On Mon, Mar 19, 2018 at 2:19 PM, R <[email protected]> wrote:
> Nick, thanks for getting back on this.
>
> Just to make it simpler. Let's say I have a VPN concentrator in the cloud and
> it has the tunnel to other customers. Now I want to have Guacamole
> installed on a server in the cloud and have a client talk to that VPN
> concentrator (which is also in the cloud), and that client (on the Guacamole
> server) will have a connection to that VPN concentrator and tell it to
> establish the rdp/ssh session and pass the session over to the user browser.
>
> User Browser -->[Guacamole Server-->Client]-->VPN Concentrator

So, slight clarification in the traffic flow to make sure I understand:

User Browser -> Guacamole Client -> guacd (Guacamole Server) -> VPN Client -> VPN Concentrator -> RDP/SSH/VNC Host

I gather from your original question that what you're trying to do is automate the "VPN Client -> VPN Concentrator" portion of this - that is, when a connection is attempted from guacd to RDP/SSH/VNC, something on the system is able to automatically "know" that that connection needs to cross a VPN boundary, and it establishes that VPN tunnel in order to make the connection happen. Correct?

My very first question would be: Why can't the VPN tunnel be persistent? I'm not familiar with CASB, but it seems like you'd want to set up a persistent connection between the guacd host and the VPN concentrator in some fashion that enables the guacd -> RDP/SSH/VNC connections to happen very quickly. The top two reasons I would cite for this would be logistics (ease of making it happen) and how quickly the connection happens.

Logistically, detecting and establishing the VPN tunnel is more an O/S issue than it is a Guacamole Server issue. You'd need some way, on the operating system, to detect that a connection was being attempted to a host that is known to be on the other side of a VPN, and you'd need a way to start that connection up, with some set of pre-defined credentials. All of this would need to happen at the TCP/IP stack layer, and isn't really the concern of Guacamole/guacd. You could probably write something in either guacd or into a Guacamole Client extension that accomplishes this for you, but why? Again, why not just have a persistent VPN tunnel? I have a feeling that the answer for your scenario may lie in how CASB actually functions, but, again, I'm not familiar with it, so taking the simplified approach above I'd push for a persistent VPN tunnel.

As far as how quickly the connection happens, the process of establishing a VPN tunnel usually takes several seconds to accomplish, and if you rely on something detecting this guacd connection and establishing the tunnel, there's going to be a delay for guacd and for the end user, which raises the risk of a timeout during the connection. It isn't that it makes it impossible, just something else to consider when trying to automate this process - making sure that timeouts in Guacamole are high enough to handle this, and that users' expectations are properly aligned.

-Nick
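A concrete way to realise the persistent guacd -> VPN Concentrator leg that Nick recommends, as an added example that is not part of the original thread: a WireGuard client configuration on the guacd host. WireGuard itself is an assumption (the thread names no VPN product), as are the interface name, the concentrator endpoint, the key placeholders and the customer subnets.

```ini
# Added example, not from the thread: keep the guacd -> concentrator tunnel
# up permanently so RDP/SSH/VNC connections never wait on a VPN handshake.
# WireGuard is assumed; every address, key and subnet below is a placeholder.
# File: /etc/wireguard/wg-concentrator.conf (on the guacd host)

[Interface]
# Tunnel-side address of the guacd host inside the VPN
Address = 10.200.0.2/32
PrivateKey = <guacd-host-private-key-placeholder>
# No ListenPort: the guacd host only initiates; it never accepts inbound handshakes

[Peer]
# The VPN concentrator that fronts the customer networks
PublicKey = <concentrator-public-key-placeholder>
Endpoint = vpn-concentrator.example.invalid:51820
# Route only the customer RDP/SSH/VNC subnets through the tunnel, not all
# guacd host traffic (least exposure if the host is ever compromised)
AllowedIPs = 192.0.2.0/24, 198.51.100.0/24
# Send a keepalive every 25 s so NAT/firewall idle timers never tear the
# tunnel down; the first user connection then does not pay the setup delay
PersistentKeepalive = 25
```

Bring it up at boot with `systemctl enable --now wg-quick@wg-concentrator` (the `wg-quick@` unit ships with wireguard-tools). With the tunnel established at boot and kept alive, the several-second handshake cost Nick describes is paid once at boot rather than on each guacd connection, so Guacamole's timeouts can stay at their defaults; restricting `AllowedIPs` to the customer subnets keeps the guacd host from becoming a general-purpose route into every network behind the concentrator.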
