3.1 – Gateway
You can configure the gateway by editing gateway.conf file, here is a list of all options:
Key | Value |
---|---|
bindAddr | Binding address, if you have multiple IP addresses and want to bind on one of them. If you have IIS running on same machine, you must ensure that it is not bound to the IP address & Port you want to use for the SparkGateway. You must set the bindings in the IIS Manager. However, it may also be necessary to change the HTTP service which by default listens on port 80 for all IP addresses. To do this you can use “netsh http add iplisten ipaddress=xxx.xxx.xxx.xxx” to instruct the HTTP service to listen on IP addresses not used by the SparkGateway. Then you can use port 80 on the unused IP Addresses with the SparkGateway. |
port | Listening port, default is 80. You can let Gateway listen on 2 ports at the same time, e.g. port = 80, 443 |
ssl | Use HTTPS and WSS (WebSocket Secure Connection), default is false. If gateway is listening on 2 port, the parameter can be configured as: ssl = false, true |
credSSP | Network Level Authentication, Value can be "true", "false" or "auto". Default is false. “true” will slow down the connection speed a little bit . It’s not necessary to use NLA if the gateway is connecting to internal RDP hosts only. It’s better to enable credSSP if you are using Microsoft RD Broker for load balancing. "auto" will connect without credSSP at the first time, reconnect with credSSP if the connection failed. |
backlog | How many connections can be queued, default is 50. |
user | Path of user configuration file (JSON format). |
server | Path of RDP hosts configuration file (JSON format). |
html | HTML root directory. |
directoryIndex | Default page for html directory, default is "rdp.html;index.html". |
license | Path of the license file. If you copy the license file named "license" (note that there is no file extension) to the SparkView root directory, it is automatically detected. If it is located elsewhere, please specify the full path of the license file including the file name, e.g. license=C:\\Program Files\\Remote Spark\\SparkGateway\\licensefolder\\license.txt . |
logfile | Path of log file. |
maxbytes | Limit the maximum number of bytes to write to any one log file, default is 30M. |
maxfiles | Log file rotation, the number of log files to use, default is 99. |
logHttpHeader | If log http header, which may contains sensitive information. Default is true. |
converter | Postscript to PDF converter, used for printing. Ghostscript is recommended: http://www.ghostscript.com/download/ Example: C:\\Program Files\\gs\\gs9.04\\bin\\gswin64c.exe |
arguments | Arguments for converter. %1 is output pdf file name. %2 is input ps file name, they'll be replaced by program. Example: -dBATCH -dNOPAUSE -dUseCIEColor -dPDFSETTINGS=/printer -sDEVICE=pdfwrite -q -sOutputFile=%1 %2 |
plugin | Class name for your plug-in |
pluginFile | The full path of your plug-in jar file |
password | Password for reporting and management API |
mime | Add extra mime types for web server: rdp:application/rdp;conf:text/plain |
stderrLog | Set false to disable logging to stdout/stderr |
keepDays | How many days the temporary files generated by system be kept, default is 1 day |
disk | The name for the shared disk, used for file uploading/downloading |
webfeed | RD Web Feed URL, for RD web access integration |
recording | Session recording, 0: no recording; 1: recording graphic only. 3: recording graphic and audio. |
recdir | Parent directory for session recording files. |
recwarning | Warn user about the recording, default is true |
accessNotInList | if logged in user can access computers which is not in their list (servers.json) or webfeed, default is false |
printer | Printer name, default is “Remote Printer from Client”. You can specify multiple printer names by using “;” as separator, e.g. “Printer1;Printer2”. The first one will always be the default printer. |
printerDriver | Printer driver name |
shadowing | Shadowing switch (if allow joining a session), default is true. |
resetOnJoin | Don't use seamless session shadowing. |
nativeShadowing | Allow native RDP session shadowing, default is false. |
cipherSuites | The cipher suites can be used by SSL encryption. You may want to use some good cipher suites only, for example: SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA You need to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for AES 256 cipher suites. http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html |
