As I said, I'm not the admin of the firewall and I have only a little support for it from admin. I must and can only manage the PC with Guacamole. This is the reason I was wondering if Guacamole can be installed on a PC on which something else is already installed. For example OpenVPN, NUT, Zabbix, ...
On Tue, 24 May 2022, 06:49 Vendel Colja <colja.ven...@allysca.de> wrote:

> Your argument for DDNS is true for the VPN solution too.
>
> I'd suggest to:
>
> - yes, if it's dynamic IP assignment, use DDNS
> - forward 443 to your Guacamole server
> - redirect port 80 to 443 on your firewall already
> - force TLS 1.3 and only fall back to 1.2
> - use Guacamole with DB
> - use Guacamole only with 2FA enabled
> - if you are paranoid enough, disable clipboard and file transfer capabilities
>
> If one intends to run a non-Guacamole web server in your network, you could either proxy Guacamole through this web server or use the Guacamole Apache or nginx server to serve or proxy both Guacamole and the web site.
>
> I split all services into dedicated VMs and/or containers, so there is one for proxying 443 to the Guacamole Tomcat, one Tomcat to run Guacamole, one to run guacd and one more to run pgsql, and all of them report logging information to a central log system to be monitored.
>
> *From:* Dark Corner <darkcorner...@gmail.com>
> *Sent:* Monday, 23 May 2022 17:57
> *To:* user@guacamole.apache.org
> *Subject:* Re: Access to Guacamole with OpenVPN (behind the Firewall)
>
>> Thanks for the reply.
>> I did not understand your suggestion.
>> Do you mean that in the firewall I have to direct the 80/443 traffic towards the PC of Guacamole?
>> What if there is a web server on the network? There isn't, but it could be activated in the near future. In this case I would have to change the ports on Guacamole and tell users that they must use the port in the URL.
>> Then I have to consider that the IP is dynamic and therefore I still have to use a DDNS.
>>
>> Finally, it is true that there is an added complication for users, but also for an intruder, who would also have to have access to the VPN credentials.
>>
>> In case I decide to use OpenVPN, can I install the OpenVPN server on the same server as Guacamole?
>>
>> On Mon, 23 May 2022 at 17:16 Michael Jumper <mjum...@apache.org> wrote:
>>
>>> On Mon, May 23, 2022, 07:53 Dark Corner <darkcorner...@gmail.com> wrote:
>>>
>>>> Guacamole is installed on a PC behind a Zyxel firewall.
>>>> Users should connect to Guacamole via VPN and, once logged into Guacamole, log into their PC.
>>>> However, the firewall cannot handle multiple VPNs. So, I wish to install OpenVPN, possibly on the same PC used for Guacamole.
>>>> To access OpenVPN I would like to open a set of ports on the firewall to the Guacamole PC only, so that it is not necessary to use a VPN on the firewall.
>>>>
>>>> Do you have any suggestions in this regard?
>>>
>>> I think it would be far better to not use the VPN at all. Putting a VPN in front of it would just add unnecessary difficulty and complexity for users.
>>>
>>> Part of the function of Guacamole is as a VPN replacement. It allows you to allow users to connect to backend desktops securely and via a browser without needing VPN at all. You should instead:
>>>
>>> 1) Allow direct access to the Guacamole server only, and only on ports 80 and 443.
>>>
>>> 2) Set up SSL termination such that access is properly encrypted and HTTP traffic to port 80 is redirected to HTTPS at port 443.
>>>
>>> 3) Ensure via your firewall and network config that Guacamole is the sole means of access to the desktops on the private network behind Guacamole.
>>>
>>> You then have a single, centralized, monitored, and secured point of entry, with access to any particular backend desktop only possible if the admin grants that access.
>>>
>>> - Mike
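One way to put the "forward 443, redirect 80 to 443, TLS 1.3 with 1.2 fallback, proxy 443 to the Guacamole Tomcat" advice from Vendel's list and Michael's points 1 and 2 into a single reverse-proxy configuration, as an added nginx example that is not from this thread or from the Guacamole project; the DDNS host name, the certificate paths and the Tomcat address are assumptions:

```nginx
# Added example, not from the thread. Assumptions: the public DDNS name is
# guac.example.com, certificates live under /etc/letsencrypt, and Tomcat
# serves Guacamole at http://127.0.0.1:8080/guacamole/ on the same host
# (or on an internal address if the proxy runs in its own VM/container).

# Port 80 does nothing but redirect to HTTPS (Michael's point 2).
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

# Port 443 is the only forwarded port; it terminates TLS and proxies
# exclusively the Guacamole web application (Michael's point 1).
server {
    listen 443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/letsencrypt/live/guac.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/guac.example.com/privkey.pem;

    # TLS 1.3 is negotiated when the client supports it; TLS 1.2 is the
    # only fallback. TLS 1.0/1.1 are never offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Ask browsers to stay on HTTPS once they have seen the site.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Anything outside /guacamole/ is refused; a second web site can be
    # added later as its own location or server block without touching this.
    location / {
        return 404;
    }

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;            # Guacamole streams its tunnel; buffering breaks it
        proxy_http_version 1.1;         # needed for the WebSocket upgrade
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}
```

With this in place the firewall rule only has to forward TCP 80 and 443 to the proxy host; 2FA, the database backend and the clipboard/file-transfer restrictions from the same list are configured inside Guacamole itself, not in the proxy.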