Hey there!
I'm evaluating Wayk Bastion - and so far I really enjoy the product! I'm running independent IT management services (single-man business at the moment) and I have been piloting this for a few machines.
A few questions, though, from what I have explored so far:
1) Wayk Bastion stores log files within containers. I would have to collect and audit data for security. I would like to review logon attempts, authentication attempts, failures, etc. - standard security audit stuff. Is there a neat way to do so (built-in log sink?) or do I need to craft a hacky way to export the Docker container logs?
2) Wayk Bastion consists of several components, but I don't understand what exactly these are all doing. Could someone guide me to documentation?
So far what I assume:
den-gateway - I assume it manages traffic between agents and clients?
den-traefik - reverse proxy to expose 80,443
den-server - main core server
den-lucid - OAuth endpoint
den-picky - ??
den-mongo - database container
3) What configuration needs to be done to split containers onto dedicated hosts / VM clusters for HA / load balancing? Some of these could seemingly be deployed to Service Fabric, for instance, and it seems you guys like Microsoft tech :-)
4) Your public Wayk Den uses WebSockets (wss://) - is there a way to make hosted Wayk Bastion use WebSockets too? Is there a performance difference?
5) I have noticed severe lags when using Wayk Bastion sometimes. Like there was no reaction, and only after a few seconds it was "played back" on my screen. I had an alternate remote session tool open (Windows Quick Assist) and it wasn't experiencing performance issues - how do I go about troubleshooting that with Wayk Bastion?
6) If Wayk Agent has a personal password enabled, could you please elaborate on the security model of this? Where is the password validated? Is it sent to Wayk Bastion? Is there a way for the agent to publish its password to Wayk Bastion?
7) Is there a way to enable Azure AD login to the web console instead of built-in user/password? I would love to integrate Azure AD into Wayk Bastion if possible; centralized access provisioning sounds like a big win for this product.
8) TeamViewer has a "native connector" inside Intune - do you consider talking to Microsoft about enabling your built-in connector for remote sessions?
Sorry for the loads of questions, but these all have come up during my initial pilot phase and now I had some time to follow up with these. Thanks in advance for some replies!
Best regards
Aleksander Pawlak
Hi,
First, thank you for trying Wayk Bastion!
Q1) Wayk Bastion stores log files within containers. I would have to collect and audit data for security. I would like to review logon attempts, authentication attempts, failures, etc. - standard security audit stuff. Is there a neat way to do so (built-in log sink?) or do I need to craft a hacky way to export the Docker container logs?
A1) Docker has a built-in mechanism to capture the logs, but by default it will store them in local files, and you can export them using the "docker logs" command like this:
docker logs den-server > den-server.log
However, if you need to capture logs in a continuous fashion, Docker supports multiple logging drivers. You can use the syslog logging driver using the -SyslogServer configuration parameter:
Set-WaykBastionConfig -SyslogServer "url-for-your-syslog-server"
This will automatically inject the syslog server configuration in all containers the next time you launch Wayk Bastion. If you find another Docker logging driver that may better suit your needs, just ask and we'll add the corresponding option on our side.
Q2) Wayk Bastion consists of several components, but I don't understand what exactly these are all doing. Could someone guide me to documentation?
den-server - Wayk Bastion server
den-lucid - OAuth authentication service
den-picky - X.509 certificate authority
den-gateway - Devolutions Gateway
den-mongo - MongoDB database container
den-traefik - Local reverse proxy
By default, all those 6 containers run within a Docker network, without exposing their ports on the host directly. Wayk Bastion and the other microservices are configured to be accessed through traefik, a reverse proxy from which everything is exposed externally. A complete traefik configuration is generated based on the ListenerUrl and ExternalUrl configuration parameters, such that you have a fully functional setup without having to deal with complex reverse proxy rules in front of Wayk Bastion. You can see the traefik container as the entry point to all other microservices running inside this local Docker network.
Out of those 6 containers, two can be optionally deployed separately - the MongoDB container (if you choose to manage it yourself) and Devolutions Gateway (which can be deployed for high availability with multiple instances).
https://docs.devolutions.net/wayk/bastion/database-management.html
https://docs.devolutions.net/gateway/getting-started.html
By default, Wayk Bastion will automatically configure and launch a managed instance of MongoDB and Devolutions Gateway to get started quickly. In a second step, you can deploy MongoDB and Devolutions Gateway separately, but we've seen that a lot of customers don't feel the need for it and like to run everything in a single VM.
Q3) What configuration needs to be done to split containers onto dedicated hosts / VM clusters for HA / load balancing? Some of these could be deployed to seemingly Service Fabric for instance, and it seems you guys like Microsoft tech :-)
A3) Right now there are only two components truly ready for high availability: MongoDB and Devolutions Gateway. Those can be deployed separately with multiple instances. Since the Devolutions Gateway is doing the peer-to-peer protocol relaying, it will consume CPU and bandwidth resources. If you have a lot of concurrent connections, this is the one you need to deploy separately and possibly in multiple instances. Do you have an idea how many concurrent connections you may have at your peak?
As for Azure Service Fabric, I've heard about it, but I've never given it a try. If you're a customer I'd be interested in learning more about it for HA deployments, because it looks way simpler than Kubernetes. Have you heard about Azure Stack HCI + Kubernetes? Is this something you're looking into? Just curious to see how much people are seriously considering it, as it still looks very difficult to deploy and operate (at least from where I stand).
Q4) Your public Wayk Den uses Websockets (wss:// ) - is there a way to make hosted Wayk Bastion use Websockets too? Is there a performance difference?
A4) This is just a relic from the past; we actually ignore this part of the URL and always use both HTTPS and WSS now. It used to be only WebSocket traffic, now it's both HTTP and WebSockets. Since WebSocket uses a persistent connection, it requires more resources to handle on the server, so in modern versions of our protocol only the Wayk Agent uses it, and Wayk Client only does HTTP calls. We need the WebSocket connection for the Wayk Agent to "phone home" with Wayk Bastion in order to be reachable for the peer-to-peer messages used to establish new connections.
Q5) I have noticed severe lags when using Wayk Bastion sometimes. Like there was no reaction and only after few seconds it has been "played back" on my screen I have had alternate remote session tool open (Windows Quick Assist) and it hasn't been experiencing performance issues - how do I come around troubleshooting that with Wayk Bastion?
A5) Is this with the native Wayk Client, or the web client? Is this with all of your machines, or only some of them? There are ways to tweak performance settings if the connection latency or bandwidth are not optimal. We had a customer recently trying to make it work with a really bad network connection, so we made an article about it: https://docs.devolutions.net/wayk/client/performance.html
Q6) If Wayk Agent has a personal password enabled, could you please elaborate on the security model of this? Where is the password validated? Is it sent to Wayk Bastion? Is there a way for agent to publish its password to Wayk Bastion?
A6) The personal password is only meant for "attended" access, with a human present at the computer that can tell you the password. This password does not leave the computer, and is only usable inside a user session. For unattended access, you need to use Secure Remote Delegation (SRD) and use system accounts to connect. By default, the account used to connect gives you "console" access, or access to the computer regardless of what the current user session is, unless you use the Wayk enhanced session mode to make it work like RDP.
Q7) Is there a way to enable Azure AD login to web console instead of built-in user/password ? I would love to integrate Azure AD into Wayk Bastion if possible, centralized access provisioning sounds like a big win for this product.
A7) We do not support Azure AD, but we support Windows Active Directory through LDAP integration. In theory, it might be possible to support Azure AD Domain Services through LDAP integration as well, but we have never tried it. True Azure AD integration would be done through OAuth federation, which we haven't done yet. What matters for the current integration is being able to contact a domain controller with LDAP. Here is the topic covering Active Directory integration.
Q8) Teamviewer has a "native connector" inside Intune - do you consider talking to Microsoft on enabling your built-in connector for remote sessions?
A8) I have to admit I have no idea what this TeamViewer native connector inside Intune is, so you'll have to educate me a bit here :) Can you explain what it is, and what it does? You can also just explain what you'd like to see regardless of what TeamViewer does in that regard.
I know it is a lot of questions, but it's fine, I'm still trying to catch up on the missing parts of the documentation. Do not hesitate to ask questions, I'll answer them, and thanks again for taking the time to look into Wayk Bastion!
Best regards,
Marc-André Moreau
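The "docker logs" export from A1 above, turned into a small script as an added example (not code from the forum post or from Devolutions). It assumes the Docker CLI is on PATH and the six default container names listed in A2; the docker command is overridable so the function can be exercised against a stub without a daemon.

```shell
#!/bin/sh
# Added example (not from the thread or Devolutions): export the logs of
# every Wayk Bastion container named in A2 into one directory, with
# timestamps, so they can be archived or handed to an audit pipeline.
# Assumes the Docker CLI is on PATH and the default container names.

DEN_CONTAINERS="den-server den-lucid den-picky den-gateway den-mongo den-traefik"

# Build the output file name for a container, keeping names consistent.
# $1 = output directory, $2 = container name, $3 = date stamp
log_path() {
    printf '%s/%s_%s.log\n' "$1" "$2" "$3"
}

# Export the logs of every container and print how many succeeded.
# $1 = output directory, $2 = docker command (defaults to "docker";
# overridable so the function can be tested with a stub).
export_den_logs() {
    outdir="$1"
    docker_cmd="${2:-docker}"
    stamp="$(date +%Y%m%dT%H%M%S)"
    mkdir -p "$outdir" || return 1
    count=0
    for c in $DEN_CONTAINERS; do
        dest="$(log_path "$outdir" "$c" "$stamp")"
        # -t prefixes each line with an RFC 3339 timestamp, which an audit
        # review needs; stderr is merged because containers log to both.
        if "$docker_cmd" logs -t "$c" > "$dest" 2>&1; then
            count=$((count + 1))
        else
            echo "warning: could not export logs for $c" >&2
        fi
    done
    echo "$count"
}
```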
Hey there!
Thanks for your patience and all the help you provided, really useful! :-)
Reg. Q8): TeamViewer in Enterprise editions has the ability to connect to Intune, so admins can manage modern-workplace devices with an instant remote connection without leaving the Intune console. This would be quite a nice integration for all modern-endpoint solutions.
For this to work, the TeamViewer connector needs to be installed:
More details here:
https://docs.microsoft.com/en-us/mem/intune/remote-actions/teamviewer-support
This made me think - since TeamViewer can get that integration, maybe you could too?
Thanks for a great product nonetheless!
By the way - https://blog.devolutions.net/2020/02/introducing-wayk-den-free-edition - is this offer still available for Wayk Bastion, or has it been replaced with Wayk Bastion Enterprise that requires CALs?
Thanks!
Alex P
Hi Alex,
I don't know much about Intune, and it's not a product easily deployed for quick testing by a developer, but it turns out we are in the process of deploying it ourselves internally, so I will ask the people in charge of the Intune deployment at Devolutions to show me what it looks like. I wouldn't be surprised that Intune integration may require proper Azure AD integration in Wayk Bastion which we don't have, but I'll find out what would be required to make it happen. Is this a nice-to-have feature request?
Regarding Wayk Bastion licensing, you need Wayk Bastion CALs for your technicians. The free 90-day Wayk Bastion trial includes a site license for an unlimited number of technicians. If you need to extend your trial, you can contact our customer support.
Best regards,
Marc-André Moreau
Definitely it's a nice-to-have feature request. Is there a better suited place to make a "wishlist" from users (like UserVoice?) or should I stick to posts here on the forum in future?
Thanks for clarification on licensing - I'm most certainly willing to get these :-)
Best regards!
Alex P.