webAddress | HTTP server web address, used for OpenID login (redirection back). It’s also used on client side for getting real gateway address (client side may not know that if you are using multiple gateways for load balancing). |
clientHost | Customize the host name of the client user. Default is the host name or ip address. You can use following variables in the string: ${hostName}: Host name of the gateway machine. ${hostAddress}: Host address of the gateway machine. ${sequence}: a sequence number ${__ip}: client host name or IP. ${ _PARAM_SESSION_ID}: Session GUID. ${ _PARAM_NUMERIC_ID}: Session 9 digit number ID. ${any parameter transferred from client side} e.g. clientHost = RS-${__ip}-${sequence} , the result will be RSClientHostName-0, RS-ClientHostName-1, … |
performanceflags | Please check 3.4 RDP Host for more information. You may need this if you are connecting to a Terminal Server/Remote Desktop Session Host. |
remotefx | If enable remtoefx, default is false. RemoteFX is LAN and 32 bit only |
enableLookups | Set to true if you want calls to perform DNS lookups in order to return the actual host name of the remote client. Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance). By default, DNS lookups are disabled. |
maxCacheTime | How long (minutes) the session can be cached on gateway, default is 0 (RDP session cache on gateway is disabled by default). |
idleUserSession | User session idle timeout, in milliseconds |
mail.smtp.host mail.smtp.port mail.user mail.password mail.from mail.to mail.smtp.auth mail.smtp.starttls.enable |
Email notification when license expire etc, following is for gamil: smtp.gmail.com 587 support@toremote.com xxxx support@toremotec.om xxx@toremote.com true true You can use java -cp SparkGateway.jar com.toremote.gateway.Mailer title message to send a test email. |
licenseAlert | Float value, Email alert when license usage reached this number. If value < 1, it means percentage of your license number; If value > = 1, it means the actual concurrent license number. |
thumbnail.interval | Interval for obtaining thumbnails of RDP session, milliseconds, default is 0 (no thumbnail). Client will not send thumbnail to server if screen is not changed. |
thumbnail.width | Thumbnail width, it must be smaller than 640, default is 0 (no thumbnail) |
copyTimeout | Timeout for clipboard copy operation, milliseconds, default is 3000. You may need to increase this value if your application need to copy very big data. |
savedSessionTimeout | This is the maximum value (milliseconds) for saved session, default is 0, means user cannot save session on gateway. |
confirmJoin | Confirmation needed when a user try to join a session, default is false |
keyStore | Set up key store position when ssl is true |
keyStorePassword | Key store password |
passwordEncrypted | Encrypt the key store password and the reporting password, default is false. Please use following command to get encrypted password:java -cp SparkGateway.jar com.toremote.gateway.Encryption MyPassword |
assistance | Enable Remote Assistance, default is false. |
ssh | Enable SSH, default is false. |
telnet | Enable TELNET, default is false. |
gatewayId | Used for email notification etc. |
oauth2 | Path of oauth2 providers file (JSON format) |
disabledKeys | Keys (scancode) will not be sent to server, e.g. 219,220 (left and right Windows key); 29+56+211,56+1 will disable Ctrl+Alt+Del and Alt+Esc |
dataEncrypted | If enable encryption on data files: servers.json, users.json, symlink.json. |
webfeedCache | If enable webfeed cache. false to disable it. Default is true. You'll need to restart the gateway after your webfeed content changed if it's true. |
redirectToHttps | Redirect http tranfic to https. Make sure gateway listen on both http and https |
log.level | The value can be an integer or SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST. Check https://docs.oracle.com/javase/8/docs/api/java/util/logging/Level.html for more details |
connectif | Create a new connection if you are joining symlink which doesn’t connect to any hosts. |
randomIp | Use a random ip if your host name has multiple ip address, default is false |
authorization | “Basic”: enable HTTP Basic Authentication, default is null. |
headers | Extra headers for HTTP response, For example: headers = Strict-TransportSecurity: max-age=31536000\r\nContent-Security-Policy: script-src 'self'\r\nXXSS-Protection: 1; mode=block\r\nX-Frame-Options: SAMEORIGIN\r\nX-ContentType-Options: nosniff\r\n |
recFileSize | Limit the size (in bytes) of recording file (auto rotation) |
file.filter | File type filter for file uploading, for example “exe,jar” |
file.maxSize | File size filter (in bytes) for file uploading. |
