clipboard is the boring nightmare of browser-RDP. the wire protocol negotiates fine. the browser side has the clipboard API gated behind permissions plus a user-gesture requirement for writes. on the read side most browsers prompt the user every single time. so you either rebuild a custom in-page clipboard buffer (loses OS integration, defeats the point) or accept that paste-INTO-RDP works smoothly while paste-OUT-of-RDP needs a click each time. neither matches what people expect when they hear "web RDP client." worth checking the project's behavior on chrome vs firefox before assuming feature-parity with native mstsc.
To be honest, three nested RDPs sound like a terrible hack. In an ideal world, this would be two port forwardings and one RDP (thinking about ssh, which is still underrepresented in windows world). In an even more ideal world, this would be an IPv6 direct access ;-)
There are legit reasons, at least for two nested sessions. A production network that’s airgapped except for a bastion host that acts as a gateway. It’s better than port forwarding because you have to auth to the bastion host before the RDP chaining, and it often takes separate credentials for the second RDP session.
It’s a semi-common setup for higher security environments, and when you have a network of stuff that has known vulnerabilities you can’t patch for whatever reason. Traffic in and out is super carefully firewalled. It’s not great, but it’s better than a 25 year old MySQL with a direct public IP.
> airgapped except for a bastion host that acts as a gateway
First time I've heard of an airgapped system you could access remotely. Doesn't that kind of defeat the label "airgapped"? I think I'd just call that "isolated" at that point instead.
This concept is related to PAM.
You often have to do ops on infra and need some DMZ to do the ops. In regulated industry you have to record every operations done by the person and have to follow principle of least privilege. This what should happen in an ideal world.
> You often have to do ops on infra and need some DMZ to do the ops.
This makes sense, "bastion" hosts and similar things is fairly common too. What's not common is calling those "airgapped", because they're clearly not.
It's probably there not as a way to connect networks, but as a way to keep them separate, only allowing RDP between specific computers on different networks.
...A test suite, And security audits, And most importantly benchmarks.
What it does have is a license which it is GPLv3. So if anyone adds all those changes, they have to make the source code available with the same software license.
In this era tho, licenses (I don't agree with this, but this is what it is) are a matter of "tokens", I speak for a fact knowing multiple relatively-big companies just gobbling GPLv3 projects and rewriting them entirely, some do publish them as well.
When it’s in a browser you don’t need to install anything on the local machine. I used to use Apache guacamole to access my machine at home from work when I was stuck in a cube all day.
Browsers are sandboxes, your native client often isn't, there is definitely a huge advantage, portability and embeddability as well, it's also simpler to sniff traffic (and MITM it).
clipboard is the boring nightmare of browser-RDP. the wire protocol negotiates fine. the browser side has the clipboard API gated behind permissions plus a user-gesture requirement for writes. on the read side most browsers prompt the user every single time. so you either rebuild a custom in-page clipboard buffer (loses OS integration, defeats the point) or accept that paste-INTO-RDP works smoothly while paste-OUT-of-RDP needs a click each time. neither matches what people expect when they hear "web RDP client." worth checking the project's behavior on chrome vs firefox before assuming feature-parity with native mstsc.
> ...on the read side most browsers prompt the user every single time.
I don't think that is the case. Google Docs, Office 365, Notion, etc. do the same without requiring users' permission every time.
Looks very interesting, but i’m a bit surprised the most important feature isn’t mentioned: How well does clipboard sharing work?
Im not a big fan of Windows but copy pasting a file across 3 nested RDP sessions feels magical every time
I am not sure if you have tried broadcasting feature in terminals, thats magical too.
To be honest, three nested RDPs sound like a terrible hack. In an ideal world, this would be two port forwardings and one RDP (thinking about ssh, which is still underrepresented in windows world). In an even more ideal world, this would be an IPv6 direct access ;-)
There are legit reasons, at least for two nested sessions. A production network that’s airgapped except for a bastion host that acts as a gateway. It’s better than port forwarding because you have to auth to the bastion host before the RDP chaining, and it often takes separate credentials for the second RDP session.
It’s a semi-common setup for higher security environments, and when you have a network of stuff that has known vulnerabilities you can’t patch for whatever reason. Traffic in and out is super carefully firewalled. It’s not great, but it’s better than a 25 year old MySQL with a direct public IP.
> airgapped except for a bastion host that acts as a gateway
First time I've heard of an airgapped system you could access remotely. Doesn't that kind of defeat the label "airgapped"? I think I'd just call that "isolated" at that point instead.
This concept is related to PAM. You often have to do ops on infra and need some DMZ to do the ops. In regulated industry you have to record every operations done by the person and have to follow principle of least privilege. This what should happen in an ideal world.
> You often have to do ops on infra and need some DMZ to do the ops.
This makes sense, "bastion" hosts and similar things is fairly common too. What's not common is calling those "airgapped", because they're clearly not.
Airgapped is a different concept altogether.
Logically air gapped :)
https://docs.aws.amazon.com/aws-backup/latest/devguide/logic...
The moat!
It's probably there not as a way to connect networks, but as a way to keep them separate, only allowing RDP between specific computers on different networks.
We have a custom RDP client [1]. So i have some experience building something like this. We do some an implementation similar to this.
Clipboard sharing, uploading and downloading via shared drive is a freerdp feature that should be readily available.
We also have sessions recording which is non-negotiable in PAM.
[1] https://adaptive.live
And desktop scaling. And multi-monitor support. And file transfers. And drive redirection. And peripheral redirection. And...
...A test suite, And security audits, And most importantly benchmarks.
What it does have is a license which it is GPLv3. So if anyone adds all those changes, they have to make the source code available with the same software license.
In this era tho, licenses (I don't agree with this, but this is what it is) are a matter of "tokens", I speak for a fact knowing multiple relatively-big companies just gobbling GPLv3 projects and rewriting them entirely, some do publish them as well.
is it work for opening rdp file from cyberark pam?
Interesting from a technical perspective but with native RDP clients readily available on just about every platform, I don't see the need for it.
When it’s in a browser you don’t need to install anything on the local machine. I used to use Apache guacamole to access my machine at home from work when I was stuck in a cube all day.
https://guacamole.apache.org/
1 contributor, 1 commit, new project... gives me vibe-coding feels.
Browsers are sandboxes, your native client often isn't, there is definitely a huge advantage, portability and embeddability as well, it's also simpler to sniff traffic (and MITM it).
Not many good MFA options for native RDP/RDG. Putting it in the browser lets you wrap the whole thing with OAUTH/passkeys etc