Devolutions Gateway

Ctrl + k

Devolutions Gateway

Devolutions Gateway

Announcement

Official announcements for Devolutions Gateway.

Feature Request

Request new features for Devolutions Gateway.

Support

Get help with Devolutions Gateway.

Kerberos failure via Devolutions Gateway (KDC proxy) caused by duplicate UPN across forests

Support (French)

Get help with Devolutions Gateway in French.

Support (German)

Get help with Devolutions Gateway in German.

Bug Report

Report bugs in Devolutions Gateway.

Recent Posts

Richard Markiewicz

Published 3 days ago

Option to change Windows Service-Account of Gateway Service

Hello stefannitsch-fitz I've been looking at this issue and I had hoped to make some changes for 2026.1.3; I'm not sure if that's still feasible but I'll keep you posted and at the latest we'll probably be looking at 2026.2 (next month). There are a few things I want to clarify with you, based on the work I've already done. First, you wrote everytime you modify the gateway-configuration from the server console (companion tab), the service-account automatically changes back to NETWORK SERVICE Are you sure this is accurate? The reason the service account gets updated is that the Windows MSI treats every update as a "major upgrade" (versus a patch). In Windows Installer, this means that the existing product gets uninstalled and then the new version gets installed, rather than just replacing the updated files. So the service is recreated in this scenario and the user account customization gets lost. The thing is, I don't see another path that can happen and it shouldn't happen by editing the configuration. Can it be that you actually mean this happens when updating Gateway by the console? Or perhaps when you noticed this, it coincidentally happened at the same time as an update? Please let me know, because if what you say is true then further investigation is needed. Secondly, can I ask what kind of account you're using for Gateway? Is it a well-known account (e.g. LOCAL SERVICE), a virtual account, or maybe a gMSA / MSA? The key with those kind of accounts is that they don't need a password. If you're using a regular Windows / domain account (which as I understand it, would not be recommended) things are more complicated because it's harder to support an upgrade path without needing to re-specify the password on every upgrade (that may not be so bad for manual updates, but is much more complicated via DVLS or Agent). I understand the problem with the other issues you've raised. Please, let me know if something isn't clear Kind regards,

Feature Request

Published 10 days ago

Screen recording for only current session, and in screenshots instead of low framerate video

Hi Marc-André Yes we are using RDM on a remote server through Parallels Client and on that server we are using SoftActivity TS Monitor to take screenshots of every click so we have documentation of all changes made. Since it takes screenshots of the entire app, it only records the active session, where as how i understand the native RDM recording feature will record every open session simultaneously even if they are not currently worked on. This makes our current solution a lot more storage efficient, while also being easier to sort through since low fps videos that the RDM screen recording uses can often cause trouble during playback. And high fps video captures a lot more data than necessary. Especially if it also records inactive sessions. In our work flow we often have multiple sessions open that we use throughout the day, which would quickly congest the storage server. If RDM could only record the current session in screenshots, either every second or two, we could use RDM natively and locally for hopefully much smoother performance than our current remote app solution - and maybe even take advantage of some other devolutions gateway features such as Entra SSO. -Malthe

