Hello,

Apologies if this may not be the correct place to ask this, I've not raised a 
query for Apache Guacamole before and I've not been able to find answers to my 
questions on forums or other posts.

Scenario:

  *   Dockerised deployment with 3 containers, one for guacamole, guacd and
      MySQL respectively. All 3 containers are linked and functional.
  *   Additional mods - TOTP
  *   MySQL and TOTP properties specified in start.sh
  *   Apache reverse proxy with proxy pass in front of the guacamole container.
  *   Local Apache Guacamole accounts stored in MySQL
  *   Connection information stored within MySQL
  *   A connection to connect to a Windows Server 2016 Standard VM (domain
      joined). Connection is configured with a virtual drive to upload/download
      files through the browser session.

Questions:

  1.  How is the virtual drive mapped between the Guacamole instance and the
      Windows server it connects to, and which credentials are used to handle
      this? I've logged into Guacamole using the guacadmin account, clicked on
      the configured connection and before I've even authenticated to the
      Windows server with domain credentials, I'm able to open the menu with
      Ctrl + Shift + Alt and upload/download files to the Windows server
      without specifying any credentials.
  2.  Is there any way to restrict upload/download access so that it's only
      possible to handle files after authenticating to the Windows server?
  3.  Aside from the information stored in Apache httpd logs, is there a better
      way to handle logging for file transfers? We need this for audit purposes.

I also have a second Guacamole environment set up which used OpenID Connect
against Azure AD to provide authentication and MFA - this environment has the
same issue with access to virtual drives being granted before authenticating to
the backend Windows server. Although this may be partly expected, due to
authentication tokens being generated with OAuth/OpenID Connect, I do not have
credential passthrough configured with parameter tokens (it doesn't work
properly - credentials are passed through when enabled but authentication
fails, even though the credentials should be correct) so I would expect that
the virtual drive would not be connected before authenticating to the server.

I appreciate the above may be a lot to respond to but having spent a few weeks 
trying to find this information myself, I've not had any luck.

Thanks,
Himat
