Hello.
In the context of using the gateway to connect to customer infrastructure, it would make sense if the Gateway were to initiate an outgoing connection to the DVLS Server.
This is the way Zabbix and other tools with proxies work.
Currently, we need to request TCP 7171 and TCP 8181 to initiate connections towards the customer, which is not always acceptable for a CISO.
Thank you.
Marcel
Hi Marcel,
Thanks for the suggestion, let me make sure we’re aligned on the goal.
Are you asking for no inbound connections into the customer network? If so, that implies DVLS would need to relay the session traffic, not just control messages. Concretely, do you mean this model?
RDM / Web Client → DVLS (broker/relay) → Devolutions Gateway → Target
In that model DVLS keeps a long-lived, outbound tunnel from Gateway and proxies the RDP/SSH/etc. data. This removes inbound rules to the customer but is a significant architectural change (capacity, throughput, HA, auditing on the DVLS side). Unfortunately, I don’t see such a feature being implemented anytime soon as it goes against our current design.
—or—
Are you specifically referring to reversing the control plane only (e.g., session listing, revocation list updates, orchestration) so that Gateway initiates an outbound, persistent connection to DVLS, but clients still connect directly to Gateway for session data? We already do something similar in Hub Business for certain flows, so it’s not impossible, but it won’t remove client to Gateway connectivity requirements.
A few details that would help us size this correctly:
Note that if you need "no inbound to customer at all", while I don’t see DVLS becoming a relay server, you are not out of luck either as it’s possible to achieve such a thing by integrating Cloudflare or Ngrok.
We can’t promise anything yet, but your constraints are clear. Understanding which of the two models you need will help us evaluate feasibility and next steps.
Best regards,
Benoit Cortier
Hello Benoit.
Thank you for your feedback.
We haven't explored the Cloudflare / Ngrok options, as we didn't know these were options.
Can you provide some documentation about how we could achieve this?
As for the model, it seems model 1 with the relay would be the better option.
We forgot that RDM still connects to the GW directly. It would make sense if we could gather the traffic through a relay and then reach the customer gateway.
We understand this is a complete architectural change.
We do not expect such a change immediately, but I wanted to get a feeling for whether it would be a possibility and in what timeframe. I guess you answered that.
About the details:
Best regards.
Marcel