Feature Request

Published 12 days ago

Reverse Proxy for Gateway Agents

Hello gertvanniekerk I’m glad you’re evaluating our products again. As for the diagram, it’s slightly different in the details: you would install a Devolutions Gateway in your infrastructure or in the cloud (it could be anywhere as long as you’re able to reach it from your infrastructure and from the customer infrastructures), and you would install a Devolutions Agent in each customer’s infrastructure. The Devolutions Agent will perform the "call home" against the Devolutions Gateway, and a VPN-like tunnel will be open between the Devolutions Gateway and each Devolutions Agent instance. In this configuration, the Devolutions Gateway will be used as a rendezvous server: the Devolutions Agent connects to it, RDM connects to it, and the session is relayed without ports being opened in the target infrastructure, which is what you are after as I understand it. Will you support that we can place an reverse proxy (NGINX) in front of the Devolution server? I think it’s already possible for you to have a reverse proxy in front of both Devolutions Server and Devolutions Gateway. You just need to forward HTTP traffic for Devolutions Server, and both HTTP and TCP traffic for Devolutions Gateway (there is a HTTP listener and TCP listener). Can the port be changed to simply be 443, this makes outbound port requirement on the customers network much easier since almost everybody has 443 open For Devolutions Server, the port can be changed to 443. In fact I think it’s already the default, as per this documentation page: https://docs.devolutions.net/server/kb/knowledge-base/ports-firewalls/ For Devolutions Gateway, I think the default ports are 7171 and 8181, but that’s also something that can be changed either during the installation or by modifying the configuration file. Will this work for all types of your Gateway servers? (Windows, Linux and Docker) Yes, it’s planned for all platforms, for both Devolutions Gateway and Devolutions Agent. (Although I don’t think we provide docker images for the agent yet, that’s something we’ll provide too in the future.) We are running af trial on the software now. I've configured some gateway servers, it seems they needs to be signed with trusted certs as far as I understand? Yes, we highly recommend using TLS for encrypting the HTTP payload, and this needs to be trusted certificates. However, you can have your own certificate authority as long as each client machine is configured to trust this authority. Also the CRL also needs to work or can we simply just use the "Publish revocation list" once and everything will just work? (I'm thinking of the challenge of deploying + maintaining around 50 gateway servers) The "Publish revocation list" button you see for the Devolutions Gateway is different from the CRL of the (HTTP) server certificates. It’s a revocation list for long-lived tokens that you may or may not need for using the KDC proxy feature of the Devolutions Gateway. It’s okay to not publish it if you don’t use that feature. Please let me know if you have further questions. Best regards,

Feature Request

Marc-André Moreau

Published 12 days ago

Screen recording for only current session, and in screenshots instead of low framerate video

Hi, Help me understand your use case, as I'm not so sure. Right now, you're using RDM through Parallels Client, because Parallels has a session recording feature that you like, and this allows you to record everything done with RDM inside that Parallels session? You would like to replace this session recording feature by Devolutions Gateway, but since the recording is done for each session inside RDM, and not RDM as a whole, this means multiple video recordings, etc. You'd be happier if the recording could be done as screenshots instead of low frame rate videos due to storage concerns. Did I miss anything? Best regards,

Feature Request

Published 12 days ago

Restart develotion gateway service

we are using windows certificate store but the reason for the config update is that we have change from a star certificate to a host specific certificate so the name should be updated in the config and today the * cert was exspired and all the gateways we not have restarted after config update was failing on the certificate and needed to be restarted.

Feature Request

Marc-André Moreau

Published 12 days ago

Restart develotion gateway service

I think we have hot reload supported for the configuration already, have you simply assumed that it would not reload the configuration and that it should require a restart? On Windows, the simplest is to use the certificate in the Windows certificate store, it should definitely pick up the new certificate. If you tell me how you're currently setting the certificate I ask internally to see if that specific method should have the certificate automatically reloaded without restarting the whole service.

Feature Request

Published 12 days ago

Restart develotion gateway service

right now i hat a situation where it has been nice i havde change the certificate on all our gateways to a new one with a new name so the agents should restart to read the new config here will it be nice with the option to schedule a restart when no one is connected to the gateway.

Feature Request

Marc-André Moreau

Published 12 days ago

Restart develotion gateway service

Hi, Can you elaborate on the reasons why you would like to restart the Devolutions Gateway service remotely, or on a schedule? There is a feature to do centralized updating of Devolutions Gateway already, which restarts the service during the update process, but nothing that can restart without updating. Best regards,

Feature Request

stefanhornbogen

Published 12 days ago

Data limit for (website) entries through the Devolutions Gateway

We use DVLS with RDM to manage Applianes, Switches, Firewalls and therefor need a useable upload speed for firmware images and so on. The current speed is unusable and causes a lot of frustration for administrators. They need to bypass for these use cases, but this is bad for security. Please fix this very soon - this request is internal open since over a year.

