v2024.1.2

Bug Fixes

• webapp: authentication list state is not preserved on error (#735) (f2852d99ad) (DGW-147)

• webapp: fix web form controls data submission (#736) (d2f793b71f) (DGW-151)

• webapp: add favicon (#738) (2fe051369d)

• webapp: configure angular production build (#737) (52b58b92bd) (DGW-144)

• webapp: web form UI - fix spinner for autocomplete (#740) (8649bd3eac)

• webapp: bump IronVNC and IronRDP packages (#744) (6677ed0a41)

  • RDP: fix performance flags
  • VNC: better error status codes on authentication
  • VNC: fix initial screen state not being properly painted

• pwsh: support for non-PEM, binary certificate files (#745) (6f7589f598) (DGW-135)

Documentation

• webapp: updated fontscdn link (#729) (989e5b98fc)

v2024.1.1

Features

• webapp: bump IronVNC and IronRDP packages (#730) (dd46b48559)

  • RDP: enable performance flags
  • VNC: disable MVS codec for ARD
  • VNC: clipboard support

Bug Fixes

• installer: layout tweaks for better HiDPI support (#724) (dd864ba80e)

• webapp: disable debug logging by default (#726) (27d70c9af4)

  Remove console.logs and turn off debugwasm for IronRDP and IronVNC.

• dgw: UI issues in sidebar menu and web form (#727) (6b605780c3)

• dgw: fix Linux issues with network scanner (#715) (0c6f644724)

• webapp: update SSH and Telnet packages (#728) (5bc14ec9c7)

  Fixes a bug when the hostname is incorrect where the connection to the Gateway was being lost, and close session elegantly.

Documentation

• pwsh: update PSGallery tags (#725) (edd9fcff6b)

This build also includes the changes from 2024.1.0 (2024-02-26)

Features

• dgw: standalone web application V1 🎉

• installer: new Windows installer built using WixSharp

• pwsh: add powershell user management with argon2 password hashing (#658) (7157ad6082)

• installer: add ngrok configuration support (#669) (2caeabab2e)

• dgw: debug option to set the webapp path (#663) (7da20760f1)

  The DGATEWAY_WEBAPP_PATH env variable is conserved.
  A new stable and documented configuration key is added: WebApp.StaticRootPath.
  The environment variable will be checked first, then the key in the config file,
  and if nothing is specified, we fall back to a webapp folder along the executable.

• dgw: network scan HTTP API (#689) (846f21d660)

Improvements

• dgw: use all resolved addresses when connecting (#601) (fe4dc63e40) (DGW-125)

  This patch ensures Devolutions Gateway does not immediately discard
  resolved addresses which are not emitted first by Tokio’s lookup_host.

  Typically, the first address is enough and there is no need to try
  subsequent ones. Therefore, it is not expected for this change to
  cause any additional latence in the the vast majority of the cases.
  However, just to be on the safe side and enable easier troubleshooting,
  a WARN-level log is emitted when failing at connecting to a resolved
  address. If latence were to be introduced by this patch, we can
  easily be made aware of the problem and investigate further (network
  configuration, etc).

  If this proves to be a problem in the future, we can add filtering
  options. For instance, on a network where IPv4 is not supported or
  disabled, we may want to filter out all the IPv4 addresses which may
  be resolved by the Devolutions Gateway.

• dgw: improve logs quality for JMUX proxy (abaa7b23bb)

  Notably, status codes like ECONNRESET or ECONNABORTED are not
  considered anymore as actual errors, and will be logged accordingly.

• dgw: improve JMUX proxy error display in logs (#666) (a42b9d6395)

Bug Fixes

• dgw: upgrade Windows store resolve error log (#617) (4c4df605d0)

  This can help with troubleshooting configuration problems with
  Windows system certificate store.

• dgw: better status code for unreachable KDC server (#618) (d0cbd7f6db)

• dgw: spurious warning when using a wildcard certificate (#647) (b2244a9ab4)

• dgw: ensure the hostname matches TLS certificate (#648) (6ebee46634)

  Warning logs are ignored at this point (logger not yet initialized),
  so it doesn’t really help. Since specifying a hostname not matching the
  TLS subject name is a configuration error, we now return an error upon
  loading the configuration.Log warnings are ignored at this point, so it
  doesn’t really help.

• dgw: better support for ngrok free plan (#718) (dc58835e20) (DGW-134)

  Our installer is allowing the 0.0.0.0/0 CIDR by default because
  premium plans need the IP restrictions to be configured or just
  all external traffic. However this doesn’t play well with the free
  plan. This patch is using a dirty trick to detect the free plan
  and ignores the IP restriction configuration when it is detected.

