> ## Documentation Index
> Fetch the complete documentation index at: https://docs.formal.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# RDP

> How to connect to an RDP Resource using the Formal Connector

The Formal Connector supports proxying Remote Desktop Protocol (RDP) connections to Windows servers and other RDP-enabled hosts. Connections are authenticated and authorized through Formal's identity and policy system, with full session logging.

## Requirements

### Networking

The Connector listener port used for RDP must be accessible from your client machine. You may assign any port except 8080 (the Connector's health check port). Ensure your security groups are configured to allow traffic on the designated port.

### Native Users

RDP resources require [Native Users](/docs/guides/core-concepts/resources/native_users) configured with the Windows credentials (username and password) of the target host. The Connector uses these credentials to authenticate against the upstream RDP server on behalf of the connecting Formal user.

If the target host is part of a domain, the native user username can use either the UPN format (`user@domain.com`) or the down-level format (`DOMAIN\user`). For standalone hosts, use the local username directly (just `user`).

## Connect to RDP

To connect through the Formal Connector, point your RDP client at the Connector's hostname and listener port. Use your Formal identity as the username.

The username format follows the standard Formal identity convention:

```
idp:formal:human:john@example.com
```

The password should be your Formal access token, available from the Control Plane.

<Warning>
  [FreeRDP](https://www.freerdp.com/) and derived clients don't yet support passwords longer than 512 characters. Since Formal access tokens exceed this limit, you must use [hashed tokens](/docs/guides/core-concepts/identities#using-hashed-access-tokens) instead.
</Warning>

<Tabs>
  <Tab title="Windows (mstsc)">
    Open **Remote Desktop Connection** (`mstsc.exe`) and enter `CONNECTOR_HOSTNAME:CONNECTOR_LISTENER_PORT` in the **Computer** field. Alternatively, launch it from the command line:

    ```bash theme={null}
    mstsc.exe /v:CONNECTOR_HOSTNAME:CONNECTOR_LISTENER_PORT
    ```

    When prompted, enter your Formal identity as the username (e.g. `idp:formal:human:john@example.com`) and your Formal access token as the password.
  </Tab>

  <Tab title="macOS (Windows App)">
    1. Install [Windows App](https://apps.apple.com/app/windows-app/id1295203466) from the Mac App Store
    2. Add a new PC with the address `CONNECTOR_HOSTNAME:CONNECTOR_LISTENER_PORT`
    3. Create a user account with your Formal identity as the username and your Formal access token as the password
    4. Connect to the PC
  </Tab>
</Tabs>

<Note>
  Replace `CONNECTOR_HOSTNAME`, `CONNECTOR_LISTENER_PORT`, and `FORMAL_ACCESS_TOKEN` with the appropriate values for your environment.
</Note>

## Policy Evaluation

Formal supports the following policy evaluation stages for RDP:

* **Session**: Evaluate and enforce policies at connection time

Policies are evaluated after Formal identity resolution and before the connection is forwarded to the upstream RDP server. You can use block and quarantine policies to restrict access based on user identity, resource tags, spaces, and other attributes.

### Example: Restrict Access to a Group

```rego theme={null}
package formal.v2

import future.keywords.if

default session := {
  "action": "block"
}

session := {
  "action": "allow",
  "reason": "User is in rdp-users group"
} if {
  "rdp-users" in input.user.groups
}
```
