Comparison
MyWorkspace vs Standalone RDP: Managed Access vs Raw Protocol
RDP is the standard Windows remote desktop protocol — reliable and built into every Windows machine. MyWorkspace wraps that capability in a managed access layer: browser-based sessions, centralized administration, and no exposed ports. The protocol works underneath; the management layer works on top.
Feature comparison
Managed access vs raw protocol
| Feature | MyWorkspace | Standalone RDP |
|---|---|---|
| Exposed ports required | None (outbound only) | TCP 3389 inbound |
| Centralized access management | ||
| Built-in multi-factor authentication | ||
| RDP file / credential management | Not needed | Per-user .rdp files |
| Browser-native (no client) | ||
| Session audit logging | Manual setup | |
| Works through corporate firewalls | Requires port opening | |
| User provisioning | Admin dashboard | Per-machine local config |
| LAN performance | Good (relay hop) | Optimal (direct) |
| Windows licensing impact | None | None |
Architecture
What changes and what stays the same
Standalone RDP: direct protocol exposure
When you expose RDP directly, users connect to port 3389 (or a custom port) on the target machine. This requires either public IP exposure, port forwarding through a firewall, or a VPN for access. Each machine must be individually configured for remote access, and credentials are managed per-machine or through Active Directory.
MyWorkspace: brokered access without port exposure
MyWorkspace places an agent on the target machine that maintains an outbound connection to relay infrastructure. Users authenticate through the web portal and receive a browser-rendered session. The RDP port remains closed to inbound traffic — the agent handles the local connection internally. Administrators manage all access from a single dashboard.
Where standalone RDP still fits
For LAN-only access within a trusted office network, direct RDP offers the lowest possible latency with zero additional infrastructure. It is built into Windows at no additional cost and integrates directly with Group Policy. For small teams on a single network where internet access to desktops is not needed, standalone RDP is straightforward and effective.
Security model
Closing the RDP exposure gap
Exposed RDP is one of the most common attack vectors for ransomware. Automated scanners continuously probe port 3389 across the internet. MyWorkspace removes this exposure entirely while preserving remote desktop functionality.
- ✓Port 3389 never exposed to the internet — the attack surface is eliminated, not mitigated
- ✓Mandatory 2FA before any session — brute-force credential attacks become irrelevant
- ✓Centralized session logging — every connection is recorded with user identity, time, and duration
- ✓Instant access revocation — disable a user from the admin panel; no machine-level changes needed
Administration
From per-machine config to centralized control
Standalone RDP requires configuring each machine individually: enabling remote desktop, managing firewall rules, distributing credentials or .rdp files, and tracking who has access to what. MyWorkspace consolidates this into a single admin interface.
Machine enrollment
Install the agent on a machine once. It appears in the admin dashboard automatically — no firewall rules, no port forwarding, no DNS configuration.
User assignment
Assign users to machines from the dashboard. They see their assigned machines in the portal — no .rdp files to distribute or manage.
Visibility
See all active sessions, connection history, and access assignments in one place. Standalone RDP offers no centralized visibility without additional tooling.
FAQ
Common questions about RDP vs managed access
MyWorkspace can connect to Windows machines that have RDP enabled, but the protocol is never directly exposed to the user or the internet. The connection between the relay agent and the target machine uses RDP locally, while the user interacts through a browser-rendered session over HTTPS. The RDP port remains closed to external traffic.
Yes. MyWorkspace does not disable RDP on target machines. If your team needs native RDP for specific workflows (like local LAN connections or specialized tools that require the RDP client), both can coexist. MyWorkspace simply provides an additional managed access path that does not require port exposure.
MyWorkspace does not change your RDP licensing requirements. If your Windows machines require Remote Desktop Services CALs for multi-user access, those requirements remain the same. MyWorkspace manages the access layer — it does not replace the underlying Windows remote session infrastructure.
RDP drive redirection maps local drives into the remote session. MyWorkspace does not redirect local drives by default — users work within the remote machine's file system. File transfer policies are controlled by administrators, allowing organizations to enforce data residency requirements by keeping files on managed machines.
On a LAN, direct RDP has lower latency since there is no intermediary. Over the internet, MyWorkspace's relay infrastructure often provides comparable or better performance because it avoids the need for VPN tunneling or port forwarding, and uses optimized routing. The difference is typically imperceptible for standard office work.
Managed remote desktop access without port exposure
See how MyWorkspace wraps RDP in a managed access layer. We'll walk you through setup, administration, and how it coexists with your current RDP infrastructure.