diff --git a/backend/src/routes/guacamole.ts b/backend/src/routes/guacamole.ts
index 8da4d88..067b7c4 100644
--- a/backend/src/routes/guacamole.ts
+++ b/backend/src/routes/guacamole.ts
@@ -76,6 +76,11 @@ export async function guacamoleRoutes(app: FastifyInstance) {
 const settings: Record = { hostname, username, password: target.secrets.password ?? '' }
 if (port) settings.port = port
 if (domain) settings.domain = domain
+ // Self-hosted RDP/VNC targets almost always present a self-signed cert; FreeRDP
+ // (via guacd) rejects those by default, so trust them rather than failing the
+ // connection. There's no MITM concern here since ArchNest connects directly to
+ // a hostname/IP the user configured themselves.
+ if (protocol === 'rdp') settings['ignore-cert'] = 'true'
 const token = new Crypt(CRYPT_CYPHER, CRYPT_KEY).encrypt({
 connection: { type: protocol, settings },
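Review bot: The added `settings['ignore-cert'] = 'true'` disables server certificate validation for every RDP target unconditionally, and the comment's claim that there is "no MITM concern" does not hold. A user-configured hostname/IP says nothing about who answers on the network path between guacd and that host, and the same `settings` object carries `target.secrets.password`, which may be exposed to an impersonating host depending on the security mode negotiated. I would make this opt-in per target and off by default, e.g. `if (protocol === 'rdp' && ignoreCert) settings['ignore-cert'] = 'true'`, where `ignoreCert` is a placeholder for a per-target option. I would also replace the last comment sentence with `// NOTE: this disables server authentication for the RDP session; only enable on networks where the path to the target is trusted.` The comment mentions RDP/VNC while the condition covers only `'rdp'`, and the enclosing `guacamoleRoutes` body starts and ends outside this hunk, so any existing per-target option is not visible here.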