Skip to content

Latest commit

 

History

History
1337 lines (774 loc) · 81.2 KB

CHANGELOG.md

File metadata and controls

1337 lines (774 loc) · 81.2 KB

Changelog

This document provides a list of notable changes introduced in Devolutions Gateway service, installer and Jetsocat.

2024.3.6 (2024-12-02)

Features

  • dgw: persistent job queue for crash resistance (#1108) (2420b07d21)

    This year we added some background tasks in the Gateway that should not be canceled, or if they are, should be restarted later. Essentially two tasks: mass deletion of recordings (relatively important, but it's always possible to launch indexing in DVLS in case of a problem) and remuxing recordings to webm format (good to have). If the service is killed in the middle of one of these operations, we should resume execution on the next startup.

    This persistent job queue is implemented using Turso’s libSQL. Using libSQL (or SQLite) for implementing the queue allow us to benefit from all the work put into implementing a reliable, secure and performant disk-based database instead of attempting to implement our own ad-hoc storage and debugging it forever.

  • dgw: add agent version field to heartbeat API (#1122) (83fbddb5a4)

  • jetsocat: Schannel diagnostics for Windows (#1125) (991d856dea) (ARC-255)

    These diagnostics will return detailed information about how Windows will understand the specified certification chain.

Bug Fixes

2024.3.5 (2024-11-12)

Bug Fixes

2024.3.4 (2024-11-08)

Features

  • jetsocat: make doctor returns links to x509.io (#1059) (ce68fdd1d3)

    Returns a link to x509.io Certificate Viewer in order to inspect the certification chain conveniently.

  • dgw: shadowing player web-component (#1075) (5169f60622)

  • dgw: /jet/jrec/delete endpoint for mass deletion (#1093) (341d455f6c) (DGW-219)

    A new endpoint not taking any parameter via the request path. Instead, a list of session IDs is provided in the request body.

Improvements

  • dgw: disallow SCOPE tokens missing the jti claim (#1082) (78396b5e14)

    DVLS generates this claim since its version 2022.1.9. This version is almost three years old, and already completely phased out, as such it’s more than reasonable to stop supporting this kind of token.

Bug Fixes

  • dgw: the recording policy wasn't set for RDP via web (#1044) (01fb589311)

  • dgw: support for .cast files that have two slices with the same timestamp in recording player (#1054) (8ed5163f3a)

  • dgw: allow any header to be set in browser JavaScript HTTP requests (#1083) (0a7c80898a)

    We don’t expose any header particularly sensitive from the Devolutions Gateway, and the future HTTP bridge will always require a token which is only issued on a per-need basis. In fact, in such cases we actually want to allow virtually any header to be used for web-based integration of various web services (e.g.: VMware dashboard). The restriction imposed by the token requirement is strong enough.

  • dgw: better custom recording paths handling in heartbeat endpoint (#1097) (c1d047c190) (DGW-218)

    On Windows, the std::fs::canonicalize function returns Windows NT UNC paths, but our code detecting the mount point does not understand that. We use dunce to handle that for us instead.

2024.3.3 (2024-10-02)

Features

Bug Fixes

  • pwsh: trace more info when importing Certificate from PFX (#992) (5de155738a)

  • dgw: set dwShareMode for recording files on Windows (#1007) (4df3c854ca)

    On Windows, the default default share_mode set when opening a new file is FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE.

    We now override the share_mode and set it to FILE_SHARE_READ.

    This makes the recording process more robust by ensuring no other process can write or delete the files while the Devolutions Gateway is actively writing it.

  • jetsocat,dgw: add backpressure in JMUX proxy (41ea3ee3f0)

    The memory consumption of the JMUX proxy was unbounded because we used an unbounded mpsc channel for message passing.

    Here is a jetsocat-bench.nu run against master:

  • dgw: start the recording player immediately when tab is open (#1024) (6506b08ee2) (RDMW-16402)

2024.3.2 (2024-08-20)

Features

Improvements

  • dgw: log KDC domain when throwing the error (#963) (873217c804)

    We now print the name of the requested domain when the requested domain didn't match the authorized (expected) domain.

  • dgw: accept subject name even if it does not match the hostname (1f40b45bae)

    Configurations where the certificate subject name does not match the hostname are now accepted. Instead, a few warning and debug log records are added to help discover configuration issues in case of problem. The problem with the strict approach we had previously is that we may reject valid configurations where the hostname was actually matched by one of the subject alternative names in the certificate.

Performance

Build

  • dgw: update cryptography dependencies (787027cbf9)

    We keep using ring as our crypto provider for now.

2024.3.1 (2024-08-01)

Features

  • dgw: dynamically load XMF native lib on startup (#939) (86dee2631a)

    The DGATEWAY_LIB_XMF_PATH environment variable can be used optionally to specify the path to the XMF native library.

