Zero Trust Access to an Individual RDP Server

  • Updated on Aug 19, 2021

This article describes Banyan’s capability to access an Individual RDP Server. With the release of Netagent v1.27.1 in August-2020, this technique has been superseded by Banyan’s Access to a Collection of RDP Services capability, which uses RD Gateway mode and HTTP Connect Tunneling.

If your RDP service was created in Banyan before Banyan v2.50 (Oct-28-2020), then you must recreate it using the steps below.


You can use Banyan’s default Mutually Authenticated TLS (MTLS) flows for TCP services to provide your end users VPN-free Zero Trust access regardless of their network location. RDP traffic flows through the Banyan Access Tier and is wrapped in a MTLS tunnel (shown in the diagram below).


Setting up VPN-free access to an individual RDP server is the setup process followed to secure a TCP service, as described in Notes on Securing TCP Services.

You can securely expose your RDP server in 4 steps. In this article, we will create a Banyan Role (for contractors) and a Banyan Policy so only users on devices that meet the policy can gain to secure access to the SSH Server, using the following steps:

  1. In the Banyan Command Center, create a Role
  2. In the Banyan Command Center, create a Policy
  3. In the Banyan Command Center, define a Service
  4. On the end user device, click “Connect” in the Banyan Desktop App

1. Create a Role for your End Users

1. In the Banyan Command Center, navigate to Secure Access > Roles and then click + Add Role.

2. Create a User Role and then click + Add Role Attributes to apply it to specific sets of users (such as By Group contractors).

2. Create a Policy for your RDP Server

1. Navigate to Secure Access > Policies and then click Create Policy.

2. Select the option TCP Policy.

3. Define a Service for your RDP Server

1. Navigate to Manage Services > Infrastructure and then click + Register Service. Select the option RDP Service.

2. Configure the RDP service as shown below:

  • Assign a domain name for this service and keep the port as 8443; the banyanproxy will tunnel RDP traffic over port 8443.
  • Set the method for how incoming connections should be proxied to the backend to Fixed Backend Domain.
  • Set the Backend Domain to and port 12345. The banyanproxy will tunnel traffic over port 12345.
  • Attach the policy we had previously created and set enforcement mode to Enforcing.

4. Connect via the Banyan Desktop App

Ensure your end users install the latest Banyan Desktop App and register their device.

1. In the Banyan Desktop App, locate the RDP service and click Connect.

2. Open your preferred RDP client (such as Windows Remote Desktop) and create a new PC.

3. Copy the IP and port from the Banyan Desktop App and then save the new PC. Enter user account credentials as needed.

4. The RDP client will use banyanproxy to automatically tunnel the RDP session over a Mutual-Auth TLS channel using HTTP Connect.

Can’t find what you’re looking for?

We’re happy to help. Contact our team .