Feature Request

Submit and discuss feature requests for Devolutions Gateway

joakimkjonsson

Session recording based on user/usergroup

A feature to implement session recording for entries based on what user/user group is executing it. Currently the recording is configured per entry (inherited from vaults, specific entries and so forth). This is fine and all, but what I feel would be a great addition to this would be an extended option to have session recording on a user-based permission level. So that I can edit a specific user or user group and force recording when they connect to an entry regardless of whether the entry has been configured for recording or not. The session recording is then collected from the user rather than the entry. Let’s say a supplier is given permission to log in to the system and then gets handed permission to view certain entries and for some reason those entries have been configured wrongly regarding the recordings so that they’re not turned on. Or maybe the entry should not be recording every connection to it, because it contains sensitive information of some kind or for whatever other reason. But nevertheless, we would like to see what the supplier was doing on the server to safeguard ourselves in case something happens. Basically, adding a configuration on user level to force recordings.

1

55

2

François Dubois

Ian T

Run PowerShell scripts through the gateway.

So we installed a gateway that uses a specific external IP address. Only this address can access some resources inside other networks. We would like to be able to run PowerShell scripts (even without an active AD) on the servers the gateway can connect to.

2

57

1

Hubert Mireault

jol

Auto update Devolutions Agent

Hi, similar to the option to update Devolutions Gateway from the DVLS portal, it would be nice if the Devolutions Agent were auto-updating and that it's possible from the DVLS portal, and possible to see the version status. Another good thing would be the possibility to control the Agent from DVLS, so it's possible to enable the functions on the agent that way, e.g. enable the DVLS GW update function without having to go to the server and update the config ini file.

1

72

2

Benoit Cortier

Jacob Lafrenière

Recording with the gateway on user vault sessions + Force the recording on user vault

Hello, I’m posting here on behalf of one of our clients. They are currently configuring session recordings through gateways within a gateway farm. While planning to record sessions, they encountered a limitation related to the user vault. At the moment, it is not possible to record sessions via the gateway for user vaults, nor can recording be enforced on entries stored in the user vault. Would it be possible to have session recording via the gateway disabled by default for the user vault, with the option for administrators to enable it if they wish to enforce recording through the gateway? We’d be interested to hear your thoughts on this. Thank you in advance, and I look forward to your reply. Best regards,

1

54

0

d.heppt

Gateway Tunnel for SAP Connections

Hi, we are using RDM and are on the road to getting a PAM tool. Because we have now been using RDM for 14 years, we had a look at many different PAM tools. All of them are not able to open an SAP GUI connection without RDS. Is it possible to use it by tunneling through the Devolutions Gateway?

1

107

3

michelletayloru0zeetlu

kmarvin

Entra Private Network Connector Support

Hello, Can support be added for the Devolutions Gateway to work through an Entra Private Network Connector to allow for remote access? Alternatively, and it would be even better IMO, for Devolutions Hub for Business to handle the proxy of the connections instead of having to use a 3rd party to provide the access. I know support is there for Ngrok and Cloudflare Tunnels, which support TCP protocols, which I don't believe Entra PNC supports. With that being said, having to purchase another tool isn't as trivial to get the remote access from anywhere capabilities working that the Devolutions Gateway offers. Thank you!

1

103

2

Benoit Cortier

sroyer

Implemented

ARM64 docker image

We'd like to deploy Devolutions-Gateway on a fleet of Raspberry Pi devices via Docker. Having an ARM64 image on Docker Hub would be very useful so as to not have to maintain our own Docker image.

1

116

3

Benoit Cortier

hjbos

Dell iDRAC (Web) Entry through Devolutions Gateway

Hi, At the moment it's not possible to configure the Dell iDRAC (Web) entry with the Devolutions Gateway type in the VPN/Tunnel/Gateway section. Is it possible to add this in a feature release?

2

158

2

kmarvin

TN

Support for Microsoft Remote Desktop Gateway

As stated here Devolutions Gateway only works connecting directly to a RDP server and not to a server behind RDGW.

