Warp SMB User Authentication

I’m evaluating using Teams for ZTNA to replace VPN. On remote computers I want to use Warp and a device posture to validate remote computers. Then use a network tunnel and gateway network policies to secure access to SMB and RDP servers. I got that part working, but I don’t see a way to authenticate users (Azure & MFA) and set session durations. I read in the forum linked below that a “session management for Warp” feature will be released soon. Once this feature is available, will I be able to set a gateway network policy with a session duration, and authenticate user sessions via Warp?

Or maybe there is another way to validate/authenticate devices and users? I believe our need to use SMB limits our options, or else we could use Access application policies. I read the tutorial linked below, but I don’t want to run cloudflared on remote computers because I don’t believe you can validate devices with a device posture. Proxying a non-standard localhost port such as 8445 is also problematic, and trying to use localhost 445 is an issue too.

https://developers.cloudflare.com/cloudflare-one/tutorials/smb

Any advice you can offer would be greatly appreciated!

(Because you’re talking about RDP, I’m just going to assume that you’re using Windows mostly)

As far as I’m concerned, Cloudflare can pass on JWTs to sign you into applications, as well as signing into SAML/SSO applications.

I believe that Windows can try to use your Windows password automatically, and that RDP could use an RD Gateway, but at that point, your users might as well just use their passwords to sign in.

I believe that documentation error has more to do with who can sign in on a device. I don’t think this is for signing anyone in.

As far as I know, Cloudflare Access’s single-sign-on features are for web applications. RDP and SMB don’t really have any standardised SSO methods (apart from the Windows/Azure ones).
Now I’m really assuming that you’re using Windows 10/11, on either Pro/Education/Enterprise.

Using Active Directory to sign in to SMB and RDP would be the way to go. I haven’t tried this myself, but for remote work, as well as signing into other apps, you can add Azure AD as an authentication method for Cloudflare for Teams. If you deploy the WARP client (see here), you can probably use Azure AD as a Device Posture Attribute. This should help automatically sign users into web applications, as well as using the tunnel to sign in remotely.
https://developers.cloudflare.com/cloudflare-one/identity/devices/azure-ad
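As an added illustration of the “device posture plus gateway network policy” setup the question describes (not code from either poster), here is what the SMB/RDP allow rule and its catch-all block might look like in Terraform. The resource and attribute names are assumed from the Cloudflare Terraform provider; the account id, server CIDR, group name and posture-check id are placeholders.

```hcl
# Added example (assumptions: cloudflare provider resource/attribute names;
# all ids, CIDRs and group names below are placeholders).
variable "account_id" { type = string }

# Allow SMB (445) and RDP (3389) to the private server range only for
# users in the assumed AD group whose device passed the assumed posture check.
resource "cloudflare_zero_trust_gateway_policy" "smb_rdp_allow" {
  account_id  = var.account_id
  name        = "Allow SMB/RDP from posture-passing devices"
  description = "Constructed example: identity + device posture gate for file/RDP servers"
  precedence  = 100
  enabled     = true
  action      = "allow"
  filters     = ["l4"]

  # Traffic selector: placeholder CIDR, TCP 445 or 3389 (space-separated set syntax)
  traffic = "net.dst.ip in {10.0.10.0/24} and net.dst.port in {445 3389} and net.protocol == \"tcp\""

  # Identity selector: placeholder Azure AD group name
  identity = "any(identity.groups.name[*] == \"PLACEHOLDER-file-server-users\")"

  # Device posture selector: placeholder posture check id
  device_posture = "any(device_posture.checks.passed[*] == \"PLACEHOLDER-posture-check-id\")"
}

# Everything else to those ports is blocked; lower precedence number wins,
# so the allow rule above is evaluated first.
resource "cloudflare_zero_trust_gateway_policy" "smb_rdp_block" {
  account_id  = var.account_id
  name        = "Block remaining SMB/RDP"
  description = "Constructed example: default deny for file/RDP ports"
  precedence  = 200
  enabled     = true
  action      = "block"
  filters     = ["l4"]
  traffic     = "net.dst.ip in {10.0.10.0/24} and net.dst.port in {445 3389}"
}
```

Gateway logs for the block rule are the place to look when a device that should pass posture is refused, since the rule name appears against each blocked flow.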
