Cloudflare with Devolutions Gateway

Devolutions Gateway can operate behind a Cloudflare Tunnel to add an additional layer of protection to an internal Devolutions Gateway installation or to allow an outbound tunnel when changing a firewall configuration is unavailable. Using Devolutions Gateway behind Cloudflare Tunnel is available for both Devolutions Server and Devolutions Hub Business.

Configure Cloudflare tunnel

  1. Log into the Cloudflare dashboard.

    A Cloudflare free plan can be used to install and run Cloudflare tunnels.

  2. Go to the Zero Trust section which is under Cloudflare Dashboard.

  3. Go to NetworksTunnels and click Create a tunnel. Create a tunnel

  4. Select Cloudflared and click Next. Cloudflared

  5. Input a name and click Save tunnel. Save tunnel

  6. Choose the appropriate operating system and architecture.

  7. Download the installer via the given link. Download the installer

  8. Copy the configuration string. Copy the configuration string

  9. Run the Cloudflare installer.

  10. In the Install and run a connector section of the Cloudflare installation window copy the command.

  11. Open the server with the installed Cloudflare tunnel daemon and open Command Prompt as an administrator.

  12. Paste the copied configuration string from step 8 and press enter.

    It is advised to verify that the Status is showing as Connected.

    Copied configuration string
    Copied configuration string
  13. Click Next. Connectors

  14. Input a unique subdomain.

  15. Choose HTTPS as Type.

    1. Enable the No TLS Verify option under Additional application settingsTLS when using a self-signed certificate for a gateway.

    Use localhost:7171 as the URL if the default gateway configuration was used.

  16. Click Save tunnel. Save tunnel

  17. Click on the newly created Tunnel name.

  18. Click Edit. Edit

  19. Go to the Public Hostname tab and click Add a public hostname. Add a public hostname

  20. Input a unique subdomain (different from step 14).

  21. Choose TCP as Type.

    Use localhost:8181 as the URL if the default gateway configuration was used.

  22. Click Save hostname. Save hostname

When done there should be two public hostnames.

Two unique public hostnames
Two unique public hostnames

Retrieve the Devolutions Server or Devolutions Hub Business provisioning key

  1. Log into the Devolutions Server or Devolutions Hub Business instance as a user with access to the Devolutions Gateway configuration.
  2. Go to AdministrationDevolutions Gateway.
  3. Click the More button and select Download public key.

This file needs to be accessible to the server hosting Devolutions Gateway behind the Cloudflare tunnel.

Install Devolutions Gateway with Cloudflare

When using Cloudflare with Devolutions Hub Business , the Devolutions Gateway Standalone web interface will be unavailable, therefore keep the Enable the Gateway web interface option unchecked. Devolutions Gateway Standalone requires a private provisioner key, which is not available with Devolutions Hub.

  1. Open a connection to the server hosting Devolutions Gateway and download the installer.

  2. Run the installer.

  3. Click Next. Next

  4. Once the desired installation path is selected, click the Next button. Installation path

  5. Click Next. Leave the defaults

  6. Click Next in the Listeners window.

    It is advised to leave the default listeners as they will likely correspond to the Cloudflare tunnel configuration.

    Listeners
    Listeners
  7. Enter the external URI by which the gateway will be reachable.

  8. Click Next. External URL

  9. Specify the path to the TLS certificates or to the system certificate store location.

  10. Click Next. Certificates

  11. Specify the path to the previously retrieved public key from Devolutions Server or Devolutions Hub Business.

    This key file must be accessible to the NetworkService account, which Devolutions Gateway runs as.

  12. Click Next. Public Key

  13. Click Install.

Launch the Cloudflared client on the Remote Desktop Manager host

The Cloudflared client needs to be downloaded and launched to properly tunnel the connection. This client will create an outbound Cloudflare tunnel connection from the local Remote Desktop Manager client to the Cloudflare tunnel connecting to Devolutions Gateway.

The following code needs to be run in a terminal window as long the tunnel needs to be open and each time a gateway will be accessed behind a Cloudflare tunnel:
cloudflared-windows-amd64.exe access tcp --hostname gateway-client-tcp.mydomain.com --url localhost:8181

To avoid running the code every time, create a service:

  1. Launch an elevated PowerShell session.

  2. Input this code to create a new PowerShell service:

    New-Service -Name "Cloudflared Egress" -BinaryPath "C:\Tools\cloudflared-windows-amd64.exe access tcp --hostname gateway-client-tcp.mydomain.com --url localhost:8181"
    
    Start-Service -Name 'Cloudflared Egress'
    
  3. Start the service.

The tunnel is now running permanently client-side.

Configure Devolutions Server or Devolutions Hub Business

Devolutions Server

  1. Log into a Devolutions Server instance as a user with access to the Devolutions Gateway configuration.

  2. Go to AdministrationDevolutions Gateway.

  3. Click the Add (+) button and choose Gateway. Gateway

  4. Enter the previously retrieved details from Cloudflare used to configure Devolutions Gateway.

    It may be needed to preface the Cloudflare tunnel domain with https://. Auto-Detect will only work if the hostname was configured to be the same as the TCP hostname in Cloudflare. Test connection if the tunnel domain is accessible.

  5. Click Save. Cloudflare configuration

  6. Click the ellipsis (More) button next to the newly configured gateway and select Publish revocation list.

    1. If the Publish Gateway configuration option is available, it should be done before Publish revocation list.
    Publish Gateway configuration
    Publish Gateway configuration

Devolutions Hub Business

  1. Log into a Devolutions Hub Business instance as a user with access to the Devolutions Gateway configuration.

  2. Go to AdministrationDevolutions Gateway.

  3. Click the Add (+) button. Add

  4. Enter the previously retrieved details from Cloudflare used to configure Devolutions Gateway.

    It may be needed to preface the Cloudflare tunnel domain with https://. Auto-Detect will only work if the hostname was configured to be the same as the TCP hostname in Cloudflare. Test connection if the tunnel domain is accessible.

    Cloudflare configuration
    Cloudflare configuration
  5. Go through any combination of Vaults, Groups or Users tabs to decide how the licenses will be distributed.

  6. Click Add.

  7. Click the ellipsis (More) button next to the newly configured gateway and select Publish Gateway configuration. Publish Gateway configuration

Devolutions Forum logo Give us Feedback