All page types are there and look mostly correct

cloud

@@ -0,0 +1,110 @@
+git push origin -d 1.11.0-s.0
+git push origin -d 1.11.0-s.1
+git push origin -d 1.11.0-s.2
+git push origin -d 1.11.0-s.3
+git push origin -d 1.11.0-s.4
+git push origin -d 1.11.0-s.5
+git push origin -d 1.11.1-s.0
+git push origin -d 1.12.0-s.0
+git push origin -d 1.12.2-s.0
+git push origin -d 1.12.2-s.1
+git push origin -d 1.12.2-s.2
+git push origin -d 1.12.2-s.3
+git push origin -d 1.12.2-s.4
+git push origin -d 1.12.2-s.5
+git push origin -d 1.13.0.s.0
+git push origin -d 1.13.1-s.0
+git push origin -d 1.14.0-s.2
+git push origin -d 1.14.1-s.0
+git push origin -d 1.14.1-s.1
+git push origin -d 1.14.1-s.2
+git push origin -d 1.14.1-s.3
+git push origin -d 1.15.0-s.0
+git push origin -d 1.15.0-s.1
+git push origin -d 1.15.0-s.2
+git push origin -d 1.15.0-s.3
+git push origin -d 1.15.0-s.4
+git push origin -d 1.15.0-s.5
+git push origin -d 1.15.1-s.0
+git push origin -d 1.15.1-s.1
+git push origin -d 1.15.3-s.0
+git push origin -d 1.15.3-s.1
+git push origin -d 1.15.4-s.0
+git push origin -d 1.15.4-s.1
+git push origin -d 1.15.4-s.10
+git push origin -d 1.15.4-s.2
+git push origin -d 1.15.4-s.3
+git push origin -d 1.15.4-s.4
+git push origin -d 1.15.4-s.5
+git push origin -d 1.15.4-s.6
+git push origin -d 1.15.4-s.7
+git push origin -d 1.15.4-s.8
+git push origin -d 1.15.4-s.9
+git push origin -d 1.16.0-s.0
+git push origin -d 1.16.0-s.1
+git push origin -d 1.16.1-s.0
+git push origin -d 1.16.1-s.1
+git push origin -d 1.16.2-s.0
+git push origin -d 1.16.2-s.1
+git push origin -d 1.16.2-s.10
+git push origin -d 1.16.2-s.11
+git push origin -d 1.16.2-s.12
+git push origin -d 1.16.2-s.13
+git push origin -d 1.16.2-s.14
+git push origin -d 1.16.2-s.15
+git push origin -d 1.16.2-s.16
+git push origin -d 1.16.2-s.17
+git push origin -d 1.16.2-s.18
+git push origin -d 1.16.2-s.19
+git push origin -d 1.16.2-s.2
+git push origin -d 1.16.2-s.20
+git push origin -d 1.16.2-s.21
+git push origin -d 1.16.2-s.22
+git push origin -d 1.16.2-s.3
+git push origin -d 1.16.2-s.4
+git push origin -d 1.16.2-s.5
+git push origin -d 1.16.2-s.6
+git push origin -d 1.16.2-s.7
+git push origin -d 1.16.2-s.8
+git push origin -d 1.16.2-s.9
+git push origin -d 1.17.0-s.0
+git push origin -d 1.17.0-s.1
+git push origin -d 1.17.0-s.2
+git push origin -d 1.17.0-s.3
+git push origin -d 1.17.0-s.4
+git push origin -d 1.17.1-s.0
+git push origin -d 1.17.1-s.1
+git push origin -d 1.17.1-s.2
+git push origin -d 1.17.1-s.3
+git push origin -d 1.17.1-s.4
+git push origin -d 1.17.1-s.5
+git push origin -d 1.17.1-s.6
+git push origin -d 1.17.1-s.7
+git push origin -d 1.18.0-s.0
+git push origin -d 1.18.0-s.1
+git push origin -d 1.18.0-s.2
+git push origin -d 1.18.1-s.0
+git push origin -d 1.18.1-s.1
+git push origin -d 1.18.1-s.2
+git push origin -d 1.18.1-s.3
+git push origin -d 1.18.1-s.4
+git push origin -d 1.18.1-s.5
+git push origin -d 1.18.1-s.6
+git push origin -d 1.18.1-s.7
+git push origin -d 1.18.2-s.0
+git push origin -d 1.18.2-s.1
+git push origin -d 1.18.2-s.2
+git push origin -d 1.18.2-s.3
+git push origin -d 1.18.2-s.4
+git push origin -d 1.18.2-s.5
+git push origin -d 1.18.3-s.0
+git push origin -d 1.18.3-s.1
+git push origin -d 1.18.3-s.2
+git push origin -d 1.18.3-s.3
+git push origin -d 1.18.4-s.0
+git push origin -d 1.18.4-s.1
+git push origin -d 1.18.4-s.2
+git push origin -d 1.18.4-s.3
+git push origin -d 1.18.4-s.4
+git push origin -d 1.18.4-s.5
+git push origin -d 1.18.4-s.6

messages/en-US.json

@@ -1872,6 +1872,7 @@
     "billingManageLicenseSubscription": "Manage your subscription for paid self-hosted license keys",
     "billingCurrentKeys": "Current Keys",
     "billingModifyCurrentPlan": "Modify Current Plan",
+    "billingManageLicenseSubscriptionDescription": "Manage your subscription for paid self-hosted license keys and download invoices.",
     "billingConfirmUpgrade": "Confirm Upgrade",
     "billingConfirmDowngrade": "Confirm Downgrade",
     "billingConfirmUpgradeDescription": "You are about to upgrade your plan. Review the new limits and pricing below.",
@@ -1969,6 +1970,36 @@
     "timeIsInSeconds": "Time is in seconds",
     "requireDeviceApproval": "Require Device Approvals",
     "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
+    "sshSettings": "SSH Settings",
+    "rdpSettings": "RDP Settings",
+    "vncSettings": "VNC Settings",
+    "sshServer": "SSH Server",
+    "rdpServer": "RDP Server",
+    "vncServer": "VNC Server",
+    "sshServerDescription": "Set up the authentication method, daemon location, and server destination",
+    "rdpServerDescription": "Configure the destination and port of the RDP server",
+    "vncServerDescription": "Configure the destination and port of the VNC server",
+    "sshServerMode": "Mode",
+    "sshServerModeStandard": "Standard SSH Server",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Uses a Pangolin auth daemon to manage SSH authentication on the site or remote host.",
+    "sshServerModeNative": "Native SSH Server",
+    "sshServerModeNativeDescription": "SSH authentication is handled natively by an existing SSH server without a separate auth daemon.",
+    "sshAuthenticationMethod": "Authentication Method",
+    "sshAuthMethodManual": "Manual Authentication",
+    "sshAuthMethodManualDescription": "Requires existing host credentials. Bypasses automatic provisioning.",
+    "sshAuthMethodAutomated": "Automated Provisioning",
+    "sshAuthMethodAutomatedDescription": "Automatically creates users, groups, and sudo permissions on host.",
+    "sshAuthDaemonLocation": "Auth Daemon Location",
+    "sshDaemonLocationSiteDescription": "Executes locally on the machine hosting the site connector.",
+    "sshDaemonLocationRemote": "On Remote Host",
+    "sshDaemonLocationRemoteDescription": "Executes on a separate target machine on the same network.",
+    "sshDaemonDisclaimer": "Ensure your target host is properly configured to run the auth daemon before completing this setup, or provisioning will fail.",
+    "sshDaemonPort": "Daemon Port",
+    "sshServerDestination": "Server Destination",
+    "sshServerDestinationDescription": "Configure the destination and port of the SSH server",
+    "destination": "Destination",
+    "bgTargetMultiSiteDisclaimer": "Selecting multiple sites enables resilient routing and failover for high availability.",
     "sshAccess": "SSH Access",
     "roleAllowSsh": "Allow SSH",
     "roleAllowSshAllow": "Allow",
@@ -2963,7 +2994,7 @@
     "learnMore": "Learn more",
     "backToHome": "Go back to home",
     "needToSignInToOrg": "Need to use your organization's identity provider?",
-    "maintenanceMode": "Maintenance Mode",
+    "maintenanceMode": "Maintenance Page",
     "maintenanceModeDescription": "Display a maintenance page to visitors",
     "maintenanceModeType": "Maintenance Mode Type",
     "showMaintenancePage": "Show a maintenance page to visitors",
@@ -2993,6 +3024,7 @@
     "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
     "createInternalResourceDialogDestinationRequired": "Destination is required",
     "available": "Available",
+    "disabledResourceDescription": "When disabled, the resource will be inaccessible by everyone.",
     "archived": "Archived",
     "noArchivedDevices": "No archived devices found",
     "deviceArchived": "Device archived",

next.config.ts

@@ -5,6 +5,7 @@ const withNextIntl = createNextIntlPlugin();
 
 const nextConfig: NextConfig = {
     reactStrictMode: false,
+    transpilePackages: ["@novnc/novnc"],
     eslint: {
         ignoreDuringBuilds: true
     },

package-lock.json

@@ -11,11 +11,14 @@
             "dependencies": {
                 "@asteasolutions/zod-to-openapi": "8.4.1",
                 "@aws-sdk/client-s3": "3.1011.0",
+                "@devolutions/iron-remote-desktop": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
+                "@devolutions/iron-remote-desktop-rdp": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
                 "@faker-js/faker": "10.3.0",
                 "@headlessui/react": "2.2.9",
                 "@hookform/resolvers": "5.2.2",
                 "@monaco-editor/react": "4.7.0",
                 "@node-rs/argon2": "2.0.2",
+                "@novnc/novnc": "^1.7.0",
                 "@oslojs/crypto": "1.0.1",
                 "@oslojs/encoding": "1.1.0",
                 "@radix-ui/react-avatar": "1.1.11",
@@ -44,6 +47,9 @@
                 "@tailwindcss/forms": "0.5.11",
                 "@tanstack/react-query": "5.90.21",
                 "@tanstack/react-table": "8.21.3",
+                "@xterm/addon-fit": "^0.11.0",
+                "@xterm/addon-web-links": "^0.12.0",
+                "@xterm/xterm": "^6.0.0",
                 "arctic": "3.7.0",
                 "axios": "1.15.0",
                 "better-sqlite3": "11.9.1",
@@ -1058,7 +1064,6 @@
             "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@babel/code-frame": "^7.29.0",
                 "@babel/generator": "^7.29.0",
@@ -1460,6 +1465,16 @@
             "integrity": "sha512-P5LUNhtbj6YfI3iJjw5EL9eUAG6OitD0W3fWQcpQjDRc/QIsL0tRNuO1PcDvPccWL1fSTXXdE1ds+l95DV/OFA==",
             "license": "MIT"
         },
+        "node_modules/@devolutions/iron-remote-desktop": {
+            "version": "0.0.0",
+            "resolved": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
+            "integrity": "sha512-9o7PkCw9fdvGTPs0hgsUJG10QleGgcdsSCw1ekLpUOlVXtWCuiuPH+0bPDFhLWxqbVA+8pyVhwqdOI+t1T3TNA=="
+        },
+        "node_modules/@devolutions/iron-remote-desktop-rdp": {
+            "version": "0.0.0",
+            "resolved": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
+            "integrity": "sha512-O0YVpOJDwUzekH3N2QKj+48WP+56wI0sj4VmaJkGoW5XgyAj2ONn2k3i+vk17Eavx+Vg6vAg3lwYRAOK4kKIDQ=="
+        },
         "node_modules/@dotenvx/dotenvx": {
             "version": "1.54.1",
             "resolved": "https://registry.npmjs.org/@dotenvx/dotenvx/-/dotenvx-1.54.1.tgz",
@@ -2354,7 +2369,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2377,7 +2391,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2400,7 +2413,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2417,7 +2429,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2434,7 +2445,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2451,7 +2461,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2468,7 +2477,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2485,7 +2493,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2502,7 +2509,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2519,7 +2525,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2536,7 +2541,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2553,7 +2557,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2576,7 +2579,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2599,7 +2601,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2622,7 +2623,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2645,7 +2645,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2668,7 +2667,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2691,7 +2689,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2714,7 +2711,6 @@
             "cpu": [
                 "wasm32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
             "optional": true,
             "dependencies": {
@@ -2734,7 +2730,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2754,7 +2749,6 @@
             "cpu": [
                 "ia32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2774,7 +2768,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -3034,7 +3027,6 @@
             "integrity": "sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": "^14.21.3 || >=16"
             },
@@ -3654,6 +3646,12 @@
                 "node": ">=12.4.0"
             }
         },
+        "node_modules/@novnc/novnc": {
+            "version": "1.7.0",
+            "resolved": "https://registry.npmjs.org/@novnc/novnc/-/novnc-1.7.0.tgz",
+            "integrity": "sha512-ucEJOx4T2avIRCleodk7YobZj5O2Ga2AeLfQ69A/yjG9HHba2+PDgwSkN3FttrmG+70ZGx21sElNFouK13RzyA==",
+            "license": "MPL-2.0"
+        },
         "node_modules/@oslojs/asn1": {
             "version": "1.0.0",
             "resolved": "https://registry.npmjs.org/@oslojs/asn1/-/asn1-1.0.0.tgz",
@@ -6981,7 +6979,6 @@
             "resolved": "https://registry.npmjs.org/@react-email/text/-/text-0.1.6.tgz",
             "integrity": "sha512-TYqkioRS45wTR5il3dYk/SbUjjEdhSwh9BtRNB99qNH1pXAwA45H7rAuxehiu8iJQJH0IyIr+6n62gBz9ezmsw==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=20.0.0"
             },
@@ -8442,7 +8439,6 @@
             "version": "5.90.21",
             "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.90.21.tgz",
             "integrity": "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg==",
-            "peer": true,
             "dependencies": {
                 "@tanstack/query-core": "5.90.20"
             },
@@ -8558,7 +8554,6 @@
             "integrity": "sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*"
             }
@@ -8906,7 +8901,6 @@
             "integrity": "sha512-sKYVuV7Sv9fbPIt/442koC7+IIwK5olP1KWeD88e/idgoJqDm3JV/YUiPwkoKK92ylff2MGxSz1CSjsXelx0YA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/body-parser": "*",
                 "@types/express-serve-static-core": "^5.0.0",
@@ -9002,7 +8996,6 @@
             "integrity": "sha512-oX8xrhvpiyRCQkG1MFchB09f+cXftgIXb3a7UUa4Y3wpmZPw5tyZGTLWhlESOLq1Rq6oDlc8npVU2/9xiCuXMA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "undici-types": "~7.18.0"
             }
@@ -9030,7 +9023,6 @@
             "integrity": "sha512-gT+oueVQkqnj6ajGJXblFR4iavIXWsGAFCk3dP4Kki5+a9R4NMt0JARdk6s8cUKcfUoqP5dAtDSLU8xYUTFV+Q==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*",
                 "pg-protocol": "*",
@@ -9056,7 +9048,6 @@
             "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
             "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
             "devOptional": true,
-            "peer": true,
             "dependencies": {
                 "csstype": "^3.2.2"
             }
@@ -9067,7 +9058,6 @@
             "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "peerDependencies": {
                 "@types/react": "^19.2.0"
             }
@@ -9154,7 +9144,8 @@
             "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
             "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
             "license": "MIT",
-            "optional": true
+            "optional": true,
+            "peer": true
         },
         "node_modules/@types/ws": {
             "version": "8.18.1",
@@ -9228,7 +9219,6 @@
             "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@typescript-eslint/scope-manager": "8.56.1",
                 "@typescript-eslint/types": "8.56.1",
@@ -9683,6 +9673,27 @@
                 "win32"
             ]
         },
+        "node_modules/@xterm/addon-fit": {
+            "version": "0.11.0",
+            "resolved": "https://registry.npmjs.org/@xterm/addon-fit/-/addon-fit-0.11.0.tgz",
+            "integrity": "sha512-jYcgT6xtVYhnhgxh3QgYDnnNMYTcf8ElbxxFzX0IZo+vabQqSPAjC3c1wJrKB5E19VwQei89QCiZZP86DCPF7g==",
+            "license": "MIT"
+        },
+        "node_modules/@xterm/addon-web-links": {
+            "version": "0.12.0",
+            "resolved": "https://registry.npmjs.org/@xterm/addon-web-links/-/addon-web-links-0.12.0.tgz",
+            "integrity": "sha512-4Smom3RPyVp7ZMYOYDoC/9eGJJJqYhnPLGGqJ6wOBfB8VxPViJNSKdgRYb8NpaM6YSelEKbA2SStD7lGyqaobw==",
+            "license": "MIT"
+        },
+        "node_modules/@xterm/xterm": {
+            "version": "6.0.0",
+            "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-6.0.0.tgz",
+            "integrity": "sha512-TQwDdQGtwwDt+2cgKDLn0IRaSxYu1tSUjgKarSDkUM0ZNiSRXFpjxEsvc/Zgc5kq5omJ+V0a8/kIM2WD3sMOYg==",
+            "license": "MIT",
+            "workspaces": [
+                "addons/*"
+            ]
+        },
         "node_modules/accepts": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz",
@@ -9702,7 +9713,6 @@
             "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "acorn": "bin/acorn"
             },
@@ -10152,7 +10162,6 @@
             "integrity": "sha512-Ixm8tFfoKKIPYdCCKYTsqv+Fd4IJ0DQqMyEimo+pxUOMUR9cVPlwTrFt9Avu+3cb6Zp3mAzl+t1MrG2fxxKsxw==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@babel/types": "^7.26.0"
             }
@@ -10224,7 +10233,6 @@
             "integrity": "sha512-Ba0KR+Fzxh2jDRhdg6TSH0SJGzb8C0aBY4hR8w8madIdIzzC6Y1+kx5qR6eS1Z+Gy20h6ZU28aeyg0z1VIrShQ==",
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "bindings": "^1.5.0",
                 "prebuild-install": "^7.1.1"
@@ -10353,7 +10361,6 @@
                 }
             ],
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "baseline-browser-mapping": "^2.9.0",
                 "caniuse-lite": "^1.0.30001759",
@@ -11260,7 +11267,6 @@
             "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
             "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
             "license": "ISC",
-            "peer": true,
             "engines": {
                 "node": ">=12"
             }
@@ -11701,6 +11707,7 @@
             "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
             "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
             "license": "(MPL-2.0 OR Apache-2.0)",
+            "peer": true,
             "engines": {
                 "node": ">=20"
             },
@@ -12335,7 +12342,6 @@
             "dev": true,
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "esbuild": "bin/esbuild"
             },
@@ -12421,7 +12427,6 @@
             "integrity": "sha512-COV33RzXZkqhG9P2rZCFl9ZmJ7WL+gQSCRzE7RhkbclbQPtLAWReL7ysA0Sh4c8Im2U9ynybdR56PV0XcKvqaQ==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.8.0",
                 "@eslint-community/regexpp": "^4.12.2",
@@ -12558,7 +12563,6 @@
             "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@rtsao/scc": "^1.1.0",
                 "array-includes": "^3.1.9",
@@ -12952,7 +12956,6 @@
             "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
             "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "accepts": "^2.0.0",
                 "body-parser": "^2.2.1",
@@ -15370,6 +15373,7 @@
             "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.55.1.tgz",
             "integrity": "sha512-jz4x+TJNFHwHtwuV9vA9rMujcZRb0CEilTEwG2rRSpe/A7Jdkuj8xPKttCgOh+v/lkHy7HsZ64oj+q3xoAFl9A==",
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "dompurify": "3.2.7",
                 "marked": "14.0.0"
@@ -15380,6 +15384,7 @@
             "resolved": "https://registry.npmjs.org/marked/-/marked-14.0.0.tgz",
             "integrity": "sha512-uIj4+faQ+MgHgwUW1l2PsPglZLOLOT1uErt06dAPtx2kjteLAkbsd/0FiYg/MGS+i7ZKLb7w2WClxHkzOOuryQ==",
             "license": "MIT",
+            "peer": true,
             "bin": {
                 "marked": "bin/marked.js"
             },
@@ -15468,7 +15473,6 @@
             "resolved": "https://registry.npmjs.org/next/-/next-15.5.15.tgz",
             "integrity": "sha512-VSqCrJwtLVGwAVE0Sb/yikrQfkwkZW9p+lL/J4+xe+G3ZA+QnWPqgcfH1tDUEuk9y+pthzzVFp4L/U8JerMfMQ==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@next/env": "15.5.15",
                 "@swc/helpers": "0.5.15",
@@ -16428,7 +16432,6 @@
             "resolved": "https://registry.npmjs.org/pg/-/pg-8.20.0.tgz",
             "integrity": "sha512-ldhMxz2r8fl/6QkXnBD3CR9/xg694oT6DZQ2s6c/RI28OjtSOpxnPrUCGOBJ46RCUxcWdx3p6kw/xnDHjKvaRA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "pg-connection-string": "^2.12.0",
                 "pg-pool": "^3.13.0",
@@ -16936,7 +16939,6 @@
             "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
             "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=0.10.0"
             }
@@ -16968,7 +16970,6 @@
             "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
             "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "scheduler": "^0.27.0"
             },
@@ -17261,7 +17262,6 @@
             "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.71.2.tgz",
             "integrity": "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=18.0.0"
             },
@@ -18723,8 +18723,7 @@
             "version": "4.2.2",
             "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
             "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/tapable": {
             "version": "2.3.2",
@@ -19199,7 +19198,6 @@
             "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
             "devOptional": true,
             "license": "Apache-2.0",
-            "peer": true,
             "bin": {
                 "tsc": "bin/tsc",
                 "tsserver": "bin/tsserver"
@@ -19627,7 +19625,6 @@
             "resolved": "https://registry.npmjs.org/winston/-/winston-3.19.0.tgz",
             "integrity": "sha512-LZNJgPzfKR+/J3cHkxcpHKpKKvGfDZVPS4hfJCc4cCG0CgYzvlD6yE/S3CIL/Yt91ak327YCpiF/0MyeZHEHKA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@colors/colors": "^1.6.0",
                 "@dabh/diagnostics": "^2.0.8",
@@ -19834,7 +19831,6 @@
             "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
             "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
             "license": "MIT",
-            "peer": true,
             "funding": {
                 "url": "https://github.com/sponsors/colinhacks"
             }

package.json

@@ -34,11 +34,14 @@
     "dependencies": {
         "@asteasolutions/zod-to-openapi": "8.4.1",
         "@aws-sdk/client-s3": "3.1011.0",
+        "@devolutions/iron-remote-desktop": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
+        "@devolutions/iron-remote-desktop-rdp": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
         "@faker-js/faker": "10.3.0",
         "@headlessui/react": "2.2.9",
         "@hookform/resolvers": "5.2.2",
         "@monaco-editor/react": "4.7.0",
         "@node-rs/argon2": "2.0.2",
+        "@novnc/novnc": "^1.7.0",
         "@oslojs/crypto": "1.0.1",
         "@oslojs/encoding": "1.1.0",
         "@radix-ui/react-avatar": "1.1.11",
@@ -67,6 +70,9 @@
         "@tailwindcss/forms": "0.5.11",
         "@tanstack/react-query": "5.90.21",
         "@tanstack/react-table": "8.21.3",
+        "@xterm/addon-fit": "^0.11.0",
+        "@xterm/addon-web-links": "^0.12.0",
+        "@xterm/xterm": "^6.0.0",
         "arctic": "3.7.0",
         "axios": "1.15.0",
         "better-sqlite3": "11.9.1",

server/auth/actions.ts

@@ -158,7 +158,12 @@ export enum ActionsEnum {
     createHealthCheck = "createHealthCheck",
     updateHealthCheck = "updateHealthCheck",
     deleteHealthCheck = "deleteHealthCheck",
-    listHealthChecks = "listHealthChecks"
+    listHealthChecks = "listHealthChecks",
+    createBrowserGatewayTarget = "createBrowserGatewayTarget",
+    updateBrowserGatewayTarget = "updateBrowserGatewayTarget",
+    deleteBrowserGatewayTarget = "deleteBrowserGatewayTarget",
+    getBrowserGatewayTarget = "getBrowserGatewayTarget",
+    listBrowserGatewayTargets = "listBrowserGatewayTargets"
 }
 
 export async function checkUserActionPermission(

server/db/pg/schema/privateSchema.ts

@@ -580,6 +580,24 @@ export const trialNotifications = pgTable("trialNotifications", {
     sentAt: bigint("sentAt", { mode: "number" }).notNull()
 });
 
+export const browserGatewayTarget = pgTable("browserGatewayTarget", {
+    browserGatewayTargetId: serial("browserGatewayTargetId").primaryKey(),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: varchar("authToken").notNull(),
+    type: varchar("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: varchar("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -627,3 +645,6 @@ export type AlertEmailRecipients = InferSelectModel<
 >;
 export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;

server/db/pg/schema/schema.ts

@@ -147,7 +147,6 @@ export const resources = pgTable("resources", {
     headers: text("headers"), // comma-separated list of headers to add to the request
     proxyProtocol: boolean("proxyProtocol").notNull().default(false),
     proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
-
     maintenanceModeEnabled: boolean("maintenanceModeEnabled")
         .notNull()
         .default(false),
@@ -159,7 +158,15 @@ export const resources = pgTable("resources", {
     maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
     postAuthPath: text("postAuthPath"),
     health: varchar("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: boolean("wildcard").notNull().default(false)
+    wildcard: boolean("wildcard").notNull().default(false),
+    browserAccessType: text("browserAccessType").default("http"), // rdp, ssh, http, vnc
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: varchar("authDaemonMode", { length: 32 })
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });
 
 export const labels = pgTable("labels", {
@@ -351,8 +358,11 @@ export const siteResources = pgTable("siteResources", {
     udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
     disableIcmp: boolean("disableIcmp").notNull().default(false),
     authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
     authDaemonMode: varchar("authDaemonMode", { length: 32 })
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
         .default("site"),
     domainId: varchar("domainId").references(() => domains.domainId, {
         onDelete: "set null"

server/db/sqlite/schema/privateSchema.ts

@@ -588,6 +588,26 @@ export const trialNotifications = sqliteTable("trialNotifications", {
     sentAt: integer("sentAt").notNull()
 });
 