  • dgw: remux webm files when video recording ends (#943) (cc787ef691)

Bug Fixes

  • dgw: fix recording player parsing problem (#937) (cdf08a3e2c) (DPS-11197)

    • Remove usage of btoa, it fails on different charset.

    • Add 1 millisecond if the time of previous event is the same at the next event. Otherwise, the player will throw an error.

  • webapp: fix RDP connection form - set pre connection blob as not required (#950) (c684994fce)

  • webapp: add tooltip ellipsis for long netscan service names (#946) (5e4b3080d6) (DGW-204)

  • dgw: [breaking] jet_rec claim is now a string (#957) (59bb0af249)

    Possible values are:

    • none: No policy to enforce (recording is optional)

    • stream: An external application (e.g.: RDM) must push the recording stream via a separate websocket connection

    • proxy: Session must be recorded directly at Devolutions Gateway level (not implemented yet)

    Note: Up until now, Devolutions Gateway was rejecting sessions when this claim was found because it couldn’t upheld the policy. It’s effectively not breaking anything which wasn’t already broken previously.

2024.3.0 (2024-07-24)

Features

  • agent: Devolutions Gateway service updater (#889) (92f86bf51b)

  • dgw: add API to trigger Devolutions Gateway update (#890) (799e518c15)

  • dgw: support .cast terminal recording files (#900) (d1f7559a3e)

    The .cast extension is used for "asciicast" files, i.e.: asciinema cast files. This is a widely used terminal playback format.

Bug Fixes

  • dgw: preserve DGW access URI base in recording player (#899) (92f87c8cea)

    This is notably important for DVLS side by side setups.

  • dgw: fix cast file not working in recording player page (#904) (c6985152a2)

  • dgw: enforce recording policy (#906) (13ed397eee) (DGW-86)

    When recording flag is set and recording stream is closed, the associated session is killed within 10 seconds.

  • dgw: support for jet_rec claim in JMUX tokens (#909) (8b0c3eb80b)

  • dgw: recording player now scales with the size of the window (#922) (4cb95a5e0c) (DGW-198)

2024.2.3 (2024-06-18)

Bug Fixes

2024.2.2 (2024-06-18)

Features

Bug Fixes

  • dgw: IP restrictions fallback for ngrok TCP listeners (#881) (c2635ec6dc) (DGW-193)

    Now properly fallbacks to disabling IP restriction rules for TCP listeners as well.

  • dgw: rework network interface DTO definition (#871) (bc2cb96f9d) (DGW-133)

2024.2.1 (2024-05-22)

Bug Fixes

2024.2.0 (2024-05-21)

Features

  • webapp: allow ssh client to use encrypted ssh keys (#856) (6424c40ecb)

Improvements

Bug Fixes

  • webapp: new version button is available even when a more recent version is used (#846) (2b92c9ab3b) (DGW-182)

  • webapp: fix misaligned "Fill form" buttons when the hostname is too long (#844) (1b8a6ebe9c) (DGW-180)

  • webapp: fix force rescan button (#847) (a08dd3159e) (DGW-185)

  • webapp: add tooltip to menu warning icon when session is closed (#852) (b4ed845695) (DGW-145)

  • webapp: prevent suspicious "e" console logs (#851) (cbf9bd360e) (DGW-164)

    Downgrade the Primeng package as the log was introduced in version 16.5.0.

  • webapp: connect session button stays grayed out intermittently (#855) (3fdce898e5) (DGW-183)

  • dgw: write new JRL into a temporary file, and swap on success (#857) (d91f1cfb6a) (DGW-104)

    It’s preferable to proceed like this to avoid losing current JRL file if the file is truncated without being rewritten successfully immediately.

  • pwsh: fix reading .pem files from PowerShell runspace (#859) (98437f6f4e)

  • webapp: format the error backtrace to show line breaks (#860) (7e50a04dbd) (DGW-169)

  • webapp: menu icon does not update on error for RDP, ARD, VNC (#861) (235e3a72f5) (DGW-168)

  • webapp: tooltip for the selected protocol is always set to RDP (#862) (717d53e149) (DGW-187)

  • dgw: prevent error traces caused by browser behavior (#864) (25b86ea1b3) (DGW-128)

    Since those are not actual errors, this was creating noise in the logs.

Performance

  • dgw: keep HTTP connections open for 10 minutes (#863) (245e2cfb26)

    Most browsers will keep HTTP connections open to increase throughput when performing subsequent transactions. For simplicity, we don’t distinguish between idle and non-idle connections.

Build

2024.1.6 (2024-05-06)

Features

  • webapp: add ssh key authentication (#796) (a884cbb8ff)

  • dgw: add /jet/jrec/play endpoint (#806) (3e7aa30da7) (DGW-111)

  • webapp: network scanning (#826) (1e4a18a23c) (DGW-119)

  • dgw: return disk space available for recordings (#827) (c0776d43de) (DGW-100)

    The total and available space used for storing recordings is now returned inside the heartbeat response.

