Windows Apps on AWS via Browser

Host Windows Apps on AWS. Access Them From Any Browser.

Run your Windows applications on EC2 and give multiple concurrent users secure browser access — no RDP client, no exposed port 3389, no VPN. Just a URL, sign-in, and the app.

The old way: open a port, cross your fingers.

Traditional web-RDP setups have you editing security groups, opening custom gateway ports to the internet, and adding Windows Firewall inbound rules just to reach one VM. WebStream replaces that ritual with a single identity-gated TLS endpoint — and delivers the application, not the whole machine.

How It Works on AWS

From EC2 instance to browser access in four steps

Most teams complete this within hours using WebStream Core — the free evaluation edition.

1. Launch WebStream on EC2

Deploy via AWS Marketplace or install the MSI on an EC2 Windows instance in your own account. Your VPC, your security groups, your data.

2. Publish your application

Add the Windows application to the App Collection — a line-of-business system, productivity tool, or vendor product. No code changes.

3. Expose one TLS endpoint

Users connect to a single HTTPS URL. RDP port 3389 stays closed to the internet; the instance stays behind your security groups.

4. Users sign in and work

SSO/MFA-gated access from any HTML5 browser, with multiple concurrent users per host and every session audited.

Want the detailed walkthrough? The WebStream ACP manual covers deployment step by step, and the AWS integration page explains the architecture.

Security

No inbound RDP. Governance on every session.

Browser access should reduce your attack surface, not widen it.

Port 3389 stays closed

No RDP endpoint is published to the internet. Users reach WebStream over TLS; WebStream reaches the app on your private network.

Identity in front of everything

SSO and MFA through your identity provider gate every session. No shared local accounts, no credential sprawl.

The app, not the machine

Users receive the published application — not a desktop, not a shell, not network access to the EC2 instance.

Data movement policy

File upload/download, clipboard, and print/PDF governed per policy — control what leaves the AWS environment.

Full audit trail

Every session is attributable and logged, with session recording available where compliance requires it.

Your AWS account

Everything runs in your VPC under your controls — no third-party hosted gateway in the data path.
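To check the "Port 3389 stays closed" claim against an actual deployment, the sketch below audits security group rules for internet-wide access to RDP. It is an added example, not WebStream tooling: it assumes the JSON shape returned by aws ec2 describe-security-groups and assumes the TLS endpoint listens on port 443; the group IDs and rules are constructed sample data.

```python
import json, sys

RDP_PORT = 3389
ALLOWED_PUBLIC_PORTS = {443}   # assumption: the single TLS endpoint listens on 443
ANYWHERE = {"0.0.0.0/0", "::/0"}

def rule(proto, lo, hi, v4=(), v6=()):
    """Build one IpPermissions entry in the AWS API shape (sample data only)."""
    perm = {"IpProtocol": proto,
            "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}
    if proto != "-1":            # "all traffic" rules carry no port fields
        perm.update(FromPort=lo, ToPort=hi)
    return perm

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-tls-only", "IpPermissions": [rule("tcp", 443, 443, ["0.0.0.0/0"])]},
    {"GroupId": "sg-rdp-open", "IpPermissions": [rule("tcp", 3389, 3389, ["0.0.0.0/0"])]},
    {"GroupId": "sg-wide-range", "IpPermissions": [rule("tcp", 3000, 4000, v6=["::/0"])]},
    {"GroupId": "sg-all-traffic", "IpPermissions": [rule("-1", 0, 0, ["0.0.0.0/0"])]},
    {"GroupId": "sg-rdp-private", "IpPermissions": [rule("tcp", 3389, 3389, ["10.0.0.0/16"])]},
    {"GroupId": "sg-alt-gateway", "IpPermissions": [rule("tcp", 8443, 8443, ["0.0.0.0/0"])]},
]}

def audit(doc):
    """Return (group_id, cidr, reason) for every internet-wide rule that
    reaches RDP or opens a port other than the TLS endpoint."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto not in ("tcp", "udp", "-1"):
                continue         # ICMP and other protocols cannot carry RDP
            # A range or an all-traffic rule exposes 3389 without naming it.
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in ANYWHERE:
                    continue
                if lo <= RDP_PORT <= hi:
                    findings.append((sg["GroupId"], cidr, "rdp-exposed"))
                elif set(range(lo, hi + 1)) - ALLOWED_PUBLIC_PORTS:
                    findings.append((sg["GroupId"], cidr, "extra-public-port"))
    return findings

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in audit(doc):
        print(*finding)
```

Run it with no arguments to see the sample findings, or pass the path of a saved describe-security-groups JSON file.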

Comparison

WebStream vs DIY web-RDP on AWS

How governed browser delivery compares with publishing an RDP gateway from an EC2 instance.

| Area | DIY web-RDP gateway | WebStream on AWS |
| --- | --- | --- |
| Network exposure | Custom gateway port opened in security groups and Windows Firewall | One TLS endpoint; RDP never internet-facing |
| What users receive | The full VM desktop | The published application only |
| Authentication | Windows credentials at the gateway | SSO / MFA via your identity provider |
| Concurrent users | Per-VM RDP session limits, manual management | Managed concurrent sessions with entitlements |
| Data movement control | All-or-nothing RDP settings | File, clipboard, print/PDF per policy |
| Audit | Windows event logs, if collected | Full per-session audit trail, optional recording |
| Setup effort | Security groups, firewall rules, certificates per VM | Deploy once; publish apps from the console |

Migrating legacy apps to AWS rather than just accessing them? See AWS legacy application access for the migration-unblocking story.

Watch the Full WebStream Demo

From a Windows app to browser access

The full end-to-end demo: browser login, launching Notepad and LibreOffice, file workflows, and starting a free WebStream Core trial on AWS.

Get Started

Get your AWS-hosted app into the browser

Tell us what you run on AWS (or plan to) and we’ll help you get browser access working. Prefer to give us full detail? Use the full assessment form.

FAQ

Common questions

Do I need to open RDP port 3389 to the internet?

No — and you shouldn’t. With WebStream, users connect to a single TLS endpoint in the browser. RDP is never exposed to the internet, and the EC2 instance stays behind your security groups.

Do users need an RDP client or any software?

No. Any modern HTML5 browser works — Chrome, Edge, Safari, Firefox — on any device. There is no RDP client, VPN, plug-in, or agent to install.

Can multiple users access the same AWS-hosted application concurrently?

Yes. WebStream manages concurrent sessions on your EC2 Windows hosts, with each session identity-gated, governed by policy, and separately audited. Add EC2 capacity as concurrency grows.

How do I deploy WebStream on AWS?

Launch WebStream on an EC2 Windows instance — via AWS Marketplace or by installing the MSI — publish your application, and share the URL. Most teams have a working browser session within hours. The manual includes a step-by-step quick start.

Is this more secure than publishing an RDP gateway?

Yes. Instead of exposing a remote desktop protocol endpoint, WebStream exposes one TLS web endpoint with SSO/MFA in front. Users receive only the published application — not a desktop or network access — and every session has file, clipboard, and print policy plus a full audit trail.

Get Started

Your app on AWS. Their browser. Nothing in between.

Start free with WebStream Core on your own EC2 instance — or via AWS Marketplace — and have a working browser session within hours.