3.1 – Gateway

You can configure the gateway by editing the gateway.conf file. The following table lists all options:

| Key | Value |
| --- | --- |
| bindAddr | Binding address, if you have multiple IP addresses and want to bind to one of them. If IIS is running on the same machine, you must ensure that it is not bound to the IP address and port you want to use for SparkGateway. Set the bindings in IIS Manager. It may also be necessary to change the HTTP service, which by default listens on port 80 for all IP addresses. To do this, use `netsh http add iplisten ipaddress=xxx.xxx.xxx.xxx` to instruct the HTTP service to listen on IP addresses not used by SparkGateway. You can then use port 80 on the unused IP addresses with SparkGateway. |
| port | Listening port, default is 80. The gateway can listen on 2 ports at the same time, e.g. `port = 80, 443` |
| ssl | Use HTTPS and WSS (WebSocket Secure Connection), default is false. If the gateway is listening on 2 ports, the parameter can be configured as `ssl = false, true` |
| credSSP | Network Level Authentication. Value can be "true", "false" or "auto". Default is false. "true" will slow down the connection speed a little. It's not necessary to use NLA if the gateway is connecting to internal RDP hosts only. It's better to enable credSSP if you are using Microsoft RD Broker for load balancing. "auto" connects without credSSP the first time and reconnects with credSSP if the connection fails. |
| backlog | How many connections can be queued, default is 50. |
| user | Path of the user configuration file (JSON format). |
| server | Path of the RDP hosts configuration file (JSON format). |
| html | HTML root directory. |
| directoryIndex | Default page for the HTML directory, default is "rdp.html;index.html". |
| license | Path of the license file. |
| logfile | Path of the log file. |
| maxbytes | Maximum number of bytes to write to any one log file, default is 30M. |
| maxfiles | Log file rotation: the number of log files to use, default is 99. |
| logHttpHeader | Whether to log HTTP headers, which may contain sensitive information. Default is true. |
| converter | PostScript to PDF converter, used for printing. Ghostscript is recommended: http://www.ghostscript.com/download/ Example: `C:\\Program Files\\gs\\gs9.04\\bin\\gswin64c.exe` |
| arguments | Arguments for the converter. %1 is the output PDF file name and %2 is the input PS file name; both are replaced by the program. Example: `-dBATCH -dNOPAUSE -dUseCIEColor -dPDFSETTINGS=/printer -sDEVICE=pdfwrite -q -sOutputFile=%1 %2` |
| plugin | Class name for your plug-in |
| pluginFile | The full path of your plug-in jar file |
| password | Password for the reporting and management API |
| mime | Add extra MIME types for the web server: `rdp:application/rdp;conf:text/plain` |
| stderrLog | Set false to disable logging to stdout/stderr |
| keepDays | How many days the temporary files generated by the system are kept, default is 1 day |
| disk | The name of the shared disk, used for file uploading/downloading |
| webfeed | RD Web Feed URL, for RD Web Access integration |
| recording | Session recording. 0: no recording; 1: recording graphic only; 3: recording graphic and audio. |
| recdir | Parent directory for session recording files. |
| recwarning | Warn the user about the recording, default is true |
| accessNotInList | Whether a logged-in user can access computers which are not in their list (servers.json) or webfeed, default is false |
| printer | Printer name, default is "Remote Printer from Client". You can specify multiple printer names by using ";" as separator, e.g. "Printer1;Printer2". The first one will always be the default printer. |
| printerDriver | Printer driver name |
| shadowing | Shadowing switch (whether joining a session is allowed), default is true. |
| cipherSuites | The cipher suites that can be used by SSL encryption. You may want to use some good cipher suites only, for example: `SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA`. You need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for AES 256 cipher suites: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html |
| webAddress | HTTP server web address, used for OpenID login (redirection back). It's also used on the client side for getting the real gateway address (the client side may not know it if you are using multiple gateways for load balancing). |
| clientHost | Customize the host name of the client user. Default is the host name or IP address. You can use the following variables in the string: `${hostName}`: host name of the gateway machine; `${hostAddress}`: host address of the gateway machine; `${sequence}`: a sequence number; `${__ip}`: client host name or IP; `${ _PARAM_SESSION_ID}`: session GUID; `${ _PARAM_NUMERIC_ID}`: session 9-digit number ID; `${any parameter transferred from client side}`. E.g. `clientHost = RS-${__ip}-${sequence}`, the result will be RS-ClientHostName-0, RS-ClientHostName-1, … |
| performanceflags | Please check 3.4 RDP Host for more information. You may need this if you are connecting to a Terminal Server/Remote Desktop Session Host. |
| remotefx | Whether to enable RemoteFX, default is false. RemoteFX is LAN and 32 bit only |
| enableLookups | Set to true if you want calls to perform DNS lookups in order to return the actual host name of the remote client. Set to false to skip the DNS lookup and return the IP address in String form instead (thereby improving performance). By default, DNS lookups are disabled. |
| maxCacheTime | How long (minutes) the session can be cached on the gateway, default is 0 (RDP session cache on the gateway is disabled by default). |
| idleUserSession | User session idle timeout, in milliseconds |
| mail.smtp.host, mail.smtp.port, mail.user, mail.password, mail.from, mail.to, mail.smtp.auth, mail.smtp.starttls.enable | Email notification when the license expires etc. The following values, in the same order as the keys, are for Gmail: smtp.gmail.com, 587, support@toremote.com, xxxx, support@toremote.com, xxx@toremote.com, true, true. You can use `java -cp SparkGateway.jar com.toremote.gateway.Mailer title message` to send a test email. |
| licenseAlert | Float value. Email alert when license usage reaches this number. If value < 1, it means a percentage of your license number; if value >= 1, it means the actual concurrent license number. |
| thumbnail.interval | Interval for obtaining thumbnails of the RDP session, in milliseconds, default is 0 (no thumbnail). The client will not send a thumbnail to the server if the screen has not changed. |
| thumbnail.width | Thumbnail width, it must be smaller than 640, default is 0 (no thumbnail) |
| copyTimeout | Timeout for the clipboard copy operation, in milliseconds, default is 3000. You may need to increase this value if your application needs to copy very big data. |
| savedSessionTimeout | The maximum value (milliseconds) for a saved session. Default is 0, which means users cannot save sessions on the gateway. |
| confirmJoin | Confirmation needed when a user tries to join a session, default is false |
| keyStore | Key store location, used when ssl is true |
| keyStorePassword | Key store password |
| passwordEncrypted | Encrypt the key store password and the reporting password, default is false. Use the following command to get the encrypted password: `java -cp SparkGateway.jar com.toremote.gateway.Encryption MyPassword` |
| assistance | Enable Remote Assistance, default is false. |
| ssh | Enable SSH, default is false. |
| telnet | Enable TELNET, default is false. |
| gatewayId | Used for email notification etc. |
| oauth2 | Path of the oauth2 providers file (JSON format) |
| disabledKeys | Keys (scancodes) that will not be sent to the server, e.g. 219,220 (left and right Windows key); 29+56+211,56+1 will disable Ctrl+Alt+Del and Alt+Esc |
| dataEncrypted | Whether to enable encryption on data files: servers.json, users.json, symlink.json. |
| webfeedCache | Whether to enable the webfeed cache; set false to disable it. Default is true. If it is true, you'll need to restart the gateway after your webfeed content changes. |
| redirectToHttps | Redirect HTTP traffic to HTTPS. Make sure the gateway listens on both HTTP and HTTPS |
| log.level | The value can be an integer or SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST. Check https://docs.oracle.com/javase/8/docs/api/java/util/logging/Level.html for more details |
| connectif | Create a new connection if you are joining a symlink which doesn't connect to any hosts. |
| randomIp | Use a random IP if your host name has multiple IP addresses, default is false |
| authorization | "Basic": enable HTTP Basic Authentication, default is null. |
| headers | Extra headers for the HTTP response. For example: `headers = Strict-Transport-Security: max-age=31536000\r\nContent-Security-Policy: script-src 'self'\r\nX-XSS-Protection: 1; mode=block\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n` |
| recFileSize | Limit the size (in bytes) of the recording file (auto rotation) |
| file.filter | File type filter for file uploading, for example "exe,jar" |
| file.maxSize | File size filter (in bytes) for file uploading. |
| keepPrinting | Keep the printing results (PDF) on the gateway, default is false. |
| resetOnJoin | Don't use seamless session shadowing. |
| timeoutWoL | Timeout (milliseconds) of Wake on LAN. This will enable WoL if the value is greater than 0. |
| symlinkOnly | The gateway will only accept symlink connections if symlinkOnly is true |
| simpleFormatter | Let the gateway use SimpleFormatter, which is slower but allows you to configure the log format. |
| pingClient | Ping client interval (ms). A CDN or proxy may not close the WebSocket correctly and leave the session alive forever on the gateway. You can enable this to fix this kind of issue. This is enabled by default since 5.6. |
| sessionRecordParam | You can enable session recording from the browser side (sessionRecord=on) if this is true. Default value is false. |
| userGroup | Path of the user group configuration file in JSON format. |
| serverGroup | Path of the server group configuration file in JSON format. |
| maxRequestBytes | Determines the upper limit for the total size of the request line and the headers. Its default setting is 8KB |
| maxPrintTime | Printing conversion timeout, default is 1200000 milliseconds (20 minutes) |
| httpCookie | Use an HTTP cookie for file uploading to make it more secure. Default is true. |
| fileUnprompted | Files can be downloaded directly without asking the user to confirm when the user copies a file in the RDP server. For example, if the value is "pdf,zip", when the user copies a PDF file, the gateway will prepare the download directly without asking the user to confirm. Depends on copyFile = true. |
| fileService | Enable SMB2, SFTP file proxy. Disabled by default. |
| deployment | Enable the deployment service. Users can deploy and test applications with the deploy agent via SSH, SFTP. |
| preferInteractive | Prefer the keyboard-interactive method on SSH. Default is true. Deprecated, please use ssh.preferInteractive instead. |
| fileService | Enable SMB2, SFTP file service, so users can use file.html to upload/download files from an SMB2 share or SFTP server. |
| delSymlinkServer | The related server definition will be deleted too if a symlink is deleted or expired. Default is false. |
| trustStore | Trusted certificates for the RDP or VNC server (when TLS encryption is used, credSSP = true in gateway.conf). |
| trustStorePassword | Password for trustStore |
| fileBlockSize | File transfer block size, default is 524288 bytes (5M). Reducing this value can reduce the bandwidth usage but increases the uploading time |
| keyDelay | Delay between keys (milliseconds). Default is 0. |
| authToken.name | The parameter name in the WebSocket URL. |
| authToken.exec | A path of an executable or a URL. If the gateway finds the authToken.name parameter in the WebSocket URL, it will execute the exe or HTTP request. The connection is allowed only if the exe or HTTP request status code is authToken.sucessCode. |
| authToken.sucessCode | Integer. |
| twoFA | 1: Enable two-factor authentication; 0: Disable (default); 2: Enforce |
| twoFAStore | Two-factor authentication storage path. Default is `installDir\data\store.data`. Make sure you back up this file. It's encrypted by default. |
| rec.timestampSubDir | Enable/disable the timestamp sub directory for recdir. Default is true. |
| rec.begin.exec | Run an executable before the session is recorded. Arguments: fileName, server, user, sessionId. |
| rec.end.exec | Run an executable after the session was recorded. Arguments: fileName, server, user, sessionId. |
| file.post | Run an executable after a file was uploaded. For example: `file.post = C:\apps\scan.exe %1`. %1 will be replaced by the file path of the uploaded file. |
| csv.file | Log session information to a CSV file. Columns: Id, Server, Client, IP, Browser, Time, NumericId, User, Domain, Join, Protocol, Symlink, Port, Action (CONNECT/DISCONNECT/LOGIN). |
| csv.size | Limit the maximum number of bytes to write to the log file, default is 2G. |
| vnc.transferCredential, ssh.transferCredential, telnet.transferCredential | False by default, which disables SSO on VNC, SSH and TELNET connections when SSO is enabled in users.json (transferCredential = true). |

*Please always use absolute file paths if you are running the gateway as a service.

You can also use config.html to configure gateway.conf. In your browser, navigate to: http://localhost/config.html.
For security reasons, this page can only be accessed from localhost.
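
The following is an added example, not part of the SparkGateway documentation or product: a small Python audit of a gateway.conf that applies the defaults listed in the option table. It flags RC4, 3DES, MD5 and other deprecated suites in cipherSuites (several entries in the sample list for that option fall into this group), plaintext listeners without redirectToHttps, HTTP header logging, and passwords stored without passwordEncrypted. The `key = value` line format with `#` comments and the sample file contents are assumptions constructed for the example.

```python
import re

# Defaults as documented in the option table above.
DEFAULTS = {"ssl": "false", "logHttpHeader": "true",
            "passwordEncrypted": "false", "redirectToHttps": "false"}
# Algorithm tokens in JSSE suite names that mark a suite as broken or deprecated.
WEAK = re.compile(r"_(RC4|3DES|DES|NULL|EXPORT|anon)_|_MD5$")

def parse_conf(text):
    """Parse key = value lines; '#' comment handling is an assumption."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (key, message) findings for settings worth a second look."""
    findings = []
    suites = [s.strip() for s in conf.get("cipherSuites", "").split(",") if s.strip()]
    weak = [s for s in suites if WEAK.search(s)]
    if weak:
        findings.append(("cipherSuites", "weak suites: " + ", ".join(weak)))
    ssl_flags = [v.strip().lower() for v in conf["ssl"].split(",")]
    if "false" in ssl_flags and conf["redirectToHttps"].lower() != "true":
        findings.append(("ssl", "plaintext listener without redirectToHttps"))
    if conf["logHttpHeader"].lower() != "false":
        findings.append(("logHttpHeader", "HTTP headers are written to the log"))
    has_secret = "password" in conf or "keyStorePassword" in conf
    if has_secret and conf["passwordEncrypted"].lower() != "true":
        findings.append(("passwordEncrypted", "passwords stored in clear text"))
    return findings

# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
port = 80, 443
ssl = false, true
keyStorePassword = changeit
cipherSuites = SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    for key, msg in audit(parse_conf(SAMPLE)):
        print(f"{key}: {msg}")
```

The AES-CBC suites pass this check because they are not broken outright; whether to keep them depends on what the Java runtime under the gateway offers.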