    If the system does not support this operation, the fields are excluded from the response.

  • dgw: add /jet/jrec/delete/<ID> endpoint (#834) (0965f4e2a7) (DGW-96)

    This new endpoint is used for deleting recordings and allow the service provider (e.g.: DVLS) to delete them according to its policy.

  • dgw: add recording_storage_is_writeable in heartbeat (#835) (a209dc6933) (DGW-175)

  • dgw: WebM player for remote desktop recordings (#832) (58362b9c4a) (DGW-110)

    Adds a video and xterm player at the GET /jet/jrec/play endpoint which supports multiple videos and builds the page dynamically based on the type of recording.

Improvements

Bug Fixes

  • dgw: error code on service startup failure (#816) (66e7ce2599) (DGW-174)

    Instead of panicking when failing to start the service, we instead attempt to log the error to the log file and return an error code.

  • webapp: login screen not shown when opening /jet/webapp/client/ (#839) (b58b03832f) (DGW-176)

  • installer: [breaking] install Gateway service as NetworkService (#838) (1c8a7d2e0a)

Performance

  • dgw: use a buffer of 1k bytes for ARD VNC sessions (#809) (5697097561) (DGW-138)

    Apple ARD uses the so-called MVS video codec. It is a tricky codec: Apple didn't implement proper congestion control, so it's basically just TCP controlling the flow (not by much). Our MVS implementation for the web client is obviously not as fast as the native one, and can’t keep up when there are too much data in transit. To reduce the amount of data in transit, we reduced the size of the copy buffer when using web socket forwarding endpoint and if the application protocol of the session is set to ARD.

Build

2024.1.5 (2024-04-04)

Bug Fixes

  • installer: prevent possible prompt for firewall access in Windows installer (f9760f2a1b)

2024.1.4 (2024-03-22)

Bug Fixes

Build

2024.1.3 (2024-03-08)

Features

  • webapp: version number at the bottom of the app menu (#752) (e46b4fc5a9)

  • webapp: check if a new version is available (#757) (d2d8811c36)

  • webapp: bump iron-remote-gui-vnc to 0.2.1 (#754) (6c3df0c18e)

    • Support for client-side rendered hardware-accelerated cursors

Improvements

Bug Fixes

  • webapp: update IronVNC to 0.1.6 (#749) (ffc4427dca)

    • fix connection not shut down properly

  • webapp: shutdown not called when closing from left menu (#750) (ace64d3eb6) (DGW-167)

  • installer: properly write ARP InstallLocation on fresh installs (270c4e981d)

  • webapp: show error backtrace for VNC, ARD and RDP clients (#751) (c5caf5ab25) (DGW-162)

2024.1.2 (2024-03-05)

Bug Fixes

2024.1.1 (2024-02-29)

Features

  • webapp: bump IronVNC and IronRDP packages (#730) (dd46b48559)

    • RDP: enable performance flags
    • VNC: disable MVS codec for ARD
    • VNC: clipboard support

Bug Fixes

  • installer: layout tweaks for better HiDPI support (#724) (dd864ba80e)

  • webapp: disable debug logging by default (#726) (27d70c9af4)

    Remove console.logs and turn off debugwasm for IronRDP and IronVNC.

  • webapp: UI issues in sidebar menu and web form (#727) (6b605780c3)

  • dgw: fix Linux issues with network scanner (#715) (0c6f644724)

  • webapp: update SSH and Telnet packages (#728) (5bc14ec9c7)

    Fixes a bug when the hostname is incorrect where the connection to the Gateway was being lost, and close session elegantly.

Documentation

2024.1.0 (2024-02-26)

Features

  • dgw: standalone web application V1 🎉

  • installer: new Windows installer built using WixSharp

  • pwsh: add powershell user management with argon2 password hashing (#658) (7157ad6082)

  • installer: add ngrok configuration support (#669) (2caeabab2e)

  • dgw: debug option to set the webapp path (#663) (7da20760f1)

    The DGATEWAY_WEBAPP_PATH env variable is conserved. A new stable and documented configuration key is added: WebApp.StaticRootPath. The environment variable will be checked first, then the key in the config file, and if nothing is specified, we fall back to a webapp folder along the executable.

  • dgw: network scan HTTP API (#689) (846f21d660)

Improvements

  • dgw: use all resolved addresses when connecting (#601) (fe4dc63e40) (DGW-125)

    This patch ensures Devolutions Gateway does not immediately discard resolved addresses which are not emitted first by Tokio’s lookup_host.

    Typically, the first address is enough and there is no need to try subsequent ones. Therefore, it is not expected for this change to cause any additional latence in the the vast majority of the cases. However, just to be on the safe side and enable easier troubleshooting, a WARN-level log is emitted when failing at connecting to a resolved address. If latence were to be introduced by this patch, we can easily be made aware of the problem and investigate further (network configuration, etc).