Feature Request

Published 12 days ago

Data limit for (website) entries through the Devolutions Gateway

Hi there! We use Remote Desktop Manager and Devolutions Gateway from within a jump zone to effectively limit open ports and accesses to server and management VLANs by the firewall. This might not be the original intended use case for the Gateway. However, that provides an effective way to protect our systems and avoids bypassing RDM. Updating our Dell VxRail vSAN Cluster requires uploading large Dell VxRail update bundles (>16 GB) over https to the VMware Virtual Center Service Appliance. With the Gateway's low bandwith those uploads take forever and tend to fail. Either because of timeouts or certifcate issues. Additionally, the vCenter Client Web-UI isn't accessible after an upload failed. [image] [image] Would be great if the developers at Devolutions could find a solution to get rid of this Gateway's limitation. Best regards Roman

Feature Request

Published 13 days ago

Data limit for (website) entries through the Devolutions Gateway

I am opening this feature request on behalf of a customer regarding bandwidth performance for Website sessions routed through Devolutions Gateway. The main topic is file transfer throughput when using a Website session through the Gateway compared to a direct connection. Customer-reported results: Through Devolutions Gateway: approximately 2 MB/s Without Devolutions Gateway: approximately 100 MB/s During internal testing, we also observed a notable difference in bandwidth results: Through Devolutions Gateway: approximately 95 Kb/s Without Devolutions Gateway: approximately 260 Mb/s Could the team review the current bandwidth behaviour for Website sessions through Devolutions Gateway and evaluate whether performance improvements, configuration recommendations, or documentation updates could be considered? Thank you.

Feature Request

Published 13 days ago

Screen recording for only current session, and in screenshots instead of low framerate video

I see on your roadmap that you plan on rebuilding the session recording engine. Perhaps this can be implemented alongside that? I feel like this would benefit many customers, not only us. Especially in the EU where GDPR is important

Feature Request

William Alphonso

Published 16 days ago

Devolutions Server & Gateway side-by-side via Azure Application Proxy

Hello Dave, Thank you for taking the time to document the setup and behaviour here. Since we already have a session scheduled together, I am assigning myself this thread as well so I can keep both discussions aligned. We will follow up here after our session with any findings or recommendations from the review. In the meantime, I will leave the thread open in case anyone else from the community has additional input or has tested a similar setup with Azure Application Proxy and a side-by-side Devolutions Gateway deployment. Best regards,

Published 18 days ago

Update SSL Certificate From Central

We have solved this by using win-acme to renew a lets encrypt cert automatically on all the gateways

Feature Request

Published 18 days ago

Restart develotion gateway service

It could be a nice function in the devolutions server interface to get the possibility to restart the gateway service and also schedule a restart to when no useres is connected like when doing a update of the gateway.

Feature Request

Published 18 days ago

Reverse Proxy for Gateway Agents

This sounds really interesting if this is truly an "call home" network design Devolutions is working on. We're an MSP company which POC'ed your software around 2-3 years ago, and the main reason we did not choose you was because as an MSP with many customers where we manage our servers in their site/network, we always have a hard requirement for the software we use needs to be able to call home in order for us to be able to use it. Back then you also license per gateway which would have costed way to much for us, I can see the licensing has changed and this is no longer the case. Benoit Cortier I've quickly sketched this on draw.io, is it correct that this is the flow of traffic that will hope to support is the upcoming release? Other questions Will you support that we can place an reverse proxy (NGINX) in front of the Devolution server? Can the port be changed to simply be 443, this makes outbound port requirement on the customers network much easier since almost everybody has 443 open Will this work for all types of your Gateway servers? (Windows, Linux and Docker) We are running af trial on the software now. I've configured some gateway servers, it seems they needs to be signed with trusted certs as far as I understand? Also the CRL also needs to work or can we simply just use the "Publish revocation list" once and everything will just work? (I'm thinking of the challenge of deploying + maintaining around 50 gateway servers) [image] Regards. Gert