+export const browserGatewayTarget = sqliteTable("browserGatewayTarget", {
+    browserGatewayTargetId: integer("browserGatewayTargetId").primaryKey({
+        autoIncrement: true
+    }),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: text("authToken").notNull(),
+    type: text("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: text("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -627,3 +647,6 @@ export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
 export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
 export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;

server/db/sqlite/schema/schema.ts

@@ -180,7 +180,15 @@ export const resources = sqliteTable("resources", {
     maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
     postAuthPath: text("postAuthPath"),
     health: text("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false)
+    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false),
+    browserAccessType: text("browserAccessType").default("http"), // rdp, ssh, http, vnc
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: text("authDaemonMode")
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });
 
 export const labels = sqliteTable("labels", {
@@ -386,8 +394,11 @@ export const siteResources = sqliteTable("siteResources", {
         .notNull()
         .default(false),
     authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
     authDaemonMode: text("authDaemonMode")
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
         .default("site"),
     domainId: text("domainId").references(() => domains.domainId, {
         onDelete: "set null"

server/private/lib/acmeCertSync.ts

@@ -780,9 +780,9 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
             }
         }
 
-        logger.debug(
-            `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
-        );
+        // logger.debug(
+        //     `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
+        // );
 
         for (const domain of allDomains) {
             try {

server/private/lib/traefik/getTraefikConfig.ts

@@ -12,6 +12,7 @@
  */
 
 import {
+    browserGatewayTarget,
     certificates,
     db,
     domainNamespaces,
@@ -277,6 +278,115 @@ export async function getTraefikConfig(
         });
     });
 
+    // Query browser gateway targets for this exit node
+    const browserGatewayRows = await db
+        .select({
+            // Resource fields
+            resourceId: resources.resourceId,
+            resourceName: resources.name,
+            fullDomain: resources.fullDomain,
+            ssl: resources.ssl,
+            subdomain: resources.subdomain,
+            domainId: resources.domainId,
+            enabled: resources.enabled,
+            wildcard: resources.wildcard,
+            domainCertResolver: domains.certResolver,
+            preferWildcardCert: domains.preferWildcardCert,
+            domainNamespaceId: domainNamespaces.domainNamespaceId,
+            // Browser gateway target fields
+            browserGatewayTargetId: browserGatewayTarget.browserGatewayTargetId,
+            bgType: browserGatewayTarget.type,
+            // Site fields
+            siteId: sites.siteId,
+            siteType: sites.type,
+            siteOnline: sites.online,
+            subnet: sites.subnet,
+            siteExitNodeId: sites.exitNodeId
+        })
+        .from(browserGatewayTarget)
+        .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+        .innerJoin(
+            resources,
+            eq(resources.resourceId, browserGatewayTarget.resourceId)
+        )
+        .leftJoin(domains, eq(domains.domainId, resources.domainId))
+        .leftJoin(
+            domainNamespaces,
+            eq(domainNamespaces.domainId, resources.domainId)
+        )
+        .where(
+            and(
+                eq(resources.enabled, true),
+                or(
+                    eq(sites.exitNodeId, exitNodeId),
+                    and(
+                        isNull(sites.exitNodeId),
+                        sql`(${siteTypes.includes("local") ? 1 : 0} = 1)`,
+                        eq(sites.type, "local"),
+                        sql`(${build != "saas" ? 1 : 0} = 1)`
+                    )
+                ),
+                inArray(sites.type, siteTypes)
+            )
+        );
+
+    // Group browser gateway targets by resource
+    type BrowserGatewayResourceEntry = {
+        resourceId: number;
+        name: string;
+        fullDomain: string | null;
+        ssl: boolean | null;
+        subdomain: string | null;
+        domainId: string | null;
+        enabled: boolean | null;
+        wildcard: boolean | null;
+        domainCertResolver: string | null;
+        preferWildcardCert: boolean | null;
+        targets: {
+            browserGatewayTargetId: number;
+            bgType: string;
+            siteId: number;
+            siteType: string;
+            siteOnline: boolean | null;
+            subnet: string | null;
+            siteExitNodeId: number | null;
+        }[];
+    };
+    const browserGatewayResourcesMap = new Map<
+        number,
+        BrowserGatewayResourceEntry
+    >();
+
+    for (const row of browserGatewayRows) {
+        if (filterOutNamespaceDomains && row.domainNamespaceId) {
+            continue;
+        }
+        if (!browserGatewayResourcesMap.has(row.resourceId)) {
+            browserGatewayResourcesMap.set(row.resourceId, {
+                resourceId: row.resourceId,
+                name: sanitize(row.resourceName) || "",
+                fullDomain: row.fullDomain,
+                ssl: row.ssl,
+                subdomain: row.subdomain,
+                domainId: row.domainId,
+                enabled: row.enabled,
+                wildcard: row.wildcard,
+                domainCertResolver: row.domainCertResolver,
+                preferWildcardCert: row.preferWildcardCert,
+                targets: []
+            });
+        }
+        browserGatewayResourcesMap.get(row.resourceId)!.targets.push({
+            browserGatewayTargetId: row.browserGatewayTargetId,
+            bgType: row.bgType,
+            siteId: row.siteId,
+            siteType: row.siteType,
+            siteOnline: row.siteOnline,
+            subnet: row.subnet,
+            siteExitNodeId: row.siteExitNodeId
+        });
+    }
+
     let siteResourcesWithFullDomain: {
         siteResourceId: number;
         fullDomain: string | null;
@@ -324,6 +434,12 @@ export async function getTraefikConfig(
                 domains.add(sr.fullDomain);
             }
         }
+        // Include browser gateway resource domains
+        for (const bgResource of browserGatewayResourcesMap.values()) {
+            if (bgResource.enabled && bgResource.ssl && bgResource.fullDomain) {
+                domains.add(bgResource.fullDomain);
+            }
+        }
         // get the valid certs for these domains
         validCerts = await getValidCertificatesForDomains(domains, true); // we are caching here because this is called often
         // logger.debug(`Valid certs for domains: ${JSON.stringify(validCerts)}`);
@@ -589,7 +705,7 @@ export async function getTraefikConfig(
                             resource.ssl ? entrypointHttps : entrypointHttp
                         ],
                         service: maintenanceServiceName,
-                        rule: `${rule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`))`,
+                        rule: `${rule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`)) `,
                         priority: 2001,
                         ...(resource.ssl ? { tls } : {})
                     };
@@ -925,6 +1041,185 @@ export async function getTraefikConfig(
         }
     }
 
+    // Generate Traefik config for browser gateway resources
+    const browserGatewayPort = 39999;
+    for (const [, bgResource] of browserGatewayResourcesMap.entries()) {
+        if (!bgResource.enabled) continue;
+        if (!bgResource.domainId) continue;
+        if (!bgResource.fullDomain) continue;
+
+        if (!config_output.http.routers) config_output.http.routers = {};
+        if (!config_output.http.services) config_output.http.services = {};
+
+        const fullDomain = bgResource.fullDomain;
+        const additionalMiddlewares =
+            config.getRawConfig().traefik.additional_middlewares || [];
+        const routerMiddlewares = [
+            badgerMiddlewareName,
+            ...additionalMiddlewares
+        ];
+
+        const hostRule = `Host(\`${fullDomain}\`)`;
+
+        // Build TLS config
+        let tls = {};
+        if (!privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) {
+            const domainParts = fullDomain.split(".");
+            let wildCard: string;
+            if (domainParts.length <= 2) {
+                wildCard = `*.${domainParts.join(".")}`;
+            } else {
+                wildCard = `*.${domainParts.slice(1).join(".")}`;
+            }
+            if (!bgResource.subdomain) {
+                wildCard = fullDomain;
+            }
+
+            const globalDefaultResolver =
+                config.getRawConfig().traefik.cert_resolver;
+            const globalDefaultPreferWildcard =
+                config.getRawConfig().traefik.prefer_wildcard_cert;
+            const resolverName = bgResource.domainCertResolver
+                ? bgResource.domainCertResolver.trim()
+                : globalDefaultResolver;
+            const preferWildcard =
+                bgResource.preferWildcardCert !== undefined &&
+                bgResource.preferWildcardCert !== null
+                    ? bgResource.preferWildcardCert
+                    : globalDefaultPreferWildcard;
+
+            tls = {
+                certResolver: resolverName,
+                ...(preferWildcard ? { domains: [{ main: wildCard }] } : {})
+            };
+        } else {
+            const matchingCert = validCerts.find(
+                (cert) => cert.queriedDomain === fullDomain
+            );
+            if (!matchingCert) {
+                logger.debug(
+                    `No matching certificate found for browser gateway domain: ${fullDomain}`
+                );
+                continue;
+            }
+        }
+
+        const bgUiServiceName = `bg-r${bgResource.resourceId}-ui-service`;
+
+        if (bgResource.ssl) {
+            const redirectRouterName = `bg-r${bgResource.resourceId}-redirect`;
+            config_output.http.routers![redirectRouterName] = {
+                entryPoints: [config.getRawConfig().traefik.http_entrypoint],
+                middlewares: [redirectHttpsMiddlewareName],
+                service: bgUiServiceName,
+                rule: hostRule,
+                priority: 100
+            };
+        }
+
+        // Collect online sites for this resource (for any type)
+        const anySiteOnline = bgResource.targets.some((t) => t.siteOnline);
+
+        // Group targets by type and generate per-type websocket routers and services
+        const typeMap = new Map<string, typeof bgResource.targets>();
+        for (const t of bgResource.targets) {
+            if (!typeMap.has(t.bgType)) typeMap.set(t.bgType, []);
+            typeMap.get(t.bgType)!.push(t);
+        }
+
+        for (const [bgType, typedTargets] of typeMap.entries()) {
+            const bgKey = `bg-r${bgResource.resourceId}-${bgType}`;
+            const bgRouterName = `${bgKey}-router`;
+            const bgServiceName = `${bgKey}-service`;
+            const bgRule = `${hostRule} && PathPrefix(\`/gateway/${bgType}\`)`;
+
+            const servers = typedTargets
+                .filter((t) => {
+                    if (!t.siteOnline && anySiteOnline) return false;
+                    if (t.siteType === "newt") return !!t.subnet;
+                    return false; // browser gateway only supported on newt sites
+                })
+                .map((t) => ({
+                    url: `http://${t.subnet!.split("/")[0]}:${browserGatewayPort}`
+                }))
+                .filter((v, i, a) => a.findIndex((u) => u.url === v.url) === i);
+
+            config_output.http.routers![bgRouterName] = {
+                entryPoints: [
+                    bgResource.ssl
+                        ? config.getRawConfig().traefik.https_entrypoint
+                        : config.getRawConfig().traefik.http_entrypoint
+                ],
+                middlewares: routerMiddlewares,
+                service: bgServiceName,
+                rule: bgRule,
+                priority: 110, // highest - websocket path takes precedence
+                ...(bgResource.ssl ? { tls } : {})
+            };
+
+            config_output.http.services![bgServiceName] = {
+                loadBalancer: {
+                    servers
+                }
+            };
+        }
+
+        // UI: serve the browser gateway page from the internal pangolin instance.
+        // The primary type is used for the path rewrite (e.g. /rdp), mirroring
+        // how the maintenance page rewrites everything to /maintenance-screen.
+        const primaryType = typeMap.keys().next().value as string;
+        const internalHost = config.getRawConfig().server.internal_hostname;
+        const internalPort = config.getRawConfig().server.next_port;
+        const uiRewriteMiddlewareName = `bg-r${bgResource.resourceId}-ui-rewrite`;
+        const entrypoint = bgResource.ssl
+            ? config.getRawConfig().traefik.https_entrypoint
+            : config.getRawConfig().traefik.http_entrypoint;
+
+        if (!config_output.http.middlewares) {
+            config_output.http.middlewares = {};
+        }
+
+        config_output.http.middlewares![uiRewriteMiddlewareName] = {
+            replacePathRegex: {
+                regex: "^/(.*)",
+                replacement: `/${primaryType}`
+            }
+        };
+
+        config_output.http.services![bgUiServiceName] = {
+            loadBalancer: {
+                servers: [
+                    {
+                        url: `http://${internalHost}:${internalPort}`
+                    }
+                ]
+            }
+        };
+
+        // Assets router at higher priority so /_next files load without rewrite
+        config_output.http.routers![
+            `bg-r${bgResource.resourceId}-assets-router`
+        ] = {
+            entryPoints: [entrypoint],
+            middlewares: routerMiddlewares,
+            service: bgUiServiceName,
+            rule: `${hostRule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
+            priority: 101,
+            ...(bgResource.ssl ? { tls } : {})
+        };
+
+        // Catch-all router rewrites everything on the domain to /{primaryType}
+        config_output.http.routers![`bg-r${bgResource.resourceId}-ui-router`] =
+            {
+                entryPoints: [entrypoint],
+                middlewares: [...routerMiddlewares, uiRewriteMiddlewareName],
+                service: bgUiServiceName,
+                rule: hostRule,
+                priority: 100,
+                ...(bgResource.ssl ? { tls } : {})
+            };
+    }
+
     // Add Traefik routes for siteResource aliases (HTTP mode + SSL) so that
     // Traefik generates TLS certificates for those domains even when no
     // matching resource exists yet.
@@ -1040,7 +1335,7 @@ export async function getTraefikConfig(
             config_output.http.routers[`${siteResourceRouterName}-assets`] = {
                 entryPoints: [config.getRawConfig().traefik.https_entrypoint],
                 service: siteResourceServiceName,
-                rule: `Host(\`${fullDomain}\`) && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`))`,
+                rule: `Host(\`${fullDomain}\`) && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
                 priority: 101,
                 tls
             };
@@ -1143,7 +1438,7 @@ export async function getTraefikConfig(
                         config.getRawConfig().traefik.https_entrypoint
                     ],
                     service: "landing-service",
-                    rule: `Host(\`${fullDomain}\`) && (PathRegexp(\`^/auth/resource/[^/]+$\`) || PathRegexp(\`^/auth/idp/[0-9]+/oidc/callback\`) || PathPrefix(\`/_next\`) || Path(\`/auth/org\`) || PathRegexp(\`^/__nextjs*\`))`,
+                    rule: `Host(\`${fullDomain}\`) && (PathRegexp(\`^/auth/resource/[^/]+$\`) || PathRegexp(\`^/auth/idp/[0-9]+/oidc/callback\`) || PathPrefix(\`/_next\`) || Path(\`/auth/org\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
                     priority: 203,
                     tls: tls
                 };

server/private/routers/browserGatewayTarget/createBrowserGatewayTarget.ts

@@ -0,0 +1,187 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    newts,
+    resources,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
+import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
+import { generateId } from "@server/auth/sessions/app";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
+});
+
+const bodySchema = z.strictObject({
+    siteId: z.number().int().positive(),
+    type: z.enum(["ssh", "rdp", "vnc"]),
+    destination: z.string().nonempty(),
+    destinationPort: z.number().int().min(1).max(65535)
+});
+
+export type CreateBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "put",
+    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-target",
+    description: "Create a browser gateway target for a resource.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function createBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, resourceId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, type, destination, destinationPort } = parsedBody.data;
+
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!resource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource with ID ${resourceId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
+            .limit(1);
+
+        if (!site) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site with ID ${siteId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const plainToken = generateId(48);
+        const encryptedToken = encrypt(
+            plainToken,
+            config.getRawConfig().server.secret!
+        );
+
+        const [record] = await db
+            .insert(browserGatewayTarget)
+            .values({
+                resourceId,
+                siteId,
+                type,
+                destination,
+                destinationPort,
+                authToken: encryptedToken
+            })
+            .returning();
+
+        if (site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, siteId))
+                .limit(1);
+
+            if (newt) {
+                await sendBrowserGatewayTargets(
+                    newt.newtId,
+                    [record],
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(
+            `Created browser gateway target ${record.browserGatewayTargetId} for resource ${resourceId}`
+        );
+
+        return response<CreateBrowserGatewayTargetResponse>(res, {
+            data: record,
+            success: true,
+            error: false,
+            message: "Browser gateway target created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to create browser gateway target"
+            )
+        );
+    }
+}

server/private/routers/browserGatewayTarget/deleteBrowserGatewayTarget.ts

@@ -0,0 +1,130 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { browserGatewayTarget, db, newts, sites } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { removeBrowserGatewayTarget } from "@server/routers/newt/targets";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+registry.registerPath({
+    method: "delete",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Delete a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function deleteBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const [existing] = await db
+            .select({ bgt: browserGatewayTarget, site: sites })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        await db
+            .delete(browserGatewayTarget)
+            .where(
+                eq(
+                    browserGatewayTarget.browserGatewayTargetId,
+                    browserGatewayTargetId
+                )
+            );
+
+        if (existing.site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, existing.bgt.siteId))
+                .limit(1);
+
+            if (newt) {
+                await removeBrowserGatewayTarget(
+                    newt.newtId,
+                    browserGatewayTargetId,
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(`Deleted browser gateway target ${browserGatewayTargetId}`);
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Browser gateway target deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to delete browser gateway target"
+            )
+        );
+    }
+}

server/private/routers/browserGatewayTarget/getBrowserGatewayTarget.ts

@@ -0,0 +1,109 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+export type GetBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Get a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function getBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const [result] = await db
+            .select({ bgt: browserGatewayTarget })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!result) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        return response<GetBrowserGatewayTargetResponse>(res, {
+            data: result.bgt,
+            success: true,
+            error: false,
+            message: "Browser gateway target retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to retrieve browser gateway target"
+            )
+        );
+    }
+}

server/private/routers/browserGatewayTarget/index.ts

@@ -0,0 +1,18 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./createBrowserGatewayTarget";
+export * from "./updateBrowserGatewayTarget";
+export * from "./deleteBrowserGatewayTarget";
+export * from "./getBrowserGatewayTarget";
+export * from "./listBrowserGatewayTargets";

server/private/routers/browserGatewayTarget/listBrowserGatewayTargets.ts

@@ -0,0 +1,148 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    resources,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
+});
+
+const querySchema = z.object({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.number().int().positive()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.number().int().nonnegative())
+});
+
+export type ListBrowserGatewayTargetsResponse = {
+    targets: BrowserGatewayTarget[];
+    total: number;
+    limit: number;
+    offset: number;
+};
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-targets",
+    description: "List browser gateway targets for a resource.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        query: querySchema
+    },
+    responses: {}
+});
+
+export async function listBrowserGatewayTargets(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, resourceId } = parsedParams.data;
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+
+        const { limit, offset } = parsedQuery.data;
+
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!resource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource with ID ${resourceId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const targets = await db
+            .select()
+            .from(browserGatewayTarget)
+            .where(eq(browserGatewayTarget.resourceId, resourceId))
+            .limit(limit)
+            .offset(offset);
+
+        return response<ListBrowserGatewayTargetsResponse>(res, {
+            data: {
+                targets: targets,
+                total: targets.length,
+                limit,
+                offset
+            },
+            success: true,
+            error: false,
+            message: "Browser gateway targets retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to list browser gateway targets"
+            )
+        );
+    }
+}

server/private/routers/browserGatewayTarget/updateBrowserGatewayTarget.ts

@@ -0,0 +1,180 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    newts,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+const bodySchema = z.strictObject({
+    siteId: z.number().int().positive().optional(),
+    type: z.enum(["ssh", "rdp", "vnc"]).optional(),
+    destination: z.string().nonempty().optional(),
+    destinationPort: z.number().int().min(1).max(65535).optional()
+});
+
+export type UpdateBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Update a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function updateBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, type, destination, destinationPort } = parsedBody.data;
+
+        const [existing] = await db
+            .select({ bgt: browserGatewayTarget, site: sites })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        const updateValues: Partial<BrowserGatewayTarget> = {};
+        if (siteId !== undefined) updateValues.siteId = siteId;
+        if (type !== undefined) updateValues.type = type;
+        if (destination !== undefined) updateValues.destination = destination;
+        if (destinationPort !== undefined)
+            updateValues.destinationPort = destinationPort;
+
+        const [updated] = await db
+            .update(browserGatewayTarget)
+            .set(updateValues)
+            .where(
+                eq(
+                    browserGatewayTarget.browserGatewayTargetId,
+                    browserGatewayTargetId
+                )
+            )
+            .returning();
+
+        const targetSiteId = siteId ?? existing.bgt.siteId;
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(eq(sites.siteId, targetSiteId))
+            .limit(1);
+
+        if (site && site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, targetSiteId))
+                .limit(1);
+
+            if (newt) {
+                await sendBrowserGatewayTargets(
+                    newt.newtId,
+                    [updated],
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(`Updated browser gateway target ${browserGatewayTargetId}`);
+
+        return response<UpdateBrowserGatewayTargetResponse>(res, {
+            data: updated,
+            success: true,
+            error: false,
+            message: "Browser gateway target updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to update browser gateway target"
+            )
+        );
+    }
+}

server/private/routers/external.ts

@@ -31,6 +31,7 @@ import * as siteProvisioning from "#private/routers/siteProvisioning";
 import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
 import * as alertRule from "#private/routers/alertRule";
 import * as healthChecks from "#private/routers/healthChecks";
+import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";
 import * as labels from "#private/routers/labels";
 
 import {
@@ -829,3 +830,48 @@ authenticated.get(
     verifyUserHasAction(ActionsEnum.getTarget),
     healthChecks.getHealthCheckStatusHistory
 );
+
+authenticated.put(
+    "/org/:orgId/resource/:resourceId/browser-gateway-target",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.createBrowserGatewayTarget),
+    browserGatewayTarget.createBrowserGatewayTarget
+);
+
+authenticated.get(
+    "/org/:orgId/resource/:resourceId/browser-gateway-targets",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listBrowserGatewayTargets),
+    browserGatewayTarget.listBrowserGatewayTargets
+);
+
+authenticated.get(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.getBrowserGatewayTarget),
+    browserGatewayTarget.getBrowserGatewayTarget
+);
+
+authenticated.post(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.updateBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
+    browserGatewayTarget.updateBrowserGatewayTarget
+);
+
+authenticated.delete(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.deleteBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
+    browserGatewayTarget.deleteBrowserGatewayTarget
+);

server/private/routers/integration.ts

@@ -16,6 +16,7 @@ import * as org from "#private/routers/org";
 import * as logs from "#private/routers/auditLogs";
 import * as alertEvents from "#private/routers/alertEvents";
 import * as certificates from "#private/routers/certificates";
+import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";
 
 import {
     verifyApiKeyHasAction,
@@ -215,3 +216,43 @@ authenticated.delete(
     logActionAudit(ActionsEnum.removeUserRole),
     user.removeUserRole
 );
+
+authenticated.put(
+    "/org/:orgId/resource/:resourceId/browser-gateway-target",
+    verifyApiKeyOrgAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.createBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.createBrowserGatewayTarget),
+    browserGatewayTarget.createBrowserGatewayTarget
+);
+
+authenticated.get(
+    "/org/:orgId/resource/:resourceId/browser-gateway-targets",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listBrowserGatewayTargets),
+    browserGatewayTarget.listBrowserGatewayTargets
+);
+
+authenticated.get(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.getBrowserGatewayTarget),
+    browserGatewayTarget.getBrowserGatewayTarget
+);
+
+authenticated.post(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyApiKeyOrgAccess,
+    verifyLimits,
+    verifyApiKeyHasAction(ActionsEnum.updateBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
+    browserGatewayTarget.updateBrowserGatewayTarget
+);
+
+authenticated.delete(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.deleteBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
+    browserGatewayTarget.deleteBrowserGatewayTarget
+);

