RDP
RDP (Remote Desktop Protocol) is how people connect to a Windows desktop or server and see its graphical screen. Through the Bridge, users get that full desktop experience while the session stays policy-controlled and recorded, and they never hold the target’s credentials.
You can offer RDP two ways, and you can use either or both:
- Native mode - users connect with Microsoft Remote Desktop (or any standard RDP client) pointed at a port on the Bridge.
- Browser mode - the remote desktop appears right inside the Bridge web interface, with nothing to install.
Granting access. Settings here enable RDP for the deployment. To grant a person access to a host, create a checkout - RDP has the richest per-grant controls (clipboard, drive, security mode): see the RDP checkout options and a worked example.
Native mode
Native RDP requires a TLS certificate and key, because RDP clients expect an encrypted, certificate-backed connection. You must supply both a certificate path and a key path. Port 3389 is the conventional RDP port.
rdp:
native:
enabled: true
listen: "3389"
tls_cert: "/data/certs/rdp-cert.pem"
tls_key: "/data/certs/rdp-key.pem"tls_cert and tls_key are required when native RDP is enabled - the Bridge will not start native RDP without them.
Users then open Microsoft Remote Desktop and connect to the Bridge’s address on the chosen port.
Header position
When users connect, the Bridge shows a small branded strip (a “chrome” bar) at the edge of the remote desktop. You can place it at the top or bottom of the screen. It cannot be turned off.
rdp:
native:
header_position: "bottom" # or "top"Browser mode
Browser mode renders the Windows desktop inside the web interface. You can set the default screen size and resolution that new sessions open at.
rdp:
browser:
enabled: true
default_width: 1600
default_height: 900
default_dpi: 144default_width and default_height are the starting screen size in pixels. default_dpi controls how large text and icons appear - a higher number makes everything bigger and sharper on high-resolution displays.
Shared options
rdp:
idle_timeout: 30m
allow_insecure_cert: trueallow_insecure_cert controls whether the Bridge verifies the target Windows machine’s certificate when it connects out. Left at the default (true) the Bridge does not verify it, which is convenient because many Windows hosts use self-signed RDP certificates. Set it to false for stricter verification.
File copy, clipboard sharing, and drive redirection (mapping a local drive into the remote desktop) are not configured here. They are granted per checkout as part of the access policy, so each grant can allow or deny them independently.
Examples
rdp:
idle_timeout: 30m
allow_insecure_cert: true
native:
enabled: true
listen: "3389"
tls_cert: "/data/certs/rdp-cert.pem"
tls_key: "/data/certs/rdp-key.pem"
header_position: "bottom"Option reference
| Option | Type | Default | Description |
|---|---|---|---|
rdp.idle_timeout | duration | 30m | Close a session after this much inactivity. |
rdp.allow_insecure_cert | bool | true | Skip verification of the target machine’s certificate. |
rdp.native.enabled | bool | false | Turn on native RDP (a listening port). |
rdp.native.listen | string (port) | 3389 | Port the Bridge listens on. Required when native is enabled. |
rdp.native.tls_cert | string | /data/certs/rdp-cert.pem | TLS certificate for the native listener. Required when native is enabled. |
rdp.native.tls_key | string | /data/certs/rdp-key.pem | TLS private key for the native listener. Required when native is enabled. |
rdp.native.header_position | string | bottom | Position of the branded strip: top or bottom. Cannot be disabled. |
rdp.browser.enabled | bool | false | Turn on the in-browser remote desktop. |
rdp.browser.default_width | int | 1600 | Default screen width in pixels. |
rdp.browser.default_height | int | 900 | Default screen height in pixels. |
rdp.browser.default_dpi | int | 144 | Default display scaling (DPI). |