Use Remote Desktop Manager with Azure AD App Proxy Pre Auth and Devolutions Password Server
Hello,
It would be great if Remote Desktop Manager supported pre-authentication via Azure AD Application Proxy. We would like to publish the Devolutions Password Server application via Azure AD Application Proxy and secure it with pre-auth.
The website itself works fine, but the Remote Desktop Manager refuses to work.
As soon as we change the authentication to Pass Through, the RDM works again.
This would be a desirable feature to secure the publication of sensitive information even better.
Kind Regards
Stefan Redlin
Hello, I am a bit surprised and sorry that it is not working. I will see if I can possibly improve the support for pre-authentication in a future version.
Thank you for reporting the issue, and I will keep you informed of any progress.
Best regards
Nicolas Girot
Hey Nicolas, can you give us an update yet?
Kind Regards
Stefan Redlin
Hello Stefan. To be honest, I haven't had the time to look into this yet. I will check with the IT team to set up an environment similar to yours. Thanks for the reminder, I will make an effort to free up some time next week at least to investigate the issue.
Best Regards!
Nicolas Girot
Hey Nicolas, if it would help you we can also show you our configuration so that we can look at the problem together. We could also test here, since the system is not yet productive.
If this would help we are happy to assist you.
Kind Regards
Stefan Redlin
Hey Nicolas, can you give us an update yet?
Kind Regards
Stefan Redlin
Good evening Sredlin,
I apologize once again for the delay. Unfortunately, I missed an email from the IT department several days ago, which informed me about issues with setting up the instance. I have taken the opportunity to review my email rules to ensure that I do not overlook such things in the future.
We have finally managed to create an instance today that replicates the conditions of the bug and reproduce it. Therefore, I will start working on fixing it tomorrow and will get back to you with concrete results soon.
I'm truly sorry for the inconvenience and for my mistake, which significantly slowed down the process.
Best regards,
Nicolas Girot
Hello Sredlin,
I have started to study the problem in detail, and unfortunately, I won't have an easy solution as I initially hoped.
Currently, our server validation system prevents me from implementing a simple solution, and we will need some time to invest in revising our authentication mechanism from the RDM server to support pre-authentication through a proxy.
I am opening a ticket for the request with a high priority level so that we can determine when we can proceed with the improvement in our planning. I would have really preferred to offer you a quick solution and fit it in between tasks :(.
Best regards,
Nicolas Girot
Also want to chime in here as a potential new customer currently running a POC. It is very important to us that we are able to have RDM working through Azure Application Proxy. Pass-through auth is unfortunately a "no-go".
Thanks,
Henrik Walther
Hello Henrik, rest assured that this is a feature I will push to have integrated as quickly as possible.
Yours sincerely.
Nicolas.
Commenting in order to raise awareness - highly anticipated feature, necessary for us to be able to apply existing policies and features while exposing the system on the internet. Anything less is too much of a security risk, and is limiting us in the ability to publish the system.
Thanks.
We will integrate this for our next development cycle. A 2023.3 version should be released in a few weeks, and the next cycle should bring 2024.1 in February. However, as soon as we have made the necessary changes to support this feature, there is a strong likelihood that we will also include it in an update of the 2023.3 version.
Thanks again for your feedback. Please don't hesitate if you have any questions.
Nicolas
Hey Nicolas, are there any updates regarding this feature?
Hello sredlin,
The fix is firmly scheduled for the upcoming release 2024.1, which is set to be released in February.
However, development related to this specific issue will only commence in mid-January, unless other features planned for this release progress ahead of schedule.
Thank you again for your patience, everyone.
Nicolas Girot
Hey Nicolas, are there any updates regarding this feature?
Hi there
We are also very interested in this feature.
Best regards, John
Hi there!
I haven't forgotten you :)
I will personally start working on this feature tomorrow.
Thanks!
Nicolas Girot
Sounds great, this capability will be very beneficial.
Additionally, could this be made possible for the DVLS gateway too? Some of the benefits include:
Hi,
For Devolutions Gateway, there are specific challenges involved in supporting Azure App Proxy: we use WebSocket and TCP transports, neither of which is supported with pre-authentication right now (it's only possible with passthrough mode, and only for WebSockets).
Even if we were to support a pure WebSocket mode used even from the Remote Desktop Manager desktop application, Azure App Proxy would provide no additional security value, since WebSockets still would be in passthrough mode. In other words, Azure App Proxy can only do pre-authentication on HTTPS traffic, which is fine for DVLS but not Devolutions Gateway.
You can find more information on the Azure App Proxy FAQ:
https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-faq#websocket
The important part is this: There is no SSO applied to the WebSocket request.
The good news is that Devolutions Gateway already does a form of pre-authentication with DVLS through short-lived tokens that need to be requested for each connection. You would still get the main advantages of Azure App Proxy with Devolutions Gateway if you put DVLS behind it, but expose Devolutions Gateway "directly". It won't accept connections that haven't been pre-authorized by DVLS, so if you put Azure App Proxy pre-auth in front of DVLS, it becomes a side benefit.
Best regards,
Marc-André Moreau
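The property Marc-André describes above (the gateway only accepts a connection that DVLS, sitting behind the pre-authenticating proxy, has already authorized via a short-lived per-connection token) can be modelled in a few dozen lines. The following is an added illustration, not Devolutions Gateway's or DVLS's real token format or code: it assumes a hypothetical shared HMAC key between issuer and gateway, a constructed `issue_token` / `Gateway.authorize` pair, and bound `sub`/`dst`/`exp`/`jti` claims. It shows the checks a practitioner would expect such a gateway to make (signature, expiry, target binding, single use) and what happens to an unauthenticated or replayed caller.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. In the illustrated design the issuer (DVLS side, behind
# pre-auth) and the gateway share it; the real products' key handling is not shown here.
ISSUER_KEY = b"demo-shared-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(key: bytes, user: str, target: str, ttl: int, now=None) -> str:
    """Issuer side (hypothetical): mint a short-lived, single-use token bound to
    an authenticated user and one destination host. Only a caller that already
    passed the pre-authenticated front end would reach this step."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": user,
        "dst": target,
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(8),  # unique id so the gateway can refuse replays
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class Gateway:
    """Gateway side (hypothetical): exposed directly, but refuses any connection
    that does not carry a valid, unexpired, unused token for the requested target."""

    def __init__(self, key: bytes):
        self.key = key
        self.used = set()  # jti values already consumed

    def authorize(self, token: str, target: str, now=None):
        """Return (True, user) when the connection is pre-authorized, else (False, reason)."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".")
            given = _unb64(sig)
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        except (ValueError, TypeError):
            return False, "malformed"
        # Constant-time compare; a wrong key or tampered body fails here.
        if not hmac.compare_digest(given, expected):
            return False, "bad signature"
        try:
            claims = json.loads(_unb64(body))
        except ValueError:
            return False, "malformed"
        if now >= claims["exp"]:
            return False, "expired"
        if claims["dst"] != target:
            return False, "target mismatch"
        if claims["jti"] in self.used:
            return False, "replayed"
        self.used.add(claims["jti"])
        return True, claims["sub"]


if __name__ == "__main__":
    gw = Gateway(ISSUER_KEY)
    tok = issue_token(ISSUER_KEY, "alice", "srv01", ttl=30, now=1000)
    print(gw.authorize(tok, "srv01", now=1010))      # (True, 'alice')
    print(gw.authorize(tok, "srv01", now=1011))      # (False, 'replayed')
    print(gw.authorize("no-token-at-all", "srv01"))  # (False, 'malformed')
```

The point for the discussion above: an internet user who never went through the pre-authenticated DVLS front end has no way to obtain a token, so the directly exposed gateway rejects them before any WebSocket or TCP session is established, which is why the proxy's pre-auth on DVLS still gates gateway access indirectly.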
Thanks Marc-Andre, that all makes sense. It would be nice if there was a way to reverse proxy the gateway traffic via some sort of cloud hosted platform that accommodated pre-auth, but I can appreciate there are technical challenges to achieving that.
While I trust that the gateway token validation provides a degree of protection, I suspect some organizations may have security concerns about unauthenticated internet users being able to directly reach the gateway server, which itself would likely have extensive access to internal resources.
How is it going? :)
Hey Nicolas, is there any progress on this?
Hello Sredlin,
Sorry for the delay, I was away last week due to the school break. I'm still working on this task this week, as the implementation is requiring considerably more work than initially anticipated, involving several sensitive aspects of authentication.
I'm optimistic about finalizing it this week and then passing it on to QA. Following that, we will release a minor update with the feature.
Nicolas Girot
Hello,
I'm just checking in on the progress. Indeed, I'm still working on it :) The problem turned out to be much more complex than anticipated, and I have come to a solution that I hope will be suitable. We should be entering the testing phase soon. After that, we should be able to build a new version of both RDM and DVLS containing the new elements necessary for the pre-authentication process using Azure Proxy.
Best regards.
Nicolas Girot
Hello,
As Nicolas wrote a week ago, the implementation has been more challenging than we planned. We are currently working on our next major release, 2024.2, and backporting all changes for the feature in 2024.1 could introduce instability. Therefore, our plan is to release the feature with our 2024.2 release. A beta version should be available at the beginning of June. Please let us know if this is a problem for you.
Best regards,
François Dubois
Hi,
Windows clients are working great. Thank you. How about mac clients? When will they get this feature?
Hello,
Integrating pre-authentication through Azure proxy is in our plans for RDM Mac, but we don't really have an ETA for it, although we hope to be able to release it somewhere toward the end of 2024 if everything goes well.
Best regards,
Michel Lambert