Feature Request

We are currently using RDM via Parallels Client where a software is installed to record every click so we can document all changes made on our customers as an MSP. Both on servers and on websites such as M365, Azure and DNS. This is a requirement for our ISO certification. We would however love to use RDM locally with the gateway screen recording, but we had a meeting and got told that only possibility was screen recording on all open sessions simultaneously and optionally in low framerate video which can have play back issues and take up a lot of storage. A feature that screen captures only the active session or the entire app window on every click or every 1 to 2 seconds through the gateway instead of video would solve our issues and would allow us a hopefully better and smoother experience with the RDM. Screenshots take up less storage and don't have compatibility issues with viewing / playback.

Is there any plans to include a native Reverse Proxy functionallity into the Gateway agent installations? The inclution of Reverse Proxy functionallity would make the Gateway product a very viable option to handle customers/remote sites access at scale.

It could be a nice function in the devolutions server interface to get the possibility to restart the gateway service and also schedule a restart to when no useres is connected like when doing a update of the gateway.

I am opening this feature request on behalf of a customer regarding bandwidth performance for Website sessions routed through Devolutions Gateway. The main topic is file transfer throughput when using a Website session through the Gateway compared to a direct connection. Customer-reported results: Through Devolutions Gateway: approximately 2 MB/s Without Devolutions Gateway: approximately 100 MB/s During internal testing, we also observed a notable difference in bandwidth results: Through Devolutions Gateway: approximately 95 Kb/s Without Devolutions Gateway: approximately 260 Mb/s Could the team review the current bandwidth behaviour for Website sessions through Devolutions Gateway and evaluate whether performance improvements, configuration recommendations, or documentation updates could be considered? Thank you.

Hi We have 85 gateways running and we have our own SSL Certificate on all the gateways to support the HTTPS, it will be nice with a function to rollout a new cert directly from the Devolution server interface also now SSL Certs life time is getting shorter and shorter its a big job to go to all gateways and replace the cert each time is should be renewed.

Hi! Regarding Installation on a Windows Server it would be good to have a supported option to define another gateway service account than NETWORK SERVICE. For example - session recording to SMB-Share requires authentication. It is actually possible to access a share and use it for session recording when changing the gateway service account to one that has access to that share. But there are caveats: you need to manually adept NTFS permissions for the gateway folder within "Program Data" for the new service user triggering gateway update from devolutions server/RDM fails (ERROR listener{port=7171}:https{client=xx.xx.x.xxx:61728}:request{method=POST path=/jet/update}: devolutions_gateway::http: error=500 Internal Server Error at devolutions-gateway\src\api\update.rs:68:9: failed to write the new `update.json` manifest on disk [source: Access is denied. (os error 5)])) everytime you modify the gateway-configuration from the server console (companion tab), the service-account automatically changes back to NETWORK SERVICE BR

A feature to implement session recording for entries based on what user/user group are executing it. Currently the recording is configured per entry (inherited from vaults, specific entries and so forth). This is fine and all, but what i feel would be a great addition to this would be an extended option to have session recording on a user-based permission level. So that i can edit a specifi user or user-group and force recording when they connect to a entry regardless if the entry have been configured for recoring or not. The session recording is then collected from the user rather than the entry. Let’s say a supplier is given permission to login to the system and then get handed permission to view certain entries and for some reason those entries have been configured wrongly regarding the recordings so that they’re not turned on. Or maybe the entry should not be recording every connection to it, because it contains sensetive information of some kind or for whatever other reason. But nevertheless, we would like to see what the supplier was doing on the server to safeguard ourselves in case something happens. Basically, adding a configuration on user level to force recordings.

So we installed a gateway that uses a specific external IP address. Only this address can access some resources inside other networks. We would like to be able to run Powershell scripts (even without a AD active) on the servers the gateway can connect to.

HI simliere with the uptions to update devolutions gateway from the DVLS portal will it be nice if the devolutions agent is autoupdating og that its posibel from the DVLS portal and posibel to see version status an nother good thing will be the posibility to control the Agent from the DVLS so its posible to enable the functions on the agent that way ex enable DVLS GW update function with out to go to the server and update the config ini file

Hello, I’m posting here on behalf of one of our clients. They are currently configuring session recordings through gateways within a gateway farm. While planning to record sessions, they encountered a limitation related to the user vault. At the moment, it is not possible to record sessions via the gateway for user vaults, nor can recording be enforced on entries stored in the user vault. Would it be possible to have session recording via the gateway disabled by default for the user vault, with the option for administrators to enable it if they wish to enforce recording through the gateway? We’d be interested to hear your thoughts on this. Thank you in advance, and I look forward to your reply. Best regards,

Hi, we are using RDM and are on the road to get an PAM Tool. Cause of using RDM now for 14 years, we had a look on many diffrent PAM Tools. All of them are not able to open an SAP GUI connection without RDS. Is it possible to use it by tunneling through the Devolutions gateway?

Hello, Can support be added for the Devolutions Gateway to work through an Entra Private Network Connector to allow for remote access? Alternatively and it would be even better IMO for Devolutions Hub for Business to handle the proxy of the connections instead of having to use a 3rd party to provide the access. I know support is there for Ngrok and Cloudflare Tunnels which support a TCP protocols which I don't believe Entra PNC supports. With that being said, having to purchase another tool isn't as trivial to get the remote access from anywhere capabilities working that the Devolutions Gateway offers. Thank you!

