[ZT] Clientless RDP (#20767)

* remove SMB partials

* update RDP IA

* connect server and create target

* create self-hosted app partials

* remove legacy

* rdp self-hosted app

* update browser rendering

* browser-rendered sessions

* clarify active session

* update browser rendering overview

* update app types

* user steps

* remove legacy note

* session duration partial

* clean up rdp

* fix partial

* review feedback

* add partial

* update titles

* additional feedback

* Apply suggestions from code review

Co-authored-by: Max Phillips <[email protected]>

* Update src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser.mdx

Co-authored-by: Max Phillips <[email protected]>

* Update src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/index.mdx

---------

Co-authored-by: Max Phillips <[email protected]>

Author: ranbel

src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx

@@ -53,7 +53,7 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro
     | Key endpoint           | Returns the current public keys used to [verify the Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) <br/> `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/jwks`                                   |
     | User info endpoint     | Returns all user claims in JSON format <br/> `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<client-id>/userinfo`                                                                                                                        |
 
-11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
+11. <Render file="access/add-access-policies" product="cloudflare-one" />
 
 12. <Render file="access/access-choose-idps" product="cloudflare-one" />
 

src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx

@@ -48,7 +48,7 @@ Obtain the following URLs from your SaaS application account:
 If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values.
 :::
 
-11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
+11. <Render file="access/add-access-policies" product="cloudflare-one" />
 
 12. <Render file="access/access-choose-idps" product="cloudflare-one" />
 

src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx

@@ -17,7 +17,7 @@ You can securely publish internal tools and applications by adding Cloudflare Ac
 
 ## 1. Add your application to Access
 
-<Render file="access/self-hosted-app" />
+<Render file="access/self-hosted-app/generic-public-app" />
 
 ## 2. Connect your origin to Cloudflare
 
@@ -37,12 +37,4 @@ Users can now connect to your self-hosted application after authenticating with
 
 ## Product compatibility
 
-When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application.
-
-However, the following products are not supported:
-
-* [Automatic Signed Exchanges](/speed/optimization/other/signed-exchanges/)
-* [Automatic Platform Optimization](/automatic-platform-optimization)
-* [Zaraz](/zaraz)
-
-You can disable Automatic Signed Exchanges and Zaraz for a specific application - instead of across your entire zone - using a [Configuration Rule](/rules/configuration-rules/) scoped to the application domain.
+ <Render file="access/self-hosted-app/product-compatibility" product="cloudflare-one" />

src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx

@@ -5,34 +5,44 @@ sidebar:
   order: 3
 ---
 
-Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser.
+import { Render } from "~/components";
 
-:::note
-You can only enable browser rendering on domains and subdomains, not for specific paths.
-:::
+Cloudflare can render SSH, VNC, and RDP applications in a browser without the need for client software or end-user configuration changes. For SSH and VNC, user email prefixes must match their username on the server. RDP leverages your existing Windows usernames and passwords for authenticating to the Windows server; Cloudflare does not manage any credentials on the Windows server.
 
-## Enable browser rendering
+## Limitations
 
-To enable browser rendering:
+- Browser rendering is only supported for [self-hosted public applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), not private IPs or hostnames.
+- You can only render a browser-rendered terminal on domains and subdomains, not on specific paths.
+- <Render file="access/self-hosted-app/ssh-sessions" />
+- Cloudflare uses TLS to secure the egress RDP connection to your Windows server. We do not currently validate the chain of trust.
 
-1.  In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
-2.  Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
-3.  In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
-4.  Go to **Advanced settings** > **Browser rendering settings**.
-5.  For **Browser rendering**, choose _SSH_ or _VNC_.
+## Turn on browser rendering
 
-        	:::note
+### SSH and VNC
 
-        	When connecting over SSH, Cloudflare supports following key exchange algorithms:
-
-        	- `[email protected]`
-        	- `curve25519-sha256`
-        	- `ecdh-sha2-nistp256`
-        	- `ecdh-sha2-nistp384`
-        	- `ecdh-sha2-nistp521`
-
-        	:::
+To turn on browser rendering for an SSH or VNC application:
 
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
+2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**.
+3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications.
+4. Go to **Advanced settings** > **Browser rendering settings**.
+5. For **Browser rendering**, choose _SSH_ or _VNC_.
 6.  Select **Save application**.
 
