Releases: Devolutions/devolutions-gateway

v2025.2.3

14 Jul 08:21
c4af593

Features

  • dgw: write startup failures into boot.stacktrace file (#1416) (78028a6e60) (DGW-292)

    This will make troubleshooting configuration errors much easier.

  • dgw: new TlsVerifyStrict option (#1415) (257d941dd1) (DGW-293)

    This adds a TlsVerifyStrict option for controlling the new stricter
    checks on TLS certificates.

    When enabled (true), the client performs additional checks on the
    server certificate, including:

    • Ensuring the presence of the Subject Alternative Name (SAN)
      extension.
    • Verifying that the Extended Key Usage (EKU) extension includes
      serverAuth.

    Certificates that do not meet these requirements are increasingly
    rejected by modern clients (e.g., Chrome, macOS). Therefore, we strongly
    recommend using certificates that comply with these standards.

    The default configuration for fresh installs will include the
    TlsVerifyStrict key set to true.
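
An added example, not part of the release notes or the project's code: a shell pre-flight check that reads `openssl x509 -text` output and reports whether a certificate carries the SAN extension and a serverAuth EKU, the two checks listed above. The function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the two certificate properties listed
# above. Function names and the sample text are constructed for illustration.

# Print the value line following an extension header in `openssl x509 -text` output.
ext_value() {  # $1 = certificate text, $2 = extension header
    printf '%s\n' "$1" | awk -v h="$2" '
        index($0, h) {
            if ((getline v) > 0) { sub(/^[ \t]+/, "", v); print v }
            exit
        }'
}

# Read certificate text on stdin; return 0 only if SAN is present and EKU
# includes serverAuth (shown by OpenSSL as "TLS Web Server Authentication").
strict_tls_check() {
    cert_text=$(cat)
    rc=0
    san=$(ext_value "$cert_text" 'X509v3 Subject Alternative Name')
    eku=$(ext_value "$cert_text" 'X509v3 Extended Key Usage')

    if [ -n "$san" ]; then
        echo "OK   SAN: $san"
    else
        echo "FAIL no Subject Alternative Name extension"; rc=1
    fi

    case "$eku" in
        *'TLS Web Server Authentication'*) echo "OK   EKU: $eku" ;;
        '') echo "FAIL no Extended Key Usage extension"; rc=1 ;;
        *)  echo "FAIL EKU lacks serverAuth: $eku"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: a client-auth-only certificate without SAN.
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication'

if [ -n "${1:-}" ]; then
    # Real use: pass the path of a PEM certificate as the first argument.
    openssl x509 -in "$1" -noout -text | strict_tls_check
else
    printf '%s\n' "$SAMPLE_TEXT" | strict_tls_check || true
fi
```

Run it against the certificate the gateway is configured with before setting "TlsVerifyStrict": true; a non-zero exit status means one of the two checks failed.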

  • dgw,agent: display config file path during initialization (#1421) (a185df7844)

    Output the full path to the configuration file when initializing the
    configuration for both Devolutions Gateway and Devolutions Agent. This
    simplifies debugging and setup verification.

  • dgw: auto-detect proxy setup when performing HTTP requests (#1422) (b380feffe6)

    Look in environment variables to set HTTP, HTTPS or SOCKS proxies.

  • agent: auto-detect proxy setup when fetching productinfo.htm (#1420) (9f89c4c15c) (DGW-291)

    Look in environment variables to set HTTP, HTTPS or SOCKS proxies.

Bug Fixes

  • pedm: don't error on profile selection if no assignments (#1398) (abe9f7c693)

    If a user has never had a profile assigned, there will be no record of
    them in the user table.

    However, if they try to select a profile, an error is returned. It's
    better to catch this scenario upfront and just return an empty profile
    selection and list.

  • webapp: fullscreen handling for ARD web client (#1406) (30b6941406)

  • webapp: fix enter fullscreen button during a running session (#1408) (4295a41919)

  • pedm: add additional context to virtual account code paths (#1409) (63a0d8c8c9)

    Some users are experiencing an error with the virtual account elevator.
    This adds additional context to the virtual account elevator code paths.

  • dgw: set default value of TlsVerifyStrict to false (#1419) (528cada242)

    Previously, strict TLS verification was performed even when the
    TlsVerifyStrict key was absent from the configuration file.

    From now on, if this key is missing, it will default to
    "TlsVerifyStrict": false.

    This change ensures that existing users who are currently using improper
    certificates will not be affected. At the same time, newly generated
    configuration files will continue to include "TlsVerifyStrict": true by
    default, encouraging using proper certificates from the start.

    New users can still opt out of strict verification by explicitly setting
    the value to false or removing the key entirely if they are willing to
    accept potential compatibility issues with some clients, such as Chrome
    or macOS.

    A warning will be logged if the option is disabled as it may hide latent
    issues.
    Hopefully, this leads the user to enable the option, and fix the
    underlying certificate issue if necessary.

  • webapp: fix an issue in the VNC client where display scaling was not correctly
    updated after a server-initiated resize.

  • webapp: fix excessive scroll speed in VNC client.

  • webapp: fix clipboard monitoring treats clipboard updates from the server as
    local clipboard updates.

  • webapp: fix the error when navigator.clipboard.write was called when the
    browser window was not focused.

v2025.2.2

26 Jun 18:14
060e9ae

Features

  • webapp: support dynamic resizing for RDP and VNC sessions (#1389) (aa03b65645)

  • webapp: update RDP and VNC web clients (#1393) (79870495da)

    • Prevent undesirable scrolling when the canvas is focused.
    • Fix a typo.
    • Fix keyboard input for Firefox.
    • Hide slider in fullscreen mode.
    • Fix a bug in VNC client where ZLIB encoding was not disabled even when
      unchecked from the list.

Bug Fixes

  • webapp: incorrect desktop size when a predefined resolution is selected (#1383) (4225fda033)

  • dgw: [breaking] clean up /jet/net/config route (#1387) (d596e90558) (DGW-287)

    The JSON output of the /jet/net/config route is changed to be more
    convenient in the consumer code.

    Previous output example:

    [
      {
        "name": "vboxnet0",
        "addresses": [
          {
            "V4": {
              "ip": "192.168.56.1",
              "broadcast": "192.168.56.255",
              "netmask": "255.255.255.0"
            }
          },
          {
            "V6": {
              "ip": "fe80::800:27ff:fe00:0",
              "netmask": "ffff:ffff:ffff:ffff::"
            }
          }
        ],
        "mac_addr": "0a:00:27:00:00:00",
        "index": 4
      }
    ]
    

    New output example:

    {
      "vboxnet0": [
        {
          "family": "IPv4",
          "address": "192.168.56.1",
          "broadcast": "192.168.56.255",
          "netmask": "255.255.255.0",
          "mac": "0a:00:27:00:00:00"
        },
        {
          "family": "IPv6",
          "address": "fe80::800:27ff:fe00:0",
          "netmask": "ffff:ffff:ffff:ffff::",
          "mac": "0a:00:27:00:00:00"
        }
      ]
    }
    
  • webapp: change toolbar activation height (#1390) (882e7571c0)

    When in fullscreen mode, the session toolbar was not appearing
    when the cursor was moved to the top of the screen.

  • dgw: [breaking] fail-fast on improper certificate for TLS (#1391) (aca08f0aba) (DGW-286)

    Certificates missing the auth extended key usage, or missing a subject
    alternative name are now rejected:

    • immediately fail on startup for certificates from filesystem, and
    • fail on certificate resolution for system certificate store.

  • dgw: crash when using default port HTTP internal URL (#1392) (71080c0547) (DGW-288)

    The listener task was crashing when the default port for HTTP (80) or HTTPS (443)
    was used in the internal URL of the HTTP listener.

v2025.2.1

11 Jun 13:20
4fa4930

Features

  • webapp: allow dynamically adjusting wheel_speed_factor for VNC and ARD sessions (#1369) (58536dba69)

    The wheel speed factor setting is moved to the toolbar.

  • dgw: allow session tokens to be reused in a limited way (b3415c2bcc) (DGW-238)

    Add support for a configurable reconnection window, allowing token reuse for
    reconnections after disconnection within a defined period. This feature
    will enable more robust handling of temporary disconnections, minimizing
    session disruptions.

    The token can be reused under three conditions:

    • The associated session was not killed.
    • The reconnection window since last disconnection is not exceeded.
    • The number of connections during the reconnection window does not
      exceed 10 (hardcoded value).

    For the last point, this is the maximum number of reconnections allowed
    during the reconnection window. If the reconnection window (e.g.:
    30 seconds) is over while the connection is still alive, the counter
    is reset, and it’s possible to reconnect up to 10 times again. This
    prevents brute force attacks in the situation where the token is stolen,
    although that is tricky to exploit in the first place.

  • dgw: support port wildcards for JMUX sessions (#1377) (922792ea07) (DGW-243)

    When the port is set to 0, we do not add a FilteringRule::Port, and
    when the host is also set to * (i.e.: *:0), insert
    FilteringRule::Allow to allow anything.

Bug Fixes

v2025.2.0

04 Jun 15:10
99da422

Features

  • webapp: add wheel_speed_factor setting to VNC and ARD connection forms (#1362) (e6be3d02eb)

  • dgw: emit a warning alert when TLS is not configured and credentials are pushed (5a6ecd944b)

    For instance, proxy-based credentials injection for RDP requires a TLS
    certificate and private key to be configured.

  • dgw: proxy-based credential injection for RDP (033206eb90) (ARC-277)

Bug Fixes

  • pedm: fix flawed expand_environment function (#1366) (476b885199)

  • webapp: typo in resolution quality control (#1364) (5b7bbbeff3) (DGW-272)

  • dgw: [breaking] drop the prx_usr, prx_pwd, dst_usr and dst_pwd claims (#1370) (ba1feedc9f)

    The favored approach when pushing credentials is now to use the
    preflight route.

v2025.1.6

23 May 02:24
698dcaf

Bug Fixes

  • agent: [breaking] Major breaking change in the experimental PEDM module.

    The PEDM module is planned to be released officially in the 2025.2.0 release, but for simplicity we are releasing
    a 2025.1.6 version that will be compatible with RDM 2025.2 so it’s possible for the users to update or install the
    agent before updating the rest of the products to 2025.2.

    If you installed the experimental PEDM module prior to 2025.1.5, you must:

    • Uninstall the current version
    • Run the following PowerShell script as administrator.
    • Install 2025.1.6 or newer.

    # Identify the current user and the PEDM data directory.
    $CurrentUser = "$Env:USERDOMAIN\$Env:USERNAME"
    $Path = "$Env:ProgramData\Devolutions\Agent\pedm"
    
    if (-Not (Test-Path $Path)) {
        Write-Error "Path does not exist ($Path)"
        exit 1
    }
    
    # Take ownership recursively so the ACL can be rewritten.
    Write-Output "Taking ownership of $Path"
    takeown /F "$Path" /R /D Y | Out-Null
    # Replace existing grants with full control for the current user.
    Write-Output "Granting full control to $CurrentUser"
    $IcaclsArgs = "`"$Path`" /grant:r `"$CurrentUser`:F`" /T /C"
    Start-Process icacls -ArgumentList $IcaclsArgs -NoNewWindow -Wait
    # Remove the directory left behind by the experimental PEDM module.
    Write-Output "Deleting $Path"
    Remove-Item -LiteralPath $Path -Recurse -Force

v2025.1.5

16 May 16:38
4bdd0f2

Features

  • dgw: cross-file seeking for recording player (#1271) (fbac3d29ce) (DGW-216)

    Introduces support for seamless playback of multi-file recordings.

  • dgw: preflight API (#1279) (8d4f7376d5) (DGW-245)

    Possible operations:

    • get-version: returns the version of the service.
    • get-agent-version: returns the version of the agent, if available.
    • get-running-session-count: returns the number of active sessions.
    • get-recording-storage-health: returns information about the remaining disk space available for recordings, etc.
    • provision-token: caches the token on the proxy side for later use.
    • provision-credentials: associates a username/password with a token for proxy-side credential injection.
    • resolve-host: DNS resolution of a hostname.

    Possible results:

    • version: the version of the service.
    • agent-version: the version of the side-by-side installed agent, if applicable.
    • running-session-count: the number of running sessions.
    • recording-storage-health: various information regarding recording storage health.
    • resolved-host: the IP addresses resolved for the hostname.
    • ack: acknowledge a given operation was performed with success.
    • alert: alert message for errors and other information.

  • dgw: extend net scanner capabilities (#1303) (7518a4ea20)

  • dgw: stabilize /jet/net/config (#1311) (36a034ae51)

  • webapp: integrate the newer RDP and VNC packages (#1329) (79b09a62f6)

    New version of the remote desktop web clients.

    New settings are exposed for VNC, ARD and RDP.

    • VNC-specific settings: Enabled Encodings (it’s possible to specify
      in a fine-grained manner which codecs are enabled or not),
      Enable/disable cursor pseudo-encoding, etc.
    • ARD-specific settings: Resolutions Quality and Quality Mode settings.
    • RDP-specific: toggle for Unicode mode.

  • webapp: option for enabling/disabling display control in RDP web client (#1333) (b056ddf5d1)

  • dgw: improve system store certificate selection (#1341) (d8b2fdf4fd) (DGW-262)

    The selection is now discriminating based on the extended key usage and
    the not valid before date.

    • Discriminate based on the extended key usage: certificate is ignored
      when the "Server Authentication" (1.3.6.1.5.5.7.3.1) key usage is not
      specified.
    • Discriminate based on the "not valid before" date: certificates not
      yet valid are ignored.
    • Added generous logging to observe the selection process in detail.

Bug Fixes

  • installer: resolve potential null reference installing PEDM shell extension (#1278) (d36978e63b)

    The top-level file extension keys may not all exist (in the case of QA,
    HKEY_CLASSES_ROOT\\.ps1 was not present). Although we check for an
    empty default value, we don't check for the presence of the top-level
    key which could cause a null-reference exception and force the installer
    to roll back.

  • dgw: properly order system certificates (#1285) (1925990f10) (DGW-261)

    We used the wrong key for sorting the certificates. It should have been
    "valid_not_after" instead of "valid_not_before".

Performance

  • dgw: caching of system store certificates (#1339) (4b15a9cf6a) (DGW-266)

    Basic caching is implemented for certificates fetched from the system
    store reducing considerably the number of system calls.

    The lifetime is 45 seconds, so the certificate is still refreshed on a
    regular basis.

v2025.1.4

18 Mar 03:56
ed3ac91

Features

Bug Fixes

  • dgw: improve debug logs for recording path canonicalization (#1273) (6e74bcc425)

    It’s easier to diagnose why canonicalization failed now.

  • dgw: reopen the certificate store for each request (#1274) (7c2c042106) (DGW-256)

    When using the system certificate store, we now properly reopen the
    store for each HTTP request, eliminating the need for restarting the
    service when renewing the certificate.

v2025.1.3

05 Mar 11:17
93900bd

Bug Fixes

  • agent-installer: don't fail an uninstall if the shell extension can't be unregistered (#1249) (67bc5dfc01)

    An unexpected error unregistering the PEDM shell extension can cause an
    uninstall to fail; this leads to a bad posture on the user machine.

  • dgw: fix a bug where shadowing player was sometimes failing with high frame rate (#1253) (e415a674d9)

  • installer: ensure NetworkService has proper file permissions (#1260) (956741757e)

    We've had sporadic issues where users cannot update the revocation list
    due to a permissions error on the .jrl file (access denied deleting the
    original file).

    Likely cause:

    • Gateway was installed and created this file(s) at or before version
      2024.1.5
    • In subsequent versions, we switched the service account to
      NetworkService and updated the DACL applied to the top-level
      %programdata%\Devolutions\Gateway directory
    • However, files created previously did not retroactively inherit
      NetworkService's new ACL
    • This doesn't matter for most files where Users has read and execute
      permission
    • Files that need Modify permission won't have it (for example, the
      .jrl and existing log files)

    This version:

    • Updates the SDDL set on the top-level
      %programdata%\Devolutions\Gateway directory to ensure that
      NetworkService can delete subfolders and files
    • Forcibly resets the ACL on files in the program data directory

  • dgw: fix WebSocket connection hanging at the end of communication (#1243) (a457fdc90c)

    WebSocket close frames were not sent on session termination.
    With this patch, we properly send WebSocket close frames when session terminates.

  • dgw: fix missing webapp in deb (#1259) (dd4f3d5ed2)

Build

  • dgw,agent: target Ubuntu 18.04 (#1241) (27f12ef910)

    Properly target ubuntu-18.04, including for the cadeau library which was
    just released with ubuntu-18.04 targeting as well. By targeting
    ubuntu-18.04, we are forward-compatible with ubuntu 20.04, 22.04, 24.04
    but we are also compatible with RHEL8, which uses a version of
    glibc older than ubuntu 20.04.

  • dgw: don't use libsql default features (#1254) (d05b9a91df)

v2025.1.2

20 Feb 06:57
fbe385a

Features

  • agent-installer: disable restart manager in Agent MSI (#1214) (0177aed842)

    The restart manager is intended to reduce the number of reboots caused by
    locked files. It attempts to shutdown and relaunch executables that are using
    locked files required by the installer. An interactive prompt is shown to the
    user offering a choice between shutdown/restart of the application (as long as
    the application is integrated with the restart manager) or to reboot.

Bug Fixes

  • dgw: fix an issue where 'Unknown error' was displayed at the end of recording playback (#1220) (46a551848d)

  • dgw: fix an issue where recording ended but the streaming task was not terminated (#1222) (404ba8aa11)

  • dgw: revert service name to "devolutions-gateway" on Linux (#1226) (5b4c2160f4)

    The service name was mistakenly renamed to "devolutions-agent" in the previous release.

  • agent-installer: prevent invalid configuration due to installer sequencing (#1229) (d102dc22fb)

    The PEDM/Session feature toggle was manipulating agent.json after
    InstallFiles.

    The action that initializes agent.json was not actually added to the custom
    actions, and in any case it was sequenced before StartServices (which is
    after InstallFiles).

v2025.1.1

05 Feb 21:04
7545044

Bug Fixes

  • agent: fix downgrade logic for unreleased Devolutions Gateway (#1207) (a978ec6c59)

    Fix an updater corner case where the user is trying to downgrade to the
    latest specified version in productinfo.htm while a newer unreleased
    version is installed locally.

  • dgw: mute recording player by default to allow autoplay in web browsers (#1208) (1266e8b327)

  • agent-installer: add experimental tag to PEDM and session features (#1211) (29b2facc61)