Connect to RDP in a browser

With Cloudflare Zero Trust, users can connect to an RDP server without installing an RDP client or the WARP client on their device. Browser-based RDP leverages Cloudflare Tunnel, which creates a secure, outbound-only connection from your RDP server to Cloudflare's global network. Setup involves running the cloudflared daemon on the RDP server (or any other host machine within the private network) and routing RDP traffic over a public hostname.

There are two ways for users to reach the RDP server in their browser:

App Launcher: Users can log in to the Access App Launcher with their Cloudflare Access credentials and then initiate an RDP connection within the browser to their Windows machine. Users will authenticate to the Windows machine using their pre-configured Windows username and password. Cloudflare does not manage any credentials on the Windows server.
Direct URL: A user may also navigate directly to the Windows server using a public URL. The authentication flow is the same as for the App Launcher; first users must log in to Cloudflare Access and then use their Windows credentials to authenticate to the Windows machine.

Browser-based RDP can be used in conjunction with routing over WARP so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method.

Prerequisites

An active domain on Cloudflare
Domain uses either a full setup or a partial (CNAME) setup
Windows machine supports RDP connections. For a list of supported operating systems, refer to the Windows documentation ↗.

1. Connect the server to Cloudflare

Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.

In the Private Networks tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed.

2. Add a target

A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare.

Create a target for each Windows machine that requires RDP access. To create a new target:

In Zero Trust ↗, go to Networks > Targets.
Select Add a target.
In Target hostname, enter a user-friendly name for the target resource. We recommend using the server hostname, for example production-server. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.
Format restrictions
- Case insensitive
- Contain no more than 253 characters
- Contain only alphanumeric characters, -, or . (no spaces allowed)
- Start and end with an alphanumeric character
In IP addresses, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address.

In the dropdown menu, select the IP address and virtual network where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
Select Add target.

Create an API token with the following permissions:

Type Item Permission
Account Zero Trust Edit

Type	Item	Permission
Account	Zero Trust	Edit

Make a POST request to the Infrastructure Access Targets endpoint:

curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
--data '{
  "hostname": "infra-access-target",
  "ip": {
    "ipv4": {
      "ip_addr": "187.26.29.249",
      "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
    },
    "ipv6": {
      "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
      "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
    }
  }
}'

Add the following permission to your cloudflare_api_token ↗:
- Zero Trust Write

Configure the cloudflare_zero_trust_infrastructure_access_target ↗ resource:

resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" {
  account_id = var.cloudflare_account_id
    hostname   = "infra-access-target"
    ip = {
      ipv4 = {
        ip_addr = "187.26.29.249"
        virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      }
      ipv6 = {
        ip_addr = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
        virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    }
}

Next, create an Access application to secure the target.

3. Create an Access application

In Zero Trust ↗, go to Access > Applications.
Select Add an application.
Select Self-hosted.
Enter any name for the application.
In Session Duration, choose how often the user's application token should expire.

Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to Session management.

Select Add public hostname.

Browser-based RDP is only compatible with public hostnames. If you add a private hostname or IP, RDP functionality will not be available in this application.
In the Domain dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use wildcards to protect multiple parts of an application that share a root path.

Alternatively, to use a Cloudflare for SaaS custom hostname, set Input method to Custom and enter your custom hostname.

You can only enable browser-based RDP on domains and subdomains, not for specific paths.
Expand Browser rendering settings. In the Browser rendering dropdown, select RDP.
In Target criteria, select the target hostname(s) that define your RDP servers. The application definition will apply to all targets that share the selected target hostname, including any targets added in the future.
In Port, enter the RDP listening port ↗ of your server. It will likely be port 3389.
(Optional) If you run RDP on more than one port, select Add new target criteria and reconfigure the same target hostname(s) with the different port number.
Add Access policies to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.

Configure how users will authenticate:
1. Select the Identity providers you want to enable for your application.
2. (Recommended) If you plan to only allow access via a single IdP, turn on Instant Auth. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.
3. (Optional) Under WARP authentication identity, allow users to authenticate to the application using their WARP session identity.
Select Next.
(Recommended) Turn on Show application in App Launcher and configure App Launcher settings for the application. The App Launcher allows users to view the Windows servers that they can access using browser-based RDP. Without the App Launcher, users will need to know each target's direct URL.

Ensure that users match an Allow rule in your App Launcher policies.
Under Block page, choose what end users will see when they are denied access to the application:
- Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is That account does not have access, or you can enter a custom message.
- Redirect URL: Redirect to the specified website.
- Custom page template: Display a custom block page hosted in Zero Trust.
Select Next.
(Optional) Configure advanced settings:
- Cross-Origin Resource Sharing (CORS) settings
- Cookie settings
- 401 Response for Service Auth policies: Return a 401 response code when a user (or machine) makes a request to the application without the correct service token.
Select Save.

4. Create a DNS record

In the Cloudflare dashboard ↗, go to DNS > Records and verify that a DNS record exists for your domain. The DNS record allows Cloudflare to proxy browser-based RDP traffic to your private network. Any arbitrary DNS record will work.

If you do not already have a DNS record, create a new DNS record. For example, you could create a CNAME record that points your Access application public hostname (app.example.com) to your Cloudflare Tunnel (<tunnel-id>.cfargotunnel.com):

Type: CNAME
Name: app
Target: c1744f8b-faa1-48a4-9e5c-02ac921467fa.cfargotunnel.com
Proxy status: On

5. Connect as a user

To connect to a Windows machine over RDP:

Open a browser and go to your App Launcher URL:
```
https://<your-team-name>.cloudflareaccess.com
```
Replace <your-team-name> with your Zero Trust team name.
Follow the prompts to log in to your identity provider.

Once you have authenticated, the App Launcher will display tiles showing the applications that you are authorized to use. Windows servers (targets) available through browser-based RDP will also appear as tiles. If a target is reachable through multiple Access applications, the target will have a tile per Access application.
Select the target you want to connect to.

The App Launcher tile will launch a URL of the form https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port>. You may also navigate directly to this URL.
Select the port that you want to connect to. The port selection screen only appears if the Access application allows RDP traffic on multiple ports (for example, port 3389 and port 65321).
Enter your Windows username and password.

You now have access to the remote Windows desktop.

Product compatibility

When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application.

However, the following products are not supported:

You can disable Automatic Signed Exchanges and Zaraz for a specific application - instead of across your entire zone - using a Configuration Rule scoped to the application domain.

Was this helpful?

Community
X
Discord
YouTube
GitHub