Installing a separate client for each access type is not sustainable. A piece of software for VPN, a different client for VDI, a separate tool for RDP, a terminal for SSH, a kubeconfig for Kubernetes, shared password spreadsheets for legacy systems… This model carries the habits of the past, not the security needs of today.
Over time, every laptop turns into a small access mess. Agents accumulate, updates lag behind, support teams wrestle with installation issues, and privileged passwords drift closer to user devices. The organization thinks it is granting access; it is actually distributing control.
And not every device can carry that load. Chromebooks, kiosks, mobile devices, and contractor laptops often cannot run the required clients at all. Exceptions are opened so work does not stop, and temporary workarounds become permanent.
The weakest point of this architecture is audit. Session recording, screen watermarking, clipboard DLP, file-transfer control, and mid-session risk evaluation are not natural parts of access — they get patched in through bolt-on products.
Remote access should not be the sum of separate tools. It should be one identity, one portal, one audit layer, and one secure path.
Five protocols rendered to the browser through a single HTTPS endpoint, with an enterprise audit and policy layer built directly into the gateway.
RDP, VNC, SSH, Kubernetes exec and Telnet are rendered into an HTML5 canvas and terminal inside the user's existing browser. Chromebooks, locked-down workstations, mobile devices, contractor laptops — anywhere with a modern browser becomes a fully capable workstation.
The gateway terminates all five protocols behind a single TLS-protected WebSocket endpoint. Firewall rules collapse to one rule, perimeter exposure drops to one port, and remote teams stop needing UDP, port 3389, or split-tunnel exceptions.
Backend credentials live in a vault and are injected just-in-time when a session starts. The user authenticates to the portal with their own identity and MFA; the gateway pulls the privileged credential at launch and hands it directly to the protocol engine. Rotation, retirement, and per-session secret handling become automatic.
Every session can be recorded as standard MP4, watermarked with the operator identity per frame, and continuously evaluated against policy. Keystrokes and clipboard events are logged with regex-aware masking for passwords and PII. The same gateway that rendered the session also owns its audit trail.
Five protocols, plus the enterprise layer we built on top of them.
Network Level Authentication, TLS-protected sessions, drive redirection, audio and clipboard support, dynamic resolution adjustment, and printer redirection are all native. RemoteApp publishes a single Windows application (an ERP client, AutoCAD, a legacy accounting tool) as a window in the user's browser — no full desktop, no taskbar exposure, no peer applications. Legacy modernization without VDI overhead.
Connects to TightVNC, RealVNC, UltraVNC, x11vnc and any RFB-compatible server. Multiple authentication schemes (password, ARD, VeNCrypt with TLS), bidirectional clipboard, cursor rendering modes, and color-depth tuning for low-bandwidth links. Mac and Linux desktops with built-in screen sharing become first-class portal targets.
Full xterm-compatible terminal with key, agent, password and certificate authentication. SFTP runs over the same SSH connection — a built-in file panel lets users drag-and-drop uploads or pick files for download without leaving the browser. Locale and keyboard layouts are handled natively, and session text can be searched and copied like any web page.
Operators get an interactive shell inside any pod through the Kubernetes API exec endpoint, scoped by namespace and container. There is no kubectl to install, no kubeconfig file to distribute, no service account to leak onto a laptop. RBAC happens once at the portal, audit happens at the gateway, and SREs reach the cluster from any browser.
Some assets still expect Telnet: older Cisco IOS releases that predate SSH, OT/SCADA HMIs, mainframe gateways. The portal handles them with the same rendering, audit, and watermark layer applied to every other protocol. Telnet is opt-in per policy and the operator sees a clear advisory when launching a cleartext protocol.
Privileged credentials for the target system live in the platform vault, never on the user's device. When a session is launched, the gateway pulls the credential, hands it to the protocol engine, and the user is signed in without ever seeing or typing the secret. Rotation runs on the schedule the operator defines — including after every session if the asset requires it.
Recording is configurable per asset, per user group, or per session — administrators decide where it's mandatory (compliance-scoped systems, third-party contractors) and where it's optional. Output is standard H.264 MP4, written to the gateway's local storage with retention controls. Recordings are searchable by user, asset, and timestamp; auditors can replay any session directly in the browser.
Every rendered frame carries a watermark composed from the live session context — operator identity, source IP, asset name, timestamp — using an administrator-defined template. The watermark is rendered server-side into the stream, so a client-side ad blocker or DOM manipulation cannot remove it. It deters screen photography, makes leaked screenshots traceable, and reinforces that every action is observed.
The audit and policy layer that turns clientless access into an enterprise-grade privileged-access control.
Every active session is continuously re-evaluated against the same conditional access policy that authorized it. If the operator's IP shifts country, the endpoint trust score drops, the device leaves managed posture, or behavior turns anomalous, the gateway can disconnect, force a step-up MFA challenge, downgrade the session to read-only, or alert the security team — without waiting for the next login.
Every keystroke, every clipboard event, and every file transfer is logged with session, asset, and timestamp context. Sensitive patterns — password complexity heuristics, credit-card numbers, national identifiers, custom regex — are auto-masked before they reach the log, so the audit trail stays complete without becoming a secondary breach vector.
Clipboard contents flowing between the user's browser and the remote asset are inspected against policy. Administrators allow inbound copy only, deny clipboard altogether on regulated assets, or mask matching patterns inline — for example, redacting credit-card numbers on outbound paste while leaving the rest of the text intact.
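The inline masking described in the two paragraphs above (audit-log masking and clipboard DLP), as an added sketch that is not the product's own code. The function names, the policy labels `deny`, `inbound_only` and `mask`, the reading of "inbound" as browser-to-asset, and the password-assignment pattern are all assumptions made for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed custom rule: the value in "password=..." / "pwd: ..." assignments.
SECRET_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd)(\s*[=:]\s*)(\S+)")

def luhn_ok(digits):
    """Luhn checksum, so order numbers and ticket ids are not redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _mask_card(match):
    raw = match.group()
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # digit run that is not a card number: leave intact
    seen, out = 0, []
    for ch in raw:
        if ch.isdigit():
            seen += 1
            # Keep the last four digits and every separator for readability.
            out.append(ch if seen > len(digits) - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)

def mask(text):
    """Redact card numbers and secret values, leave the rest of the text."""
    text = CARD_RE.sub(_mask_card, text)
    return SECRET_RE.sub(lambda m: m.group(1) + m.group(2) + "[MASKED]", text)

def filter_clipboard(text, direction, policy):
    """Return (text delivered to the other side or None, audit record).
    direction is "to_asset" or "to_browser"; anything not allowed is dropped."""
    if policy == "mask":
        delivered = mask(text)
    elif policy == "inbound_only" and direction == "to_asset":
        delivered = text
    else:  # "deny", wrong direction, or unknown policy: fail closed
        delivered = None
    # The audit record is masked in every case, including blocked transfers.
    audit = {"direction": direction, "policy": policy,
             "blocked": delivered is None, "text": mask(text)}
    return delivered, audit

# Constructed sample: a Luhn-valid test number and a non-card digit run.
SAMPLE = "card 4111 1111 1111 1111, order 1234567890123, pwd: hunter2"
```

The Luhn check is what keeps the 13-digit order number readable while the card number is reduced to its last four digits; a bare digit-count regex would redact both.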
Upload and download are separate permissions, configurable per asset and per role. Size caps, MIME-type allow-lists, virus scanning through the platform's WAAP inspection engine, and per-transfer audit entries turn a normally invisible exfiltration channel into a controlled, observable one.
High-sensitivity assets can require a minimum endpoint trust score from the platform's endpoint trust manager before the launch button activates. A contractor laptop without disk encryption, a personal device missing patches, or a workstation flagged for malware never reaches the launch page for those assets — without the operator having to remember separate rules.
Authorized operators can join a running session as a second viewer — silently for observation, or interactively for guided support. Junior administrators get over-the-shoulder mentoring, security teams investigate suspicious activity in real time, and incident response teams reach the screen without waiting for a recording to be reviewed after the fact.
PCI-DSS, HIPAA, and ISO 27001 scoped systems require every privileged session to be recorded, watermarked, and traceable to a named operator. The portal makes that the default for the assets the auditor cares about, and stays out of the way for the rest.
Contractors get scoped, time-windowed access to specific assets — never the network, never a shared admin password, never a long-lived VPN account. Each session is recorded, watermarked with the contractor's identity, and visible in the support queue for live oversight.
SREs reach any pod across any cluster from any browser, without kubectl installations, kubeconfig sprawl, or per-cluster service-account tokens on laptops. RBAC, audit, and policy live in the portal, not in scattered command-line tooling.
A legacy Windows ERP client publishes through RDP RemoteApp; a Cisco device pre-dating SSH opens over Telnet with mandatory recording; an HMI on a segmented OT network is reachable only through the audited portal. Old assets keep working while access modernizes around them.
Browser-only access to RDP, VNC, SSH, Kubernetes and legacy systems — with recording, watermark, vault, and policy built in. We'll walk through a live deployment on your assets.