Thanks Nick, I will try playing with guacd.

On Tue, Mar 20, 2018 at 9:02 AM, Nick Couchman <[email protected]> wrote:

> On Mon, Mar 19, 2018 at 2:19 PM, R <[email protected]> wrote:
>
>> Nick, thanks for getting back on this.
>>
>> Just to make it simpler. Let's say I have a VPN concentrator in the cloud
>> and it has the tunnel to other customers. Now I want to have Guacamole
>> installed on a server in the cloud and have a client talk to that VPN
>> concentrator (which is also in the cloud), and that client (on the Guacamole
>> server) will have a connection to that VPN concentrator and tell it to
>> establish the rdp/ssh session and pass that session over to the user browser.
>>
>> User Browser -->[Guacamole Server-->Client]-->VPN Concentrator
>>
>
> So, slight clarification in the traffic flow to make sure I understand:
>
> User Browser -> Guacamole Client -> guacd (Guacamole Server) -> VPN Client
> -> VPN Concentrator -> RDP/SSH/VNC Host
>
> I gather from your original question that what you're trying to do is
> automate the "VPN Client -> VPN Concentrator" portion of this - that is,
> when a connection is attempted from guacd to RDP/SSH/VNC, something on the
> system is able to automatically "know" that that connection needs to cross
> a VPN boundary, and it establishes that VPN tunnel in order to make the
> connection happen. Correct?
>
> My very first question would be: Why can't the VPN tunnel be persistent?
> I'm not familiar with CASB, but it seems like you'd want to set up a
> persistent connection between the guacd host and the VPN concentrator in
> some fashion that enables the guacd -> RDP/SSH/VNC connections to happen
> very quickly. The top two reasons I would cite for this would be logistics
> (ease of making it happen) and how quickly the connection happens.
>
> Logistically, detecting and establishing the VPN tunnel is more an O/S
> issue than it is a Guacamole Server issue. You'd need some way, on the
> operating system, to detect that a connection was being attempted to a host
> that is known to be on the other side of a VPN, and you'd need a way to
> start that connection up, with some set of pre-defined credentials. All of
> this would need to happen at the TCP/IP stack layer, and isn't really the
> concern of Guacamole/guacd. You could probably write something in either
> guacd or into a Guacamole Client extension that accomplishes this for you,
> but why? Again, why not just have a persistent VPN tunnel? I have a
> feeling that the answer for your scenario may lie in how CASB actually
> functions, but, again, I'm not familiar with it, so taking the simplified
> approach above I'd push for a persistent VPN tunnel.
>
> As far as how quickly the connection happens, the process of establishing
> a VPN tunnel usually takes several seconds to accomplish, and if you rely
> on something detecting this guacd connection and establishing the tunnel,
> there's going to be a delay for guacd and for the end user, which raises
> the risk of a timeout during the connection. It isn't that it makes it
> impossible, just something else to consider when trying to automate this
> process - making sure that timeouts in Guacamole are high enough to handle
> this, and that users' expectations are properly aligned.
>
> -Nick
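Even with the persistent tunnel Nick recommends, the operator of the guacd host still wants to know, before guacd reaches out to an RDP/SSH/VNC target, that the target is one that must traverse the VPN and that the tunnel carrying it is actually up; otherwise a down tunnel can turn into a connection attempt that either times out or, if a default route exists, leaves the host in the clear. The following is an added example written for this thread, not code from the thread's authors or from the Guacamole project. It assumes a static, constructed table mapping destination prefixes to the tunnel interface (tun0, tun1, ...) that must carry them, and reads interface state from /sys/class/net/<iface>/operstate on Linux; the prefixes, interface names and the `check_connection` helper are all hypothetical.

```python
"""Pre-connect readiness check for a guacd host with persistent VPN tunnels.

Added example, not part of the mailing-list thread or the Guacamole project.
Assumptions (hypothetical): a static prefix -> tunnel-interface table and the
Linux /sys/class/net/<iface>/operstate files for tunnel state.
"""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Constructed routing policy: destination prefixes that live behind the VPN
# concentrator, and which tunnel interface on the guacd host must carry them.
VPN_BOUND_PREFIXES = {
    ipaddress.ip_network("10.50.0.0/16"): "tun0",     # customer A site
    ipaddress.ip_network("10.50.200.0/24"): "tun2",   # customer A DMZ, separate tunnel
    ipaddress.ip_network("172.20.8.0/22"): "tun1",    # customer B site
}


def required_tunnel(host: str) -> Optional[str]:
    """Return the tunnel interface a destination must use (longest-prefix match),
    or None when the address is not behind any VPN and may be reached directly."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, iface in VPN_BOUND_PREFIXES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def read_operstates(ifaces: Iterable[str]) -> Dict[str, str]:
    """Read the kernel's operational state for each interface.
    Missing interfaces (tunnel daemon not running) are reported as 'absent'."""
    states: Dict[str, str] = {}
    for iface in ifaces:
        try:
            with open(f"/sys/class/net/{iface}/operstate") as fh:
                states[iface] = fh.read().strip()
        except FileNotFoundError:
            states[iface] = "absent"
    return states


def check_connection(host: str, operstates: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a guacd connection to `host` should proceed.

    Returns (ok, reason). A host behind the VPN is only cleared when its tunnel
    interface reports 'up'; a direct host is always cleared. The operstates map
    is passed in so the decision can be exercised with constructed data."""
    iface = required_tunnel(host)
    if iface is None:
        return True, f"{host}: direct route, no tunnel required"
    state = operstates.get(iface, "absent")
    if state != "up":
        return False, f"{host}: requires {iface} but it is {state}; not connecting"
    return True, f"{host}: tunnel {iface} is up"


if __name__ == "__main__":
    # Live usage on the guacd host: read real tunnel state, then evaluate targets.
    live = read_operstates(set(VPN_BOUND_PREFIXES.values()))
    for target in ("10.50.3.7", "10.50.200.9", "172.20.9.1", "192.168.1.5"):
        ok, reason = check_connection(target, live)
        print(("OK   " if ok else "BLOCK"), reason)
```

Run it as a cron or monitoring check on the guacd host to alert before users hit the timeout Nick describes; the same `check_connection` logic can be fed constructed state maps to test the policy table without touching the kernel.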
