On Sun, Jan 19, 2020 at 11:00 PM gabriel sztejnworcel <[email protected]> wrote:
> Hi,
>
> We would like to expose Guacamole to the internet to allow remote access to
> internal RDP servers, without a VPN.
>

That's what Guacamole is designed for.

> Assuming we have a strong authentication mechanism, is this a valid use
> case?

Yes. It's the *intended* use case. A VPN in front of Guacamole is superfluous. You do not need to hide Guacamole behind a VPN.

> Are there any special security considerations? Any specific hardening?

Use proper HTTPS. This is generally done using SSL termination with a reverse proxy like Nginx or Apache. Do not allow access via unencrypted HTTP.

It's also advisable to ensure that all access must go through Guacamole, so that the remote desktops on your network have a single, central, secured point of entry.

- Mike
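
An added example, not part of the reply above or the Guacamole project's own configuration: an Nginx setup that terminates TLS in front of Guacamole and never serves it over plain HTTP, as the reply advises. The hostname, certificate paths and the backend address `127.0.0.1:8080` are assumptions.

```nginx
# Added example. Hostname, certificate paths and backend address are
# placeholders/assumptions, not values from the thread.

# Plain HTTP: never proxied to Guacamole, only redirected to HTTPS.
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS: TLS terminates here; Guacamole itself is reached over loopback.
server {
    listen 443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/nginx/tls/guac.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/guac.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to use HTTPS only on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /guacamole/ {
        # Assumed: the servlet container hosting Guacamole listens on
        # loopback only, so this proxy is the only way to reach it.
        proxy_pass http://127.0.0.1:8080;

        # Guacamole streams display data; buffering adds latency.
        proxy_buffering off;

        # HTTP/1.1 plus Upgrade/Connection pass-through for the
        # WebSocket tunnel.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Preserve the client address for Guacamole's logs.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

For the single point of entry mentioned in the reply, the RDP hosts' firewalls would accept RDP connections only from the machine running guacd.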
