Run your Windows applications on EC2 and give multiple concurrent users secure browser access — no RDP client, no exposed port 3389, no VPN. Just a URL, sign-in, and the app.
Traditional web-RDP setups have you editing security groups, opening custom gateway ports to the internet, and adding Windows Firewall inbound rules just to reach one VM. WebStream replaces that ritual with a single identity-gated TLS endpoint — and delivers the application, not the whole machine.
Most teams complete this within hours using WebStream Core — the free evaluation edition.
Deploy via AWS Marketplace or install the MSI on an EC2 Windows instance in your own account. Your VPC, your security groups, your data.
Add the Windows application to the App Collection — a line-of-business system, productivity tool, or vendor product. No code changes.
Users connect to a single HTTPS URL. RDP port 3389 stays closed to the internet; the instance stays behind your security groups.
SSO/MFA-gated access from any HTML5 browser, with multiple concurrent users per host and every session audited.
Want the detailed walkthrough? The WebStream ACP manual covers deployment step by step, and the AWS integration page explains the architecture.
Browser access should reduce your attack surface, not widen it.
No RDP endpoint is published to the internet. Users reach WebStream over TLS; WebStream reaches the app on your private network.
SSO and MFA through your identity provider gate every session. No shared local accounts, no credential sprawl.
Users receive the published application — not a desktop, not a shell, not network access to the EC2 instance.
File upload/download, clipboard, and print/PDF governed per policy — control what leaves the AWS environment.
Every session is attributable and logged, with session recording available where compliance requires it.
Everything runs in your VPC under your controls — no third-party hosted gateway in the data path.
How governed browser delivery compares with publishing an RDP gateway from an EC2 instance.
| Area | DIY web-RDP gateway | WebStream on AWS |
|---|---|---|
| Network exposure | Custom gateway port opened in security groups and Windows Firewall | One TLS endpoint; RDP never internet-facing |
| What users receive | The full VM desktop | The published application only |
| Authentication | Windows credentials at the gateway | SSO / MFA via your identity provider |
| Concurrent users | Per-VM RDP session limits, manual management | Managed concurrent sessions with entitlements |
| Data movement control | All-or-nothing RDP settings | File, clipboard, print/PDF per policy |
| Audit | Windows event logs, if collected | Full per-session audit trail, optional recording |
| Setup effort | Security groups, firewall rules, certificates per VM | Deploy once; publish apps from the console |
Migrating legacy apps to AWS rather than just accessing them? See AWS legacy application access for the migration-unblocking story.
The full end-to-end demo: browser login, launching Notepad and LibreOffice, file workflows, and starting a free WebStream Core trial on AWS.
Full WebStream demo — Windows applications on AWS, delivered through the browser.
Tell us what you run on AWS (or plan to) and we’ll help you get browser access working. Prefer to give us full detail? Use the full assessment form.
No — and you shouldn’t. With WebStream, users connect to a single TLS endpoint in the browser. RDP is never exposed to the internet, and the EC2 instance stays behind your security groups.
No. Any modern HTML5 browser works — Chrome, Edge, Safari, Firefox — on any device. There is no RDP client, VPN, plug-in, or agent to install.
Yes. WebStream manages concurrent sessions on your EC2 Windows hosts, with each session identity-gated, governed by policy, and separately audited. Add EC2 capacity as concurrency grows.
Launch WebStream on an EC2 Windows instance — via AWS Marketplace or by installing the MSI — publish your application, and share the URL. Most teams have a working browser session within hours. The manual includes a step-by-step quick start.
Yes. Instead of exposing a remote desktop protocol endpoint, WebStream exposes one TLS web endpoint with SSO/MFA in front. Users receive only the published application — not a desktop or network access — and every session has file, clipboard, and print policy plus a full audit trail.
Start free with WebStream Core on your own EC2 instance — or via AWS Marketplace — and have a working browser session within hours.