1

138

3

TN

aschmedestrading

Standalone Gateway 2FA

Hello, currently I'm a bit confused about the overall product lineup, so I hope you might be able to help me. What I want to achieve is being able to connect to my server clientless from a web browser. This is just for personal use - so one person only. From what I gathered the standalone gateway is free for that use case and it was easy to implement that. Now I can access my server via browser. Opening the port to the internet seemed risky to me, that's why I'd open that via a cloudflare tunnel. I read in other posts here though, that it is fine to open the gateway to the internet. In that case I'd at least like to have some 2FA implemented and not just username and password. Is it possible though, to configure the standalone version with 2FA? If not, what is the easiest most straightforward way to implement web access to one machine with 2FA or comparable with your products? Kind regards, Alexander

3

193

5

aschmedestrading

Maran Michele - FactorySolver srl

Only port 443 for tunneling RDP sessions

Hello everyone, The need to allow access to the gateway server on the non-standard port 8181 is very inconvenient and, in those environments where non-standard ports are blocked from outgoing, makes it impossible to use the tool. So the RFC is to be able to manage the tunneling of an RDP session only on the standard port 443. Thanks

3

137

2

Marc-André Moreau

marcelgerber

Gateway should contact DVLS Server, not the other way around

Hello. In the context of using the gateway to connect to customer infrastructure, it would make sense if the Gateway were to initiate an outgoing connection to the DVLS Server. This is the way Zabbix and other tools with proxies work. Currently, we need to request TCP 7171 and TCP 8181 to initiate connection towards the customer, which is not always acceptable for CISO. Thank you. Marcel

2

179

3

marcelgerber

cs1

Duplicated

Launch https entry in gateway mode from DVLS web UI

Hello, All of our entries are in gateway mode. Users can use the DVLS web UI to launch RDP and SSH sessions, as these are well handled in gateway mode. However, we are currently unable to start HTTP/HTTPS entries from the DVLS web UI, since this type of session is launched as a normal session (not through the gateway). Could you please implement gateway mode support for HTTPS in the DVLS web UI? Thank you.

1

224

2

Benoit Cortier

cs1

Backlog

Check if host is online through Gateway

Hello, Before installing the Gateway, I used the "Check if host is online" feature in RDM daily to verify whether the host responded to ping and whether a specific port was open. However, this function doesn’t work through the Gateway, as the session is still initiated directly from RDM. Implementing this feature through the Gateway could be very useful. Thank you

3

167

2

Benoit Cortier

ksalomon

Certificate Pinning

Hello, William advised me to open a request here regarding Certificate Pinning. It would be nice if the connection between DVLS and DGW would be using Certificate Pinning. As our gateways will be residing inside our customers' infrastructure (we're an MSP), there is the risk of a MITM DGW answering to our DVLS. As this Gateway would be "spoofed", it may exploit our DVLS, resulting in a big security hit.

1

171

5

ksalomon

kaishum

Backlog

Credential injection

Hi, Due to the security risk associated with sending credentials to the client where RDM is running, even if they are encrypted and ephemeral, there is still an encryption key that could potentially be used to recover the password. It would be highly beneficial to have a feature that allows credential injection, at least from the PAM vault, directly from the gateway or a server inside the private network (similar to how the PSM server works in CyberArk). This would significantly enhance security by ensuring that all passwords remain within the internal network, reducing the risk of exposure a lot more. Kai

0

361

5

Benoit Cortier

kaishum

Backlog

gateway - network segregation - group based

Will it be possible in the future to network segregate access to different subnets from the gateway, so we do not need to use more gateways than necessary? As in this example: Gateway pool: has access to these subnets (10.10.10.0/24, 10.10.20.0/24, and 10.10.30.0/24), and then use user groups to control access. Admins would have access to all three subnets. The development would have access to only 10.10.30.0/24.

1

295

5

Benoit Cortier

maikeltonissen

Backlog

Granular user security for the gateway

Hello, I might have an interesting use case which I'm not sure there is a solution for yet; if there is, I would like to know. We have several vaults, actually a vault for each in-house project we have. Each of these vaults has specific users in it who maintain (create/read/update) the entries. I did it this way so that the project owner can maintain the vault and I don't have to maintain every vault individually after the initial creation. All these users are synced with Entra ID, but that's not relevant to my issue. We have three physical offices currently and each office has an on-premise Devolutions Gateway running in the DMZ. This DMZ subnet connects through our company firewall with each separate subnet (VLAN) which houses a project. This works perfectly but it seems I just made a massive security gap which I missed initially. Each user can create his/her own entry in their vault; I can limit their gateway selection if I want to, but what I cannot seem to limit is which subnet (VLAN) the user is able to connect to when he/she establishes a connection. For example: Office A houses projects 1, 2 and 3. Office B houses projects 4 and 5. User X works on project 1, which resides physically in office A and uses the Vault for project 1. Because the project is housed in Office A, the user must connect to the Devolutions Gateway in Office A. All is fine up until now, because what is preventing the user from making records that can make connections to projects 2 and 3? Our firewall doesn't know which user makes which connection and I don't want to make a gateway for each project because that would create a massive overhead on our systems and management. It seems to me that there needs to be a security mechanism in place which can limit a user to specific subnets he can connect to.