    If this proves to be a problem in the future, we can add filtering options. For instance, on a network where IPv4 is not supported or disabled, we may want to filter out all the IPv4 addresses which may be resolved by the Devolutions Gateway.

  • dgw: improve logs quality for JMUX proxy (abaa7b23bb)

    Notably, status codes like ECONNRESET or ECONNABORTED are not considered anymore as actual errors, and will be logged accordingly.

  • dgw: improve JMUX proxy error display in logs (#666) (a42b9d6395)

Bug Fixes

  • dgw: upgrade Windows store resolve error log (#617) (4c4df605d0)

    This can help with troubleshooting configuration problems with Windows system certificate store.

  • dgw: better status code for unreachable KDC server (#618) (d0cbd7f6db)

  • dgw: spurious warning when using a wildcard certificate (#647) (b2244a9ab4)

  • dgw: ensure the hostname matches TLS certificate (#648) (6ebee46634)

    Warning logs are ignored at this point (logger not yet initialized), so it doesn’t really help. Since specifying a hostname not matching the TLS subject name is a configuration error, we now return an error upon loading the configuration.Log warnings are ignored at this point, so it doesn’t really help.

  • dgw: better support for ngrok free plan (#718) (dc58835e20) (DGW-134)

    Our installer is allowing the 0.0.0.0/0 CIDR by default because premium plans need the IP restrictions to be configured or just all external traffic. However this doesn’t play well with the free plan. This patch is using a dirty trick to detect the free plan and ignores the IP restriction configuration when it is detected.

Build

2023.3.0 (2023-10-30)

Features

  • pwsh: add (Get|Set|Reset)-DGatewayConfigPath cmdlets (#572) (d162015843) (DGW-113)

  • pwsh: verbosity profile, ngrok tunnel configuration (#577) (51c4d9cee3) (DGW-112)

  • dgw: support for Windows Certificate Store (#576) (913f9fad03) (DGW-105)

    New configuration keys:

    • TlsCertificateSource: Source for the TLS certificate (External or System).
    • TlsCertificateSubjectName: Subject name of the certificate.
    • TlsCertificateStoreName: Name of the System Certificate Store.
    • TlsCertificateStoreLocation: Location of the System Certificate Store.

  • pwsh: add new TLS configuration options (#581) (3c12469989) (DGW-120)

  • dgw: support for PFX files (#583) (9ab145d7ea) (DGW-121)

    PFX files may now be specified in the TlsCertificateFile option. Furthermore, a new optional option is added: TlsPrivateKeyPassword. This option may be used when the PFX file is encrypted using a passkey.

Improvements

  • dgw: [breaking] adjust ngrok options (#575) (c30de99d5b)

    Some ngrok options are not making much sense for Devolutions Gateway and were removed:

    • PROXY protocol: we do not handle PROXY protocol in Devolutions Gateway and instead make use of Conn::peer_addr to find the original client IP.
    • Basic Authentication: we have our own way to handle the authentication using Json Web Tokens.
    • Schemes: only HTTPS should be used when exposing a Devolutions Gateway on internet.

    The Authtoken key was also renamed to AuthToken for readability.

Documentation

2023.2.4 (2023-10-16)

Features

  • dgw: new VerbosityProfile option (#570) (969c42f7a7)

    This adds a stable option to configure log verbosity.

Improvements

  • dgw: add support for more X.509 cert PEM labels (#519) (67e9a483a2)

    Devolutions Gateway will now recognize X509 CERTIFICATE and TRUSTED CERTIFICATE as valid PEM labels for X.509 certificates.

  • dgw: more trace records for RDP extension (#518) (84134481f2)

    This will help when troubleshooting web client issues.

  • dgw: improve logs quality (#557) (fb1ffd07f7) (#528) (433e25382e)

    • Records additional info on running sessions
    • Improves file rotation

Bug Fixes

Build

2023.2.3 (2023-08-15)

Bug Fixes

  • dgw: error 500 when recording folder is missing (#502) (3b1992e647) (DGW-99)

    When listing the recordings, if the recording directory does not exist, it means that there is no recording yet (and the folder will be created later). However, Devolutions Gateway is attempting to read this folder anyway and the HTTP error 500 (Internal Server Error) is returned. This patch fixes this by returning an empty list as appropriate.

  • dgw: typo in TLS forward route (#510) (7cea3c055a) (DGW-102)

    The name of the endpoint was wrong, and thus /jet/fwd/tls was returning the 404 Not Found status. Furthermore, the with_tls option was not properly set.

Documentation

2023.2.2 (2023-06-27)

Features

Improvements

  • dgw: durations in seconds in ngrok config (#485)

    Previously, a Duration was deserialized from a string using the humantime_serde crate. With this patch, the duration is specified in seconds using an integer.

