I have just deployed Standalone gateway, it works fine but my question now is can the web client be configured for users using preset sessions for use, unless I'm missing some info somewhere, can the standalone deployment model not be preconfigured in any way yet, so should I assume that as long as users auth if set they can create any type of session they want? I'm trying to find out if the standalone install can be set up with preset RDP sessions for users and provide users with read only access to the web client?
I'm still digging through the GitHub repo for the gateway now, looking for any info I've missed such as PowerShell modules / commands etc?
Thanks in advance
JK
Devolutions Force Member (and Long time Devolutions Fan)
Hi John,
Thank you for trying out the Devolutions Gateway standalone deployment!
The Devolutions Gateway, when deployed as a standalone product, is designed to provide basic functionality without advanced management features.
Authenticated users can open sessions as needed, but there is no way to save session information besides some basic auto-completion based on previously opened sessions.
It was designed similarly to the "Quick Connect" feature of RDM.
You can also think of it as the Windows built-in RDP client mstsc: a menu for launching remote desktop sessions, except it’s on the web, and it supports other protocols besides RDP.
For more advanced management, you should look into Devolutions Server or Hub Business.
These products offer very comprehensive management capabilities and are shipping the web clients as well.
If you are looking for an on-premise solution, Devolutions Server is what you want, and it comes with a Free Edition: https://devolutions.net/server/
Please let us know if you need further assistance or if you have any other questions.
Best regards,
Benoit Cortier
Ok thanks for the quick response, although it's a bit disappointing about the standalone edition. Hoping the gateway standalone could at least be used as a web client like it currently is but with some basic configuration functionality such as local user auth with each user / group having preconfigured sessions set for read only web client access. Hoped it would be a lightweight web gateway client for users to access via existing Zero Trust Network Access, which obviously is set up using EntraID auth, for users to access their office desktops via a browser without VPN clients.
So I'll use the Gateway via DPH for now, well at least till your colleagues on the DS team publish their working docker compose file for me to test!!!
Out of interest, the Gateway via DS and DPH, does it just use HTTP (7171) / HTTPS (8181) traffic or is RDP (3389) still involved somewhere? Reason I ask is I am wondering if it would still work behind our ZTNA which requires the web auth to gain access. Have a play if I get a chance, in theory it should work coming from DPH / DS at least. Well, if it is from a pre Auth'd browser session.
I'll post a feature request too for GW standalone changes, surely it would not involve too much work to implement my thoughts above.
JK
Devolutions Force Member (and Long time Devolutions Fan)
Definitely send feature requests; we’ll create internal tickets to include these in our planning process and track the progress. User voice is very important in our prioritization process :)
Benoit Cortier
Thanks, that I'm very much aware of, your importance of 'user voice'...... lol
Side topic, any idea what could cause this error trying to install the gateway for DPH this time, obv it's cert related but wondered if you would know already?
FYI I used a PFX with a password and those errors are all over the place scope wise.
JK
Devolutions Force Member (and Long time Devolutions Fan)
Screenshot 2024-11-15 025616.png
Hi John
The first error ("Invalid ASN.1 DER Encoding") is the relevant one; the PowerShell script is just continuing after that first error and of course failing in different ways.
Can I ask the origin of the certificate you are using? i.e. Did you export it from Windows Certificate Store, convert from another format, something like that?
What's the output of `certutil --dump {path-to-pfx.file}`?
This really could be caused by a number of things, but ultimately the certificate has an issue in how it's formatted, or there's something specific about the certificate that's triggering an edge case on our side.
Please let me know if something isn't clear or you have other questions.
Thanks and kind regards,
Richard Markievicz
I've always used Certify the Web to request and deploy my Windows certs. In this case I just requested a new certificate with the external FQDN as the cert's only domain / subject, then for this cert I didn't use any deployment methods, only stored the PFX in ProgramData. The CA it's from is only Let's Encrypt and I didn't change any other parameters, so should be RSA 2048 with a specific password for the PFX file?
Are there any docs relating to Gateway's cert requirements?
JK
Devolutions Force Member (and Long time Devolutions Fan)
Hi John
The installer just invokes the PowerShell module for the configuration steps, so no there isn't any difference there. It's just a more convenient front end.
Are you sure the file on disk is sound? For example, the result is consistent with passing a corrupt or "not a pfx" file to the PowerShell module.
As a sanity check, if you double click the .pfx in Windows Explorer, are you prompted to import the certificate into the Windows certificate store? Does `certutil --dump {path-to-pfx}` give proper output?
Thanks and kind regards,
Richard Markievicz
> Hi John
> The installer just invokes the PowerShell module for the configuration steps, so no there isn't any difference there. It's just a more convenient front end.

Thought so, the screenshot of the error is what hinted that was the case.

> Are you sure the file on disk is sound? For example, the result is consistent with passing a corrupt or "not a pfx" file to the PowerShell module.

I'll take a look when I'm able, double check paths etc, as it's invoking PowerShell you don't think it might be affected by spaces in paths etc? Surely the installer is providing the paths to the scripts in quotes etc right?

> As a sanity check, if you double click the .pfx in Windows Explorer, are you prompted to import the certificate into the Windows certificate store? Does `certutil --dump {path-to-pfx}` give proper output?

Will let you know my findings, along with the output from that certutil cmd.

> Thanks and kind regards,
JK
Devolutions Force Member (and Long time Devolutions Fan)
Hi John
Did you get a chance to look at this?
I'm pretty confident that the installer handles paths with spaces acceptably, but if you wanted to compare with PowerShell you can try directly.
First you need to import the module, which can be found in %programfiles%/Devolutions/Gateway/PowerShell or downloaded from e.g. PSGallery.
The command is `Import-DGatewayCertificate -CertificateFile {path-to-pfx} -Password {password}`
Let me know if you have some further questions or comments
Kind regards,
Richard Markievicz
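The sanity check discussed above (is the file really a binary PFX, does it parse with the given password, does it carry a private key) can be scripted before calling `Import-DGatewayCertificate`. This is an added example, not code from the thread or from the Devolutions module; `Test-PfxFile`, the demo subject name and the demo password are assumptions made for illustration.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example; Test-PfxFile is a hypothetical helper, not part of the DevolutionsGateway module.
# Assumes PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later.
function Test-PfxFile {
    param([Parameter(Mandatory)][string] $Path, [Parameter(Mandatory)][securestring] $Password)
    # Resolve to a full filesystem path: .NET does not follow PowerShell's current location.
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    if ($bytes.Length -eq 0) { throw "Empty file: $full" }
    # PKCS#12 is binary DER and begins with an ASN.1 SEQUENCE tag (0x30); PEM is text.
    $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(10, $bytes.Length))
    if ($head -eq '-----BEGIN') { throw "PEM text, not a binary PFX: $full" }
    if ($bytes[0] -ne 0x30) { throw "No DER SEQUENCE tag at offset 0: $full" }
    # Parse the container without persisting the private key to disk.
    # A wrong password or a damaged file throws here.
    $certs = [X509Certificate2Collection]::new()
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs.Import($bytes, $plain, [X509KeyStorageFlags]::EphemeralKeySet)
    if (-not ($certs | Where-Object HasPrivateKey)) {
        Write-Warning 'No certificate in this file carries a private key; a TLS server needs one.'
    }
    $certs | Select-Object Subject, Issuer, NotAfter, HasPrivateKey
}

# Constructed demo input: a throwaway self-signed PFX (its path contains a space)
# and a PEM-looking text file saved with a .pfx extension.
$tmp  = [System.IO.Path]::GetTempPath()
$pw   = ConvertTo-SecureString 'demo-password' -AsPlainText -Force
$rsa  = [System.Security.Cryptography.RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=gateway.example.test', $rsa,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
$good = Join-Path $tmp 'demo good.pfx'
$bad  = Join-Path $tmp 'demo bad.pfx'
[System.IO.File]::WriteAllBytes($good, $cert.Export([X509ContentType]::Pfx, 'demo-password'))
Set-Content -LiteralPath $bad -Value '-----BEGIN CERTIFICATE-----' -Encoding Ascii

Test-PfxFile -Path $good -Password $pw
try { Test-PfxFile -Path $bad -Password $pw } catch { "Rejected: $_" }
Remove-Item -LiteralPath $good, $bad
```

Against a real file, pass the password with `Read-Host -AsSecureString` so it does not land in the command history.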
Thanks, I'll look when I get round to working on that job again. Although now Adam Listek finished his docker work I had wanted, I will begin to deploy that where possible, but not for production till Adam gets round to adding Gateway to the Compose stack.
JK
Devolutions Force Member (and Long time Devolutions Fan)
Is it possible to set up gateway standalone via pwsh without systemd? I've been playing around with the cmdlets; the *-DGateway cmds such as Start-DGateway error with systemd not initiated from boot. The dpkg installer also didn't seem to work, assuming it errors for a similar reason?
JK
Devolutions Force Member (and Long time Devolutions Fan)
Hi John
The `Start-DGateway` PowerShell command just invokes `systemctl start devolutions-gateway.service`; so this is obviously predicated on the service being registered with systemd.
The .dpkg should take care of that, it is supposed to perform registration as a post-install action.
It's hard to know from the information given if something is going wrong on our side, or if this is a systemd issue. I searched around that error message but didn't find anything - can you paste the exact error message when you run `Start-DGateway`?
You can also check if we're registered with systemd by confirming if you have the devolutions-gateway.service file in /lib/systemd/system, and the drop-in directory at /lib/systemd/system/devolutions-gateway.service.d.
Please, let me know if something isn't clear
Best regards,
Richard Markievicz
Thanks for the reply, do not forget I am trying to run Gateway from a docker container, in this case the DVLS Linux docker compose built by the DVLS team inc Adam etc. So, it's def SystemD related, I am waiting for the team to release the gateway compose now.
JK
Devolutions Force Member (and Long time Devolutions Fan)
Hi John
Ok, in our case systemd is just typically used to make sure the Gateway service is "up"; so naturally the `Start-DGateway` command won't work if systemd isn't involved.
systemd isn't a hard requirement; there are many ways to e.g. start the service on boot or run manually. It's just invoking the binary with whatever arguments are needed.
I don't know anything about docker so it sounds like Adam is a better resource than me for this.
If you have some specific questions for him I can point him at this thread for you.
Thanks and kind regards,
Richard Markievicz
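The two failure modes discussed in this thread (systemd is not the running init, as in a container, versus the unit never having been registered by the package) can be told apart from pwsh on the Linux host. This is an added example, not code from the thread or from the Devolutions module; `Get-DGatewaySystemdState` and its `-Root` parameter are hypothetical, and the unit paths are the ones quoted above.

```powershell
# Added example; Get-DGatewaySystemdState is a hypothetical helper, not part of the Gateway module.
function Get-DGatewaySystemdState {
    # -Root is an assumption of this sketch: it lets the check run against a
    # mounted container filesystem instead of the live host.
    param([string] $Root = '/')
    $unit  = Join-Path $Root 'lib/systemd/system/devolutions-gateway.service'
    $comm  = Join-Path $Root 'proc/1/comm'
    $state = [pscustomobject]@{
        # Name of PID 1; inside a container this is usually the entrypoint, not systemd.
        Pid1            = if (Test-Path -LiteralPath $comm) { (Get-Content -LiteralPath $comm -TotalCount 1).Trim() } else { 'unknown' }
        # /run/systemd/system exists only when systemd is the running init (the sd_booted(3) test).
        SystemdBooted   = Test-Path -LiteralPath (Join-Path $Root 'run/systemd/system') -PathType Container
        UnitFilePresent = Test-Path -LiteralPath $unit -PathType Leaf
        DropInPresent   = Test-Path -LiteralPath "$unit.d" -PathType Container
        Diagnosis       = ''
    }
    $state.Diagnosis = if (-not $state.SystemdBooted) {
        'systemd is not the running init; systemctl, and therefore Start-DGateway, cannot start the service here'
    } elseif (-not $state.UnitFilePresent) {
        'systemd is running but the unit file is missing; the package post-install registration did not happen'
    } else {
        'unit is registered; inspect it with: systemctl status devolutions-gateway.service'
    }
    $state
}

Get-DGatewaySystemdState | Format-List
```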