Open only port 443, TLS 1.3 with fallback to 1.2.

Enable the database on Guacamole for connection storage information; it's very secure.

If you would like to see a production demonstration that handles over 20K connections, let me know.

Thank You

Sean Hulbert

Founder / CEO

Work Ph: 925.292.4309

http://www.securitycentric.net/

A Cybersecurity Enablement Company

We don't just run you through the motions; our labs teach you how to think!

System Award Management

CAGE: 8AUV4

AFCEA San Francisco Chapter V.P.

If you have heard of a hacker by name, he/she has failed; fear the hacker you haven't heard of!

Therefore, let him who desires peace prepare for war!!!

Epitoma Rei Militaris

From: Dark Corner [mailto:[email protected]]
Sent: Monday, May 23, 2022 8:57 AM
To: [email protected]
Subject: Re: Access to Guacamole with OpenVPN (behind the Firewall)

Thanks for the reply.
I did not understand your suggestion.
Do you mean that in the firewall I have to direct the 80/443 traffic towards the PC of Guacamole?
What if there is a web server on the network? There isn't, but it could be activated in the near future. In this case I would have to change the ports on Guacamole and tell users that they must use the port in the URL.
Then I have to consider that the IP is dynamic and therefore I still have to use a DDNS.

Finally, it is true that there is an added complication for users, but also for an intruder, who would also have to have access to the VPN credentials.

In case I decide to use OpenVPN, can I install the OpenVPN server on the same server as Guacamole?

On Mon, 23 May 2022 at 17:16, Michael Jumper <[email protected]> wrote:

On Mon, May 23, 2022, 07:53 Dark Corner <[email protected]> wrote:

Guacamole is installed on a PC behind a Zyxel firewall.
Users should connect to Guacamole via VPN and, once logged into Guacamole, log into their PC.
However, the firewall cannot handle multiple VPNs. So, I wish to install OpenVPN, possibly on the same PC used for Guacamole.
To access OpenVPN I would like to open a set of ports on the firewall to the Guacamole PC only, so that it is not necessary to use a VPN on the firewall.

Do you have any suggestions in this regard?

I think it would be far better to not use the VPN at all. Putting a VPN in front of it would just add unnecessary difficulty and complexity for users.

Part of the function of Guacamole is as a VPN replacement. It allows you to let users connect to backend desktops securely and via a browser without needing VPN at all. You should instead:

1) Allow direct access to the Guacamole server only, and only on ports 80 and 443.

2) Set up SSL termination such that access is properly encrypted and HTTP traffic to port 80 is redirected to HTTPS at port 443.

3) Ensure via your firewall and network config that Guacamole is the sole means of access to the desktops on the private network behind Guacamole.

You then have a single, centralized, monitored, and secured point of entry, with access to any particular backend desktop only possible if the admin grants that access.

- Mike
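
A concrete form of Mike's three steps, as an added example that is not from anyone in this thread or from the Guacamole project: an nginx front end that terminates TLS (1.3 with 1.2 as the only fallback, matching the suggestion at the top of the thread), redirects port 80 to 443, and publishes only the /guacamole/ path to the Tomcat instance behind it. The hostname guac.example.com, the certificate paths and the 127.0.0.1:8080 backend are assumptions.

```nginx
# Added example, not from the thread or the Guacamole project.
# Assumes: Guacamole's Tomcat on 127.0.0.1:8080, hostname guac.example.com,
# certificate and key at the placeholder paths below.

server {
    listen 80;
    listen [::]:80;
    server_name guac.example.com;
    # Step 2: plain HTTP is only ever answered with a redirect to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/nginx/tls/guac-fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/guac-privkey.pem;    # placeholder path
    # TLS 1.3 first, 1.2 as the only fallback; 1.0 and 1.1 are refused.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Nothing but Guacamole is published through this entry point (step 1).
    location = / { return 302 /guacamole/; }
    location / { return 404; }

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The remote-desktop stream runs over a WebSocket tunnel.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # Response buffering breaks Guacamole's streaming tunnel.
        proxy_buffering off;
    }
}
```

The firewall half of step 3 stays outside nginx: forward only TCP 80 and 443 from the internet to this host, and forward nothing to the desktops behind it.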