 When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser.
+
+### RDP
+
+To set up browser-rendering for RDP, refer to our [browser-based RDP guide](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser/).
+
+### SSH key exchange algorithms
+
+Cloudflare's browser-rendered SSH terminal supports the following Key Exchange (KEX) algorithms:
+
+	- `[email protected]`
+	- `curve25519-sha256`
+	- `ecdh-sha2-nistp256`
+	- `ecdh-sha2-nistp384`
+	- `ecdh-sha2-nistp521`
+
+For browser-rendered SSH connections to work, you may need to update the `sshd_config` file on your server to accept these algorithms.

src/content/docs/cloudflare-one/applications/non-http/index.mdx

@@ -23,11 +23,11 @@ If you would like to define how users access specific infrastructure servers wit
 
 ## Clientless access
 
-Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported, and user email prefixes must match their username on the server.
+Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported.
 
 ### Browser-rendered terminal
 
-Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser.
+Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH, RDP, and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. For RDP connections, users must authenticate to the Windows server using their Windows username and password in addition to being authenticated by Cloudflare Access.
 
 ### Client-side cloudflared (legacy)
 

src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx

@@ -40,7 +40,7 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
 
 ## 1. Add a target
 
-<Render file="access/add-target" />
+<Render file="access/add-target" params={{ protocol: "generic" }}/>
 
 ## 2. Add an infrastructure application
 

src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx

@@ -22,25 +22,15 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 ## Add your application to Access
 
-1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**.
-
-2. Select **Add an application**.
-
-3. Select **Self-hosted**.
-
-4. Enter any name for the application.
-
-5. In **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire.
-
-   Cloudflare checks every HTTPS request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/identity/users/session-management/). If the application is non-HTTPS or you do not have TLS decryption turned on, the session is tracked by the WARP client per application.
+<Render file="access/self-hosted-app/create-app" product="cloudflare-one" params={{ private: true }}/>
 
 6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.
 
 	:::note
 	Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI).
 	:::
 
-7. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access.
+7.  <Render file="access/add-access-policies" product="cloudflare-one" />
 
 8. Configure how users will authenticate:
 
@@ -58,14 +48,9 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 12. Select **Next**.
 
-13. (Optional) Configure advanced settings. These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
+13. <Render file="access/self-hosted-app/advanced-settings" product="cloudflare-one" />
 
-		- [**Cross-Origin Resource Sharing (CORS) settings**](/cloudflare-one/identity/authorization-cookie/cors/)
-		- [**Cookie settings**](/cloudflare-one/identity/authorization-cookie/#cookie-settings)
-		- **Browser rendering settings**:
-				- [Automatic `cloudflared` authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/)
-				- [Browser rendering for SSH and VNC](/cloudflare-one/applications/non-http/browser-rendering/)
-		- **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](/cloudflare-one/identity/service-tokens/).
+		These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
 
 14. Select **Save**.
 

src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx

@@ -9,7 +9,7 @@ If you are unable to install the WARP client on your devices (for example, Windo
 
 - **[Gateway DNS policies](/cloudflare-one/connections/connect-devices/agentless/dns/)**
 - **[Gateway HTTP policies](/cloudflare-one/connections/connect-devices/agentless/pac-files/)** without user identity and device posture
-- **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH and VNC connections
+- **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and for [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH, RDP, and VNC connections
 - **[Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/)** via an [Access policy](/cloudflare-one/policies/access/isolate-application/), [prefixed URLs](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/policies/browser-isolation/setup/non-identity/)
 - **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/)**
 - **[Data Loss Prevention (DLP)](/cloudflare-one/applications/casb/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB

src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx

@@ -19,7 +19,8 @@ To enable remote access to your private network, follow the guide below.
 
 To connect your infrastructure with Cloudflare Tunnel:
 
-1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network.
+<Render file="tunnel/connect-private-network" />
+
 2. In the **Private Networks** tab for the tunnel, enter the IP/CIDR range that you wish to route through the tunnel (for example `10.0.0.0/8`).
 
 ## 2. Set up the client

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx

@@ -32,9 +32,9 @@ Server started, listening on 50051
 
 To establish a secure, outbound-only connection to Cloudflare:
 
-1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network.
+<Render file="tunnel/connect-private-network" />
 
-2. In the **Private Networks** tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP).
+2. In the **Private Networks** tab for the tunnel, enter the private IP or CIDR address of your server.
 
 ## 3. Route private network IPs through WARP