> Is there any way to make that SSL a mutual SSL / mutual TLS
> authentication? In that way, the client will authenticate the daemon, and
> the daemon will authenticate the client, and everybody should be happy
> (reference:
> https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/)

Today, no, but there is a feature out in Jira for it. Just hasn't been implemented, yet:

https://issues.apache.org/jira/browse/GUACAMOLE-28

> Also, in general, which are the security implications of having a guacd
> serving request to incoming internet requests? Are there any docs you can
> share on that?

Without the mutual authentication implementation, you don't want to do this - it would basically allow anyone with any sort of Guacamole client to connect to guacd and attempt to open connections to all of your protected systems.

> Finally, if having guacd exposed to the world is not a good idea, should
> we go with something like ssh tunnels or site-to-site VPNs to get the
> remote locations connected with the cloud deployed client? Any other
> options to consider?

Yes, you could either do site-to-site VPNs or SSH tunneling to protect the traffic.

-Nick
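
The SSH tunneling option from the reply above, as an added example that is not part of the original thread: a check that guacd is listening on loopback only, plus the port forward the cloud-hosted web application would use to reach it. It assumes guacd's default port 4822; the login `tunnel@site-a.example` and the `ss -ltn` samples are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes guacd's default port 4822.
GUACD_PORT=4822

# Read `ss -ltn` output on stdin; print listeners on the guacd port that are
# bound to anything other than loopback. Exit status 0 means "exposed".
exposed_guacd_listeners() {
    awk -v port="$GUACD_PORT" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # last piece is the port
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (parts[n] == port && host !~ /^127\./ && host != "[::1]") {
                print $4; found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Print the tunnel command to run on the Guacamole web application host.
# $1 = SSH login at the remote site (placeholder), $2 = local port to use.
guacd_tunnel_cmd() {
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:$2:127.0.0.1:$GUACD_PORT $1"
}

# Constructed sample: guacd listening on all interfaces.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5            0.0.0.0:4822      0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*'

# Constructed sample: guacd bound to loopback (for example `guacd -b 127.0.0.1`).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5          127.0.0.1:4822      0.0.0.0:*'

if printf '%s\n' "$SAMPLE_EXPOSED" | exposed_guacd_listeners; then
    echo "guacd reachable on a non-loopback address; bind it to 127.0.0.1"
fi
printf '%s\n' "$SAMPLE_LOOPBACK" | exposed_guacd_listeners || echo "guacd is loopback-only"
guacd_tunnel_cmd tunnel@site-a.example 4822
```

On a real host, feed the check with `ss -ltn | exposed_guacd_listeners`; with several remote sites, give each tunnel its own local port and point the matching connection's guacd host and port at `127.0.0.1` and that port.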