Devolutions Server: Expose to the Web/Internet, how to secure (reverse proxy?)
Hi
We have used Devolutions Server for years, but only via a connection over the internal LAN.
We may look for a more "modern" client setup where we can access Devolutions Server via RDM over WAN/Internet.
Devolutions Server has some Conditional Access features, but is this enough to secure such an important service? For many services that we want to expose to the Internet/WAN, we use a reverse proxy server like nginx. But is this also enough to secure this type of service? And will RDM still work with a reverse proxy setup, even with Devolutions Gateway?
Do other users have any advice on how they give mobile clients access to DVLS?
Thank you and best regards,
Maeck
Hello Ma
Thank you for reaching out to our forum. When it comes to securing your Devolutions Server for exposure on a WAN, using a reverse proxy can be highly beneficial.
Adding HTTPS with SSL certificates provides an extra layer of security, as does implementing MFA for added protection. You can also restrict access with conditional access policies and GeoIP security features, allowing you to limit access based on specific countries or IP ranges, using an SQL certificate as well to add another layer of security to your data.
Consider whitelisting certain addresses required by Devolutions Server within your firewall, and changing the default ports for Devolutions Server and Gateway to custom ones for additional security. Be sure to secure the VM hosting Devolutions Server by keeping it up-to-date with Windows updates, disabling unused ports, and enabling auditing for key logs with daily reports. Limiting internal access to the Devolutions Server is another valuable step. Finally, using the PAM module offers robust security for managing accounts and credentials.
In summary, I've outlined ways to harden your Devolutions Server on multiple levels: network, account, and database security.
Let me know if you need further assistance.
Michel Audi
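To make the network-level layers in Michel's list concrete, here is an added example (not from the forum posters or from Devolutions) of an nginx reverse proxy placed in front of Devolutions Server. It terminates TLS, redirects plain HTTP, sets HSTS, restricts the proxy to an allowlist of source networks, rate-limits requests per client address, and forwards the original client address and scheme to the backend. The hostname dvls.example.com, the backend address 127.0.0.1:5000, the allowlisted range 203.0.113.0/24 and the certificate paths are placeholders to replace with your own values; whether DVLS reads the X-Forwarded-For header for logging or Conditional Access is not stated on this page, so verify that in its documentation before relying on it.

```nginx
# /etc/nginx/conf.d/dvls.conf  (included inside nginx's http {} block)
# Added example, not Devolutions' own configuration. All names, addresses
# and paths below are placeholders.

# Per-client rate limit zone: 10 requests/second per source address.
limit_req_zone $binary_remote_addr zone=dvls_limit:10m rate=10r/s;

# Pass WebSocket upgrades through unchanged; harmless if the app never uses them.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream dvls_backend {
    # Assumed DVLS listener. Firewall the DVLS host so this port is reachable
    # only from the proxy, never directly from the Internet.
    server 127.0.0.1:5000;
}

# Plain HTTP: redirect everything to HTTPS, serve nothing in the clear.
server {
    listen 80;
    server_name dvls.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name dvls.example.com;

    ssl_certificate     /etc/ssl/certs/dvls.example.com.fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/dvls.example.com.key;           # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to refuse plaintext for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Layer 1: only known client networks (office, VPN egress, ...) reach the proxy.
    allow 203.0.113.0/24;   # placeholder range (TEST-NET-3)
    deny  all;

    # Layer 2: throttle bursts from a single address before they hit the login form.
    limit_req zone=dvls_limit burst=20 nodelay;

    location / {
        proxy_pass         http://dvls_backend;
        proxy_http_version 1.1;

        # Preserve host, real client address and scheme for the backend's logs
        # and any IP-based rules it applies (assumption: backend honours these).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket passthrough using the map defined above.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Validate with `nginx -t` before reloading. Note what this does and does not give you: it encrypts transport, narrows who can reach the login page and slows down credential guessing, but it does not inspect request content, so MFA, Conditional Access and GeoIP rules on DVLS itself, and a WAF if you need content filtering, remain separate layers rather than something the proxy replaces.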
Hi Maeck,
To add to Michel's response, I’d say it largely comes down to your comfort level and experience with exposing applications on the Internet. There’s nothing inherently problematic about exposing Devolutions Server, as it’s a web application developed with modern security practices and frameworks. Implementing MFA, Conditional Access, GeoIP fencing, and TOR filtering must be considered in this scenario of course.
That said, the threat landscape is broad, and you'll need to assess whether you have the expertise to deploy and maintain additional controls to protect what is probably a critical asset. A defense-in-depth strategy would involve layering multiple security measures between users and the sensitive information you want to protect.
Adding a reverse proxy would provide limited risk reduction in itself unless it has security features to filter out potentially malicious traffic before it reaches Devolutions Server. A Web Application Firewall (WAF) would be more effective for this use case, though WAFs come with their own complexities. If the reverse proxy includes pre-authentication**, it could help by blocking any unauthenticated requests from reaching Devolutions Server.
If you’re looking to move away from traditional VPNs, modern solutions within the Zero Trust Network Access (ZTNA) or SASE market could allow you to more seamlessly access your applications from anywhere without exposing them directly.
As for Devolutions Gateway, it was designed for remote access and meant to be exposed. Some customers still add an extra layer of network protection in front of it based on their internal security standards, but at its core, it’s similar to exposing a VPN server or appliance.
You’ll find some useful resources below—some related to your initial question and others on hardening Devolutions Server in general:
Azure pre-authentication to a Devolutions Server data source in Remote Desktop Manager - Devolutions Documentation
Devolutions Server security hardening - Devolutions Documentation
Security checklist - Devolutions Documentation
** Accessing DVLS through RDM using Pre-Authentication is only supported for Entra ID Application Proxy though.
Simon Chalifoux