RDP through Warp client

Hey everyone,

I have been trying to dive into the Zero Trust tools that Cloudflare has been building out and I’m wondering if it’s possible to set up RDP on a Windows server, but using Warp for the endpoint connection.

I’ve read this article about using Cloudflared to connect from the client to the tunnel and I can get this working, but I am hoping that it’s possible to do the same type of thing but from the Warp client instead of needing to install Cloudflared on the clients - https://developers.cloudflare.com/cloudflare-one/tutorials/rdp/

I have also gotten it working where it’s basically functioning like a VPN and I expose the local VLAN through the Tunnel on the server. This might resolve the problem I’m trying to solve, but ideally I would like to only expose RDP, basically “as a service” and then have Cloudflare evaluate the connections directly, rather than exposing it at a network level. And I’m hoping I can do so through Warp so that it’s easier to deploy to our clients. Just wondering if it’s even possible. Thank you!

As of now and with what I know from my tests, the way they want us to only deploy RDP through the Zero Trust platform is by using the Cloudflare daemon on the client too. The client daemon redirects 3389 through the tunnel. The issue I see is I don’t know if the Warp client will be considered this way. There is a chance, but I’m not sure.

I wish the client side would not need the Cloudflare daemon for this installation, as I don’t want to configure every user with the daemon on their personal computers…

Yes, it totally seems possible through Warp, at least one person managed to do this:

https://community.cloudflare.com/t/private-network-rdp/298006/24

Yeah the Cloudflare tools seem powerful, they just need the UI and special sauce to make it more user friendly and turn key. Having to leave a command prompt open to maintain the tunnel, and having a full browser window for authentication doesn’t exactly make for a great user experience.

Ideally, they’d have a portal page that integrates with Warp that allows admins to configure “apps” that when selected establish the tunnel and then optionally run a custom command/executable like “mstsc” on the local computer. That way all the user needs to do (after installing/configuring Warp for the first time) is to go to the app portal and click an “app”.

Going further, I was hoping when first reading about these tools, that users would just be able to hit the service directly via a friendly sub-domain and have the tunnel happen automatically through Cloudflare’s cloud servers. All that would be required on the client is an authenticated agent that perhaps intercepts the DNS queries to implicitly authenticate and handle the connection. Maybe that’s technically not possible or has security implications, but that would be ideal.

This is correct. I’m actually in the process of setting up RDP for about 8 users in a small company, with Intune managed PCs and AzureAD only. It’s not the smoothest process and unless you’re able to automate this, it’s honestly only possible with a small number of people.

I have come up with a super janky, Cloudflare only solution to deployment.

  1. Create a Cloudflare pages site with an instructions HTML file and zip files of the below
  2. Allow the Cloudflare access app portal (or whatever it’s called)
    1. Create shortcuts to the instruction HTML, the direct app download links and then a zip file for each staff member that contains:
      1. Shortcut to cloudflared.exe as directed in the instructions with the hostname you’re using to connect
      2. Custom RDP shortcut that contains their username and password and some other settings (only necessary when dealing with AzureAD joined PCs as they have some weirdness)
  3. Send staff the CF Access portal website and let them set it up themselves. I’ve tested with a couple of non-technical staff and it works fairly well.

That’s kind of what I’m seeing too, but I was hoping I was just missing something. I’ll keep poking around and see if there’s some way to make it work, or hopefully this is something coming in a future release. Thanks for confirming!

I believe they are just exposing the IP for that based on their comment. I can get the IP subnets to work through Warp if I set up the cloudflared to just expose the network subnet, but what I’d like to do (at some point anyway) is just expose some RDP servers more like services. So you are only hitting that specific service, rather than an IP. It also kind of helps solve situations where IP subnets overlap.

I can get it to work by having cloudflared on both sides, but it’s a bit of a pain to have client computers try to configure that on their own computers. Or I can use the IP subnets and just use Warp to route to those. So there are workarounds, I was just hoping for a more specific solution. Hopefully it’s something they can add in the future!