server/private/routers/remoteExitNode/exitNodeReconnectScheduler.ts

@@ -1,202 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import axios from "axios";
-import { db, exitNodes, newts, sites } from "@server/db";
-import { eq } from "drizzle-orm";
-import logger from "@server/logger";
-import redisManager from "#private/lib/redis";
-import { sendToClient } from "#private/routers/ws";
-
-const INITIAL_DELAY_MS = 15 * 1000; // 15 seconds before first check
-const CHECK_INTERVAL_MS = 10 * 1000; // Check every 10 seconds
-const MAX_DURATION_MS = 5 * 60 * 1000; // Give up after 5 minutes
-const REDIS_PENDING_SET = "exit-node-reconnect-pending";
-const REDIS_HASH_PREFIX = "exit-node-reconnect:";
-
-interface PendingReconnect {
-    startTime: number;
-    reachableAt: string;
-}
-
-// In-memory tracking for this node
-const pendingReconnects = new Map<number, PendingReconnect>();
-
-let schedulerInterval: NodeJS.Timeout | null = null;
-
-/**
- * Schedules a reconnect check for newts connected to the given exit node.
- * Called when an exit node transitions from offline to online.
- */
-export async function scheduleExitNodeReconnect(
-    exitNodeId: number,
-    reachableAt: string
-): Promise<void> {
-    logger.info(
-        `Scheduling newt reconnect for exit node ${exitNodeId} (reachableAt: ${reachableAt})`
-    );
-
-    const entry: PendingReconnect = {
-        startTime: Date.now(),
-        reachableAt
-    };
-
-    pendingReconnects.set(exitNodeId, entry);
-
-    // Store in Redis if available for cross-node coordination
-    if (redisManager.isRedisEnabled()) {
-        await redisManager.sadd(REDIS_PENDING_SET, exitNodeId.toString());
-        await redisManager.hset(
-            `${REDIS_HASH_PREFIX}${exitNodeId}`,
-            "startTime",
-            entry.startTime.toString()
-        );
-        await redisManager.hset(
-            `${REDIS_HASH_PREFIX}${exitNodeId}`,
-            "reachableAt",
-            reachableAt
-        );
-    }
-}
-
-/**
- * Starts the background interval that checks pending exit node reconnects.
- */
-export function startExitNodeReconnectScheduler(): void {
-    if (schedulerInterval) {
-        return;
-    }
-
-    schedulerInterval = setInterval(async () => {
-        try {
-            await processPendingReconnects();
-        } catch (error) {
-            logger.error("Error in exit node reconnect scheduler", { error });
-        }
-    }, CHECK_INTERVAL_MS);
-
-    logger.debug("Started exit node reconnect scheduler");
-}
-
-async function processPendingReconnects(): Promise<void> {
-    // Merge in-memory and Redis-tracked pending reconnects
-    const toProcess = new Map(pendingReconnects);
-
-    if (redisManager.isRedisEnabled()) {
-        const redisIds = await redisManager.smembers(REDIS_PENDING_SET);
-        for (const idStr of redisIds) {
-            const id = parseInt(idStr, 10);
-            if (!toProcess.has(id)) {
-                const startTimeStr = await redisManager.hget(
-                    `${REDIS_HASH_PREFIX}${id}`,
-                    "startTime"
-                );
-                const reachableAt = await redisManager.hget(
-                    `${REDIS_HASH_PREFIX}${id}`,
-                    "reachableAt"
-                );
-                if (startTimeStr && reachableAt) {
-                    toProcess.set(id, {
-                        startTime: parseInt(startTimeStr, 10),
-                        reachableAt
-                    });
-                }
-            }
-        }
-    }
-
-    const now = Date.now();
-
-    for (const [exitNodeId, entry] of toProcess) {
-        const elapsed = now - entry.startTime;
-
-        // Give up after max duration
-        if (elapsed >= MAX_DURATION_MS) {
-            logger.warn(
-                `Exit node reconnect check timed out for exit node ${exitNodeId} after 5 minutes`
-            );
-            await removePending(exitNodeId);
-            continue;
-        }
-
-        // Respect initial delay
-        if (elapsed < INITIAL_DELAY_MS) {
-            continue;
-        }
-
-        // Check if the exit node HTTP endpoint is reachable
-        const pingUrl = `${entry.reachableAt}/ping`;
-        try {
-            await axios.get(pingUrl, { timeout: 5000 });
-        } catch {
-            logger.debug(
-                `Exit node ${exitNodeId} not yet reachable at ${pingUrl}`
-            );
-            continue;
-        }
-
-        // Node is reachable — send reconnect to all connected newts
-        logger.info(
-            `Exit node ${exitNodeId} is reachable. Sending newt/wg/reconnect to connected newts.`
-        );
-
-        await sendReconnectToNewts(exitNodeId);
-        await removePending(exitNodeId);
-    }
-}
-
-async function sendReconnectToNewts(exitNodeId: number): Promise<void> {
-    try {
-        const connectedNewts = await db
-            .select({ newtId: newts.newtId })
-            .from(newts)
-            .innerJoin(sites, eq(newts.siteId, sites.siteId))
-            .where(eq(sites.exitNodeId, exitNodeId));
-
-        if (connectedNewts.length === 0) {
-            logger.debug(
-                `No newts found for exit node ${exitNodeId}, nothing to reconnect`
-            );
-            return;
-        }
-
-        logger.info(
-            `Sending newt/wg/reconnect to ${connectedNewts.length} newt(s) for exit node ${exitNodeId}`
-        );
-
-        const reconnectMessage = {
-            type: "newt/wg/reconnect",
-            data: {}
-        };
-
-        await Promise.allSettled(
-            connectedNewts.map(({ newtId }) =>
-                sendToClient(newtId, reconnectMessage)
-            )
-        );
-    } catch (error) {
-        logger.error(
-            `Failed to send reconnect messages for exit node ${exitNodeId}`,
-            { error }
-        );
-    }
-}
-
-async function removePending(exitNodeId: number): Promise<void> {
-    pendingReconnects.delete(exitNodeId);
-
-    if (redisManager.isRedisEnabled()) {
-        await redisManager.srem(REDIS_PENDING_SET, exitNodeId.toString());
-        await redisManager.del(`${REDIS_HASH_PREFIX}${exitNodeId}`);
-    }
-}

server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts

@@ -16,7 +16,6 @@ import { MessageHandler } from "@server/routers/ws";
 import { RemoteExitNode } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";
-import { scheduleExitNodeReconnect } from "./exitNodeReconnectScheduler";
 
 /**
  * Handles ping messages from clients and responds with pong
@@ -38,13 +37,6 @@ export const handleRemoteExitNodePingMessage: MessageHandler = async (
     }
 
     try {
-        // Fetch the current state before updating so we can detect the offline→online transition
-        const [currentExitNode] = await db
-            .select({ online: exitNodes.online, reachableAt: exitNodes.reachableAt })
-            .from(exitNodes)
-            .where(eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId))
-            .limit(1);
-
         // Update the exit node's last ping timestamp
         await db
             .update(exitNodes)
@@ -53,16 +45,6 @@ export const handleRemoteExitNodePingMessage: MessageHandler = async (
                 online: true
             })
             .where(eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId));
-
-        // If the exit node was offline and is now coming online, schedule newt reconnects
-        if (currentExitNode && !currentExitNode.online && currentExitNode.reachableAt) {
-            scheduleExitNodeReconnect(
-                remoteExitNode.exitNodeId,
-                currentExitNode.reachableAt
-            ).catch((error) => {
-                logger.error("Failed to schedule exit node reconnect", { error });
-            });
-        }
     } catch (error) {
         logger.error("Error handling ping message", { error });
     }

server/private/routers/remoteExitNode/index.ts

@@ -22,4 +22,3 @@ export * from "./listRemoteExitNodes";
 export * from "./pickRemoteExitNodeDefaults";
 export * from "./quickStartRemoteExitNode";
 export * from "./offlineChecker";
-export * from "./exitNodeReconnectScheduler";

server/private/routers/ssh/signSshKey.ts

@@ -23,7 +23,8 @@ import {
     roundTripMessageTracker,
     siteResources,
     siteNetworks,
-    userOrgs
+    userOrgs,
+    sites
 } from "@server/db";
 import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
@@ -48,7 +49,8 @@ const bodySchema = z
     .strictObject({
         publicKey: z.string().nonempty(),
         resourceId: z.number().int().positive().optional(),
-        resource: z.string().nonempty().optional() // this is either the nice id or the alias
+        resource: z.string().nonempty().optional(), // this is either the nice id or the alias
+        username: z.string().nonempty().optional()
     })
     .refine(
         (data) => {
@@ -63,19 +65,19 @@ const bodySchema = z
     );
 
 export type SignSshKeyResponse = {
-    certificate: string;
+    certificate?: string;
     messageIds: number[];
-    messageId: number;
+    messageId?: number;
     sshUsername: string;
     sshHost: string;
     resourceId: number;
     siteIds: number[];
     siteId: number;
-    keyId: string;
-    validPrincipals: string[];
-    validAfter: string;
-    validBefore: string;
-    expiresIn: number;
+    keyId?: string;
+    validPrincipals?: string[];
+    validAfter?: string;
+    validBefore?: string;
+    expiresIn?: number;
 };
 
 // registry.registerPath({
@@ -126,7 +128,8 @@ export async function signSshKey(
         const {
             publicKey,
             resourceId,
-            resource: resourceQueryString
+            resource: resourceQueryString,
+            username
         } = parsedBody.data;
         const userId = req.user?.userId;
         const roleIds = req.userOrgRoleIds ?? [];
@@ -174,101 +177,6 @@ export async function signSshKey(
             );
         }
 
-        let usernameToUse;
-        if (!userOrg.pamUsername) {
-            if (req.user?.email) {
-                // Extract username from email (first part before @)
-                usernameToUse = req.user?.email
-                    .split("@")[0]
-                    .replace(/[^a-zA-Z0-9_-]/g, "");
-                if (!usernameToUse) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Unable to extract username from email"
-                        )
-                    );
-                }
-            } else if (req.user?.username) {
-                usernameToUse = req.user.username;
-                // We need to clean out any spaces or special characters from the username to ensure it's valid for SSH certificates
-                usernameToUse = usernameToUse.replace(/[^a-zA-Z0-9_-]/g, "-");
-                if (!usernameToUse) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Username is not valid for SSH certificate"
-                        )
-                    );
-                }
-            } else {
-                return next(
-                    createHttpError(
-                        HttpCode.BAD_REQUEST,
-                        "User does not have a valid email or username for SSH certificate"
-                    )
-                );
-            }
-
-            // prefix with p-
-            usernameToUse = `p-${usernameToUse}`;
-
-            // check if we have a existing user in this org with the same
-            const [existingUserWithSameName] = await db
-                .select()
-                .from(userOrgs)
-                .where(
-                    and(
-                        eq(userOrgs.orgId, orgId),
-                        eq(userOrgs.pamUsername, usernameToUse)
-                    )
-                )
-                .limit(1);
-
-            if (existingUserWithSameName) {
-                let foundUniqueUsername = false;
-                for (let attempt = 0; attempt < 20; attempt++) {
-                    const randomNum = Math.floor(Math.random() * 101); // 0 to 100
-                    const candidateUsername = `${usernameToUse}${randomNum}`;
-
-                    const [existingUser] = await db
-                        .select()
-                        .from(userOrgs)
-                        .where(
-                            and(
-                                eq(userOrgs.orgId, orgId),
-                                eq(userOrgs.pamUsername, candidateUsername)
-                            )
-                        )
-                        .limit(1);
-
-                    if (!existingUser) {
-                        usernameToUse = candidateUsername;
-                        foundUniqueUsername = true;
-                        break;
-                    }
-                }
-
-                if (!foundUniqueUsername) {
-                    return next(
-                        createHttpError(
-                            HttpCode.CONFLICT,
-                            "Unable to generate a unique username for SSH certificate"
-                        )
-                    );
-                }
-            }
-
-            await db
-                .update(userOrgs)
-                .set({ pamUsername: usernameToUse })
-                .where(
-                    and(eq(userOrgs.orgId, orgId), eq(userOrgs.userId, userId))
-                );
-        } else {
-            usernameToUse = userOrg.pamUsername;
-        }
-
         // Get and decrypt the org's CA keys
         const caKeys = await getOrgCAKeys(
             orgId,
@@ -361,90 +269,303 @@ export async function signSshKey(
             );
         }
 
-        const roleRows = await db
-            .select({
-                sshSudoCommands: roles.sshSudoCommands,
-                sshUnixGroups: roles.sshUnixGroups,
-                sshCreateHomeDir: roles.sshCreateHomeDir,
-                sshSudoMode: roles.sshSudoMode
-            })
-            .from(roles)
-            .innerJoin(
-                roleSiteResources,
-                eq(roleSiteResources.roleId, roles.roleId)
-            )
-            .where(
-                and(
-                    inArray(roles.roleId, roleIds),
-                    eq(
-                        roleSiteResources.siteResourceId,
-                        resource.siteResourceId
-                    )
-                )
-            );
-
-        const parsedSudoCommands: string[] = [];
-        const parsedGroupsSet = new Set<string>();
-        let homedir: boolean | null = null;
-        const sudoModeOrder = { none: 0, commands: 1, full: 2 };
-        let sudoMode: "none" | "commands" | "full" = "none";
-        for (const roleRow of roleRows) {
-            try {
-                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
-                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
-            } catch {
-                // skip
-            }
-            try {
-                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
-                if (Array.isArray(grps))
-                    grps.forEach((g: string) => parsedGroupsSet.add(g));
-            } catch {
-                // skip
-            }
-            if (roleRow?.sshCreateHomeDir === true) homedir = true;
-            const m = roleRow?.sshSudoMode ?? "none";
-            if (
-                sudoModeOrder[m as keyof typeof sudoModeOrder] >
-                sudoModeOrder[sudoMode]
-            ) {
-                sudoMode = m as "none" | "commands" | "full";
-            }
-        }
-        const parsedGroups = Array.from(parsedGroupsSet);
-        if (homedir === null && roleRows.length > 0) {
-            homedir = roleRows[0].sshCreateHomeDir ?? null;
-        }
-
-        const sites = await db
+        const sitesFromNetworks = await db
             .select({ siteId: siteNetworks.siteId })
             .from(siteNetworks)
             .where(eq(siteNetworks.networkId, resource.networkId!));
 
-        const siteIds = sites.map((site) => site.siteId);
+        const siteIds = sitesFromNetworks.map((site) => site.siteId);
 
-        // Sign the public key
-        const now = BigInt(Math.floor(Date.now() / 1000));
-        // only valid for 5 minutes
-        const validFor = 300n;
+        let expiresIn: number | undefined;
+        let messageIds: number[] = [];
+        let cert:
+            | {
+                  certificate: string;
+                  keyId: string;
+                  validPrincipals: string[];
+                  validAfter: Date;
+                  validBefore: Date;
+              }
+            | undefined;
+        // if the pam mode is push then we generate the user's pam username and use that or pull it from the userOrgs table
+        // if the mode is passthrough then just use what was provided because the user will log in themselves
+        let usernameToUse;
+        if (resource.pamMode === "push") {
+            if (!userOrg.pamUsername) {
+                if (req.user?.email) {
+                    // Extract username from email (first part before @)
+                    usernameToUse = req.user?.email
+                        .split("@")[0]
+                        .replace(/[^a-zA-Z0-9_-]/g, "");
+                    if (!usernameToUse) {
+                        return next(
+                            createHttpError(
+                                HttpCode.BAD_REQUEST,
+                                "Unable to extract username from email"
+                            )
+                        );
+                    }
+                } else if (req.user?.username) {
+                    usernameToUse = req.user.username;
+                    // We need to clean out any spaces or special characters from the username to ensure it's valid for SSH certificates
+                    usernameToUse = usernameToUse.replace(
+                        /[^a-zA-Z0-9_-]/g,
+                        "-"
+                    );
+                    if (!usernameToUse) {
+                        return next(
+                            createHttpError(
+                                HttpCode.BAD_REQUEST,
+                                "Username is not valid for SSH certificate"
+                            )
+                        );
+                    }
+                } else {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "User does not have a valid email or username for SSH certificate"
+                        )
+                    );
+                }
 
-        const cert = signPublicKey(caKeys.privateKeyPem, publicKey, {
-            keyId: `${usernameToUse}@${resource.niceId}`,
-            validPrincipals: [usernameToUse, resource.niceId],
-            validAfter: now - 60n, // Start 1 min ago for clock skew
-            validBefore: now + validFor
-        });
+                // prefix with p-
+                usernameToUse = `p-${usernameToUse}`;
+
+                // check if we have a existing user in this org with the same
+                const [existingUserWithSameName] = await db
+                    .select()
+                    .from(userOrgs)
+                    .where(
+                        and(
+                            eq(userOrgs.orgId, orgId),
+                            eq(userOrgs.pamUsername, usernameToUse)
+                        )
+                    )
+                    .limit(1);
+
+                if (existingUserWithSameName) {
+                    let foundUniqueUsername = false;
+                    for (let attempt = 0; attempt < 20; attempt++) {
+                        const randomNum = Math.floor(Math.random() * 101); // 0 to 100
+                        const candidateUsername = `${usernameToUse}${randomNum}`;
+
+                        const [existingUser] = await db
+                            .select()
+                            .from(userOrgs)
+                            .where(
+                                and(
+                                    eq(userOrgs.orgId, orgId),
+                                    eq(userOrgs.pamUsername, candidateUsername)
+                                )
+                            )
+                            .limit(1);
+
+                        if (!existingUser) {
+                            usernameToUse = candidateUsername;
+                            foundUniqueUsername = true;
+                            break;
+                        }
+                    }
+
+                    if (!foundUniqueUsername) {
+                        return next(
+                            createHttpError(
+                                HttpCode.CONFLICT,
+                                "Unable to generate a unique username for SSH certificate"
+                            )
+                        );
+                    }
+                }
+
+                await db
+                    .update(userOrgs)
+                    .set({ pamUsername: usernameToUse })
+                    .where(
+                        and(
+                            eq(userOrgs.orgId, orgId),
+                            eq(userOrgs.userId, userId)
+                        )
+                    );
+            } else {
+                usernameToUse = userOrg.pamUsername;
+            }
+
+            const roleRows = await db
+                .select({
+                    sshSudoCommands: roles.sshSudoCommands,
+                    sshUnixGroups: roles.sshUnixGroups,
+                    sshCreateHomeDir: roles.sshCreateHomeDir,
+                    sshSudoMode: roles.sshSudoMode
+                })
+                .from(roles)
+                .innerJoin(
+                    roleSiteResources,
+                    eq(roleSiteResources.roleId, roles.roleId)
+                )
+                .where(
+                    and(
+                        inArray(roles.roleId, roleIds),
+                        eq(
+                            roleSiteResources.siteResourceId,
+                            resource.siteResourceId
+                        )
+                    )
+                );
+
+            const parsedSudoCommands: string[] = [];
+            const parsedGroupsSet = new Set<string>();
+            let homedir: boolean | null = null;
+            const sudoModeOrder = { none: 0, commands: 1, full: 2 };
+            let sudoMode: "none" | "commands" | "full" = "none";
+            for (const roleRow of roleRows) {
+                try {
+                    const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+                    if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
+                } catch {
+                    // skip
+                }
+                try {
+                    const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+                    if (Array.isArray(grps))
+                        grps.forEach((g: string) => parsedGroupsSet.add(g));
+                } catch {
+                    // skip
+                }
+                if (roleRow?.sshCreateHomeDir === true) homedir = true;
+                const m = roleRow?.sshSudoMode ?? "none";
+                if (
+                    sudoModeOrder[m as keyof typeof sudoModeOrder] >
+                    sudoModeOrder[sudoMode]
+                ) {
+                    sudoMode = m as "none" | "commands" | "full";
+                }
+            }
+            const parsedGroups = Array.from(parsedGroupsSet);
+            if (homedir === null && roleRows.length > 0) {
+                homedir = roleRows[0].sshCreateHomeDir ?? null;
+            }
+
+            // Sign the public key
+            const now = BigInt(Math.floor(Date.now() / 1000));
+            // only valid for 5 minutes
+            const validFor = 300n;
+            expiresIn = Number(validFor); // seconds
+
+            const cert = signPublicKey(caKeys.privateKeyPem, publicKey, {
+                keyId: `${usernameToUse}@${resource.niceId}`,
+                validPrincipals: [usernameToUse, resource.niceId],
+                validAfter: now - 60n, // Start 1 min ago for clock skew
+                validBefore: now + validFor
+            });
+
+            const messageIds: number[] = [];
+            for (const siteId of siteIds) {
+                // get the site
+                const [newt] = await db
+                    .select()
+                    .from(newts)
+                    .where(eq(newts.siteId, siteId))
+                    .limit(1);
+
+                if (!newt) {
+                    return next(
+                        createHttpError(
+                            HttpCode.INTERNAL_SERVER_ERROR,
+                            "Site associated with resource not found"
+                        )
+                    );
+                }
+
+                const [message] = await db
+                    .insert(roundTripMessageTracker)
+                    .values({
+                        wsClientId: newt.newtId,
+                        messageType: `newt/pam/connection`,
+                        sentAt: Math.floor(Date.now() / 1000)
+                    })
+                    .returning();
+
+                if (!message) {
+                    return next(
+                        createHttpError(
+                            HttpCode.INTERNAL_SERVER_ERROR,
+                            "Failed to create message tracker entry"
+                        )
+                    );
+                }
+
+                messageIds.push(message.messageId);
+
+                await sendToClient(newt.newtId, {
+                    type: `newt/pam/connection`,
+                    data: {
+                        messageId: message.messageId,
+                        orgId: orgId,
+                        agentPort: resource.authDaemonPort ?? 22123,
+                        authDaemonMode: resource.authDaemonMode, // site, remote, native where native is the pty mode
+                        externalAuthDaemon:
+                            resource.authDaemonMode === "remote", // keep this for backward compatibility but new newts are using the authDaemonMode field
+                        agentHost: resource.destination,
+                        caCert: caKeys.publicKeyOpenSSH,
+                        username: usernameToUse,
+                        niceId: resource.niceId,
+                        metadata: {
+                            sudoMode: sudoMode,
+                            sudoCommands: parsedSudoCommands,
+                            homedir: homedir,
+                            groups: parsedGroups
+                        }
+                    }
+                });
+            }
+        } else if (resource.pamMode === "passthrough") {
+            usernameToUse = username;
+            if (!usernameToUse) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Username must be provided when PAM mode is passthrough"
+                    )
+                );
+            }
+        } else {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Invalid PAM mode configured for resource"
+                )
+            );
+        }
+
+        let sshHost: string | undefined;
+        if (
+            resource.authDaemonMode === "site" ||
+            resource.authDaemonMode === "remote"
+        ) {
+            if (resource.alias && resource.alias != "") {
+                sshHost = resource.alias;
+            } else {
+                sshHost = resource.destination;
+            }
+        } else if (resource.authDaemonMode === "native") {
+            if (siteIds.length > 1) {
+                return next(
+                    createHttpError(
+                        HttpCode.INTERNAL_SERVER_ERROR,
+                        "Multiple sites associated with resource, unable to determine SSH host when in native mode"
+                    )
+                );
+            }
 
-        const messageIds: number[] = [];
-        for (const siteId of siteIds) {
             // get the site
-            const [newt] = await db
+            const [site] = await db
                 .select()
-                .from(newts)
-                .where(eq(newts.siteId, siteId))
+                .from(sites)
+                .where(eq(sites.siteId, siteIds[0]))
                 .limit(1);
 
-            if (!newt) {
+            if (!site) {
                 return next(
                     createHttpError(
                         HttpCode.INTERNAL_SERVER_ERROR,
@@ -453,54 +574,26 @@ export async function signSshKey(
                 );
             }
 
-            const [message] = await db
-                .insert(roundTripMessageTracker)
-                .values({
-                    wsClientId: newt.newtId,
-                    messageType: `newt/pam/connection`,
-                    sentAt: Math.floor(Date.now() / 1000)
-                })
-                .returning();
-
-            if (!message) {
+            if (!site.address) {
                 return next(
                     createHttpError(
                         HttpCode.INTERNAL_SERVER_ERROR,
-                        "Failed to create message tracker entry"
+                        "Site address not configured, unable to determine SSH host when in native mode"
                     )
                 );
             }
 
-            messageIds.push(message.messageId);
-
-            await sendToClient(newt.newtId, {
-                type: `newt/pam/connection`,
-                data: {
-                    messageId: message.messageId,
-                    orgId: orgId,
-                    agentPort: resource.authDaemonPort ?? 22123,
-                    externalAuthDaemon: resource.authDaemonMode === "remote",
-                    agentHost: resource.destination,
-                    caCert: caKeys.publicKeyOpenSSH,
-                    username: usernameToUse,
-                    niceId: resource.niceId,
-                    metadata: {
-                        sudoMode: sudoMode,
-                        sudoCommands: parsedSudoCommands,
-                        homedir: homedir,
-                        groups: parsedGroups
-                    }
-                }
-            });
+            // its the address but split off the cidr if there is one
+            sshHost = site.address.split("/")[0];
         }
 
-        const expiresIn = Number(validFor); // seconds
-
-        let sshHost;
-        if (resource.alias && resource.alias != "") {
-            sshHost = resource.alias;
-        } else {
-            sshHost = resource.destination;
+        if (!sshHost) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Unable to determine SSH host for the resource"
+                )
+            );
         }
 
         await logsDb.insert(actionAuditLog).values({
@@ -527,7 +620,7 @@ export async function signSshKey(
                 : undefined,
             metadata: {
                 resourceName: resource.name,
-                siteId: siteIds[0],
+                siteIds: siteIds,
                 sshUsername: usernameToUse,
                 sshHost: sshHost
             },
@@ -537,18 +630,18 @@ export async function signSshKey(
 
         return response<SignSshKeyResponse>(res, {
             data: {
-                certificate: cert.certificate,
+                certificate: cert?.certificate,
                 messageIds: messageIds,
-                messageId: messageIds[0], // just pick the first one for backward compatibility
+                messageId: messageIds[0], // just pick the first one for backward compatibility with older olms
                 sshUsername: usernameToUse,
-                sshHost: sshHost,
+                sshHost: sshHost, // just pick the first one for backward compatibility with older olms
                 resourceId: resource.siteResourceId,
                 siteIds: siteIds,
-                siteId: siteIds[0], // just pick the first one for backward compatibility
-                keyId: cert.keyId,
-                validPrincipals: cert.validPrincipals,
-                validAfter: cert.validAfter.toISOString(),
-                validBefore: cert.validBefore.toISOString(),
+                siteId: siteIds[0], // just pick the first one for backward compatibility with older olms
+                keyId: cert?.keyId,
+                validPrincipals: cert?.validPrincipals,
+                validAfter: cert?.validAfter.toISOString(),
+                validBefore: cert?.validBefore.toISOString(),
                 expiresIn
             },
             success: true,

server/private/routers/ws/messageHandlers.ts

@@ -14,8 +14,7 @@
 import {
     handleRemoteExitNodeRegisterMessage,
     handleRemoteExitNodePingMessage,
-    startRemoteExitNodeOfflineChecker,
-    startExitNodeReconnectScheduler
+    startRemoteExitNodeOfflineChecker
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
@@ -30,5 +29,4 @@ export const messageHandlers: Record<string, MessageHandler> = {
 
 if (build != "saas") {
     startRemoteExitNodeOfflineChecker(); // this is to handle the offline check for remote exit nodes
-    startExitNodeReconnectScheduler(); // check pending exit node reconnects and notify newts
 }

server/routers/internal.ts

@@ -42,6 +42,8 @@ internalRouter.get("/idp", idp.listIdps);
 
 internalRouter.get("/idp/:idpId", idp.getIdp);
 
