Skip to content
Cloudflare Docs
Docs DirectoryAPIsSDKs

In-browser remote desktop

Provide secure, in-browser remote desktop access to Windows hosts without Remote Desktop Protocol (RDP) client software on the user's device. This is useful when you need to give IT staff or support teams remote access to Windows machines for administration or troubleshooting from any browser.

To explore other access scenarios, refer to Secure private apps.

This guide follows the same steps as the Get Started experience in the Cloudflare One dashboard.

How it works

Cloudflare Tunnel connects your private network to Cloudflare without opening any ports on your network. You install cloudflared, a connector service that runs in the background, on a device that can reach the Windows host. It creates a secure connection from your network out to Cloudflare, so no firewall changes are required.

Cloudflare Access sits in front of the host and verifies who each user is before letting them through. Users sign in through a browser using an email one-time PIN or your identity provider, then interact with the Windows desktop through an in-browser remote desktop session.

For details on supported operating systems, connection methods, and known limitations, refer to Connect to RDP in a browser.

Prerequisites

  • A Cloudflare account with a Zero Trust organization. If you have not set this up, refer to Get started.
  • An active domain on your Cloudflare account. A public subdomain is created on this domain for your application.
  • A Linux, Windows, or macOS device on your private network that can reach the Windows host. This is where you install the tunnel.
  • A Windows host on your private network that accepts Remote Desktop connections.

Step 1: Define your application

In this step, you describe the Windows host you want to make available through Cloudflare.

  1. In Cloudflare One, select the Get Started tab.
  2. For Securely access private web apps without an agent, select Get started.
  3. For Enable in-browser remote desktop sessions to Windows hosts, select Continue.
  4. On the Zero Trust RDP client directly from your browser screen, select Continue.
  5. Enter a name for your application.
  6. Enter the local IP address of the Windows host (for example, 10.10.1.25).
  7. Enter the RDP port (the default is 3389).
  8. Select Continue.

Step 2: Select a public domain

Your application needs a public URL so users can reach it from a browser. Cloudflare creates a public URL on one of your existing domains for the application.

  1. Select a domain from the dropdown.
  2. Enter a subdomain (for example, grafana). A preview of the full URL appears (for example, grafana.example.com).
  3. Select Continue.

Step 3: Add your first policy

An Access policy controls who can reach your application. In this step, you create a simple policy using email-based one-time PINs. Users you add here receive a one-time PIN by email when they try to access the application.

  1. Enter the email addresses of users you want to grant access to.
  2. Select Continue.

Step 4: Assign a tunnel

A tunnel connects your private network to Cloudflare so traffic can reach your application. You can select an existing tunnel or create a new one.

  1. In the Choose or create a Tunnel dropdown, select an existing tunnel or enter a name to create a new one.
  2. Select Continue.

Step 5: Deploy your tunnel

Install cloudflared on a device in your private network that can reach the application. The dashboard generates commands specific to your operating system.

  1. Select your operating system from the dropdown.
  2. Copy and run the commands shown in the dashboard. For Windows, open Command Prompt as an administrator. For all other operating systems, use a terminal window.
  3. After the tunnel connects, select Continue.

Step 6: Review details

The dashboard confirms that your application is available and protected behind Cloudflare Access.

  • Test your application:

    1. Select Test login on the success screen.
    2. On the Access login screen, enter one of the email addresses you added to your Access policy.
    3. Select Send me a code.
    4. Enter the code from your email and select Sign in.

  • Explore more with Zero Trust: Review your applications, policies, and tunnels in the Cloudflare One dashboard.

  • Configure an identity provider: Replace email one-time PINs with your organization's identity provider for a seamless login experience. For more information, refer to Identity providers.

For in-depth guidance on clientless access, refer to the Clientless access learning path.

Troubleshoot

If you have issues connecting, refer to these resources: