Guacamole Package?

Continuing from above
# First Login

To access guacamole, log in to it through your newly created https://FQDN/path/to/guacamole reverse proxy, using the default credentials guacadmin / guacadmin.

Once inside, you can go to Settings and change the password to something very, very long (don't fat-finger it!).

Set up a new user named "admin" and give it any password; be sure to check "login disabled", as we'll be using LDAP users to log in.

Now log out and, if it doesn't exist yet, create an "admin" account from the NS GUI, give it a password, and use these credentials to log in to guacamole; this will be the guacamole administrator account.

Once logged in with the admin user, you'll notice you can now see and edit the already existing LDAP users; when doing so, there are new images on top that tell which backend is being used for the user.

Guacamole uses all the authentication backends it has to authenticate users; if the same account name exists in two different backends, either of their passwords can be used to log in. This is why we edit the users you intend to grant access to guacamole and check the "login disabled" option, so that all passwords are handled only by NS.

Assign existing connections to users.

Now users can log in with their NS credentials and use the connections assigned to them.

6 Likes

Waiting for guacamole rpm packages; that post looks like a great howto, man! :clap:
Could you please move it to our wiki?

In the evening I plan on posting a howto to install (or update to) 0.9.11, released a few days ago; it comes with a couple more features. Then I'll move it to the wiki.

I'm also testing the docker install method, but I'm currently having problems allowing the container to speak with the local LDAP and MySQL daemons; the NS GUI doesn't handle the docker0 bridge created by docker, and I'll have to work on iptables rules, I guess…

(about that, is there a nethserver-docker or perhaps a nethserver-kubernetes in your plans? :slight_smile: )

Just a question: nethserver packages are built starting from existing rpms and then adding custom code to them, right? Is it possible to create an rpm starting from sources somehow?

Sorry for the silly question, but I'm not really into rpm making :slight_smile:

1 Like

@stephdl is very good at that :slight_smile:

Not yet but we are going to play with docker sooner or later.

Well, to be honest, most of the time I retrieve an rpm from EPEL; maintaining an rpm directly could be a full-time job. However, we could take a look and find a way to build it. For guacamole I believe we can start from the spec file of an older rpm and look at what it appends; otherwise we could start with a spec file from another rpm-based distro.

Perhaps this will help:
https://build.opensuse.org/package/view_file/home:ecsos:server/guacamole-server/guacamole-server.spec

0.9.11

Provides TFA with DUO and improvements to the double authentication backend.

If installed from source, I think the 0.9.10 howto should work just fine by just replacing the files with the ones found here and editing guacamole.properties.

To update from 0.9.10, the following worked:

cd /opt/

# Unpack guacamole-server (the 0.9.11 tarballs are assumed to already be in /opt, as in the 0.9.10 howto)
tar -xzf guacamole-server-0.9.11-incubating.tar.gz
mv guacamole-server-0.9.11-incubating guacamole-0.9.11
rm guacamole-server-0.9.11-incubating.tar.gz
cd guacamole-0.9.11

# Build and install guacd over the previous version
./configure --with-init-dir=/etc/init.d
make
make install
ldconfig

# Replace the web application (war) and the FreeRDP plugin with the 0.9.11 ones
mv /opt/guacamole-0.9.11-incubating.war /var/lib/guacamole/guacamole.war
rm -rf /var/lib/tomcat/webapps/guacamole.war && ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/
rm -rf /usr/lib64/freerdp/guacdr.so && ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/

# Unpack the JDBC (MySQL) and LDAP authentication extensions in a scratch directory
mkdir ~/guacamole && cd ~/guacamole
mv /opt/guacamole-auth-jdbc-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-jdbc-0.9.11-incubating.tar.gz
tar -zxf guacamole-auth-jdbc-0.9.11-incubating.tar.gz
mv /opt/guacamole-auth-ldap-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-ldap-0.9.11-incubating.tar.gz
tar -zxvf guacamole-auth-ldap-0.9.11-incubating.tar.gz

# Install the extension jars, overwriting the 0.9.10 ones
mv guacamole-auth-jdbc-0.9.11-incubating/mysql/guacamole-auth-jdbc-mysql-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-jdbc-mysql.jar
mv guacamole-auth-ldap-0.9.11-incubating/guacamole-auth-ldap-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-ldap.jar

# Upgrade the MySQL schema (prompts for the MySQL root password)
cat guacamole-auth-jdbc-0.9.11-incubating/mysql/schema/upgrade/upgrade-pre-0.9.11.sql | mysql -u root -p guacdb

# Allow logins from existing users only
This will prevent users who do not exist in MySQL from even attempting to log in, instead of giving them an empty guacamole screen with no connections; the "login disabled" option in user settings is no longer needed.

vi /etc/guacamole/guacamole.properties

Add the following line:

mysql-user-required: true

# Cleanup

# Remove the scratch directory and the unpacked tarballs, then restart the services
cd ~ && rm -rf guacamole*
systemctl daemon-reload
systemctl restart guacd.service
systemctl restart tomcat.service

The DUO TFA seems really neat. It's really interesting, as it allows for stronger security when exposing internal machines to the internet: users have to authenticate to guacamole with both LDAP and TFA, and if either fails, access is denied.

If the user has not set it up yet, there's a wizard with QR codes to set it up.

It also supports U2F devices; has anyone tried these USB devices and can offer advice on which to try?

4 Likes
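The two authentication points made above (accounts present in both the LDAP and MySQL backends accept either password, and mysql-user-required: true keeps LDAP-only users out) can be checked against a server's guacamole.properties. The following is an added example, not code from the original posts: a small Python checker that parses the Java-properties syntax Guacamole uses and reports a setup where both backends are configured but mysql-user-required is not true. The property names ldap-hostname, mysql-hostname and mysql-user-required are real Guacamole properties; the two sample files are constructed.

```python
import re

# Constructed sample: an LDAP + MySQL setup as in the thread, before and after the 0.9.11 fix.
SAMPLE_BEFORE = """\
# guacamole.properties (constructed example)
guacd-hostname: localhost
ldap-hostname: localhost
ldap-user-base-dn: ou=People,dc=example,dc=com
mysql-hostname: localhost
mysql-database: guacdb
mysql-username = guacamole
mysql-password = placeholder-password
"""
SAMPLE_AFTER = SAMPLE_BEFORE + "mysql-user-required: true\n"


def parse_properties(text):
    """Parse java.util.Properties syntax: '#'/'!' comments, 'k: v', 'k = v', 'k v',
    and backslash line continuations. Later keys override earlier ones."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            line = pending + line            # leading whitespace of the continued line is dropped
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]              # odd number of trailing backslashes: continues
            continue
        pending = None
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_backends(props):
    """Return findings for the multi-backend situation described in the thread."""
    findings = []
    if "ldap-hostname" in props and "mysql-hostname" in props:
        findings.append("LDAP and MySQL backends both active: an account present in both "
                        "accepts either password unless its MySQL entry has login disabled")
        val = props.get("mysql-user-required", "false").lower()   # Guacamole default is false
        if val not in ("true", "false"):
            findings.append(f"mysql-user-required has a non-boolean value {val!r}")
        elif val == "false":
            findings.append("mysql-user-required is not true: LDAP-only users can still log in "
                            "and get an empty connection list")
    return findings


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check_backends(parse_properties(text)))
```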

Hi Team,

I’ve seen mention of a great app called Guacamole. The official blurb from their website says this:

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
We call it clientless because no plugins or client software are required.
Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.

I installed Guacamole a few years back to try it out, and I thought it was pretty amazing. But I'm sure others are looking at it and wondering how it can be useful and why anyone would want to add it. I thought I would share my plans for our office's use case for it.

We are an assay lab business, so we use special machines at each workstation to help us do our daily work. The machines have a physical/hardware component and run using software. Rarely does the hardware fail, so if there are issues it's usually with the setup in the software.

All of our workstations that run the software for these machines are locked down from Internet access at our gateway. They are almost like dumb terminals in that they are always running and logged in with a generic account, so an operator can go to any workstation and use it. This is a really quick overview of our operation, so I'm skipping a lot of detail, but you get the idea of our setup now.

All our workstations have VNC Server installed on them, so I can remote into the office via VPN to assist. There is no access to any of these workstations from outside unless I've granted VPN access.

Our vendors do provide remote support via the Internet, but with all workstations locked down they cannot automatically remote in and assist when an operator requires help. I have provided VPN access to our vendor (and only allowed them access to the workstations they need to get to), but then our vendor needs to have a list of IPs for each workstation. It works but is kind of messy.

This is where I see Guacamole can help. By serving up a webpage and creating a user account for our vendor, I can display the workstations they can have access to. They can use VNC to look over our operators' shoulders and assist. I still prefer to use VPN access, as I don't want to leave the Guacamole page open for hackers to try and break in. But for a short period of time I suppose I could expose the Guacamole webpage to the Net for the duration of the vendor's support. It's always best to be careful, so VPN is very important to me and our office. :slight_smile:

If others have a use case for Guacamole they would like to share I’d like to hear it!

Thanks.

I have just added your post here; I think that it's the right place.
Thanks for your thoughts. I think that Guacamole is a GREAT package; sadly it's not so straightforward to install it as an rpm, as you can see above.

1 Like

Thanks @alefattorini for putting my post in the right location.

I'm still getting my head around the requirements with regard to adding new modules. Is there a document, or would someone be able to list for me what is needed from an app before it would be considered for nethserver? It sounds like an .rpm file is a must. Anything else you look for?

Thank you.

I've found an .rpm for guacamole-common for Fedora. Would this be of any help for someone with the knowledge to build off of for Guacamole on NS?

You have a guacamole rpm in EPEL for CentOS 7; it could be a good starting point also.

I was trying to find a solution for people to access RDP sessions with zero config and no installation files.
First I solved it by implementing sslexplorer, until I found out about Guacamole.

I would like to share my experience about that.
Compiling it on CentOS or Ubuntu is not an issue at all; there is no need for Docker, as some posts advise.
The trick about guacamole is that it's best integrated into Nextcloud rather than exposed to the public internet.

What I did: downloaded and compiled guacamole from source.
Then inside Nextcloud I pointed to it with an external site link (however, I used its private IP address).
So now guacamole and its ports 8080 and 443 are not exposed to the outside world; hence no one can access it directly.

The only problem I have is solving the issue of the certificate pointing to a private IP.

1 Like

How does the external site work when accessing Nextcloud from outside using its FQDN? Does it just embed guacamole's page inside Nextcloud (meaning that page has to be directly reachable by the user, i.e. you still have to open tomcat port 8080 to the outside world to make it work), or does it work like a reverse proxy?

Also check this out: the next release will add an HTTP authentication header module, which could be helpful when giving a user access to their desktops when that user has already been authenticated by a different service (Nextcloud, an authenticated reverse proxy, etc.).

@edi

Guacamole is working fine; however, there is a need to port forward 443.
There is a way to avoid exposing the guacamole server to the public net.

I am launching a community request to develop two simple apps for Nextcloud:
one for FreePBX WebRTC and one for Guacamole.
@alefattorini, could you please create a thread for that request?

1 Like

I agree @ghost, guacamole really needs to be added to nethserver… Where did your community request to develop your two apps go? I don't see a continuation of this thread. I hope it's not dead. :slight_smile:

@alefattorini, that bounty that you created… I'm guessing it's still open? I'm not a developer, so sadly I can't create the package nethserver needs… but I'm more than willing to help with testing.

How close are we to having guacamole integrated into nethserver… or is it best to just use the excellent instructions from this thread (thanks @edi and @Adam!)?

1 Like

@greavette I hear you well.
Unfortunately my request did not get @alefattorini's attention.
I am not a developer either; however, I am willing to contribute!
I just upgraded to 0.9.12 (credits to Chase Wright, https://www.chasewright.com/guacamole-upgrade/ ) and it looks even nicer, with a very bright resolution with RDP. It will be a pity to leave this nice jewellery out of Nethserver.
Back to you @alefattorini

1 Like

I’ll pull an @alefattorini and say…

C’mon team…let’s get this implemented into Nethserver!

But seriously… how close are we to having this module installed? From what I read, there is an older version of the rpm from EPEL available? What if Nethserver added that older version to the Software Center and provided command line instructions on how to update it? At least that would allow people to use/try out Guacamole until such time as the Nethserver team decides whether they want to create/maintain a more recent rpm version. Just a suggestion…

@greavette @alefattorini
Two threads created.

1 Like

I've been using Guacamole for a while now and I like this package. At my secondary school (where I work as system/network administrator) I use it to get a "working from home" environment. The only thing the employees must have is an HTML5 browser.
Now I'm working on a project with Guacamole. I want to create a solution for people whose PC has crashed and who have to get back to work really soon. They can boot with PXE into a Linux environment that starts Chromium with a connection to a Guacamole server. Because it all runs from memory and not from the hard disk, you can push an image to that hard disk. (video: https://www.youtube.com/watch?v=pPbTfJk0GmQ)
So I think Guacamole is a very good product, and I think it's really good to add it to nethserver.

3 Likes

Hi @FMFREAK,
Great to see you here in our forums. We can surely use your experience with Guacamole to make it an integrated module for NethServer.
Can you tell us a bit more about the technical details of how you managed to get things done on your project?

1 Like