We'd like to deploy Devolutions-Gateway on a fleet of raspberry pi via docker. Having an ARM64 image on docker hub would be very usefull so as to not have to maintain our own docker image.

Hi, At the moment it's not possible to configure the Dell iDRAC (Web) entry with the Devolutions Gateway type in the VPN/Tunnel/Gateway section. Is it possible to add this in a feature release?

As stated here Devolutions Gateway only works connecting directly to a RDP server and not to a server behind RDGW.

Hello, currently I'm a bit confused about the overall product lineup, so I hope you might be able to help me. What I want to achieve is being able to connect to my server clientless from a web browser. This is just for personal use - so one person only. From what I gathered the standalone gateway is free for that use case and it was easy to implement that. Now I can access my server via browser. Opening the port to the internet seemed risky to me, that's why I'd open that via a cloudflare tunnel. I read in other posts here though, that it is fine to open the gateway to the internet. In that case I'd at least like to have some 2FA implemented and not just username and password. Is it possible though, to configure the standalone version with 2FA? If not, what is the easiest most straightforward way to implement web access to one machine with 2FA or comparable with your products? Kind regards, Alexander

Hello everyone The need to allow access to the gateway server on the non-standard port 8181 is very inconvenient and, in those environments where non-standard ports are blocked from outgoing, makes it impossible to use the tool. So the RFC is to be able to manage the tunneling of an RDP session only on the standard port 443. Thanks

Hello. In the context of using the gateway to connect to customer infrastructure, it would make sense if the Gateway were to initiate an outgoing connection to the DVLS Server. This is the way Zabbix and other tools with proxies work. Currently, we need to request TCP 7171 and TCP 8181 to initiate connection towards the customer, which is not always acceptable for CISO. Thank you. Marcel

Hello, All of our entries are in gateway mode. Users can use the DVLS web UI to launch RDP and SSH sessions, as these are well handled in gateway mode. However, we are currently unable to start HTTP/HTTPS entries from the DVLS web UI, since this type of session is launched as a normal session (not through the gateway). Could you please implement gateway mode support for HTTPS in the DVLS web UI? Thank you.

Hello, Before installing the Gateway, I used the "Check if host is online" feature in RDM daily to verify whether the host responded to ping and whether a specific port was open. However, this function doesn’t work through the Gateway, as the session is still initiated directly from RDM. Implementing this feature through the Gateway could be very useful. thank you

Hello, William advised me to open a request here regarding Certificate Pinning. It would be nice if the connection between DVLS and DGW would be using Certificate Pinning. As our gateways will be residing inside our customers infrastructure (were a MSP) there is the risk of a MITM DGW answering to our DVLS. As this Gateway would be "spoofed" it may exploit our DVLS resulting in a big security hit

Hi, Due to the security risk associated with sending credentials to the client where RDM is running, even if they are encrypted and ephemeral, there is still an encryption key that could potentially be used to recover the password. It would be highly beneficial to have a feature that allows credential injection, at least from the PAM vault, directly from the gateway or a server inside the private network (similar to how the PSM server works in CyberArk). This would significantly enhance security by ensuring that all passwords remain within the internal network, reducing the risk of exposure a lot more. Kai

will it be possible in the future to network segregate access to different subnets from the gateway, so we do not need to use more gateways than necessary? as this example : Gateway pool: have access to these subnets (10.10.10.0/24, 10.10.20.0/24, and 10.10.30.0/24), and then use user groups to control access Admins would have access to all three subnets. The development would have access to only 10.10.30.0/24.

Hello, I might have an interesting usecase which i'm not sure there is a solution for yet, if there is I would like to know. We have saveral vaults, actually a vault for each in-house project we have. Each of these vaults have specific users in them which maintain(create/read/update) the entries. I did it this so so that the projectowner can maintain the vault and I don't have to maintain every vault individually after the inital creation. All these users are synced with Entra ID, but that's not relevant to my issue. We have three physical offices currently and each office has an on-premise Devolutions Gateway running in the DMZ. This DMZ subnet connects through our company firewall with each seperate subnet(VLAN) which houses a project. This works perfectly but it seems I just made a massive security gap which I missed initially. Each user can create his/her own entry in their vault, I can limit their gateway selection if I want too but what i cannot seem to limit is which subnet(vlan) the user is able to connect to when he/she establishes a connection. For example: Office A houses projects 1, 2 and 3 Office B houses project 4,5 User X works on project 1, which resides physically in office A and uses the Vault for project 1. Because the project is housed in Office A the user must connect to the Devolutions Gateway in Office A. All is fine up until now because what is preventing the user from making records that can make connections to projects 2 and 3? Our firewall doesn't know which users makes which connection and I don't want to make a gateway for each project because that would create a massive overhead on our systems and management. It seems to me that there needs to be a security mechanism in place which can limit a user to specific subnets he can connect to.

At the moment it's possible to disable VPN/tunnel/gateway settings when a user has edit rights in a vault. Setting up Devolutions gateway in VPN/tunnel/gateway is always a company policy and should be forced by inheritance so when a user adds a new entry session recording is configured by the settings on the vault and can't be changed.