Thanks!

On Mon, Jan 20, 2020, 12:21 PM Adam Woodland <[email protected]> wrote:

> Just to add, there are tools you should use to periodically check the
> security of the application interface of the reverse proxy, for example:
>
> https://www.ssllabs.com/ssltest/analyze
> https://securityheaders.com/
>
> You should be aiming to get A (or better) in both those. Both sites have
> info on how to improve your score and you also have https://cipherli.st/ on
> how to set the relevant TLS settings for whatever your front-end is.
>
> There is https://observatory.mozilla.org/ which wraps the above tool
> functions into a single interface (although I personally find it a little
> hit and miss with returning useful results)
>
> This is on top of hardening the host machine too. No point securing the
> host if you don't secure the application, and vice-versa.
>
> Adam
>
> On Mon, Jan 20, 2020 at 5:26 PM Mike Jumper <[email protected]> wrote:
>
>> On Sun, Jan 19, 2020 at 11:00 PM gabriel sztejnworcel <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> We would like to expose Guacamole to the internet to allow remote access to
>>> internal RDP servers, without a VPN.
>>
>> That's what Guacamole is designed for.
>>
>>> Assuming we have a strong authentication mechanism, is this a valid use
>>> case?
>>
>> Yes. It's the *intended* use case. A VPN in front of Guacamole is
>> superfluous. You do not need to hide Guacamole behind a VPN.
>>
>>> Are there any special security considerations? Any specific hardening?
>>
>> Use proper HTTPS. This is generally done using SSL termination with a
>> reverse proxy like Nginx or Apache. Do not allow access via unencrypted
>> HTTP. It's also advisable to ensure that all access must go through
>> Guacamole, so that the remote desktops on your network have a single,
>> central, secured point of entry.
>>
>> - Mike
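
The HTTPS termination described in the thread, sketched as an Nginx configuration. This is an added example, not part of the thread and not Guacamole's own configuration; the hostname, certificate paths, and backend address (Tomcat listening only on 127.0.0.1:8080) are assumptions.

```nginx
# Added example. guac.example.com, the certificate paths and the backend
# address are placeholders (assumptions), not values from the thread.

# Plain HTTP is never served: every request is redirected to HTTPS.
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

# TLS is terminated here; Guacamole itself is reached only through this proxy.
server {
    listen 443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/nginx/tls/guac.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/guac.example.com.key;

    # Modern protocol versions only; TLSv1.3 needs an nginx/OpenSSL build
    # that supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;

    # Response headers of the kind the header-scanning sites look for.
    # "always" also applies them to error responses.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "no-referrer" always;

    location /guacamole/ {
        # Assumption: the servlet container is bound to loopback only, so
        # this proxy is the single point of entry.
        proxy_pass http://127.0.0.1:8080/guacamole/;

        # The Guacamole tunnel streams continuously; buffering would stall it.
        proxy_buffering off;

        # Required for the WebSocket tunnel upgrade.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Pass the real client address to the backend for its logs.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Validate with `nginx -t` before reloading, then re-run the scanners named in the thread against the public hostname.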
