Apache Guacamole

Architectural notes

Apache Guacamole is a clientless remote access gateway. It is used from any HTML5-capable browser to reach hosts over protocols such as RDP, SSH, and VNC, which makes it well suited to accessing cloud-hosted desktops without exposing the hosts' own remote access ports. It also supports multiple authentication methods, such as RADIUS, CAS, LDAP, and database-backed accounts. The best part is that it's free and fully open source.

In my deployment, I used MariaDB, coupled with Duo for two-factor authentication. Although the core server components can all be housed in one VM, I decided to further segment them for security purposes. After all, this server will be a gateway to nearly all of my internal machines, so skimping on security is not an option.

My deployment consists of four separate VMs.

  • Nginx (HTTPS reverse proxy in front of the web application, for remote access)
  • Tomcat server (front end, hosting the Guacamole web application)
  • guacd server (back end; this is the proxy between your machines and the front end server)
  • MariaDB server (used for authentication)

Tomcat and Nginx are both located in the DMZ, while guacd and MariaDB reside in a common server subnet. This allows me to use stricter rules for traffic between the DMZ and the LAN subnets: the only flows that need to be permitted from the DMZ into the LAN are the two the Tomcat host initiates, to guacd and to MariaDB.

The Tomcat server uses the Guacamole protocol on port 4822 to communicate with the guacd server. It also uses the standard MySQL/MariaDB port 3306 to authenticate users and access the database. Note that guacd performs no authentication of its own; authentication is entirely the web application's job, so nothing other than the Tomcat host should be able to reach port 4822.
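To make concrete what actually crosses the DMZ-to-LAN boundary on port 4822, and why that port must be reachable only from the Tomcat host, here is an encoder and incremental parser for the Guacamole protocol together with the client side of the connection handshake. This is an added example written for this page; it is not code from the original post or from the Apache Guacamole project. The wire format (length-prefixed elements separated by commas, instructions terminated by a semicolon, lengths counted in Unicode characters) and the select/args/connect handshake follow the published protocol; the client version string, the sample connection parameters and the 192.0.2.10 target address are constructed for illustration.

```python
"""Guacamole protocol (the guacd side, 4822/tcp) encoder, parser and handshake.

Wire format: an instruction is a comma-separated list of elements ending in ';'.
Each element is LENGTH '.' VALUE, where LENGTH is the number of Unicode
characters in VALUE. Because values are length-prefixed, commas, semicolons
and periods inside a value need no escaping.
"""

from typing import Dict, List, Optional, Sequence

# Assumed client version string; a real guacamole-client sends its own.
CLIENT_VERSION = "VERSION_1_3_0"


def encode(opcode: str, *args: str) -> str:
    """Encode one instruction, e.g. encode('select', 'vnc') -> '6.select,3.vnc;'."""
    return ",".join(f"{len(e)}.{e}" for e in (opcode, *args)) + ";"


class InstructionParser:
    """Incremental parser: feed() arbitrary socket chunks, get complete instructions.

    Data may arrive split mid-element, so unconsumed text is kept between calls.
    """

    def __init__(self) -> None:
        self._buf = ""

    def feed(self, chunk: str) -> List[List[str]]:
        self._buf += chunk
        out: List[List[str]] = []
        while True:
            parsed = self._try_parse_one()
            if parsed is None:
                return out
            out.append(parsed)

    def _try_parse_one(self) -> Optional[List[str]]:
        buf, pos, elems = self._buf, 0, []
        while True:
            dot = buf.find(".", pos)
            if dot < 0:
                return None  # length prefix not complete yet
            length_str = buf[pos:dot]
            if not length_str.isdigit():
                raise ValueError(f"bad length prefix {length_str!r}")
            start = dot + 1
            end = start + int(length_str)
            if end >= len(buf):
                return None  # value or its terminator not received yet
            elems.append(buf[start:end])
            term = buf[end]
            if term == ",":
                pos = end + 1
                continue
            if term == ";":
                self._buf = buf[end + 1:]  # consume exactly one instruction
                return elems
            raise ValueError(f"expected ',' or ';' after element, got {term!r}")


def handshake_after_args(args_instruction: Sequence[str], params: Dict[str, str],
                         width: int = 1024, height: int = 768, dpi: int = 96) -> List[str]:
    """Client instructions that follow guacd's 'args' reply to 'select'.

    args_instruction is the parsed reply, e.g. ['args', 'VERSION_1_3_0',
    'hostname', 'port', ...]. The 'connect' arguments are positional and must
    match that order; the version element is echoed back with the client's
    version, every other name is looked up in params (empty if unset).
    Nothing here identifies or authenticates the caller: any process that can
    reach 4822 can ask guacd to open a session to any host with any credentials.
    """
    if not args_instruction or args_instruction[0] != "args":
        raise ValueError("expected an 'args' instruction from guacd")
    values = [CLIENT_VERSION if name.startswith("VERSION_") else params.get(name, "")
              for name in args_instruction[1:]]
    return [
        encode("size", str(width), str(height), str(dpi)),
        encode("audio"),              # no audio mimetypes offered
        encode("video"),              # no video mimetypes offered
        encode("image", "image/png"),
        encode("connect", *values),
    ]


if __name__ == "__main__":
    # Simulated exchange; guacd's reply is a constructed sample, not a capture.
    parser = InstructionParser()
    print("client ->", encode("select", "vnc"))
    reply = "4.args,13.VERSION_1_3_0,8.hostname,4.port,8.password;"
    args = parser.feed(reply)[0]
    print("guacd  ->", args)
    for line in handshake_after_args(args, {"hostname": "192.0.2.10",
                                            "port": "5900", "password": "secret"}):
        print("client ->", line)
```

The parser deliberately handles a chunk boundary in the middle of a length prefix or value, which is the case a naive split-on-semicolon implementation gets wrong, and the round trip of a value containing `,`, `;` and `.` shows why the protocol needs no escaping.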

I’ve used Apache Guacamole for a few months now. RDP connection quality through Guacamole is comparable to the Microsoft client, which is surprisingly smooth considering the technology being used. VNC is also faster than other clients I’ve used, specifically X2Go. You may toggle between machines seamlessly without closing the existing connections by using the Ctrl+Shift+Alt key combination. Access to machines can also be controlled on a per-account or per-group basis, so you can organize user access according to the principle of least privilege.

I look forward to seeing what else the Apache Guacamole team is going to bring to this project. It has made work easier for me thus far, and I support anything that makes work easier!