Implemented

Native Azure Bastion integration

As an MSP, more and more of our clients are moving away from traditional on-premises RDP over VPN and making the switch to Azure Bastion, Microsoft Azure's native RDP and SSH gateway product.


This makes us use Royal TS less and less because there is no native support for Azure Bastion and we are tied to using the Azure Portal or CLI tooling to access servers behind Azure Bastion.


The Standard tier of Azure Bastion supports native RDP integration for native apps on Windows. This has already been implemented by competitor Devolutions' RDM as a native feature.


Although we would much prefer to stick to RTS, we foresee that RTS will become obsolete for us in the near future if Bastion integration is not implemented.


Thanks for the feedback.


I briefly looked at the Azure Bastion docs from Microsoft and found that "native" integration may be a bit complicated. I'm not a specialist in this area, but maybe you can help me clear things up.


I think the only way to do some integration is using the tunnel command:

https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-windows#connect-to-a-vm---tunnel-command


It would allow us to do something similar to what we already do with the Secure Gateway (local port forwarding) and use the ActiveX control to connect to localhost:localport, which is forwarded. The other methods are either tied to the web interface or invoke MSTSC directly.


This would mean that:

  • The user needs to install the Azure CLI tools (az command)
  • Do a login upfront in order to make it work (az login)
  • We need to invoke the az commands to create the tunnel
  • Connect to the machine on 127.0.0.1:localport of the tunnel
  • There's nothing in the docs which shows how to close the tunnel though


I think that's the only way to make it work, right? I couldn't find alternative APIs/SDKs to do the same directly in code (using .NET/C#). If you are aware of an alternative API, let me know. Using the az commands seems a bit brittle.


1 person likes this
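As an added example (not Royal TS code and not part of the Azure CLI), the shell script below wraps the tunnel flow listed in the reply above, including the two details later posts in this thread turned out to need: the target must be a full VM resource ID, and the tunnel is closed by ending the az process. It assumes the az CLI with the bastion extension is installed and `az login` has been done; all names and IDs are placeholders.

```shell
#!/usr/bin/env bash
# Added example: scripted "az network bastion tunnel" lifecycle (assumed setup:
# az CLI + bastion extension installed, "az login" already done; names are placeholders).

# The tunnel only accepts a full ARM resource ID for the target VM. Passing a bare
# VM name is what yields "Please enter a valid resource ID", especially when the
# Bastion host and the VM live in different resource groups or subscriptions.
is_vm_resource_id() {
  printf '%s' "$1" | grep -Eqi \
    '^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Compute/virtualMachines/[^/]+$'
}

# Build the command line. Arguments: Bastion name, Bastion resource group,
# target VM resource ID, remote port (3389 for RDP, 22 for SSH), local port.
bastion_tunnel_cmd() {
  is_vm_resource_id "$3" || { echo "not a VM resource ID: $3" >&2; return 1; }
  printf 'az network bastion tunnel --name %s --resource-group %s --target-resource-id %s --resource-port %s --port %s' \
    "$1" "$2" "$3" "$4" "$5"
}

# Start the tunnel in the background and return its PID. The docs show no
# "close" command; the tunnel goes away when the az process is terminated.
bastion_tunnel_open() {
  cmd=$(bastion_tunnel_cmd "$@") || return 1
  $cmd >/dev/null 2>&1 &
  echo $!
}

# Tear the tunnel down by ending the az process recorded by bastion_tunnel_open.
bastion_tunnel_close() {
  kill "$1" 2>/dev/null || return 1
  wait "$1" 2>/dev/null || true   # wait reports the kill signal; that is expected
}

# Demo (only runs when invoked as "./script.sh demo"): open an RDP tunnel on
# 127.0.0.1:53389, hand off to the RDP client of your choice, then close it.
if [ "${1:-}" = "demo" ]; then
  VM_ID='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01'
  pid=$(bastion_tunnel_open bas-hub rg-hub "$VM_ID" 3389 53389) || exit 1
  echo "tunnel up on 127.0.0.1:53389 (pid $pid); connect your RDP client, then press Enter"
  read -r _
  bastion_tunnel_close "$pid"
fi
```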

Hi Stefan,


Thank you for your swift look into this functionality. Some preliminary comments on your reply below:


I am not aware of any other officially supported SDKs that allow this to be added. However, I also believe the Azure CLI tools are distributed under the MIT license, which should permit you to include the tools or the parts that you need. As far as I know, the Azure CLI tools are just a Python library in disguise, so it should be possible to replicate the tunneling functionality using that. Many calls that the Azure CLI makes are just API endpoints that you could "impersonate" with something like Postman. There are plenty of examples online of people who have reverse engineered this, so there should be possibilities there.


Unfortunately I have no experience with Python or too much programming other than PowerShell so I cannot be sure how difficult it would be to extract or duplicate the functionality.


Also, the tunnel is closed when the command window is closed and the Python script is terminated (it's just a local server that keeps a websocket open to Azure and tunnels it to a specific port).

Just to let you know, we were able to do a quick PoC and are working on an implementation. Stay tuned...


1 person likes this

We just released a new build today which has Azure Bastion support:

https://www.royalapps.com/go/help-ts-win-v7-ref-azure-bastion-gateway


You can download the latest release here:

https://royalapps.com/ts/win/download


Regards,
Stefan

Hi Stefan, thanks for the swift implementation! However, on first try it seems like the CLI command you call is missing the "--target-resource-id" parameter and it fails. Am I doing something wrong on my end?




Hi Tom,


Our tests were successful. Maybe something else is going on. I would recommend opening a support ticket and providing screenshots of your Bastion Gateway, connection configuration and your Azure resource page.


Regards,
Stefan

Thank you for the feedback, Tom. Would you mind creating a dedicated feature request for that to better track that and let other users comment/vote for it?


Thanks,
Stefan

Hi Stefan, 

thank you for implementing the Bastion integration. This makes RoyalTS interesting again for our internal IT.


However, I encountered a problem during testing. I cannot connect to the VMs in Azure. I get the message "Please enter a valid resource ID". I suspect that this is because our bastion and the VMs I want to connect to via RDP are in different resource groups, sometimes even in different subscriptions. I have not found a way to specify the resource group and subscription for each VM. With another well-known RDP manager, I can define resource groups and subscriptions for the bastion as well as for each VM individually and this works.


Have I overlooked something, or is this something you could implement? I suspect that it is more often the exception that bastion and VM are in the same resource group.


Regards,

Lukas

Hi Lukas,


If you enter the full resource ID of the VM in the "Computer Name" of the computer object, it should work! We use different subscriptions for our Bastion and VMs too. Please note that we had to update the Bastion CLI extension on the local PC before everything worked for us, as you need the latest version (az extension update --name bastion).




Let me know if this helps!


Kind regards,

Tom


1 person likes this

Hello Tom,


thank you very much for your answer, it worked immediately!


Kind regards,

Lukas


Royal TSX support for this as well?

Hi Luminous!


Royal TSX implementation is planned but not high on our priority list. If you want to speed things up, I recommend creating a dedicated entry in the Royal TSX Ideas forum so that other users can also upvote the feature request.


Regards,
Stefan

Hey! This is pretty cool. But is there any chance we could chain an Azure Bastion as a dependent gateway for a secure gateway? I have a bit of an annoying setup where I need to connect like:


My PC -> Azure Bastion -> Server 1 (SSH) -> Server 2 (SSH) -> Server 3 (HTTPS)


All of this is doable in Royal TS right now, but it's two steps.


1. I have to start an interactive SSH session (PuTTY) through the Azure Bastion; on this I've set up "traditional" SSH forwarding towards the SSH port on Server 2.

2. I've set up Server 2 as a "secure gateway" that I can then use as a gateway for Server 3.


This works OK, but it requires me to keep an open interactive SSH session to Server 1. It would be nicer if I could make a Secure Gateway object for Server 1, make that secure gateway object depend on the Azure Bastion, and then make the Server 2 gateway depend on Server 1.

Using Azure Bastion as a dependent gateway for secure gateways, or secure gateways as a dependent gateway for Azure Bastion gateways, is currently not possible on a technical level. We need to restructure a fairly big amount of code for this to work, and I can't really tell when we will be able to work on this. I suggest you open a separate feature request for this in the Ideas forum for Windows and macOS so that other users can comment and vote for it.


Regards,
Stefan
