Implemented

Native Azure Bastion integration

As an MSP, more and more clients are moving away from traditional on-premise RDP over VPN and making the switch to Azure Bastion, Microsoft Azure's native RDP and SSH gateway product.


This makes us use Royal TS less and less because there is no native support for Azure Bastion and we are tied to using the Azure Portal or CLI tooling to access servers behind Azure Bastion.


The Standard tier of Azure Bastion supports native RDP integration for native apps on Windows. This has already been implemented by competitor Devolutions' RDM as a native feature.


Although we would much prefer to stick to RTS, we foresee that RTS will become obsolete for us in the near future if Bastion integration is not implemented.


Thanks for the feedback.


I briefly looked at the Azure Bastion docs from Microsoft and found that "native" integration may be a bit complicated. I'm not a specialist in this area but maybe you can help me to clear things up.


I think the only way to do some integration is using the tunnel command:

https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-windows#connect-to-a-vm---tunnel-command


It would allow us to do something similar to what we do with the Secure Gateway already (local port forwarding) and use the ActiveX control to connect to the localhost:localport which is forwarded. The other methods are either tied to the web interface or are invoking MSTSC directly.


This would mean that:

  • The user needs to install the Azure CLI tools (az command)
  • Do a login upfront in order to make it work (az login)
  • We need to invoke the az commands to create the tunnel 
  • Connect to the machine on 127.0.0.1:localport of the tunnel
  • There's nothing in the docs which shows how to close the tunnel though


I think that's the only way to make it work, right? I couldn't find alternative APIs/SDKs to do the same directly in code (using .NET/C#). If you are aware of an alternative API, let me know. Using the az commands seems a bit brittle.



Hi Stefan,


Thank you for your swift look into this functionality. Some preliminary comments on your reply below:


I am not aware of any other officially supported SDKs that allow this to be added. However, I also believe the Azure CLI tools are distributed under the MIT license, which should permit you to include the tools or the parts that you need. As far as I know, the Azure CLI tools are just a Python library in disguise, so it should be possible to replicate the functionality of tunneling using that. Many calls that the Azure CLI makes are just API endpoints that you could "impersonate" with something like Postman. There are plenty of examples of people online who have reverse engineered this, so there should be possibilities there.


Unfortunately I have no experience with Python or too much programming other than PowerShell so I cannot be sure how difficult it would be to extract or duplicate the functionality.


Also, the tunnel is closed when the command window is closed and the Python script is terminated (it's just a local server that keeps a websocket open to Azure and tunnels it to a specific port).
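
The procedure discussed in the posts above (an existing `az login` session, `az network bastion tunnel`, an RDP connection to 127.0.0.1 on the forwarded port, and ending the process to close the tunnel), as an added PowerShell example that is not part of the thread and not Royal TS's implementation. The bracketed parameter defaults are placeholders, and the free-port selection, the timeout and the use of `mstsc.exe` as the client are assumptions.

```powershell
# Added example. Placeholder values are constructed, not taken from the thread.
param(
    [string]$BastionName   = '<bastion-name>',
    [string]$ResourceGroup = '<resource-group>',
    [string]$TargetVmId    = '<vm-resource-id>',   # full Azure resource ID of the target VM
    [int]$ResourcePort     = 3389,                 # RDP port on the target VM
    [int]$TunnelTimeoutSec = 60
)

# Fail early if there is no Azure CLI session (the "az login" step).
az account show --output none 2>$null
if ($LASTEXITCODE -ne 0) { throw 'No Azure CLI session. Run "az login" first.' }

# Ask the OS for a free loopback port so parallel sessions do not collide.
$probe = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
$probe.Start()
$localPort = $probe.LocalEndpoint.Port
$probe.Stop()

# az is a .cmd wrapper on Windows, so start it through cmd.exe to get a process handle.
$azArgs = "/c az network bastion tunnel --name `"$BastionName`" --resource-group `"$ResourceGroup`" " +
          "--target-resource-id `"$TargetVmId`" --resource-port $ResourcePort --port $localPort"
$tunnel = Start-Process -FilePath 'cmd.exe' -ArgumentList $azArgs -WindowStyle Hidden -PassThru

try {
    # Wait for the tunnel's local listener without opening a connection to it.
    $deadline = (Get-Date).AddSeconds($TunnelTimeoutSec)
    $ready = $false
    while (-not $ready -and (Get-Date) -lt $deadline) {
        if ($tunnel.HasExited) { throw "az exited with code $($tunnel.ExitCode) before the tunnel opened." }
        $ready = [bool](Get-NetTCPConnection -LocalPort $localPort -State Listen -ErrorAction SilentlyContinue)
        if (-not $ready) { Start-Sleep -Milliseconds 500 }
    }
    if (-not $ready) { throw "Tunnel did not open within $TunnelTimeoutSec seconds." }

    # Point the RDP client at the forwarded port and block until the session ends.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:127.0.0.1:$localPort" -Wait
}
finally {
    # Ending the az process tree closes the tunnel; /T also stops the Python child process.
    if (-not $tunnel.HasExited) { taskkill /PID $tunnel.Id /T /F | Out-Null }
}
```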

Just to let you know, we were able to do a quick PoC and are working on an implementation. Stay tuned...



We just released a new build today which has Azure Bastion support:

https://www.royalapps.com/go/help-ts-win-v7-ref-azure-bastion-gateway


You can download the latest release here:

https://royalapps.com/ts/win/download


Regards,
Stefan

Hi Stefan, thanks for the swift implementation! However, on first try it seems like the CLI command you call is missing the "--target-resource-id" parameter and it fails. Am I doing something wrong on my end?




Hi Tom,


Our tests were successful. Maybe something else is going on. I would recommend opening a support ticket and providing screenshots of your Bastion Gateway, connection configuration and your Azure resource page.


Regards,
Stefan

Thank you for the feedback, Tom. Would you mind creating a dedicated feature request for that to better track that and let other users comment/vote for it?


Thanks,
Stefan
