Guacamole

Guacamole is an Apache project used to provide browser-based (HTML5) remote access to PBR systems, reducing the need to deploy physical PBR hardware to non-regular users.

It is hosted on PBR-PVEC-KL1, within the DMZ at 10.99.8.8.
Public IP 14.202.159.252 is NAT-forwarded to the server. Guacamole runs on an Apache Tomcat host that sits behind an Nginx reverse proxy.
guac.pbr.org.au is the FQDN associated with the public IP; internally, DNS resolves guac.pbr.org.au to the internal address 10.99.8.8.

Tomcat

Tomcat has been modified from the default setup to enable SSL for the Guacamole host.

ALL Tomcat settings and log files are inaccessible from the regular user login. sudo -s is required to access and modify Tomcat files.

Logging is done via Catalina; the output sits at /opt/tomcat/tomcatapp/logs/catalina.out

Tomcat Connector

image.png

Keystore password is in 1Password.

This connector was modified from the original 8080 connector to enable SSL and to designate the certificate used for SSL.

The certificate is held in a .jks keystore protected by that password. The certificate imported into the keystore was a PKCS#12 bundle with the private key embedded. These files are stored in Tomcat's /conf/crt/ directory.

SSL is required on Tomcat so that SAML exchanges passing through the reverse proxy remain HTTPS end to end.

Note: when changes are made to the Guacamole config, a restart of the Tomcat service (which hosts Guacamole) is usually all that is required for the changes to take effect.

Nginx

Nginx serves as a reverse proxy that intercepts and filters traffic between browsers and the Tomcat instance hosting the Guacamole server.

The config file is at /etc/nginx/conf.d/reverse-proxy.conf

Nginx is loaded with the PBR wildcard certificate to enable SSL. It listens on :443 and forwards to :8080.

image.png

It is critical that the headers listed above are included; Guacamole will not function properly through Nginx without them.
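As an added example (not the runbook's own reverse-proxy.conf), the following script writes a constructed Nginx server block in the shape the Guacamole documentation describes for a reverse proxy, then checks that the directives Guacamole depends on are present. The hostname guac.pbr.org.au and backend port 8080 are taken from this page; the certificate paths, the backend address and the check itself are assumptions.

```shell
#!/bin/sh
# Added example, not the PBR config: a constructed reverse-proxy.conf for
# Guacamole and a check for the directives it cannot work without.

# What Guacamole needs from the proxy: HTTP/1.1 plus the Upgrade/Connection
# headers so the WebSocket tunnel is passed through, X-Forwarded-For so the
# real client address reaches the auth logs, and buffering off so the
# fallback HTTP tunnel is not stalled by Nginx.
REQUIRED_DIRECTIVES='proxy_http_version 1.1
proxy_set_header Upgrade
proxy_set_header Connection
proxy_set_header X-Forwarded-For
proxy_buffering off'

# write_sample_conf FILE : write the constructed server block to FILE
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name guac.pbr.org.au;

    # Wildcard certificate paths are assumed placeholders
    ssl_certificate     /etc/nginx/ssl/wildcard.pbr.org.au.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.pbr.org.au.key;

    location /guacamole/ {
        # https because the Tomcat connector on 8080 has SSL enabled;
        # the loopback backend address is an assumption
        proxy_pass https://127.0.0.1:8080/guacamole/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # lets the SAML callback URL be built with the external https scheme
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}
EOF
}

# check_guac_proxy_conf FILE : return 0 if every required directive is
# present as an active (uncommented) line, 1 otherwise; missing ones go to stderr
check_guac_proxy_conf() {
    conf="$1"
    missing=0
    old_ifs=$IFS
    IFS='
'
    for directive in $REQUIRED_DIRECTIVES; do
        if ! grep -Eq "^[[:space:]]*${directive}([[:space:]]|;|$)" "$conf"; then
            echo "missing: $directive" >&2
            missing=1
        fi
    done
    IFS=$old_ifs
    return "$missing"
}

# Stand-alone run: check the sample, then break it to show a rejection
tmp=$(mktemp)
write_sample_conf "$tmp"
check_guac_proxy_conf "$tmp" && echo "sample config: OK"
grep -v 'proxy_buffering' "$tmp" > "$tmp.broken"
check_guac_proxy_conf "$tmp.broken" || echo "broken config: rejected"
rm -f "$tmp" "$tmp.broken"
```

Run it against the live file with check_guac_proxy_conf /etc/nginx/conf.d/reverse-proxy.conf after any edit, before restarting Nginx; a missing Upgrade header is the usual cause of Guacamole loading its login page but never connecting.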

MySQL

MySQL is used as the database for all configuration, including user configs.

It is installed as a plugin in Guacamole Home (/etc/guacamole/).
The plugin lives in the extensions directory.

MySQL requires a JDBC driver in order to work. This is the platform-independent .jar and sits in /etc/guacamole/lib

The credentials for MySQL are in 1Password.

The schema template is located within the extracted JDBC plugin at /guacamole-auth-jdbc-1.5.2/mysql/schema
Currently this sits in the home directory of pbr_admin.

Configuration for Guacamole using MySQL takes place in guacamole.properties in Guacamole Home

image.png

Documentation for MySQL can be found at https://guacamole.apache.org/doc/gug/jdbc-auth.html

SAML

SAML is provided as an alternative secure sign-in method, using Duo to authenticate against the server.

Settings for SAML are in guacamole.properties

image.png

Note: this will work for any authentication that succeeds through Duo, but such users will be unable to access anything, because the user does not correspond to a user in the MySQL database with any connections.

Settings to note here specifically are the following:

skip-if-unavailable - if SAML is unavailable, this authentication method is skipped and authentication falls over to SQL.

extension-priority - as configured above, gives every other authentication method priority over SAML. The result is that the SQL login screen is shown, with the option to log in via SAML, as below.

image.png
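As an added example covering both the MySQL and SAML sections above (this is not the PBR host's own guacamole.properties or a script from the runbook), the following builds a constructed GUACAMOLE_HOME layout and checks the points this page relies on: the MySQL auth extension and JDBC driver are in place, the mysql-* properties are set, the SAML fallback settings (skip-if-unavailable, extension-priority) are present whenever a SAML extension is installed, and the properties file, which holds the database password, is not world-readable. The extension version 1.5.2 and the paths come from this page; the jar filenames, property values and the check itself are assumptions.

```shell
#!/bin/sh
# Added example, not PBR config: constructed GUACAMOLE_HOME plus a sanity check.

# make_sample_home DIR : build a constructed GUACAMOLE_HOME under DIR
make_sample_home() {
    home="$1"
    mkdir -p "$home/extensions" "$home/lib"
    # jar names are assumed; versions follow the 1.5.2 extract named on the page
    : > "$home/extensions/guacamole-auth-jdbc-mysql-1.5.2.jar"
    : > "$home/extensions/guacamole-auth-sso-saml-1.5.2.jar"
    : > "$home/lib/mysql-connector-j-PLACEHOLDER.jar"
    cat > "$home/guacamole.properties" <<'EOF'
# Constructed guacamole.properties; every value is a placeholder.
# (Java properties take no trailing comments, so notes stay on their own lines.)
mysql-hostname: 127.0.0.1
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
# real password lives in 1Password
mysql-password: CHANGE-ME

# SAML via Duo; metadata URL is a placeholder
saml-idp-metadata-url: https://IDP-METADATA-URL-PLACEHOLDER
saml-entity-id: https://guac.pbr.org.au/guacamole
saml-callback-url: https://guac.pbr.org.au/guacamole

# fall over to SQL if SAML is down; show the SQL form first, SAML as an option
skip-if-unavailable: saml
extension-priority: *, saml
EOF
    # the file contains the DB password: owner-only access
    chmod 600 "$home/guacamole.properties"
}

# check_guac_home DIR : return 0 if the layout and properties look right,
# 1 otherwise, listing each problem on stderr
check_guac_home() {
    home="$1"
    props="$home/guacamole.properties"
    rc=0
    [ -f "$props" ] || { echo "missing $props" >&2; return 1; }

    # MySQL auth extension in extensions/, JDBC driver in lib/
    ls "$home"/extensions/guacamole-auth-jdbc-mysql-*.jar >/dev/null 2>&1 \
        || { echo "no MySQL auth extension in $home/extensions" >&2; rc=1; }
    ls "$home"/lib/mysql-connector*.jar >/dev/null 2>&1 \
        || { echo "no MySQL JDBC driver jar in $home/lib" >&2; rc=1; }

    # every mysql-* property the extension needs to reach the database
    for key in mysql-hostname mysql-port mysql-database mysql-username mysql-password; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*[:=]" "$props" \
            || { echo "missing property: $key" >&2; rc=1; }
    done

    # with SAML installed, require the fallback settings described on this page
    if ls "$home"/extensions/*saml*.jar >/dev/null 2>&1; then
        grep -Eq '^[[:space:]]*skip-if-unavailable[[:space:]]*[:=]([^#]*[[:space:],])?saml([[:space:],]|$)' "$props" \
            || { echo "SAML installed but skip-if-unavailable does not list saml" >&2; rc=1; }
        grep -Eq '^[[:space:]]*extension-priority[[:space:]]*[:=]' "$props" \
            || { echo "SAML installed but extension-priority is not set" >&2; rc=1; }
    fi

    # the properties file holds credentials: reject world-readable modes
    [ -z "$(find "$props" -perm -004)" ] \
        || { echo "$props is world-readable" >&2; rc=1; }
    return "$rc"
}

# Stand-alone run against a throwaway directory
demo=$(mktemp -d)
make_sample_home "$demo"
check_guac_home "$demo" && echo "sample GUACAMOLE_HOME: OK"
rm -rf "$demo"
```

On the live host, run check_guac_home /etc/guacamole as root (the files are not readable from the regular login) before restarting Tomcat; the same checks apply after upgrading the JDBC extension, when a stale jar left in extensions or lib is the usual cause of a failed start.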

GUI Configuration

User and computer configuration is done via the GUI, which writes to the SQL database.

There is a built-in admin account, with credentials stored in 1Password, that can perform this configuration.

image.png

Different permission groups can be configured; these permission groups can contain connection groups as well as Guacamole administration permissions.

Firewall

NAT Rules

Inbound NAT Translation

image.png

Outbound NAT for internet access in DMZ

image.png

Security Rules

Given that Guac sits in the DMZ with both outbound internet access and internal network access, we need to be very careful about what the server is allowed to reach.
The server has restricted access to the internal LAN as well as to the external internet.

Guac to Outbound

image.png

Internal LAN to Guac:

Only allows SSH and SSL access to the server, as well as ping and the built-in Guac profile.

image.png

Guac to Inbound:

Allows RDP, SSH and VNC to specified servers.

Also allows internal DNS access to the DCs.

image.png