Releases: Devolutions/devolutions-gateway
v2025.1.3
Bug Fixes
- agent-installer: don't fail an uninstall if the shell extension can't be unregistered (#1249) (67bc5dfc01)
  An unexpected error unregistering the PEDM shell extension can cause an
  uninstall to fail; this leads to a bad posture on the user machine.
- dgw: fix a bug where shadowing player was sometimes failing with high frame rate (#1253) (e415a674d9)
- installer: ensure NetworkService has proper file permissions (#1260) (956741757e)
  We've had sporadic issues where users cannot update the revocation list
  due to a permissions error on the .jrl file (access denied deleting the
  original file).

  Likely cause:
  - Gateway was installed and created this file(s) at or before version 2024.1.5
  - In subsequent versions, we switched the service account to NetworkService
    and updated the DACL applied to the top-level %programdata%\Devolutions\Gateway directory
  - However, files created previously did not retroactively inherit NetworkService's new ACL
  - This doesn't matter for most files where Users has read and execute permission
  - Files that need Modify permission won't have it (for example, the .jrl and existing log files)

  This version:
  - Updates the SDDL set on the top-level %programdata%\Devolutions\Gateway directory
    to ensure that NetworkService can delete subfolders and files
  - Forcibly resets the ACL on files in the program data directory
- dgw: fix WebSocket connection hanging at the end of communication (#1243) (a457fdc90c)
  WebSocket close frames were not sent on session termination.
  With this patch, we properly send WebSocket close frames when session terminates.
- dgw: fix missing webapp in deb (#1259) (dd4f3d5ed2)
Build
- dgw,agent: target Ubuntu 18.04 (#1241) (27f12ef910)
  Properly target ubuntu-18.04, including for the cadeau library which was
  just released with ubuntu-18.04 targeting as well. By targeting
  ubuntu-18.04, we are forward-compatible with ubuntu 20.04, 22.04, 24.04
  but we are also compatible with RHEL8, which uses a version of
  glibc older than ubuntu 20.04.
- dgw: don't use libsql default features (#1254) (d05b9a91df)
v2025.1.2
Features
- agent-installer: disable restart manager in Agent MSI (#1214) (0177aed842)
  The restart manager is intended to reduce the number of reboots caused by
  locked files. It attempts to shutdown and relaunch executables that are using
  locked files required by the installer. An interactive prompt is shown to the
  user offering a choice between shutdown/restart of the application (as long as
  the application is integrated with the restart manager) or to reboot.
Bug Fixes
- dgw: fix an issue where 'Unknown error' was displayed at the end of recording playback (#1220) (46a551848d)
- dgw: fix an issue where recording ended but the streaming task was not terminated (#1222) (404ba8aa11)
- dgw: revert service name to "devolutions-gateway" on Linux (#1226) (5b4c2160f4)
  The service name was mistakenly renamed to "devolutions-agent" in the previous release.
- agent-installer: prevent invalid configuration due to installer sequencing (#1229) (d102dc22fb)
  The PEDM/Session feature toggle was manipulating agent.json after InstallFiles.
  The action that initializes agent.json was not actually added to the custom
  actions, and in any case it was sequenced before StartServices (which is
  after InstallFiles).
v2025.1.1
Bug Fixes
- agent: fix downgrade logic for unreleased Devolutions Gateway (#1207) (a978ec6c59)
  Fix an updater corner case where the user is trying to downgrade to the
  latest specified version in productinfo.htm while a newer unreleased
  version is installed locally.
- dgw: mute recording player by default to allow autoplay in web browsers (#1208) (1266e8b327)
- agent-installer: add experimental tag to PEDM and session features (#1211) (29b2facc61)
v2025.1.0
Features
- dgw: session shadowing (#1076) (456d057b60) (#1131) (ac7988cc51) (#1148) (b68bf85039) (#1165) (8a52585c30) (#1188) (5539ac6066) (#1193) (8d7c3d592b) (#1181) (8cb4c66fec)
- dgw: add a replay button on streaming finish (#1189) (3177eae885)
Bug Fixes
- jetsocat: (also) return one link per certificate (#1137) (68f0523118) (DGW-235)
  Make jetsocat doctor return one link per certificate in addition to
  the chain link.
- dgw: improve log quality (#1190) (8b3118a640)
  - Enhance the "Peer failure" log to include the peer address and the
    listener kind (in fact, always TCP).
  - Instead of an ERROR-level trace, log an INFO-level trace when the
    wrong protocol is used on the TCP listener.
- dgw,jetsocat: implement WebSocket keep-alive logic (#1202) (22e9e7e73f)
  Our WebSockets are already responding Pong messages to Ping messages,
  but they were never sending Ping messages.
Build
- dgw: correct typo causing missing packager (#1176) (dd17375552)
  The control template expects a variable named packager but package
  was passed.
- dgw: move libxmf.so to /usr/lib (#1175) (0ed70d21ba)
  This moves libxmf.so from /usr/share/devolutions-gateway to
  /usr/lib/devolutions-gateway.
  According to the FHS, /usr/share is for architecture-independent data files.
- Add RPM for gateway and agent (#1179) (3b8667db83)
  This commit adds RPM packages for Gateway and Agent to the release
  assets.
  The rpm is generated with fpm, a Linux packaging tool.
  The RPM includes all the assets of the corresponding Debian package,
  including the changelog, copyright, maintainer scripts, and
  webapp/libxmf.so for Gateway.
  Tested with RHEL 9 (glibc 2.34).
- Add changelogs for Linux packaging (#1185) (fdf2bb1667) (DGW-237)
- Remove unused Linux deps (#1194) (efde6343a0)
  This removes unused dependencies.
  libc6 on Debian is glibc on RPM-based systems.
  libc6 version is bumped to 2.31 as that is the version provided by the
  CI runner generating the build.
  libgcc-s1 dependency is removed as it is a dependency of libc6.

  > ldd devolutions-gateway
      linux-vdso.so.1 (0x000077b2330a9000)
      libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x000077b22f5b1000)
      libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x000077b22f4c4000)
      libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x000077b22f200000)
      /lib64/ld-linux-x86-64.so.2 (0x000077b2330ab000)

  The ldd output for Agent is identical.
v2024.3.6
Features
- dgw: persistent job queue for crash resistance (#1108) (2420b07d21)
  This year we added some background tasks in the Gateway that should
  not be canceled, or if they are, should be restarted later. Essentially
  two tasks: mass deletion of recordings (relatively important, but
  it's always possible to launch indexing in DVLS in case of a problem)
  and remuxing recordings to webm format (good to have). If the service
  is killed in the middle of one of these operations, we should resume
  execution on the next startup.

  This persistent job queue is implemented using Turso’s libSQL. Using
  libSQL (or SQLite) for implementing the queue allows us to benefit from
  all the work put into implementing a reliable, secure and performant
  disk-based database instead of attempting to implement our own ad-hoc
  storage and debugging it forever.
- dgw: add agent version field to heartbeat API (#1122) (83fbddb5a4)
- jetsocat: Schannel diagnostics for Windows (#1125) (991d856dea) (ARC-255)
  These diagnostics will return detailed information about how Windows
  will understand the specified certification chain.
Bug Fixes
- webapp: session toolbar loading issues (#1106) (1442a1dc6f) (DGW-230)
- webapp: active session connection status in menu (#1115) (45f396af9c) (DGW-231)
- dgw: improve logs of rdp extension module (#1120) (a068fb46e7)
- dgw: lower the level of the control code log (#1123) (85850304f6)
v2024.3.5
Bug Fixes
- webapp: the initial 401 error is shown when it should not (#1102) (b54a666776) (DGW-226)
v2024.3.4
Features
- jetsocat: make doctor returns links to x509.io (#1059) (ce68fdd1d3)
  Returns a link to x509.io Certificate Viewer in order to inspect the
  certification chain conveniently.
- dgw: shadowing player web-component (#1075) (5169f60622)
- dgw: /jet/jrec/delete endpoint for mass deletion (#1093) (341d455f6c) (DGW-219)
  A new endpoint not taking any parameter via the request path.
  Instead, a list of session IDs is provided in the request body.
Improvements
- dgw: disallow SCOPE tokens missing the jti claim (#1082) (78396b5e14)
  DVLS generates this claim since its version 2022.1.9.
  This version is almost three years old, and already completely phased
  out, as such it’s more than reasonable to stop supporting this kind
  of token.
Bug Fixes
- dgw: the recording policy wasn't set for RDP via web (#1044) (01fb589311)
- dgw: support for .cast files that have two slices with the same timestamp in recording player (#1054) (8ed5163f3a)
- dgw: allow any header to be set in browser JavaScript HTTP requests (#1083) (0a7c80898a)
  We don’t expose any header particularly sensitive from the Devolutions
  Gateway, and the future HTTP bridge will always require a token which
  is only issued on a per-need basis. In fact, in such cases we actually
  want to allow virtually any header to be used for web-based integration
  of various web services (e.g.: VMware dashboard).
  The restriction imposed by the token requirement is strong enough.
- dgw: better custom recording paths handling in heartbeat endpoint (#1097) (c1d047c190) (DGW-218)
  On Windows, the std::fs::canonicalize function returns
  Windows NT UNC paths, but our code detecting the mount point does not
  understand that.
  We use dunce to handle that for us instead.
v2024.3.3
Features
- pedm: add context menu icon resource (#990) (263de985cc)
- agent: devolutions-session bootstrap (#997) (f8b291d908)
- jetsocat: Windows named pipes and Unix sockets (#1022) (b13caba5b6)
- jetsocat: new doctor subcommand for diagnostics (#1030) (6ed8591b38)
Bug Fixes
- pwsh: trace more info when importing Certificate from PFX (#992) (5de155738a)
- dgw: set dwShareMode for recording files on Windows (#1007) (4df3c854ca)
  On Windows, the default share_mode set when opening a new file
  is FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE.
  We now override the share_mode and set it to FILE_SHARE_READ.
  This makes the recording process more robust by ensuring no other
  process can write or delete the files while the Devolutions Gateway
  is actively writing it.
- jetsocat,dgw: add backpressure in JMUX proxy (41ea3ee3f0)
  The memory consumption of the JMUX proxy was unbounded because we used
  an unbounded mpsc channel for message passing.
  Here is a jetsocat-bench.nu run against master:
- player: start recording when tab is open (#1024) (6506b08ee2) (RDMW-16402)
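
The effect of the JMUX proxy backpressure fix listed above (41ea3ee3f0), shown as an added example that is not Devolutions Gateway or jetsocat code: a single-threaded simulation that uses std channels in place of the project's async ones. The chunk size, read rate and bound of 8 are constructed values.

```rust
use std::sync::mpsc::{channel, sync_channel, Receiver, TrySendError};
pub const CHUNK: usize = 16 * 1024; // constructed message size
const READ_PER_TICK: usize = 4; // fast source: 4 chunks per tick (constructed)

#[derive(Debug)]
pub struct Run {
    pub peak_queued_bytes: usize,
    pub delivered: usize,
    pub ticks: usize,
}

type Push = Box<dyn Fn(Vec<u8>) -> Result<(), Vec<u8>>>;

/// Forward `total_chunks` from a fast source to a destination that accepts one
/// chunk per tick. `None` models the unbounded channel, `Some(n)` a bounded one.
pub fn simulate(total_chunks: usize, bound: Option<usize>) -> Run {
    let (push, rx): (Push, Receiver<Vec<u8>>) = match bound {
        None => {
            let (tx, rx) = channel::<Vec<u8>>();
            (Box::new(move |m: Vec<u8>| tx.send(m).map_err(|e| e.0)) as Push, rx)
        }
        Some(n) => {
            // A bound of 0 would be a rendezvous channel, so use at least 1.
            let (tx, rx) = sync_channel::<Vec<u8>>(n.max(1));
            (Box::new(move |m: Vec<u8>| tx.try_send(m).map_err(|e| match e {
                TrySendError::Full(m) | TrySendError::Disconnected(m) => m,
            })) as Push, rx)
        }
    };
    let (mut unread, mut queued, mut peak) = (total_chunks, 0usize, 0usize);
    let (mut delivered, mut ticks) = (0usize, 0usize);
    while delivered < total_chunks {
        ticks += 1;
        for _ in 0..READ_PER_TICK.min(unread) {
            // Full channel: stop reading; the data waits in the sender's TCP window.
            if push(vec![0u8; CHUNK]).is_err() { break; }
            unread -= 1;
            queued += 1;
        }
        peak = peak.max(queued * CHUNK);
        if rx.try_recv().is_ok() { queued -= 1; delivered += 1; }
    }
    Run { peak_queued_bytes: peak, delivered, ticks }
}

fn main() {
    println!("unbounded: {:?}", simulate(64, None));
    println!("bounded(8): {:?}", simulate(64, Some(8)));
}
```

Both runs deliver every chunk in the same number of ticks; only the amount of data held in the proxy's memory differs.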
v2024.3.2
Features
- agent: initial PEDM implementation (1ed573ae54)
Improvements
- dgw: log KDC domain when throwing the error (#963) (873217c804)
  We now print the name of the requested domain when the requested
  domain didn't match the authorized (expected) domain.
- dgw: accept subject name even if it does not match the hostname (1f40b45bae)
  Configurations where the certificate subject name does not match the
  hostname are now accepted.
  Instead, a few warning and debug log records are added to help
  discover configuration issues in case of problem.
  The problem with the strict approach we had previously is that we
  may reject valid configurations where the hostname was actually
  matched by one of the subject alternative names in the certificate.
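
The false rejection described in the last item above, as an added example that is not the Gateway's own code: a check that classifies where the hostname matches instead of failing on a subject mismatch. The type and function names, the hostnames and the certificate names are constructed, and the names are passed in as plain strings rather than parsed from X.509.

```rust
/// Where the configured hostname was found in the certificate, if anywhere.
#[derive(Debug, PartialEq)]
pub enum NameCheck {
    SubjectCn,              // a subject-name-only comparison accepts this
    SubjectAltName(String), // valid for TLS clients, rejected by a subject-only check
    Mismatch,               // log a warning so the operator can fix the configuration
}

/// Compare a certificate DNS name with a hostname, ignoring ASCII case and a
/// trailing dot. `*` is honoured only as the whole left-most label and stands
/// for exactly one label.
pub fn dns_name_matches(pattern: &str, host: &str) -> bool {
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        Some(suffix) => match host.split_once('.') {
            Some((label, rest)) => !label.is_empty() && rest == suffix,
            None => false,
        },
        None => pattern == host,
    }
}

/// Classify instead of rejecting: the caller logs the result and carries on.
pub fn check_names(host: &str, subject_cn: Option<&str>, sans: &[&str]) -> NameCheck {
    if subject_cn.map_or(false, |cn| dns_name_matches(cn, host)) {
        return NameCheck::SubjectCn;
    }
    match sans.iter().copied().find(|san| dns_name_matches(san, host)) {
        Some(san) => NameCheck::SubjectAltName(san.to_string()),
        None => NameCheck::Mismatch,
    }
}

fn main() {
    // Constructed certificate: descriptive subject CN, real names only in the SANs.
    let sans = ["gw.example.test", "*.corp.example.test"];
    for host in ["gw.example.test", "GW1.corp.example.test.", "a.b.corp.example.test"] {
        println!("{host}: {:?}", check_names(host, Some("Devolutions Gateway"), &sans));
    }
}
```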
Performance
- jetsocat: use a larger buffer for plain forwarding (#968) (6c18ff1fc1)
  By increasing the size of the intermediate buffer from 8k to 16k,
  performance of raw TCP forwarding is increased by ~19.4%.
  Performance was measured using iperf on local network.
- jetsocat,dgw: major throughput improvement for JMUX proxy (Devolutions Gateway Tunnel) (#973) (32de1d50de) (#975) (8ebfd2316d) (#976) (11efaa5cfe) (#977) (6b77a993ab) (DGW-202) (#980) (53af6fa7c7)
Build
- dgw: update cryptography dependencies (787027cbf9)
  We keep using ring as our crypto provider for now.
v2024.3.1
Features
- dgw: dynamically load XMF native lib on startup (#939) (86dee2631a)
  The DGATEWAY_LIB_XMF_PATH environment variable can be used optionally to
  specify the path to the XMF native library.
- dgw: remux webm files when video recording ends (#943) (cc787ef691)
Bug Fixes
- dgw: fix recording player parsing problem (#937) (cdf08a3e2c) (DPS-11197)
  - Remove usage of btoa, it fails on different charset.
  - Add 1 millisecond if the time of previous event is the same at the next event.
    Otherwise, the player will throw an error.
- webapp: fix RDP connection form - set pre connection blob as not required (#950) (c684994fce)
- webapp: add tooltip ellipsis for long netscan service names (#946) (5e4b3080d6) (DGW-204)
- dgw: [breaking] jet_rec claim is now a string (#957) (59bb0af249)
  Possible values are:
  - none: No policy to enforce (recording is optional)
  - stream: An external application (e.g.: RDM) must push the
    recording stream via a separate websocket connection
  - proxy: Session must be recorded directly at Devolutions Gateway
    level (not implemented yet)

  Note: Up until now, Devolutions Gateway was rejecting sessions when this claim was found because it couldn’t uphold
  the policy. It’s effectively not breaking anything which wasn’t already broken previously.