RE: THE NETWORK CONNECTION IS UNSTABLE

2021-09-01 Thread manoj2patil
Thanks Nick.

We are going through your suggestions. On the user side there is no lack of network 
issue; I am also checking the firewall and switches. As per your last point, I am 
disabling ping on that URL server, but to check ping from the user side we 
hit this IP, which is on the same network and same ISP. When this “THE NETWORK CONNECTION IS 
UNSTABLE” message is showing in the browser, there is no huge 
latency and no delay on the network; the server is also running fine with no lack of 
resources.

So please guide us further on how we can make it stable.

From: Nick Couchman  
Sent: Wednesday, August 25, 2021 8:43 PM
To: user@guacamole.apache.org
Subject: Re: THE NETWORK CONNECTION IS UNSTABLE

On Wed, Aug 25, 2021 at 12:56 AM <manoj2pa...@gmail.com> wrote:

> For many days we have been facing the THE NETWORK CONNECTION IS UNSTABLE 
> issue. As per our checking, this message is shown even when there are no drops on 
> the client side or in the traceroute. We see this type of 
> message on the client side daily. I have shared ping and traceroute details for 
> your reference, so I request you to please check this issue on priority and 
> check this issue on the priority.

There isn't much that the people on this list can do to check this issue for 
you. It's your environment, you're going to have to investigate the issues. We 
can provide pointers for what you should look at, but we can't solve this for 
you.

The items to check that could cause this are:

* Unstable network connectivity, where packets are getting dropped between the 
user's browser and the server running Tomcat (Guacamole Client). This is the 
most likely cause.

* High latency on the network connection between user's browser and the Tomcat 
server, where the packets are taking too long to travel between the user's 
browser and the Tomcat server.

* Lack of resources on the server running Tomcat (Guacamole Client), where the 
Tomcat process cannot respond to client requests in a timely fashion. Check the 
load and resource availability on this server, particularly CPU and memory, to 
make sure that it has the resources to process the connections that it is 
servicing.

* Lack of resources on the user's browser, where the browser cannot get 
adequate time to process the connection.

* There could be network equipment between the user and the Tomcat server that 
is delaying traffic, such as an Application or Deep Packet Inspection firewall.

It seems that you've possibly checked the first two, though I do not consider a 
ping and traceroute to be conclusive evidence that the network is operating 
correctly. It is good to verify that, for sure, but doesn't mean that the 
network is not interfering with some traffic (HTTP/HTTPS) and not other traffic 
(ICMP). Also, a couple of other points about your ping/traceroute pictures:

* The ping output you posted covers about 30 seconds of time. In that 30 
seconds, at least one of the pings went from 15-16ms up to 100ms. It's 
impossible to tell from that screenshot you've provided whether that's a single 
occurrence in 1000 pings, or something that's more of a pattern, happening 
every 30 seconds, etc.

* You've provided absolutely no indication of what you're pinging and from 
where. You have a ping going to the IP address 103.115.232.19, but in the photo 
I also see a different URL to another IP. Since the network connection unstable 
message is indicative of connectivity issues between the user's browser and the 
system running Tomcat (Guacamole Client), I would expect to see a ping to the 
IP address where you're accessing Guacamole, from the end user client running 
the web browser.

-Nick
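
Added example (not part of the thread and not Guacamole project code): the reply above points out that a short ICMP ping cannot show whether HTTP/HTTPS traffic is affected or whether a latency spike is a one-off or a pattern. This sketch times HTTP(S) requests over a longer window and checks whether spikes recur at a fixed interval; the URL, function names, thresholds and sample data are assumptions made for illustration.

```python
import http.client
import statistics
import time
import urllib.request


def probe_http(url, count=120, interval=1.0, timeout=5.0):
    """Time `count` GETs of `url` in ms; None marks a failed or timed-out request."""
    samples = []
    for _ in range(count):
        start = time.monotonic()
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                resp.read()
            samples.append((time.monotonic() - start) * 1000.0)
        except (OSError, http.client.HTTPException):
            samples.append(None)
        time.sleep(interval)
    return samples


def summarize(samples, spike_factor=3.0):
    """Report loss, median latency, and whether spikes recur at a fixed interval."""
    ok = [s for s in samples if s is not None]
    median = statistics.median(ok) if ok else None
    spikes = [i for i, s in enumerate(samples)
              if s is not None and median is not None and s > spike_factor * median]
    gaps = [b - a for a, b in zip(spikes, spikes[1:])]
    return {
        "lost": len(samples) - len(ok),
        "median_ms": median,
        "spikes": spikes,
        "periodic": len(gaps) >= 2 and len(set(gaps)) == 1,
    }


def constructed_samples():
    """Constructed data: 15-16 ms baseline, a 100 ms spike every 30th request, one loss."""
    samples = [15.0 if i % 2 else 16.0 for i in range(120)]
    for i in (29, 59, 89, 119):
        samples[i] = 100.0
    samples[40] = None
    return samples


if __name__ == "__main__":
    # Against a live server: summarize(probe_http("https://guacamole.example.net/guacamole/"))
    # (placeholder URL; run it from the end user's machine, not from the server).
    print(summarize(constructed_samples()))
```
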



Re: Locking password view

2021-09-01 Thread Mike Jumper
On Wed, Sep 1, 2021 at 4:29 PM Alejandro Hernandez 
wrote:

> Hello!
>
> I have 2 admins for Guacamole (GUI level, not Linux level).
>
> Outside Guacamole those 2 persons do not share all of their passwords (i.e.
> just one knows the domain admin password).
>
> Using Guacamole one could create a session so the other can use the domain
> admin.
>
> Since both are Guacamole admins, if the user that doesn't know the
> password edits the respective connection, he would be able to see and then know
> such password by simply, easily and quickly pressing the lock icon next to
> it.
>
> May I disable such lock icon? So they are able to enter any password
> anywhere but then unable to see such password so easily...
>
> I know that doesn't make it entirely secure, but in that particular case
> I think it would be enough.
>

No, and you definitely *SHOULD NOT* do this. You should only grant full
admin-level access to users that truly should be able to see and edit
everything. The "administer system" permission is identical in principle to
the root user on Linux systems.

Your options here would be:

   1. Integrate Guacamole with your Active Directory using LDAP and use
   parameter tokens to pass through the user's own credentials, that way no
   credentials are stored:
   https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
   2. Do not grant these users full admin permission, but rather only any
   relevant "create" permissions. They will only be able to see, edit, and
   manage the connections or users that they create. Despite having admin
   access to *their* connections, they won't be able to see or touch the
   connections created by the other.
   3. Separate the systems, giving one admin access to one and the other
   admin access to the other.
   4. Leverage the upcoming vault support, when it's ready:
   https://issues.apache.org/jira/browse/GUACAMOLE-641

Do not grant full admin access to users unless those users truly need and
should have that kind of access. If they shouldn't have that kind of
access, or you feel the need to restrict that access, then that means they
definitely should not be given that level of access.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.
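
Added example (not part of the thread and not Guacamole project code): a read-only audit that lists which connections still store a literal secret instead of a parameter token such as `${GUAC_PASSWORD}`, which is what option 1 above removes. It assumes the database authentication extension's `guacamole_connection` and `guacamole_connection_parameter` tables; an in-memory SQLite database with constructed rows stands in for the real MySQL/PostgreSQL database, and the list of secret parameter names is a selection.

```python
import re
import sqlite3

TOKEN = re.compile(r"\$\{[A-Z0-9_]+\}")  # a parameter token such as ${GUAC_PASSWORD}
SECRET_PARAMS = ("password", "passphrase", "private-key")  # a selection, not exhaustive


def stored_secrets(db):
    """Return (connection_name, parameter_name) for every literal secret stored."""
    rows = db.execute(
        "SELECT c.connection_name, p.parameter_name, p.parameter_value "
        "FROM guacamole_connection_parameter p "
        "JOIN guacamole_connection c ON c.connection_id = p.connection_id "
        "ORDER BY c.connection_name, p.parameter_name")
    return [(name, param) for name, param, value in rows
            if param in SECRET_PARAMS and value and not TOKEN.fullmatch(value)]


def sample_db():
    """Constructed stand-in: SQLite tables with only the columns the audit reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE guacamole_connection (
            connection_id INTEGER PRIMARY KEY, connection_name TEXT, protocol TEXT);
        CREATE TABLE guacamole_connection_parameter (
            connection_id INTEGER, parameter_name TEXT, parameter_value TEXT);
        INSERT INTO guacamole_connection VALUES
            (1, 'dc01', 'rdp'), (2, 'fs01', 'rdp');
        INSERT INTO guacamole_connection_parameter VALUES
            (1, 'hostname', 'dc01.example.net'),
            (1, 'username', 'Administrator'),
            (1, 'password', 'constructed-secret'),
            (2, 'hostname', 'fs01.example.net'),
            (2, 'username', '${GUAC_USERNAME}'),
            (2, 'password', '${GUAC_PASSWORD}');
    """)
    return db


if __name__ == "__main__":
    for name, param in stored_secrets(sample_db()):
        print(f"{name}: '{param}' holds a literal value visible to every administrator")
```
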


Locking password view

2021-09-01 Thread Alejandro Hernandez

Hello!

I have 2 admins for Guacamole (GUI level, not Linux level).

Outside Guacamole those 2 persons do not share all of their passwords 
(i.e. just one knows the domain admin password).


Using Guacamole one could create a session so the other can use the 
domain admin.


Since both are Guacamole admins, if the user that doesn't know the 
password edits the respective connection, he would be able to see and then 
know such password by simply, easily and quickly pressing the lock icon 
next to it.


May I disable such lock icon? So they are able to enter any password 
anywhere but then unable to see such password so easily...


I know that doesn't make it entirely secure, but in that particular 
case I think it would be enough.

Re: Install guacamole precompiled

2021-09-01 Thread Nick Couchman
On Wed, Sep 1, 2021 at 8:06 AM Paula Carboné 
wrote:

> Hello
> Is it possible to compile (make, make install) guacamole server in one
> server, and then move the compiled folder itself into another server? I
> have tried but some files installed in other folders are missing. How can I
> list all the files installed or something in order to copy all of them from
> one server to another?
>

Yes, this is absolutely possible - if you're going to do this, I would
suggest generating a package for whatever Linux distribution you are
running across those servers (deb for Debian, Ubuntu, etc., RPM for SuSE,
RHEL, CentOS, etc.). We don't provide packaging files with the Guacamole
source code, so you'll have to generate these on your own, and there are
plenty of instructions around the Internet on how to do this.

-Nick


Install guacamole precompiled

2021-09-01 Thread Paula Carboné
Hello
Is it possible to compile (make, make install) guacamole server in one
server, and then move the compiled folder itself into another server? I
have tried but some files installed in other folders are missing. How can I
list all the files installed or something in order to copy all of them from
one server to another?
Thanks


Re: PostgreSQL encryption

2021-09-01 Thread Nick Couchman
On Wed, Sep 1, 2021 at 5:17 AM Paula Carboné 
wrote:

> Hi again! I understand, from what I have read in
> https://issues.apache.org/jira/browse/GUACAMOLE-1162 that data encryption
> using a PostgreSQL database is not currently possible.
>

We have determined that encrypting values stored in the database is of
little value unless the key to decrypting them can be stored elsewhere -
otherwise you're just obscuring the credentials, and as long as the
database is properly secured, you add very little value and more overhead
in processing and configuration.


> However, this issue talks about using vaults to store credentials
> https://issues.apache.org/jira/browse/GUACAMOLE-641
> Is it working already or you are just developing it? Can this be used with
> PostgreSQL?
>

It is in development, now - Mike has been working on this. I don't believe
it is fully functional, yet, but is still going through development and
review. Once it is completed I would imagine you can use it with any of the
extensions that store connections. That said, the work that has been done
so far on this is specific to storing credentials in Azure's credential
vault, so if you're asking if you'll be able to use it with only PostgreSQL
and no Azure, the answer is no - it will require some form of external
credential vault.

-Nick


PostgreSQL encryption

2021-09-01 Thread Paula Carboné
Hi again! I understand, from what I have read in
https://issues.apache.org/jira/browse/GUACAMOLE-1162 that data encryption
using a PostgreSQL database is not currently possible. However, this issue
talks about using vaults to store credentials
https://issues.apache.org/jira/browse/GUACAMOLE-641
Is it working already or you are just developing it? Can this be used with
PostgreSQL?
Thanks!
BR