I pointed my domain's NS records to the Cloudflare edge network and use Cloudflare for Teams to expose my internal apps (Zero Trust platform). I have managed to expose the web UI (http/https) and SSH access in the browser. But somehow I just cannot make RDP access work. I created a CNAME record for the RDP app, configured the cloudflared conf file with an ingress rule for the RDP app (rdp://localhost:3389), routed DNS for this CNAME to the tunnel, and had no success.
The user experience is: when opening the RDP app in the browser, after successful authentication nothing happens. The SSL cert is valid (Cloudflare cert), but the browser page is empty (blank/white screen only, no messages).
Can you help me with this? How do I make this work? Will RDP work in the browser, or how?
I just managed to access internal resources by RDP by creating a WebSocket listener on the RDP client machine on a random port (not 3389), and then creating an RDP connection to localhost:3398.
Is there a possibility to expose RDP in the browser directly? It is not a good user experience to have to expose a WebSocket and so on…
Let me make this extra clear for everyone though. There are 2 usages for Tunnel:
1. expose private origins on Cloudflare DNS/LB to the Internet (possibly blocked by Access) — this works for HTTP
2. expose private origins via IP (or private DNS) to Cloudflare-connected users (e.g. with Zero Trust WARP client) — this works for any TCP/UDP protocol
The caveat in this “simple” view is that, for 1., we also support TCP. But the way we do it is by having the client run cloudflared access to expose a port (on the client machine) where TCP traffic goes; it gets wrapped in a WebSocket, goes over the Cloudflare HTTP path and lands on your Tunnel origin. All of that via mechanism 1., which is HTTP only. The caveat is obviously that your clients have to run cloudflared access.
What we promote/recommend these days is to use approach 2 for more complex cases (which yours is starting to sound like, with multiple types of origins and protocols).
It is easier to manage and more transparent to users. It is also more powerful.
Going with 1. is particularly neat when it’s HTTP only, or if the TCP-based protocol is supported by the in-browser functionality that Cloudflare gives (which is SSH and VNC only today).
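To make the two halves of usage 1 concrete for RDP (the origin-side ingress rule and the client-side cloudflared access listener the reply describes), here is an added example; it is not from the thread or from Cloudflare, and the tunnel UUID, hostname rdp.example.com and local port 3398 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes cloudflared is installed on
# the origin (tunnel side) and on the client PC; the UUID/hostname are placeholders.

TUNNEL_ID="${TUNNEL_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder tunnel UUID
RDP_HOST="${RDP_HOST:-rdp.example.com}"                          # CNAME routed to the tunnel
LOCAL_PORT="${LOCAL_PORT:-3398}"                                 # free port on the client, not 3389

# Origin side: cloudflared config. RDP is only reachable through the tunnel
# hostname; the trailing catch-all rule is required or cloudflared refuses to start.
write_tunnel_config() {
  cat > "$1" <<EOF
tunnel: $TUNNEL_ID
credentials-file: /etc/cloudflared/$TUNNEL_ID.json
ingress:
  - hostname: $RDP_HOST
    service: rdp://localhost:3389
  - service: http_status:404
EOF
}

# Client side: the step a browser cannot do for RDP. cloudflared completes the
# Access login, opens a local listener and wraps the RDP bytes in a WebSocket to
# Cloudflare; the RDP client then connects to localhost:$LOCAL_PORT.
client_access_cmd() {
  echo "cloudflared access rdp --hostname $RDP_HOST --url rdp://localhost:$LOCAL_PORT"
}

# Sanity check of the generated file: exactly one rule for the RDP hostname and
# the catch-all rule last, so nothing else answers on that hostname.
check_config() {
  [ "$(grep -c "hostname: $RDP_HOST" "$1")" -eq 1 ] || return 1
  tail -n 1 "$1" | grep -q 'http_status:404' || return 1
  return 0
}

# Stand-alone run: write the config, check it, print the client command.
CONFIG_OUT="${CONFIG_OUT:-/tmp/cloudflared-rdp-config.yml}"
write_tunnel_config "$CONFIG_OUT"
check_config "$CONFIG_OUT" && echo "config ok: $CONFIG_OUT"
client_access_cmd
```

The Access application for rdp.example.com still gates who can complete the login step, so the listener on the client is only useful to an identity the policy allows.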
Kindly send me the technical topology for options 1 and 2, if any.
If I use the WARP client on my origin, does it eliminate the need for cloudflared or not? Does the WARP client need to be up all the time to make the origin available all the time? Or, on the other hand, is the WARP client used on the client side only? Is the backend (origin) tunneled to the Cloudflare edge via a cloudflared tunnel?
Kind regards,
Miloš Jovović | Network Security Team Leader
Jevrejska 37, 78000 Banja Luka, Bosna i Hercegovina
The server will always have a cloudflared tunnel running.
The client can have cloudflared access (for case 1. above), which has to be run for each specific server being accessed. Or it can have WARP (for case 2. above), which routes all traffic via Cloudflare and so we do the “access” for the client transparently (it acts more like a distributed SaaS VPN).
Yes. Think of WARP as a client to a distributed SaaS Zero Trust VPN.
If I expose an SSH app (in the browser), I have found that the lines are short (not really helpful for remote administration).
Is there some tip for SSH apps to solve this issue?
If I use the WARP client, how do I make my client PC (Windows with the WARP client) connect to my origin apps (SSH, WebUI, RDP)?
If I do not use the option in the WARP client (Preferences > Account > Login with Cloudflare Zero Trust), how do I access apps?
And if I check this option “Login with Cloudflare Zero Trust”, how do I connect to apps? I can enter my organization (team) name
and log in to Cloudflare for Teams Access (Cloudflare Zero Trust) with the WARP client.
Now my WARP client connection/session is authenticated and the details are:
• Connection: WARP+ (what does it mean?)
• DNS protocol: HTTPS (how do I make it normal DNS, not encrypted and tunneled over HTTP?)
• Account type is: Zero Trust
• Team Name: xxx
It uses something like Gateway with WARP > Virtual networks (default). What does this mean?
I can see that I can switch to Gateway with DoH; what does that mean (the difference from Gateway with WARP)?
If it is switched to Gateway with DoH, the connection details are:
Connection: 1.1.1.1
DNS Protocol: HTTPS
If I log off from Zero Trust with my WARP client, I get these options again:
• 1.1.1.1
Connection details are:
o Connection: 1.1.1.1
o DNS protocol: HTTPS (Can be switched to TLS)
• 1.1.1.1 with WARP
Connection details are:
o Connection: WARP
o DNS Protocol: HTTPS (Can be switched to TLS and WARP)
And what are those two options in the WARP client?
What is the difference between this WARP client logged in to Zero Trust and the WARP client not logged in to Zero Trust?
You can see all the other modes in https://developers.cloudflare.com/warp-client/warp-modes/ but they won’t let you access private origins. Those other modes are just for protecting your egress traffic, but it still goes out to the Internet (via Cloudflare).