    In other words, this code:

    #[serde(default, skip_serializing_if = "Option::is_none", with = "humantime_serde")]
pub heartbeat_interval: Option<Duration>,

    Is changed into this:

    #[serde(skip_serializing_if = "Option::is_none")]
pub heartbeat_interval: Option<u64>,

  • dgw: make Ngrok listeners appear in configuration diagnostic (#485)

Bug Fixes

  • dgw: truncated payload after PCB reading (#483) (875967f15b) (DGW-97)

    Too many bytes are consumed when PCB string is missing the null-terminator.

    Indeed, until now the number of bytes to consume was found by computing the size of the previously decoded PCB when re-encoded. IronRDP will always encode PCB string with a null-terminator (just like mstcs client). This is generally correct, but will cause payload truncation when the received PCB string did not originally contain the null-terminator.

    This patch is changing this. The "cursor API" is used instead, and cursor position after reading the PCB can be used to find the number of bytes actually read (even if re-encoding the PDU would give a different result).

2023.2.1 (2023-06-09)

Improvements

  • jetsocat: JETSOCAT_LOG instead of RUST_LOG (db06a3d32)

Bug Fixes

  • jetsocat / dgw: ignore case for hosts and schemes (6666623219)

    Case is irrelevant when comparing hostnames and schemes. Note: using eq_ignore_ascii_case is okay because we don’t really expect unicode in such context.

  • dgw: KDC proxy auth using token in path (2173ecec4d) (DGW-94)

2023.2.0 (2023-05-31)

Features

  • dgw: /jet/jrec endpoint for session recording (#404) (bbc0c41941) (DGW-64) (#408) (51355a1ac4) (#410) (8a28a44d5d) (#417) (56578f8785) (1816b9586f)

    Adds new JREC token type for session recording. Adds new jet_rft (recording file type) private claim. Handles /jet/jrec route for WSS to file streaming.

  • dgw: /jet/heartbeat endpoint (#406) (605d3871de)

    The /jet/heartbeat endpoint requires a scope token for the "gateway.heartbeat.read" scope. It is very similar to /jet/health, but returns additional information that should not be publicly available such as the current number of running sessions.

  • dgw: /jet/jrec/list endpoint (#412) (332c86fc5e)

  • dgw: /jet/jrec/pull/{id}/{filename} endpoint (#416) (8187f8bb2e) (#431) (66dc4e3009)

    Recording files can be fetched using this new endpoint and a JREC token with the jet_rop operation set to pull.

  • dgw: ngrok tunnel support (711164010a) (9e29a1d3ce)

  • dgw: add ldap, ldaps application protocols (#432) (bdb34ef27e)

  • dgw: add known application protocol "tunnel" (c3142870f2) (ARC-142)

    This is known as Devolutions Gateway Tunnel on RDM side.

Improvements

  • dgw: [breaking] move jet/{tcp,tls} endpoints under /jet/fwd (#407)

    That is:

    • /jet/tcp/jet/fwd/tcp
    • /jet/tls/jet/fwd/tls

    This is a breaking change, but these routes were not yet used by any other Devolutions product until 2023.2.x releases, so it is safe to change this at this point.

  • jetsocat: default port in WebSocket URLs (#413) (354e097d4e)

    With this change, port may be omitted from the WebSocket URL. In such case, the default port will be used (either 80 or 443).

  • dgw: log version on start (#414) (7391114a4d)

    Useful when troubleshooting issues using user’s logs.

  • dgw: improve HTTP error reporting (#415) (ad19a2fa7c)

  • pwsh: use .NET 6 RSA APIs when available (#435) (974d8ee1da)

    Use .NET 6 RSA public/private key APIs when available.

  • dgw: graceful shutdown (ef1d12d468)

  • dgw: do not enforce scheme in /jet/fwd routes (#430) (54e467f803)

    This was inconsistent with other routes such as /jet/jmux where dst_hst will have the http or https scheme, but this is simply used as a filter policy and Devolutions Gateway will not wrap the stream further into an "https protocol layer".

    Instead, we rely on the requested URI to choose between plain TCP and TLS wrapping at proxy level (i.e.: /jet/fwd/tcp vs /jet/fwd/tls).

Performance

  • dgw: re-use TLS client config (#433) (b6ebb01aad)

    As of rustls 0.21, it’s possible to disable the TLS resumption that is not supported by some services such as CredSSP.

    This allow us to reuse the same TLS client config and connector for all proxy-based TLS connections. (TlsConnector is just a wrapper around the config providing the connect method.)