Build

• Include debug symbols for NuGet packages (.snupkg) (186a319b71)

• dgw: eliminate openssl link dependency on Linux (#707) (8ffb181995)

v2023.3.0

Features

• pwsh: add (Get|Set|Reset)-DGatewayConfigPath cmdlets (#572) (d162015843) (DGW-113)

• pwsh: verbosity profile, ngrok tunnel configuration (#577) (51c4d9cee3) (DGW-112)

• dgw: support for Windows Certificate Store (#576) (913f9fad03) (DGW-105)

  New configuration keys:

  • TlsCertificateSource: Source for the TLS certificate (External or System).
  • TlsCertificateSubjectName: Subject name of the certificate.
  • TlsCertificateStoreName: Name of the System Certificate Store.
  • TlsCertificateStoreLocation: Location of the System Certificate Store.

• pwsh: add new TLS configuration options (#581) (3c12469989) (DGW-120)

• dgw: support for PFX files (#583) (9ab145d7ea) (DGW-121)

  PFX files may now be specified in the TlsCertificateFile option.
  Furthermore, a new optional option is added: TlsPrivateKeyPassword.
  This option may be used when the PFX file is encrypted using a passkey.

Improvements

• dgw: [breaking] adjust ngrok options (#575) (c30de99d5b)

  Some ngrok options are not making much sense for Devolutions Gateway
  and were removed:

  • PROXY protocol: we do not handle PROXY protocol in Devolutions Gateway
    and instead make use of Conn::peer_addr to find the original client IP.
  • Basic Authentication: we have our own way to handle the authentication
    using Json Web Tokens.
  • Schemes: only HTTPS should be used when exposing a Devolutions Gateway
    on internet.

  The Authtoken key was also renamed to AuthToken for readability.

Documentation

• Update README.md + COOKBOOK.md (#582) (4da466553e)

Continuous Integration

• Ensure upload to OneDrive works when dispatched with workflow_call (#571) (efe8019faa)

v2023.2.4

Features

• dgw: new VerbosityProfile option (#570) (969c42f7a7)

  This adds a stable option to configure log verbosity.

Improvements

• dgw: add support for more X.509 cert PEM labels (#519) (67e9a483a2)

  Devolutions Gateway will now recognize X509 CERTIFICATE and
  TRUSTED CERTIFICATE as valid PEM labels for X.509 certificates.

• dgw: more trace records for RDP extension (#518) (84134481f2)

  This will help when troubleshooting web client issues.

• dgw: improve logs quality (#557) (fb1ffd07f7) (#528) (433e25382e)

  • Records additional info on running sessions
  • Improves file rotation

Bug Fixes

• dgw: proper timeout for HTTP listeners (#561) (90a0725651)

• dgw: shutdown streams gracefully after forwarding (#562) (6902137ad8)

Build

• Update dependencies (#513/837589748b) (#514/12af944c57) (#515/116e42285f) (#522/1fd5584365) (#521/25649a2bbe) (#520/b2a3849a8a) (#526/ec184527d8) (#527/7b7c3c065d) (#525/b1819084bc) (#531/b472c830bd) (#532/66ee3dff62) (#533/38ff1f27f6) (#535/54ce98208e) (#537/d4afcd6a3a) (#538/3d35fbb635) (#541/b50c0b7d20) (#540/d92c3433ab) (#543/2384fc8e8f) (#545/b1e05b1e7a) (#548/25f3c6c778) (#547/9560dc9cfd) (#549/37faedcfee) (#554/7987906a52) (#553/ccf737c11f) (#552/e98b7f27ef) (#556/2e839ae5ac)

• Update Rust toolchain to 1.73.0 (#560) (375ec71cf9)

Continuous Integration

• Skip OneDrive upload if the release workflow is a dry run (36ad076f32)

• Change github token (#542) (afbb7abcbf)

• Fix OneDrive upload job (#546) (787024e1f6)

v2023.2.3

Bug Fixes

• dgw: error 500 when recording folder is missing (#502) (3b1992e647) (DGW-99)

  When listing the recordings, if the recording directory does not exist,
  it means that there is no recording yet (and the folder will be created
  later). However, Devolutions Gateway is attempting to read this folder
  anyway and the HTTP error 500 (Internal Server Error) is returned. This
  patch fixes this by returning an empty list as appropriate.

