I am using the ZAC console to configure the identities, services and policies.
I have a Windows server as an identity configured to host (bound) the RDP service, configured with port 3389.
I have all the required ports opened on the firewall. I have 2 Windows Edge clients (one inside and one outside the network) configured to dial the service.
I see all identities showing those services. RDP is not working with the systems. Weirdly, I am able to ping the host both from inside and outside.
I have policies and services linking the host identity with a Bind policy and the others with a Dial policy.
Hi @antogeorge, welcome to the community and to OpenZiti!
Community-based assistance is always "as we can get to it" (from the maintainers) and at the whim of other community members. If you require urgent support, it's probably best to try to establish a network with NetFoundry which will come with 24x7 support.
As for the problem with RDP, you've not provided enough information for anyone to assist you. When a service isn't working, here's the checklist of things you should check:
is the client side identity on?
is the client side identity enabled?
do you see the relevant service listed for the given identity on the client?
is the server side identity on?
is the server side identity enabled?
do you see the relevant service listed for the given identity on the server?
look at the client's data/tunneler/service logs (for windows it'll be at Main Menu -> Advanced Settings -> Service Logs). Do you see any "error" or "warn" messages that are useful to relay? Do they help explain the issue? Do you see the service you're trying to access being "dialed"?
look at the logs in the controller, does the controller have any errors?
change the server's log level to DEBUG and restart the ZDEW using the big green button to make sure you have a clean log
look at the server's logs (same as above), make sure the service is 'binding', do you see something like this at "DEBUG" level? "start_binding() server1.4 requesting BIND on ch[OCI us-ashburn-1 Edge Router 1]"
In 99% of cases, the logs have something useful in them that helps point at the issue.
I would say it's usually like 80% of the time the client logs are enough, 15% the controller and 4% are at the hosting tunneler side. So looking at the logs in the order I specified is usually the right move.
Look at your logs, and if you can't figure it out from the logs, let us know.
I have no issue with RDP and use it almost on a daily basis.
Looking at your post you seem to have:
Single Controller + ZitiRouter on a single VM
Windows Server hosting RDP on the network with this Controller+ZitiRouter?
Trying to RDP from remote via OpenZiti
If you may, provide how you configured the configurations?
Intercept: This can be any FQDN or the IPv4 of your Windows server. Ensure the service role is set to the role your service is configured with. Port 3389
Host configuration: for simplicity, you might want to disable forward; just set TCP, the IPv4 of your Windows server, port 3389
The above ensures IPv4/FQDN:3389 will be intercepted and forwarded to your host configuration
Create a Service - attach the intercept/host configuration to it and assign an attribute role to it. Example: myrdp
Finally are the access policies
Ensure the following are configured
Bind Policy - Select Service Attributes <- myrdp (or the role attribute you assigned); Select Identity Attributes <- this is not your user identity, ensure you set it to the ziti router role attribute or alternatively use @yourziti-router for a specific ziti router
Dial Policy - Select Service Attributes <- myrdp (or the role attribute you assigned); Select Identity Attributes <- this is the most confusing part for a newcomer, ensure this is either the #role-attributes of your user identity or @user-identity
Once the above are set, review the service and you should see the proper associated entities, especially terminators; ensure the terminator is the ziti router that you configured
Your controller and router must be reachable by your windows edge client .
Your controller will be listening to api and data plane ports so ensure firewalls not blocked
Edge router ports (e.g 10080) must also be reachable from outside
Check on
If your edge client can enroll and receive services, your connection to the controller API seems ok
Next check your ZAC on the service you configured, ensuring it actually created the fabric circuit, which should show a terminator assigned to that service.
Your Windows RDP must permit that router's internal IP for port 3389. Windows might not permit that if not configured properly (use an internal machine to perform RDP to that Windows machine if you have not done so)
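A consistency check over the intercept/host configs and Bind/Dial policies laid out in the post above, as an added example (not code from the thread or from the OpenZiti project). The service, configs, identities and policies are modelled as plain dicts in the shape the ziti CLI accepts as JSON; every name in them (rdp-service, myrdp, rdp.corp.local, edge-router-1, rdp-users and so on) is constructed for the example, and the identity-type rules are the post's advice (Bind selects the router or hosting tunneler, Dial selects the user identities) written as code.

```python
"""Consistency checks over an OpenZiti RDP service definition (added example)."""
from copy import deepcopy
from typing import Dict, List, Set

# --- constructed sample configuration, laid out as the post suggests ---
SAMPLE_SERVICE = {
    "name": "rdp-service",
    "roleAttributes": ["myrdp"],  # the policies select it as "#myrdp"
    "configs": {
        # client side: intercept the server's name or IPv4 on 3389
        "intercept.v1": {"protocols": ["tcp"], "addresses": ["rdp.corp.local", "10.0.0.25"],
                         "portRanges": [{"low": 3389, "high": 3389}]},
        # hosting side: no forwarding, fixed tcp / address / port
        "host.v1": {"protocol": "tcp", "address": "10.0.0.25", "port": 3389},
    },
}
SAMPLE_IDENTITIES = {
    "edge-router-1": {"type": "Router", "roleAttributes": []},
    "win-rdp-host": {"type": "Device", "roleAttributes": ["rdp-host"]},  # tunneler on the server (OP's layout)
    "alice-laptop": {"type": "User", "roleAttributes": ["rdp-users"]},
    "bob-laptop": {"type": "User", "roleAttributes": ["rdp-users"]},
}
SAMPLE_POLICIES = [
    # Bind: the hosting side (the router here; "@win-rdp-host" would be the tunneler variant)
    {"name": "myrdp-bind", "type": "Bind", "semantic": "AnyOf",
     "serviceRoles": ["#myrdp"], "identityRoles": ["@edge-router-1"]},
    # Dial: the user identities, by role attribute (or "@alice-laptop" for a single identity)
    {"name": "myrdp-dial", "type": "Dial", "semantic": "AnyOf",
     "serviceRoles": ["#myrdp"], "identityRoles": ["#rdp-users"]},
]
# two constructed misconfigurations of the kind the post warns about
BAD_POLICIES_USER_IN_BIND = deepcopy(SAMPLE_POLICIES)
BAD_POLICIES_USER_IN_BIND[0]["identityRoles"] = ["#rdp-users"]  # user identity in the Bind policy
BAD_SERVICE_PORT = deepcopy(SAMPLE_SERVICE)
BAD_SERVICE_PORT["configs"]["host.v1"]["port"] = 3390  # host port not covered by the intercept


def resolve_identities(roles: List[str], identities: Dict[str, dict], semantic: str = "AllOf") -> Set[str]:
    """Expand ziti role selectors: '#attr' = identities carrying that attribute,
    '@name' = one identity by name, '#all' = every identity; 'semantic' is the
    policy's AllOf/AnyOf (AllOf is the ziti CLI default)."""
    matches = []
    for role in roles:
        if role == "#all":
            matches.append(set(identities))
        elif role.startswith("#"):
            matches.append({n for n, i in identities.items() if role[1:] in i.get("roleAttributes", [])})
        elif role.startswith("@"):
            matches.append({role[1:]} if role[1:] in identities else set())
        else:
            raise ValueError(f"unknown role selector {role!r}")
    if not matches:
        return set()
    return set.union(*matches) if semantic == "AnyOf" else set.intersection(*matches)


def check_service(service: dict, policies: List[dict], identities: Dict[str, dict]) -> List[str]:
    """Return a list of findings; an empty list means the definition is consistent."""
    findings = []
    icept = service["configs"]["intercept.v1"]
    host = service["configs"]["host.v1"]
    # the port the clients intercept must be the one the hosting side targets
    if not any(r["low"] <= host["port"] <= r["high"] for r in icept["portRanges"]):
        findings.append(f"host.v1 port {host['port']} is outside intercept.v1 portRanges {icept['portRanges']}")
    if host["protocol"] not in icept["protocols"]:
        findings.append(f"host.v1 protocol {host['protocol']} is not among intercept.v1 protocols {icept['protocols']}")
    if any(host.get(k) for k in ("forwardProtocol", "forwardAddress", "forwardPort")):
        findings.append("host.v1 has forwarding enabled; the post recommends a fixed tcp/address/port for RDP")
    # policies must select this service and resolve to the right kind of identity
    selectable = {f"#{a}" for a in service["roleAttributes"]} | {f"@{service['name']}", "#all"}
    for needed in ("Bind", "Dial"):
        if needed not in {p["type"] for p in policies}:
            findings.append(f"no {needed} policy defined")
    for pol in policies:
        if not set(pol["serviceRoles"]) & selectable:
            findings.append(f"policy {pol['name']}: serviceRoles {pol['serviceRoles']} do not select service {service['name']}")
            continue
        ids = resolve_identities(pol["identityRoles"], identities, pol.get("semantic", "AllOf"))
        if not ids:
            findings.append(f"policy {pol['name']}: identityRoles {pol['identityRoles']} match no identity")
        for name in sorted(ids):
            kind = identities[name]["type"]
            if pol["type"] == "Bind" and kind == "User":
                findings.append(f"Bind policy {pol['name']} selects user identity {name}; Bind should select the router (or the hosting tunneler)")
            if pol["type"] == "Dial" and kind == "Router":
                findings.append(f"Dial policy {pol['name']} selects router {name}; Dial should select the user identities")
    return findings


if __name__ == "__main__":
    for label, svc, pols in (("good", SAMPLE_SERVICE, SAMPLE_POLICIES),
                             ("user in Bind", SAMPLE_SERVICE, BAD_POLICIES_USER_IN_BIND),
                             ("port mismatch", BAD_SERVICE_PORT, SAMPLE_POLICIES)):
        print(label, "->", check_service(svc, pols, SAMPLE_IDENTITIES) or "OK")
```

The role-selector expansion is the part worth keeping around: a Bind policy whose identity roles resolve to no identity, or only to user identities, is exactly the case where the service shows up as "available" on every client yet never gets a terminator.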
One line of log is not enough, and that's not an error message, that's an INFO message.
You need to look through the logs for actual errors. So far, we don't have enough information to be able to help. Stop your tunnel, remove any saved logs, start your tunnel, reproduce the error and post the logs here and I'll look at them.
I have opened 1280, 8440, 8441, 8442, 8443, 3389, 3022 and 10080 on the firewall. On top of that, I am unable to RDP to that system using the ziti service URL from within the network either.
A couple of things to be noted:
None of the identities - except the router - is shown online on ZAC.
On the Edge Desktop of the identities, host and client show the service as available to them.
Those are the actual errors that we needed to see. You can clearly see "connection refused". That happens for a myriad of reasons. My expectation is that the router is advertising an address that the clients can't connect to.
IMO the easiest way to troubleshoot this is to download the ziti CLI to any remote computer (probably best to use any of your) and use it to diagnose the entire configuration of the overlay network. I'm gonna write this up someday but until then I'll keep posting it...
Running verify traffic
The ziti CLI has a handy function that I also ran before trying a tunneler that can also help you test to make sure your overlay is set up properly: ziti ops verify traffic --mode both. Please run that and you'll feel better that your setup is correct and that somewhere along the way some sort of unexpected error happened.
Run that command and you'll see something that looks like this:
Here’s the error I receive when I run the command on the server:
Using username: admin from identity 'default' in config file: /root/.config/ziti/ziti-cli.json
Enter password:
Token: ba3ae336-6fad-42ee-a3da-a114e9dd5a49
Saving identity 'default' to /root/.config/ziti/ziti-cli.json
INFO generating P-384 EC key
INFO generating P-384 EC key
INFO waiting 10s for terminator for service: 2026-01-27-1208.traffic
INFO successfully bound service: 2026-01-27-1208.traffic.
INFO Server is listening for a connection and will exit when one is received.
ERROR failed to bind error="timeout waiting for message reply: context deadline exceeded" _context="ch{ziti-sdk[router=tls:localhost:3022]}->u{classic}->i{R0RldVgxGu/bNDx}" connId=1 serviceName=2026-01-27-1208.traffic sessionId=73a4d2bf-cd48-49c3-8638-c2f6baa50c28
ERROR failed to establish listener serviceName=2026-01-27-1208.traffic connId=1 error="timeout waiting for message reply: context deadline exceeded" router=router2 serviceId=6UVnUhrH0qpx6SzHAQhwju
ERROR creating listener failed after 5002ms: timeout waiting for message reply: context deadline exceeded router=router2 serviceName=2026-01-27-1208.traffic
INFO notify error handler of error: timeout waiting for message reply: context deadline exceeded
ERROR failed to bind connId=2 sessionId=73a4d2bf-cd48-49c3-8638-c2f6baa50c28 error="channel closed" _context="ch{ziti-sdk[router=tls:localhost:3022]}->u{classic}->i{R0RldVgxGu/bNDx}" serviceName=2026-01-27-1208.traffic
ERROR unable to send unbind msg for conn connId=2 sessionId=73a4d2bf-cd48-49c3-8638-c2f6baa50c28 _context="ch{ziti-sdk[router=tls:localhost:3022]}->u{classic}->i{R0RldVgxGu/bNDx}" serviceName=2026-01-27-1208.traffic error="channel closed"
ERROR failed to establish listener serviceName=2026-01-27-1208.traffic error="channel closed" connId=2 router=router2 serviceId=6UVnUhrH0qpx6SzHAQhwju
ERROR failed to send close message marker= error="channel closed" connId=2
ERROR creating listener failed after 145ms: channel closed serviceName=2026-01-27-1208.traffic router=router2
INFO notify error handler of error: channel closed
FATAL terminator not found for service: 2026-01-27-1208.traffic
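A small triage script over log output of the shape shown above, as an added example (not code from the thread or from the OpenZiti project). It parses the LEVEL + message + key=value line layout, collects the ERROR and FATAL entries, pulls the router endpoint out of the _context field and classifies the advertised host, so an advertise address of localhost or 0.0.0.0 is called out explicitly rather than having to be spotted by eye. The log lines embedded below are constructed after the ones in the post; the session, identity and service ids in them are placeholders, and the advice strings are this example's own wording.

```python
"""Triage of ziti tunneler / verify-traffic log output (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the verify-traffic output above; ids are placeholders.
SAMPLE_LOG = """\
INFO successfully bound service: example.traffic.
ERROR failed to bind error="timeout waiting for message reply: context deadline exceeded" _context="ch{ziti-sdk[router=tls:localhost:3022]}->u{classic}->i{CONSTRUCTED01}" connId=1 serviceName=example.traffic sessionId=00000000-0000-4000-8000-000000000001
ERROR failed to establish listener serviceName=example.traffic connId=1 error="timeout waiting for message reply: context deadline exceeded" router=router2 serviceId=CONSTRUCTEDSVCID
ERROR creating listener failed after 5002ms: timeout waiting for message reply: context deadline exceeded router=router2 serviceName=example.traffic
ERROR failed to bind connId=2 sessionId=00000000-0000-4000-8000-000000000001 error="channel closed" _context="ch{ziti-sdk[router=tls:localhost:3022]}->u{classic}->i{CONSTRUCTED01}" serviceName=example.traffic
FATAL terminator not found for service: example.traffic
""".splitlines()

LINE_RE = re.compile(r"^\s*(?P<level>INFO|WARNING|WARN|ERROR|FATAL|DEBUG)\s+(?P<rest>.*)$")
# key=value pairs: the value is either "double quoted" or a bare token (possibly empty)
FIELD_RE = re.compile(r'(?P<key>_?[A-Za-z]\w*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')
# the router endpoint as it appears inside _context: router=tls:host:port
ROUTER_RE = re.compile(r"router=(?P<scheme>[a-z]+):(?P<host>[^:\]\s]+):(?P<port>\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into level, free-text message and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields, first = {}, None
    for f in FIELD_RE.finditer(rest):
        if first is None:
            first = f.start()  # the message is everything before the first field
        fields[f.group("key")] = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
    message = (rest[:first] if first is not None else rest).strip()
    return {"level": m.group("level"), "message": message, "fields": fields}


def classify_host(host: str) -> str:
    """loopback / unspecified / private / public for IPs, 'hostname' otherwise."""
    if host in ("localhost", "::1"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    return "private" if ip.is_private else "public"


def triage(lines: List[str]) -> Dict[str, object]:
    """Collect errors, the router endpoints the SDK dialled, and what to look at next."""
    report = {"errors": [], "fatal": [], "router_endpoints": {}, "advice": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        text = rec["message"]
        if rec["fields"].get("error"):
            text += ": " + rec["fields"]["error"]
        if rec["level"] == "FATAL":
            report["fatal"].append(text)
        elif rec["level"] == "ERROR":
            report["errors"].append(text)
        for m in ROUTER_RE.finditer(rec["fields"].get("_context", "")):
            endpoint = f"{m['scheme']}:{m['host']}:{m['port']}"
            report["router_endpoints"][endpoint] = classify_host(m["host"])
    # an advertised loopback/unspecified address can only be reached from the router host itself
    for ep, kind in report["router_endpoints"].items():
        if kind in ("loopback", "unspecified"):
            report["advice"].append(f"router advertises {ep} ({kind}): only processes on the router host can reach it; "
                                    "fix the edge listener advertise address and restart the router")
    if any("timeout waiting for message reply" in e for e in report["errors"]):
        report["advice"].append("bind timed out talking to the router: confirm the advertised edge listener "
                                "address/port is reachable from this host and not firewalled")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against real output, the router_endpoints entry is the thing to read first: a "loopback" or "unspecified" classification is the configuration problem the reply below points at, and it shows up before any of the timeout and "channel closed" noise that follows from it.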
It looks to me that your router is advertising "localhost". That's a configuration issue and would prevent any client not on that same computer from connecting. You need to fix your router's advertised address.
I added ziti ops verify network a while back; it hasn't been used much lately, but it might help here.
Run them on your controller and router. For example, I made a "bad" configuration and tried it:
ziti ops verify network --controller-config-file ip-172-31-47-200.yaml.bad
INFO Verifying controller config: ip-172-31-47-200.yaml.bad
ERROR controller advertise address at localhoost:8440 cannot be reached.
INFO verifying 2 web entries
INFO verifying 1 web bindPoints
INFO web entry[client-management], bindPoint[0] address at ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8441 is available.
INFO web entry[client-management], bindPoint[0] is valid
INFO verifying 2 web bindPoints
panic: input is invalid:
and
ziti ops verify network --router-config-file ip-172-31-47-200-edge-router.yaml.bad
INFO Verifying router config: ip-172-31-47-200-edge-router.yaml.bad
INFO ctrl endpoint at ec2-3-18-113-172.us-east-2.compute.amazonaws.com:8440 is available.
INFO verifying 2 web link listeners
INFO link listener[0] at ec2-3-18-113-172.us-east-2.compute.amazonaws.com:10080 is available.
INFO link listener[0] is valid
INFO link listener[1] at ec2-3-18-113-172.us-east-2.compute.amazonaws.com:20080 is available.
INFO link listener[1] is valid
INFO verifying 2 web edge listeners
WARNING listener binding[0] ports differ. make sure this is intentionalog. address port: 8442, advertise port: 1234
ERROR listener binding[0] at locallhost:1234 cannot be reached.
INFO listener binding[1] has binding tunnel and doesn't need to be verified
INFO listener binding[1] is valid
ERROR One or more error. Review the output above for errors.
See if anything in there helps. I expect one or both will have errors...
However you started your overlay, I would just reinstall it all with a proper advertised address, as it's just easier at this point to start over (in my opinion) and get the advertised addresses right.
How did you start the overlay? You just need to find where the config files are if not a quickstart; I would expect them to work fine unless it's in a docker container, and then it'll be far more difficult, but knowing what your .env file or command looks like would be enough.
#
# this is the ziti-controller.service bootstrapping inputs file where answers are recorded for generating a
# configuration
#
# the controller's permanent FQDN (required)
ZITI_CTRL_ADVERTISED_ADDRESS='ztna.xxxxxx.com'
# the controller's advertised and listening port (default: 1280)
ZITI_CTRL_ADVERTISED_PORT='1280'
# name of the default user (default: admin)
ZITI_USER='admin'
# password will be scrubbed from this file after creating default admin during database initialization
ZITI_PWD=''
# additional arguments to: ziti create config controller
ZITI_BOOTSTRAP_CONFIG_ARGS=''
ZITI_BOOTSTRAP_LOG_FILE='/tmp/tmp.HrEhWOmq9r'
ZITI_BOOTSTRAP_NOW='2026-01-04T18:12:56+00:00'
ZITI_CA_FILE='root'
ZITI_CLIENT_FILE='client'
ZITI_CTRL_BIND_ADDRESS='0.0.0.0'
ZITI_CTRL_DATABASE_FILE='bbolt.db'
ZITI_HOME='/var/lib/private/ziti-controller'
ZITI_INTERMEDIATE_FILE='intermediate'
ZITI_NETWORK_NAME='ctrl'
ZITI_PKI_ROOT='pki'
ZITI_SERVER_FILE='server'