Blogging about Royal TS/X, Royal Server and Royal Passwords

New Feature: Secure Gateway (SSH Tunnels)

During the Royal Server beta period, one of the most requested features was “Secure Gateway” or “SSH Tunneling”. We gathered a lot of feedback and worked hard on implementing tunnel support in our Royal TS and Royal TSX clients as well as in our new product, Royal Server. Our implementation is based on the SSH standard and is tightly integrated into our desktop clients and our server product. No hacky approach using PuTTY or any other external applications were implemented and when you are using Royal Server as a secure gateway, you will be amazed how easy it is to install and setup.

Note: This feature is included in the current beta releases of Royal TS/X and Royal Server.

What is a “Secure Gateway”?

A Secure Gateway is a component included in Royal Server which can be used to access computers through an encrypted SSH tunnel (aka port forwarding). Those computers are not directly reachable, only through the gateway server.

Here is an example how a Secure Gateway can be used: As a consultant you could access your customers infrastructure through the gateway and work remotely on machines which are not directly reachable from the internet. The secure gateway server requires authentication and provides an encrypted “tunnel” to the infrastructure “behind” the gateway. This is a very popular and secure method to provide access to internal machines and has many benefits compared to VPNs or direct NAT.

Of course you can also use a 3rd party SSH server as long as it supports port forwarding. OpenSSH, for instance is included out of the box in many Linux distributions. OS X also ships with an SSH server but it’s disabled by default. Here’s a short guide on how to enable it on OS X Yosemite.

Which Connection Types are supported?

  • Royal TS (for Windows) V3.1: Download Beta
    • Remote Desktop
    • VNC (based on TightVNC and UltraVNC)
    • Terminal (based on Rebex.net and PuTTY)
  • Royal TSX (for OS X) V2.1: Download Beta
    • Remote Desktop (based on FreeRDP)
    • VNC (based on Apple Screen Sharing)
    • Terminal (based on iTerm2)

The connection types Hyper-V, Terminal Services, Windows Events View, Windows Processes and Windows Services can also be used to access internal machines through Royal Server.

Installing a Secure Gateway

Setup is very quick and easy. If you haven’t already installed Royal Server, simply download the latest Royal Server V1.1 beta and install it. Royal Server is literally installed within minutes. Once installed, open the Royal Server Configuration Tool and switch to the Secure Gateway section:

The Secure Gateway feature is enabled by default. Select on which IP address and Port the gateway should be listening. The Gateway Fingerprint will be shown in Royal TS/X when you connect for the first time and helps you ensure that you connect to the right gateway, preventing “man-in-the-middle-attacks”.

Since a Secure Gateway always requires authentication, you need to configure which users are allowed to use the gateway. The Royal Server installation automatically creates a group “Royal Server Gateway Users“. Simply add the members that should be allowed to use the gateway to that group.

The Gateway Connections page provides a view with all open connections:

As you can see in the screenshot above, you see the clients connected to the remote hosts and which user is currently connected. There are also some statistics, like connect time and data sent/received.

Using a Secure Gateway in Royal TS/X

Once Royal Server is installed, you can create a new “Royal Server” object in your document, pretty much the same way as with connections or credentials. In Royal TS (for Windows), either use the Edit ribbon tab or the Add -> More… menu and select Royal Server. If you’re using Royal TSX (for OS X) you can use the Add menu.

 Secure Gateway 3Secure Gateway OS X 1

Note: In case you want to use a 3rd party SSH server for tunneling, you can also just create a Secure Gateway object.

In the Royal Server main settings page, make sure you enter the hostname/IP address of the installed Royal Server in the Computer Name field. In case you have changed the port number on the server, you can change it in the Secure Gateway settings page. There’s also a Test button which allows you to quickly test connectivity.

Secure Gateway 4 Secure Gateway OS X 2

Also make sure you enter proper credentials in the Secure Gateway Credentials settings page. Configure a credential which represents a user who is a member of the Royal Server Gateway Users group (was mentioned above).

Once you have created the Royal Server object in your document, you can assign that object to any of your Remote Desktop, VNC or Terminal connections. In the Computer Name field, use the hostname or IP address of the destination server, as seen from the computer running Royal Server.

Secure Gateway 5 Secure Gateway OS X 3

In the Secure Gateway settings page, select the Royal Server or Secure Gateway object you just created and set the Gateway Usage to Always:

Secure Gateway 6 Secure Gateway OS X 4

Active Tunnels

Once you have established a connection through a tunnel, you can check on all tunnels of a specific Secure Gateway/Royal Server using the Dashboard:

Secure Gateway 7

or check on all tunnels of all Secure Gateways or Royal Servers (in case you are using multiple gateways) using the Active Tunnels panel:

Secure Gateway 8

Happy Tunneling,
The Royal Applications Team



4 views shared on this article. Join in...

  1. Jeremy Doupe says:

    It seems the Secure Gateway function removed the option to utilize a proxy. While this may work for many, it appears that the Secure Gateway object/mechanism doesn’t allow for a two factor authentication (and even if it did, it seems like it might ask for it for each and every connection through the tunnel – which wouldn’t be acceptable either).

    Am I missing something?

  2. Stefan says:

    Hi Jeremy,

    you are right, proxy support and nested gateways are still on our list and is not yet implemented. Regarding the two factor authentication, I invite you to contact us by email at support(-at-)royalts.com and provide more details on how we could implement it.

    Regards,
    Stefan



Pings to this post

  1. […] Read more about the Secure Gateway feature here. […]

  2. […] Read more about the Secure Gateway feature here. […]


You must be logged in to post a comment.