• dgw: typo in TLS forward route (#510) (7cea3c055a) (DGW-102)

  The name of the endpoint was wrong, and thus /jet/fwd/tls was
  returning the 404 Not Found status.
  Furthermore, the with_tls option was not properly set.

Build

• deps: update dependencies

Documentation

• dgw: stabilize RecordingPath and Ngrok options (#489) (013569884e)

v2023.2.2

Features

• pwsh: initial devolutions gateway updater tool (#472) (d1f5e2053f)

Improvements

• dgw: durations in seconds in ngrok config (#485)

  Previously, a Duration was deserialized from a string
  using the humantime_serde crate. With this patch, the duration
  is specified in seconds using an integer.

  In other words, this code:

  #[serde(default, skip_serializing_if = "Option::is_none", with = "humantime_serde")]
  pub heartbeat_interval: Option<Duration>,

  Is changed into this:

  #[serde(skip_serializing_if = "Option::is_none")]
  pub heartbeat_interval: Option<u64>,

• dgw: make Ngrok listeners appear in configuration diagnostic (#485)

Bug Fixes

• dgw: truncated payload after PCB reading (#483) (875967f15b) (DGW-97)

  Too many bytes are consumed when PCB string is missing the
  null-terminator.

  Indeed, until now the number of bytes to consume was found by computing
  the size of the previously decoded PCB when re-encoded.
  IronRDP will always encode PCB string with a null-terminator (just like
  mstcs client). This is generally correct, but will cause payload
  truncation when the received PCB string did not originally contain
  the null-terminator.

  This patch is changing this. The "cursor API" is used instead, and
  cursor position after reading the PCB can be used to find the number of
  bytes actually read (even if re-encoding the PDU would give a different
  result).

Continuous Integration

• SBOM cdxgen (#471) (08520cdbbb)

Build

• deps: bump tokio-rustls from 0.24.0 to 0.24.1 (#468) (5b86f4af33)

• deps: bump sysinfo from 0.29.0 to 0.29.2 (#467) (dfc3e533b5)

• deps: bump log from 0.4.18 to 0.4.19 (#475) (c7bd46cd66)

• deps: bump serde_json from 1.0.96 to 1.0.97 (#473) (ff301e7c2b)

• Dependency bump and maintainance (#476) (a0f8abc113)

• deps: bump hyper from 0.14.26 to 0.14.27 (#480) (3f8c6cac73)

v2023.2.1

Improvements

• jetsocat: JETSOCAT_LOG instead of RUST_LOG (db06a3d32)

Bug Fixes

• jetsocat / dgw: ignore case for hosts and schemes (6666623219)

  Case is irrelevant when comparing hostnames and schemes.
  Note: using eq_ignore_ascii_case is okay because we don’t
  really expect unicode in such context.

• dgw: KDC proxy auth using token in path (2173ecec4d) (DGW-94)

Build

• deps: bump ngrok from 0.12.1 to 0.12.2 (#455) (ae95b255c0)

• deps: bump url from 2.3.1 to 2.4.0 (#456) (e6c0e7da6a)

v2023.2.0

Features

• dgw: /jet/jrec endpoint for session recording (#404) (bbc0c41941) (DGW-64) (#408) (51355a1ac4) (#410) (8a28a44d5d) (#417) (56578f8785) (1816b9586f)

  Adds new JREC token type for session recording.
  Adds new jet_rft (recording file type) private claim.
  Handles /jet/jrec route for WSS to file streaming.

• dgw: /jet/heartbeat endpoint (#406) (605d3871de)

  The /jet/heartbeat endpoint requires a scope token for the
  "gateway.heartbeat.read" scope. It is very similar to /jet/health, but
  returns additional information that should not be publicly available
  such as the current number of running sessions.

• dgw: /jet/jrec/list endpoint (#412) (332c86fc5e)

• dgw: /jet/jrec/pull/{id}/{filename} endpoint (#416) (8187f8bb2e) (#431) (66dc4e3009)

  Recording files can be fetched using this new endpoint and a
  JREC token with the jet_rop operation set to pull.

• dgw: ngrok tunnel support (711164010a) (9e29a1d3ce)

• dgw: add ldap, ldaps application protocols (#432) (bdb34ef27e)

• dgw: add known application protocol "tunnel" (c3142870f2) (ARC-142)

  This is known as Devolutions Gateway Tunnel on RDM side.

Improvements

• dgw: [breaking] move jet/{tcp,tls} endpoints under /jet/fwd (#407)

  That is:

  • /jet/tcp → /jet/fwd/tcp
  • /jet/tls → /jet/fwd/tls

  This is a breaking change, but these routes were not yet used by any other Devolutions product
  until 2023.2.x releases, so it is safe to change this at this point.

