separate domains or subdomains. Otherwise, errors occur when attempting to access the machine over different protocols. For example, requests made in a web browser will route over RDP and fail.
Connect the remote desktop to Cloudflare
1. Install cloudflared On The Remote Machine
Download and install cloudflared on the machine hosting the remote desktop. If you need help, you can find the relevant instructions for your OS here.
Select the version depending on your architecture, 64-bit or 32-bit.
Place the cloudflared executable in a location accessible to the OS, for example C:\Cloudflared\bin.
- Next, run CMD as an administrator to install the service:
C:\Cloudflared\bin\cloudflared.exe service install
By default, the agent will run as a Local Account service and will look for the configuration and certificate file in the systemprofile.
- Run the following command to create a new directory within systemprofile (this is the directory cloudflared looks in when running as a service):
mkdir C:\Windows\System32\config\systemprofile\.cloudflared
2. Authenticate cloudflared
- Run the following command to authenticate cloudflared into your Cloudflare account:
cloudflared login
cloudflared will open a browser window where you will be asked to log in to your Cloudflare account.
If you are working on a machine that does not have a browser, or a browser window does not launch, you can copy the URL from the command-line output and visit the URL in a browser on any machine.
Once you log in, Cloudflare will display the applications that you added to your account. Select the site where you want to create a subdomain to represent the remote desktop. For example, if you plan to share the desktop at rdp.site.com, select site.com from the list.
Each remote desktop requires a unique subdomain.
The certificate file (cert.pem) will now download to the user profile. Copy the file to the systemprofile directory created previously:
copy C:\Users\%USERNAME%\.cloudflared\cert.pem C:\Windows\System32\config\systemprofile\.cloudflared
cloudflared will download a wildcard certificate for the site. This certificate allows cloudflared to create a DNS record for a subdomain of the site.
cloudflared will use a YML file for configuration. Run Notepad.exe as an administrator, as this file will be saved to the system directory. Enter the following, replacing the hostname with your subdomain:
hostname: rdp.site.com
url: rdp://localhost:3389
logfile: C:\Windows\System32\config\systemprofile\.cloudflared\tunnel.log
- Save this file to the following location (config.yml is the file name cloudflared looks for by default):
C:\Windows\System32\config\systemprofile\.cloudflared\config.yml
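Before saving the file, it is worth checking the two rules this page states: the origin must be an rdp:// URL with a real port, and the subdomain must be unique and must not already serve another protocol (see the note at the top about RDP and HTTP sharing a domain). The POSIX sh script below does that and renders the same three-key configuration. It is an added example, not Cloudflare's code; the function names validate_rdp_tunnel_config and render_rdp_tunnel_config and the EXISTING list of already-published hostnames are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Cloudflare's code. Validates the inputs for the
# three-key cloudflared tunnel config shown above and renders the file.
# Function names and the EXISTING list are this example's own assumptions.

# validate_rdp_tunnel_config NAME URL EXISTING
#   NAME      public subdomain to publish, e.g. rdp.site.com
#   URL       origin the tunnel forwards to, must be rdp://host:port
#   EXISTING  space-separated hostnames already published for other
#             services (HTTP, SMB, ...); RDP must not share one of them
# Exit status 0 when acceptable, 1 otherwise (reason printed to stdout).
validate_rdp_tunnel_config() {
  name=$1; url=$2; existing=$3

  # The hostname is a bare subdomain of a zone on the account, never a URL.
  case "$name" in
    ""|*://*|*/*) echo "hostname must be a bare subdomain, got '$name'"; return 1 ;;
    *.*) ;;
    *) echo "hostname must be a subdomain (zone.tld), got '$name'"; return 1 ;;
  esac

  # The origin must use the rdp scheme; the port is whatever RDP listens on.
  case "$url" in
    rdp://*) ;;
    *) echo "url must start with rdp://, got '$url'"; return 1 ;;
  esac
  port=${url##*:}
  case "$port" in
    ""|*[!0-9]*) echo "url must end in host:port with a numeric port, got '$url'"; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "port $port is out of range"; return 1
  fi

  # One protocol per hostname: a name that already serves HTTP cannot
  # also serve RDP (see the note at the top of the page).
  for h in $existing; do
    if [ "$h" = "$name" ]; then
      echo "hostname $name is already published for another service"; return 1
    fi
  done
  return 0
}

# render_rdp_tunnel_config NAME URL LOGFILE
# Prints the config.yml body in the layout used on this page.
render_rdp_tunnel_config() {
  printf 'hostname: %s\nurl: %s\nlogfile: %s\n' "$1" "$2" "$3"
}

# Demonstration with constructed values; EXISTING lists names this
# (hypothetical) account already serves over HTTP.
EXISTING="www.site.com app.site.com"
if validate_rdp_tunnel_config rdp.site.com rdp://localhost:3389 "$EXISTING"; then
  render_rdp_tunnel_config rdp.site.com rdp://localhost:3389 \
    'C:\Windows\System32\config\systemprofile\.cloudflared\tunnel.log'
fi
# Rejected: RDP on a name that already serves HTTP.
validate_rdp_tunnel_config www.site.com rdp://localhost:3389 "$EXISTING" || true
```

Redirect the output of render_rdp_tunnel_config into the config.yml path given above; the validation runs anywhere a POSIX shell is available, so it can also be kept next to the Windows deployment as a pre-flight check.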
3. Secure The Subdomain With Cloudflare Access
Create an Access policy for the subdomain that represents the remote desktop (for example, if you share the desktop at rdp.site.com, that is the subdomain you will configure for the application).
4. Connect The Remote Desktop To Cloudflare
Confirm which port your remote desktop protocol uses.
By default, the RDP protocol listens on port
3389, but you can also use nonstandard ports.
Depending on your RDP configuration, consider one of the following options to connect:
- If you are not using a configuration file, you can run the following command to connect the desktop to Cloudflare, replacing the hostname and port values with your site and port:
cloudflared.exe tunnel --hostname rdp.site.com --url rdp://localhost:3389
- If you are using an internal DNS and the target machine is running on a hostname, you will need to modify the command to start the Tunnel without TLS verification to avoid certificate mismatches. For example, if the remote desktop server is available at rdp.internal.com, the following command can be run:
$ cloudflared tunnel --hostname rdp.site.com --no-tls-verify --origin-server-name rdp.internal.com --url rdp://localhost:3389
- If you are using the configuration file created as part of the Authenticate cloudflared process above, you can start the service from the Windows services panel, or run:
sc start cloudflared
In both cases, cloudflared will confirm that the connection has been established. The process needs to be configured to stay alive and autostart: if the process is killed, end users will not be able to connect.
5. Bastion or jump host Models (optional)
Instead of deploying cloudflared on each target machine, you can deploy it once in a private subnet in the bastion or jump host model.
To do so:
- Follow steps 1 through 3 above to configure the target bastion/jump host machine.
- Use this configuration when establishing the tunnel:
$ cloudflared tunnel --hostname rdp.site.com --bastion
This command will allow everything that can be routed from cloudflared to be reachable through the Tunnel. Ensure your network is properly segmented to avoid issues.
- Use this command to start an RDP listener on the client machine:
cloudflared access rdp --hostname YOURDOMAIN.domain.com --url localhost:2244 --destination rdpserver:3389
rdpserver:3389 is a default value and could differ based on what was configured in your instance.
- Now run the RDP client with the server set to localhost:2244.
You will then be prompted for an access login in the browser.
Connect from a client machine
1. Install cloudflared On The Client Machine
Follow steps 1 through 3 above to download and install cloudflared on the client desktop that will connect to the remote desktop. cloudflared will need to be installed on each user device that will connect.
2. Connect To The Remote Desktop
- Run the following command to create a connection from the device to Cloudflare. Any available port can be specified.
cloudflared.exe access rdp --hostname rdp.site.com --url localhost:2244
This command can be wrapped as a desktop shortcut so that end users do not need to use the command line.
Open your RDP client and configure the client to point to localhost:2244. Do not input the hostname.
When the client launches, cloudflared will launch a browser window and prompt the user to authenticate with your SSO provider.
3. Bastion or Jump Host Model (optional)
If you are deploying Cloudflare Access for RDP in a bastion or jump host model:
- End users will need to specify the local address of the specific desktop they want to reach. In most cases, these will be the same names used when connecting over RDP on a VPN.
cloudflared.exe access rdp --hostname rdp.site.com --url localhost:2244 --destination rdpserver:3389
Next, open the RDP client on the machine.
Point it to localhost:2244 and initiate the connection.
Configuring A Desktop Shortcut
You can help end users connect without requiring the command line by providing them with a shortcut that can be launched from the desktop.
Ensure that cloudflared.exe is installed on the end user device and available in the Windows Path.
Right-click on the Windows desktop and select New > Shortcut.
In the wizard that appears, paste in the following command with the hostname your team uses:
cloudflared access rdp --hostname monday.example.com --url localhost:2244
- Click Next and complete the wizard.
At this point the shortcut will appear on the desktop, and users can launch it with a double-click. The shortcut can then be distributed to end users along with
You may get a Windows warning indicating that the publisher of the application (cloudflared.exe) is unknown. This can be skipped by clicking More Info in the dialog box and then clicking Run Anyway. This will only appear one time.
Ensure that RDP is enabled on the target Windows machine. If not, you may encounter an error:
No connection could be made because the target machine actively refused it.
MacOS users can save a command shortcut that will launch the RDP flow.
- The command below can be saved as a .command file that can be launched on login:
var=/Applications/CF-RDP-Tunnel.command && echo "`which cloudflared` access rdp --hostname monday.example.com --url localhost:2244 &" > "$var" && chmod +x "$var"
- Check that everything is successful by running the following command:
$ lsof -nP -iTCP:2244 | grep LISTEN
If needed, you can kill the process by running the following command:
$ sudo kill -9 [process id]
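A scripted version of the check above, as an added example that is not Cloudflare's code: it parses the output of the same lsof command, reports the PID of the listener cloudflared opened, and confirms that the listener is bound to loopback only. The client points at localhost:2244 and the local port forwards to the remote desktop under this user's Access login, so nothing off-box should be able to reach it; a wildcard or LAN binding is flagged. The function names, the sample lsof lines and the PIDs in them are constructed for this example.

```shell
#!/bin/sh
# Added example, not Cloudflare's code. Inspects `lsof -nP -iTCP:PORT`
# output for the local RDP listener that `cloudflared access rdp` opens,
# so the check can be scripted instead of read by eye. Function names are
# this example's own assumptions.

# rdp_listener_pids PORT   (lsof output on stdin)
# Prints the PID of every process LISTENing on PORT, one per line.
rdp_listener_pids() {
  awk -v port="$1" '
    $NF == "(LISTEN)" {
      n = split($(NF-1), a, ":")      # NAME column is addr:port
      if (a[n] == port) print $2       # PID is the second column
    }' | sort -u
}

# rdp_listener_is_loopback PORT   (lsof output on stdin)
# Exit 0 when every listener on PORT is bound to 127.0.0.1 or [::1].
# Exit 1 (and name the offender) when one is bound to a wildcard or a
# LAN address, i.e. the local forwarding port is reachable from other
# hosts even though the client is meant to use localhost:2244 only.
rdp_listener_is_loopback() {
  awk -v port="$1" '
    BEGIN { bad = 0 }
    $NF == "(LISTEN)" {
      n = split($(NF-1), a, ":")
      if (a[n] != port) next
      host = substr($(NF-1), 1, length($(NF-1)) - length(a[n]) - 1)
      if (host != "127.0.0.1" && host != "[::1]") {
        printf "pid %s listens on %s, not loopback\n", $2, $(NF-1)
        bad = 1
      }
    }
    END { exit bad }'
}

# rdp_listener_stop PORT   (live check; runs lsof itself)
# Sends TERM (not KILL) to the listener so cloudflared can exit cleanly.
rdp_listener_stop() {
  pids=$(lsof -nP -iTCP:"$1" | rdp_listener_pids "$1")
  [ -n "$pids" ] && kill $pids
}

# Constructed sample output in the format lsof -nP prints; the PIDs,
# user and device values are made up.
SAMPLE_OK='COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cloudflar 4711 alice    7u  IPv4 0x1a2b   0t0      TCP  127.0.0.1:2244 (LISTEN)
cloudflar 4711 alice    9u  IPv4 0x1a2c   0t0      TCP  127.0.0.1:2244->127.0.0.1:50112 (ESTABLISHED)'
SAMPLE_EXPOSED='COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cloudflar 4712 alice    7u  IPv4 0x1a2d   0t0      TCP  *:2244 (LISTEN)'

# Usage against the samples; on a real machine pipe lsof -nP -iTCP:2244 in.
printf '%s\n' "$SAMPLE_OK" | rdp_listener_pids 2244
printf '%s\n' "$SAMPLE_OK" | rdp_listener_is_loopback 2244 && echo "ok: loopback only"
printf '%s\n' "$SAMPLE_EXPOSED" | rdp_listener_is_loopback 2244 || echo "exposed listener found"
```

On a live machine, `lsof -nP -iTCP:2244 | rdp_listener_is_loopback 2244` replaces the grep in the step above, and rdp_listener_stop 2244 replaces looking up the process id by hand.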
The command from Step 1 can then be configured to run at device login by navigating to System Preferences > Users & Groups.
Navigate to Macintosh HD/Applications and double-click the previously created .command file.
The default behavior in MacOS is for the Terminal window to stay open. You can configure it to close automatically.
In this video, you’ll learn how to use Cloudflare Access to protect a Remote Desktop Protocol (RDP) connection by setting up a secure link with Argo Tunnel.