On Wed, Apr 8, 2020 at 1:17 PM WhiteTiger <whitetiger_it...@yahoo.it.invalid> wrote:
> Forgive me, but I still don't understand.
> I understand that on *my PC* the browser is enough for me and that Guacamole
> will correctly manage the routing protocol.

Sorry, I misunderstood that when you said the "client PCs" you meant the systems accessing Guacamole.

> But what is there *on the user's PC* that I want to control remotely?
> If I want to connect to a Windows PC with RDP, I have to enable it in the
> Windows settings *of that PC*.

Correct.

> If I want to connect to a Linux PC via SSH, I have to enable the SSH server
> *on that PC*.

Yes

> I therefore believe that if I want to connect via VNC I still have to
> install or activate something on that PC.

Yes, if you want to connect to a system using the VNC protocol, you need a VNC server of some sort on that system. This will vary widely based on what your target system is. For example, Mac OS X has a VNC server built into it that you just need to activate in the System Preferences area (I think they call it Remote Control or something like that). For Windows, you would need to install a VNC server (UltraVNC or RealVNC, for example). For Linux, there are several different options for VNC depending on what you're trying to accomplish. In short, there's not really any one answer to this - the steps to activate VNC on a target system ("server") depend upon the target.

> On my no, but on others?
> This is the question.

Makes sense, now.

> Linked to this question there is a second one.
> How do I manage access to that PC?
> Because I would like to get there on that PC only if I know the credentials
> of that PC, it is not enough for me to know that of Guacamole.
> In my idea, Guacamole will have multiple users and each of these will see
> *only* a list of PCs on which he can access.
> Every time a user connects to Guacamole, he will have to type his username
> and password to see a list of PCs then appear.
> Multiple users can access the same PC, only if all these users are
> authorized.

Yes, Guacamole is already set up to do this - particularly if you use the JDBC module, you can set up connections and provide users and/or groups with access to certain systems. You can also either store the credentials or pass through the username and password tokens from the Guacamole login to the remote system. The LDAP authentication extension also provides ways to use the security built in to LDAP to control what connections users can see and access. Please start by looking at the manual and familiarizing yourself with the configuration of those modules:

http://guacamole.apache.org/doc/gug/

> But then, once the user takes remote control on a PC, for example named
> PC01, he will have to use his credentials *on that PC*.
> In other words, JSmith and Administrator users can access PC01.
> But the JSmith user will not be able to do the same things as
> Administrator.
> For this, when logging in, each of the two will have to enter their
> username and password.
>
> VNC, if I remember correctly, does not allow access to the PC with
> credentials.
> If I am at the login screen of the PC, then I have to type them.
> But if a user is already active on the PC, who takes remote control is
> already inside the PC, even if Administrator is active on the PC, but who
> takes remote control is JSmith.

I think I see what you're saying - basically, VNC is just mirroring the remote screen, it does not provide any method of controlling authorization to a particular user session if someone connects over the VNC protocol, whereas RDP performs both the authentication (allowing the user to connect with the correct credentials) and the authorization (only giving the user who logs in access to the resources that belong to them). Unfortunately, this isn't something that Guacamole can necessarily solve for you - this is really more a function of how VNC operates as a protocol.

In order to "solve" this with VNC you would need to provide each user that logs into Guacamole with a separate VNC connection that is unique to them, and make sure that Guacamole only allows each user to access his or her own connection. There may be some VNC implementations that work around this - I think the Mac VNC implementation tries to do this by "locking" the screen after each connection drops so that a user has to log in with VNC and then log on to the desktop, but it isn't part of the standard VNC protocol or implementation.

-Nick
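
Added example, not part of the original message and not the Guacamole project's own configuration: the per-user connection lists, RDP credential pass-through and one-VNC-connection-per-user arrangement discussed above, written for Guacamole's default file-based `user-mapping.xml` rather than the JDBC module. Host names, ports, passwords and the existence of a separate VNC server instance per user on PC02 are assumptions made for illustration.

```xml
<!-- user-mapping.xml: constructed example; every host, port and password is a placeholder -->
<user-mapping>

    <!-- JSmith sees only the connections listed inside this block -->
    <authorize username="JSmith" password="CHANGE-ME-guac-jsmith">

        <!-- RDP: the Guacamole login is passed through as tokens, so PC01
             itself authenticates JSmith and gives him only his own session -->
        <connection name="PC01 (RDP)">
            <protocol>rdp</protocol>
            <param name="hostname">pc01.example.net</param>
            <param name="port">3389</param>
            <param name="username">${GUAC_USERNAME}</param>
            <param name="password">${GUAC_PASSWORD}</param>
        </connection>

        <!-- VNC: the protocol has no per-user login, so JSmith is given his
             own VNC server instance (assumed to listen on port 5901) -->
        <connection name="PC02 (VNC, JSmith)">
            <protocol>vnc</protocol>
            <param name="hostname">pc02.example.net</param>
            <param name="port">5901</param>
            <param name="password">CHANGE-ME-vnc-jsmith</param>
        </connection>
    </authorize>

    <!-- Administrator gets the same PC01 entry (tokens resolve to his own
         login) but a different VNC instance that JSmith is never shown -->
    <authorize username="Administrator" password="CHANGE-ME-guac-admin">
        <connection name="PC01 (RDP)">
            <protocol>rdp</protocol>
            <param name="hostname">pc01.example.net</param>
            <param name="port">3389</param>
            <param name="username">${GUAC_USERNAME}</param>
            <param name="password">${GUAC_PASSWORD}</param>
        </connection>
        <connection name="PC02 (VNC, Administrator)">
            <protocol>vnc</protocol>
            <param name="hostname">pc02.example.net</param>
            <param name="port">5902</param>
            <param name="password">CHANGE-ME-vnc-admin</param>
        </connection>
    </authorize>
</user-mapping>
```

The token pass-through on PC01 only works when each user's Guacamole username and password match an account on that PC; otherwise leave the two parameters out and the user is prompted at the RDP login.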