• jetsocat: default port in WebSocket URLs (#413) (354e097d4e)

  With this change, port may be omitted from the WebSocket URL.
  In such case, the default port will be used (either 80 or 443).

• dgw: log version on start (#414) (7391114a4d)

  Useful when troubleshooting issues using user’s logs.

• dgw: improve HTTP error reporting (#415) (ad19a2fa7c)

• pwsh: use .NET 6 RSA APIs when available (#435) (974d8ee1da)

  Use .NET 6 RSA public/private key APIs when available.

• dgw: graceful shutdown (ef1d12d468)

• dgw: do not enforce scheme in /jet/fwd routes (#430) (54e467f803)

  This was inconsistent with other routes such as /jet/jmux where
  dst_hst will have the http or https scheme, but this is
  simply used as a filter policy and Devolutions Gateway will not
  wrap the stream further into an "https protocol layer".

  Instead, we rely on the requested URI to choose between plain TCP
  and TLS wrapping at proxy level (i.e.: /jet/fwd/tcp vs /jet/fwd/tls).

Performance

• dgw: re-use TLS client config (#433) (b6ebb01aad)

  As of rustls 0.21, it’s possible to disable the TLS resumption that is
  not supported by some services such as CredSSP.

  This allow us to reuse the same TLS client config and connector for
  all proxy-based TLS connections.
  (TlsConnector is just a wrapper around the config providing the
  connect method.)

  Making one of these can be expensive, and should be once per process
  rather than once per connection.

  source

Build

• deps: update dependencies (abf5b00d33)

• deps: bump serde from 1.0.162 to 1.0.163 (#437) (3f3127a178)

• deps: bump tokio from 1.28.0 to 1.28.1 (#439) (2fefafe529)

• deps: bump uuid from 1.3.2 to 1.3.3 (#438) (561c89d0f3)

• deps: update tokio-tungstenite version (c1e9f506e1)

• deps: bump x509-cert from 0.2.1 to 0.2.2 (#444) (6bb0b24ff9)

• deps: bump chrono from 0.4.24 to 0.4.25 (#447) (46cdb1e737)

• deps: bump proptest from 1.1.0 to 1.2.0 (#449) (b82e21ac93)

• deps: bump tokio from 1.28.1 to 1.28.2 (#448) (7de2a2fd64)

Continuous Integration

• Build and package jet-doctor and tokengen (#423) (564717fbe2)

• Enable dependabot pull requests (988921039e)

• Update Artifactory credentials (#440) (8a4ecc003b)

• Limit builds on forked PRs, optimize CI workflow (#441) (39d5f9a350)

v2023.1.3

Bug Fixes

• installer: fix command execution and add validation (#401) (456f802962) (DGW-84)

Features

• dgw: WebSocket-TCP endpoint (/jet/tcp) (#399) (265f0dbe3f) (DGW-82)

• dgw: WebSocket-TLS endpoint (/jet/tls) (#400) (46368f6d43) (DGW-83)

v2023.1.2

Improvements

• dgw: size-based log rotation (#393) (e3acafcfcd) (DGW-34)

  Set a maximum size of 3 MB for each file and a maximum of 10 log files.
  With this change, Devolutions Gateway should never consume more than 30 MB for its logs.

• pwsh: sort certification chain from leaf to root (#394) (f7ff93c6df) (DGW-80)

• installer: improved error handling in Windows installer (#397) (2766e5fffe) (DGW-78)

  PowerShell configuration commands are now executed as custom actions instead of WixSilentExec.
  Errors are tracked and, if the installer is running with UI, an appropriate error message is shown to the user.

  PowerShell command output is redirected to a temporary file; in the case of an error we provide the user the path to that file.
  A general command execution error will display a string error value.

  Custom actions are refactored slightly for consistency and readability:

  • Internal functions now only return void, BOOL, or HRESULT where possible. Errors are always handled as HRESULT and other results (e.g. Win32 error codes, LSTATUS, null references) are converted to HRESULT and handled with the different WiX macros (e.g. ExitOnWin32Error).
  • Consolidate on WixGetProperty instead of MsiGetProperty and be careful to release the resulting strings (ReleaseStr)
  • Consolidate on nullptr instead of NULL

• installer: rollback on error in Windows installer (#397) (2766e5fffe) (DGW-76)

  For first time installs, if the installation fails, files that may have been created by the configuration process are cleaned up.