Azure AD access token lifetimes are around 60 minutes by default. You may be able to change this according to https://learn.microsoft.com/en-us/azure/active-directory/develop/configurable-token-lifetimes. I believe until the access token is refreshed, WAP will not pass traffic since the access token is no longer valid.

Application proxy currently does not have support for WebSocket according to https://feedback.azure.com/d365community/idea/8fc692de-bb25-ec11-b6e6-000d3a4f0789. In the event Guacamole cannot use WebSocket, it will fall back to HTTP and you will see the message below. We have a similar setup using Cloudflare Access/Tunnel and it has worked very well for us.

Best regards,
Stephen Cluff, Solution Architect
ecomm911.ca <https://www.ecomm911.ca/>
@EComm911_info <https://twitter.com/ecomm911_info>

From: Dose, Volker <[email protected]>
Sent: Thursday, July 20, 2023 1:50 AM
To: [email protected]
Subject: Guacamole and Microsoft Web Application Proxy

Dear all,

we are using Guacamole 1.4.0 in combination with a MS WAP. This WAP server forces the user to authenticate against AD FS and only after a successful authentication the user gets to Guacamole to work with. Generally speaking this setup works, but we are facing some issues with it:

1. Every 60 minutes the session is disconnected - after pressing F5 the user is able to work, but this is a bit annoying. Catalina.out shows a line like this:

   17:08:13.871 [main] INFO o.a.g.rest.auth.HashTokenSessionMap - Sessions will expire after 60 minutes of inactivity.

   But the session breaks even if the user is active all the time.

2. We can upload files to the TRANSFER drive, but download does not work - only for files with 0 bytes.

3. WebSocket does not work at all, Catalina.out shows this:

   16:59:40.785 [http-nio-8080-exec-15] INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.

Does anybody have a similar setup? Can someone guide me in the right direction? I'm a bit out of ideas right now.

Best regards
Volker Dose
IT-Infrastruktur
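To tell the two failure modes discussed above apart from a single probe, the following added example (not code from either message or from the Guacamole project) builds the WebSocket upgrade handshake a Guacamole client sends and classifies the proxy's answer: a genuine 101 with the correct Sec-WebSocket-Accept, a redirect to the login page (token or session gone), or a plain HTTP answer (upgrade not passed through, so Guacamole falls back to the HTTP tunnel). The `/guacamole/websocket-tunnel` path and the three response samples are assumptions constructed for the example.

```python
import base64
import hashlib

# GUID fixed by RFC 6455; a server that really completes the upgrade must hash the
# client's Sec-WebSocket-Key with it and echo the result in Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Sample key taken from the RFC 6455 handshake example.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="

def expected_accept(client_key: str) -> str:
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def upgrade_request(host: str, client_key: str, path: str = "/guacamole/websocket-tunnel") -> bytes:
    """The handshake a Guacamole client sends when it probes for a WebSocket tunnel (path assumed)."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {client_key}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").encode("ascii")

def parse_response(raw: bytes):
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return status, headers

def classify_upgrade(raw: bytes, client_key: str) -> str:
    """websocket: upgrade passed through; auth-redirect: proxy bounced us to its login page
    (session/token no longer valid); http-fallback: plain HTTP answer, which is when
    Guacamole logs 'Using HTTP tunnel (not WebSocket)'."""
    status, h = parse_response(raw)
    if status == 101:
        ok = (h.get("upgrade", "").lower() == "websocket"
              and h.get("sec-websocket-accept") == expected_accept(client_key))
        return "websocket" if ok else "bad-handshake"
    if status in (301, 302, 303, 307) and "location" in h:
        return "auth-redirect"
    return "http-fallback"

# Constructed responses for the three cases; not captured from a real proxy.
GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
FALLBACK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://adfs.example.test/adfs/ls/\r\n\r\n"
```

Send `upgrade_request(...)` over a TLS socket to the proxy and feed the raw reply to `classify_upgrade`; a result other than `websocket` explains the HTTP-tunnel log line, and `auth-redirect` points at the token lifetime rather than at Guacamole.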