    Making one of these can be expensive, and should be once per process rather than once per connection.

    source

Bug Fixes

  • jetsocat: gracefully handle invalid native root certificates

    In tokio-tungstenite crate, the rustls::RootCertStore::add method was used to add all the root certificates found by rustls_native_certs crate. This is a problem when an ancient or invalid certificate is present in the native root store. rustls documentation says the following:

    This is suitable for a small set of root certificates that are expected to parse successfully. For large collections of roots (for example from a system store) it is expected that some of them might not be valid according to the rules rustls implements. As long as a relatively limited number of certificates are affected, this should not be a cause for concern. Use RootCertStore::add_parsable_certificates in order to add as many valid roots as possible and to understand how many certificates have been diagnosed as malformed.

    It has been updated to use RootCertStore::add_parsable_certificates instead for maximal compability with system store.

    Parse the given DER-encoded certificates and add all that can be parsed in a best-effort fashion.

    This is because large collections of root certificates often include ancient or syntactically invalid certificates.

2023.1.3 (2023-03-16)

Bug Fixes

Features

2023.1.2 (2023-03-13)

Improvements

  • dgw: size-based log rotation (#393) (e3acafcfcd) (DGW-34)

    Set a maximum size of 3 MB for each file and a maximum of 10 log files. With this change, Devolutions Gateway should never consume more than 30 MB for its logs.

  • pwsh: sort certification chain from leaf to root (#394) (f7ff93c6df) (DGW-80)

  • installer: improved error handling in Windows installer (#397) (2766e5fffe) (DGW-78)

    PowerShell configuration commands are now executed as custom actions instead of WixSilentExec. Errors are tracked and, if the installer is running with UI, an appropriate error message is shown to the user.

    PowerShell command output is redirected to a temporary file; in the case of an error we provide the user the path to that file. A general command execution error will display a string error value.

    Custom actions are refactored slightly for consistency and readability:

    • Internal functions now only return void, BOOL, or HRESULT where possible. Errors are always handled as HRESULT and other results (e.g. Win32 error codes, LSTATUS, null references) are converted to HRESULT and handled with the different WiX macros (e.g. ExitOnWin32Error).
    • Consolidate on WixGetProperty instead of MsiGetProperty and be careful to release the resulting strings (ReleaseStr)
    • Consolidate on nullptr instead of NULL

  • installer: rollback on error in Windows installer (#397) (2766e5fffe) (DGW-76)

    For first time installs, if the installation fails, files that may have been created by the configuration process are cleaned up.

2023.1.1 (2023-02-22)

Improvements

  • dgw: better TLS leaf certificate public key extracting (#390) (a4dec08e23)

    Use x509-cert crate to extract the public key from the leaf TLS certificate. x509-cert supports more certificates.

Build

2023.1.0 (2023-02-14)

Features

  • dgw: clean path PDU extension for RDP (3bc0643818) (ARC-109)

  • installer: show *.cer when browsing for certificate files (#383) (2de4a3880d)

    .cer is another popular extension for certificate files.

  • jetsocat: file-based pipes (#385) (62394d3b48)

    • write-file://<PATH>: write file at the specified location
    • read-file://<PATH>: read wile at the specified location

  • dgw: add service version to health check JSON response (d9f5472120)

Bug Fixes

  • jetsocat: use rustls-native-certs on macOS and Linux (#382) (7305ce42be)

    Let rustls use the platform’s native certificate store.

Build

2022.3.4 (2023-01-16)

Bug Fixes

  • pwsh: nil UUID when creating an empty DGatewayConfig (#372) (370ed02947) (DGW-73)

    Without this patch, the nil UUID is used as the "missing" value instead of $null.

  • installer: ensure default config on install, properly set access URI host (a506c871ee) (DGW-72)

    Ensures a default config is created using the Devolutions Gateway binary before applying "Configure now".

  • installer: avoid Unicode char literals (#376) (8d94f94b81) (DGW-74)

    Unicode character literals in source files can be problematic, depending on the editor and encoding. Instead, avoid the issue by masking the character with an asterisk instead of a Unicode "bullet".

Build

Documentation

Features

  • dgw: add Telnet protocol variant (b89d553095) (DGW-70)

    This change is making possible to omit the port in the target host field. The Telnet default port will be inferred as appropriate.

2022.3.3 (2022-12-12)

Improvements

  • dgw: set default TCP port to 8181 (#364) (9df3a0e6d0) (DGW-66)

  • Normalize file extensions (#367) (5d26d7338f) (DGW-67)

    By convention:

    • .pem -> public key
    • .key -> private key
    • .crt -> certificate

    Note that this is merely a convention, not a standard, and file openers should be able to select a .key file when choosing a public key (through the drop-down menu typically)

  • installer: start the Gateway service at install time (#363) (b07ccd4ed9)

Bug Fixes

2022.3.2 (2022-11-25)

Improvements

  • installer: install service as "Local Service" again (fewer permissions) (#353, #354)
  • jetsocat: automatically clean old log files (#346) (d0325307e7)
  • dgw: IPv6 support (#350) (d591085a69)
  • dgw: support for full TLS certificate chain (#359) (ee1f560fd5)

Features

  • installer: enable configuration of Devolutions Gateway via installer UI on Windows (#348) (6392ed9f86)

Build

2022.3.1 (2022-10-03)

Improvements

Features

  • dgw: extend subkey capabilities to KDC tokens (#334) (cdc53d0e98)

    With this change, a subkey is allowed to sign a short-lived KDC token.

