The Formal Connector supports proxying Remote Desktop Protocol (RDP) connections to Windows servers and other RDP-enabled hosts. Connections are authenticated and authorized through Formal’s identity and policy system, with full session logging.

Requirements

Networking

The Connector listener port used for RDP must be accessible from your client machine. You may assign any port except 8080 (the Connector’s health check port). Ensure your security groups are configured to allow traffic on the designated port.

Native Users

RDP resources require Native Users configured with the Windows credentials (username and password) of the target host. The Connector uses these credentials to authenticate against the upstream RDP server on behalf of the connecting Formal user. If the target host is part of a domain, the native user username can use either the UPN format (user@domain.com) or the down-level format (DOMAIN\user). For standalone hosts, use the local username directly (just user).
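As an added illustration (not Formal's own code), a small standard-library Python helper that recognises the three Native User username formats listed above, so a provisioning script can validate a credential before it is stored. It goes one step beyond the text by also treating the Windows `.\user` form as a local account.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example, not part of the Formal Connector: classify a
# Windows username into the UPN, down-level or local form described above.


@dataclass(frozen=True)
class NativeUser:
    fmt: str               # "upn", "down-level" or "local"
    user: str
    domain: Optional[str]  # None for a standalone (local) account


# A single component may not contain '@', '\', '/' or whitespace.
_PART = r"[^@\\/\s]+"
_UPN = re.compile(rf"^({_PART})@({_PART})$")          # user@domain.com
_DOWN_LEVEL = re.compile(rf"^({_PART})\\({_PART})$")  # DOMAIN\user
_LOCAL = re.compile(rf"^{_PART}$")                    # user


def parse_native_username(name: str) -> NativeUser:
    """Return the parsed form of a Native User username, or raise ValueError."""
    name = name.strip()
    if not name:
        raise ValueError("empty username")

    m = _UPN.match(name)
    if m:
        return NativeUser("upn", m.group(1), m.group(2))

    m = _DOWN_LEVEL.match(name)
    if m:
        domain, user = m.group(1), m.group(2)
        # Windows convention: ".\user" names an account on the local machine.
        if domain == ".":
            return NativeUser("local", user, None)
        return NativeUser("down-level", user, domain)

    if _LOCAL.match(name):
        return NativeUser("local", name, None)

    # Mixed or malformed input, e.g. "CORP\alice@example.com".
    raise ValueError(f"unrecognised username format: {name!r}")
```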

Connect to RDP

To connect through the Formal Connector, point your RDP client at the Connector’s hostname and listener port. Use your Formal identity as the username. The username format follows the standard Formal identity convention:
idp:formal:human:john@example.com
The password should be your Formal access token, available from the Control Plane.
Open Remote Desktop Connection (mstsc.exe) and enter CONNECTOR_HOSTNAME:CONNECTOR_LISTENER_PORT in the Computer field. Alternatively, launch it from the command line:
mstsc.exe /v:CONNECTOR_HOSTNAME:CONNECTOR_LISTENER_PORT
When prompted, enter your Formal identity as the username (e.g. idp:formal:human:john@example.com) and your Formal access token as the password.
Replace CONNECTOR_HOSTNAME, CONNECTOR_LISTENER_PORT, and FORMAL_ACCESS_TOKEN with the appropriate values for your environment.

Policy Evaluation

Formal supports the following policy evaluation stages for RDP:
  • Session: Evaluate and enforce policies at connection time
Policies are evaluated after Formal identity resolution and before the connection is forwarded to the upstream RDP server. You can use block and quarantine policies to restrict access based on user identity, resource tags, spaces, and other attributes.

Example: Restrict Access to a Group

package formal.v2

import future.keywords.if
import future.keywords.in

# Deny by default: a session that no allow rule matches is blocked.
default session := {
  "action": "block"
}

# Allow the session only when the resolved Formal identity belongs to
# the rdp-users group.
session := {
  "action": "allow",
  "reason": "User is in rdp-users group"
} if {
  "rdp-users" in input.user.groups
}