+internalRouter.get("/resource/browser-target", resource.getBrowserTarget);
+
 // Gerbil routes
 const gerbilRouter = Router();
 internalRouter.use("/gerbil", gerbilRouter);

server/routers/newt/buildConfiguration.ts

@@ -1,4 +1,6 @@
 import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
     clients,
     clientSiteResourcesAssociationsCache,
     clientSitesAssociationsCache,
@@ -16,6 +18,7 @@ import logger from "@server/logger";
 import { initPeerAddHandshake, updatePeer } from "../olm/peers";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
+import { decrypt } from "@server/lib/crypto";
 import {
     formatEndpoint,
     generateSubnetProxyTargetV2,
@@ -233,6 +236,11 @@ export async function buildTargetConfigurationForNewtClient(
         .from(targetHealthCheck)
         .where(eq(targetHealthCheck.siteId, siteId));
 
+    const allBrowserGatewayTargets = await db
+        .select()
+        .from(browserGatewayTarget)
+        .where(eq(browserGatewayTarget.siteId, siteId));
+
     const { tcpTargets, udpTargets } = allTargets.reduce(
         (acc, target) => {
             // Filter out invalid targets
@@ -304,9 +312,22 @@ export async function buildTargetConfigurationForNewtClient(
         (target) => target !== null
     );
 
+    const serverSecret = config.getRawConfig().server.secret!;
+    const browserGatewayTargets = allBrowserGatewayTargets.map((t) => {
+        const decryptAuthToken = decrypt(t.authToken, serverSecret);
+        return {
+            id: t.browserGatewayTargetId,
+            type: t.type,
+            destination: t.destination,
+            destinationPort: t.destinationPort,
+            authToken: decryptAuthToken
+        };
+    });
+
     return {
         validHealthCheckTargets,
         tcpTargets,
-        udpTargets
+        udpTargets,
+        browserGatewayTargets
     };
 }

server/routers/newt/handleNewtRegisterMessage.ts

@@ -43,8 +43,13 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
 
     const siteId = newt.siteId;
 
-    const { publicKey, pingResults, newtVersion, backwardsCompatible, chainId } =
-        message.data;
+    const {
+        publicKey,
+        pingResults,
+        newtVersion,
+        backwardsCompatible,
+        chainId
+    } = message.data;
     if (!publicKey) {
         logger.warn("Public key not provided");
         return;
@@ -191,8 +196,12 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
             .where(eq(newts.newtId, newt.newtId));
     }
 
-    const { tcpTargets, udpTargets, validHealthCheckTargets } =
-        await buildTargetConfigurationForNewtClient(siteId, newtVersion);
+    const {
+        tcpTargets,
+        udpTargets,
+        validHealthCheckTargets,
+        browserGatewayTargets
+    } = await buildTargetConfigurationForNewtClient(siteId, newtVersion);
 
     logger.debug(
         `Sending health check targets to newt ${newt.newtId}: ${JSON.stringify(validHealthCheckTargets)}`
@@ -212,6 +221,7 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
                     tcp: tcpTargets
                 },
                 healthCheckTargets: validHealthCheckTargets,
+                browserGatewayTargets: browserGatewayTargets,
                 chainId: chainId
             }
         },

server/routers/newt/sync.ts

@@ -9,8 +9,12 @@ import {
 import { canCompress } from "@server/lib/clientVersionChecks";
 
 export async function sendNewtSyncMessage(newt: Newt, site: Site) {
-    const { tcpTargets, udpTargets, validHealthCheckTargets } =
-        await buildTargetConfigurationForNewtClient(site.siteId);
+    const {
+        tcpTargets,
+        udpTargets,
+        validHealthCheckTargets,
+        browserGatewayTargets
+    } = await buildTargetConfigurationForNewtClient(site.siteId);
 
     let exitNode: ExitNode | undefined;
     if (site.exitNodeId) {
@@ -36,7 +40,8 @@ export async function sendNewtSyncMessage(newt: Newt, site: Site) {
                 },
                 healthCheckTargets: validHealthCheckTargets,
                 peers: peers,
-                clientTargets: targets
+                clientTargets: targets,
+                browserGatewayTargets: browserGatewayTargets
             }
         },
         {

server/routers/newt/targets.ts

@@ -1,7 +1,9 @@
-import { Target, TargetHealthCheck } from "@server/db";
+import { BrowserGatewayTarget, Target, TargetHealthCheck } from "@server/db";
 import { sendToClient } from "#dynamic/routers/ws";
 import logger from "@server/logger";
 import { canCompress } from "@server/lib/clientVersionChecks";
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
 
 export async function addTargets(
     newtId: string,
@@ -239,3 +241,55 @@ export async function removeTargets(
         { incrementConfigVersion: true, compress: canCompress(version, "newt") }
     );
 }
+
+export async function sendBrowserGatewayTargets(
+    newtId: string,
+    targets: BrowserGatewayTarget[],
+    version?: string | null
+) {
+    if (targets.length === 0) return;
+
+    const payload = targets.map((t) => {
+        const decryptAuthToken = decrypt(
+            t.authToken,
+            config.getRawConfig().server.secret!
+        );
+        return {
+            id: t.browserGatewayTargetId,
+            resourceId: t.resourceId,
+            siteId: t.siteId,
+            type: t.type,
+            destination: t.destination,
+            destinationPort: t.destinationPort,
+            authToken: decryptAuthToken
+        };
+    });
+
+    await sendToClient(
+        newtId,
+        {
+            type: "newt/browsergateway/add",
+            data: {
+                targets: payload
+            }
+        },
+        { incrementConfigVersion: true, compress: canCompress(version, "newt") }
+    );
+}
+
+export async function removeBrowserGatewayTarget(
+    newtId: string,
+    browserGatewayTargetId: number,
+    version?: string | null
+) {
+    await sendToClient(
+        newtId,
+        {
+            type: "newt/browsergateway/remove",
+            data: {
+                ids: [browserGatewayTargetId]
+            }
+        },
+        { incrementConfigVersion: true, compress: canCompress(version, "newt") }
+    );
+}

server/routers/resource/getBrowserTarget.ts

@@ -0,0 +1,109 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { browserGatewayTarget, db } from "@server/db";
+import { resources, targets } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
+
+const getBrowserTargetSchema = z
+    .object({
+        fullDomain: z.string().min(1, "fullDomain is required")
+    })
+    .strict();
+
+export type GetBrowserTargetResponse = {
+    ip: string;
+    port: number;
+    authToken: string;
+    orgId: string;
+    resourceId: number;
+    niceId: string;
+    pamMode: "passthrough" | "push" | null;
+    authDaemonMode: "site" | "remote" | "native" | null;
+};
+
+export async function getBrowserTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsed = getBrowserTargetSchema.safeParse(req.query);
+        if (!parsed.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsed.error).toString()
+                )
+            );
+        }
+
+        const { fullDomain } = parsed.data;
+
+        logger.info(`Retrieving browser target for domain: ${fullDomain}`);
+
+        const [browserTarget] = await db
+            .select({
+                destination: browserGatewayTarget.destination,
+                destinationPort: browserGatewayTarget.destinationPort,
+                authToken: browserGatewayTarget.authToken,
+                resourceId: resources.resourceId,
+                niceId: resources.niceId,
+                orgId: resources.orgId,
+                pamMode: resources.pamMode,
+                authDaemonMode: resources.authDaemonMode
+            })
+            .from(browserGatewayTarget)
+            .innerJoin(
+                resources,
+                eq(browserGatewayTarget.resourceId, resources.resourceId)
+            )
+            .where(eq(resources.fullDomain, fullDomain))
+            .limit(1);
+
+        const decryptedAuthToken = decrypt(
+            browserTarget.authToken,
+            config.getRawConfig().server.secret!
+        );
+
+        if (!browserTarget) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "No resource found for this domain"
+                )
+            );
+        }
+
+        return response<GetBrowserTargetResponse>(res, {
+            data: {
+                ip: browserTarget.destination,
+                port: browserTarget.destinationPort,
+                authToken: decryptedAuthToken,
+                pamMode: browserTarget.pamMode,
+                authDaemonMode: browserTarget.authDaemonMode,
+                orgId: browserTarget.orgId,
+                resourceId: browserTarget.resourceId,
+                niceId: browserTarget.niceId
+            },
+            success: true,
+            error: false,
+            message: "Browser target retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "An error occurred while retrieving the browser target"
+            )
+        );
+    }
+}

server/routers/resource/index.ts

@@ -33,3 +33,4 @@ export * from "./removeUserFromResource";
 export * from "./listAllResourceNames";
 export * from "./removeEmailFromResourceWhitelist";
 export * from "./getStatusHistory";
+export * from "./getBrowserTarget";

server/routers/resource/listResources.ts

@@ -1,4 +1,5 @@
 import {
+    browserGatewayTarget,
     db,
     labels,
     resourceHeaderAuth,
@@ -145,6 +146,7 @@ export type ResourceWithTargets = {
     headerAuthId: number | null;
     wildcard: boolean;
     health: string | null;
+    browserAccessType: string | null;
     targets: Array<{
         targetId: number;
         ip: string;
@@ -183,7 +185,8 @@ function queryResourcesBase() {
             headerAuthId: resourceHeaderAuth.headerAuthId,
             headerAuthExtendedCompatibilityId:
                 resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId,
-            health: resources.health
+            health: resources.health,
+            browserAccessType: resources.browserAccessType
         })
         .from(resources)
         .leftJoin(
@@ -482,6 +485,30 @@ export async function listResources(
                       )
                       .leftJoin(sites, eq(targets.siteId, sites.siteId));
 
+        const allBgTargetSites =
+            resourceIdList.length === 0
+                ? []
+                : await db
+                      .select({
+                          resourceId: browserGatewayTarget.resourceId,
+                          siteId: browserGatewayTarget.siteId,
+                          siteName: sites.name,
+                          siteNiceId: sites.niceId,
+                          siteOnline: sites.online,
+                          siteType: sites.type
+                      })
+                      .from(browserGatewayTarget)
+                      .where(
+                          inArray(
+                              browserGatewayTarget.resourceId,
+                              resourceIdList
+                          )
+                      )
+                      .leftJoin(
+                          sites,
+                          eq(sites.siteId, browserGatewayTarget.siteId)
+                      );
+
         // avoids TS issues with reduce/never[]
         const map = new Map<number, ResourceWithTargets>();
 
@@ -502,6 +529,7 @@ export async function listResources(
                     protocol: row.protocol,
                     proxyPort: row.proxyPort,
                     wildcard: row.wildcard,
+                    browserAccessType: row.browserAccessType,
                     enabled: row.enabled,
                     domainId: row.domainId,
                     headerAuthId: row.headerAuthId,
@@ -545,6 +573,21 @@ export async function listResources(
                     online: isLocal ? undefined : Boolean(t.siteOnline)
                 });
             }
+            const bgRaw = allBgTargetSites.filter(
+                (t) => t.resourceId === entry.resourceId
+            );
+            for (const t of bgRaw) {
+                if (typeof t.siteId !== "number" || siteById.has(t.siteId)) {
+                    continue;
+                }
+                const isLocal = t.siteType === "local";
+                siteById.set(t.siteId, {
+                    siteId: t.siteId,
+                    siteName: t.siteName ?? "",
+                    siteNiceId: t.siteNiceId ?? "",
+                    online: isLocal ? undefined : Boolean(t.siteOnline)
+                });
+            }
             entry.sites = Array.from(siteById.values());
         }
 

server/routers/resource/updateResource.ts

@@ -24,7 +24,10 @@ import {
 import { registry } from "@server/openApi";
 import { OpenAPITags } from "@server/openApi";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
-import { validateAndConstructDomain, checkWildcardDomainConflict } from "@server/lib/domainUtils";
+import {
+    validateAndConstructDomain,
+    checkWildcardDomainConflict
+} from "@server/lib/domainUtils";
 import { build } from "@server/build";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
@@ -68,7 +71,12 @@ const updateHttpResourceBodySchema = z
         maintenanceTitle: z.string().max(255).nullable().optional(),
         maintenanceMessage: z.string().max(2000).nullable().optional(),
         maintenanceEstimatedTime: z.string().max(100).nullable().optional(),
-        postAuthPath: z.string().nullable().optional()
+        postAuthPath: z.string().nullable().optional(),
+        browserAccessType: z.enum(["http", "ssh", "rdp", "vnc"]).optional(),
+        // SSH settings
+        pamMode: z.enum(["passthrough", "push"]).optional(),
+        authDaemonMode: z.enum(["site", "remote", "native"]).optional(),
+        authDaemonPort: z.int().min(1).max(65535).nullable().optional()
     })
     .refine((data) => Object.keys(data).length > 0, {
         error: "At least one field must be provided for update"

src/app/[orgId]/settings/(private)/billing/page.tsx

@@ -1352,6 +1352,12 @@ export default function BillingPage() {
                                     {t("billingModifyCurrentPlan") ||
                                         "Modify Current Plan"}
                                 </Button>
+                                <p className="text-sm text-muted-foreground mt-2">
+                                    {t(
+                                        "billingManageLicenseSubscriptionDescription"
+                                    ) ||
+                                        "Manage your subscription for paid self-hosted license keys and download invoices."}
+                                </p>
                             </div>
                         </div>
                     </SettingsSectionBody>

src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx

@@ -507,7 +507,9 @@ export default function GeneralForm() {
                     name: data.name,
                     niceId: data.niceId,
                     subdomain: data.subdomain
-                        ? toASCII(finalizeSubdomainSanitize(data.subdomain, true))
+                        ? toASCII(
+                              finalizeSubdomainSanitize(data.subdomain, true)
+                          )
                         : undefined,
                     domainId: data.domainId,
                     proxyPort: data.proxyPort
@@ -555,13 +557,15 @@ export default function GeneralForm() {
     return (
         <>
             <SettingsContainer>
-                {resource?.resourceId && resource?.orgId && (
-                    <UptimeAlertSection
-                        orgId={resource.orgId}
-                        resourceId={resource.resourceId}
-                        startingName={resource.name}
-                    />
-                )}
+                {resource?.resourceId &&
+                    resource?.orgId &&
+                    resource.browserAccessType == "http" && (
+                        <UptimeAlertSection
+                            orgId={resource.orgId}
+                            resourceId={resource.resourceId}
+                            startingName={resource.name}
+                        />
+                    )}
                 <SettingsSection>
                     <SettingsSectionHeader>
                         <SettingsSectionTitle>
@@ -580,43 +584,44 @@ export default function GeneralForm() {
                                     className="space-y-4"
                                     id="general-settings-form"
                                 >
-                                    <FormField
-                                        control={form.control}
-                                        name="name"
-                                        render={({ field }) => (
-                                            <FormItem>
-                                                <FormLabel>
-                                                    {t("name")}
-                                                </FormLabel>
-                                                <FormControl>
-                                                    <Input {...field} />
-                                                </FormControl>
-                                                <FormMessage />
-                                            </FormItem>
-                                        )}
-                                    />
+                                    <div className="grid grid-cols-2 gap-4">
+                                        <FormField
+                                            control={form.control}
+                                            name="name"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("name")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input {...field} />
+                                                    </FormControl>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
 
-                                    <FormField
-                                        control={form.control}
-                                        name="niceId"
-                                        render={({ field }) => (
-                                            <FormItem>
-                                                <FormLabel>
-                                                    {t("identifier")}
-                                                </FormLabel>
-                                                <FormControl>
-                                                    <Input
-                                                        {...field}
-                                                        placeholder={t(
-                                                            "enterIdentifier"
-                                                        )}
-                                                        className="flex-1"
-                                                    />
-                                                </FormControl>
-                                                <FormMessage />
-                                            </FormItem>
-                                        )}
-                                    />
+                                        <FormField
+                                            control={form.control}
+                                            name="niceId"
+                                            render={({ field }) => (
+                                                <FormItem>
+                                                    <FormLabel>
+                                                        {t("identifier")}
+                                                    </FormLabel>
+                                                    <FormControl>
+                                                        <Input
+                                                            {...field}
+                                                            placeholder={t(
+                                                                "enterIdentifier"
+                                                            )}
+                                                        />
+                                                    </FormControl>
+                                                    <FormMessage />
+                                                </FormItem>
+                                            )}
+                                        />
+                                    </div>
 
                                     {!resource.http && (
                                         <>
@@ -726,28 +731,31 @@ export default function GeneralForm() {
                                         control={form.control}
                                         name="enabled"
                                         render={() => (
-                                            <FormItem className="col-span-2">
-                                                <div className="flex items-center space-x-2">
-                                                    <FormControl>
-                                                        <SwitchInput
-                                                            id="enable-resource"
-                                                            defaultChecked={
-                                                                resource.enabled
-                                                            }
-                                                            label={t(
-                                                                "resourceEnable"
-                                                            )}
-                                                            onCheckedChange={(
+                                            <FormItem>
+                                                <FormControl>
+                                                    <SwitchInput
+                                                        id="enable-resource"
+                                                        defaultChecked={
+                                                            resource.enabled
+                                                        }
+                                                        label={t(
+                                                            "resourceEnable"
+                                                        )}
+                                                        onCheckedChange={(
+                                                            val
+                                                        ) =>
+                                                            form.setValue(
+                                                                "enabled",
                                                                 val
-                                                            ) =>
-                                                                form.setValue(
-                                                                    "enabled",
-                                                                    val
-                                                                )
-                                                            }
-                                                        />
-                                                    </FormControl>
-                                                </div>
+                                                            )
+                                                        }
+                                                    />
+                                                </FormControl>
+                                                <FormDescription>
+                                                    {t(
+                                                        "disabledResourceDescription"
+                                                    )}
+                                                </FormDescription>
                                                 <FormMessage />
                                             </FormItem>
                                         )}

src/app/[orgId]/settings/resources/proxy/[niceId]/http/page.tsx

@@ -121,6 +121,10 @@ export default function ReverseProxyTargetsPage(props: {
     const params = use(props.params);
     const { resource, updateResource } = useResourceContext();
 
+    const [targetMode, setTargetMode] = useState<
+        "http" | "ssh" | "rdp" | "vnc"
+    >((resource.browserAccessType as "http" | "ssh" | "rdp" | "vnc") || "http");
+
     const { data: remoteTargets = [], isLoading: isLoadingTargets } = useQuery(
         resourceQueries.resourceTargets({
             resourceId: resource.resourceId
@@ -137,9 +141,12 @@ export default function ReverseProxyTargetsPage(props: {
                 orgId={params.orgId}
                 initialTargets={remoteTargets}
                 resource={resource}
+                targetMode={targetMode}
+                setTargetMode={setTargetMode}
+                updateResource={updateResource}
             />
 
-            {resource.http && (
+            {resource.http && targetMode === "http" && (
                 <ProxyResourceHttpForm
                     resource={resource}
                     updateResource={updateResource}
@@ -159,11 +166,17 @@ export default function ReverseProxyTargetsPage(props: {
 function ProxyResourceTargetsForm({
     orgId,
     initialTargets,
-    resource
+    resource,
+    targetMode,
+    setTargetMode,
+    updateResource
 }: {
     initialTargets: LocalTarget[];
     orgId: string;
     resource: GetResourceResponse;
+    targetMode: "http" | "ssh" | "rdp" | "vnc";
+    setTargetMode: (mode: "http" | "ssh" | "rdp" | "vnc") => void;
+    updateResource: ResourceContextType["updateResource"];
 }) {
     const t = useTranslations();
     const api = createApiClient(useEnvContext());
@@ -201,6 +214,11 @@ function ProxyResourceTargetsForm({
     const [selectedTargetForHealthCheck, setSelectedTargetForHealthCheck] =
         useState<LocalTarget | null>(null);
 
+    const [bgDestination, setBgDestination] = useState("");
+    const [bgDestinationPort, setBgDestinationPort] = useState("");
+    const [bgSiteId, setBgSiteId] = useState<number | null>(null);
+    const [bgTargetId, setBgTargetId] = useState<number | null>(null);
+
     const initializeDockerForSite = async (siteId: number) => {
         if (dockerStates.has(siteId)) {
             return; // Already initialized
@@ -270,6 +288,41 @@ function ProxyResourceTargetsForm({
         })
     );
 
+    const { data: bgTargetsResponse } = useQuery({
+        queryKey: ["browserGatewayTargets", resource.resourceId, orgId],
+        queryFn: async () => {
+            const res = await api.get(
+                `/org/${orgId}/resource/${resource.resourceId}/browser-gateway-targets`
+            );
+            return res.data.data as {
+                targets: Array<{
+                    browserGatewayTargetId: number;
+                    resourceId: number;
+                    siteId: number;
+                    type: string;
+                    destination: string;
+                    destinationPort: number;
+                }>;
+            };
+        }
+    });
+
+    useEffect(() => {
+        if (!bgTargetsResponse?.targets?.length) return;
+        const bgt = bgTargetsResponse.targets[0];
+        setTargetMode(bgt.type as "ssh" | "rdp" | "vnc");
+        setBgDestination(bgt.destination);
+        setBgDestinationPort(String(bgt.destinationPort));
+        setBgSiteId(bgt.siteId);
+        setBgTargetId(bgt.browserGatewayTargetId);
+    }, [bgTargetsResponse]);
+
+    useEffect(() => {
+        if (sites.length > 0 && bgSiteId === null) {
+            setBgSiteId(sites[0].siteId);
+        }
+    }, [sites, bgSiteId]);
+
     const updateTarget = useCallback(
         (targetId: number, data: Partial<LocalTarget>) => {
             setTargets((prevTargets) => {
@@ -356,7 +409,7 @@ function ProxyResourceTargetsForm({
                     }
                 };
 
