r/CloudFlare: Sysadmin Help With Cloudflared / Zero Trust Configuration

r/CloudFlare: Sysadmin Help With Cloudflared / Zero Trust Configuration
💡
This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/zs1uc2/sysadmin_help_with_cloudflared_zero_trust/

Question

Hi,

I am a sysadmin planning to deploy Cloudflare Zero Trust to allow our employees to access their Windows remote desktop sessions off-site. I ran into a couple limitations and have some questions:

  1. I have Azure AD working as an authentication method. But we only want users of a specific group to have access. I went under “Edit Policy -> Configure Rules -> Include Selector -> Azure Groups”. Then I used Microsoft Graph to get the group ID, to put in the box. It’s a “mail-based security group”. The ID is in the format of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. But when trying to login, I get the error “That account does not have access.” Am I not doing this correctly?
  2. Is there a way to customize the login screen a bit. We don’t need to remove all the Cloudflare branding, but would like to add a custom message for our users. Custom colors and a Logo would be a bonus. So far, the product seems really limited with customization, unless I am missing something?
  3. Ideally (or as an alternative to #1 above), we want each user to only be able to remote to their own computer. I wrote a simple Powershell script that prompts for Computer name, and then then passes it off to the tunnel in bastion mode, and launches the RDP window for the user. Whenever the user authenticates through Cloudflare, how would I go about passing off the user’s name/ID to my script so I can lookup the computer the user is authorized to connect to?

Thank you. I have not found much online in the way of tutorials or documentation for Cloudflare Zero Trust.

Answer

Here are my initial inputs to your questions:

  1. Azure AD and using its groups works exactly like you configured it. You could have just gone to the Azure AD portal and retrieved the Object ID of the group through this way instead of the Graph API. Please double check if the GUID matches. How did you test that Azure AD auth works?
  2. There are some customisation options in place already, like setting a logo. You can find these in the global settings of the Zero Trust dashboard.
  3. You can "publish" RDP in two ways, either as a public hostname or via private endpoints, requiring that every user needs to run the WARP client to get access. Either way, you can't just configure a public hostname, point an RDP client to the FQDN and port 443 and it works. Have a read through this article to understand the details more: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/use_cases/rdp/

Comment 1 on Answer

Thank you.

  1. I actually found out that the login is not working at all now. It was before so I'm not sure what happened. When opening from an Incognito window, and clicking “Azure AD”, it immediately says “That account does not have access.”
  2. Got it, thanks!
  3. So basically, public endpoints (such as using the command “cloudflared access rdp --hostname RemoteDesktop.MyCompany.com”) work with both Cloudflared and Warp, but the “private endpoint” feature requires WARP, rather than Cloudflared?
  4. At login, the user gets a prompt for “approving access from a command line tool” when using the “cloudflared access” app. It seems like WARP would get around this message since it’s not a command line tool like Cloudflared? So Warp is simply a less lightweight version of Cloudflared?
  5. I downloaded the Warp client from http://1.1.1.1, but when I open the settings and add the Zero Trust team name, it says not found.

My response to comment 1

  1. You can Test Azure AD login in the settings where you add the IdP, to check whats wrong.
  2. :)
  3. No, public endpoints require cloudflared to authenticate, private endpoints work with WARP only.
  4. Yes, WARP doesn't need this prompt since it authenticates the user once during the device onboarding, and from thereon out, every connection to private endpoints will just get let through. And no, WARP is not a more lightweight version than cloudflared. cloudflared is the daemon that is responsible for creating and running the outbound-only tunnel where the traffic will go through. It can also be used to proxy non-HTTP app traffic targeting a public hostname, like in the "cloudflared access" command example. The WARP client is normally, without Zero Trust, used to force a device to use Cloudflare's network to transport your traffic. When paired with Zero Trust, it acts as the agent on the endpoints device to do device attestation and running the Wireguard tunnel to connect to your private endpoints.
  5. You have to set your own custom team name in the Zero Trust settings before the WARP client will find the team.