Cloudflare access RDP - ztna

Hello Team,

I have pointed my domain NS records to the Cloudflare edge network and use Cloudflare for Teams for exposing my internal apps (zero trust platform). I have managed to expose web UI (http/https) and SSH access in the browser. But somehow I just cannot make RDP access work. I created a CNAME record for the rdp app, configured the cloudflared conf file with an ingress rule for the rdp app (rdp://localhost:3389), routed DNS for this CNAME to the tunnel and no success.
User experience is, when opening the rdp app in the browser, after successful authentication nothing happens. The SSL cert is valid (Cloudflare cert), but the browser is empty (blank/white screen only/no messages).
Can you help me with this? How to make this work? Will RDP work in the browser or how?

Thank you in advance.

Milos

Hello,

I just managed to access internal resources by RDP by creating a websocket listener on the RDP client machine on a random port (not 3389). And to access it like creating an RDP connection to: localhost:3398

Is there a possibility to expose RDP in the browser directly? This is not really a good user experience, to have to expose a web socket and so on…

It seems you already figured it out.

Let me make this extra clear for everyone though. There are 2 usages for Tunnel:

  1. expose private origins on Cloudflare DNS/LB to the Internet (possibly blocked by Access) — this works for HTTP
  2. expose private origins via IP (or private DNS) to Cloudflare-connected users (e.g. with Zero Trust WARP client) — this works for any TCP/UDP protocol

The caveat in this “simple” view is that, for 1., we also support TCP. But the way we do it is by having the client run cloudflared access to expose a port (on the client machine) where TCP traffic goes to, it gets wrapped in websocket, goes to Cloudflare HTTP path and lands on your Tunnel origin. All of that via the mechanism 1. that is HTTP only. The caveat is obviously that your clients have to run cloudflared access.

What we promote/recommend these days is to use the approach 2 for more complex cases (which yours is starting to sound like, with multiple types of origins and protocols).
It is easier to manage and more transparent to users. It is also more powerful.

You can read about these in:

  1. https://developers.cloudflare.com/cloudflare-one/applications/non-http/arbitrary-tcp/
  2. https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/

Going with 1. is particularly neat when it’s HTTP only, or if the TCP-based protocol is supported by the in-browser functionality that Cloudflare gives (which is SSH and VNC only today).
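As an added example (not from the thread, nor Cloudflare's own docs or code), here is the server-side cloudflared config for option 1 with the three app types discussed in this thread, plus a small sanity check for the two things that most often break it: a missing catch-all last rule and a wrong service scheme. The tunnel UUID and the example.com hostnames are placeholders.

```shell
#!/bin/sh
# Added example: server-side config.yml for option 1 (Tunnel + Access).
# Placeholders: TUNNEL_ID and the *.example.com hostnames.
set -e

write_cloudflared_config() {   # $1 = output path, $2 = tunnel UUID, $3 = zone
  cat > "$1" <<EOF
tunnel: $2
credentials-file: /etc/cloudflared/$2.json
ingress:
  # Rendered in the browser behind Access: HTTP(S) and SSH.
  - hostname: web.$3
    service: http://localhost:8080
  - hostname: ssh.$3
    service: ssh://localhost:22
  # RDP is NOT rendered in the browser. The client must run
  #   cloudflared access rdp --hostname rdp.$3 --url rdp://localhost:3389
  # and then point the RDP client at localhost:3389; the TCP stream is
  # wrapped in a websocket and reaches this origin over the HTTP path.
  - hostname: rdp.$3
    service: rdp://localhost:3389
  # cloudflared refuses to start unless the final rule has no hostname.
  - service: http_status:404
EOF
}

# Returns 0 when the last ingress rule is a catch-all (no hostname filter)
# and an rdp:// service is present; 1 otherwise.
# (cloudflared itself offers `cloudflared tunnel ingress validate` too.)
ingress_sanity_check() {   # $1 = config path
  last_rule=$(grep -E '^[[:space:]]*- ' "$1" | tail -n 1)
  echo "$last_rule" | grep -qE '^[[:space:]]*- service:' || return 1
  grep -qE 'service: rdp://' "$1" || return 1
  return 0
}
```

Run `write_cloudflared_config /etc/cloudflared/config.yml <TUNNEL_ID> example.com` on the origin, then `ingress_sanity_check` on the file before restarting cloudflared.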

Hello Nuno,

Thank you for the clear answer.

Kindly send me the technical topology for options 1 and 2 if any.

If I use the warp client on my origin, does it eliminate the need for cloudflared or not? Does the warp client need to be up all the time to make the origin available all the time? Or, on the other hand, is the warp client used on the client side only? Is the backend (origin) tunneled to the Cloudflare edge via a cloudflared tunnel?

Kind regards,

Miloš Jovović | Network Security Team Leader

Jevrejska 37, 78000 Banja Luka, Bosna i Hercegovina

m +387 66 582 112


w www.pulsec.com

The links on the docs I shared above are the best entry points.
You can also see tutorials in https://developers.cloudflare.com/cloudflare-one/tutorials/ that cover many cases.

The server will always have cloudflared tunnel running.
The client can have cloudflared access (for case 1. above), which has to be run for each specific server being accessed. Or it can have WARP (for case 2. above), which routes all traffic via Cloudflare and so we do the “access” for the client transparently (it acts more like a distributed SaaS VPN).

Yes. Think of WARP as a client to a distributed SaaS Zero Trust VPN.

Yes

Yes

Hello Nuno,

Thanks for the explanation.

If I expose SSH app (in browser) I figured out that lines are short (not really helpful for remote administration).
Is there some tip for SSH apps to solve this issue?

If I use the warp client, how do I make my client PC (Windows with warp client) connect to my origin apps (SSH, WebUI, RDP)?
If I do not use the warp client option (Preferences > Account > Login with Cloudflare Zero trust), how do I access the apps?
And if I check this option “Login with Cloudflare Zero trust”, how do I connect to the apps? I can enter my organization (team) name.

And login to teams Cloudflare access (Cloudflare zero trust) with warp client.

Now my warp client connection/session is authenticated and details are:
• Connection: WARP+ (what does it mean?)
• DNS protocol: HTTPS (how to make it normal DNS not encrypted and tunneled over HTTP?)
• Account type is: Zero Trust
• Team Name: xxx

It uses like Gateway with WARP > Virtual networks (default). What does it mean?
I can see that I can switch to Gateway with DoH, what does it mean (difference from Gateway with WARP)?
If it is switched to Gateway with DoH, connection details are:
Connection: 1.1.1.1
DNS Protocol: HTTPS

If I log off from zero trust with my warp client, I get again options:
• 1.1.1.1
Connection details are:
o Connection: 1.1.1.1
o DNS protocol: HTTPS (Can be switched to TLS)
• 1.1.1.1 with WARP
Connection details are:
o Connection: WARP
o DNS Protocol: HTTPS (Can be switched to TLS and WARP)

And what are those two options in the warp client?

What is the difference between this warp client which is logged in to zero trust and a warp client (not logged in to zero trust)?

I’m not sure what that means.

@abe can you tag Kenny here for in-browser SSH to private origins?

Option 2. (cited above in my comment) is for when you login with Cloudflare Zero Trust.
You can see a tutorial at https://developers.cloudflare.com/cloudflare-one/tutorials/zero-trust-network-access/

As for all the other questions, you can find plenty of docs about it all in https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/
All you need is the Cloudflare Zero Trust mode.

You can see all the other modes in https://developers.cloudflare.com/warp-client/warp-modes/ but they won’t let you access private origins. Those other modes are just for protecting your egress traffic, but it still goes out to the Internet (via Cloudflare).

Hello Nuno,

Thanks again for the explanation.

I can see for the normal warp client mode that in the Windows routing table there are no Cloudflare next hops.

How do I check if my outgoing traffic goes through the Cloudflare edge network?

How do I make split tunnel changes?
