diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx index ab8665bae509210..822a0d558bb3341 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas.mdx @@ -53,7 +53,7 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro | Key endpoint | Returns the current public keys used to [verify the Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/)
`https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//jwks` | | User info endpoint | Returns all user claims in JSON format
`https://.cloudflareaccess.com/cdn-cgi/access/sso/oidc//userinfo` | -11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. +11. 12. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index dff1dcc8bb70ac9..283e49f69daaa07 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx @@ -48,7 +48,7 @@ Obtain the following URLs from your SaaS application account: If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values. ::: -11. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. +11. 12. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx index adc44fa635952f3..ea8ebd5dde64737 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/self-hosted-public-app.mdx @@ -17,7 +17,7 @@ You can securely publish internal tools and applications by adding Cloudflare Ac ## 1. Add your application to Access - + ## 2. Connect your origin to Cloudflare 
@@ -37,12 +37,4 @@ Users can now connect to your self-hosted application after authenticating with ## Product compatibility -When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application. - -However, the following products are not supported: - -* [Automatic Signed Exchanges](/speed/optimization/other/signed-exchanges/) -* [Automatic Platform Optimization](/automatic-platform-optimization) -* [Zaraz](/zaraz) - -You can disable Automatic Signed Exchanges and Zaraz for a specific application - instead of across your entire zone - using a [Configuration Rule](/rules/configuration-rules/) scoped to the application domain. + \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx b/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx index d0f7185f1944c1e..839cfbdf6c1ef11 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/browser-rendering.mdx 
@@ -5,34 +5,44 @@ sidebar: order: 3 --- -Cloudflare can render certain non-web applications in your browser without the need for client software or end-user configuration changes. Cloudflare currently supports rendering a terminal for SSH and VNC connections in a user's browser. +import { Render } from "~/components"; -:::note -You can only enable browser rendering on domains and subdomains, not for specific paths. -::: +Cloudflare can render SSH, VNC, and RDP applications in a browser without the need for client software or end-user configuration changes. For SSH and VNC, user email prefixes must match their username on the server. RDP leverages your existing Windows usernames and passwords for authenticating to the Windows server; Cloudflare does not manage any credentials on the Windows server. -## Enable browser rendering +## Limitations -To enable browser rendering: +- Browser rendering is only supported for [self-hosted public applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), not private IPs or hostnames. +- You can only render a browser-rendered terminal on domains and subdomains, not on specific paths. +- +- Cloudflare uses TLS to secure the egress RDP connection to your Windows server. We do not currently validate the chain of trust. -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. -2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**. -3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. -4. Go to **Advanced settings** > **Browser rendering settings**. -5. For **Browser rendering**, choose _SSH_ or _VNC_. 
+## Turn on browser rendering - :::note +### SSH and VNC - When connecting over SSH, Cloudflare supports following key exchange algorithms: - - - `curve25519-sha256@libssh.org` - - `curve25519-sha256` - - `ecdh-sha2-nistp256` - - `ecdh-sha2-nistp384` - - `ecdh-sha2-nistp521` - - ::: +To turn on browser rendering for an SSH or VNC application: +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. +2. Locate the SSH or VNC application you created when [connecting the server to Cloudflare](/cloudflare-one/connections/connect-networks/use-cases/ssh/). Select **Configure**. +3. In the **Policies** tab, ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. +4. Go to **Advanced settings** > **Browser rendering settings**. +5. For **Browser rendering**, choose _SSH_ or _VNC_. 6. Select **Save application**. When users authenticate and visit the URL of the application, Cloudflare will render a terminal in their browser. + +### RDP + +To set up browser-rendering for RDP, refer to our [browser-based RDP guide](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser/). + +### SSH key exchange algorithms + +Cloudflare's browser-rendered SSH terminal supports the following Key Exchange (KEX) algorithms: + + - `curve25519-sha256@libssh.org` + - `curve25519-sha256` + - `ecdh-sha2-nistp256` + - `ecdh-sha2-nistp384` + - `ecdh-sha2-nistp521` + +For browser-rendered SSH connections to work, you may need to update the `sshd_config` file on your server to accept these algorithms. \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/applications/non-http/index.mdx b/src/content/docs/cloudflare-one/applications/non-http/index.mdx index 3e040b8edadcf76..524fc807d749483 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/index.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/index.mdx 
@@ -23,11 +23,11 @@ If you would like to define how users access specific infrastructure servers wit ## Clientless access -Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported, and user email prefixes must match their username on the server. +Clientless access methods are suited for organizations that cannot deploy the WARP client or need to support third-party contractors where installing a client is not possible. Clientless access requires onboarding a domain to Cloudflare and configuring a public hostname in order to make the server reachable. Command logging is not supported. ### Browser-rendered terminal -Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. +Cloudflare's [browser-based terminal](/cloudflare-one/applications/non-http/browser-rendering/) allows users to connect over SSH, RDP, and VNC without any configuration. When users visit the public hostname URL (for example, `https://ssh.example.com`) and log in with their Access credentials, Cloudflare will render a terminal in their browser. For RDP connections, users must authenticate to the Windows server using their Windows username and password in addition to being authenticated by Cloudflare Access. ### Client-side cloudflared (legacy) 
diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx index f6c49121e82377e..87c7922bb2ffad7 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx @@ -40,7 +40,7 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti ## 1. Add a target - + ## 2. Add an infrastructure application diff --git a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx index c4b43248c542a18..04368a06d043fbe 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx 
@@ -22,17 +22,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl ## Add your application to Access -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. - -2. Select **Add an application**. - -3. Select **Self-hosted**. - -4. Enter any name for the application. - -5. In **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire. - - Cloudflare checks every HTTPS request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/identity/users/session-management/). If the application is non-HTTPS or you do not have TLS decryption turned on, the session is tracked by the WARP client per application. + 6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path. @@ -40,7 +30,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI). ::: -7. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. +7. 8. Configure how users will authenticate: 
@@ -58,14 +48,9 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl 12. Select **Next**. -13. (Optional) Configure advanced settings. These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). +13. - - [**Cross-Origin Resource Sharing (CORS) settings**](/cloudflare-one/identity/authorization-cookie/cors/) - - [**Cookie settings**](/cloudflare-one/identity/authorization-cookie/#cookie-settings) - - **Browser rendering settings**: - - [Automatic `cloudflared` authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/) - - [Browser rendering for SSH and VNC](/cloudflare-one/applications/non-http/browser-rendering/) - - **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](/cloudflare-one/identity/service-tokens/). + These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). 14. Select **Save**. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx index 159f5f1c2e8787e..0d2f77d28efca5e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/agentless/index.mdx 
@@ -9,7 +9,7 @@ If you are unable to install the WARP client on your devices (for example, Windo - **[Gateway DNS policies](/cloudflare-one/connections/connect-devices/agentless/dns/)** - **[Gateway HTTP policies](/cloudflare-one/connections/connect-devices/agentless/pac-files/)** without user identity and device posture -- **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH and VNC connections +- **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and for [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH, RDP, and VNC connections - **[Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/)** via an [Access policy](/cloudflare-one/policies/access/isolate-application/), [prefixed URLs](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/policies/browser-isolation/setup/non-identity/) - **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/)** - **[Data Loss Prevention (DLP)](/cloudflare-one/applications/casb/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx index 0f7a040557307bf..090c5ce74af8888 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/private-net/cloudflared/index.mdx 
@@ -19,7 +19,8 @@ To enable remote access to your private network, follow the guide below. To connect your infrastructure with Cloudflare Tunnel: -1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network. + + 2. In the **Private Networks** tab for the tunnel, enter the IP/CIDR range that you wish to route through the tunnel (for example `10.0.0.0/8`). ## 2. Set up the client diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx index 277c1731f8a6947..e2813000b24eea1 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/grpc.mdx @@ -32,9 +32,9 @@ Server started, listening on 50051 To establish a secure, outbound-only connection to Cloudflare: -1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network. + -2. In the **Private Networks** tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP). +2. In the **Private Networks** tab for the tunnel, enter the private IP or CIDR address of your server. ## 3. Route private network IPs through WARP diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp.mdx deleted file mode 100644 index 92650f044cdec28..000000000000000 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp.mdx +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -pcx_content_type: how-to -title: RDP -sidebar: - order: 2 ---- - -import { Render } from "~/components"; - -The Remote Desktop Protocol (RDP) provides a graphical interface for users to connect to a computer remotely. RDP is most commonly used to facilitate simple remote access to machines or workstations which users cannot physically access. However, this also makes RDP connections the frequent subject of attacks, since a misconfiguration can inadvertently allow unauthorized access to the machine. - -With Cloudflare Zero Trust, you can enjoy the convenience of making your RDP server available over the Internet without the risk of opening any inbound ports on your local server. - -Cloudflare Zero Trust offers two solutions to provide secure access to RDP servers: - -- [Private subnet routing with Cloudflare WARP to Tunnel](#connect-to-rdp-server-with-warp-to-tunnel) -- [Public hostname routing with `cloudflared access`](#connect-to-rdp-server-with-cloudflared-access) - -## Set up an RDP server in GCP - -This example walks through how to set up an RDP server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports RDP connections. - -1. In your [Google Cloud Console](https://console.cloud.google.com/), [create a new project](https://developers.google.com/workspace/guides/create-project). -2. Go to **Compute Engine** > **VM instances**. -3. Select **Create instance**. -4. Name your VM instance, for example `windows-rdp-server`. -5. Configure your VM instance: - 1. Scroll down to **Boot Disk** and select **Change**. - 2. For **Operating system**, select _Windows Server_. - 3. Choose a **Version** with Desktop Experience, for example _Windows Server 2016 Datacenter_. -6. Once your VM is running, open the dropdown next to **RDP** and select _View gcloud command to reset password_. -7. Select **Run in Cloud Shell**. -8. Run the command in the Cloud Shell terminal. 
You will be asked to confirm the password reset. -9. Copy the auto-generated password and username to a safe place. - -## Install Microsoft Remote Desktop - -You can use any RDP client to access and configure the RDP server. - -To access the server through Microsoft Remote Desktop: - -1. Download and install [Microsoft Remote Desktop](https://apps.microsoft.com/store/detail/microsoft-remote-desktop/9WZDNCRFJ3PS). -2. Once downloaded, open Microsoft Remote Desktop and select **Add a PC**. -3. For **PC name**, enter the public IP address of your RDP server. In GCP, this is the **External IP** of the VM instance. -4. For **User account**, select **Add User Account** and enter your auto-generated password and username. -5. Select **Add**. The PC will display in Microsoft Remote Desktop. -6. To test basic connectivity, double-click the newly added PC. -7. When asked if you want to continue, select **Continue**. - -You can now remotely access and configure your RDP server. - -:::note - -By default, Internet Explorer will be installed and configured in [Enhanced Security mode](https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/enhanced-security-configuration-faq#internet-explorer-enhanced-security-configuration). If the browser is slow or unable to load, you can turn off Enhanced Security and install an alternate browser such as Google Chrome. -::: - -## Connect to RDP server with WARP to Tunnel - - - -### 1. Connect the server to Cloudflare - - - -### 2. Set up the client - - - -### 3. Route private network IPs through WARP - - - -### 4. Connect as a user - -Once the WARP client is configured, you can use your RDP client to connect to the server's private IP address (instead of the public IP address used initially). - -To connect in Microsoft Remote Desktop: - -1. Open Microsoft Remote Desktop and select **Add a PC**. -2. For **PC name**, enter the private IP address of your RDP server. 
In GCP, this is the **Internal IP** of the VM instance. -3. For **User account**, enter your RDP server username and password. -4. To test Zero Trust connectivity, double-click the newly added PC. -5. When asked if you want to continue, select **Continue**. - -You now have secure, remote access to the RDP server. - -## Connect to RDP server with `cloudflared access` - - - -### 1. Connect the server to Cloudflare - -1. Create a Cloudflare Tunnel by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). - -2. In the **Public Hostnames** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `rdp.example.com`). - -3. For **Service**, select _RDP_ and enter the [RDP listening port](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port) of your server (for example, `localhost:3389`). It will likely be port `3389`. - -4. Select **Save hostname**. - -5. (Recommended) Add a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server. - -### 2. Connect as a user - -1. [Install `cloudflared`](/cloudflare-one/connections/connect-networks/downloads/) on the client machine. -2. Run this command to open an RDP listening port: - - ```sh - cloudflared access rdp --hostname rdp.example.com --url rdp://localhost:3389 - ``` - - This process will need to be configured to stay alive and autostart. If the process is killed, users will not be able to connect. - -:::note - -If the client machine is running Windows, port `3389` may already be consumed locally. Select an alternative port to `3389` that is not being used. -::: - -3. While `cloudflared access` is running, connect from an RDP client such as Microsoft Remote Desktop: - 1. Open Microsoft Remote Desktop and select **Add a PC**. - 2. For **PC name**, enter `localhost:3389`. - 3. 
For **User account**, enter your RDP server username and password. - 4. Double-click the newly added PC. - 5. When asked if you want to continue, select **Continue**. - -When the client launches, a browser window will open and prompt the user to authenticate themselves. diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/index.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/index.mdx new file mode 100644 index 000000000000000..96b169ad5835bcc --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/index.mdx @@ -0,0 +1,17 @@ +--- +pcx_content_type: navigation +title: RDP +sidebar: + order: 2 +tableOfContents: false +--- + +The Remote Desktop Protocol (RDP) provides a graphical interface for users to connect to a computer remotely. RDP is most commonly used to facilitate simple remote access to machines or workstations which users cannot physically access. However, this also makes RDP connections the frequent subject of attacks, since a misconfiguration can inadvertently allow unauthorized access to the machine. + +With Cloudflare Zero Trust, you can make your RDP server available over the Internet without the risk of opening any inbound ports on your local server. + +Cloudflare offers three ways to secure RDP: + +- [Browser-based RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser/) +- [RDP with WARP client](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel/) +- [RDP with client-side cloudflared](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication/) \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser.mdx new file mode 100644 index 000000000000000..b7f75ae4943a8f0 --- /dev/null 
+++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser.mdx 
@@ -0,0 +1,126 @@ +--- +pcx_content_type: how-to +title: Connect to RDP in a browser +sidebar: + order: 2 + label: Browser-based RDP + badge: + text: Beta +--- + +import { Render, GlossaryTooltip } from "~/components" + +:::note[Availability] +Browser-based RDP is currently available in closed beta to Enterprise customers. To request access, contact your account team. +::: + +With Cloudflare Zero Trust, users can connect to an RDP server without installing an RDP client or the [WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device. Browser-based RDP leverages [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/), which creates a secure, outbound-only connection from your RDP server to Cloudflare's global network. Setup involves running the `cloudflared` daemon on the RDP server (or any other host machine within the private network) and routing RDP traffic over a public hostname. + +There are two ways for users to [reach the RDP server in their browser](#4-connect-as-a-user): +- **App Launcher**: Users can log in to the [Access App Launcher](/cloudflare-one/applications/app-launcher/) with their Cloudflare Access credentials and then initiate an RDP connection within the browser to their Windows machine. Users will authenticate to the Windows machine using their pre-configured Windows username and password. Cloudflare does not manage any credentials on the Windows server. +- **Direct URL**: A user may also navigate directly to the Windows server using a public URL. The authentication flow is the same as for the App Launcher; first users must log in to Cloudflare Access and then use their Windows credentials to authenticate to the Windows machine. + +Browser-based RDP can be used in conjunction with [routing over WARP](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel/) so that there are multiple ways to connect to the server. 
You can reuse the same Cloudflare Tunnel when configuring each connection method. + +## Prerequisites + +- An [active domain on Cloudflare](/fundamentals/setup/manage-domains/add-site/) +- Domain uses either a [full setup](/dns/zone-setups/full-setup/) or a [partial (`CNAME`) setup](/dns/zone-setups/partial-setup/) +- Windows machine supports RDP connections. For a list of supported operating systems, refer to the [Windows documentation](https://learn.microsoft.com/windows-server/remote/remote-desktop-services/remotepc/remote-desktop-supported-config). + +## 1. Connect the server to Cloudflare + + + + + +## 2. Add a target + + + +## 3. Create an Access application + + + +6. Select **Add public hostname**. + + :::note + Browser-based RDP is only compatible with public hostnames. If you add a private hostname or IP, RDP functionality will not be available in this application. + ::: + +7. + + :::note + You can only enable browser-based RDP on domains and subdomains, not for specific paths. + ::: + +8. Expand **Browser rendering settings**. In the **Browser rendering** dropdown, select _RDP_. + +9. In **Target criteria**, select the [target hostname(s)](#2-add-a-target) that define your RDP servers. The application definition will apply to all targets that share the selected target hostname, including any targets added in the future. + +10. In **Port**, enter the [RDP listening port](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port) of your server. It will likely be port `3389`. + +11. (Optional) If you run RDP on more than one port, select **Add new target criteria** and reconfigure the same target hostname(s) with the different port number. + +12. + +:::note +Ensure that only **Allow** or **Block** policies are present. **Bypass** and **Service Auth** are not supported for browser-rendered applications. +::: + +13. + +14. Select **Next**. + +15. 
(Recommended) Turn on **Show application in App Launcher** and configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. The App Launcher allows users to view the Windows servers that they can access using browser-based RDP. Without the App Launcher, users will need to know each target's direct URL. + + :::note + Ensure that users match an Allow rule in your [App Launcher policies](/cloudflare-one/applications/app-launcher/#enable-the-app-launcher). + ::: + +16. + +17. Select **Next**. + +18. + +19. Select **Save**. + +## 4. Create a DNS record + +In the [Cloudflare dashboard](https://dash.cloudflare.com/login), go to **DNS** > **Records** and verify that a [DNS record](/dns/manage-dns-records/how-to/create-dns-records/) exists for your domain. The DNS record allows Cloudflare to proxy browser-based RDP traffic to your private network. Any arbitrary DNS record will work. + +If you do not already have a DNS record, [create a new DNS record](/dns/manage-dns-records/how-to/create-dns-records/#create-dns-records). For example, you could create a `CNAME` record that points your Access application public hostname (`app.example.com`) to your Cloudflare Tunnel (`.cfargotunnel.com`): + +- **Type**: _CNAME_ +- **Name**: `app` +- **Target**: `c1744f8b-faa1-48a4-9e5c-02ac921467fa.cfargotunnel.com` +- **Proxy status**: On + +## 5. Connect as a user + +To connect to a Windows machine over RDP: + +1. Open a browser and go to your App Launcher URL: + + ```text + https://.cloudflareaccess.com + ``` + + Replace `` with your Zero Trust team name. +2. Follow the prompts to log in to your identity provider. + + Once you have authenticated, the App Launcher will display tiles showing the applications that you are authorized to use. Windows servers (targets) available through browser-based RDP will also appear as tiles. If a target is reachable through multiple Access applications, the target will have a tile per Access application. +3. 
Select the target you want to connect to. + + The App Launcher tile will launch a URL of the form `https:///rdp///`. You may also navigate directly to this URL. +4. Select the port that you want to connect to. The port selection screen only appears if the Access application allows RDP traffic on multiple ports (for example, port `3389` and port `65321`). +5. Enter your Windows username and password. + +You now have access to the remote Windows desktop. + +## Product compatibility + + + + diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication.mdx new file mode 100644 index 000000000000000..586c6147dd6535a --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-cloudflared-authentication.mdx 
@@ -0,0 +1,52 @@ +--- +pcx_content_type: how-to +title: Connect to RDP with client-side cloudflared +sidebar: + order: 5 + label: RDP with client-side cloudflared +--- + +import { Render } from "~/components"; + +End users can connect to an RDP server without the WARP client by authenticating through `cloudflared` in their native terminal. This method requires having `cloudflared` installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials. + +Client-side `cloudflared` can be used in conjunction with [routing over WARP](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel/) and [Browser-based RDP](/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-browser/) so that there are multiple ways to connect to the server. You can reuse the same Cloudflare Tunnel when configuring each connection method. + +## 1. Connect the server to Cloudflare + +1. Create a Cloudflare Tunnel by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). + +2. In the **Public Hostnames** tab, choose a domain from the drop-down menu and specify any subdomain (for example, `rdp.example.com`). + +3. For **Service**, select _RDP_ and enter the [RDP listening port](https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port) of your server (for example, `localhost:3389`). It will likely be port `3389`. + +4. Select **Save hostname**. + +## 2. (Recommended) Create an Access application + +By default, anyone on the Internet can connect to the server using its public hostname. To allow or block specific users, create a [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access. + +## 3. Connect as a user + +1. 
[Install `cloudflared`](/cloudflare-one/connections/connect-networks/downloads/) on the client machine. +2. Run this command to open an RDP listening port: + + ```sh + cloudflared access rdp --hostname rdp.example.com --url rdp://localhost:3389 + ``` + + This process will need to be configured to stay alive and autostart. If the process is killed, users will not be able to connect. + +:::note + +If the client machine is running Windows, port `3389` may already be consumed locally. Select an alternative port to `3389` that is not being used. +::: + +3. While `cloudflared access` is running, connect from an RDP client such as Microsoft Remote Desktop: + 1. Open Microsoft Remote Desktop and select **Add a PC**. + 2. For **PC name**, enter `localhost:3389`. + 3. For **User account**, enter your RDP server username and password. + 4. Double-click the newly added PC. + 5. When asked if you want to continue, select **Continue**. + +When the client launches, a browser window will open and prompt the user to authenticate with Cloudflare Access. \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel.mdx new file mode 100644 index 000000000000000..b4cf0deff5f042c --- /dev/null +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/rdp/rdp-warp-to-tunnel.mdx 
@@ -0,0 +1,79 @@ +--- +pcx_content_type: how-to +title: Connect to RDP using WARP +sidebar: + order: 2 + label: RDP with WARP client +--- + +import { Render } from "~/components"; + +Cloudflare WARP to Tunnel allows users to connect to RDP servers using their preferred RDP client. Cloudflare Tunnel creates a secure, outbound-only connection from your RDP server to Cloudflare's global network; this requires running the `cloudflared` daemon on the server (or any other host machine within the private network). Users install the [Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device and enroll in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can connect to the RDP server unless you build policies to allow or block specific users. + +This example walks through how to set up an RDP server on a Google Cloud Platform (GCP) virtual machine (VM), but you can use any machine that supports RDP connections. + +## 1. Set up an RDP server in GCP + +1. In your [Google Cloud Console](https://console.cloud.google.com/), [create a new project](https://developers.google.com/workspace/guides/create-project). +2. Go to **Compute Engine** > **VM instances**. +3. Select **Create instance**. +4. Name your VM instance, for example `windows-rdp-server`. +5. Configure your VM instance: + 1. Scroll down to **Boot Disk** and select **Change**. + 2. For **Operating system**, select _Windows Server_. + 3. Choose a **Version** with Desktop Experience, for example _Windows Server 2016 Datacenter_. +6. Once your VM is running, open the dropdown next to **RDP** and select _View gcloud command to reset password_. +7. Select **Run in Cloud Shell**. +8. Run the command in the Cloud Shell terminal. You will be asked to confirm the password reset. +9. Copy the auto-generated password and username to a safe place. + +## 2. 
Install Microsoft Remote Desktop + +You can use any RDP client to access and configure the RDP server. + +To access the server through Microsoft Remote Desktop: + +1. Download and install [Microsoft Remote Desktop](https://apps.microsoft.com/store/detail/microsoft-remote-desktop/9WZDNCRFJ3PS). +2. Once downloaded, open Microsoft Remote Desktop and select **Add a PC**. +3. For **PC name**, enter the public IP address of your RDP server. In GCP, this is the **External IP** of the VM instance. +4. For **User account**, select **Add User Account** and enter your auto-generated password and username. +5. Select **Add**. The PC will display in Microsoft Remote Desktop. +6. To test basic connectivity, double-click the newly added PC. +7. When asked if you want to continue, select **Continue**. + +You can now remotely access the RDP server using its public IP. The next steps will configure access to the server using its private IP. + +:::note + +By default, Internet Explorer will be installed and configured in [Enhanced Security mode](https://learn.microsoft.com/troubleshoot/developer/browsers/security-privacy/enhanced-security-configuration-faq#internet-explorer-enhanced-security-configuration). If the browser is slow or unable to load, you can turn off Enhanced Security and install an alternate browser such as Google Chrome. +::: + +## 3. Connect the server to Cloudflare + + + +2. In the **Private Networks** tab for the tunnel, enter the private IP or CIDR address of your server. In GCP, the server IP is the **Internal IP** of the VM instance. + +3. (Optional) [Set up Zero Trust policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to fine-tune access to your server. + +## 4. Set up the client + + + +## 5. Route private network IPs through WARP + + + +## 6. 
Connect as a user + +Once the WARP client is configured, you can use your RDP client to connect to the server's private IP address (instead of the public IP address used initially). + +To connect in Microsoft Remote Desktop: + +1. Open Microsoft Remote Desktop and select **Add a PC**. +2. For **PC name**, enter the private IP address of your RDP server. In GCP, this is the **Internal IP** of the VM instance. +3. For **User account**, enter your RDP server username and password. +4. To test Zero Trust connectivity, double-click the newly added PC. +5. When asked if you want to continue, select **Continue**. + +You now have secure, remote access to the RDP server. \ No newline at end of file diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx index 8c099811d2aafe6..deb7934716b6050 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/smb.mdx 
@@ -20,14 +20,13 @@ While SMB was developed for Microsoft Windows, Samba provides SMB connectivity f ## Connect to SMB server with WARP to Tunnel - +You can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's global network. This requires running the `cloudflared` daemon on the server. Users reach the service by installing the [Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can access the service unless you build policies to allow or block specific users. ### 1. Connect the server to Cloudflare -1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network. - -2. In the **Private Networks** tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP). + +2. In the **Private Networks** tab for the tunnel, enter the private IP or CIDR address of your server. 3. (Optional) [Set up Zero Trust policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to fine-tune access to your server. ### 2. Set up the client 
@@ -60,7 +59,9 @@ While SMB was developed for Microsoft Windows, Samba provides SMB connectivity f ## Connect to SMB server with `cloudflared access` - +Cloudflare Tunnel can also route applications through a public hostname, which allows users to connect to the application without the WARP client. This method requires having `cloudflared` installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials. + +The public hostname method can be implemented in conjunction with routing over WARP so that there are multiple ways to connect to the server. You can reuse the same tunnel for both the private network and public hostname routes. ### 1. Connect the server to Cloudflare diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx index 639d887bd9d861b..03c3b7a2c805792 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx @@ -20,9 +20,9 @@ import { Tabs, TabItem, Badge, Render } from "~/components"; ## 1. Connect the server to Cloudflare -1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network. + -2. In the **Private Networks** tab for the tunnel, enter the IP address of your server (or a range that includes the server IP). Typically this would be a private IP, but public IPs are also allowed. + ## 2. Set up the client 
@@ -38,7 +38,7 @@ To connect your devices to Cloudflare: ## 4. Add a target - + ## 5. Add an infrastructure application diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx index e1b87ef1cd3b5bd..3866ba385beb7ad 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel.mdx @@ -59,7 +59,11 @@ In order to be able to establish an SSH connection, do not enable [OS Login](htt ## 3. Connect the server to Cloudflare - + + +2. In the **Private Networks** tab for the tunnel, enter the private IP or CIDR address of your server. In GCP, the server IP is the **Internal IP** of the VM instance. + +3. (Optional) [Set up Zero Trust policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to fine-tune access to your server. ## 4. Set up the client diff --git a/src/content/docs/cloudflare-one/identity/users/session-management.mdx b/src/content/docs/cloudflare-one/identity/users/session-management.mdx index eb1f04b69440d97..bd677d73491f28a 100644 --- a/src/content/docs/cloudflare-one/identity/users/session-management.mdx +++ b/src/content/docs/cloudflare-one/identity/users/session-management.mdx @@ -47,9 +47,13 @@ You can set an application session duration for self-hosted and private Access a The application token will expire after this period of time (unless you have set a [policy session duration](#set-policy-session-duration)). -#### SaaS application sessions +#### SaaS applications - + + +#### SSH, RDP, and VNC + + ### Set policy session duration 
diff --git a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx index 9c6e059dbc4379c..fba100ca701bb36 100644 --- a/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/audit-logs.mdx @@ -84,7 +84,7 @@ Identity-based authentication logs contain the following fields: | **IP address** | IP address of the authenticating user. | | **App UID** | UUID of the Access application. | | **App domain** | URL of the Access application. | -| **App type** | The type specifies if the Access application is self-hosted, SaaS, or infrastructure. | +| **App type** | Specifies the type of Access application: self-hosted, browser SSH, browser VNC, browser RDP, SaaS, or infrastructure. | | **Event** | Type of authentication event, such as a login attempt. | | **Connection** | IdP used to authenticate. | | **Allow** | Result of the authentication event. | diff --git a/src/content/docs/learning-paths/zero-trust-web-access/access-application/create-access-app.mdx b/src/content/docs/learning-paths/zero-trust-web-access/access-application/create-access-app.mdx index 9584d8f4e849738..cb00cfbae1c5025 100644 --- a/src/content/docs/learning-paths/zero-trust-web-access/access-application/create-access-app.mdx +++ b/src/content/docs/learning-paths/zero-trust-web-access/access-application/create-access-app.mdx @@ -14,6 +14,6 @@ Each application can have multiple policies with different constraints depending ## Add your application to Access - + When users go to the application, they will be prompted to login with your identity provider. diff --git a/src/content/partials/cloudflare-one/access/add-access-policies.mdx b/src/content/partials/cloudflare-one/access/add-access-policies.mdx new file mode 100644 index 000000000000000..d497342ed365f0f --- /dev/null +++ b/src/content/partials/cloudflare-one/access/add-access-policies.mdx 
@@ -0,0 +1,5 @@ +--- +{} +--- + +Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/access/add-target.mdx b/src/content/partials/cloudflare-one/access/add-target.mdx index 8f996522e09d6c0..b4746a37622d083 100644 --- a/src/content/partials/cloudflare-one/access/add-target.mdx +++ b/src/content/partials/cloudflare-one/access/add-target.mdx @@ -1,12 +1,18 @@ --- -{} +params: + - protocol --- import { Tabs, TabItem, Render, Details } from "~/components"; -A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. +A target represents a single resource in your infrastructure (such as a server, Kubernetes cluster, database, or container) that users will connect to through Cloudflare. -To create a new target: +{ + props.protocol === "rdp" ? ( +

Create a target for each Windows machine that requires RDP access. +To create a new target:

) : + (

Targets are protocol-agnostic, meaning that you do not need to define a new target for each protocol that runs on the server. To create a new target:

) +} @@ -55,14 +61,14 @@ If the target IP does not appear in the dropdown, go to **Networks** > **Routes* ``` - + :::note[Provider versions] The following example requires Cloudflare provider version `>=4.45.0`. ::: 1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/api_token): - - `Teams Write` + - `Zero Trust Write` 2. Configure the [`cloudflare_zero_trust_infrastructure_access_target`](https://registry.terraform.io/providers/cloudflare/cloudflare/4.45.0/docs/resources/zero_trust_infrastructure_access_target) resource: @@ -86,4 +92,4 @@ The following example requires Cloudflare provider version `>=4.45.0`. -Next, create an infrastructure application to secure the target. \ No newline at end of file +Next, create an Access application to secure the target. \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app.mdx deleted file mode 100644 index 7d11ef74287cf85..000000000000000 --- a/src/content/partials/cloudflare-one/access/self-hosted-app.mdx +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -{} - ---- - -import { Render } from "~/components" - -1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. - -2. Select **Add an application**. - -3. Select **Self-hosted**. - -4. Enter any name for the application. - -5. In **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire. - - Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/identity/users/session-management/). - -6. Select **Add public hostname**. - -7. In the **Domain** dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) to protect multiple parts of an application that share a root path. - - Alternatively, to use a [Cloudflare for SaaS custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/), set **Input method** to _Custom_ and enter your custom hostname. - -8. Add [Access policies](/cloudflare-one/policies/access/) to control who can connect to your application. All Access applications are deny by default -- a user must match an Allow policy before they are granted access. - -9. - -10. Select **Next**. - -11. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. - -12. - -13. Select **Next**. - -14. 
(Optional) Configure advanced settings for your application: - - - [**Cross-Origin Resource Sharing (CORS) settings**](/cloudflare-one/identity/authorization-cookie/cors/) - - [**Cookie settings**](/cloudflare-one/identity/authorization-cookie/#cookie-settings) - - **Browser rendering settings**: - - [Automatic `cloudflared` authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/) - - [Browser rendering for SSH and VNC](/cloudflare-one/applications/non-http/browser-rendering/) - - **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](/cloudflare-one/identity/service-tokens/). - -15. Select **Save**. - diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/advanced-settings.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/advanced-settings.mdx new file mode 100644 index 000000000000000..d526a33967505cf --- /dev/null +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/advanced-settings.mdx @@ -0,0 +1,10 @@ +--- +{} + +--- + +(Optional) Configure advanced settings: + + - [**Cross-Origin Resource Sharing (CORS) settings**](/cloudflare-one/identity/authorization-cookie/cors/) + - [**Cookie settings**](/cloudflare-one/identity/authorization-cookie/#cookie-settings) + - **401 Response for Service Auth policies**: Return a `401` response code when a user (or machine) makes a request to the application without the correct [service token](/cloudflare-one/identity/service-tokens/). diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/choose-domain.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/choose-domain.mdx new file mode 100644 index 000000000000000..bf5c7dae842e9f3 --- /dev/null +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/choose-domain.mdx 
@@ -0,0 +1,10 @@ +--- +{} + +--- + +import { Render } from "~/components" + +In the **Domain** dropdown, select the domain that will represent the application. Domains must belong to an active zone in your Cloudflare account. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) to protect multiple parts of an application that share a root path. + + Alternatively, to use a [Cloudflare for SaaS custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access/), set **Input method** to _Custom_ and enter your custom hostname. \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx new file mode 100644 index 000000000000000..5c57c4fb2c84f0b --- /dev/null +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx @@ -0,0 +1,24 @@ +--- +params: + - private? + +--- + +import { Render } from "~/components" + +1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Access** > **Applications**. + +2. Select **Add an application**. + +3. Select **Self-hosted**. + +4. Enter any name for the application. + +5. In **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire. + + Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/identity/users/session-management/). + + { + props.private && ( +

If the application is non-HTTPS or you do not have TLS decryption turned on, the session is tracked by the WARP client per application.

) + } \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx new file mode 100644 index 000000000000000..1e0eb4a75d0904f --- /dev/null +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/generic-public-app.mdx @@ -0,0 +1,33 @@ +--- +{} + +--- + +import { Render } from "~/components" + + + +6. Select **Add public hostname**. + +7. + +8. (Optional) Configure **Browser rendering settings**: + - [Automatic `cloudflared` authentication](/cloudflare-one/applications/non-http/cloudflared-authentication/automatic-cloudflared-authentication/) + - [Browser rendering for SSH, VNC, or RDP](/cloudflare-one/applications/non-http/browser-rendering/) + +9. + +10. + +11. Select **Next**. + +12. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. + +13. + +14. Select **Next**. + +15. + +16. Select **Save**. + diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/product-compatibility.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/product-compatibility.mdx new file mode 100644 index 000000000000000..9e400c75a7667fb --- /dev/null +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/product-compatibility.mdx @@ -0,0 +1,13 @@ +--- +{} + +--- +When using Access self-hosted applications, the majority of Cloudflare products will be compatible with your application. + +However, the following products are not supported: + +* [Automatic Signed Exchanges](/speed/optimization/other/signed-exchanges/) +* [Automatic Platform Optimization](/automatic-platform-optimization) +* [Zaraz](/zaraz) + +You can disable Automatic Signed Exchanges and Zaraz for a specific application - instead of across your entire zone - using a [Configuration Rule](/rules/configuration-rules/) scoped to the application domain. 
diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx new file mode 100644 index 000000000000000..ca8503c7fd89819 --- /dev/null +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +Cloudflare does not control the length of an active SSH, VNC, or RDP session. [Application session durations](/cloudflare-one/identity/users/session-management/) determine the window in which a user can initiate a new connection or refresh an existing one. \ No newline at end of file diff --git a/src/content/partials/cloudflare-one/tunnel/cloudflared-access.mdx b/src/content/partials/cloudflare-one/tunnel/cloudflared-access.mdx deleted file mode 100644 index a038fdfb2bb4cac..000000000000000 --- a/src/content/partials/cloudflare-one/tunnel/cloudflared-access.mdx +++ /dev/null @@ -1,8 +0,0 @@ ---- -{} - ---- - -Cloudflare Tunnel can also route applications through a public hostname, which allows users to connect to the application without the WARP client. This method requires having `cloudflared` installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials. - -The public hostname method can be implemented in conjunction with routing over WARP so that there are multiple ways to connect to the server. You can reuse the same tunnel for both the private network and public hostname routes. diff --git a/src/content/partials/cloudflare-one/tunnel/connect-private-network-infra-access.mdx b/src/content/partials/cloudflare-one/tunnel/connect-private-network-infra-access.mdx new file mode 100644 index 000000000000000..5b5bc56a5f07b77 --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/connect-private-network-infra-access.mdx 
@@ -0,0 +1,5 @@ +--- +{} +--- + +2. In the **Private Networks** tab for the tunnel, enter the IP or CIDR address of your server. Typically this would be a private IP, but public IPs are also allowed. diff --git a/src/content/partials/cloudflare-one/tunnel/connect-private-network.mdx b/src/content/partials/cloudflare-one/tunnel/connect-private-network.mdx new file mode 100644 index 000000000000000..1883b68dbb47e6b --- /dev/null +++ b/src/content/partials/cloudflare-one/tunnel/connect-private-network.mdx @@ -0,0 +1,5 @@ +--- +{} +--- + +1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the [connect an application step](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2a-connect-an-application) and go straight to connecting a network. diff --git a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-intro.mdx b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-intro.mdx deleted file mode 100644 index 52d7380fe027c4e..000000000000000 --- a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-intro.mdx +++ /dev/null @@ -1,6 +0,0 @@ ---- -{} - ---- - -You can use Cloudflare Tunnel to create a secure, outbound-only connection from your server to Cloudflare's global network. This requires running the `cloudflared` daemon on the server. Users reach the service by installing the [Cloudflare WARP client](/cloudflare-one/connections/connect-devices/warp/) on their device and enrolling in your Zero Trust organization. Remote devices will be able to connect as if they were on your private network. By default, all devices enrolled in your organization can access the service unless you build policies to allow or block specific users. 
diff --git a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-server.mdx b/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-server.mdx deleted file mode 100644 index cec90f2323525a6..000000000000000 --- a/src/content/partials/cloudflare-one/tunnel/warp-to-tunnel-server.mdx +++ /dev/null @@ -1,10 +0,0 @@ ---- -{} - ---- - -1. Create a Cloudflare Tunnel for your server by following our [dashboard setup guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/). You can skip the connect an application step and go straight to connecting a network. - -2. In the **Private Networks** tab for the tunnel, enter the private IP address of your server (or a range that includes the server IP). In GCP, the server IP is the **Internal IP** of the VM instance. - -3. (Optional) [Set up Zero Trust policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to fine-tune access to your server.
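Review bot: "Any arbitrary DNS record will work" in the rdp-browser.mdx "## 4. Create a DNS record" hunk understates a requirement the example itself shows: the record has to be proxied through Cloudflare (the example sets **Proxy status**: On), because a DNS-only record sends browser-based RDP traffic straight past Access. Suggest "Any proxied DNS record will work" plus a clause saying the record must be proxied. In the same hunk, the example **Target** is a literal UUID (`c1744f8b-faa1-48a4-9e5c-02ac921467fa.cfargotunnel.com`); use an obviously labelled placeholder for the tunnel ID so readers do not paste the example value unchanged.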
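Review bot: In the new rdp-cloudflared-authentication.mdx, the `:::note` about port `3389` already being taken on Windows sits at column 0 between list items 2 and 3, which terminates the ordered list, and the instruction it qualifies is not carried forward: step 3.2 still tells the reader to enter `localhost:3389` verbatim. Indent the note under step 2 and reword step 3.2 to "enter `localhost:` followed by the port you passed to `--url`" so a reader who picked a different port connects to the right local listener. Separately, section 2 is labelled "(Recommended)" while the closing sentence ("a browser window will open and prompt the user to authenticate with Cloudflare Access") assumes an Access application exists; either make section 2 required for this flow or state plainly that without it the public hostname exposes the RDP server with no Cloudflare authentication, which the section's own first sentence already implies.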
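Review bot: The rdp-warp-to-tunnel.mdx walkthrough has the reader test connectivity against the VM's **External IP** in section 2 and switch to the **Internal IP** in section 6, but nothing tells them to remove the public RDP exposure afterwards. Add a final step (or a note in "## 6. Connect as a user") to delete or disable the GCP firewall rule that allows inbound port `3389` from the Internet once the private-IP connection is confirmed; an outbound-only tunnel adds little if the server remains directly reachable, and the page's stated goal is access "instead of the public IP address used initially".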
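Review bot: The smb.mdx "### 1. Connect the server to Cloudflare" hunk replaces "(or a range that includes the server IP)" with "the private IP or CIDR address of your server", and "CIDR address" is imprecise; the removed wording, "the private IP address of your server, or a CIDR range that includes it", is clearer. The same sentence is added verbatim to rdp-warp-to-tunnel.mdx and ssh-warp-to-tunnel.mdx in this patch while connect-private-network-infra-access.mdx uses a third variant ("IP or CIDR address"); since step 1 has just been moved into a partial, consider doing the same for step 2 so the wording cannot drift.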
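Review bot: The new ssh-sessions.mdx partial rendered under "#### SSH, RDP, and VNC" in session-management.mdx says Cloudflare does not control the length of an active session but leaves the operational consequence implicit. Add one sentence spelling it out: if that statement means that expiring or revoking a user's Access session stops them from opening or refreshing connections but does not tear down a connection that is already established, say so and point administrators to the server's own session or idle-timeout controls; if revocation does terminate active sessions, that is the more important fact and should be stated instead.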
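Review bot: The new add-access-policies.mdx partial is missing a trailing newline ("\ No newline at end of file"), and the same applies to rdp-cloudflared-authentication.mdx, rdp-warp-to-tunnel.mdx, choose-domain.mdx, create-app.mdx and ssh-sessions.mdx in this patch; add the newline so later diffs against these files stay clean.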
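Review bot: add-target.mdx now declares `protocol` as a required param (no trailing `?`, unlike `private?` in create-app.mdx) and branches on `props.protocol === "rdp"`, so every existing `<Render>` of this partial, including the one under "## 4. Add a target" in ssh-infrastructure-access.mdx in this same patch, has to pass the param; confirm each caller was updated, or declare it as `protocol?` so callers that want the generic text can omit it. In the Terraform tab of the same file, the permission rename from `Teams Write` to `Zero Trust Write` should be checked against the provider `4.45.0` docs linked from that hunk, since the note directly above pins that version.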
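Review bot: The product-compatibility.mdx partial lists three unsupported products, but its closing sentence only explains how to scope Automatic Signed Exchanges and Zaraz to a single application with a Configuration Rule and says nothing about Automatic Platform Optimization. State whether APO can be disabled per application the same way or must be turned off for the whole zone, so readers do not read the omission as an oversight. Minor: the aside "- instead of across your entire zone -" would read better set off with commas or parentheses.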