Connect to RDP in a browser
Users can connect to an RDP server without installing an RDP client or the WARP client on their device. Browser-based RDP leverages Cloudflare Tunnel, which creates a secure, outbound-only connection from your RDP server to Cloudflare's global network. Setup involves running the cloudflared daemon on the RDP server (or any other host machine within the private network) and routing RDP traffic over a public hostname.
There are two ways for users to reach the RDP server in their browser:
- App Launcher: Users can log in to the Access App Launcher with their Cloudflare Access credentials and then initiate an RDP connection within the browser to their Windows machine. Users will authenticate to the Windows machine using their pre-configured Windows username and password. Cloudflare does not manage any credentials on the Windows server.
- Direct URL: A user may also navigate directly to the Windows server at https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port>. The authentication flow is the same as for the App Launcher; first users must log in to Cloudflare Access and then use their Windows credentials to authenticate to the Windows machine.
Browser-based RDP can be used in conjunction with routing over WARP so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method.
- An active domain on Cloudflare.
- The domain uses either a full setup or a partial (CNAME) setup.
- An RDP server running a supported Windows operating system.
- Create a Cloudflare Tunnel for your server by following our dashboard setup guide. You can skip the connect an application step and go straight to connecting a network.
- In the Private Networks tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed.
A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare.
Create a target for each Windows machine that requires RDP access. To create a new target:
- In Zero Trust ↗, go to Networks > Targets.
- Select Add a target.
- In Target hostname, enter a user-friendly name for the target. We recommend using the server hostname, for example production-server. The target hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the targets secured by an Access application; they are not used for DNS address resolution.
  Format restrictions:
  - Case insensitive
  - Contain no more than 253 characters
  - Contain only alphanumeric characters, -, or . (no spaces allowed)
  - Start and end with an alphanumeric character
- In IP addresses, enter the IPv4 and/or IPv6 address of the target resource. The dropdown menu will not populate until you type in the full IP address.
- In the dropdown menu, select the IP address and virtual network where the resource is located. This IP address and virtual network pairing is now assigned to this target and cannot be reused in another target by design.
- Select Add target.
Alternatively, create the target with the API or with Terraform.

API: Make a POST request to the Infrastructure Access Targets endpoint. At least one of the following API token permissions is required:
- Zero Trust Write

```sh
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    }
  }'
```

Terraform:
- Add the following permission to your cloudflare_api_token ↗:
  - Zero Trust Write
- Configure the cloudflare_zero_trust_infrastructure_access_target ↗ resource:

```hcl
resource "cloudflare_zero_trust_infrastructure_access_target" "infra-ssh-target" {
  account_id = var.cloudflare_account_id
  hostname   = "infra-access-target"
  ip = {
    ipv4 = {
      ip_addr            = "187.26.29.249"
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
    }
    ipv6 = {
      ip_addr            = "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0"
      virtual_network_id = "c77b744e-acc8-428f-9257-6878c046ed55"
    }
  }
}
```
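When you have more than a handful of Windows machines, it helps to validate the inventory before posting targets one by one. The following Python script is an added example (not Cloudflare's tooling) that builds the request body documented above for each host, rejects hostnames that break the format restrictions, and flags any IP/virtual network pair that appears twice, since a pair can only be assigned to one target. It also assembles the direct URL form https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port> described at the top of the page. The inventory, the application domain rdp.example.com and the reuse of the virtual network ID from the API example are constructed for illustration; the script only prepares payloads and does not call the API.

```python
"""Pre-flight checks for Infrastructure Access target payloads.

Added example, not Cloudflare's own tooling. The host inventory, the
application domain and the virtual network ID below are constructed for
illustration; nothing here contacts the Cloudflare API.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Target hostname rules from the docs: case insensitive, at most 253
# characters, only alphanumerics, '-' and '.', start and end alphanumeric.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def valid_target_hostname(name: str) -> bool:
    return len(name) <= 253 and bool(_HOSTNAME_RE.match(name))


def build_target_payload(hostname: str, ip_addr: str, vnet_id: str) -> Dict:
    """Return the JSON body for one target with a single address.

    The address is placed under "ipv4" or "ipv6" according to its family.
    Raises ValueError on a bad hostname or an unparsable address.
    """
    if not valid_target_hostname(hostname):
        raise ValueError(f"invalid target hostname: {hostname!r}")
    addr = ipaddress.ip_address(ip_addr)  # ValueError if malformed
    family = "ipv4" if addr.version == 4 else "ipv6"
    return {
        # Hostnames are case insensitive, so normalise to lower case.
        "hostname": hostname.lower(),
        "ip": {family: {"ip_addr": str(addr), "virtual_network_id": vnet_id}},
    }


def plan_targets(inventory: List[Tuple[str, str, str]]) -> Tuple[List[Dict], List[str]]:
    """Turn (hostname, ip, vnet_id) rows into payloads plus a list of errors.

    An (ip, vnet_id) pair may belong to only one target, so a repeated pair
    is reported instead of producing a request the API would reject.
    """
    payloads: List[Dict] = []
    errors: List[str] = []
    seen: Set[Tuple[str, str]] = set()
    for hostname, ip_addr, vnet_id in inventory:
        try:
            payload = build_target_payload(hostname, ip_addr, vnet_id)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        key = (str(ipaddress.ip_address(ip_addr)), vnet_id)
        if key in seen:
            errors.append(f"duplicate ip/vnet pair for {hostname!r}: {key}")
            continue
        seen.add(key)
        payloads.append(payload)
    return payloads, errors


def direct_rdp_url(app_domain: str, vnet_id: str, ip_addr: str, port: int = 3389) -> str:
    """Direct URL form: https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port>."""
    return f"https://{app_domain}/rdp/{vnet_id}/{ipaddress.ip_address(ip_addr)}/{port}"


# Constructed sample inventory (hypothetical hosts; vnet ID reused from the
# API example above).
VNET = "c77b744e-acc8-428f-9257-6878c046ed55"
INVENTORY = [
    ("production-server", "10.0.0.5", VNET),
    ("production-server", "10.0.0.6", VNET),  # same hostname is allowed
    ("jump host", "10.0.0.7", VNET),          # space in hostname: rejected
    ("backup-server", "10.0.0.5", VNET),      # ip/vnet already used: rejected
    ("fileserver", "fd00::10", VNET),         # IPv6 goes under "ipv6"
]

if __name__ == "__main__":
    ok, bad = plan_targets(INVENTORY)
    for p in ok:
        print(p)
    for e in bad:
        print("ERROR:", e)
    print(direct_rdp_url("rdp.example.com", VNET, "10.0.0.5"))
```

Feed the accepted payloads to the curl command above (one POST per payload); the two rejected rows are exactly the cases the dashboard would also refuse.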
Next, create an Access application to secure the target.
To make your RDP targets (that is, your Windows machines) available through the browser, you will need a Cloudflare DNS record for the domain and subdomain that users will connect to. This domain will be used to access any targets that are available to users through your Access application (see Step 4).
For example, if you want users to connect to targets on rdp.example.com, create a DNS record for rdp.example.com. You can create either an A, AAAA, or CNAME record:
A record
 The following DNS record points your public subdomain (rdp) to an IPv4 address in the Class E address space ↗.
- Type: A
- Name: rdp
- IPv4 address: 240.0.0.0
- Proxy status: On
AAAA record
 The following DNS record points your public subdomain (rdp) to the IPv6 discard address range ↗:
- Type: AAAA
- Name: rdp
- IPv6 address: 100::
- Proxy status: On
CNAME record
 The following CNAME record points your public subdomain (rdp) to a fully qualified domain name.
- Type: CNAME
- Name: rdp
- Target: www.rdp.example.com
- Proxy status: On
The CNAME Target field is unrelated to the RDP targets configured in Step 2.
The DNS record does not need to point to an active destination IP address or hostname; the DNS record just needs to be valid. Cloudflare's RDP proxy will handle the routing to the correct RDP target.
- In Zero Trust ↗, go to Access > Applications.
- Select Add an application.
- Select Self-hosted.
- Enter any name for the application.
- In Session Duration, choose how often the user's application token should expire. Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to Session management.
- Select Add public hostname.
- In the Domain dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use wildcards to protect multiple parts of an application that share a root path. Alternatively, to use a Cloudflare for SaaS custom hostname, set Input method to Custom and enter your custom hostname.
- Expand Browser rendering settings. In the Browser rendering dropdown, select RDP.
- In Target criteria, select the target hostname(s) that define your RDP servers. The application definition will apply to all targets that share the selected target hostname, including any targets added in the future.
- In Port, enter the RDP listening port ↗ of your server. It will likely be port 3389.
- (Optional) If you run RDP on more than one port, select Add new target criteria and reconfigure the same target hostname(s) with the different port number.
- Add Access policies to control who can connect to your application. All Access applications are deny by default: a user must match an Allow policy before they are granted access.
- Configure how users will authenticate:
  - Select the Identity providers you want to enable for your application.
  - (Recommended) If you plan to only allow access via a single IdP, turn on Instant Auth. End users will not be shown the Cloudflare Access login page. Instead, Cloudflare will redirect users directly to your SSO login event.
  - (Optional) Under WARP authentication identity, allow users to authenticate to the application using their WARP session identity. Note that WARP session identity is not currently supported for browser-based RDP targets (see the limitations at the end of this page).
- Select Next.
- (Recommended) Turn on Show application in App Launcher and configure App Launcher settings for the application. The App Launcher allows users to view the Windows servers that they can access using browser-based RDP. Without the App Launcher, users will need to know each target's direct URL.
- Under Block page, choose what end users will see when they are denied access to the application:
  - Cloudflare default: Reload the login page and display a block message below the Cloudflare Access logo. The default message is That account does not have access, or you can enter a custom message.
  - Redirect URL: Redirect to the specified website.
  - Custom page template: Display a custom block page hosted in Zero Trust.
- Select Next.
- (Optional) Configure advanced settings:
  - Cross-Origin Resource Sharing (CORS) settings
  - Cookie settings
  - 401 Response for Service Auth policies: Return a 401 response code when a user (or machine) makes a request to the application without the correct service token.
- Select Save.
By default, Cloudflare will evaluate Access application policies after evaluating all Gateway network policies. To evaluate Access applications before or after specific Gateway policies, create the following Gateway network policy:
| Selector | Operator | Value | Action | 
|---|---|---|---|
| Access Infrastructure Target | is | Present | Allow | 
You can move this policy in the Gateway policy builder to change its order of precedence.
To connect to a Windows machine over RDP:
- Open a browser and go to your App Launcher URL: https://<your-team-name>.cloudflareaccess.com. Replace <your-team-name> with your Zero Trust team name.
- Follow the prompts to log in to your identity provider. Once you have authenticated, the App Launcher will display tiles showing the applications that you are authorized to use. Windows servers (targets) available through browser-based RDP will also appear as tiles. If a target is reachable through multiple Access applications, the target will have a tile per Access application.
- Select the target you want to connect to. The App Launcher tile will launch a URL of the form https://<app-domain>/rdp/<vnet-id>/<target-ip>/<port>. You may also navigate directly to this URL.
- Select the port that you want to connect to. The port selection screen only appears if the Access application allows RDP traffic on multiple ports (for example, port 3389 and port 65321).
- (Optional) In your browser settings, allow the Access application to access the clipboard. Clipboard permissions grant the ability to copy or paste text between the local machine and the remote Windows machine.
- Enter your Windows username and password. For more information on supported login credentials, refer to User identifier formats.
You now have access to the remote Windows desktop.
Browser-based RDP supports connecting to Windows machines that run the following operating systems:
- Windows 11 Pro
- Windows 11 Enterprise
- Windows 10 Pro
- Windows 10 Enterprise
- Windows Server 2025
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
| Browser | Compatibility | 
|---|---|
| Google Chrome | ✅ | 
| Mozilla Firefox | ✅ | 
| Safari | ❌ | 
| Microsoft Edge (Chromium-based) | ✅ | 
| Other Chromium-based browsers (Opera, Brave) | ✅ | 
| Internet Explorer 11 and below | ❌ | 
Browser-based RDP supports connecting to Windows machines using the following login credentials:
SAM-formatted user identifiers are supported with and without spaces.
Examples:
- DOMAIN\username
- DOMAIN\username with spaces
- .\username
- .\username with spaces
- username
- username with spaces
Character limits
 Identifiers which specify a domain, such as DOMAIN\username, can have a maximum of 20 characters for the domain and 15 characters for the username.
Identifiers without a domain, such as .\username, will use the default domain. The username can have a maximum of 20 characters.
UPN-formatted user identifiers are supported with spaces, with and without quotes.
Examples:
- "username with spaces"@domain.org
- username with spaces@domain.org
- username@domain.org
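If you generate login hints for users or pre-validate service accounts, it is worth checking identifiers against the two formats and the length limits listed above before a user hits the login form. The Python below is an added example, not Cloudflare's code: it classifies an identifier as SAM or UPN, strips the optional quotes around a UPN local part, and applies the stated limits (20-character domain and 15-character username for DOMAIN\username; 20-character username for .\username or a bare username). How the Cloudflare RDP proxy itself parses the field is not shown on this page, so treat this as a client-side sanity check only.

```python
"""Classify Windows login identifiers as SAM or UPN and apply the length
limits documented for browser-based RDP.

Added example, not Cloudflare's code. The limit values are taken from the
docs; the parsing behaviour of the RDP login form itself is assumed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LoginIdentifier:
    fmt: str                  # "sam" or "upn"
    username: str
    domain: Optional[str]     # None means "use the default domain" (SAM only)


SAM_DOMAIN_MAX = 20              # DOMAIN\username: the DOMAIN part
SAM_USER_WITH_DOMAIN_MAX = 15    # DOMAIN\username: the username part
SAM_USER_DEFAULT_DOMAIN_MAX = 20 # .\username or bare username


def parse_login_identifier(raw: str) -> LoginIdentifier:
    """Parse one identifier or raise ValueError with the reason."""
    ident = raw.strip()
    if not ident:
        raise ValueError("empty identifier")

    # UPN: user@domain. A quoted local part ("name with spaces"@domain.org)
    # is accepted with the quotes stripped; unquoted spaces are also fine.
    if "\\" not in ident and "@" in ident:
        local, _, domain = ident.rpartition("@")
        if len(local) >= 2 and local[0] == local[-1] == '"':
            local = local[1:-1]
        if not local or not domain:
            raise ValueError(f"malformed UPN: {raw!r}")
        return LoginIdentifier("upn", local, domain)

    # SAM: DOMAIN\username, .\username, or a bare username.
    if "\\" in ident:
        domain, _, user = ident.partition("\\")
        if not domain or not user or "\\" in user:
            raise ValueError(f"malformed SAM identifier: {raw!r}")
        if domain == ".":
            domain = None  # explicit default domain
    else:
        domain, user = None, ident

    if domain is None:
        if len(user) > SAM_USER_DEFAULT_DOMAIN_MAX:
            raise ValueError(
                f"username longer than {SAM_USER_DEFAULT_DOMAIN_MAX} characters: {raw!r}")
    else:
        if len(domain) > SAM_DOMAIN_MAX:
            raise ValueError(f"domain longer than {SAM_DOMAIN_MAX} characters: {raw!r}")
        if len(user) > SAM_USER_WITH_DOMAIN_MAX:
            raise ValueError(
                f"username longer than {SAM_USER_WITH_DOMAIN_MAX} characters: {raw!r}")
    return LoginIdentifier("sam", user, domain)


def check_login_identifier(raw: str) -> Optional[str]:
    """Return None if the identifier is acceptable, else the error message."""
    try:
        parse_login_identifier(raw)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed samples covering each documented shape.
    for sample in ["DOMAIN\\jane doe", ".\\username with spaces", "username",
                   '"username with spaces"@domain.org', "username@domain.org",
                   "DOMAIN\\" + "a" * 16]:
        print(f"{sample!r:40} -> {check_login_identifier(sample) or 'ok'}")
```

Note that spaces count toward the limits: a username such as "username with spaces" is 20 characters, so it fits the default-domain form but not the DOMAIN\username form.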
When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application.
However, the following products are not supported:
You can disable Automatic Signed Exchanges and Zaraz for a specific application - instead of across your entire zone - using a Configuration Rule scoped to the application domain.
- TLS certificate verification: Cloudflare uses TLS to connect to the RDP target but does not verify the origin TLS certificate. The hop to the RDP listener is therefore encrypted but the server is not authenticated by its certificate, so the trustworthiness of that hop rests on the private network path between cloudflared and the RDP server rather than on certificate validation.
- WARP authentication: Users cannot authenticate to RDP targets using their WARP session identity.
- Audio over RDP: Users cannot use their microphone and speaker to interact with the remote machine.
- Clipboard controls: Admins do not have the ability to restrict copy/paste actions between the remote machine and the user's local clipboard.
- File transfers: Users cannot copy/paste files from their local machine to the remote machine and vice versa.