0

313

7

Benoit Cortier

hjbos

Implemented

VPN/tunnel/gateway rights

At the moment it's possible to disable VPN/tunnel/gateway settings when a user has edit rights in a vault. Setting up Devolutions gateway in VPN/tunnel/gateway is always a company policy and should be forced by inheritance so when a user adds a new entry session recording is configured by the settings on the vault and can't be changed.

0

473

7

François Dubois

Jacob Lafrenière

Implemented

Update via Devolutions Agent via a proxy setup

Hello, I believe adding the ability to update a Devolutions Gateway through a Devolutions Agent operating behind a proxy would be a valuable enhancement. Best regards,

2

170

4

Benoit Cortier

adamscheblein

Implemented Backlog

SSH clipboard

I’ve installed gateway standalone, and successfully connected to an SSH server. Is there clipboard (copy/paste) support?

1

211

3

BeFs

john.kenny

Standalone – Restricted users

I had a play with the standalone Gateway edition today, it works and works well for the quick connect scenario, but there's no config or settings to it at all..... I would love to be able to at least use the basic local user auth, but with configuration functionality added, I wanted to be able to preconfigure sessions for specific users / groups that would then be read-only on the webclient, my ideal scenario would be for users to have RDP access to their office desktop only and via a browser which would also play well with existing Zero Trust Network Access services.

0

647

13

john.kenny

ocbarts

Detailed per-connection logging for Gateway Tunnels with dynamic targets (socks/http proxy listener)

Hi, We recently noticed that the logging feature of RDM+RDGW is not sufficient when it comes to Devolutions Gateway Tunnel with dynamic targets (SOCKS/HTTP Proxy listener). What is logged is only who and when started/stopped the tunnel, but not what connections went over it. This is a major security gap, because it is possible to define a filter that would wildcard the target host, and it is then not possible to know what connections were made over this type of tunnel. In the diagnostic logs of the Gateway itself, there are some jmux lines containing target IP/port/protocol information, but to correlate them with a particular open session, user information of who opened it etc. is very cumbersome and I am not even sure if the retention of this diagnostic information is sufficiently long. In order to provide non-repudiation and a complex end-to-end secure connection logging, in my opinion this feature is a must. Especially since the gateway has all the information needed. In addition to the minimal log information like who, when started and when finished and of course target host/port/protocol, it would also be a nice-to-have feature to get some basic statistics such as number of bytes in/out. This should be really trivial to implement and would close a very important security gap that currently allows passing *not audited* connections over Devolutions Gateway that will be really hard to prove.

1

208

6

Benoit Cortier

dave1

Screen emulation - session shadowing

Good morning Devolutions team, We have several screens used for monitoring and visualizing running systems. Our objective is to have the ability to view the current screen of a remote machine without allowing the user initiating the connection to make any changes—essentially receiving a live video stream only. Would it be possible to achieve this functionality using the RDM Agent in the future (is it perhaps on the roadmap)? We are aware of the session shadowing feature available in the latest release of Gateway. However, we have some concerns: If the session remains active and unterminated for an extended period (potentially several months for certain OT systems), the recording file may become significantly large. The current video quality is not ideal for our needs. A session shadowing option without recording, coupled with improved video quality, would also be sufficient.

1

244

4

dave1

john.kenny

[FEATURE REQUEST] RDM Gateway management - deploy self contained instances within docker containers??

[FEATURE REQUEST] RDM Gateway management - deploy self contained instances within docker containers?? I know I've touched on similar topics with some of you tech guys and we now have the docker containers to use, but is there any way of integrating the RDM Gateway management to be able to deploy isolated Gateway instances within docker containers themselves similar to how RDM can deploy gateways now just using containers as a mini gateway farm??? All the components to achieve this outcome should be in place now right so with some of your developer magic maybe put some of these blocks together to use in the recent RDM gateway manager??? This is a clone of another post in the RDM forum but as this is very much a linked topic wasn't sure where it should be posted too hence this clone post

2

370

4

marcelgerber