Cua Docs

Automate a legacy Windows app behind a VPN

Use Cua Driver on a VPN-connected Windows machine to drive a legacy desktop app that has no API.

When a desktop app has no API and only runs behind the corporate VPN, drive it where it already runs, on the Windows box inside the network. Cua Driver runs on that machine and exposes the app through MCP stdio tools, so the desktop session, app traffic, and staged files stay inside the VPN boundary. No data leaves the VPN boundary.

Start from the Windows machine inside the VPN

Use a workstation, jump box, or RDP VM that is already connected to the VPN and can open the legacy app.

Connect with RDP if needed:

mstsc /v:payroll-jumpbox.corp.example

Confirm the app is installed or reachable from that desktop session before you install anything. For this recipe, assume the payroll client opens normally when you launch it by hand.

Install Cua Driver

Run the Windows installer in PowerShell on that same machine:

irm https://raw.githubusercontent.com/trycua/cua/main/libs/cua-driver/scripts/install.ps1 | iex

Open a new PowerShell window after the installer updates your user Path, then verify the CLI resolves:

cua-driver --version

Keep the daemon in the interactive session

Windows OpenSSH and services run in Session 0, which has no desktop. Register Cua Driver as an interactive-session daemon so window tools can see the RDP or console desktop:

cua-driver autostart enable
cua-driver autostart kick

Verify that the daemon is running and reports a real session number:

cua-driver status
# Cua Driver daemon is running
#   socket: \\.\pipe\cua-driver
#   pid: 12345
#   session: 2

For the full daemon setup, see Keep Cua Driver running. If you connect to this box over SSH, also read Drive a Windows app over SSH.

Check that Cua Driver sees the real GUI

Run tool calls from the same Windows machine:

cua-driver call list_apps
cua-driver call list_windows

The output should include the legacy app, such as Payroll Client or eGecko, and its active windows. It should not be an empty array:

[]

Empty output usually means the command is running outside the interactive desktop. Recheck cua-driver status, query session, and the autostart task.

Register Cua Driver with your agent

Add Cua Driver as an MCP stdio server. For Claude Code on Windows:

claude mcp add --transport stdio cua-driver -- cua-driver.exe mcp

Then verify the server entry:

claude mcp list

For other MCP clients, see Connect Cua Driver to an MCP client.

Drive the legacy app

Stage the input files on the Windows box first, for example C:\creds.txt and C:\Users\you\Desktop\new_hire.xlsx. Cua Driver does not read or write files directly. It drives the apps that open those files.

Start the agent from the Windows machine, then give it a concrete task:

Open the payroll client, log in with the credentials in C:\creds.txt, create a new employee from new_hire.xlsx, generate the onboarding report, and export it as PDF to the Desktop.

The agent should use launch_app to open the client, list_apps and list_windows to find the running process and target window, get_window_state to inspect the UI (it returns the accessibility tree and a screenshot), then click and type_text to complete the workflow.

Scale this out

When the same workflow must run across many employees, regions, or tenants at once, move it onto Cua Sandbox cloud Windows desktops and fan out the jobs. Start with Run sandboxes in parallel and Drive a sandbox with the SDK.

The driving logic stays the same. The host changes from your VPN-connected Windows box to a fleet of cloud desktops with the VPN configuration baked into the image. See Choose and build a sandbox image.