-                   return (
+                return (
                     <div className="flex items-center justify-center w-full">
                         {row.original.siteType === "newt" ? (
                             <Button
@@ -375,7 +428,6 @@ function ProxyResourceTargetsForm({
                                     {getStatusText(status)}
                                 </div>
                             </Button>
-
                         ) : (
                             <span>-</span>
                         )}
@@ -404,9 +456,15 @@ function ProxyResourceTargetsForm({
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId,
-                                        config.path === null && config.pathMatchType === null
-                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                    updateTarget(
+                                        row.original.targetId,
+                                        config.path === null &&
+                                            config.pathMatchType === null
+                                            ? {
+                                                  ...config,
+                                                  rewritePath: null,
+                                                  rewritePathType: null
+                                              }
                                             : config
                                     )
                                 }
@@ -432,9 +490,15 @@ function ProxyResourceTargetsForm({
                                     pathMatchType: row.original.pathMatchType
                                 }}
                                 onChange={(config) =>
-                                    updateTarget(row.original.targetId,
-                                        config.path === null && config.pathMatchType === null
-                                            ? { ...config, rewritePath: null, rewritePathType: null }
+                                    updateTarget(
+                                        row.original.targetId,
+                                        config.path === null &&
+                                            config.pathMatchType === null
+                                            ? {
+                                                  ...config,
+                                                  rewritePath: null,
+                                                  rewritePathType: null
+                                              }
                                             : config
                                     )
                                 }
@@ -717,6 +781,55 @@ function ProxyResourceTargetsForm({
     const [, formAction, isSubmitting] = useActionState(saveTargets, null);
 
     async function saveTargets() {
+        if (targetMode !== "http") {
+            try {
+                if (!bgDestination || !bgDestinationPort) {
+                    if (bgTargetId) {
+                        await api.delete(
+                            `/org/${orgId}/browser-gateway-target/${bgTargetId}`
+                        );
+                        setBgTargetId(null);
+                    }
+                } else if (bgTargetId) {
+                    await api.post(
+                        `/org/${orgId}/browser-gateway-target/${bgTargetId}`,
+                        {
+                            type: targetMode,
+                            destination: bgDestination,
+                            destinationPort: Number(bgDestinationPort),
+                            siteId: bgSiteId
+                        }
+                    );
+                } else {
+                    const res = await api.put(
+                        `/org/${orgId}/resource/${resource.resourceId}/browser-gateway-target`,
+                        {
+                            siteId: bgSiteId ?? sites[0]?.siteId,
+                            type: targetMode,
+                            destination: bgDestination,
+                            destinationPort: Number(bgDestinationPort)
+                        }
+                    );
+                    setBgTargetId(res.data.data.browserGatewayTargetId);
+                }
+                toast({
+                    title: t("settingsUpdated"),
+                    description: t("settingsUpdatedDescription")
+                });
+            } catch (err) {
+                console.error(err);
+                toast({
+                    variant: "destructive",
+                    title: t("settingsErrorUpdate"),
+                    description: formatAxiosError(
+                        err,
+                        t("settingsErrorUpdateDescription")
+                    )
+                });
+            }
+            return;
+        }
+
         // Validate that no targets have blank IPs or invalid ports
         const targetsWithInvalidFields = targets.filter(
             (target) =>
@@ -791,12 +904,14 @@ function ProxyResourceTargetsForm({
             }
 
             toast({
-                title: targets.length === 0
-                    ? t("targetTargetsCleared")
-                    : t("settingsUpdated"),
-                description: targets.length === 0
-                    ? t("targetTargetsClearedDescription")
-                    : t("settingsUpdatedDescription")
+                title:
+                    targets.length === 0
+                        ? t("targetTargetsCleared")
+                        : t("settingsUpdated"),
+                description:
+                    targets.length === 0
+                        ? t("targetTargetsClearedDescription")
+                        : t("settingsUpdatedDescription")
             });
 
             setTargetsToRemove([]);
@@ -829,102 +944,187 @@ function ProxyResourceTargetsForm({
                     </SettingsSectionDescription>
                 </SettingsSectionHeader>
                 <SettingsSectionBody>
-                    {targets.length > 0 ? (
+                    <div className="flex items-center gap-3 mb-4">
+                        <span className="text-sm font-medium">Target Type</span>
+                        <Select
+                            value={targetMode}
+                            onValueChange={async (v) => {
+                                const mode = v as
+                                    | "http"
+                                    | "ssh"
+                                    | "rdp"
+                                    | "vnc";
+                                setTargetMode(mode);
+                                try {
+                                    await api.post(
+                                        `/resource/${resource.resourceId}`,
+                                        { browserAccessType: mode }
+                                    );
+                                    updateResource({ browserAccessType: mode });
+                                } catch (err) {
+                                    toast({
+                                        variant: "destructive",
+                                        title: t("settingsErrorUpdate"),
+                                        description: formatAxiosError(
+                                            err,
+                                            t("settingsErrorUpdateDescription")
+                                        )
+                                    });
+                                }
+                            }}
+                        >
+                            <SelectTrigger className="w-36">
+                                <SelectValue />
+                            </SelectTrigger>
+                            <SelectContent>
+                                <SelectItem value="http">HTTP</SelectItem>
+                                <SelectItem value="ssh">SSH</SelectItem>
+                                <SelectItem value="rdp">RDP</SelectItem>
+                                <SelectItem value="vnc">VNC</SelectItem>
+                            </SelectContent>
+                        </Select>
+                    </div>
+                    {targetMode === "http" ? (
                         <>
-                            <div className="overflow-x-auto">
-                                <Table>
-                                    <TableHeader>
-                                        {table
-                                            .getHeaderGroups()
-                                            .map((headerGroup) => (
-                                                <TableRow key={headerGroup.id}>
-                                                    {headerGroup.headers.map(
-                                                        (header) => {
-                                                            const isActionsColumn =
-                                                                header.column
-                                                                    .id ===
-                                                                "actions";
-                                                            return (
-                                                                <TableHead
-                                                                    key={
-                                                                        header.id
-                                                                    }
-                                                                    className={
-                                                                        isActionsColumn
-                                                                            ? "sticky right-0 z-10 w-auto min-w-fit bg-card"
-                                                                            : ""
-                                                                    }
-                                                                >
-                                                                    {header.isPlaceholder
-                                                                        ? null
-                                                                        : flexRender(
-                                                                              header
-                                                                                  .column
-                                                                                  .columnDef
-                                                                                  .header,
-                                                                              header.getContext()
-                                                                          )}
-                                                                </TableHead>
-                                                            );
-                                                        }
-                                                    )}
-                                                </TableRow>
-                                            ))}
-                                    </TableHeader>
-                                    <TableBody>
-                                        {table.getRowModel().rows?.length ? (
-                                            table
-                                                .getRowModel()
-                                                .rows.map((row) => (
-                                                    <TableRow key={row.id}>
-                                                        {row
-                                                            .getVisibleCells()
-                                                            .map((cell) => {
-                                                                const isActionsColumn =
-                                                                    cell.column
-                                                                        .id ===
-                                                                    "actions";
-                                                                return (
-                                                                    <TableCell
-                                                                        key={
-                                                                            cell.id
-                                                                        }
-                                                                        className={
-                                                                            isActionsColumn
-                                                                                ? "sticky right-0 z-10 w-auto min-w-fit bg-card"
-                                                                                : ""
-                                                                        }
-                                                                    >
-                                                                        {flexRender(
+                            {targets.length > 0 ? (
+                                <>
+                                    <div className="overflow-x-auto">
+                                        <Table>
+                                            <TableHeader>
+                                                {table
+                                                    .getHeaderGroups()
+                                                    .map((headerGroup) => (
+                                                        <TableRow
+                                                            key={headerGroup.id}
+                                                        >
+                                                            {headerGroup.headers.map(
+                                                                (header) => {
+                                                                    const isActionsColumn =
+                                                                        header
+                                                                            .column
+                                                                            .id ===
+                                                                        "actions";
+                                                                    return (
+                                                                        <TableHead
+                                                                            key={
+                                                                                header.id
+                                                                            }
+                                                                            className={
+                                                                                isActionsColumn
+                                                                                    ? "sticky right-0 z-10 w-auto min-w-fit bg-card"
+                                                                                    : ""
+                                                                            }
+                                                                        >
+                                                                            {header.isPlaceholder
+                                                                                ? null
+                                                                                : flexRender(
+                                                                                      header
+                                                                                          .column
+                                                                                          .columnDef
+                                                                                          .header,
+                                                                                      header.getContext()
+                                                                                  )}
+                                                                        </TableHead>
+                                                                    );
+                                                                }
+                                                            )}
+                                                        </TableRow>
+                                                    ))}
+                                            </TableHeader>
+                                            <TableBody>
+                                                {table.getRowModel().rows
+                                                    ?.length ? (
+                                                    table
+                                                        .getRowModel()
+                                                        .rows.map((row) => (
+                                                            <TableRow
+                                                                key={row.id}
+                                                            >
+                                                                {row
+                                                                    .getVisibleCells()
+                                                                    .map(
+                                                                        (
                                                                             cell
-                                                                                .column
-                                                                                .columnDef
-                                                                                .cell,
-                                                                            cell.getContext()
-                                                                        )}
-                                                                    </TableCell>
-                                                                );
-                                                            })}
+                                                                        ) => {
+                                                                            const isActionsColumn =
+                                                                                cell
+                                                                                    .column
+                                                                                    .id ===
+                                                                                "actions";
+                                                                            return (
+                                                                                <TableCell
+                                                                                    key={
+                                                                                        cell.id
+                                                                                    }
+                                                                                    className={
+                                                                                        isActionsColumn
+                                                                                            ? "sticky right-0 z-10 w-auto min-w-fit bg-card"
+                                                                                            : ""
+                                                                                    }
+                                                                                >
+                                                                                    {flexRender(
+                                                                                        cell
+                                                                                            .column
+                                                                                            .columnDef
+                                                                                            .cell,
+                                                                                        cell.getContext()
+                                                                                    )}
+                                                                                </TableCell>
+                                                                            );
+                                                                        }
+                                                                    )}
+                                                            </TableRow>
+                                                        ))
+                                                ) : (
+                                                    <TableRow>
+                                                        <TableCell
+                                                            colSpan={
+                                                                columns.length
+                                                            }
+                                                            className="h-24 text-center"
+                                                        >
+                                                            {t("targetNoOne")}
+                                                        </TableCell>
                                                     </TableRow>
-                                                ))
-                                        ) : (
-                                            <TableRow>
-                                                <TableCell
-                                                    colSpan={columns.length}
-                                                    className="h-24 text-center"
+                                                )}
+                                            </TableBody>
+                                            {/* <TableCaption> */}
+                                            {/*     {t('targetNoOneDescription')} */}
+                                            {/* </TableCaption> */}
+                                        </Table>
+                                    </div>
+                                    <div className="flex items-center justify-between mb-4">
+                                        <div className="flex items-center justify-between w-full gap-2">
+                                            <Button
+                                                onClick={addNewTarget}
+                                                variant="outline"
+                                            >
+                                                <Plus className="h-4 w-4 mr-2" />
+                                                {t("addTarget")}
+                                            </Button>
+                                            <div className="flex items-center gap-2">
+                                                <Switch
+                                                    id="advanced-mode-toggle"
+                                                    checked={isAdvancedMode}
+                                                    onCheckedChange={
+                                                        setIsAdvancedMode
+                                                    }
+                                                />
+                                                <label
+                                                    htmlFor="advanced-mode-toggle"
+                                                    className="text-sm"
                                                 >
-                                                    {t("targetNoOne")}
-                                                </TableCell>
-                                            </TableRow>
-                                        )}
-                                    </TableBody>
-                                    {/* <TableCaption> */}
-                                    {/*     {t('targetNoOneDescription')} */}
-                                    {/* </TableCaption> */}
-                                </Table>
-                            </div>
-                            <div className="flex items-center justify-between mb-4">
-                                <div className="flex items-center justify-between w-full gap-2">
+                                                    {t("advancedMode")}
+                                                </label>
+                                            </div>
+                                        </div>
+                                    </div>
+                                </>
+                            ) : (
+                                <div className="text-center py-8 border-2 border-dashed border-muted rounded-lg p-4">
+                                    <p className="text-muted-foreground mb-4">
+                                        {t("targetNoOne")}
+                                    </p>
                                     <Button
                                         onClick={addNewTarget}
                                         variant="outline"
@@ -932,50 +1132,91 @@ function ProxyResourceTargetsForm({
                                         <Plus className="h-4 w-4 mr-2" />
                                         {t("addTarget")}
                                     </Button>
-                                    <div className="flex items-center gap-2">
-                                        <Switch
-                                            id="advanced-mode-toggle"
-                                            checked={isAdvancedMode}
-                                            onCheckedChange={setIsAdvancedMode}
-                                        />
-                                        <label
-                                            htmlFor="advanced-mode-toggle"
-                                            className="text-sm"
-                                        >
-                                            {t("advancedMode")}
-                                        </label>
-                                    </div>
                                 </div>
-                            </div>
+                            )}
+                            {build === "saas" &&
+                                targets.length > 1 &&
+                                new Set(targets.map((t) => t.siteId)).size >
+                                    1 && (
+                                    <p className="text-sm text-muted-foreground mt-3">
+                                        {t("proxyMultiSiteRoundRobinNodeHelp")}{" "}
+                                        <a
+                                            href="https://docs.pangolin.net/manage/resources/public/targets#distributing-sites-load-across-servers"
+                                            target="_blank"
+                                            rel="noopener noreferrer"
+                                            className="text-primary hover:underline inline-flex items-center gap-1"
+                                        >
+                                            {t("learnMore")}
+                                            <ExternalLink className="size-3.5 shrink-0" />
+                                        </a>
+                                        .
+                                    </p>
+                                )}
                         </>
                     ) : (
-                        <div className="text-center py-8 border-2 border-dashed border-muted rounded-lg p-4">
-                            <p className="text-muted-foreground mb-4">
-                                {t("targetNoOne")}
-                            </p>
-                            <Button onClick={addNewTarget} variant="outline">
-                                <Plus className="h-4 w-4 mr-2" />
-                                {t("addTarget")}
-                            </Button>
+                        <div className="space-y-4">
+                            <div className="grid grid-cols-2 gap-4">
+                                <div className="space-y-2">
+                                    <label className="text-sm font-medium">
+                                        Destination
+                                    </label>
+                                    <Input
+                                        placeholder="192.168.1.1"
+                                        value={bgDestination}
+                                        onChange={(e) =>
+                                            setBgDestination(e.target.value)
+                                        }
+                                    />
+                                </div>
+                                <div className="space-y-2">
+                                    <label className="text-sm font-medium">
+                                        Port
+                                    </label>
+                                    <Input
+                                        type="number"
+                                        placeholder={
+                                            targetMode === "rdp"
+                                                ? "3389"
+                                                : targetMode === "ssh"
+                                                  ? "22"
+                                                  : "5900"
+                                        }
+                                        value={bgDestinationPort}
+                                        onChange={(e) =>
+                                            setBgDestinationPort(e.target.value)
+                                        }
+                                    />
+                                </div>
+                            </div>
+                            {sites.length > 1 && (
+                                <div className="space-y-2">
+                                    <label className="text-sm font-medium">
+                                        Site
+                                    </label>
+                                    <Select
+                                        value={bgSiteId ? String(bgSiteId) : ""}
+                                        onValueChange={(v) =>
+                                            setBgSiteId(Number(v))
+                                        }
+                                    >
+                                        <SelectTrigger>
+                                            <SelectValue placeholder="Select a site" />
+                                        </SelectTrigger>
+                                        <SelectContent>
+                                            {sites.map((site) => (
+                                                <SelectItem
+                                                    key={site.siteId}
+                                                    value={String(site.siteId)}
+                                                >
+                                                    {site.name}
+                                                </SelectItem>
+                                            ))}
+                                        </SelectContent>
+                                    </Select>
+                                </div>
+                            )}
                         </div>
                     )}
-                    {build === "saas" &&
-                        targets.length > 1 &&
-                        new Set(targets.map((t) => t.siteId)).size > 1 && (
-                            <p className="text-sm text-muted-foreground mt-3">
-                                {t("proxyMultiSiteRoundRobinNodeHelp")}{" "}
-                                <a
-                                    href="https://docs.pangolin.net/manage/resources/public/targets#distributing-sites-load-across-servers"
-                                    target="_blank"
-                                    rel="noopener noreferrer"
-                                    className="text-primary hover:underline inline-flex items-center gap-1"
-                                >
-                                    {t("learnMore")}
-                                    <ExternalLink className="size-3.5 shrink-0" />
-                                </a>
-                                .
-                            </p>
-                        )}
                 </SettingsSectionBody>
 
                 <form className="self-end mt-4" action={formAction}>

src/app/[orgId]/settings/resources/proxy/[niceId]/layout.tsx

@@ -86,8 +86,8 @@ export default async function ResourceLayout(props: ResourceLayoutProps) {
             href: `/{orgId}/settings/resources/proxy/{niceId}/general`
         },
         {
-            title: t("proxy"),
-            href: `/{orgId}/settings/resources/proxy/{niceId}/proxy`
+            title: t(`${resource.browserAccessType}Settings`),
+            href: `/{orgId}/settings/resources/proxy/{niceId}/${resource.browserAccessType}`
         }
     ];
 

src/app/[orgId]/settings/resources/proxy/[niceId]/page.tsx

@@ -10,6 +10,6 @@ export default async function ResourcePage(props: {
 }) {
     const params = await props.params;
     redirect(
-        `/${params.orgId}/settings/resources/proxy/${params.niceId}/proxy`
+        `/${params.orgId}/settings/resources/proxy/${params.niceId}/general`
     );
 }

src/app/[orgId]/settings/resources/proxy/[niceId]/rdp/page.tsx

@@ -0,0 +1,250 @@
+"use client";
+
+import {
+    SettingsContainer,
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+import { BrowserGatewayTargetForm } from "@app/components/BrowserGatewayTargetForm";
+import { type Selectedsite } from "@app/components/site-selector";
+import { Button } from "@app/components/ui/button";
+import { toast } from "@app/hooks/useToast";
+import { useResourceContext } from "@app/hooks/useResourceContext";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { createApiClient } from "@app/lib/api";
+import { formatAxiosError } from "@app/lib/api/formatAxiosError";
+import { useQuery } from "@tanstack/react-query";
+import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { use, useActionState, useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { z } from "zod";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { GetResourceResponse } from "@server/routers/resource";
+import type { ResourceContextType } from "@app/contexts/resourceContext";
+
+type ExistingTarget = {
+    browserGatewayTargetId: number;
+    siteId: number;
+};
+
+const sshFormSchema = z.object({
+    authDaemonPort: z.string().refine(
+        (val) => {
+            if (!val) return true;
+            const n = Number(val);
+            return Number.isInteger(n) && n >= 1 && n <= 65535;
+        },
+        { message: "Port must be between 1 and 65535" }
+    )
+});
+
+export default function SshSettingsPage(props: {
+    params: Promise<{ orgId: string }>;
+}) {
+    const params = use(props.params);
+    const { resource, updateResource } = useResourceContext();
+
+    return (
+        <SettingsContainer>
+            <SshServerForm
+                orgId={params.orgId}
+                resource={resource}
+                updateResource={updateResource}
+            />
+        </SettingsContainer>
+    );
+}
+
+function SshServerForm({
+    orgId,
+    resource,
+    updateResource
+}: {
+    orgId: string;
+    resource: GetResourceResponse;
+    updateResource: ResourceContextType["updateResource"];
+}) {
+    const t = useTranslations();
+    const api = createApiClient(useEnvContext());
+    const router = useRouter();
+
+    // Standard mode: multi-site
+    const [selectedSites, setSelectedSites] = useState<Selectedsite[]>([]);
+    const [bgDestination, setBgDestination] = useState("");
+    const [bgDestinationPort, setBgDestinationPort] = useState("22");
+    const [existingTargets, setExistingTargets] = useState<ExistingTarget[]>(
+        []
+    );
+
+    // Native mode: single site
+    const [selectedNativeSite, setSelectedNativeSite] =
+        useState<Selectedsite | null>(null);
+    const [nativeExistingTarget, setNativeExistingTarget] =
+        useState<ExistingTarget | null>(null);
+
+    const { data: bgTargetsResponse } = useQuery({
+        queryKey: ["browserGatewayTargets", resource.resourceId, orgId],
+        queryFn: async () => {
+            const res = await api.get(
+                `/org/${orgId}/resource/${resource.resourceId}/browser-gateway-targets`
+            );
+            return res.data.data as {
+                targets: Array<{
+                    browserGatewayTargetId: number;
+                    resourceId: number;
+                    siteId: number;
+                    siteName?: string;
+                    type: string;
+                    destination: string;
+                    destinationPort: number;
+                }>;
+            };
+        }
+    });
+
+    useEffect(() => {
+        if (!bgTargetsResponse?.targets?.length) return;
+        const targets = bgTargetsResponse.targets;
+        const first = targets[0];
+
+        setBgDestination(first.destination);
+        setBgDestinationPort(String(first.destinationPort));
+        setExistingTargets(
+            targets.map((t) => ({
+                browserGatewayTargetId: t.browserGatewayTargetId,
+                siteId: t.siteId
+            }))
+        );
+        setSelectedSites(
+            targets.map((t) => ({
+                siteId: t.siteId,
+                name: t.siteName ?? String(t.siteId),
+                type: "newt" as const
+            }))
+        );
+    }, [bgTargetsResponse]);
+
+    const [, formAction, isSubmitting] = useActionState(save, null);
+
+    async function save() {
+        try {
+            if (bgDestination && bgDestinationPort) {
+                const selectedSiteIds = new Set(
+                    selectedSites.map((s) => s.siteId)
+                );
+                const existingSiteIds = new Set(
+                    existingTargets.map((t) => t.siteId)
+                );
+
+                const toDelete = existingTargets.filter(
+                    (t) => !selectedSiteIds.has(t.siteId)
+                );
+                await Promise.all(
+                    toDelete.map((t) =>
+                        api.delete(
+                            `/org/${orgId}/browser-gateway-target/${t.browserGatewayTargetId}`
+                        )
+                    )
+                );
+
+                const toUpdate = existingTargets.filter((t) =>
+                    selectedSiteIds.has(t.siteId)
+                );
+                await Promise.all(
+                    toUpdate.map((t) =>
+                        api.post(
+                            `/org/${orgId}/browser-gateway-target/${t.browserGatewayTargetId}`,
+                            {
+                                type: "rdp",
+                                destination: bgDestination,
+                                destinationPort: Number(bgDestinationPort),
+                                siteId: t.siteId
+                            }
+                        )
+                    )
+                );
+
+                const toCreate = selectedSites.filter(
+                    (s) => !existingSiteIds.has(s.siteId)
+                );
+                const created = await Promise.all(
+                    toCreate.map((s) =>
+                        api.put(
+                            `/org/${orgId}/resource/${resource.resourceId}/browser-gateway-target`,
+                            {
+                                siteId: s.siteId,
+                                type: "rdp",
+                                destination: bgDestination,
+                                destinationPort: Number(bgDestinationPort)
+                            }
+                        )
+                    )
+                );
+
+                const newTargets: ExistingTarget[] = created.map((res, i) => ({
+                    browserGatewayTargetId:
+                        res.data.data.browserGatewayTargetId,
+                    siteId: toCreate[i].siteId
+                }));
+                setExistingTargets([...toUpdate, ...newTargets]);
+            }
+
+            toast({
+                title: t("settingsUpdated"),
+                description: t("settingsUpdatedDescription")
+            });
+            router.refresh();
+        } catch (err) {
+            console.error(err);
+            toast({
+                variant: "destructive",
+                title: t("settingsErrorUpdate"),
+                description: formatAxiosError(
+                    err,
+                    t("settingsErrorUpdateDescription")
+                )
+            });
+        }
+    }
+
+    return (
+        <SettingsSection>
+            <SettingsSectionHeader>
+                <SettingsSectionTitle>{t("rdpServer")}</SettingsSectionTitle>
+                <SettingsSectionDescription>
+                    {t("rdpServerDescription")}
+                </SettingsSectionDescription>
+            </SettingsSectionHeader>
+            <SettingsSectionBody>
+                <SettingsSectionForm variant="half">
+                    <BrowserGatewayTargetForm
+                        orgId={orgId}
+                        multiSite={true}
+                        selectedSites={selectedSites}
+                        onSitesChange={setSelectedSites}
+                        destination={bgDestination}
+                        destinationPort={bgDestinationPort}
+                        onDestinationChange={setBgDestination}
+                        onDestinationPortChange={setBgDestinationPort}
+                        learnMoreHref="https://docs.pangolin.net/manage/resources/public/rdp"
+                        defaultPort={3389}
+                    />
+                </SettingsSectionForm>
+            </SettingsSectionBody>
+            <form action={formAction} className="flex justify-end mt-4">
+                <Button
+                    disabled={isSubmitting}
+                    loading={isSubmitting}
+                    type="submit"
+                >
+                    {t("saveSettings")}
+                </Button>
+            </form>
+        </SettingsSection>
+    );
+}

