Releases: Devolutions/devolutions-gateway

v2022.3.0

23 Sep 13:07
f50c682

Bug Fixes

  • dgw: revert service as "Local Service" (c4f8d24)

  • dgw: Content-Type header present twice for Json responses (#315) (c0976d8)

    Indeed, Content-Type is a "singleton field": a single member is anticipated as the field value.

    RFC9110 says:

    Although Content-Type is defined as a singleton field,
    it is sometimes incorrectly generated multiple times,
    resulting in a combined field value that appears to be a list.
    Recipients often attempt to handle this error by using
    the last syntactically valid member of the list, leading to
    potential interoperability and security issues if different
    implementations have different error handling behaviors.

  • jmux-proxy: properly cancel proxy task (#327) (f62143e)

    Previously, JMUX proxy task wasn't properly shut down because tokio
    tasks are detached by default (similar to std::thread::spawn). This
    adds a helper wrapper to explicitly specify whether a task should be
    joined or detached.
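
For the duplicated Content-Type fix (#315) listed above, the following added example (not code from Devolutions Gateway) shows why RFC 9110 calls the duplicate a security concern: two lenient recipients pick different values from the same response, while a strict check rejects it. The response head is constructed for the example and the function names are hypothetical.

```rust
// Constructed response head: Content-Type appears twice with different values.
const SAMPLE: &str = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\
Content-Length: 2\r\ncontent-type: text/html\r\n\r\n{}";

/// All values of header `name` (case-insensitive), in the order received.
fn field_values<'a>(head: &'a str, name: &str) -> Vec<&'a str> {
    head.split("\r\n")
        .skip(1) // status line
        .take_while(|line| !line.is_empty()) // blank line ends the header block
        .filter_map(|line| line.split_once(':'))
        .filter(|(n, _)| n.trim().eq_ignore_ascii_case(name))
        .map(|(_, v)| v.trim())
        .collect()
}

/// Strict handling: a singleton field that occurs more than once is an error.
fn singleton<'a>(head: &'a str, name: &str) -> Result<Option<&'a str>, String> {
    let values = field_values(head, name);
    match values.len() {
        0 => Ok(None),
        1 => Ok(Some(values[0])),
        n => Err(format!("{} sent {} times: {:?}", name, n, values)),
    }
}

fn main() {
    let values = field_values(SAMPLE, "Content-Type");
    // Two lenient recipients disagree about how to interpret the body.
    println!("first-wins parser: {:?}", values.first());
    println!("last-wins parser:  {:?}", values.last());
    println!("strict check:      {:?}", singleton(SAMPLE, "Content-Type"));
}
```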

Features

  • OpenAPI document and auto-generated C# and TypeScript clients

  • dgw: retrieve KDC token from the path (f9b66c1)

  • dgw: subkey tokens (#287) (bebee0e)

  • dgw: support for CORS calls (#288) (388b1f6)

  • dgw: expose gateway ID in configuration endpoint (f15d33a)

  • dgw: add general claim jet_gw_id (#293) (7a22ea1)

    When this claim is specified, a given token can only be used on a Gateway with the very same ID.

  • dgw: wildcard scope tokens (#294) (1c98c15)

  • dgw: config pushing endpoint (8ff1ebe)

  • dgw: lossless and simpler config DTO (ba68301)

  • dgw: subscriber API (a80282e)

  • dgw: add --config-init-only cli option (89cd2b7)

  • dgw: limit JMUX wildcard addresses (#302) (8a95130)

    The same port must be used.

  • dgw: jet/health endpoint now returns Gateway identity

    The Accept HTTP header must be set to application/json for this.

  • powershell: update module (71e15a4)

    • Deprecate PrivateKeyFile and CertificateFile in favor of
      TlsPrivateKeyFile and TlsCertificateFile. This change is backward
      compatible (older names are recognized by cmdlets).

    • Add Id, Subscriber and SubProvisionerPublicKey to config class.

    • Allow Set-DGatewayConfig to set Id, Subscriber and
      SubProvisionerPublicKey values.

  • dgw: forced session termination support (16c119b)

    This adds the endpoint POST /jet/session/<id>/terminate.
    This is similar to what we had back in Wayk Bastion except it’s not P2P.

  • dgw: maximum session lifetime enforcing (9b80162)

    This adds a new claim jet_ttl specifying the maximum lifetime for a
    given session. Devolutions Gateway will kill the session if it is still
    running after the deadline.

  • jetsocat: HTTP proxy listener (04bd6da)

    HTTP proxy listener now handles both HTTPS (tunneling) proxy requests
    and HTTP (regular forwarding).

Security

  • dgw: Smaller token reuse interval for RDP sessions (832d00b)

    With this change, we do not allow reuse for RDP sessions more than a few
    seconds following the previous use. The interval is 10 seconds which is
    expected to give plenty of time to RDP handshake and negotiations. Once
    this interval is exceeded, we consider the RDP session is fully started
    and the same token can't be reused anymore.

    Two reasons why this is beneficial:

    • Security wise: the reuse interval is considerably shortened
    • Feature wise: more efficient forced RDP session termination

    Regarding the second point: Windows’ mstsc will keep alive the session
    by re-opening it immediately. Because we allow token reuse in a limited
    fashion for RDP, as long as the association token is not expired,
    the terminate action has effectively no visible effect (besides that
    multiple sessions occurred). Reducing the reuse interval greatly
    improves the situation.
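
The reuse policy described above, combined with the source-address check from v2021.1.7, as an added example (not the gateway's own code). It assumes tokens are tracked by an ID string and that the 10-second window is measured from the previous use; `TokenCache`, `Seen` and `Verdict` are hypothetical names.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

// 10 seconds is the interval stated in the release note.
const RDP_REUSE_INTERVAL: Duration = Duration::from_secs(10);

#[derive(Debug, PartialEq)]
enum Verdict { FirstUse, ReuseAllowed, RejectedOtherSource, RejectedTooLate }

// Hypothetical per-token record (assumption, not the gateway's own type).
struct Seen { source: IpAddr, last_use: Instant }

#[derive(Default)]
struct TokenCache { seen: HashMap<String, Seen> }

impl TokenCache {
    // `now` is a parameter so the policy can be exercised without sleeping.
    fn check(&mut self, token_id: &str, source: IpAddr, now: Instant) -> Verdict {
        if let Some(entry) = self.seen.get_mut(token_id) {
            // A token first seen from one address is not accepted from another.
            if entry.source != source {
                return Verdict::RejectedOtherSource;
            }
            // Past the interval the RDP session counts as fully started.
            if now.duration_since(entry.last_use) > RDP_REUSE_INTERVAL {
                return Verdict::RejectedTooLate;
            }
            entry.last_use = now;
            return Verdict::ReuseAllowed;
        }
        self.seen.insert(token_id.to_owned(), Seen { source, last_use: now });
        Verdict::FirstUse
    }
}

fn main() {
    // Constructed sequence: handshake reconnect, other address, late reconnect.
    let client: IpAddr = "192.0.2.10".parse().unwrap();
    let other: IpAddr = "198.51.100.7".parse().unwrap();
    let t0 = Instant::now();
    let mut cache = TokenCache::default();
    for (ip, secs) in [(client, 0), (client, 2), (other, 3), (client, 30)] {
        let verdict = cache.check("token-1", ip, t0 + Duration::from_secs(secs));
        println!("+{}s {}: {:?}", secs, ip, verdict);
    }
}
```

The last call models a client that re-opens the session after a forced termination: once the window has passed, the same token no longer gets it back in.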

v2022.2.2

14 Jun 17:56

  • Update dependencies with CVE reports
  • pwsh: update token generation cmdlet
  • dgw: remove unused /jet/sessions/count route
  • dgw: lossless unknown application strings

    With this change, unknown application protocols will get displayed in session information as well.
    Previously, any unknown value was just treated as the "unknown" string.

v2022.2.1

07 Jun 18:14

  • Migrate logging infrastructure to tracing
  • dgw: duplicate /jmux and /KdcProxy endpoints under /jet
  • dgw: log files are now rotated on a daily basis (old log files are deleted automatically)
  • dgw: new LogDirective config option
  • dgw: downgrade health route logs to debug level
  • dgw: JMUX filtering through claims (* is used to generate an "allow all" rule)
  • dgw: optional application protocol claim in JMUX tokens to find good default ports
  • dgw: PowerShell via SSH application protocol has been renamed from pwsh to ssh-pwsh
  • dgw: new known application protocols
    • PowerShell via WinRM (winrm-http-pwsh, winrm-https-pwsh)
    • VNC (vnc)
    • SCP (scp)
    • HTTP (http)
    • HTTPS (https)
  • jetsocat: process watcher option (--watch-parent, --watch-process)
  • jetsocat: pipe timeout option (--pipe-timeout)
  • jetsocat: HTTP(S) tunneling (proxy) listener for JMUX proxy (http-listen://<BINDING_ADDRESS>)

v2022.1.1

09 Mar 18:54

  • diagnostics/configuration endpoint now also returns Gateway's version
  • New diagnostics/clock endpoint to troubleshoot clock drift
  • Initial KDC proxy implementation
  • Windows installer (MSI) now installs Gateway service as "Local Service" (fewer permissions)

v2021.1.7

07 Dec 21:56
38b136d

  • JMUX multiplexing protocol implementation for jetsocat and gateway server
  • Improve various startup validations and diagnostics
  • Support for generic plain TCP forwarding (e.g.: raw SSH forwarding)
    This requires sending a preconnection PDU containing an appropriate token
  • Duplicate root HTTP endpoints under /jet (this helps simplify routing configurations)
  • Support for alternative hosts to try in successive order
  • Token reuse mitigation based on IP address (the RDP protocol requires connecting multiple times,
    so a previously used token can't just be rejected)

v2021.1.6

11 Aug 15:32
34158eb

Changes:

  • 34158eb Merge pull request #181 from Devolutions/v2021.1.6
  • 2fe6661 devolutions-gateway: version bump to 21.1.6 and updated CHANGELOG.md
  • 945d745 Add macOS ARM64, add Windows nuget restore workaround (#180)
  • 846b874 Merge pull request #178 from Devolutions/cargo_clippy
  • 52a6da5 Merge branch 'master' into cargo_clippy
  • cad3d42 WAYK-2568: Add an endpoint to get configuration information (#177)
  • 8907015 Cargo clippy
  • ebb5fc8 Merge pull request #176 from Devolutions/WAYK-2567
  • e46601e WAYK-2567: Add endpoint to get logs (GET /diagnostics/logs)
  • cf6e96b Merge pull request #175 from Devolutions/fix_bridge
  • 2b5077a Bridge all verbs (get/put/patch/post/delete) + Authorization is set in Gateway-Authorization header for the bridge
  • cfdc353 Merge pull request #174 from Devolutions/WAYK-2566
  • 2524955 Merge branch 'master' into WAYK-2566
  • de5f7f1 WAYK-2566: Cleanup: Rename session_token by association_token
  • 354d9e9 WAYK-2566: Remove api_key config parameter
  • 17e8bae WAYK-2566: Remove unrestricted config parameter
  • fe03b14 WAYK-2566: Use the AUTH middleware for all routes except those explicitly excluded
  • 5064fb1 WAYK-2566: Add a way to specify association_id when we create a token via powershell + fix GET /associations endpoint to return the error if error occurred
  • 2beacd1 WAYK-2566: Add token type + bridge token + update powershell to generate token
  • 4890bd1 Merge pull request #173 from Devolutions/fix_build
  • e989ddb WAYK-2566: Add a type field in auth tokens (session/scope)
  • d5bbbbd WAYK-2566: Generate scope token with tokengen tool and powershell module
  • 193156f WAYK-2566: Add authorization to get sessions list
  • 3a483aa Fix powershell build: Remove nuget cert revocation check
  • d87bbf2 Merge pull request #172 from Devolutions/WAYK-2564
  • d15b4b1 WAYK-2564: cargo fmt
  • 74fcbda WAYK-2564: Fix benchmark build
  • 90d1a1b WAYK-2564: Fix build
  • 7fefa19 WAYK-2564: Add jet_flt in the session token
  • ea0104f WAYK-2564: Update specification to add jet_rec and jet_flt
  • e78a404 WAYK-2564: Add endpoint /sessions to list sessions + Fix tests
  • 79d6090 Use helper functions for error codes in bridge
  • abe9b1b Add leeway for bridge token validation
  • cca926f WAYK-2562: initial HTTP bridge implementation
  • cbda9b7 Fix clippy warnings in registry module
  • 593e459 Update dependencies
  • eb84a89 Merge pull request #169 from Devolutions/sogar_update
  • e1fc4f6 Don't use sogar_cli to push files to remote registry + Remove sogar_path from config + sogar update
  • 80d20e8 Sogar update (#168)

This list of changes was auto generated.

v2021.1.5

07 Jul 16:21

Changes:

  • 8aec9a9 Update CHANGELOG.md
  • e7ce1e9 Bump version (2021.1.5)
  • 8d634a1 Fix clippy warnings
  • 5b46aea Fix sogar-core dependency link
  • 1727a72 Sogar registry inside devolutions-gateway (#166)
  • 40da875 jetsocat: add sftp example in cli doc
  • b3589e0 jetsocat: fix WebSocket read buffer advancing
  • b05220c jetsocat: flush on write
  • 50964d1 jetsocat: add ws-listen pipe
  • eec6fc9 jetsocat: fix process piping
  • 9c9c9b0 jetsocat: now with a single forward action (#164)
  • 2a18295 Add SOGAR session recording for web sockets (#163)

This list of changes was auto generated.

v2021.1.4

04 May 19:57
ca2e4db

Changes:

  • ca2e4db 2021.1.4 release preparation (#162)
  • 44483a6 Linux packaging and service registration (#161)
  • b572867 PowerShell Formatting (#160)
  • b465f39 Add Install-DGatewayPackage / Uninstall-DGatewayPackage commands (#159)
  • 50d4023 Pushing files to the remote (#158)
  • 676a855 Add logs to track all HTTP requests received and processed (#157)

This list of changes was auto generated.

v2021.1.3

13 Apr 19:44
28d9f8d

Changes:

  • 28d9f8d Merge pull request #156 from Devolutions/2021.1.3
  • 17d9cb9 Version 2021.1.3
  • 1b697dc Merge pull request #155 from Devolutions/WAYK-2432
  • b7dc2a9 Merge pull request #154 from Devolutions/wayk-2430
  • 20cea3d Remove Incoming helper struct
  • 766813c Fix possible stability issue with protocol peeking
  • 441a65c Enable socket options
  • e11980c Fix clippy warning
  • 8570b33 Update tokio dependency
  • 66aa58c Merge pull request #153 from Devolutions/bugfix-session-recording
  • 83bca54 devolutions-gateway: fix container image version (#152)
  • 078783f Changelog update
  • 2a44bef added check on the source_addr
  • b8f46c8 WAYK-2430: Avoid infinite loop if no data is received for RDP connection
  • 37042a3 fixed incorrect size
  • afbd397 added awaiting on the thread to finish
  • 41b5aaa jetsocat: clarify logs (#151)
  • ab78a7b refactored code
  • 0e0d1fe removed magic number
  • 2fb9632 fixed error with artifacts in the video by adding additional frame updates

This list of changes was auto generated.

v2021.1.2

26 Mar 20:20
fe342c8

Changes:

  • fe342c8 2021.1.2 release preparation: unify changelog, cleanup. (#150)
  • 3d29727 devolutions-gateway: move Dockerfiles around (#149)
  • 2f1db36 Zip PowerShell module + remove extracted files from GitHub releases (#148)
  • 048df20 Session recording inside gateway (#147)
  • f4c5405 Update README about direct connection and pcap recording (#146)

This list of changes was auto generated.