clientless · zero inbound ports

Remote access that's secure by design, not by configuration.

Browser-based RDP, VNC, and SSH to any host — even behind firewalls and NAT. Nothing to install. Credentials never leave the gateway.

  • Inbound ports opened: 0
  • Client installs required: 0
  • Credentials in the browser: 0

01 the old way

Every remote-access tool asks you to weaken the network first.

VPNs & jump boxes

  • Open inbound firewall holes and forward ports
  • Push agents and certificates to every laptop
  • Hand desktop credentials to the endpoint
  • Hope nobody screenshots the password manager

LazyConMan

  • The connector dials out — no inbound rules, ever
  • Operators just open a browser tab
  • Credentials are injected server-side, never sent down
  • Every session is authorized, scoped, and audited

02 how it works

One outbound tunnel does all the reaching.

One outbound TLS tunnel, multiplexed — private hosts reachable with zero inbound ports.

  1. The connector dials out

    A small agent opens the reverse tunnel. Firewalls only see outbound TLS — nothing to open.

  2. The gateway brokers the session

    Pick a target; the gateway authorizes you, mints a short-lived token, and routes through the right connector.

  3. The desktop renders in your tab

    RDP and VNC paint to a canvas, SSH to a real terminal — credentials injected gateway-side, never sent down.

03 the app

Your whole fleet, one tab.

Pick a target; the live session opens in the browser — terminal or desktop, always over the tunnel.

app.lazyconman.com / sessions MFA verified
prod-db-01 — ssh win-rdp-bastion
operator@gateway:~$ session open prod-db-01
 authorized · org=acme · role=operator
 routed via connector eu-west-1 (outbound tunnel)
 credentials injected gateway-side — not sent to browser
Last login: from 10.0.0.4 over mutual-TLS
root@prod-db-01:~# uptime
 14:22:07 up 87 days,  load average: 0.04, 0.08, 0.02
root@prod-db-01:~# 

04 security model

The hard guarantees, not a checklist of buzzwords.

Credentials never reach the browser

Secrets are injected server-side. The tab never sees a password.

Outbound-only, mutually authenticated

Connectors dial out over mutual-TLS. The gateway never reaches into your network.

Mandatory MFA, short-lived tokens

TOTP before any access — and every session gets its own short-lived token.

Per-tenant isolation, encrypted at rest

Every row scoped by org with Postgres row-level security and a per-org encryption key.

Full, append-only audit trail

Who connected to what, when, and for how long — recorded per tenant.

One hardened front door

Only the control plane is public. Engine, database, and targets stay hidden.

05 what you get

Three protocols. One browser tab.

GUI desktops

RDP & VNC in the canvas

Windows, Linux, and macOS desktops in the browser — no plugin, no client.

Shells

A real SSH terminal

Full xterm — copy, paste, resize, scrollback — over the same tunnel.

Reach

Behind firewalls & NAT

If the connector can dial out, you can reach the host. No public IP, no port forwarding.

Teams

Orgs, roles & grants

Owners, admins, operators — each scoped to only the targets they're granted.

06 pricing

Start on a 7-day trial. No card required.

Small

For a single team getting started.

  • Core targets & connectors
  • RDP · VNC · SSH
  • Mandatory MFA & audit log

Large

For broad, multi-environment access.

  • Top-tier quotas
  • Longer recording retention
  • Everything in Medium

Converts to a paid plan via Stripe when you're ready. Cancel anytime.

Open a tab. Reach everything.

Up in minutes — no inbound ports, no client install, no credentials on the wire.
