On Mon, Nov 26, 2018 at 2:02 PM ssat <ssatp...@zededa.com> wrote: > Hello, > > I am looking to place guacd behind a NAT network as that looks to be the > only way to gain a VNC connection to my destination VMs. This naturally > introduces a challenge in maintaining the connectivity between > guacamole-client cloud layer and guacd. The environment restrictions local > to guacd dictate that I cannot directly expose the IP address/port of guacd > to the outside world. >
It might be useful in helping you determine the best way to deploy this if you provide either a network diagram or some more detail on exactly where the VMs you're trying to connect to are located, where the users will be, etc. Some items that might help fill in the blanks: - Are the VMs you're trying to provide access to on an internal/private/firewalled network, or are they accessible via the Internet (or both)? - Are the users of the Guacamole system accessing it via the Internet, an internal private network, or both? - Do you already have a DMZ in your configuration? Is the system hosting (at least) the Guacamole Client on this DMZ? - Are you installing Guacamole Client and guacd on the same system, or independent systems? It is generally true that you don't want to expose guacd to the entire outside world (Internet, or any untrusted network). But, the exact details of how you'd implement the configuration in your setup depend a lot on the architecture of your network and what you're trying to do. > > My question is two-fold: > - I was wondering if there are any known best practices or recommended > deployment topologies to make this work? Are there any known experiences of > making a reverse ssh-like setup work successfully to support the websocket > connections between guacamole-client & guacd? > I'm not entirely sure what you mean by "reverse ssh-like setup," here? Are you talking about having "guacd" dial back to the Guacamole Client to establish the connection? Or something like VNC's reverse connection, where the VNC Client listens and the server then dials back to establish the connection? I don't really think this is necessary, and there's no way to do it, currently. There is an enhancement JIRA issue opened for doing mutual TLS authentication between the Guacamole Client and Server, which I believe would address some of the concern of running Guacamole Client and guacd across an untrusted network. > > - Are there any long term plans to support a reverse connection setup > assuming users take responsibility of making available a messaging > mechanism > to inform guacd of a connection to be setup? > If I understand what you're asking for, then I believe the answer is no, there are no plans, nor do I see a ton of value in it. Perhaps you can explain further what you mean and why you think this will help address security concerns specific to your scenario? -Nick