src/app/[orgId]/settings/resources/proxy/[niceId]/ssh/page.tsx

@@ -0,0 +1,524 @@
+"use client";
+
+import {
+    SettingsContainer,
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+import { StrategySelect, StrategyOption } from "@app/components/StrategySelect";
+import { BrowserGatewayTargetForm } from "@app/components/BrowserGatewayTargetForm";
+import {
+    SitesSelector,
+    type Selectedsite
+} from "@app/components/site-selector";
+import { Button } from "@app/components/ui/button";
+import { Input } from "@app/components/ui/input";
+import {
+    Form,
+    FormControl,
+    FormField,
+    FormItem,
+    FormLabel,
+    FormMessage
+} from "@app/components/ui/form";
+import {
+    Popover,
+    PopoverContent,
+    PopoverTrigger
+} from "@app/components/ui/popover";
+import { ChevronsUpDown, ExternalLink } from "lucide-react";
+import { Badge } from "@app/components/ui/badge";
+import { toast } from "@app/hooks/useToast";
+import { useResourceContext } from "@app/hooks/useResourceContext";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { createApiClient } from "@app/lib/api";
+import { formatAxiosError } from "@app/lib/api/formatAxiosError";
+import { useQuery } from "@tanstack/react-query";
+import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { use, useActionState, useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { z } from "zod";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { GetResourceResponse } from "@server/routers/resource";
+import type { ResourceContextType } from "@app/contexts/resourceContext";
+
+type ExistingTarget = {
+    browserGatewayTargetId: number;
+    siteId: number;
+};
+
+const sshFormSchema = z.object({
+    authDaemonPort: z.string().refine(
+        (val) => {
+            if (!val) return true;
+            const n = Number(val);
+            return Number.isInteger(n) && n >= 1 && n <= 65535;
+        },
+        { message: "Port must be between 1 and 65535" }
+    )
+});
+
+export default function SshSettingsPage(props: {
+    params: Promise<{ orgId: string }>;
+}) {
+    const params = use(props.params);
+    const { resource, updateResource } = useResourceContext();
+
+    return (
+        <SettingsContainer>
+            <SshServerForm
+                orgId={params.orgId}
+                resource={resource}
+                updateResource={updateResource}
+            />
+        </SettingsContainer>
+    );
+}
+
+function SshServerForm({
+    orgId,
+    resource,
+    updateResource
+}: {
+    orgId: string;
+    resource: GetResourceResponse;
+    updateResource: ResourceContextType["updateResource"];
+}) {
+    const t = useTranslations();
+    const api = createApiClient(useEnvContext());
+    const router = useRouter();
+
+    const isNativeInitially = resource.authDaemonMode === "native";
+
+    const [sshServerMode, setSshServerMode] = useState<"standard" | "native">(
+        isNativeInitially ? "native" : "standard"
+    );
+    const isNative = sshServerMode === "native";
+
+    const [pamMode, setPamMode] = useState<"passthrough" | "push">(
+        (resource.pamMode as "passthrough" | "push") || "passthrough"
+    );
+
+    const [standardDaemonLocation, setStandardDaemonLocation] = useState<
+        "site" | "remote"
+    >(
+        isNativeInitially
+            ? "site"
+            : (resource.authDaemonMode as "site" | "remote") || "site"
+    );
+
+    const form = useForm({
+        resolver: zodResolver(sshFormSchema),
+        defaultValues: {
+            authDaemonPort: (resource as any).authDaemonPort
+                ? String((resource as any).authDaemonPort)
+                : "22123"
+        }
+    });
+
+    // Standard mode: multi-site
+    const [selectedSites, setSelectedSites] = useState<Selectedsite[]>([]);
+    const [selectedSite, setSelectedSite] = useState<Selectedsite | null>(null);
+    const [bgDestination, setBgDestination] = useState("");
+    const [bgDestinationPort, setBgDestinationPort] = useState("22");
+    const [existingTargets, setExistingTargets] = useState<ExistingTarget[]>(
+        []
+    );
+
+    // Native mode: single site
+    const [selectedNativeSite, setSelectedNativeSite] =
+        useState<Selectedsite | null>(null);
+    const [nativeExistingTarget, setNativeExistingTarget] =
+        useState<ExistingTarget | null>(null);
+    const [nativeSiteOpen, setNativeSiteOpen] = useState(false);
+
+    const { data: bgTargetsResponse } = useQuery({
+        queryKey: ["browserGatewayTargets", resource.resourceId, orgId],
+        queryFn: async () => {
+            const res = await api.get(
+                `/org/${orgId}/resource/${resource.resourceId}/browser-gateway-targets`
+            );
+            return res.data.data as {
+                targets: Array<{
+                    browserGatewayTargetId: number;
+                    resourceId: number;
+                    siteId: number;
+                    siteName?: string;
+                    type: string;
+                    destination: string;
+                    destinationPort: number;
+                }>;
+            };
+        }
+    });
+
+    useEffect(() => {
+        if (!bgTargetsResponse?.targets?.length) return;
+        const targets = bgTargetsResponse.targets;
+        const first = targets[0];
+        if (isNativeInitially) {
+            setSelectedNativeSite({
+                siteId: first.siteId,
+                name: first.siteName ?? String(first.siteId),
+                type: "newt" as const
+            });
+            setNativeExistingTarget({
+                browserGatewayTargetId: first.browserGatewayTargetId,
+                siteId: first.siteId
+            });
+        } else {
+            setBgDestination(first.destination);
+            setBgDestinationPort(String(first.destinationPort));
+            setExistingTargets(
+                targets.map((t) => ({
+                    browserGatewayTargetId: t.browserGatewayTargetId,
+                    siteId: t.siteId
+                }))
+            );
+            setSelectedSites(
+                targets.map((t) => ({
+                    siteId: t.siteId,
+                    name: t.siteName ?? String(t.siteId),
+                    type: "newt" as const
+                }))
+            );
+        }
+    }, [bgTargetsResponse]);
+
+    const [, formAction, isSubmitting] = useActionState(save, null);
+
+    async function save() {
+        const isValid = await form.trigger();
+        if (!isValid) return;
+
+        const effectiveMode = isNative ? "native" : standardDaemonLocation;
+        const portVal = form.getValues().authDaemonPort;
+        const effectivePort =
+            !isNative && standardDaemonLocation === "remote" && portVal
+                ? Number(portVal)
+                : null;
+
+        try {
+            await api.post(`/resource/${resource.resourceId}`, {
+                pamMode,
+                authDaemonMode: effectiveMode,
+                authDaemonPort: effectivePort
+            });
+
+            updateResource({
+                ...resource,
+                pamMode,
+                authDaemonMode: effectiveMode
+            });
+
+            if (isNative) {
+                if (selectedNativeSite) {
+                    if (nativeExistingTarget) {
+                        await api.post(
+                            `/org/${orgId}/browser-gateway-target/${nativeExistingTarget.browserGatewayTargetId}`,
+                            {
+                                type: "ssh",
+                                destination: "localhost",
+                                destinationPort: 22,
+                                siteId: selectedNativeSite.siteId
+                            }
+                        );
+                    } else {
+                        const res = await api.put(
+                            `/org/${orgId}/resource/${resource.resourceId}/browser-gateway-target`,
+                            {
+                                siteId: selectedNativeSite.siteId,
+                                type: "ssh",
+                                destination: "localhost",
+                                destinationPort: 22
+                            }
+                        );
+                        setNativeExistingTarget({
+                            browserGatewayTargetId:
+                                res.data.data.browserGatewayTargetId,
+                            siteId: selectedNativeSite.siteId
+                        });
+                    }
+                }
+            } else {
+                if (bgDestination && bgDestinationPort) {
+                    const selectedSiteIds = new Set(
+                        selectedSites.map((s) => s.siteId)
+                    );
+                    const existingSiteIds = new Set(
+                        existingTargets.map((t) => t.siteId)
+                    );
+
+                    const toDelete = existingTargets.filter(
+                        (t) => !selectedSiteIds.has(t.siteId)
+                    );
+                    await Promise.all(
+                        toDelete.map((t) =>
+                            api.delete(
+                                `/org/${orgId}/browser-gateway-target/${t.browserGatewayTargetId}`
+                            )
+                        )
+                    );
+
+                    const toUpdate = existingTargets.filter((t) =>
+                        selectedSiteIds.has(t.siteId)
+                    );
+                    await Promise.all(
+                        toUpdate.map((t) =>
+                            api.post(
+                                `/org/${orgId}/browser-gateway-target/${t.browserGatewayTargetId}`,
+                                {
+                                    type: "ssh",
+                                    destination: bgDestination,
+                                    destinationPort: Number(bgDestinationPort),
+                                    siteId: t.siteId
+                                }
+                            )
+                        )
+                    );
+
+                    const toCreate = selectedSites.filter(
+                        (s) => !existingSiteIds.has(s.siteId)
+                    );
+                    const created = await Promise.all(
+                        toCreate.map((s) =>
+                            api.put(
+                                `/org/${orgId}/resource/${resource.resourceId}/browser-gateway-target`,
+                                {
+                                    siteId: s.siteId,
+                                    type: "ssh",
+                                    destination: bgDestination,
+                                    destinationPort: Number(bgDestinationPort)
+                                }
+                            )
+                        )
+                    );
+
+                    const newTargets: ExistingTarget[] = created.map(
+                        (res, i) => ({
+                            browserGatewayTargetId:
+                                res.data.data.browserGatewayTargetId,
+                            siteId: toCreate[i].siteId
+                        })
+                    );
+                    setExistingTargets([...toUpdate, ...newTargets]);
+                }
+            }
+
+            toast({
+                title: t("settingsUpdated"),
+                description: t("settingsUpdatedDescription")
+            });
+            router.refresh();
+        } catch (err) {
+            console.error(err);
+            toast({
+                variant: "destructive",
+                title: t("settingsErrorUpdate"),
+                description: formatAxiosError(
+                    err,
+                    t("settingsErrorUpdateDescription")
+                )
+            });
+        }
+    }
+
+    const authMethodOptions: StrategyOption<"passthrough" | "push">[] = [
+        {
+            id: "passthrough",
+            title: t("sshAuthMethodManual"),
+            description: t("sshAuthMethodManualDescription")
+        },
+        {
+            id: "push",
+            title: t("sshAuthMethodAutomated"),
+            description: t("sshAuthMethodAutomatedDescription")
+        }
+    ];
+
+    const daemonLocationOptions: StrategyOption<"site" | "remote">[] = [
+        {
+            id: "site",
+            title: t("internalResourceAuthDaemonSite"),
+            description: t("sshDaemonLocationSiteDescription")
+        },
+        {
+            id: "remote",
+            title: t("sshDaemonLocationRemote"),
+            description: t("sshDaemonLocationRemoteDescription")
+        }
+    ];
+
+    const showDaemonLocation = !isNative && pamMode === "push";
+    const showDaemonPort =
+        !isNative && pamMode === "push" && standardDaemonLocation === "remote";
+
+    return (
+        <SettingsSection>
+            <SettingsSectionHeader>
+                <SettingsSectionTitle>{t("sshServer")}</SettingsSectionTitle>
+                <SettingsSectionDescription>
+                    {t("sshServerDescription")}
+                </SettingsSectionDescription>
+            </SettingsSectionHeader>
+            <SettingsSectionBody>
+                <SettingsSectionForm variant="half">
+                    <div className="space-y-3">
+                        <p className="text-sm font-semibold">
+                            {t("sshServerMode")}
+                        </p>
+                        <Badge variant="secondary">
+                            {sshServerMode == "standard"
+                                ? t("sshServerModeStandard")
+                                : t("sshServerModePangolin")}
+                        </Badge>
+                    </div>
+
+                    <div className="space-y-3">
+                        <p className="text-sm font-semibold">
+                            {t("sshAuthenticationMethod")}
+                        </p>
+                        <StrategySelect<"passthrough" | "push">
+                            value={pamMode}
+                            options={authMethodOptions}
+                            onChange={setPamMode}
+                            cols={2}
+                        />
+                    </div>
+
+                    {showDaemonLocation && (
+                        <div className="space-y-3">
+                            <p className="text-sm font-semibold">
+                                {t("sshAuthDaemonLocation")}
+                            </p>
+                            <StrategySelect<"site" | "remote">
+                                value={standardDaemonLocation}
+                                options={daemonLocationOptions}
+                                onChange={setStandardDaemonLocation}
+                                cols={2}
+                            />
+                            <p className="text-sm text-muted-foreground">
+                                {t("sshDaemonDisclaimer")}{" "}
+                                <a
+                                    href="https://docs.pangolin.net/manage/resources/public/ssh"
+                                    target="_blank"
+                                    rel="noopener noreferrer"
+                                    className="text-primary hover:underline inline-flex items-center gap-1"
+                                >
+                                    {t("learnMore")}
+                                    <ExternalLink className="size-3.5 shrink-0" />
+                                </a>
+                            </p>
+                        </div>
+                    )}
+
+                    {showDaemonPort && (
+                        <Form {...form}>
+                            <FormField
+                                control={form.control}
+                                name="authDaemonPort"
+                                render={({ field }) => (
+                                    <FormItem>
+                                        <FormLabel>
+                                            {t("sshDaemonPort")}
+                                        </FormLabel>
+                                        <FormControl>
+                                            <Input
+                                                type="number"
+                                                min={1}
+                                                max={65535}
+                                                {...field}
+                                            />
+                                        </FormControl>
+                                        <FormMessage />
+                                    </FormItem>
+                                )}
+                            />
+                        </Form>
+                    )}
+
+                    <div className="space-y-3">
+                        <div>
+                            <h2 className="text-1xl font-semibold tracking-tight flex items-center gap-2">
+                                {t("sshServerDestination")}
+                            </h2>
+                            <p className="text-sm text-muted-foreground">
+                                {t("sshServerDestinationDescription")}
+                            </p>
+                        </div>
+                        {isNative ? (
+                            <Popover
+                                open={nativeSiteOpen}
+                                onOpenChange={setNativeSiteOpen}
+                            >
+                                <PopoverTrigger asChild>
+                                    <Button
+                                        variant="outline"
+                                        role="combobox"
+                                        className="w-full max-w-xs justify-between font-normal"
+                                    >
+                                        <span className="truncate">
+                                            {selectedNativeSite?.name ??
+                                                t("siteSelect")}
+                                        </span>
+                                        <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
+                                    </Button>
+                                </PopoverTrigger>
+                                <PopoverContent className="w-[var(--radix-popover-trigger-width)] p-0">
+                                    <SitesSelector
+                                        orgId={orgId}
+                                        selectedSite={selectedNativeSite}
+                                        onSelectSite={(site) => {
+                                            setSelectedNativeSite(site);
+                                            setNativeSiteOpen(false);
+                                        }}
+                                    />
+                                </PopoverContent>
+                            </Popover>
+                        ) : standardDaemonLocation !== "site" ? (
+                            <BrowserGatewayTargetForm
+                                orgId={orgId}
+                                multiSite={true}
+                                selectedSites={selectedSites}
+                                onSitesChange={setSelectedSites}
+                                destination={bgDestination}
+                                destinationPort={bgDestinationPort}
+                                onDestinationChange={setBgDestination}
+                                onDestinationPortChange={setBgDestinationPort}
+                                learnMoreHref="https://docs.pangolin.net/manage/resources/public/ssh"
+                                defaultPort={22}
+                            />
+                        ) : (
+                            <BrowserGatewayTargetForm
+                                orgId={orgId}
+                                multiSite={false}
+                                selectedSite={selectedSite}
+                                onSiteChange={setSelectedSite}
+                                destination={bgDestination}
+                                destinationPort={bgDestinationPort}
+                                onDestinationChange={setBgDestination}
+                                onDestinationPortChange={setBgDestinationPort}
+                                learnMoreHref="https://docs.pangolin.net/manage/resources/public/ssh"
+                                defaultPort={22}
+                            />
+                        )}
+                    </div>
+                </SettingsSectionForm>
+            </SettingsSectionBody>
+            <form action={formAction} className="flex justify-end mt-4">
+                <Button
+                    disabled={isSubmitting}
+                    loading={isSubmitting}
+                    type="submit"
+                >
+                    {t("saveSettings")}
+                </Button>
+            </form>
+        </SettingsSection>
+    );
+}

src/app/[orgId]/settings/resources/proxy/[niceId]/vnc/page.tsx

@@ -0,0 +1,248 @@
+"use client";
+
+import {
+    SettingsContainer,
+    SettingsSection,
+    SettingsSectionBody,
+    SettingsSectionDescription,
+    SettingsSectionForm,
+    SettingsSectionHeader,
+    SettingsSectionTitle
+} from "@app/components/Settings";
+import { BrowserGatewayTargetForm } from "@app/components/BrowserGatewayTargetForm";
+import { type Selectedsite } from "@app/components/site-selector";
+import { Button } from "@app/components/ui/button";
+import { toast } from "@app/hooks/useToast";
+import { useResourceContext } from "@app/hooks/useResourceContext";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { createApiClient } from "@app/lib/api";
+import { formatAxiosError } from "@app/lib/api/formatAxiosError";
+import { useQuery } from "@tanstack/react-query";
+import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { use, useActionState, useEffect, useState } from "react";
+import { z } from "zod";
+import { GetResourceResponse } from "@server/routers/resource";
+import type { ResourceContextType } from "@app/contexts/resourceContext";
+
+type ExistingTarget = {
+    browserGatewayTargetId: number;
+    siteId: number;
+};
+
+const sshFormSchema = z.object({
+    authDaemonPort: z.string().refine(
+        (val) => {
+            if (!val) return true;
+            const n = Number(val);
+            return Number.isInteger(n) && n >= 1 && n <= 65535;
+        },
+        { message: "Port must be between 1 and 65535" }
+    )
+});
+
+export default function SshSettingsPage(props: {
+    params: Promise<{ orgId: string }>;
+}) {
+    const params = use(props.params);
+    const { resource, updateResource } = useResourceContext();
+
+    return (
+        <SettingsContainer>
+            <SshServerForm
+                orgId={params.orgId}
+                resource={resource}
+                updateResource={updateResource}
+            />
+        </SettingsContainer>
+    );
+}
+
+function SshServerForm({
+    orgId,
+    resource,
+    updateResource
+}: {
+    orgId: string;
+    resource: GetResourceResponse;
+    updateResource: ResourceContextType["updateResource"];
+}) {
+    const t = useTranslations();
+    const api = createApiClient(useEnvContext());
+    const router = useRouter();
+
+    // Standard mode: multi-site
+    const [selectedSites, setSelectedSites] = useState<Selectedsite[]>([]);
+    const [bgDestination, setBgDestination] = useState("");
+    const [bgDestinationPort, setBgDestinationPort] = useState("22");
+    const [existingTargets, setExistingTargets] = useState<ExistingTarget[]>(
+        []
+    );
+
+    // Native mode: single site
+    const [selectedNativeSite, setSelectedNativeSite] =
+        useState<Selectedsite | null>(null);
+    const [nativeExistingTarget, setNativeExistingTarget] =
+        useState<ExistingTarget | null>(null);
+
+    const { data: bgTargetsResponse } = useQuery({
+        queryKey: ["browserGatewayTargets", resource.resourceId, orgId],
+        queryFn: async () => {
+            const res = await api.get(
+                `/org/${orgId}/resource/${resource.resourceId}/browser-gateway-targets`
+            );
+            return res.data.data as {
+                targets: Array<{
+                    browserGatewayTargetId: number;
+                    resourceId: number;
+                    siteId: number;
+                    siteName?: string;
+                    type: string;
+                    destination: string;
+                    destinationPort: number;
+                }>;
+            };
+        }
+    });
+
+    useEffect(() => {
+        if (!bgTargetsResponse?.targets?.length) return;
+        const targets = bgTargetsResponse.targets;
+        const first = targets[0];
+
+        setBgDestination(first.destination);
+        setBgDestinationPort(String(first.destinationPort));
+        setExistingTargets(
+            targets.map((t) => ({
+                browserGatewayTargetId: t.browserGatewayTargetId,
+                siteId: t.siteId
+            }))
+        );
+        setSelectedSites(
+            targets.map((t) => ({
+                siteId: t.siteId,
+                name: t.siteName ?? String(t.siteId),
+                type: "newt" as const
+            }))
+        );
+    }, [bgTargetsResponse]);
+
+    const [, formAction, isSubmitting] = useActionState(save, null);
+
+    async function save() {
+        try {
+            if (bgDestination && bgDestinationPort) {
+                const selectedSiteIds = new Set(
+                    selectedSites.map((s) => s.siteId)
+                );
+                const existingSiteIds = new Set(
+                    existingTargets.map((t) => t.siteId)
+                );
+
+                const toDelete = existingTargets.filter(
+                    (t) => !selectedSiteIds.has(t.siteId)
+                );
+                await Promise.all(
+                    toDelete.map((t) =>
+                        api.delete(
+                            `/org/${orgId}/browser-gateway-target/${t.browserGatewayTargetId}`
+                        )
+                    )
+                );
+
+                const toUpdate = existingTargets.filter((t) =>
+                    selectedSiteIds.has(t.siteId)
+                );
+                await Promise.all(
+                    toUpdate.map((t) =>
+                        api.post(
+                            `/org/${orgId}/browser-gateway-target/${t.browserGatewayTargetId}`,
+                            {
+                                type: "vnc",
+                                destination: bgDestination,
+                                destinationPort: Number(bgDestinationPort),
+                                siteId: t.siteId
+                            }
+                        )
+                    )
+                );
+
+                const toCreate = selectedSites.filter(
+                    (s) => !existingSiteIds.has(s.siteId)
+                );
+                const created = await Promise.all(
+                    toCreate.map((s) =>
+                        api.put(
+                            `/org/${orgId}/resource/${resource.resourceId}/browser-gateway-target`,
+                            {
+                                siteId: s.siteId,
+                                type: "vnc",
+                                destination: bgDestination,
+                                destinationPort: Number(bgDestinationPort)
+                            }
+                        )
+                    )
+                );
+
+                const newTargets: ExistingTarget[] = created.map((res, i) => ({
+                    browserGatewayTargetId:
+                        res.data.data.browserGatewayTargetId,
+                    siteId: toCreate[i].siteId
+                }));
+                setExistingTargets([...toUpdate, ...newTargets]);
+            }
+
+            toast({
+                title: t("settingsUpdated"),
+                description: t("settingsUpdatedDescription")
+            });
+            router.refresh();
+        } catch (err) {
+            console.error(err);
+            toast({
+                variant: "destructive",
+                title: t("settingsErrorUpdate"),
+                description: formatAxiosError(
+                    err,
+                    t("settingsErrorUpdateDescription")
+                )
+            });
+        }
+    }
+
+    return (
+        <SettingsSection>
+            <SettingsSectionHeader>
+                <SettingsSectionTitle>{t("vncServer")}</SettingsSectionTitle>
+                <SettingsSectionDescription>
+                    {t("vncServerDescription")}
+                </SettingsSectionDescription>
+            </SettingsSectionHeader>
+            <SettingsSectionBody>
+                <SettingsSectionForm variant="half">
+                    <BrowserGatewayTargetForm
+                        orgId={orgId}
+                        multiSite={true}
+                        selectedSites={selectedSites}
+                        onSitesChange={setSelectedSites}
+                        destination={bgDestination}
+                        destinationPort={bgDestinationPort}
+                        onDestinationChange={setBgDestination}
+                        onDestinationPortChange={setBgDestinationPort}
+                        learnMoreHref="https://docs.pangolin.net/manage/resources/public/vnc"
+                        defaultPort={5900}
+                    />
+                </SettingsSectionForm>
+            </SettingsSectionBody>
+            <form action={formAction} className="flex justify-end mt-4">
+                <Button
+                    disabled={isSubmitting}
+                    loading={isSubmitting}
+                    type="submit"
+                >
+                    {t("saveSettings")}
+                </Button>
+            </form>
+        </SettingsSection>
+    );
+}

src/app/[orgId]/settings/resources/proxy/create/page.tsx

@@ -713,7 +713,7 @@ export default function Page() {
                     }
                 };
 
-                   return (
+                return (
                     <div className="flex items-center justify-center w-full">
                         {row.original.siteType === "newt" ? (
                             <Button
@@ -732,7 +732,6 @@ export default function Page() {
                                     {getStatusText(status)}
                                 </div>
                             </Button>
-
                         ) : (
                             <span>-</span>
                         )}
@@ -1427,10 +1426,12 @@ export default function Page() {
                                     )}
                                     {build === "saas" &&
                                         targets.length > 1 &&
-                                        new Set(targets.map((t) => t.siteId)).size >
-                                            1 && (
+                                        new Set(targets.map((t) => t.siteId))
+                                            .size > 1 && (
                                             <p className="text-sm text-muted-foreground mt-3">
-                                                {t("proxyMultiSiteRoundRobinNodeHelp")}{" "}
+                                                {t(
+                                                    "proxyMultiSiteRoundRobinNodeHelp"
+                                                )}{" "}
                                                 <a
                                                     href="https://docs.pangolin.net/manage/resources/public/targets#distributing-sites-load-across-servers"
                                                     target="_blank"
@@ -1627,7 +1628,7 @@ export default function Page() {
                                     type="button"
                                     onClick={() =>
                                         router.push(
-                                            `/${orgId}/settings/resources/proxy/${niceId}/proxy`
+                                            `/${orgId}/settings/resources/proxy/${niceId}`
                                         )
                                     }
                                 >

src/app/[orgId]/settings/resources/proxy/page.tsx

@@ -126,6 +126,7 @@ export default async function ProxyResourcesPage(
             fullDomain: resource.fullDomain ?? null,
             ssl: resource.ssl,
             wildcard: resource.wildcard,
+            browserAccessType: resource.browserAccessType,
             targets: resource.targets?.map((target) => ({
                 targetId: target.targetId,
                 ip: target.ip,

