[ZT] Browser-based RDP WARP auth (#23704)

* allow targets through gateway partial

* turn off WARP auth for RDP

* fix partial

Author: ranbel

src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx

@@ -44,7 +44,7 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
 <Render file="access/add-infrastructure-app" />
 
 ## 3. (Recommended) Modify order of precedence in Gateway
-<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" params={{ selector: "Access Infrastructure Target" }} />
+<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" params={{ selector: "Access Infrastructure Target", protocol: "infra"}} />
 
 ## 4. Configure the server
 

src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx

@@ -76,4 +76,5 @@ The WARP client manages sessions for all non-HTTPS applications. Users will rece
 <Render file="gateway/client-notifications-os" product="cloudflare-one" />
 
 ## Modify order of precedence in Gateway
-<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" params={{ selector: "Access Private App" }} />
+
+<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" params={{ selector: "Access Private App", protocol: "private" }} />

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser.mdx

@@ -123,7 +123,8 @@ Ensure that only **Allow** or **Block** policies are present. **Bypass** and **S
 19. Select **Save**.
 
 ## 5. (Recommended) Modify order of precedence in Gateway
-<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" params={{ selector: "Access Infrastructure Target" }} />
+
+<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" params={{ selector: "Access Infrastructure Target", protocol: "rdp" }} />
 
 ## 6. Connect as a user
 
@@ -216,7 +217,7 @@ Cloudflare will not configure user identifiers on the RDP target. Any user ident
 ## Known limitations
 
 - **TLS certificate verification**: Cloudflare uses TLS to connect to the RDP target but does not verify the origin TLS certificate.
-- **WARP authentication**: Users cannot authenticate to RDP targets using their [WARP session identity](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/#configure-warp-sessions-in-access).
+- **WARP authentication**: Since browser-based RDP traffic does not go through the WARP client, users cannot use their [WARP session identity](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/#configure-warp-sessions-in-access) to authenticate.
 - **Audio over RDP**: Users cannot use their microphone and speaker to interact with the remote machine.
 - **Clipboard controls**: Admins do not have the ability to restrict copy/paste actions between the remote machine and the user's local clipboard.
 - **File transfers**: Users cannot copy/paste files from their local machine to the remote machine and vice versa.

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx

@@ -42,7 +42,7 @@ To connect your devices to Cloudflare:
 <Render file="access/add-infrastructure-app" />
 
 ## 6. (Recommended) Modify order of precedence in Gateway
-<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" params={{ selector: "Access Infrastructure Target" }} />
+<Render file="access/modify-gateway-policy-precedence" product="cloudflare-one" params={{ selector: "Access Infrastructure Target", protocol: "ssh" }} />
 
 ## 7. Configure SSH server
 

src/content/partials/cloudflare-one/access/modify-gateway-policy-precedence.mdx

@@ -1,16 +1,29 @@
 ---
 params:
   - selector
-
+  - protocol
 ---
 
-By default, Cloudflare will evaluate Access application policies after evaluating all Gateway network policies. To evaluate Access applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
+By default, Cloudflare will evaluate Access application policies after evaluating all Gateway network policies. To evaluate Access applications before or after specific Gateway policies:
+
+<ol>
+<li>
+Create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
+
+	| Selector                     | Operator | Value     | Action |
+	| ---------------------------- | -------- | --------- | ------ |
+	| {props.selector}             | is       | _Present_ | Allow  |
+</li>
+
+{ props.protocol === "rdp" && (<> <li> Ensure that <strong>Enforce WARP client session duration</strong> is turned off, otherwise users will be blocked from accessing RDP targets. </li> </>)}
+
+<li>
+Update the policy's [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence) using the dashboard or API.
+</li>
 
-| Selector                     | Operator | Value     | Action |
-| ---------------------------- | -------- | --------- | ------ |
-| {props.selector}             | is       | _Present_ | Allow  |
+</ol>
 
-You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
+{ props.selector === "Access Infrastructure Target" &&	(<p> This Gateway policy will apply to all Access for Infrastructure targets, including RDP and SSH. </p>) }
 
 :::note
 Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.