
3.1 – Gateway

You can configure the gateway by editing the gateway.conf file. Here is a list of all options:

Key Value
bindAddr Binding address, if you have multiple IP addresses and want to bind on one of them.

If you have IIS running on the same machine, you must ensure that it is not bound to the IP address & Port you want to use for the SparkGateway. You must set the bindings in the IIS Manager. However, it may also be necessary to change the HTTP service which by default listens on port 80 for all IP addresses. To do this you can use “netsh http add iplisten ipaddress=xxx.xxx.xxx.xxx” to instruct the HTTP service to listen on IP addresses not used by the SparkGateway. Then you can use port 80 on the unused IP Addresses with the SparkGateway.
port Listening port, default is 80. You can let Gateway listen on 2 ports at the same time, e.g. port = 80, 443
ssl Use HTTPS and WSS (WebSocket Secure Connection), default is false. If the gateway is listening on 2 ports, the parameter can be configured as: ssl = false, true
credSSP Network Level Authentication. Value can be "true", "false" or "auto". Default is false. “true” will slow down the connection speed a little bit. It’s not necessary to use NLA if the gateway is connecting to internal RDP hosts only. It’s better to enable credSSP if you are using Microsoft RD Broker for load balancing. "auto" will connect without credSSP the first time and reconnect with credSSP if the connection fails.
backlog How many connections can be queued, default is 50.
user Path of user configuration file (JSON format).
server Path of RDP hosts configuration file (JSON format).
html HTML root directory.
directoryIndex Default page for html directory, default is "rdp.html;index.html".
license Path of license file.
logfile Path of log file.
maxbytes Limit the maximum number of bytes to write to any one log file, default is 30M.
maxfiles Log file rotation, the number of log files to use, default is 99.
logHttpHeader Whether to log HTTP headers, which may contain sensitive information. Default is true.
converter Postscript to PDF converter, used for printing. Ghostscript is recommended:
http://www.ghostscript.com/download/
Example: C:\\Program Files\\gs\\gs9.04\\bin\\gswin64c.exe
arguments Arguments for converter. %1 is output pdf file name. %2 is input ps file name, they'll be replaced by program.
Example: -dBATCH -dNOPAUSE -dUseCIEColor -dPDFSETTINGS=/printer -sDEVICE=pdfwrite -q -sOutputFile=%1 %2
plugin Class name for your plug-in
pluginFile The full path of your plug-in jar file
password Password for reporting and management API
mime Add extra mime types for web server: rdp:application/rdp;conf:text/plain
stderrLog Set false to disable logging to stdout/stderr
keepDays How many days the temporary files generated by the system are kept, default is 1 day
disk The name for the shared disk, used for file uploading/downloading
webfeed RD Web Feed URL, for RD web access integration
recording Session recording. 0: no recording; 1: recording graphic only; 3: recording graphic and audio.
recdir Parent directory for session recording files.
recwarning Warn user about the recording, default is true
accessNotInList Whether a logged-in user can access computers that are not in their list (servers.json) or webfeed, default is false
printer Printer name, default is “Remote Printer from Client”. You can specify multiple printer names by using “;” as separator, e.g. “Printer1;Printer2”. The first one will always be the default printer.
printerDriver Printer driver name
shadowing Shadowing switch (whether joining a session is allowed), default is true.
cipherSuites The cipher suites that can be used for SSL encryption. You may want to use some good cipher suites only, for example:
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA

You need to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for AES 256 cipher suites.
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
webAddress HTTP server web address, used for OpenID login (redirection back). It’s also used on the client side for getting the real gateway address (the client side may not know that if you are using multiple gateways for load balancing).
clientHost Customize the host name of the client user. Default is the host name or IP address. You can use the following variables in the string:
${hostName}: Host name of the gateway machine.
${hostAddress}: Host address of the gateway machine.
${sequence}: a sequence number
${__ip}: client host name or IP.
${ _PARAM_SESSION_ID}: Session GUID.
${ _PARAM_NUMERIC_ID}: Session 9 digit number ID.
${any parameter transferred from client side}
e.g. clientHost = RS-${__ip}-${sequence}, the result will be RS-ClientHostName-0, RS-ClientHostName-1, …
performanceflags Please check 3.4 RDP Host for more information. You may need this if you are connecting to a Terminal Server/Remote Desktop Session Host.
remotefx Whether to enable RemoteFX, default is false. RemoteFX is LAN and 32 bit only
enableLookups Set to true if you want calls to perform DNS lookups in order to return the actual host name of the remote client. Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance). By default, DNS lookups are disabled.
maxCacheTime How long (minutes) the session can be cached on gateway, default is 0 (RDP session cache on gateway is disabled by default).
idleUserSession User session idle timeout, in milliseconds
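mail.smtp.host, mail.smtp.port, mail.user, mail.password, mail.from, mail.to, mail.smtp.auth, mail.smtp.starttls.enable Email notification when the license expires etc. The following is for Gmail:
mail.smtp.host = smtp.gmail.com
mail.smtp.port = 587
mail.user = support@toremote.com
mail.password = xxxx
mail.from = support@toremote.com
mail.to = xxx@toremote.com
mail.smtp.auth = true
mail.smtp.starttls.enable = true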
You can use java -cp SparkGateway.jar com.toremote.gateway.Mailer title message to send a test email.
licenseAlert Float value. Email alert when license usage reaches this number. If value < 1, it means a percentage of your license number; if value >= 1, it means the actual concurrent license number.
thumbnail.interval Interval for obtaining thumbnails of RDP session, milliseconds, default is 0 (no thumbnail). Client will not send thumbnail to server if screen is not changed.
thumbnail.width Thumbnail width, it must be smaller than 640, default is 0 (no thumbnail)
copyTimeout Timeout for clipboard copy operation, milliseconds, default is 3000. You may need to increase this value if your application needs to copy very large data.
savedSessionTimeout This is the maximum value (milliseconds) for saved session, default is 0, means user cannot save session on gateway.
confirmJoin Confirmation needed when a user tries to join a session, default is false
keyStore Key store location when ssl is true
keyStorePassword Key store password
passwordEncrypted Encrypt the key store password and the reporting password, default is false. Please use the following command to get the encrypted password:
java -cp SparkGateway.jar com.toremote.gateway.Encryption MyPassword
assistance Enable Remote Assistance, default is false.
ssh Enable SSH, default is false.
telnet Enable TELNET, default is false.
gatewayId Used for email notification etc.
oauth2 Path of oauth2 providers file (JSON format)
disabledKeys Keys (scancode) will not be sent to server, e.g. 219,220 (left and right Windows key); 29+56+211,56+1 will disable Ctrl+Alt+Del and Alt+Esc
dataEncrypted Whether to enable encryption of data files: servers.json, users.json, symlink.json.
webfeedCache Whether to enable the webfeed cache; set false to disable it. Default is true. You'll need to restart the gateway after your webfeed content changes if it's true.
redirectToHttps Redirect HTTP traffic to HTTPS. Make sure the gateway listens on both HTTP and HTTPS
log.level The value can be an integer or SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST. Check https://docs.oracle.com/javase/8/docs/api/java/util/logging/Level.html for more details
connectif Create a new connection if you are joining symlink which doesn’t connect to any hosts.
randomIp Use a random IP if your host name has multiple IP addresses, default is false
authorization “Basic”: enable HTTP Basic Authentication, default is null.
headers Extra headers for HTTP response. For example: headers = Strict-Transport-Security: max-age=31536000\r\nContent-Security-Policy: script-src 'self'\r\nX-XSS-Protection: 1; mode=block\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n
recFileSize Limit the size (in bytes) of recording file (auto rotation)
file.filter File type filter for file uploading, for example “exe,jar”
file.maxSize File size filter (in bytes) for file uploading.
keepPrinting Keep the printing results (PDF) on gateway, default is false.
resetOnJoin Don’t use seamless session shadowing.
timeoutWoL Timeout (milliseconds) of Wake on LAN. This will enable WoL if the value is greater than 0.
symlinkOnly Gateway will only accept symlink connections if symlinkOnly is true
simpleFormatter Let the gateway use SimpleFormatter, which is slower but allows you to configure the log format.
pingClient Ping client interval (ms). A CDN or proxy may not close the WebSocket correctly and leave the session alive forever on the gateway. You can enable this to fix this kind of issue. This is enabled by default since 5.6.
sessionRecordParam You can enable session recording from the browser side (sessionRecord=on) if this is true. Default value is false.
userGroup Path of user group configuration file in JSON format.
serverGroup Path of server group configuration file in JSON format.
organization Customize the connection name for the 2FA app on the mobile device.
maxRequestBytes Determines the upper limit for the total size of the request line and the headers. Its default setting is 8KB
maxPrintTime Printing conversion timeout, default is 1200000 milliseconds (20 minutes)
httpCookie Use HTTP Cookie for file uploading to make it more secure. Default is true.
fileUnprompted Files can be downloaded directly without asking the user to confirm when the user copies a file in the RDP server. For example, if the value is “pdf,zip”, when the user copies a PDF file, the gateway will prepare the download directly without asking the user to confirm. Depends on copyFile = true.
fileService Enable SMB2, SFTP file proxy. Disabled by default.
deployment Enable deployment service. User can deploy, test applications with the deploy agent via SSH, SFTP.
preferInteractive Prefer keyboard-interactive method on SSH. Default is true.
Deprecated, please use ssh.preferInteractive instead.
fileService Enable SMB2, SFTP file service, so user can use file.html to upload/download files from SMB2 share or SFTP server.
delSymlinkServer The related server definition will be deleted too if a symlink is deleted or expired. Default is false.
trustStore Trusted certificates for RDP or VNC server (when TLS encrypt is used, credSSP = true in gateway.conf).
trustStorePassword Password for trustStore
fileBlockSize File transfer block size, default is 524288 bytes (5M). Reducing this value can reduce bandwidth usage but increases uploading time
keyDelay Delay between keys (milliseconds). Default is 0.
authToken.name The parameter name in the websocket URL.
authToken.exec A path of an executable or a URL. If the gateway finds the authToken.name parameter in the WebSocket URL, it’ll execute the exe or HTTP request. The connection is only allowed if the exe or HTTP request status code is authToken.sucessCode.
authToken.sucessCode Integer.
twoFA 1: Enable two-factor authentication; 0: Disable (default); 2: Enforce
twoFAStore Two-factor authentication storage path. Default is installDir\data\store.data. Make sure you back up this file. It’s encrypted by default.
rec.timestampSubDir Enable/disable timestamp sub directory for recdir. Default is true.
rec.begin.exec Run an executable before the session is recorded. Arguments: fileName, server, user, sessionId.
rec.end.exec Run an executable after the session was recorded. Arguments: fileName, server, user, sessionId.
file.post Run an executable after a file was uploaded.
For example: file.post = C:\apps\scan.exe %1
%1 will be replaced by the file path of the uploaded file.
csv.file Log session information to CSV file. Columns: Id, Server, Client, IP, Browser, Time, NumericId, User, Domain, Join, Protocol, Symlink, Port, Action (CONNECT/DISCONNECT/LOGIN).
csv.size Limit the maximum number of bytes to write the log file, default is 2G.
vnc.transferCredential, ssh.transferCredential, telnet.transferCredential False by default, which disables SSO on VNC, SSH, TELNET connections when SSO is enabled in users.json (transferCredential = true).
app.id String, UUID is recommended. Can be used for load balancing. This unique id will be automatically generated if it's not set.
file.viewable Boolean, the "View" button on File Manager UI will be removed if it's false. Users then can only see the "Download" button.
license.limit Integer, restricts the concurrent session number for testing etc. This value must be smaller than the license number.

*Please always use an absolute file path if you are running Gateway as a service.
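
A configuration check for the security-relevant keys in the table above (ssl, redirectToHttps, cipherSuites, logHttpHeader, passwordEncrypted, telnet, accessNotInList), as an added example that is not part of SparkGateway or its documentation. It flags RC4, 3DES and MD5 suites, which current TLS guidance treats as weak, along with the documented defaults that leave headers in logs or passwords unencrypted. Assumptions: gateway.conf holds one "key = value" pair per line with "#" comments, a port without an ssl flag counts as plaintext, and the sample file is constructed.

```python
# Added example: audit the security-relevant gateway.conf keys from this page.
# Assumption: "key = value" lines, "#" starts a comment.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_MD5")  # substrings of weak suite names

SAMPLE = """\
# constructed sample, not a shipped default
port = 80, 443
ssl = false, true
cipherSuites = SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_RSA_WITH_AES_128_CBC_SHA
keyStorePassword = changeit
telnet = true
"""

def parse_conf(text):
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    conf = parse_conf(text)
    on = lambda key, default: conf.get(key, default).lower() == "true"
    findings = []
    # ssl carries one flag per listening port; a missing flag counts as false.
    ports = [p.strip() for p in conf.get("port", "80").split(",")]
    flags = [f.strip().lower() for f in conf.get("ssl", "false").split(",")]
    plain = [p for i, p in enumerate(ports) if flags[i:i + 1] != ["true"]]
    if plain and (len(plain) == len(ports) or not on("redirectToHttps", "false")):
        findings.append("plaintext listener on port(s) " + ",".join(plain))
    weak = [s.strip() for s in conf.get("cipherSuites", "").split(",")
            if any(m in s for m in WEAK_MARKERS)]
    if weak:
        findings.append("weak cipherSuites: " + ", ".join(weak))
    if on("logHttpHeader", "true"):  # documented default is true
        findings.append("logHttpHeader on: request headers are written to the log")
    if ("password" in conf or "keyStorePassword" in conf) \
            and not on("passwordEncrypted", "false"):
        findings.append("passwordEncrypted off: passwords stored in clear text")
    if on("telnet", "false"):
        findings.append("telnet enabled: sessions to hosts are unencrypted")
    if on("accessNotInList", "false"):
        findings.append("accessNotInList on: users can reach unlisted hosts")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```
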

You can also use config.html to configure gateway.conf. Use your browser to navigate to: http://localhost/config.html.
For security reasons, this page can only be accessed from localhost.
