RustDesk Setup

Enroll Windows machines into ITDocs for one-click remote access — no third-party relay required.

How it works

ITDocs integrates with RustDesk to give you remote access directly from any asset record. The flow is:

  1. You self-host a RustDesk relay server (hbbs + hbbr) on your network
  2. You configure the relay URL and an enrollment token in ITDocs Settings
  3. You run a PowerShell enrollment script on each Windows machine — it installs RustDesk, configures it to use your relay, registers the device in ITDocs, and stores the credentials securely in the vault
  4. From any asset record in ITDocs, click Connect to launch RustDesk directly into that machine
ℹī¸

The enrollment script installs RustDesk on the target machine, configures it to use your self-hosted relay, and registers the device in ITDocs automatically.

1 Self-host the RustDesk relay server

The relay server handles connection brokering between your ITDocs instance and the enrolled devices. It requires two components — hbbs (the rendezvous/ID server) and hbbr (the relay server).

Required open ports

21115
TCP
hbbs — NAT type test
21116
TCP + UDP
hbbs — ID registration & heartbeat
21117
TCP
hbbr — relay connections
21118
TCP
hbbr — web client (optional)
21119
TCP
hbbs — web client (optional)

Open these on your firewall/router for any machines that need to reach the relay from outside your network. For internal-only use, no external port forwarding is needed.

docker-compose.yml

Create a folder for the relay server and add a docker-compose.yml:

services:
  hbbs:
    image: rustdesk/rustdesk-server:latest
    container_name: rustdesk-hbbs
    command: hbbs
    restart: unless-stopped
    ports:
      - "21115:21115"
      - "21116:21116"
      - "21116:21116/udp"
      - "21119:21119"
    volumes:
      - rustdesk_data:/root
    networks:
      - rustdesk
    depends_on:
      - hbbr

  hbbr:
    image: rustdesk/rustdesk-server:latest
    container_name: rustdesk-hbbr
    command: hbbr
    restart: unless-stopped
    ports:
      - "21117:21117"
      - "21118:21118"
    volumes:
      - rustdesk_data:/root
    networks:
      - rustdesk

volumes:
  rustdesk_data:

networks:
  rustdesk:
    driver: bridge

Start the server:

docker compose up -d

Get your public key

Once running, the server generates a key pair. You’ll need the public key to configure RustDesk clients so they only trust your relay server.

docker exec rustdesk-hbbs cat /root/id_ed25519.pub

Copy the output — you’ll need it when configuring the RustDesk client and when building your server config string.

Build your server config string

RustDesk clients use a single encoded config string that bundles your relay server address and public key. Use the RustDesk config generator or build it manually:

# Format: {"host":"YOUR_SERVER_IP","key":"YOUR_PUBLIC_KEY","api":""}
# Encode to base64 and prefix with "9" for the config string
echo -n '{"host":"192.168.1.x","key":"YOUR_PUBLIC_KEY","api":""}' | base64
ℹī¸

The easiest way to get your config string is to open RustDesk on any machine, paste in your server IP and public key under Settings → Network, then copy the resulting config string from the same screen.

2 Configure RustDesk in ITDocs

Go to Settings → Remote Access in your ITDocs instance.

FieldValue
Enabled Toggle on
Server URL The IP or hostname of your relay server (e.g. 192.168.4.15). This is for display only — it’s baked into the enrollment script.
Server Config String The base64 config string from the previous step. Baked into the enrollment script so techs don’t need to edit it.
Enrollment Token Click Rotate token to generate one. The plain token is shown once — copy it immediately. It’s baked into the enrollment script to authenticate device registrations.
⚠ī¸

Rotating the token invalidates the old one immediately. Any enrollment scripts using the old token will stop working. Re-download the script after rotating.

Click Save once all fields are filled in.

3 Enroll a Windows device

Download the enrollment script

In Settings → Remote Access, scroll to the Enrolling a device section. Optionally enter a Pre-fill Org Short ID — this is the 9-digit number from the org’s URL in ITDocs. If set, the script will automatically associate the device with that org and techs won’t need to edit anything.

Click Download enroll-rustdesk.ps1. The script is pre-filled with your server URL, config string, enrollment token, and org ID.

Run the script on the target machine

Copy enroll-rustdesk.ps1 to the target Windows machine, then run it as Administrator:

powershell -ExecutionPolicy Bypass -File .\enroll-rustdesk.ps1

The script will:

  • Download and install RustDesk on the target machine if not already present
  • Configure RustDesk to use your self-hosted relay server and config string
  • Generate a random password and set it on the RustDesk installation
  • Register the device in ITDocs — creating or updating the asset record
  • Store the RustDesk credentials encrypted in the ITDocs vault
✅

Once enrolled, the device appears in ITDocs under the org’s Configurations tab with a Connect button on the asset record.

Unenrolling a device

To remove a device’s RustDesk enrollment, open the asset record in ITDocs and click Unenroll. This clears the RustDesk ID from the asset and deletes the associated vault entry. The device will no longer be connectable from ITDocs.

4 Connect to a device

  1. Open the asset record for the target device in ITDocs
  2. Click the Connect button — this retrieves the RustDesk ID and decrypted password from the vault
  3. Your browser will launch a rustdesk:// URI which opens RustDesk directly into that machine
ℹī¸

RustDesk must be installed on the machine you’re connecting from. The enrollment script handles installation on target machines, but you also need RustDesk installed locally to handle the rustdesk:// URI. Download it from rustdesk.com.

Every connect action is audited — ITDocs logs who connected to which device and when, visible in Settings → Audit Logs.

RustDesk Pro (optional)

⭐
RustDesk Pro Server PAID
If you need a web-based management console, user access controls, audit logs on the RustDesk side, or a hosted relay, RustDesk Pro adds those on top of the open-source server. It’s not required for ITDocs integration — everything above works with the free rustdesk-server OSS image. Pro is worth considering if you manage many clients and want relay-side visibility separate from ITDocs.

Troubleshooting

Enrollment script fails or times out â–ļ

Check that the enrollment token in the script matches the current token in ITDocs Settings. If the token was rotated after the script was downloaded, re-download a fresh script. Also verify the ITDocs API is reachable from the target machine (FRONTEND_URL in your .env must be accessible).

Connect button opens RustDesk but can’t reach the device â–ļ

Verify that ports 21115, 21116 (TCP + UDP), and 21117 are open on the machine running your relay server. Check that both rustdesk-hbbs and rustdesk-hbbr containers are running (docker compose ps). Also confirm the target machine has RustDesk running and is registered with your relay (not the public RustDesk servers).

rustdesk:// link does nothing when clicked â–ļ

RustDesk needs to be installed on the machine you’re connecting from. The enrollment script installs it on target machines, but you also need it locally. Download from rustdesk.com. On first install it registers the rustdesk:// URI handler — if already installed, try restarting RustDesk and then your browser.

Device enrolled but showing under wrong org â–ļ

The org is determined by the orgShortId baked into the enrollment script at download time. Re-download the script from the correct org’s page (enter the org’s 9-digit short ID in the Pre-fill Org Short ID field before downloading), then re-run the script on the device.

How do I get the RustDesk ID of a machine before enrolling? â–ļ

You don’t need it upfront — the enrollment script installs RustDesk, starts it, and reads the ID automatically during enrollment.