src/app/rdp/RdpClient.tsx

@@ -0,0 +1,522 @@
+"use client";
+
+import { useEffect, useRef, useState } from "react";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { toast } from "@app/hooks/useToast";
+import type {
+    UserInteraction,
+    IronError,
+    FileTransferProvider
+} from "@devolutions/iron-remote-desktop/dist";
+import type {
+    RdpFileTransferProvider,
+    FileInfo
+} from "@devolutions/iron-remote-desktop-rdp/dist";
+import { GetBrowserTargetResponse } from "@server/routers/resource";
+
+declare module "react" {
+    namespace JSX {
+        interface IntrinsicElements {
+            "iron-remote-desktop": React.DetailedHTMLProps<
+                React.HTMLAttributes<HTMLElement> & {
+                    scale?: string;
+                    verbose?: string;
+                    flexcenter?: string;
+                    module?: unknown;
+                },
+                HTMLElement
+            >;
+        }
+    }
+}
+
+type FormState = {
+    username: string;
+    password: string;
+    domain: string;
+    kdcProxyUrl: string;
+    pcb: string;
+    enableClipboard: boolean;
+};
+
+const isIronError = (error: unknown): error is IronError => {
+    return (
+        typeof error === "object" &&
+        error !== null &&
+        typeof (error as IronError).backtrace === "function" &&
+        typeof (error as IronError).kind === "function"
+    );
+};
+
+export default function RdpClient({
+    target,
+    error
+}: {
+    target: GetBrowserTargetResponse | null;
+    error: string | null;
+}) {
+    const STORAGE_KEY = "pangolin_rdp_credentials";
+
+    const [form, setForm] = useState<FormState>(() => {
+        try {
+            const saved = localStorage.getItem(STORAGE_KEY);
+            if (saved) return JSON.parse(saved) as FormState;
+        } catch {
+            // ignore
+        }
+        return {
+            username: "",
+            password: "",
+            domain: "",
+            kdcProxyUrl: "",
+            pcb: "",
+            enableClipboard: true
+        };
+    });
+
+    const [showLogin, setShowLogin] = useState(true);
+    const [moduleReady, setModuleReady] = useState(false);
+    const [connecting, setConnecting] = useState(false);
+    const [unicodeMode, setUnicodeMode] = useState(false);
+    const [cursorOverrideActive, setCursorOverrideActive] = useState(false);
+
+    const userInteractionRef = useRef<UserInteraction | null>(null);
+    const backendRef = useRef<unknown>(null);
+    // Holds the RdpFileTransferProvider constructor so we can create a fresh
+    // instance per session (avoids stale upload state across reconnects).
+    const fileTransferClassRef = useRef<typeof RdpFileTransferProvider | null>(
+        null
+    );
+    // Active session's provider instance; replaced on each connect.
+    const fileTransferRef = useRef<RdpFileTransferProvider | null>(null);
+    const extensionsRef = useRef<{
+        displayControl: (enable: boolean) => unknown;
+        preConnectionBlob: (pcb: string) => unknown;
+        kdcProxyUrl: (url: string) => unknown;
+    } | null>(null);
+
+    // Load the iron-remote-desktop modules client-side and register the
+    // `<iron-remote-desktop>` custom element.
+    useEffect(() => {
+        let cancelled = false;
+        (async () => {
+            const [coreMod, rdpMod] = await Promise.all([
+                import("@devolutions/iron-remote-desktop/dist"),
+                import("@devolutions/iron-remote-desktop-rdp/dist")
+            ]);
+            if (cancelled) return;
+
+            await rdpMod.init("INFO");
+
+            backendRef.current = rdpMod.Backend;
+            extensionsRef.current = {
+                displayControl: rdpMod.displayControl,
+                preConnectionBlob: rdpMod.preConnectionBlob,
+                kdcProxyUrl: rdpMod.kdcProxyUrl
+            };
+
+            // Store the class; a fresh instance is created per session.
+            fileTransferClassRef.current =
+                rdpMod.RdpFileTransferProvider as unknown as typeof RdpFileTransferProvider;
+
+            // Importing the package registers the custom element as a side
+            // effect. Touch the default export to avoid tree-shaking.
+            void coreMod;
+
+            setModuleReady(true);
+        })().catch((err) => {
+            console.error("Failed to load iron-remote-desktop modules", err);
+            toast({
+                variant: "destructive",
+                title: "Failed to load RDP module",
+                description: `${err}`
+            });
+        });
+
+        return () => {
+            cancelled = true;
+        };
+    }, []);
+
+    // Attach the "ready" listener synchronously the moment the custom
+    // element mounts. The custom element dispatches `ready` from its own
+    // `onMount`, so a deferred useEffect can race and miss it.
+    const remoteElementRef = (el: HTMLElement | null) => {
+        if (!el) return;
+        const onReady = (e: Event) => {
+            const event = e as CustomEvent;
+            userInteractionRef.current = event.detail.irgUserInteraction;
+        };
+        el.addEventListener("ready", onReady);
+    };
+
+    const update = <K extends keyof FormState>(key: K, value: FormState[K]) => {
+        setForm((prev) => ({ ...prev, [key]: value }));
+    };
+
+    const startSession = async () => {
+        setConnecting(true);
+        const userInteraction = userInteractionRef.current;
+        const exts = extensionsRef.current;
+        if (!userInteraction || !exts) {
+            setConnecting(false);
+            toast({
+                variant: "destructive",
+                title: "Not ready",
+                description: "RDP module is still initializing"
+            });
+            return;
+        }
+
+        userInteraction.setEnableClipboard(form.enableClipboard);
+
+        // Dispose any previous session's provider and create a fresh one so
+        // there is no stale upload state from a prior connection.
+        fileTransferRef.current?.dispose();
+        const ProviderClass = fileTransferClassRef.current;
+        const fileTransfer = ProviderClass ? new ProviderClass() : null;
+        fileTransferRef.current = fileTransfer;
+
+        if (fileTransfer) {
+            // Auto-download files when the remote copies them to clipboard.
+            fileTransfer.on("files-available", (files: FileInfo[]) => {
+                const downloadable = files.filter((f) => !f.isDirectory);
+                if (downloadable.length === 0) return;
+                toast({
+                    title: `Downloading ${downloadable.length} file(s) from remote…`
+                });
+                for (let i = 0; i < files.length; i++) {
+                    const file = files[i];
+                    if (file.isDirectory) continue;
+                    const { completion } = fileTransfer.downloadFile(file, i);
+                    completion
+                        .then((blob) => {
+                            const url = URL.createObjectURL(blob);
+                            const a = document.createElement("a");
+                            a.href = url;
+                            a.download = file.name;
+                            a.click();
+                            URL.revokeObjectURL(url);
+                        })
+                        .catch((err) => {
+                            toast({
+                                variant: "destructive",
+                                title: `Download failed: ${file.name}`,
+                                description: `${err}`
+                            });
+                        });
+                }
+            });
+
+            // Notify when individual uploads complete (remote pasted a file).
+            fileTransfer.on("upload-complete", (file: File) => {
+                toast({ title: `Uploaded: ${file.name}` });
+            });
+
+            // Register with the web component so CLIPRDR extensions are
+            // wired up before connect() builds the session.
+            userInteraction.enableFileTransfer(
+                fileTransfer as unknown as FileTransferProvider
+            );
+        }
+
+        if (!target) {
+            setConnecting(false);
+            toast({
+                variant: "destructive",
+                title: "No target",
+                description: "No connection target available"
+            });
+            return;
+        }
+
+        const destination = `${target.ip}:${target.port}`;
+
+        const builder = userInteraction
+            .configBuilder()
+            .withUsername(form.username)
+            .withPassword(form.password)
+            .withDestination(destination)
+            .withProxyAddress(
+                `${window.location.protocol === "https:" ? "wss" : "ws"}://${window.location.host}/gateway/rdp`
+            )
+            .withServerDomain(form.domain)
+            .withAuthToken(target.authToken)
+            .withDesktopSize({
+                width: window.innerWidth,
+                height: window.innerHeight
+            })
+            .withExtension(exts.displayControl(true));
+
+        if (form.pcb !== "") {
+            builder.withExtension(exts.preConnectionBlob(form.pcb));
+        }
+        if (form.kdcProxyUrl !== "") {
+            builder.withExtension(exts.kdcProxyUrl(form.kdcProxyUrl));
+        }
+
+        try {
+            const sessionInfo = await userInteraction.connect(builder.build());
+
+            try {
+                localStorage.setItem(STORAGE_KEY, JSON.stringify(form));
+            } catch {
+                // ignore
+            }
+            setConnecting(false);
+            setShowLogin(false);
+            userInteraction.setVisibility(true);
+
+            const termInfo = await sessionInfo.run();
+            fileTransferRef.current?.dispose();
+            fileTransferRef.current = null;
+            setShowLogin(true);
+        } catch (err) {
+            setConnecting(false);
+            setShowLogin(true);
+            if (isIronError(err)) {
+                toast({
+                    variant: "destructive",
+                    title: "Connection failed",
+                    description: err.backtrace()
+                });
+            } else {
+                toast({
+                    variant: "destructive",
+                    title: "Connection failed",
+                    description: `${err}`
+                });
+            }
+        }
+    };
+
+    const ui = () => userInteractionRef.current;
+
+    const toggleCursorKind = () => {
+        const u = ui();
+        if (!u) return;
+        if (cursorOverrideActive) {
+            u.setCursorStyleOverride(null);
+        } else {
+            u.setCursorStyleOverride('url("crosshair.png") 7 7, default');
+        }
+        setCursorOverrideActive((v) => !v);
+    };
+
+    if (error) {
+        return (
+            <div className="min-h-screen bg-background flex items-center justify-center">
+                <p className="text-destructive">{error}</p>
+            </div>
+        );
+    }
+
+    return (
+        <div className="min-h-screen bg-background">
+            {showLogin && (
+                <div className="mx-auto max-w-2xl p-6">
+                    <h1 className="mb-4 text-2xl font-semibold">RDP</h1>
+
+                    <div className="space-y-4">
+                        <Field label="Domain" id="domain">
+                            <Input
+                                id="domain"
+                                value={form.domain}
+                                onChange={(e) =>
+                                    update("domain", e.target.value)
+                                }
+                            />
+                        </Field>
+                        <Field label="Username" id="username">
+                            <Input
+                                id="username"
+                                value={form.username}
+                                onChange={(e) =>
+                                    update("username", e.target.value)
+                                }
+                            />
+                        </Field>
+                        <Field label="Password" id="password">
+                            <Input
+                                id="password"
+                                type="password"
+                                value={form.password}
+                                onChange={(e) =>
+                                    update("password", e.target.value)
+                                }
+                            />
+                        </Field>
+                        {/* 
+                        <Field label="Pre Connection Blob (optional)" id="pcb">
+                            <Input
+                                id="pcb"
+                                value={form.pcb}
+                                onChange={(e) => update("pcb", e.target.value)}
+                            />
+                        </Field> */}
+
+                        {/* <Field
+                            label="KDC Proxy URL (optional)"
+                            id="kdcProxyUrl"
+                        >
+                            <Input
+                                id="kdcProxyUrl"
+                                value={form.kdcProxyUrl}
+                                onChange={(e) =>
+                                    update("kdcProxyUrl", e.target.value)
+                                }
+                            />
+                        </Field> */}
+                        {/* <div className="flex items-center gap-2">
+                            <Checkbox
+                                id="enable_clipboard"
+                                checked={form.enableClipboard}
+                                onCheckedChange={(checked) =>
+                                    update("enableClipboard", checked === true)
+                                }
+                            />
+                            <Label htmlFor="enable_clipboard">
+                                Enable Clipboard
+                            </Label>
+                        </div> */}
+                        <Button
+                            onClick={startSession}
+                            disabled={!moduleReady}
+                            loading={connecting}
+                            className="w-full"
+                        >
+                            {moduleReady ? "Connect" : "Loading module..."}
+                        </Button>
+                    </div>
+                </div>
+            )}
+
+            <div
+                className="flex h-screen flex-col bg-neutral-900"
+                style={{ display: showLogin ? "none" : "flex" }}
+            >
+                <div className="flex flex-wrap items-center gap-2 bg-black p-2 text-white">
+                    <Button
+                        size="sm"
+                        variant="secondary"
+                        onClick={() => ui()?.setScale(1)}
+                    >
+                        Fit
+                    </Button>
+                    <Button
+                        size="sm"
+                        variant="secondary"
+                        onClick={() => ui()?.setScale(2)}
+                    >
+                        Full
+                    </Button>
+                    <Button
+                        size="sm"
+                        variant="secondary"
+                        onClick={() => ui()?.setScale(3)}
+                    >
+                        Real
+                    </Button>
+                    <Button
+                        size="sm"
+                        variant="secondary"
+                        onClick={() => ui()?.ctrlAltDel()}
+                    >
+                        Ctrl+Alt+Del
+                    </Button>
+                    <Button
+                        size="sm"
+                        variant="secondary"
+                        onClick={() => ui()?.metaKey()}
+                    >
+                        Meta
+                    </Button>
+                    {/* <Button
+                        size="sm"
+                        variant="secondary"
+                        onClick={toggleCursorKind}
+                    >
+                        Toggle cursor
+                    </Button> */}
+                    <Button
+                        size="sm"
+                        variant="secondary"
+                        onClick={async () => {
+                            const ft = fileTransferRef.current;
+                            if (!ft) return;
+                            const files = await ft.showFilePicker({
+                                multiple: true
+                            });
+                            if (files.length === 0) return;
+                            try {
+                                ft.uploadFiles(files);
+                                toast({
+                                    title: "Files ready to paste",
+                                    description: `${files.length} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.`
+                                });
+                            } catch (err) {
+                                toast({
+                                    variant: "destructive",
+                                    title: "Upload failed",
+                                    description: `${err}`
+                                });
+                            }
+                        }}
+                    >
+                        Upload files
+                    </Button>
+                    <Button
+                        size="sm"
+                        variant="destructive"
+                        onClick={() => {
+                            ui()?.shutdown();
+                            setShowLogin(true);
+                        }}
+                    >
+                        Terminate
+                    </Button>
+                    <label className="ml-2 flex items-center gap-2">
+                        <input
+                            type="checkbox"
+                            checked={unicodeMode}
+                            onChange={(e) => {
+                                setUnicodeMode(e.target.checked);
+                                ui()?.setKeyboardUnicodeMode(e.target.checked);
+                            }}
+                        />
+                        Unicode keyboard mode
+                    </label>
+                </div>
+
+                {moduleReady && (
+                    <iron-remote-desktop
+                        ref={remoteElementRef}
+                        verbose="true"
+                        scale="fit"
+                        flexcenter="true"
+                        module={backendRef.current}
+                    />
+                )}
+            </div>
+        </div>
+    );
+}
+
+function Field({
+    label,
+    id,
+    children
+}: {
+    label: string;
+    id: string;
+    children: React.ReactNode;
+}) {
+    return (
+        <div className="space-y-1.5">
+            <Label htmlFor={id}>{label}</Label>
+            {children}
+        </div>
+    );
+}

src/app/rdp/page.tsx

@@ -0,0 +1,33 @@
+import { headers } from "next/headers";
+import { priv } from "@app/lib/api";
+import { AxiosResponse } from "axios";
+import { GetBrowserTargetResponse } from "@server/routers/resource";
+import RdpClient from "./RdpClient";
+
+export const dynamic = "force-dynamic";
+
+export const metadata = {
+    title: "RDP"
+};
+
+export default async function RdpPage() {
+    const headersList = await headers();
+    const host = headersList.get("host") || "";
+    const hostname = host.split(":")[0];
+
+    let target: { ip: string; port: number; authToken: string } | null = null;
+    let error: string | null = null;
+
+    try {
+        const res = await priv.get<AxiosResponse<GetBrowserTargetResponse>>(
+            `/resource/browser-target?fullDomain=${encodeURIComponent(hostname)}`
+        );
+        target = res.data.data;
+        console.log("Fetched browser target:", target);
+    } catch (error) {
+        console.error("Error fetching browser target:", error);
+        error = "No resource found for this domain";
+    }
+
+    return <RdpClient target={target} error={error} />;
+}

src/app/ssh/SshClient.tsx

@@ -0,0 +1,453 @@
+"use client";
+
+import "@xterm/xterm/css/xterm.css";
+import { useEffect, useRef, useState } from "react";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { Textarea } from "@/components/ui/textarea";
+import type { SignSshKeyResponse } from "@server/private/routers/ssh";
+import { GetBrowserTargetResponse } from "@server/routers/resource";
+
+type FormState = {
+    username: string;
+    password: string;
+    privateKey: string;
+};
+
+type ConnectCredentials = {
+    username: string;
+    password?: string;
+    privateKey?: string;
+    certificate?: string;
+};
+
+export default function SshClient({
+    target,
+    error,
+    signedKeyData,
+    privateKey: signedPrivateKey
+}: {
+    target: GetBrowserTargetResponse | null;
+    error: string | null;
+    signedKeyData?: SignSshKeyResponse | null;
+    privateKey?: string | null;
+}) {
+    const STORAGE_KEY = "pangolin_ssh_credentials";
+
+    const [form, setForm] = useState<FormState>(() => {
+        try {
+            const saved = localStorage.getItem(STORAGE_KEY);
+            if (saved) return JSON.parse(saved) as FormState;
+        } catch {
+            // ignore
+        }
+        return { username: "", password: "", privateKey: "" };
+    });
+
+    const fileInputRef = useRef<HTMLInputElement>(null);
+
+    function handleKeyFile(e: React.ChangeEvent<HTMLInputElement>) {
+        const file = e.target.files?.[0];
+        if (!file) return;
+        const reader = new FileReader();
+        reader.onload = (ev) => {
+            const text = ev.target?.result;
+            if (typeof text === "string") {
+                setForm((prev) => ({ ...prev, privateKey: text }));
+            }
+        };
+        reader.readAsText(file);
+        // Reset input so the same file can be re-selected if needed.
+        e.target.value = "";
+    }
+
+    const [connected, setConnected] = useState(false);
+    const [connecting, setConnecting] = useState(false);
+    const [connectError, setConnectError] = useState<string | null>(null);
+
+    const terminalRef = useRef<HTMLDivElement>(null);
+    const xtermRef = useRef<import("@xterm/xterm").Terminal | null>(null);
+    const fitAddonRef = useRef<import("@xterm/addon-fit").FitAddon | null>(
+        null
+    );
+    const wsRef = useRef<WebSocket | null>(null);
+
+    // Mount the terminal div once connected.
+    useEffect(() => {
+        if (!connected || !terminalRef.current) return;
+
+        let cancelled = false;
+
+        (async () => {
+            const [{ Terminal }, { FitAddon }, { WebLinksAddon }] =
+                await Promise.all([
+                    import("@xterm/xterm"),
+                    import("@xterm/addon-fit"),
+                    import("@xterm/addon-web-links")
+                ]);
+            if (cancelled || !terminalRef.current) return;
+
+            const terminal = new Terminal({
+                cursorBlink: true,
+                fontSize: 14,
+                fontFamily: "Menlo, Monaco, 'Courier New', monospace",
+                theme: {
+                    background: "#0d0d0d",
+                    foreground: "#f0f0f0"
+                },
+                scrollback: 5000
+            });
+
+            const fitAddon = new FitAddon();
+            const webLinksAddon = new WebLinksAddon();
+            terminal.loadAddon(fitAddon);
+            terminal.loadAddon(webLinksAddon);
+
+            terminal.open(terminalRef.current);
+            fitAddon.fit();
+
+            xtermRef.current = terminal;
+            fitAddonRef.current = fitAddon;
+
+            // Send user keystrokes to the WebSocket.
+            terminal.onData((data) => {
+                if (wsRef.current?.readyState === WebSocket.OPEN) {
+                    wsRef.current.send(JSON.stringify({ type: "data", data }));
+                }
+            });
+
+            // Send resize events.
+            terminal.onResize(({ cols, rows }) => {
+                if (wsRef.current?.readyState === WebSocket.OPEN) {
+                    wsRef.current.send(
+                        JSON.stringify({ type: "resize", cols, rows })
+                    );
+                }
+            });
+
+            // Send the initial size once the terminal is rendered.
+            const { cols, rows } = terminal;
+            if (wsRef.current?.readyState === WebSocket.OPEN) {
+                wsRef.current.send(
+                    JSON.stringify({ type: "resize", cols, rows })
+                );
+            }
+        })().catch(console.error);
+
+        return () => {
+            cancelled = true;
+        };
+    }, [connected]);
+
+    // Refit terminal when the window resizes.
+    useEffect(() => {
+        const onResize = () => fitAddonRef.current?.fit();
+        window.addEventListener("resize", onResize);
+        return () => window.removeEventListener("resize", onResize);
+    }, []);
+
+    // Cleanup on unmount.
+    useEffect(() => {
+        return () => {
+            wsRef.current?.close();
+            xtermRef.current?.dispose();
+        };
+    }, []);
+
+    // Auto-connect when signed key data is provided (push PAM mode).
+    useEffect(() => {
+        if (signedKeyData && signedPrivateKey && target) {
+            connect({
+                username: signedKeyData.sshUsername,
+                privateKey: signedPrivateKey,
+                certificate: signedKeyData.certificate
+            });
+        }
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, []);
+
+    function connect(override?: ConnectCredentials) {
+        setConnectError(null);
+        setConnecting(true);
+
+        if (!target) {
+            setConnectError("No target specified");
+            setConnecting(false);
+            return;
+        }
+
+        const username = override?.username ?? form.username;
+        const password = override?.password ?? form.password;
+        const privateKey = override?.privateKey ?? form.privateKey;
+        const certificate = override?.certificate;
+
+        const proxyAddress = `${window.location.protocol === "https:" ? "wss" : "ws"}://${window.location.host}/gateway/ssh`;
+        const url = new URL(proxyAddress);
+        url.searchParams.set("host", target.ip ?? "");
+        url.searchParams.set("port", String(target.port ?? 22));
+        url.searchParams.set("username", username);
+        url.searchParams.set("authToken", target.authToken ?? "");
+
+        const ws = new WebSocket(url.toString(), ["ssh"]);
+        wsRef.current = ws;
+
+        ws.onopen = () => {
+            // Send credentials as the first frame so the proxy can complete
+            // SSH authentication before piping pty data.
+            ws.send(
+                JSON.stringify({
+                    type: "auth",
+                    password,
+                    privateKey,
+                    certificate
+                })
+            );
+            if (!override) {
+                try {
+                    localStorage.setItem(STORAGE_KEY, JSON.stringify(form));
+                } catch {
+                    // ignore
+                }
+            }
+            setConnecting(false);
+            setConnected(true);
+        };
+
+        ws.onmessage = (evt) => {
+            if (typeof evt.data === "string") {
+                try {
+                    const msg = JSON.parse(evt.data as string) as {
+                        type: string;
+                        data?: string;
+                        error?: string;
+                    };
+                    if (msg.type === "data" && msg.data) {
+                        xtermRef.current?.write(msg.data);
+                    } else if (msg.type === "error") {
+                        xtermRef.current?.writeln(
+                            `\r\n\x1b[31mError: ${msg.error}\x1b[0m\r\n`
+                        );
+                    }
+                } catch {
+                    xtermRef.current?.write(evt.data);
+                }
+            } else if (evt.data instanceof Blob) {
+                evt.data.text().then((t) => xtermRef.current?.write(t));
+            }
+        };
+
+        ws.onerror = () => {
+            setConnecting(false);
+            setConnected(false);
+            setConnectError("WebSocket connection failed");
+        };
+
+        ws.onclose = (evt) => {
+            setConnecting(false);
+            setConnected(false);
+            xtermRef.current?.writeln(
+                `\r\n\x1b[33mConnection closed (code ${evt.code})\x1b[0m\r\n`
+            );
+        };
+    }
+
+    function disconnect() {
+        wsRef.current?.close();
+        xtermRef.current?.dispose();
+        xtermRef.current = null;
+        setConnected(false);
+    }
+
+    if (error) {
+        return (
+            <div className="min-h-screen bg-background flex items-center justify-center">
+                <p className="text-destructive">{error}</p>
+            </div>
+        );
+    }
+
+    // In push mode, show a connecting/connected state without the login form.
+    if (signedKeyData && signedPrivateKey) {
+        return (
+            <div className="min-h-screen bg-background">
+                {!connected && (
+                    <div className="flex min-h-screen items-center justify-center">
+                        <p className="text-muted-foreground">
+                            {connectError
+                                ? connectError
+                                : connecting
+                                  ? "Connecting…"
+                                  : "Initializing…"}
+                        </p>
+                    </div>
+                )}
+                {connected && (
+                    <div className="flex h-screen flex-col bg-neutral-900">
+                        <div className="flex flex-wrap items-center gap-2 bg-black p-2 text-white">
+                            <Button
+                                size="sm"
+                                variant="destructive"
+                                onClick={disconnect}
+                            >
+                                Terminate
+                            </Button>
+                        </div>
+                        <div
+                            ref={terminalRef}
+                            className="flex-1 overflow-hidden"
+                            style={{ minHeight: 0 }}
+                        />
+                    </div>
+                )}
+            </div>
+        );
+    }
+
+    return (
+        <div className="min-h-screen bg-background">
+            {!connected && (
+                <div className="mx-auto max-w-2xl p-6">
+                    <h1 className="mb-4 text-2xl font-semibold">SSH</h1>
+
+                    <div className="space-y-4">
+                        <Field label="Username" id="username">
+                            <Input
+                                id="username"
+                                value={form.username}
+                                onChange={(e) =>
+                                    setForm({
+                                        ...form,
+                                        username: e.target.value
+                                    })
+                                }
+                                placeholder="root"
+                            />
+                        </Field>
+                        <Field label="Password" id="password">
+                            <Input
+                                id="password"
+                                type="password"
+                                value={form.password}
+                                onChange={(e) =>
+                                    setForm({
+                                        ...form,
+                                        password: e.target.value
+                                    })
+                                }
+                                placeholder={
+                                    form.privateKey
+                                        ? "Optional with key auth"
+                                        : ""
+                                }
+                            />
+                        </Field>
+
+                        <Field label="Private Key (optional)" id="privateKey">
+                            <Textarea
+                                id="privateKey"
+                                value={form.privateKey}
+                                onChange={(e) =>
+                                    setForm({
+                                        ...form,
+                                        privateKey: e.target.value
+                                    })
+                                }
+                                placeholder="Paste your private key here (PEM format)…"
+                                rows={5}
+                                className="font-mono text-xs"
+                            />
+                            <div className="mt-1.5 flex items-center gap-2">
+                                <Button
+                                    type="button"
+                                    variant="outline"
+                                    size="sm"
+                                    onClick={() =>
+                                        fileInputRef.current?.click()
+                                    }
+                                >
+                                    Upload key file
+                                </Button>
+                                {form.privateKey && (
+                                    <button
+                                        type="button"
+                                        className="text-xs text-muted-foreground underline"
+                                        onClick={() =>
+                                            setForm((prev) => ({
+                                                ...prev,
+                                                privateKey: ""
+                                            }))
+                                        }
+                                    >
+                                        Clear
+                                    </button>
+                                )}
+                            </div>
+                            <input
+                                ref={fileInputRef}
+                                type="file"
+                                className="hidden"
+                                accept=".pem,.key,.pub,*"
+                                onChange={handleKeyFile}
+                            />
+                        </Field>
+
+                        {connectError && (
+                            <p className="text-destructive text-sm">
+                                {connectError}
+                            </p>
+                        )}
+
+                        <Button
+                            onClick={() => connect()}
+                            loading={connecting}
+                            disabled={
+                                !form.username ||
+                                (!form.password && !form.privateKey)
+                            }
+                            className="w-full"
+                        >
+                            {connecting ? "Connecting..." : "Connect"}
+                        </Button>
+                    </div>
+                </div>
+            )}
+
+            {connected && (
+                <div className="flex h-screen flex-col bg-neutral-900">
+                    <div className="flex flex-wrap items-center gap-2 bg-black p-2 text-white">
+                        <Button
+                            size="sm"
+                            variant="destructive"
+                            onClick={disconnect}
+                        >
+                            Terminate
+                        </Button>
+                    </div>
+                    <div
+                        ref={terminalRef}
+                        className="flex-1 overflow-hidden"
+                        style={{ minHeight: 0 }}
+                    />
+                </div>
+            )}
+        </div>
+    );
+}
+
+function Field({
+    label,
+    id,
+    children
+}: {
+    label: string;
+    id: string;
+    children: React.ReactNode;
+}) {
+    return (
+        <div className="space-y-1.5">
+            <Label htmlFor={id}>{label}</Label>
+            {children}
+        </div>
+    );
+}

