What are “Cool Solutions”?

Cool Solutions is the name we use to describe Univention solutions which expand UCS with practical, advantageous functions and are also sometimes employed by our customers. These solutions are regularly presented in the Univention Wiki in the form of Cool Solutions articles.

In a new series of articles, we want to introduce you to the five most popular “Cool Solutions” over the next few weeks. Today we are starting with Guacamole – and no, we don’t mean the tasty Mexican dip this time.

What is Guacamole?

Guacamole is open source software (Apache license) which allows remote access to computers. Its advantage is that it supports different protocols (VNC, RDP, SSH, etc.) and only a browser is required for the access itself. The software was developed by the Open Source developers of the Guacamole project.

The software itself comprises two components: the frontend, Guacamole, and the backend, guacd. Guacamole is written in Java and runs in a servlet container (e.g., Tomcat). The software provides an HTML5 frontend, which allows a range of different options for accessing an external system. Different access methods such as RDP, SSH, and VNC can be employed via corresponding dependency packages. Guacamole thus acts as an RDP, SSH, or VNC client that works in the user’s browser without additional software or add-ons.

The backend guacd establishes the actual connection to the target system and forwards the output on to the frontend Guacamole.

How is Guacamole installed?

Guacamole can be installed and operated in the standard way by providing a servlet server (e.g., Tomcat). Attention also needs to be paid to correct installation of the dependencies. However, Guacamole can now also be operated via Docker. In this case, all the necessary dependencies are supplied.

In our wiki article on Guacamole we describe the installation and configuration via Docker on a UCS 4.1 server.

What advantage does Guacamole offer?

The idea behind Guacamole is to configure different remote accesses at user level via a single platform, so that avoidable port openings in the firewalls do not have to be created. Guacamole relies on existing methods for access via RDP, SSH, and VNC, and does not include any functions of its own for operating these protocols.

Where do we use Guacamole?

When performing project management for our customers we mostly use Guacamole in Amazon CloudFormation (topic-based, preconfigured template environments) in order to allow access to Windows server systems via RDP. Before we used Guacamole, different port forwardings generally needed to be configured in the UCS system and ports needed to be opened in the firewalls, which resulted in potential security vulnerabilities. In addition, the UCS user needed to ensure that an RDP client was installed on the operating system. Thanks to the use of Guacamole, this step is no longer necessary and the RDP access can be conducted conveniently from the browser.

How can you install Guacamole?

As of UCS 4.0 it is possible to install and run Guacamole with Docker. The installation of the necessary containers is performed as usual via the command line with Docker. The current Docker implementation of Guacamole requires the installation of a database. Without this, the Guacamole container will not start. As soon as the three components

  • database (MySQL or PostgreSQL),
  • guacd,
  • and Guacamole

are installed, Guacamole can be accessed via the URL http://localhost:8080 and the configuration performed via the web interface.

How do I configure Univention Guacamole?

In Amazon CloudFormation we use the “NoAuth” plugin for RDP connections, with which all connections can be used without previous authentication. The configuration is not performed in this case via Guacamole’s web interface, but rather via a configuration file in the Guacamole Docker container. Following a subsequent restart of the Guacamole Docker container, the new configuration is available and the RDP connections can be used.
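An added example, not part of the original article or the Guacamole project: a small Python audit that reports what a NoAuth configuration exposes to anyone who can reach the web interface. The `noauth-config` property and the `<config>`/`<param>` XML layout are assumptions about the NoAuth extension's file format; all hosts, names and the password are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files: hosts, names and the password are placeholders.
# Assumed layout: a "noauth-config" key in guacamole.properties pointing at an
# XML file of <config>/<param> entries (NoAuth extension format).
SAMPLE_PROPERTIES = """\
guacd-hostname: guacd
noauth-config: /etc/guacamole/noauth-config.xml
"""

SAMPLE_NOAUTH_XML = """\
<configs>
  <config name="win-server-1" protocol="rdp">
    <param name="hostname" value="10.0.0.10"/>
    <param name="password" value="example-only"/>
  </config>
  <config name="jump-host" protocol="ssh">
    <param name="hostname" value="10.0.0.20"/>
  </config>
</configs>
"""

def parse_properties(text):
    """Parse 'key: value' / 'key=value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#:=\s][^:=\s]*)\s*[:=]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_noauth(properties_text, noauth_xml):
    """List what a NoAuth setup exposes to anyone who can reach the web UI."""
    props = parse_properties(properties_text)
    if "noauth-config" not in props:
        return []  # NoAuth not configured: nothing to report
    findings = [("noauth-enabled", props["noauth-config"])]
    for cfg in ET.fromstring(noauth_xml).iter("config"):
        params = {p.get("name"): p.get("value") for p in cfg.iter("param")}
        target = f"{cfg.get('name')}: {cfg.get('protocol')} -> {params.get('hostname')}"
        findings.append(("open-connection", target))
        if params.get("password"):
            findings.append(("stored-credential", cfg.get("name")))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_noauth(SAMPLE_PROPERTIES, SAMPLE_NOAUTH_XML):
        print(f"{kind:18} {detail}")
```

Each `open-connection` finding is a target reachable without login, so the web interface itself has to be restricted at the network level; a `stored-credential` finding means the session opens with that account for every visitor.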

You can find more information on Guacamole here:


Timo Denissen has been working on Linux-based topics since 1997. He started his apprenticeship as an IT specialist (specialising in system integration) in 2010 and was in the Professional Services Team from 2013 to 2017. He has been working as a system administrator at Univention since 2017.


Comments

  1. I’ve implemented Guacamole with tomcat8, mysql & nginx (to provide HTTPS encrypted links from school to server/tomcat8)

    I would suggest that Univention install NGINX as well because Schools, especially K-12 (kindergarten through High School) have very strict web standards. Using just HTTP means that the Browser HTML5 is un-encrypted over the WAN …. which means it could get intercepted and/or read.

    Just a suggestion if you want schools to accept your solution.

    Brian

    • Guacamole supports https, redirect all http to https.
      And you can use vpnweb from Cisco routers to complement.

    • Hello Brian,

      thank you for your suggestion, we will look into expanding the Cool Solution article accordingly.

      Following the example from the Cool Solution article, the Apache on the UCS hosts is proxying Guacamole from/to the Docker container, thus the connection (web browser to Guacamole over Apache) is encrypted using HTTPS even though the proxy connection is using un-encrypted HTTP.

      Regards,
      Timo
