Just to add, there are tools you should use to periodically check the security of the application interface of the reverse proxy, for example:

https://www.ssllabs.com/ssltest/analyze
https://securityheaders.com/

You should be aiming to get A (or better) in both of those. Both sites have info on how to improve your score, and you also have https://cipherli.st/ on how to set the relevant TLS settings for whatever your front-end is.

There is https://observatory.mozilla.org/ which wraps the above tool functions into a single interface (although I personally find it a little hit and miss with returning useful results).

This is on top of hardening the host machine too. No point securing the host if you don't secure the application, and vice-versa.

Adam

On Mon, Jan 20, 2020 at 5:26 PM Mike Jumper <[email protected]> wrote:

> On Sun, Jan 19, 2020 at 11:00 PM gabriel sztejnworcel <[email protected]> wrote:
>
>> Hi,
>>
>> We would like to expose Guacamole to the internet to allow remote access to internal RDP servers, without a VPN.
>
> That's what Guacamole is designed for.
>
>> Assuming we have a strong authentication mechanism, is this a valid use case?
>
> Yes. It's the *intended* use case. A VPN in front of Guacamole is superfluous. You do not need to hide Guacamole behind a VPN.
>
>> Are there any special security considerations? Any specific hardening?
>
> Use proper HTTPS. This is generally done using SSL termination with a reverse proxy like Nginx or Apache. Do not allow access via unencrypted HTTP. It's also advisable to ensure that all access must go through Guacamole, so that the remote desktops on your network have a single, central, secured point of entry.
>
> - Mike
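An Nginx front-end that puts the advice from both replies together (TLS termination, no unencrypted HTTP, the headers securityheaders.com checks for, and only the Guacamole path exposed), as an added example that is not from the thread or the Guacamole project; the hostname, certificate paths and the backend address are assumptions:

```nginx
# Added example (not from the thread). Assumptions: Guacamole's Tomcat listens on
# 127.0.0.1:8080, the site is served as https://guac.example.com/guacamole/, and
# the certificate and key live under /etc/ssl/guac/.

# Port 80 exists only to redirect; nothing is served over plain HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name guac.example.com;

    ssl_certificate     /etc/ssl/guac/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/guac/privkey.pem;     # assumed path

    # TLS settings in the spirit of cipherli.st: current protocols only,
    # forward-secret AEAD ciphers, no resumable session tickets.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;

    # Headers securityheaders.com looks for. HSTS makes a browser that has seen
    # this host once refuse plain HTTP to it afterwards. A Content-Security-Policy
    # is left out because the right policy depends on the web app's inline usage.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Anything outside the Guacamole path is refused, so the proxy is not a
    # general gateway to the backend host.
    location / { return 404; }

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080;   # path is preserved, so /guacamole/ reaches Tomcat
        proxy_buffering off;                # Guacamole's HTTP tunnel streams; do not buffer
        proxy_http_version 1.1;             # required for the WebSocket upgrade
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

After reloading, run the ssllabs and securityheaders scans named above against the hostname to confirm the settings took effect end to end.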