src/app/ssh/page.tsx

@@ -0,0 +1,92 @@
+import { headers } from "next/headers";
+import { priv } from "@app/lib/api";
+import { AxiosResponse } from "axios";
+import { GetBrowserTargetResponse } from "@server/routers/resource";
+import SshClient from "./SshClient";
+import { SignSshKeyResponse } from "@server/private/routers/ssh";
+import crypto from "crypto";
+
+function generateEphemeralKeyPair(): {
+    privateKeyPem: string;
+    publicKeyOpenSSH: string;
+} {
+    const { publicKey: pubKeyObj, privateKey: privKeyObj } =
+        crypto.generateKeyPairSync("ed25519");
+
+    const privateKeyPem = privKeyObj.export({
+        type: "pkcs8",
+        format: "pem"
+    }) as string;
+
+    // Build OpenSSH wire format: uint32-length-prefixed strings
+    const pubKeyDer = pubKeyObj.export({
+        type: "spki",
+        format: "der"
+    }) as Buffer;
+    const rawPubKey = pubKeyDer.subarray(pubKeyDer.length - 32); // last 32 bytes are the Ed25519 key
+
+    function encodeField(b: Buffer): Buffer {
+        const len = Buffer.allocUnsafe(4);
+        len.writeUInt32BE(b.length, 0);
+        return Buffer.concat([len, b]);
+    }
+
+    const keyBlob = Buffer.concat([
+        encodeField(Buffer.from("ssh-ed25519")),
+        encodeField(rawPubKey)
+    ]);
+    const publicKeyOpenSSH = `ssh-ed25519 ${keyBlob.toString("base64")}`;
+
+    return { privateKeyPem, publicKeyOpenSSH };
+}
+
+export const dynamic = "force-dynamic";
+
+export const metadata = {
+    title: "SSH"
+};
+
+export default async function SshPage() {
+    const headersList = await headers();
+    const host = headersList.get("host") || "";
+    const hostname = host.split(":")[0];
+
+    let target: GetBrowserTargetResponse | null = null;
+    let signedKeyData: SignSshKeyResponse | null = null;
+    let privateKey: string | null = null;
+    let error: string | null = null;
+
+    try {
+        const res = await priv.get<AxiosResponse<GetBrowserTargetResponse>>(
+            `/resource/browser-target?fullDomain=${encodeURIComponent(hostname)}`
+        );
+        target = res.data.data;
+
+        if (target.pamMode === "push") {
+            const { privateKeyPem, publicKeyOpenSSH } =
+                generateEphemeralKeyPair();
+            privateKey = privateKeyPem;
+            const res = await priv.post<AxiosResponse<SignSshKeyResponse>>(
+                `/org/${target.orgId}/ssh/sign-key`,
+                {
+                    publicKey: publicKeyOpenSSH,
+                    resource: target.niceId
+                }
+            );
+            signedKeyData = res.data.data;
+            console.log("Received signed SSH key:", signedKeyData);
+        }
+    } catch (error) {
+        console.error("Error fetching browser target:", error);
+        error = "No resource found for this domain";
+    }
+
+    return (
+        <SshClient
+            target={target}
+            error={error}
+            signedKeyData={signedKeyData}
+            privateKey={privateKey}
+        />
+    );
+}

src/app/vnc/VncClient.tsx

@@ -0,0 +1,245 @@
+"use client";
+
+import { useEffect, useRef, useState } from "react";
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { toast } from "@app/hooks/useToast";
+import { GetBrowserTargetResponse } from "@server/routers/resource";
+
+type FormState = {
+    password: string;
+};
+
+export default function VncClient({
+    target,
+    error
+}: {
+    target: GetBrowserTargetResponse | null;
+    error: string | null;
+}) {
+    const STORAGE_KEY = "pangolin_vnc_credentials";
+
+    const [form, setForm] = useState<FormState>(() => {
+        try {
+            const saved = localStorage.getItem(STORAGE_KEY);
+            if (saved) return JSON.parse(saved) as FormState;
+        } catch {
+            // ignore
+        }
+        return { password: "" };
+    });
+
+    const [connected, setConnected] = useState(false);
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const rfbRef = useRef<any>(null);
+    const screenRef = useRef<HTMLDivElement>(null);
+
+    const update = <K extends keyof FormState>(key: K, value: FormState[K]) => {
+        setForm((prev) => ({ ...prev, [key]: value }));
+    };
+
+    // Disconnect and clean up the RFB instance.
+    const disconnect = () => {
+        if (rfbRef.current) {
+            rfbRef.current.disconnect();
+            rfbRef.current = null;
+        }
+        setConnected(false);
+    };
+
+    // Clean up on unmount.
+    useEffect(() => {
+        return () => disconnect();
+    }, []); // eslint-disable-line react-hooks/exhaustive-deps
+
+    const connect = async () => {
+        if (!target) {
+            toast({
+                variant: "destructive",
+                title: "No target",
+                description: "No resource target is available"
+            });
+            return;
+        }
+
+        if (!screenRef.current) return;
+
+        // Disconnect any existing session first.
+        disconnect();
+
+        // noVNC has no ESM default export — import the module dynamically to
+        // keep it out of the server bundle, then grab the default export.
+        let RFB: new (
+            target: HTMLElement,
+            url: string,
+            options?: Record<string, unknown>
+        ) => unknown;
+        try {
+            // @ts-expect-error — @novnc/novnc ships plain JS with no bundled types
+            const mod = await import("@novnc/novnc");
+            RFB = mod.default ?? mod;
+        } catch (err) {
+            toast({
+                variant: "destructive",
+                title: "Failed to load noVNC",
+                description: `${err}`
+            });
+            return;
+        }
+
+        // Build the proxy WebSocket URL:
+        // ws://<proxyAddress>?authToken=<token>&host=<ip>&port=<port>
+        const proxyAddress = `${window.location.protocol === "https:" ? "wss" : "ws"}://${window.location.host}/gateway/vnc`;
+        const base = proxyAddress.replace(/\/$/, "");
+        const params = new URLSearchParams({
+            host: target.ip,
+            port: String(target.port),
+            authToken: target.authToken
+        });
+        const wsUrl = `${base}?${params.toString()}`;
+
+        // Clear the container so noVNC gets a clean mount point.
+        screenRef.current.innerHTML = "";
+
+        const options: Record<string, unknown> = {};
+        if (form.password) {
+            options.credentials = { password: form.password };
+        }
+
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const rfb: any = new RFB(screenRef.current, wsUrl, options);
+
+        rfb.scaleViewport = true;
+        rfb.resizeSession = true;
+
+        rfb.addEventListener("connect", () => {
+            try {
+                localStorage.setItem(STORAGE_KEY, JSON.stringify(form));
+            } catch {
+                // ignore
+            }
+            setConnected(true);
+        });
+
+        rfb.addEventListener(
+            "disconnect",
+            (e: { detail: { clean: boolean } }) => {
+                rfbRef.current = null;
+                setConnected(false);
+            }
+        );
+
+        rfb.addEventListener(
+            "securityfailure",
+            (e: { detail: { status: number; reason?: string } }) => {
+                toast({
+                    variant: "destructive",
+                    title: "Authentication failed",
+                    description: e.detail.reason ?? `Status ${e.detail.status}`
+                });
+            }
+        );
+
+        rfbRef.current = rfb;
+    };
+
+    if (error) {
+        return (
+            <div className="min-h-screen bg-background flex items-center justify-center">
+                <p className="text-destructive">{error}</p>
+            </div>
+        );
+    }
+
+    return (
+        <div className="min-h-screen bg-background">
+            {!connected && (
+                <div className="mx-auto max-w-2xl p-6">
+                    <h1 className="mb-4 text-2xl font-semibold">VNC</h1>
+
+                    <div className="space-y-4">
+                        <Field label="Password (optional)" id="password">
+                            <Input
+                                id="password"
+                                type="password"
+                                value={form.password}
+                                onChange={(e) =>
+                                    update("password", e.target.value)
+                                }
+                            />
+                        </Field>
+
+                        <Button onClick={connect} className="w-full">
+                            Connect
+                        </Button>
+                    </div>
+                </div>
+            )}
+
+            <div
+                className="flex h-screen flex-col bg-neutral-900"
+                style={{ display: connected ? "flex" : "none" }}
+            >
+                <div className="flex flex-wrap items-center gap-2 bg-black p-2 text-white">
+                    <Button
+                        size="sm"
+                        variant="secondary"
+                        onClick={() => {
+                            if (rfbRef.current) {
+                                rfbRef.current.sendCtrlAltDel();
+                            }
+                        }}
+                    >
+                        Ctrl+Alt+Del
+                    </Button>
+                    <Button
+                        size="sm"
+                        variant="secondary"
+                        onClick={() => {
+                            navigator.clipboard
+                                ?.readText()
+                                .then((text) => {
+                                    rfbRef.current?.clipboardPasteFrom(text);
+                                })
+                                .catch(() => {});
+                        }}
+                    >
+                        Paste clipboard
+                    </Button>
+                    <Button
+                        size="sm"
+                        variant="destructive"
+                        onClick={disconnect}
+                    >
+                        Terminate
+                    </Button>
+                </div>
+
+                {/* noVNC mounts a <canvas> inside this div */}
+                <div
+                    ref={screenRef}
+                    className="flex-1 overflow-hidden"
+                    style={{ background: "#000" }}
+                />
+            </div>
+        </div>
+    );
+}
+
+function Field({
+    label,
+    id,
+    children
+}: {
+    label: string;
+    id: string;
+    children: React.ReactNode;
+}) {
+    return (
+        <div className="space-y-1.5">
+            <Label htmlFor={id}>{label}</Label>
+            {children}
+        </div>
+    );
+}

src/app/vnc/page.tsx

@@ -0,0 +1,32 @@
+import { headers } from "next/headers";
+import { priv } from "@app/lib/api";
+import { AxiosResponse } from "axios";
+import { GetBrowserTargetResponse } from "@server/routers/resource";
+import VncClient from "./VncClient";
+
+export const dynamic = "force-dynamic";
+
+export const metadata = {
+    title: "VNC"
+};
+
+export default async function VncPage() {
+    const headersList = await headers();
+    const host = headersList.get("host") || "";
+    const hostname = host.split(":")[0];
+
+    let target: GetBrowserTargetResponse | null = null;
+    let error: string | null = null;
+
+    try {
+        const res = await priv.get<AxiosResponse<GetBrowserTargetResponse>>(
+            `/resource/browser-target?fullDomain=${encodeURIComponent(hostname)}`
+        );
+        target = res.data.data;
+    } catch (error) {
+        console.error("Error fetching browser target:", error);
+        error = "No resource found for this domain";
+    }
+
+    return <VncClient target={target} error={error} />;
+}

src/components/BrowserGatewayTargetForm.tsx

@@ -0,0 +1,146 @@
+"use client";
+
+import { ChevronsUpDown, ExternalLink } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { useState } from "react";
+import {
+    MultiSitesSelector,
+    formatMultiSitesSelectorLabel
+} from "./multi-site-selector";
+import { SitesSelector, type Selectedsite } from "./site-selector";
+import { Button } from "./ui/button";
+import { Input } from "./ui/input";
+import { Popover, PopoverContent, PopoverTrigger } from "./ui/popover";
+
+type SingleSiteProps = {
+    multiSite?: false;
+    selectedSite: Selectedsite | null;
+    onSiteChange: (site: Selectedsite | null) => void;
+};
+
+type MultiSiteProps = {
+    multiSite: true;
+    selectedSites: Selectedsite[];
+    onSitesChange: (sites: Selectedsite[]) => void;
+};
+
+export type BrowserGatewayTargetFormProps = {
+    orgId: string;
+    destination: string;
+    defaultPort: number;
+    destinationPort: string;
+    onDestinationChange: (v: string) => void;
+    onDestinationPortChange: (v: string) => void;
+    learnMoreHref?: string;
+} & (SingleSiteProps | MultiSiteProps);
+
+export function BrowserGatewayTargetForm(props: BrowserGatewayTargetFormProps) {
+    const t = useTranslations();
+    const [siteOpen, setSiteOpen] = useState(false);
+
+    const siteSelector =
+        props.multiSite === true ? (
+            <Popover open={siteOpen} onOpenChange={setSiteOpen}>
+                <PopoverTrigger asChild>
+                    <Button
+                        variant="outline"
+                        role="combobox"
+                        className="w-full justify-between font-normal"
+                    >
+                        <span className="truncate">
+                            {formatMultiSitesSelectorLabel(
+                                props.selectedSites,
+                                t
+                            )}
+                        </span>
+                        <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
+                    </Button>
+                </PopoverTrigger>
+                <PopoverContent className="w-[var(--radix-popover-trigger-width)] p-0">
+                    <MultiSitesSelector
+                        orgId={props.orgId}
+                        selectedSites={props.selectedSites}
+                        onSelectionChange={props.onSitesChange}
+                    />
+                </PopoverContent>
+            </Popover>
+        ) : (
+            <Popover open={siteOpen} onOpenChange={setSiteOpen}>
+                <PopoverTrigger asChild>
+                    <Button
+                        variant="outline"
+                        role="combobox"
+                        className="w-full justify-between font-normal"
+                    >
+                        <span className="truncate">
+                            {props.selectedSite?.name ?? t("siteSelect")}
+                        </span>
+                        <ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
+                    </Button>
+                </PopoverTrigger>
+                <PopoverContent className="w-[var(--radix-popover-trigger-width)] p-0">
+                    <SitesSelector
+                        orgId={props.orgId}
+                        selectedSite={props.selectedSite}
+                        onSelectSite={(site) => {
+                            props.onSiteChange(site);
+                            setSiteOpen(false);
+                        }}
+                    />
+                </PopoverContent>
+            </Popover>
+        );
+
+    return (
+        <div className="space-y-2">
+            <div className="grid grid-cols-3 gap-4">
+                <div className="space-y-2">
+                    <label className="text-sm font-semibold">
+                        {t("sites")}
+                    </label>
+                    {siteSelector}
+                </div>
+                <div className="space-y-2">
+                    <label className="text-sm font-semibold">
+                        {t("destination")}
+                    </label>
+                    <Input
+                        placeholder="192.168.1.1"
+                        value={props.destination}
+                        onChange={(e) =>
+                            props.onDestinationChange(e.target.value)
+                        }
+                    />
+                </div>
+                <div className="space-y-2">
+                    <label className="text-sm font-semibold">{t("port")}</label>
+                    <Input
+                        type="number"
+                        placeholder={props.defaultPort.toString()}
+                        value={props.destinationPort}
+                        onChange={(e) =>
+                            props.onDestinationPortChange(e.target.value)
+                        }
+                    />
+                </div>
+            </div>
+            {props.multiSite === true && props.selectedSites.length > 1 && (
+                <p className="text-sm text-muted-foreground">
+                    {t("bgTargetMultiSiteDisclaimer")}{" "}
+                    <a
+                        href={
+                            props.learnMoreHref ??
+                            "https://docs.pangolin.net/manage/resources/public/ssh"
+                        }
+                        target="_blank"
+                        rel="noopener noreferrer"
+                        className="text-primary hover:underline inline-flex items-center gap-1"
+                    >
+                        {t("learnMore")}
+                        <ExternalLink className="size-3.5 shrink-0" />
+                    </a>
+                </p>
+            )}
+        </div>
+    );
+}

src/components/ProxyResourcesTable.tsx

@@ -88,6 +88,7 @@ export type ResourceRow = {
     name: string;
     orgId: string;
     domain: string;
+    browserAccessType: string | null;
     authState: string;
     http: boolean;
     protocol: string;
@@ -411,6 +412,12 @@ export default function ProxyResourcesTable({
                 ),
                 cell: ({ row }) => {
                     const resourceRow = row.original;
+                    if (
+                        !resourceRow.http ||
+                        resourceRow.browserAccessType !== "http"
+                    ) {
+                        return <span>-</span>;
+                    }
                     return (
                         <TargetStatusCell
                             targets={resourceRow.targets}
@@ -439,6 +446,12 @@ export default function ProxyResourcesTable({
                 header: () => <span className="p-3">{t("uptime30d")}</span>,
                 cell: ({ row }) => {
                     const resourceRow = row.original;
+                    if (
+                        !resourceRow.http ||
+                        resourceRow.browserAccessType !== "http"
+                    ) {
+                        return <span>-</span>;
+                    }
                     return (
                         <UptimeMiniBar resourceId={resourceRow.id} days={30} />
                     );

src/components/ResourceInfoBox.tsx

@@ -4,11 +4,9 @@ import { Alert, AlertDescription, AlertTitle } from "@/components/ui/alert";
 import {
     ShieldCheck,
     ShieldOff,
-    Eye,
     EyeOff,
     CheckCircle2,
-    XCircle,
-    Clock
+    XCircle
 } from "lucide-react";
 import { useResourceContext } from "@app/hooks/useResourceContext";
 import CopyToClipboard from "@app/components/CopyToClipboard";
@@ -32,19 +30,40 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
 
     const fullUrl = `${resource.ssl ? "https" : "http"}://${toUnicode(resource.fullDomain || "")}`;
 
+    const showCertificate = !!(
+        resource.http &&
+        resource.domainId &&
+        resource.fullDomain &&
+        build != "oss"
+    );
+    const showType = !!(resource.http && resource.browserAccessType);
+    const showHealth =
+        !["ssh", "rdp", "vnc"].includes(resource.browserAccessType || "") &&
+        !!resource.health &&
+        resource.health !== "unknown";
+    const showVisibility = !resource.enabled;
+
+    const numSections = [
+        true, // URL or Protocol
+        true, // Authentication or Port
+        showType,
+        showCertificate,
+        showHealth,
+        showVisibility
+    ].filter(Boolean).length;
+
     return (
         <Alert>
             <AlertDescription>
-                {/* 4 cols because of the certs */}
-                <InfoSections cols={resource.http && build != "oss" ? 6 : 5}>
-                    <InfoSection>
+                <InfoSections cols={numSections}>
+                    {/* <InfoSection>
                         <InfoSectionTitle>{t("identifier")}</InfoSectionTitle>
                         <InfoSectionContent>
                             <span className="inline-flex items-center">
                                 {resource.niceId}
                             </span>
                         </InfoSectionContent>
-                    </InfoSection>
+                    </InfoSection> */}
                     {resource.http ? (
                         <>
                             <InfoSection>
@@ -62,6 +81,18 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                                     )}
                                 </InfoSectionContent>
                             </InfoSection>
+                            {showType && (
+                                <InfoSection>
+                                    <InfoSectionTitle>
+                                        {t("type")}
+                                    </InfoSectionTitle>
+                                    <InfoSectionContent>
+                                        <span className="inline-flex items-center">
+                                            {resource.browserAccessType!.toUpperCase()}
+                                        </span>
+                                    </InfoSectionContent>
+                                </InfoSection>
+                            )}
                             <InfoSection>
                                 <InfoSectionTitle>
                                     {t("authentication")}
@@ -84,24 +115,6 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                                     )}
                                 </InfoSectionContent>
                             </InfoSection>
-                            {/* {isEnabled && (
-                                <InfoSection>
-                                    <InfoSectionTitle>Socket</InfoSectionTitle>
-                                    <InfoSectionContent>
-                                        {isAvailable ? (
-                                            <span className="flex items-center space-x-2">
-                                                <div className="w-2 h-2 bg-green-500 rounded-full"></div>
-                                                <span>Online</span>
-                                            </span>
-                                        ) : (
-                                            <span className="flex items-center space-x-2">
-                                                <div className="w-2 h-2 bg-neutral-500 rounded-full"></div>
-                                                <span>Offline</span>
-                                            </span>
-                                        )}
-                                    </InfoSectionContent>
-                                </InfoSection>
-                            )} */}
                         </>
                     ) : (
                         <>
@@ -149,74 +162,69 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                     {/*     </InfoSectionContent> */}
                     {/* </InfoSection> */}
                     {/* Certificate Status Column */}
-                    {resource.http &&
-                        resource.domainId &&
-                        resource.fullDomain &&
-                        build != "oss" && (
-                            <InfoSection>
-                                <InfoSectionTitle>
-                                    {t("certificateStatus", {
-                                        defaultValue: "Certificate"
-                                    })}
-                                </InfoSectionTitle>
-                                <InfoSectionContent>
-                                    <CertificateStatus
-                                        orgId={resource.orgId}
-                                        domainId={resource.domainId}
-                                        fullDomain={resource.fullDomain}
-                                        autoFetch={true}
-                                        showLabel={false}
-                                        polling={true}
-                                    />
-                                </InfoSectionContent>
-                            </InfoSection>
-                        )}
-                    <InfoSection>
-                        <InfoSectionTitle>{t("health")}</InfoSectionTitle>
-                        <InfoSectionContent>
-                            {resource.health === "healthy" && (
-                                <div className="flex items-center space-x-2">
-                                    <CheckCircle2 className="w-4 h-4 flex-shrink-0 text-green-500" />
-                                    <span>{t("resourcesTableHealthy")}</span>
-                                </div>
-                            )}
-                            {resource.health === "degraded" && (
-                                <div className="flex items-center space-x-2">
-                                    <CheckCircle2 className="w-4 h-4 flex-shrink-0 text-yellow-500" />
-                                    <span>{t("resourcesTableDegraded")}</span>
-                                </div>
-                            )}
-                            {resource.health === "unhealthy" && (
-                                <div className="flex items-center space-x-2">
-                                    <XCircle className="w-4 h-4 flex-shrink-0 text-destructive" />
-                                    <span>{t("resourcesTableUnhealthy")}</span>
-                                </div>
-                            )}
-                            {(!resource.health ||
-                                resource.health === "unknown") && (
-                                <div className="flex items-center space-x-2">
-                                    <Clock className="w-4 h-4 flex-shrink-0" />
-                                    <span>{t("resourcesTableUnknown")}</span>
-                                </div>
-                            )}
-                        </InfoSectionContent>
-                    </InfoSection>
-                    <InfoSection>
-                        <InfoSectionTitle>{t("visibility")}</InfoSectionTitle>
-                        <InfoSectionContent>
-                            {resource.enabled ? (
-                                <div className="flex items-center space-x-2">
-                                    <Eye className="w-4 h-4 flex-shrink-0 text-green-500" />
-                                    <span>{t("enabled")}</span>
-                                </div>
-                            ) : (
+                    {showCertificate && (
+                        <InfoSection>
+                            <InfoSectionTitle>
+                                {t("certificateStatus", {
+                                    defaultValue: "Certificate"
+                                })}
+                            </InfoSectionTitle>
+                            <InfoSectionContent>
+                                <CertificateStatus
+                                    orgId={resource.orgId}
+                                    domainId={resource.domainId!}
+                                    fullDomain={resource.fullDomain!}
+                                    autoFetch={true}
+                                    showLabel={false}
+                                    polling={true}
+                                />
+                            </InfoSectionContent>
+                        </InfoSection>
+                    )}
+                    {showHealth && (
+                        <InfoSection>
+                            <InfoSectionTitle>{t("health")}</InfoSectionTitle>
+                            <InfoSectionContent>
+                                {resource.health === "healthy" && (
+                                    <div className="flex items-center space-x-2">
+                                        <CheckCircle2 className="w-4 h-4 flex-shrink-0 text-green-500" />
+                                        <span>
+                                            {t("resourcesTableHealthy")}
+                                        </span>
+                                    </div>
+                                )}
+                                {resource.health === "degraded" && (
+                                    <div className="flex items-center space-x-2">
+                                        <CheckCircle2 className="w-4 h-4 flex-shrink-0 text-yellow-500" />
+                                        <span>
+                                            {t("resourcesTableDegraded")}
+                                        </span>
+                                    </div>
+                                )}
+                                {resource.health === "unhealthy" && (
+                                    <div className="flex items-center space-x-2">
+                                        <XCircle className="w-4 h-4 flex-shrink-0 text-destructive" />
+                                        <span>
+                                            {t("resourcesTableUnhealthy")}
+                                        </span>
+                                    </div>
+                                )}
+                            </InfoSectionContent>
+                        </InfoSection>
+                    )}
+                    {showVisibility && (
+                        <InfoSection>
+                            <InfoSectionTitle>
+                                {t("visibility")}
+                            </InfoSectionTitle>
+                            <InfoSectionContent>
                                 <div className="flex items-center space-x-2">
                                     <EyeOff className="w-4 h-4 flex-shrink-0 text-neutral-500" />
                                     <span>{t("disabled")}</span>
                                 </div>
-                            )}
-                        </InfoSectionContent>
-                    </InfoSection>
+                            </InfoSectionContent>
+                        </InfoSection>
+                    )}
                 </InfoSections>
             </AlertDescription>
         </Alert>

src/components/Settings.tsx

@@ -22,13 +22,24 @@ export function SettingsSectionHeader({
 
 export function SettingsSectionForm({
     children,
-    className
+    className,
+    variant = "compact"
 }: {
     children: React.ReactNode;
+    variant?: "half" | "compact";
     className?: string;
 }) {
     return (
-        <div className={cn("max-w-xl space-y-4", className)}>{children}</div>
+        <div
+            className={cn(
+                variant === "half"
+                    ? "max-w-3xl space-y-4"
+                    : "max-w-xl space-y-4",
+                className
+            )}
+        >
+            {children}
+        </div>
     );
 }
 

src/types/css-modules.d.ts

@@ -0,0 +1,3 @@
+// Allow importing plain CSS files as side-effect imports (e.g. xterm.css).
+declare module "*.css" {}
+declare module "@xterm/xterm/css/xterm.css" {}