Feature Request

Published 19 days ago

Devolutions Server & Gateway side-by-side via Azure Application Proxy

Hello Everyone! I wonder if someone could help, or has come across this issue before. We are currently evaluating the Devolutions Team Starter Pack and trying to get Gateway to work with Devolutions Server via an Azure/Entra Reverse Proxy/ Application Proxy. Current Setup: We have a Windows 2025 server installed on prem running Devolutions Server with a side-by-side installation of Gateway server. We have existing Azure connectors on the LAN for other applications, so we have created a Enterprise Application in Azure to access the Devolutions Server via web and RDM with MFA SSO Enabled. This is all working fine and we can access our estate on RDM and Devolutions server using this setup. Issue: When trying to configure the Gateway server using the same reverse Proxy address within Devolutions server, it fails on the ping test and therfore marks it as "down". If we specify the internal address for the Gateway server it finds it and works without issue, however when connecting to sessions via the Gateway server, this only works when on the internal network, externally it fails (even though if we go into a RDP entry within the vault and test the Gateway connection, it passes) Reading the forum post here ( Best practices for Devolutions Server & Gateway deployment ) it sounds like the Gateway server should be accessible via the same URL as the Devolutions server because the IIS handles the redirects. Has anyone got this to work using the same entra reverse proxy address? Thanks! Dave

Published 19 days ago

Screen recording for only current session, and in screenshots instead of low framerate video

We are currently using RDM via Parallels Client where a software is installed to record every click so we can document all changes made on our customers as an MSP. Both on servers and on websites such as M365, Azure and DNS. This is a requirement for our ISO certification. We would however love to use RDM locally with the gateway screen recording, but we had a meeting and got told that only possibility was screen recording on all open sessions simultaneously and optionally in low framerate video which can have play back issues and take up a lot of storage. A feature that screen captures only the active session or the entire app window on every click or every 1 to 2 seconds through the gateway instead of video would solve our issues and would allow us a hopefully better and smoother experience with the RDM. Screenshots take up less storage and don't have compatibility issues with viewing / playback.

Feature Request

Published 21 days ago

Option to change Windows Service-Account of Gateway Service

Hi! We recognize the need for a better supported workflow here. As per internal discussions, we are looking into: Updating the installer to ensure it does not overwrite a custom service account on updates. Providing documentation about the required permissions for a custom Windows service account running the gateway. We’ll keep you posted on any progress for official support and documentation. Best regards,

Feature Request

stefannitsch-fitz

Published 21 days ago

Option to change Windows Service-Account of Gateway Service

Hi! Regarding Installation on a Windows Server it would be good to have a supported option to define another gateway service account than NETWORK SERVICE. For example - session recording to SMB-Share requires authentication. It is actually possible to access a share and use it for session recording when changing the gateway service account to one that has access to that share. But there are caveats: you need to manually adept NTFS permissions for the gateway folder within "Program Data" for the new service user triggering gateway update from devolutions server/RDM fails (ERROR listener{port=7171}:https{client=xx.xx.x.xxx:61728}:request{method=POST path=/jet/update}: devolutions_gateway::http: error=500 Internal Server Error at devolutions-gateway\src\api\update.rs:68:9: failed to write the new `update.json` manifest on disk [source: Access is denied. (os error 5)])) everytime you modify the gateway-configuration from the server console (companion tab), the service-account automatically changes back to NETWORK SERVICE BR

Feature Request

External resources

Devolutions Documentation

Technical SupportEmail : service@devolutions.netPhone : + 1 844 463.0419