2022.3.0 (2022-09-21)

Bug Fixes

  • dgw: revert service as "Local Service" (c4f8d24d5d)

  • dgw: Content-Type header present twice for Json responses (#315) (c0976d85f3)

    Indeed, Content-Type is a "singleton field": a single member is anticipated as the field value.

    RFC9110 says:

    Although Content-Type is defined as a singleton field, it is sometimes incorrectly generated multiple times, resulting in a combined field value that appears to be a list. Recipients often attempt to handle this error by using the last syntactically valid member of the list, leading to potential interoperability and security issues if different implementations have different error handling behaviors.

  • jmux-proxy: properly cancel proxy task (#327) (f62143eb4a)

    Previously, JMUX proxy task wasn't properly shut down because tokio tasks are detached by default (similar to std::thread::spawn). This adds a helper wrapper to explicitely specify whether a task should be joined or detached.

Features

  • OpenAPI document and auto-generated C# and TypeScript clients

  • dgw: retrieve KDC token from the path (f9b66c11f5)

  • dgw: subkey tokens (#287) (bebee0ed59)

  • dgw: support for CORS calls (#288) (388b1f6efb)

  • dgw: expose gateway ID in configuration endpoint (f15d33a072)

  • dgw: add general claim jet_gw_id (#293) (7a22ea1d0d)

    When this claim is specified, a given token can only be used on a Gateway with the very same ID.

  • dgw: wildcard scope tokens (#294) (1c98c151f9)

  • dgw: config pushing endpoint (8ff1ebed0d)

  • dgw: lossless and simpler config DTO (ba6830144d)

  • dgw: subscriber API (a80282ebd7)

  • dgw: add --config-init-only cli option (89cd2b775e)

  • dgw: limit JMUX wildcard addresses (#302) (8a95130e51)

    The same port must be used.

  • dgw: jet/health endpoint now returns Gateway identity

    The Accept HTTP header must be set to application/json for this.

  • powershell: update module (71e15a4d52)

    • Deprecate PrivateKeyFile and CertificateFile in favor of TlsPrivateKeyFile and TlsCertificateFile. This change is backward compatible (older naming are recognized by cmdlets).

    • Add Id, Subscriber and SubProvisionerPublicKey to config class.

    • Allow Set-DGatewayConfig to set Id, Subscriber and SubProvisionerPublicKey values.

  • dgw: forced session termination support (16c119b025)

    This adds the endpoint POST /jet/session/<id>/terminate. This is similar to what we had back in Wayk Bastion except it’s not P2P.

  • dgw: maximum session lifetime enforcing (9b801624fc)

    This adds a new claim jet_ttl specifying the maximum lifetime for a given session. Devolutions Gateway will kill the session if it is still running after the deadline.

  • jetsocat: HTTP proxy listener (04bd6da206)

    HTTP proxy listener now handles both HTTPS (tunneling) proxy requests and HTTP (regular forwarding).

Security

  • dgw: Smaller token reuse interval for RDP sessions (832d00b6c1)

    With this change, we do not allow reuse for RDP sessions more than a few seconds following the previous use. The interval is 10 seconds which is expected to give plenty of time to RDP handshake and negotiations. Once this interval is exceeded, we consider the RDP session is fully started and the same token can't be reused anymore.

    Two reasons why this is beneficial:

    • Security wise: the reuse interval is considerably shortened
    • Feature wise: more efficient forced RDP session termination

    Regarding the second point: Windows’ mstsc will keep alive the session by re-opening it immediately. Because we allow token reuse in a limited fashion for RDP, as long as the association token is not expired, the terminate action has effectively no visible effect (besides that multiple sessions occurred). Reducing the reuse interval greatly improves the situation.

2022.2.2 (2022-06-14)

  • Update dependencies with CVE reports

  • pwsh: update token generation cmdlet

  • dgw: remove unused /jet/sessions/count route

  • dgw: lossless unknown application strings

    With this change, unknown application protocols will display session information as well. Previously, any unknown value was just treated as the "unknown" string.