keepPrinting | Keep the printing results (PDF) on gateway, default is false. |
timeoutWoL | Time out (milliseconds) of Wake on LAN. This will enable WoL if the value is great that 0. |
symlinkOnly | Gateway will only accept aymlink connection if symlinkOnly is true |
simpleFormatter | Let gateway use SimpleFormatter which is slower but allow you to configure log format. |
pingClient | Ping client interval (ms). CND or proxy may not close the websocket correctly and leave session alive forever on the gateway. You can enable this to fix this kind of issue. This is enabled by default since 5.6. |
sessionRecordParam | You can enable session recording from the browser side (sessionRecord=on) if this is true. Default value is false. |
userGroup | Path of user group configuration file in JSON format. |
serverGroup | Path of server group configuration file in JSON format. |
organization | Customize the connection name for the 2FA app on the mobile device. |
maxRequestBytes | Determines the upper limit for the total size of the request line and the headers. Its default setting is 8KB |
maxPrintTime | Printing conversion timeout, default is 1200000 milliseconds (20 minutes) |
httpCookie | Use HTTP Cookie for file uploading to make it more secure. Default is true. |
fileUnprompted | Files can be download directly without asking user to confirm when user copy a file in RDP server. For example, if the value is “pdf,zip”, when user copy a PDF file, the gateway will prepare the downloading directly without ask use to confirm. Depends on copyFile = true. |
deployment | Enable deployment service. User can deploy, test applications with the deploy agent via SSH, SFTP. |
Prefer keyboard-interactive method on SSH. Default is true. Deprecated, please use ssh.preferInteractive instead. |
|
fileService | Enable SMB2, SFTP file proxy, so user can use file.html to upload/download files from SMB2 share or SFTP server. Disabled by default. |
delSymlinkServer | The related server definition will be deleted too if a symlink is deleted or expired. Default is false. |
trustStore | Trusted certificates for RDP or VNC server (when TLS encrypt is used, credSSP = true in gateway.conf). |
trustStorePassword | Password for trustStore |
fileBlockSize | File transferring block size, default is 524288 bytes(5M). Reduce this value can reduce the bandwidth usage but increase uploading time |
keyDelay | Delay between keys (milliseconds). Default is 0. |
authToken.name | The parameter name in the websocket URL. |
authToken.exec | A path of executable or URL. If gateway found the authToken.name parameter in the websocket url, it’ll execute the exe or HTTP Request. The connection can be only allow if the exe or HTTP Request Status Code is authToken.sucessCode. |
authToken.sucessCode | Integer. |
twoFA | 1: Enable two-factor authentication; 0: Disable (default); 2: Enforce |
twoFAStore | Two-factor authentication storage path. Default is installDir\data\store.data. Make sure you back up this file. It’s encrypted by default. |
rec.timestampSubDir | Enable/disable timestamp sub directory for recdir. Default is true. |
rec.begin.exec | Run an executable before the session is recorded. Arguments: fileName, server, user, sessionId. |
rec.end.exec | Run an executable after the session was recorded. Arguments: fileName, server, user, sessionId. |
file.post | Run an executable after a file was uploaded. For example: file.post = C:\apps\scan.exe %1 %1 will be replaced by the file path of the uploaded file. |
csv.file | Log session information to CSV file. Columns: Id, Server, Client, IP, Browser, Time ,NumericId, User, Domain, Join, Protocol, Symlink, Port, Action (CONNECT/DISCONNECT/LOGIN). |
csv.size | Limit the maximum number of bytes to write the log file, default is 2G. |
vnc.transferCredential, ssh.transferCredential, telnet.transferCredential |
False by default, which disable SSO on VNC, SSH, TELNET connection when SSO is enabled in users.json (transferCredential = true). |
app.id | String, UUID is recommended. Can be used for load balancing. This unique id will be automatically generated if it's not set. |
file.viewable | Boolean, the "View" button on File Manager UI will be removed if it's false. Users then can only see the "Download" button. |
license.limit | Integer, restricts the concurrent session number for testing etc. This value must be smaller than the license number. |
*Please always use absolute file path if you are running Gateway as a service.
You can also use config.html to configure gateway.conf. Use your browser navigate to: http://localhost/config.html.
For security reason, this page can be only accessed from localhost.