Hey Sean, I agree with your desire for security, but there is no air-gap on a network, those are mutually exclusive. 😉
However, that being said, having Guac set up with Azure MFA, L7 firewalled with IP restrictions, and all ESXi (and other critical systems) firewalled to ONLY* allow Guac to talk to them, with the recordings and FORCED permissions of Guac, is HIGHLY secure. There is no easy way to get into my ESXi hosts via Guac, as it forces the MFA'd account's username directly, and requires the proper SSH key and source key validation within Guac itself.

*I only allow SSH (passwords/HTTP(S) disabled, SSH key with passphrase) from one other IP/user as a failsafe. Other than running vCenter in HA mode (buggy as heck) and fully disabling SSH/web on the ESXi hosts, there is no more secure method I know of.

________________________________
From: Sean Hulbert
Sent: Monday, June 5, 2023 11:06 AM
To: user@guacamole.apache.org
Subject: RE: SSH Connections --- VMWare Hosts

Hello Nick, thank you. I think I will agree to disagree. Well, I did leave out all the security implemented; however, we did pass the FedRAMP MIL4 and HIPAA audits with our implementation. Let's hope you are running a layer 7 firewall on your edge and micro firewalls in front of the ingress endpoints, or it will be another tragic story on the news.

You want a jump VM as a degree of separation in an isolated network, which can have internal MFA enabled on it, not just TOTP with Guac. By going from Guac to VMware you have no separation/segmentation. There is nothing wrong with having a standalone Windows server as a utility VM, or even a Linux system, using private VLANs to help air-gap the connections.

Thank you
Sean Hulbert
Founder / CEO
Work Ph: 925.663.5565
Security Centric Inc.
A Cybersecurity Virtualization Enablement Company
StormCloud Gov, Protected CUI Environment!
FedRAMP MIL4 in process
System Award Management CAGE: 8AUV4
AFCEA San Francisco Chapter President
If you have heard of a hacker by name, he/she has failed; fear the hacker you haven't heard of!
igitur qui desiderat pacem, praeparet bellum!!! Epitoma Rei Militaris

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Monday, June 5, 2023 9:34 AM
To: user@guacamole.apache.org
Subject: Re: SSH Connections --- VMWare Hosts

On Mon, Jun 5, 2023 at 12:32 PM Sean Hulbert <shulb...@securitycentric.net.invalid> wrote:
> It is fundamentally a bad idea to go directly to your HOST VMware server; you should use a jumper (utility) VM with connection to the Host on the backend, like Windows Server 2019 or 2022.

1) Guacamole _is_ the jump/utility VM.
2) In my estimation, it is a fundamentally bad idea to set up a Windows-based server just to log in to UNIX/Linux/ESX servers.

-Nick
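The ESXi-side half of the setup Nick describes above (hosts firewalled so that only the Guacamole server, plus one failsafe admin address, can reach SSH) as an added shell example. This is not code from the thread or from either poster; it is written against the stock `esxcli network firewall` commands, and the two addresses are assumptions. It runs on the ESXi shell, or anywhere with DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: restrict an ESXi host's SSH service to
# the Guacamole jump host plus one failsafe admin address, the pattern Nick
# describes above. Run in the ESXi shell with "apply", or with DRY_RUN=1
# anywhere to print the esxcli commands instead of executing them.
# GUAC_IP and FAILSAFE_IP are assumed addresses, not taken from the thread.

GUAC_IP="${GUAC_IP:-10.10.0.5}"          # assumption: Guacamole server
FAILSAFE_IP="${FAILSAFE_IP:-10.10.0.9}"  # assumption: one out-of-band admin host
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Lock the sshServer ruleset to the two sources. Order matters: the allowed
# list is populated first and allowed-all is switched off last, so the host
# is never in a state where no address at all may reach SSH.
restrict_ssh_sources() {
    for ip in "$GUAC_IP" "$FAILSAFE_IP"; do
        run esxcli network firewall ruleset allowedip add \
            --ruleset-id sshServer --ip-address "$ip"
    done
    run esxcli network firewall ruleset set \
        --ruleset-id sshServer --allowed-all false
}

# Show the resulting allow-list so the change can be checked while the
# session that made it is still open.
show_ssh_sources() {
    run esxcli network firewall ruleset allowedip list --ruleset-id sshServer
}

# Only act when invoked with "apply"; sourcing the file just defines the functions.
case "${1:-}" in
    apply) restrict_ssh_sources && show_ssh_sources ;;
esac
```

Keep the console (DCUI or vCenter) session open until `show_ssh_sources` lists both addresses; a typo in GUAC_IP with allowed-all already false is exactly the lockout the failsafe entry is there to prevent. Disabling password authentication and installing the passphrase-protected key are separate sshd and authorized_keys changes on the host and are not covered here.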