2022.2.1 (2022-05-30)

  • Migrate logging infrastructure to tracing

  • dgw: duplicate /jmux and /KdcProxy endpoints under /jet

  • dgw: log files are now rotated on a daily basis (old log files are deleted automatically)

  • dgw: new LogDirective config option

  • dgw: downgrade health route logs to debug level

  • dgw: JMUX filtering through claims (* is used to generate an "allow all" rule)

  • dgw: optional application protocol claim in JMUX tokens to find good default ports

  • dgw: PowerShell via SSH application protocol has been renamed from pwsh to ssh-pwsh

  • dgw: new known application protocols

    • PowerShell via WinRM (winrm-http-pwsh, winrm-https-pwsh)
    • VNC (vnc)
    • SCP (scp)
    • HTTP (http)
    • HTTPS (https)

  • jetsocat: process watcher option (--watch-parent, --watch-process)

  • jetsocat: pipe timeout option (--pipe-timeout)

  • jetsocat: HTTP(S) tunneling (proxy) listener for JMUX proxy (http-listen://<BINDING_ADDRESS>)

2022.1.1 (2022-03-09)

  • diagnostics/configuration endpoint now also returns Gateway's version

  • New diagnostics/clock endpoint to troubleshoot clock drift

  • Initial KDC proxy implementation

  • Windows installer (MSI) now installs Gateway service as "Local Service" (fewer permissions)

2021.1.7 (2021-12-07)

  • JMUX multiplexing protocol implementation for jetsocat and gateway server

  • Improve various startup validations and diagnostics

  • Support for generic plain TCP forwarding (e.g.: raw SSH forwarding)

    This requires sending a preconnection PDU containing an appropriate token

  • Duplicate root HTTP endpoints under /jet (this help simplifying routing configurations)

  • Support for alternative hosts to try in successive order

  • Token reuse mitigation based on IP address (RDP protocol requires to connect multiple times and previously used token can't just be rejected)

2021.1.6 (2021-08-11)

  • jetsocat now builds for Apple Silicon (aarch64-apple-darwin)

  • Update SOGAR and replace sogar-cli with sogar-core

  • Authorization improvements (PR#174, PR#175)

  • Add an endpoint to retrieve logs (GET /diagnostics/logs)

  • Add an endpoint to retrieve configuration (GET /diagnostics/configuration)

  • Add an endpoint to list sessions (GET /sessions)

2021.1.5 (2021-06-22)

  • jetsocat tool has been rewritten and CLI overhauled

  • SOGAR registry support

    • Recorded sessions can be pushed to a registry
    • Devolutions Gateway itself can be used as a registry

2021.1.4 (2021-05-04)

  • Add logs to track all HTTP requests received and processed

  • Add Linux service registration support in debian package

  • Add Install/Uninstall package commands in PowerShell module

2021.1.3 (2021-04-13)

  • Fix infinite loop issue when the precondition pdu was not completely received

  • Fix possible stability issue with protocol peeking

2021.1.2 (2021-03-26)

  • Fix broken Linux container image (missing executable)

  • Add PowerShell module .zip/.nupkg to release artifacts

  • Add experimental session recording plugin architecture

2021.1.1 (2021-02-19)

  • Fix missing internal version number update

2021.1.0 (2021-02-19)

  • Internal upgrade from futures 0.1 to 0.3

  • TCP listener now routes both RDP and JET

  • Remove unneeded dummy HTTP listener

2020.3.1 (2020-12-03)

  • Fix IIS ARR websocket issue (SEC_WEBSOCKET_PROTOCOL header)

  • Update Devolutions Gateway to internal version 0.14.0

2020.3.0 (2020-10-27)

  • Initial PowerShell module public release

  • Update Devolutions Gateway to internal version 0.14.0

  • Support file to configure the Devolutions-Gateway (gateway.json)

  • Update CLI parameters to match parameters defined in file

  • WAYK-2211: candidate gathering jet token restriction

0.12.0 (2020-08-25)

  • Add Jet V3 connection test support

  • Add /jet/health route alias for /health (for simplified reverse proxy rules)

0.11.0 (2020-05-28)

  • Fix websocket connection. Enable HTTP upgrade for the hyper connection.

  • Add jet instance name in health response.

0.10.9 (2020-05-13)

  • Fix websocket listener. An error was returned by the tls acceptor. Ignore those errors.

0.10.8 (2020-05-12)

  • Don't panic if listeners future returns an error. Just print the error and close the application

0.10.7 (2020-05-12)

  • Exactly same as 0.10.6 (forced re-deployment)

0.10.6 (2020-05-12)

  • Exactly same as 0.10.5 (forced re-deployment)

0.10.5 (2020-05-11)

  • Exactly same as 0.10.4 (forced re-deployment)

0.10.4 (2020-05-11)

  • Add module name in logs.

  • Add curl to Docker container.

0.10.3 (2020-05-08)

  • Exactly same as 0.10.2 (forced re-deployment)

0.10.2 (2020-05-05)

  • Remove color from logs

0.10.1 (2020-03-26)

  • Exactly same as 0.10.0 (workaround to deploy a new version in prod without issue with ACI)

0.10.0 (2020-03-23)

  • Add provisioner public key

  • DVC with GFX integration

  • Fixes an issue where some associations were not removed (ghost associations).