diff --git a/public/docs-static/img/how-to-guides/browser-client/temporary-peers-filter.png b/public/docs-static/img/how-to-guides/browser-client/temporary-peers-filter.png new file mode 100644 index 00000000..948ba4cd Binary files /dev/null and b/public/docs-static/img/how-to-guides/browser-client/temporary-peers-filter.png differ diff --git a/public/docs-static/img/how-to-guides/browser-client/temporary-policies-filter.png b/public/docs-static/img/how-to-guides/browser-client/temporary-policies-filter.png new file mode 100644 index 00000000..00661768 Binary files /dev/null and b/public/docs-static/img/how-to-guides/browser-client/temporary-policies-filter.png differ diff --git a/src/pages/about-netbird/browser-client-architecture.mdx b/src/pages/about-netbird/browser-client-architecture.mdx index d7786d81..97da3a47 100644 --- a/src/pages/about-netbird/browser-client-architecture.mdx +++ b/src/pages/about-netbird/browser-client-architecture.mdx @@ -54,6 +54,27 @@ RDP connections use the IronRDP WASM module with a custom RDCleanPath bridge: - **Function**: Bridges RDP traffic from the RDCleanPath proxy through NetBird tunnels to the target RDP server - **Security**: Handles certificate validation and caching +### Management Server +To support the Browser Client functionality, the NetBird management server uses two resources: + +#### Temporary Peer +The WebAssembly NetBird Client will register as a temporary peer with the management server. The temporary peer will live as long as the connection is active. +Once the connection is closed, the temporary peer will be automatically removed from the management server. This happens after 10 minutes of inactivity. +For the WebAssembly NetBird Client all peers will be named as `{browser}-browser-client` (e.g. `safari-17-browser-client`). + +

+ temporary-peers-filter +

+ +#### Temporary Policy +To allow the registered WebAssembly NetBird Client to connect to the target peer, a temporary policy will be created. The temporary policy will allow access to the target peer on ports 22 (SSH), 3389 (RDP). +The policy will be created P2P with no groups required. This way the client will only connect to one other peer. Once either of the peers (source or destination) is removed, the temporary policy will be automatically removed from the management server. +The policies for the WebAssembly NetBird Client will be named as `Temporary access policy for peer {browser-client-name}` (e.g. `Temporary access policy for peer safari-17-browser-client`). + +

+ temporary-policies-filter +

+ ## Connection Flow ### 1. Temporary Access Registration
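Review bot: In the new "Temporary Peer" subsection the removal timing is stated two ways: "Once the connection is closed, the temporary peer will be automatically removed" reads as immediate, while the following sentence says "This happens after 10 minutes of inactivity." Suggest merging these into one sentence that gives the actual trigger and delay. The "Temporary Policy" subsection should then note that the policy stays in place for the same window, since it is only removed when the source or destination peer is removed. The policy paragraph should also say whether ports 22 and 3389 are both opened for every session or only the one matching the requested protocol. As written it reads as both, which is broader than a single SSH or RDP session needs, and an administrator auditing policies will want that stated explicitly. Minor: the name template `{browser}-browser-client` does not show the version component that appears in the example `safari-17-browser-client`, and "created P2P with no groups required" would be clearer as a plain statement that the policy applies directly between the two peers.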