RDP
The Remote Desktop Protocol (RDP) allows end users to connect to a desktop from a different machine.
Cloudflare Access provides a mechanism for end users to authenticate with their single sign-on (SSO) provider and connect to RDP without being on a virtual private network (VPN).
You can choose to deploy the Cloudflare agent on every target desktop or deploy it once, in a bastion or jump host model, in your target environment.
This section will cover:
- How to connect the remote desktop to Cloudflare
- How to connect from a Client machine
- How to configure desktop shortcuts for end users
NOTE: If you have an origin that serves both RDP and HTTP requests, you need to place those services on separate domains or subdomains. Otherwise, errors occur when attempting to access the machine over different protocols. For example, requests made in a web browser will route over RDP and fail.
Connect the remote desktop to Cloudflare
1. Install cloudflared On The Remote Machine
cloudflared will maintain a secure, persistent, outbound-only connection from the machine to Cloudflare. RDP traffic will be proxied over this connection using Cloudflare Argo Tunnel.
- Download and install cloudflared on the remote machine. If you need help, you can find the relevant instructions for your OS here. Select the version depending on your architecture, 64-bit or 32-bit.
- Place the cloudflared executable in a location accessible to the OS, for example:
C:\Cloudflared\bin\cloudflared.exe
- Next, run CMD as an administrator to install the service.
C:\Cloudflared\bin\cloudflared.exe service install
By default, the agent will run as a Local Account service and will look for the configuration and certificate file in the systemprofile directory.
- Run the following command to create a new directory within systemprofile.
mkdir C:\Windows\System32\config\systemprofile\.cloudflared
2. Authenticate cloudflared
- Run the following command to authenticate cloudflared into your Cloudflare account.
C:\Cloudflared\bin\cloudflared.exe login
cloudflared will open a browser window where you will be asked to log in to your Cloudflare account. If you are working on a machine that does not have a browser, or a browser window does not launch, you can copy the URL from the command-line output and visit the URL in a browser on any machine.
- Once you log in, Cloudflare will display the applications that you added to your account. Select the site where you want to create a subdomain to represent the remote desktop. For example, if you plan to share the desktop at rdp.site.com, select site.com from the list. Each remote desktop requires a unique subdomain.
Once selected, cloudflared will download a wildcard certificate for the site. This certificate allows cloudflared to create a DNS record for a subdomain of the site.
- The certificate file will download to the user profile. Copy the file to the systemprofile directory created previously.
copy C:\Users\%USERNAME%\.cloudflared\cert.pem C:\Windows\System32\config\systemprofile\.cloudflared
- Finally, cloudflared will use a YML file for configuration. Run Notepad.exe as an administrator, since this file will be saved to the system directory, and enter the following:
hostname: rdp.site.com
url: rdp://localhost:3389
logfile: C:\Windows\System32\config\systemprofile\.cloudflared\tunnel.log
- Save this file to the following location:
C:\Windows\System32\config\systemprofile\.cloudflared\config.yml
3. Secure The Subdomain With Cloudflare Access
- Create an application for the subdomain of your RDP. For example, if you share the desktop at rdp.site.com, that is the subdomain you will configure for the application.
- Build a policy to restrict user access to that subdomain.
4. Connect The Remote Desktop To Cloudflare
Confirm which port your remote desktop protocol uses. By default, the RDP protocol listens on port 3389, but you can also use nonstandard ports. Depending on your RDP configuration, consider one of the following options to connect:
- If you are not using a configuration file, you can run the following command to connect the desktop to Cloudflare, replacing the rdp.site.com and 445 values with your site and port.
.\cloudflared.exe tunnel --hostname rdp.site.com --url rdp://localhost:3389
- If you are using an internal DNS and the target machine is running on a hostname, you will need to modify the command to start the Tunnel without TLS verification to avoid certificate mismatches. For example, if the remote desktop server is available at rdp.internal.com, the following command can be run.
$ cloudflared tunnel --hostname rdp.site.com --no-tls-verify --origin-server-name rdp.internal.com --url rdp://localhost:433
- If you are using the configuration file created as part of the Authenticate cloudflared process above, you can start the service from the Windows services panel, or run:
sc start cloudflared
In both cases, cloudflared will confirm that the connection has been established. The process needs to be configured to stay alive and autostart. If the process is killed, end users will not be able to connect.
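A post-install check for the remote machine, added here as an example and not part of Cloudflare's documentation: it verifies the service and its autostart setting, the certificate and config.yml in systemprofile, and that RDP is listening on the port the tunnel forwards to. It assumes the paths used in the steps above and PowerShell 5.1 or later.

```powershell
# Added example, not Cloudflare's own tooling: verify the remote-machine setup from steps 1 to 4.
# Assumes the paths used above; change $profileDir if you placed the files elsewhere.
$profileDir = 'C:\Windows\System32\config\systemprofile\.cloudflared'
$configPath = Join-Path $profileDir 'config.yml'
$certPath   = Join-Path $profileDir 'cert.pem'
$problems   = @()

# 1. The service must exist, be running, and start automatically so users can reconnect after a reboot.
$svc = Get-Service -Name 'cloudflared' -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += 'cloudflared service is not installed (run: cloudflared.exe service install)'
} else {
    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name 'cloudflared' -StartupType Automatic
        Write-Host 'cloudflared start type changed to Automatic'
    }
    if ($svc.Status -ne 'Running') { $problems += "cloudflared service status is $($svc.Status)" }
}

# 2. The Local Account service reads cert.pem and config.yml from systemprofile, not from the user profile.
if (-not (Test-Path $certPath)) { $problems += "missing $certPath (copy it from %USERPROFILE%\.cloudflared)" }
if (-not (Test-Path $configPath)) {
    $problems += "missing $configPath"
} else {
    $yml = Get-Content $configPath -Raw
    if ($yml -notmatch '(?m)^\s*hostname:\s*\S+') { $problems += 'config.yml has no hostname: entry' }
    $m = [regex]::Match($yml, '(?m)^\s*url:\s*rdp://[^:\s]+:(\d+)')
    if (-not $m.Success) {
        $problems += 'config.yml url: is not of the form rdp://host:port'
    } else {
        # 3. RDP must actually be listening on the port the tunnel forwards to.
        $port = [int]$m.Groups[1].Value
        $listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        if (-not $listening) { $problems += "nothing is listening on TCP port $port" }
    }
    # Show the tail of the tunnel log named in config.yml, if present, to confirm the connection was established.
    $log = [regex]::Match($yml, '(?m)^\s*logfile:\s*(.+?)\s*$')
    if ($log.Success -and (Test-Path $log.Groups[1].Value)) { Get-Content $log.Groups[1].Value -Tail 5 }
}

# 4. RDP disabled in Windows shows up on the client as 'target machine actively refused it'.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 1) { $problems += 'Remote Desktop is disabled (fDenyTSConnections = 1)' }

if ($problems.Count -eq 0) { Write-Host 'cloudflared RDP tunnel setup looks complete' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it from an elevated PowerShell prompt, since systemprofile and the service start type are not readable or writable by a standard user.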
5. Bastion or Jump Host Models (optional)
Instead of deploying cloudflared on each target machine, you can deploy it once in a private subnet in the bastion or jump host model. To do so:
- Follow steps 1 through 3 above to configure the target bastion/jump host machine.
- Use this configuration when establishing the tunnel:
$ cloudflared tunnel --hostname rdp.site.com --bastion
This command will allow everything that can be routed from cloudflared to be reachable through the Tunnel. Ensure your network is properly segmented to avoid issues.
- Use this command to start an RDP listener on the client machine:
cloudflared access rdp --hostname YOURDOMAIN.domain.com --url localhost:2244 --destination rdpserver:3389
rdpserver:3389 is a default value and could differ based on what was configured in your instance.
- Now run the RDP client with the server set to localhost:2244. You will then be prompted for an Access login in the browser.
Connect from a client machine
1. Install cloudflared On The Client Machine
Follow steps 1 through 3 above to download and install cloudflared on the client desktop that will connect to the remote desktop. cloudflared will need to be installed on each user device that will connect.
2. Connect To The Remote Desktop
- Run the following command to create a connection from the device to Cloudflare. Any available port can be specified.
.\cloudflared.exe access rdp --hostname rdp.site.com --url localhost:2244
This command can be wrapped as a desktop shortcut so that end users do not need to use the command line.
- Open your RDP client and configure the client to point to localhost:2244. Do not input the hostname. When the client launches, cloudflared will launch a browser window and prompt the user to authenticate with your SSO provider.
3. Bastion or Jump Host Model (optional)
If you are deploying Cloudflare Access for RDP in a bastion or jump host model:
- End users will need to specify the local address of the specific desktop they want to reach. In most cases, this will be the names used when connecting over RDP on a VPN.
.\cloudflared.exe access rdp --hostname rdp.site.com --url localhost:2244 --destination rdpserver:3389
- Next, open the RDP client on the machine. Point it to localhost:2244 and initiate the connection.
Configuring A Desktop Shortcut
Windows
You can help end users connect without requiring the command line by providing them with a shortcut that can be launched from the desktop.
- Ensure that cloudflared.exe is installed on the end user device and available in the Windows Path.
- Right-click on the Windows desktop and select New > Shortcut.
- In the wizard that appears, paste in the following command with the hostname your team uses:
cloudflared access rdp --hostname monday.example.com --url localhost:2244
- Click Next and complete the wizard.
At this point the shortcut will appear on the desktop, and users can launch it with a double-click. The shortcut can then be distributed to end users along with cloudflared.
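The same shortcut can be created without the wizard, which is useful when preparing many user devices. The function below is an added example and not Cloudflare's own tooling; the function name and parameters are assumptions, and the optional -Destination parameter covers the bastion/jump host model described earlier.

```powershell
# Added example, not Cloudflare's own tooling: create the desktop shortcut from the wizard above with PowerShell.
# -Destination is only needed in the bastion/jump host model (e.g. rdpserver:3389).
function New-CloudflaredRdpShortcut {
    param(
        [Parameter(Mandatory)] [string] $Hostname,   # the Access-protected subdomain, e.g. monday.example.com
        [int]    $LocalPort   = 2244,                # local port the RDP client will be pointed at
        [string] $Destination = '',                  # target desktop behind a bastion, if any
        [string] $Name        = 'RDP via Cloudflare' # shortcut name on the desktop
    )
    # cloudflared.exe must already be on the Windows Path, as the section above requires.
    $cmd = Get-Command cloudflared.exe -ErrorAction SilentlyContinue
    if (-not $cmd) { throw 'cloudflared.exe was not found on the Path' }

    # Refuse a port that is already in use; the listener would fail to bind when the shortcut is launched.
    if (Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue) {
        throw "TCP port $LocalPort is already in use; pick another -LocalPort"
    }

    $argList = "access rdp --hostname $Hostname --url localhost:$LocalPort"
    if ($Destination) { $argList += " --destination $Destination" }

    # WScript.Shell is the standard COM interface for writing .lnk files.
    $lnkPath = Join-Path ([Environment]::GetFolderPath('Desktop')) "$Name.lnk"
    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath  = $cmd.Path
    $lnk.Arguments   = $argList
    $lnk.Description = "Starts an Access-protected RDP listener on localhost:$LocalPort; point your RDP client there"
    $lnk.Save()
    return $lnkPath
}

# Usage: the hostname from the wizard example above.
New-CloudflaredRdpShortcut -Hostname 'monday.example.com'
```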
Common issues
You may get a warning indicating that the .exe (cloudflared.exe) is unknown. This can be skipped by clicking More Info in the dialog box and then clicking Run Anyway. This will only appear one time.
Ensure that RDP is enabled on the target Windows machine. If not, you may encounter an error: No connection could be made because the target machine actively refused it.
MacOS
MacOS users can save a command shortcut that will launch the RDP flow.
- The command below can be saved as a .command file that can be launched on login:
var=/Applications/CF-RDP-Tunnel.command && echo "`which cloudflared` access rdp --hostname monday.example.com --url localhost:2244 &" > $var && chmod +x $var
- Check that everything is successful by running the following command:
$ lsof -nP -iTCP:2244 | grep LISTEN
If needed, you can kill the process by running the following command:
$ sudo kill -9 [process id]
- The command from Step 1 can then be configured to run at device login by navigating to System Preferences > Users & Groups. Select the + sign, navigate to Macintosh HD/Applications, and double click on the previously created CF-RDP-Tunnel.command file.
The default behavior in MacOS is for the Terminal window to stay open. You can configure it to close automatically.
Video Guides
In this video, you’ll learn how to use Cloudflare Access to protect a Remote Desktop Protocol (RDP) connection by setting up a secure link with Argo Tunnel.