
feat(dgw): proxy-based credentials injection support for RDP

Open CBenoit opened this issue 8 months ago • 0 comments

Consumer side

  • Provide and associate the proxy-target credential mapping with the association token using a preflight API call.
  • Connect using the fake (proxy) credentials to the Devolutions Gateway as usual, with a PCB containing the association token.

How it works

  • Perform two-way forwarding between the client and the target until the TLS security upgrade.
  • Separately perform the TLS upgrade for both the client and the server, effectively acting as a man-in-the-middle.
    • The client must trust the TLS certificate configured in the Devolutions Gateway.
  • Separately perform CredSSP authentication as server with the client, and as client with the target.
    • The fake, proxy credentials are used with the client.
    • The real, target credentials are used with the target.
  • Proceed with the usual two-way forwarding (except we can actually see and inspect all the traffic).

Demo

proxy-based-credentials-injection-prototype.webm

CBenoit avatar May 24 '25 20:05 CBenoit
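
The credential swap described above, as an added example that is not part of the original issue or the Devolutions Gateway code base: a mapping provisioned at preflight is keyed by the association token, and the target credentials are released only when the client presented the matching proxy credentials. The type and method names, the TTL, and modelling the client-side CredSSP result as a plain username/password pair are all assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

#[derive(Clone, Debug, PartialEq)]
pub struct Credentials { pub username: String, pub password: String }

struct Entry { proxy: Credentials, target: Credentials, expires: Instant }

/// Hypothetical store: association token id -> (proxy, target) mapping.
#[derive(Default)]
pub struct CredentialStore { entries: HashMap<String, Entry> }

/// Compare without early exit so timing does not leak the matching prefix.
fn ct_eq(a: &str, b: &str) -> bool {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut diff = a.len() ^ b.len();
    for i in 0..a.len().max(b.len()) {
        diff |= (a.get(i).copied().unwrap_or(0) ^ b.get(i).copied().unwrap_or(0)) as usize;
    }
    diff == 0
}

impl CredentialStore {
    /// Preflight: bind the mapping to the token for a limited time (TTL is an assumption).
    pub fn provision(&mut self, token_id: &str, proxy: Credentials, target: Credentials, ttl: Duration) {
        self.entries.insert(token_id.to_owned(), Entry { proxy, target, expires: Instant::now() + ttl });
    }

    /// Connection: release target credentials only for matching proxy credentials.
    pub fn resolve(&mut self, token_id: &str, presented: &Credentials) -> Option<Credentials> {
        if self.entries.get(token_id)?.expires <= Instant::now() {
            self.entries.remove(token_id); // expired mappings are dropped
            return None;
        }
        let entry = self.entries.get(token_id)?;
        let ok = ct_eq(&entry.proxy.username, &presented.username)
            & ct_eq(&entry.proxy.password, &presented.password);
        ok.then(|| entry.target.clone())
    }
}

fn main() {
    // Constructed sample values, not real accounts.
    let proxy = Credentials { username: "proxy-user".into(), password: "proxy-pass".into() };
    let target = Credentials { username: "svc-rdp".into(), password: "real-secret".into() };
    let mut store = CredentialStore::default();
    store.provision("token-1", proxy.clone(), target, Duration::from_secs(60));
    println!("{:?}", store.resolve("token-1", &proxy).map(|c| c.username));
}
```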