Uhh I'm not sure what details to add, but
This device came with adb over usb blocked, which made everything a pain. However, qualcomm edl still worked, and I could place arbitrary binaries and add them to a start script. This let me get dropbear on the phone, from which I was able to chroot into an arch linux rootfs stored in the external SD card and start the guacamole server. After that it was just a matter of creating a KaiOS app which loads localhost:8080 and open the terminal emulator!
EDIT: video for the cynics: https://www.youtube.com/watch?v=gze_Acba490
It's a problem because it can be discovered, non standard port or not (better port scanners will send various common protocol challenges on all public ip ports, it'll get picked up sooner or later).
At that stage, if you've ever had an account compromised that shares that password, you're gonezo. It doesn't have to be something you did, there's plenty of sites that have had their entire password database hacked and shared.
The second problem is that RDP has no sort of rate limiting (IE: fail2ban) or two factor authentication, or anything.
If you want universal access from any computer, set up apache guacamole. Once it's in place it's invaluable, and it's such a pain in the ass to set up that it's a good learning experience. And stop sharing your RDP over the internet. "You've never faced an issue" just means "You've never noticed an issue". Doesn't mean it hasn't happened.
Check out Apache Guacamole https://guacamole.apache.org/ it's the closest thing I'm aware of to running Windows in a browser. It is a browser based rdp /vnc/ssh gateway. I use it daily and it's pretty slick.
It is, Apache just has a slow release cycle. They'll release updates right quick on a security vulnerability. They just don't have many vulnerabilities (which speaks well of the software).
Apache is also the same Apache that makes httpd, the most widely used web server on the planet.
I've found that Apache Guacamole is quite a handy way to get at machines behind the firewall securely and from anywhere in the world. Of course you get what you pay for - there are some clipboard and file transfer caveats, but for remote machine access it's just peachy. Was easy to setup a publish point with a letsencrypt cert.
If you install it on your desktop you can setup something like Guacamole and connect to it to work on from the laptop. If you plan on doing it while you are at home on the same network you can rdp to it. If you want to set it up on a vm on your desktop you can setup Hyper-v and setup gpu pass through so it runs in the background and you can rdp into that.
Was curious on how it works. Looks like it utilizes the noVNC project with a wrapper that keeps Firefox open. I think it also wipes the user profile.
Cool stuff
Seems like a lite version of guacamole. https://guacamole.apache.org/
Talk to your IT/Boss about the policy prohibiting you from doing this in the first place?
But if you're set on breaking company policy... Is SSH blocked? You can do a SOCKS5 proxy with ssh and fire up your browser of choice and use something like guacamole for the remoting of the GUI.
If this is a quick-and-dirty or your user count is fixed, try Apache Guacamole on top of VNC, with one-instance-per-user. No client-side software (besides a modern browser) required.
If this is a commercial or scale venture, try Citrix XenDesktop. The software sucks, but you can at least find experts, which is more than can be said in bodging together a Guacamole solution.
Interesting Idea but I think that you could go even further with that and not "trust" google with your dev environment.
I mean, it is "just" an Ubuntu virtual machine that you could basically run anywhere. If you have a company server it could run there or a small machine running at home. VNC or something like that would allow you to connect to it as well but requires a program that is installed so it isn't as plugin play.
But with the use of apache guacamole you can do that all from your web browser as well.
Still an interesting read though but not everything has to be in the cloud.
Interoperability. The truth is what does Linux really have as a standard remote desktop protocol?
x2go is fine and everything, but it is hardly lightweight; in fact, when you use it to run outside of a DE it is hard to get any consistency.
X-Forwarding has always been inherently insecure and protocol dumb and not at all firewall friendly. It was from a much more naive time in computers where trust was implicitly expected.
In my long and quite varied career I have used all sorts of solutions to try and get a drop-in replacement for RDP; sadly, it just does not exist under Linux.
The closest I have come is using Guacamole to basically abstract away remote access behind a proxy server people can connect to with any modern web browser. But it still uses RDP for the backend connections.
My hope is that Pipewire can fill that gap and make remote desktop sharing both secure, fast and above all universal in a way we can forget about RDP once and for all.
You said you can't install anything on the work pc - can you download a binary or edit browser settings? If all of the services you're looking to access are web, you could set up a tunnel with Putty (just a download, no installation required). This way, you only need the port for SSH open.
Also have you taken a look at Guacamole: https://guacamole.apache.org/
XRDP is as it uses the same protocol as RDP that Windows uses. Worst case is you use SSH to port forward, but then at that point why not use VNC+SSH. XRDP will also let you hop to another server via VNC, or RDP.
Either VNC+SSH or XRDP will work just fine. XRDP would be best if you don't want someone watching what you are doing to the computer at home/work.
I use XRDP and guacamole together. A separate Guac server that can SSH into any box at home, as well as RDP into other computers. Guac can also VNC into other computers. The nice thing about this setup is that I'm not exposing SSH/RDP ports to the world. Someone created a nice script to setup a guac box: https://github.com/MysticRyuujin/guac-install
You can use RDP, but just don't open a firewall port directly to the computer you want to use. Use a combination of VPNs or RD Gateways.
I've never used it but people are fond of https://guacamole.apache.org/ on this subreddit.
We use NPS, with the plugin, and a gateway.
Another way you could do is Apache Guacamole, or something else like it. Use SAML or OpenID for Guacamole's login. Then restrict it so RDP only works from the Guacamole server, and use it as your client. https://guacamole.apache.org/
If you end up unable to get the reverse proxy working appropriately, you might consider an RDP bastion host and something like Trasa or Apache Guacamole in front.
Have you looked at https://guacamole.apache.org/ ? I've not tried it, but would be the first thing I try if I need a remote desktop again. Historically, I've used RealVNC.
It seems your Synology directory server requires LDAP bind to be encrypted (TLS, usually over 636), but Guacamole then requires the encrypted connection to be valid and you do not have proper certificates in place.
As Guacamole has no ignore-invalid-certificate option for the bind as far as I can tell, you will either have to find out how to turn off the encryption requirement on the Synology, or get proper certificates for it (Let's Encrypt is easy and free).
I think Apache Guacamole is capable of doing this. (https://guacamole.apache.org/ ) I never really used it, so I don't know how good it is (compared to other solutions). But it's free and open source, so you can easily give it a try.
Are you dead set on the client side being a native VNC client? If it works for you, I'd implement Apache Guacamole as a gateway instead. It's pretty easy to set up (I think I got it going in like 20 minutes using the official Docker images at work) and gives you a single point to control access and you can make the backend transparent to the users.
Look at Apache Guacamole:
> Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
An alternative would be to use regular SSH Jump Host (see this example from Gentoo). This thread in /r/linuxadmin can help.
>The difference being (as i understand it) is that you can't connect to another persons session using Guacamole
Guacamole has screen-sharing, both in "view only" and "full control" modes.
Look into dynamic groups. You can assign ACL based on "memberof" attribute. The bad part of this, was that as of early 9.x versions you kind of need ASDM to do it properly. You also could only assign ACL's which were all permit or all deny. So you would need two ACL's for each group.
The other way to do it is to authenticate tunnel groups per LDAP attributes, then assign an ACL based on the VPN group mapped to each tunnel group.
Do you have any Linux expertise at your org? Something like Guacamole can make this much easier if all users are doing is RDP-ing to their desktops.
Guacamole ?
Guacamole is a software that allows you to RDP, X11,.... using HTML5 to machines that are configured, you can set that each username has permission for the machines you want.
The biggest cause of performance loss is going to be falling back to http mode, and not actually using websockets. This can be a mis-configured web server, or a bad browser. If you stuck it behind a reverse proxy, you need to follow the directions here to make it work: https://guacamole.apache.org/doc/gug/proxying-guacamole.html
I like using Apache Guacamole. It allows me to do ssh, vnc, and rdp to my different clients through a browser. I have it running on one of my Pi's along with PiVPN.
What's the end goal here? Who are your users (staff, citizens, etc?)? How important is latency?
If you have a spare server about or can scrounge one up, I'd run Guacamole. It's an html5 interface to the end user, and various RDP protocols to the machine pool.
Like any other solution for this though, user management will be a thing you'll probably have to do by hand.
Something that I have been playing around with recently to get around this is Apache Guacamole. https://guacamole.apache.org/
It's a funky free web application (self hosted) that allows you to publish RDP,VNC,SSH etc over HTTP(S) Web Sockets behind a login wall.
I have no idea how secure this is, but reading your replies down below about your willingness to learn about VPN's, it sounded like you might be interested in funky software like this as well, even as a small project to screw around with - so I thought that I would share :)
If you use Docker you can spin it up pretty fast too, search for it on the hub :)
In general, don't use the web client. It's taxing on the Fortigate and purposefully limited. On the backend it's just Apache Guacamole. Stand up a Guacamole server and make it yourself; a lot of the limitations the Fortigate has, a standard Guacamole setup won't.
But honestly RDP is so efficient that I'd just use SSL-VPN with a normal RDP session on top of it.
https://guacamole.apache.org/ is exactly what I use for this.
clientless browser vnc / rdp that can store auth info for connections out of reach of the user, and then auth the user through LDAP or something else.
There are cloud PC services like Shadow, but that particular one is aimed at gamers and has a 30 minute inactivity timer.
Amazon Workspaces might do what you want? They run some amazon flavor of Linux but you should be able to load the web version of MS Teams at least. Don't know whether there's any inactivity timer.
Another alternative would be to buy a cheap VPS (virtual private server) through a place like DigitalOcean and install Apache Guacamole on it, but don't try this unless you're comfortable working with command-line linux.
This is an option, but IMHO using the OpenVPN server from the sc66 is probably better than exposing your internal RDP to the internet.
Three options that would provide VNC access over internet while still keeping the connection secure.
1) SSH tunnelling
2) VPN
3) A service like Apache Guacamole (just make sure to use a cert and https)
OK, first a disclaimer: I haven't used this, but I've looked at it with some curiosity. Depending what your end goal is, this might be suited for something like Apache Guacamole. You might be able to just setup the gateway and then let students log in with their AD (or whatever SSO) credentials.
Like I said, I haven't tried it, but I sure am curious to see what you come up with. Good luck!
From https://guacamole.apache.org/
Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
We call it clientless because no plugins or client software are required.
Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.
Using Apache's official docker images, I've made this deployment a bit easier to configure with Ansible for those wanting a homelab or to build upon for a work/corporate environment.
I use the oznu Guacamole docker image which has the extensions bundled into the image - you just have to make a few config changes to enable either extension.
I then have a nginx container that handles the reverse proxying. If you get round to doing that, let me know and I'll be more than happy to help. 😊
If you only need 2FA for connections from outside then Apache Guacamole might do the trick for you. That'd be TOTP to authenticate to the gateway server, but not for internal RDP connections.
(nb: I have not used this)
Yes, the folks in the office connect to them using Remmina, a remote desktop utility on Linux Mint.
I originally wanted to use Windows Terminal Server and run everything (both clients and service) on one machine, but politics got in the way. It's frustrating.
Back in the day, a guy called Jonas Sextl came to my island (I live on a tropical island in the Caribbean, BTW) and gave a talk on virtual machines.
What he said, exploded in my head. This was back in the late 90s.
I went back to the office, downloaded VMWare, Xen and did everything I could to understand the tech. Eventually, I discovered Proxmox which seems sane after all the others.
Particularly interesting is its high availability and data centre focus. After using Knoppix for years, I was impressed by the German approach. Proxmox is another example of their in-depth way of setting up Linux.
Another feature of Proxmox is its tight integration of TurnkeyLinux container appliances. I've also been using TurnkeyLinux for several years to spin up services quickly. Liraz, the guy behind TurnkeyLinux is a very clever fellow.
In addition to pre-packaging services efficiently, he has added Webmin to manage them, a shell accessible from the browser and backup to Amazon Cloud as well. I can recommend his stuff.
I do also use VirtualBox and have used it for years, but I have come to prefer Proxmox for its web management interface though I also use its command line interface as well.
I also love thin clients/diskless workstations and all that good stuff. In addition to the Remmina client, I have set up a Guacamole server to allow remote access to the VMs over a VPN. Guacamole is pretty fast, better than most remote clients I've tried. Guacamole allows the user to access a Windows 10 desktop in a browser tab.
It depends on what you're trying to access at the end of the day. Something web-based? You can use SSH (putty if it is allowed) to create an encrypted tunnel for TCP traffic on a port you define. Then you configure your web browser to use that tunnel and voila, it is basically a VPN into your network. Here is a guide: https://www.techrepublic.com/blog/it-security/use-putty-as-a-secure-proxy-on-windows/
If you want an actual remote desktop experience, it might be time to look at Apache's Guacamole project - https://guacamole.apache.org/
I assume these are Win 10 Pro machines? So they should support RDP...
Just set up a Guacamole server on-site and you have a free RDP gateway.
It supports LDAP authentication if you've got a domain. Or database auth if you don't.
There is also commercial support available if your business is concerned about that.
Guacamole is a very popular choice for this but this assumes your home network has port 80/443 open. You can also run openvpn over port 443 but again you must have that port open at home to make the connection.
From the documentation:
NGINX supports WebSocket by allowing a tunnel to be set up between a client and a back-end server. For NGINX to send the Upgrade request from the client to the back-end server, Upgrade and Connection headers must be set explicitly.
Try adding:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
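An added example (not from the original comments or from the nginx or Guacamole documentation): a small Python audit that parses an nginx config and reports, for each proxied `location`, which WebSocket prerequisites are missing. It goes slightly beyond the two headers above by modelling nginx inheritance (a level that defines any `proxy_set_header` drops the inherited ones) and `proxy_http_version`; the sample config, paths and function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the page). Server-level settings are
# correct; two locations then break them in ways that are easy to miss.
SAMPLE_CONF = r'''
server {
    listen 443 ssl;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    location /guacamole/ {            # inherits everything: OK
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
    }
    location /guac-broken/ {          # own header => inherited ones are dropped
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /guac-keepalive/ {       # Connection "" strips the upgrade request
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "";
    }
}
'''

# Simplified tokenizer: comments, quoted strings, braces/semicolons, bare words.
# Assumption: no regex locations containing braces.
TOKEN = re.compile(r'''
    \#[^\n]*
  | "(?:\\.|[^"\\])*"
  | '(?:\\.|[^'\\])*'
  | [{};]
  | [^\s{};"'\#]+
''', re.X)


def parse(tokens):
    """Build a tree of (name, args, children); children is None for simple directives."""
    items, words = [], []
    for tok in tokens:  # the iterator is shared with the recursive calls
        if tok == ";":
            if words:
                items.append((words[0], words[1:], None))
            words = []
        elif tok == "{":
            items.append((words[0], words[1:], parse(tokens)))
            words = []
        elif tok == "}":
            return items
        else:
            words.append(tok[1:-1] if tok[0] in "\"'" else tok)
    return items


def load(text):
    toks = (m.group(0) for m in TOKEN.finditer(text))
    return parse(t for t in toks if not t.startswith("#"))


def audit(items, version="1.0", headers=None, label=None, out=None):
    """Return {location: [missing settings]} for every location that uses proxy_pass.

    Assumed nginx semantics: proxy_http_version defaults to 1.0 and is inherited;
    proxy_set_header is inherited only if the current level defines none.
    """
    out = {} if out is None else out
    headers = headers or {}
    own = {}
    for name, args, block in items:
        if block is not None:
            continue
        if name == "proxy_http_version" and args:
            version = args[0]
        elif name == "proxy_set_header" and len(args) >= 2:
            own[args[0].lower()] = args[1]
    if own:
        headers = own  # inherited headers are discarded at this level
    proxied = any(n == "proxy_pass" and b is None for n, _, b in items)
    if label is not None and proxied:
        missing = []
        if version != "1.1":
            missing.append("proxy_http_version 1.1")
        if "upgrade" not in headers:
            missing.append("proxy_set_header Upgrade")
        if headers.get("connection", "").lower() in ("", "close"):
            missing.append("proxy_set_header Connection")
        out[label] = missing
    for name, args, block in items:
        if block is not None:
            child = " ".join(args) if name == "location" else label
            audit(block, version, headers, child, out)
    return out


if __name__ == "__main__":
    for location, missing in audit(load(SAMPLE_CONF)).items():
        print(location, "OK" if not missing else "missing: " + ", ".join(missing))
```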
Does Guacamole work correctly without going through the proxy? If you connect directly to Tomcat on 8080, are you able to make the SSH connection successfully?
If not, then the problem is not with your Apache reverse proxy configuration but with either Guacamole or Guacd.
Do you have the mod_proxy_wstunnel module installed and enabled for Apache HTTPD? I can't remember if Apache will complain if you have a ws:// resource or just fall back to HTTP silently. If Guacamole works fine direct to Tomcat, this would be the next thing to check. Your config looks like it came straight from https://guacamole.apache.org/doc/gug/proxying-guacamole.html#apache so it should be good.
Like spyingwind, I use Nginx as the reverse proxy and haven't had any issues.
No worries. I remember reading about Apache Guacamole a while back but never dug into it. You could give its documentation a look to see if it’ll fit your needs:
VNC is likely the answer you're looking for, but take a look at Guacamole for connecting. Guacamole is really slick, it's a web portal to connect to any VNC, RDP, or SSH client through your browser. So once set up you just log into Guacamole and can connect to all your Windows, Linux, Mac, etc boxes through anything with a web browser without installing extra stuff.
Have you looked at Guacamole? Not every good tool has to be MS ;)
Also, MSPs are like that everywhere. Some MSPs have teeth and can convince businesses to invest wisely, some don't.
are these servers or clients?
If they are clients/terminals, meshcentral is a robust RMM that works both on windows and linux (hey, I just wrote a docker container for it yesterday!)
If they are servers, guacamole is a secure way to access both windows and linux servers via the web browser.
Neither require client software (though they do require knowing how to set up a linux server).
I've not used RDP with SSL gateway but I do have another suggestion that may work for you. There is an Apache project called Guacamole that may fit your need (https://guacamole.apache.org/). It supports multiple remote desktop protocols (SSH, RDP, VNC, etc.) client-less. I have it set up fronted by a reverse proxy with Authelia (https://www.authelia.com/) for dual factor authentication. I think it is better than just RDP as it allows me to remote in to both my Linux and Windows servers the same way.
Once you've created the connection, you can add a connection share from the list. You then give the other users permissions to the share.
https://guacamole.apache.org/doc/gug/administration.html?highlight=sharing
That page has a section on sharing profiles.
Depends on your use case, but guacamole will do that for you (sftp for ssh connection relays, rdp based virtual drive for windows).
If you are looking for something that will give you greater (root) control over multiple devices, meshcentral is a self hosted RMM platform that (among other things) can do file uploads and downloads from/to clients.
OMG great project OP! I am going to reference this project quite a few times to support my point that web browsers have become so advanced that they are the new "operating system".
I understand that this is more of a hobby project and shows what all can be achieved by web development but what features does it have over Apache Guacamole.
Apache guacamole is (among other things) an SSH client that should support file upload and download: https://guacamole.apache.org/
But if you want to just upload files, it's actually a lot easier:
/tmp/transfer
if the password is correct
You can now upload files to the server via a normal form element. Adding JS drag and drop for files or even entire directories is not that difficult.
You could probably put something like that together by putting Apache Guacamole in front of a VM (or a physical machine even) running in the cloud or at home. Then you could access that machine from any device that has a modern web browser.
If you really want to use RDP and SSH without a VPN you can try Apache Guacamole. It is a web interface for using SSH and RDP without any client software except a web browser. Way more secure than exposing them both directly. It also supports Multi Factor Authentication.
Then set up Port Forwarding on the router to expose the port(s) to the internet. Make every computer its own port and remember the port numbers (their mapping to computers) somewhere in phone/google drive.
That's the fastest, simplest way. VNC clients should be available everywhere, Android, etc, but if you need an HTML5 VNC server, then consider Apache Guacamole (with port forwarding as explained above).
Apache Guacamole is a remote desktop server that spits out an HTML5 website client to whoever connects to it. It's a .war file (a Java Server Application, a glorified .zip file, you can unzip it if curious), so it can be run inside Apache Tomcat (Apache server with Java installed) on Windows XP. Or you can maybe locate an XP standalone executable if you dig a bit; .war files can be made into .exes if portable Java is included, I guess.
https://guacamole.apache.org/releases/1.3.0/
https://stackoverflow.com/questions/694513/how-to-install-tomcat-on-windows-xp
Tight VNC exposes a webpage client also, but the webpage contains a Java Applet, those run on NPAPI extension system, only supported by Internet Explorer currently, Chrome, Firefox discontinued it since about 2015.
Let me know if you have further questions.
You could put a jump box in like Guacamole https://guacamole.apache.org/ connect onto that with some sort of 2FA and then SSH from there.
Also unless it can not be changed, I would not use VLAN1 as this can sometimes play issues with management VLANs on switches.
If you're running a containerized environment (i.e. Docker), consider Webtop by LinuxServer, it's a full Linux desktop environment in your browser. Alternatively if you just want a coding platform, Code Server is essentially just VS Code running on a remote machine, also accessible in your browser.
Another method you might consider is running Apache Guacamole on your existing work machine. It basically takes RDP/VNC/SSH and makes them accessible via a web browser.
Essentially you are asking about a VDI solution, which Citrix, VMware Horizon and vanilla Microsoft RDS can provide, but that can be expensive (you have to buy their licenses plus a Windows license for a Windows VDI and then provide a remote desktop services solution, either integrated within something like Citrix (and yet another license) or separately with a Windows RDS deployment). Guacamole running on Linux however can be much cheaper because everything but the single Windows desktop you'll want would be free.
What is cool about using a VDI solution is you could easily buy a thin client like a Dell Wyse, connect it to your network and then use that to log into the VDI as if it were there in front of you. Here is Microsoft's recommended Windows VDI image settings.
A performance Intel NUC should be able to act as a VM host and provide a single VM/VDI host for something like a browsing and Office instance, if you're going to use a Linux based hypervisor, in my opinion (you can make a Windows Guest though). A Windows hypervisor might work if you're willing to upgrade another 8 GB of RAM on top of that.
Other solutions can run from simply installing a Linux distribution to using something like TailsOS on a USB stick to staying in Windows but sandboxing the browser, running a Linux host for a Windows VM (even something like VFIO) and use VM snapshots, and so-on.
What I'm saying is there are a lot of paths to take on this and you should think and research about what you'd like to try. Some of these are fairly straightforward, some aren't, some are expensive, some aren't. There are pros and cons to each.
Yes, it will resize to your web browser. You don't have to expose it to the internet, you can just leave it within your network and VPN into your network and then access it that way. I use it so I can access my machines remotely when I cannot install a VPN client on the machine I'm using... like a work laptop.
Make use of the Guacamole docker image to install it easier.
> Users currently connect using RDP through a VPN.
use this
https://www.tecmint.com/guacamole-access-remote-linux-windows-machines-via-web-browser/
>The desktops are on an S2D cluster using deduplication at the storage level so space consumption is not unruly.
get rid of s2d :( bite it before it bites u !
Open source load-balancing and reverse proxying solutions tend to be small tools that are assembled together, instead of big monolithic products like the Netscaler and appliances from F5 and A10.
How much do you know about the functionality in question? Apache Guacamole does something like that for apps over VNC, RDP, and includes support for the "Microsoft RemoteApp" functionality since release 0.9.0.
> What I do not know is how I would be able to login to run applications remotely
Your hypervisor can handle this. It has a console.
VMware, proxmox, hyper-v, xen all have the concept of users and roles. You don't NEED a remote desktop for this.
For an actual REMOTE connection, you can standardize on RDP and use it natively on Windows, or use XRDP on Linux. On linux, there is also X-forwarding.
It sounds like you are trying to get to something like Apache Guacamole though.
The client needs an authentication provider configured for that functionality to appear. LDAP, Postgres, and MYSQL are supported among others. https://guacamole.apache.org/doc/1.3.0/gug/jdbc-auth.html
Storytime: During the last year several CVEs for RDP were issued and the malware creators jumped all over them. Several months back, my friend got hit with ransomware because he forwarded RDP. Encrypted his main system and his NAS storage, he lost everything. To make it worse he does video production professionally and lost a ton of work related stuff as well.
Bottom line: friends don't let friends expose RDP to the internet! Either use a VPN or Apache Guacamole.
>system that is literally just a RDC, literally just a login with the RDP and a good default setting. This exist?
Nope, but a linux distro + apache guacamole is fine :
https://guacamole.apache.org/
Two options:
First option will also have some level of support (assuming proper licensing). Second option is all community support.
Guacamole seems to be the usual recommendation around these parts for remote console access.
Combine with OpenJDK and the "icedtea-netx" package for web start, should work with those pesky Java KVMs.
For remote desktop work, it also depends on your users.
If all of them are comfortable with Linux, you might use vnc or x11 forwarding. Otherwise, I would opt for rdp, since it is very common (even available per default) on mac os and windows.
You can also have a look at apache guacamole to have a rdp/ssh/vnc session in a webserver. So your users only need a browser. https://guacamole.apache.org/
Read up on Guacamole, install an nginx proxy on your home PC, and make sure the right ports are opened (80 & 443).
Enter your preferred details, and you can web-connect to your home PC from everywhere.
I've watched streaming video while in a heavily 'closed' hospital network.
Netflix would not start, but over the Guac connection perfectly
it sounds like you are essentially using your PC as a server / streaming / casting base
I never had much luck with this, but then again , I was at work , juggling calls and having to work around a firewall; YMMV
maybe try looking into Guacamole ( https://guacamole.apache.org/ )
>Now one thing im wondering is if its possible to run a normal windows install as a virtual machine and run it as a normal desktop, but im not sure how best to connect to it. Should I just run a hdmi to my monitor? Or is it easier to rdp in (although I admit my current install of Windows is only home)
That depends entirely on why you want a full desktop environment. For example, I have one desktop environment set up that has all my environment management tools on there. Makes remoting in and working on things easier. RDP works well here. If you want a clientless option, you could look into Guacamole. Pretty easy to set up inside of docker. If you're looking to use it for anything with higher graphical requirements, RDP won't be good enough. I know there are other options, but can't say off the top of my head.
>How would you run this? As I do plan on future making a game server but all the things I've looked at online haven't really talked about connecting it to peripherals.
Servers generally run headless. In most cases you don't really need to connect peripherals. If you're doing something like gaming that requires super low latency, then yes. Look into solutions such as super long cables or maybe something like steam link.
For remote access using RDP at work, we've been using Apache Guacamole. I have the connection open to a select few external IP addresses and use 2FA after login.
So far it's been a great help for work-from-home access.
30TB is not much storage. I have that much on my NAS at home. G Suite business includes 1TB storage per user, so 800 users == 800TB.
And G Suite is HIPAA compliant, you can control access from non-compliant computers. Hell, you could switch from Windows laptops to only authorized Chromebooks. Chromebooks can do remote access to Windows just fine. Or you could use something like Apache Guacamole.
Chromebooks are one of the most secure end-user platforms out there. No malware, everything is cryptographic verified from the BIOS, everything is sandboxed, storage is encrypted per user, etc.
For comparison, my company is 1300 users, 100% remote, all on G Suite. We're mostly MacOS, but we've talked about making Chromebooks an option.
Guacamole might be more in line with what you are looking for. HTML5 compliant so no extra software to install on client machines and you can setup individual accounts along with MFA. No AD needed.
Have you heard about "Apache Guacamole"? (Webpage). I don't know if it fits the MeshCentral standards or requirements. Or even if it fits the "philosophy" of MeshCentral about using external apps like that.
But I know it works very fast, it has a well-documented API (you can use JavaScript).
I don't know. Maybe it is easy to implement. Just an idea.
You can copy files with a method. Not as clean as RDP tho. https://guacamole.apache.org/doc/gug/using-guacamole.html#:~:text=Currently%2C%20Guacamole%20supports%20file%20transfer,located%20in%20the%20Guacamole%20menu.
Have you heard about guacamole?
This way you only provide a URL, but it has some extra configuration for sysadmins. Not sure how secure it is.
This way you only provide a link to your end user.
We had the same problem and configured about 200 vpn on users pc (didn't want to use guacamole)
Try Apache Guacamole. It is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH. https://guacamole.apache.org/ I run Guacamole in Docker and before that I ran it on CentOS 7 for years, it works very well. You can also set up 2FA for added security. You will be able to access your Windows desktop from any modern browser.
First, get LDAP auth set up: https://guacamole.apache.org/doc/gug/ldap-auth.html
But, that is only a piece of the puzzle. This will let you authenticate to Guacamole with your AD credentials, but you still need to re-type your username/password into the RDP session, as you are seeing.
${GUAC_USERNAME} and ${GUAC_PASSWORD} are what you are looking for - use these variables in the username/password fields for the connection. Then, when a user types in their credentials into Guacamole, those same credentials will be passed on to the RDP client.
It supports LDAP: https://guacamole.apache.org/doc/gug/ldap-auth.html
It also has very interesting AD integrations for automated provisioning of connections based on OU and AD attribute.
It does not need a dedicated WAN IP - it can be behind any load balancer/reverse proxy of your choice, as it is purely an Apache web server under the hood. I run it behind an nginx reverse proxy.
Another suggestion was Windows Virtual Desktop - this may be the best option if you are heavy Windows and especially Azure. However, there is an RD Licensing component - it can get expensive unless you already have a lot of Windows licensing.
Both are great options :)
In the Spring I looked into setting up Apache Guacamole, but never got the chance to get it going. I'm looking into it again for the start of school. Key concern is securing the remote access from unauthorized users.
You should also consider guacamole. Guacamole allows you to remotely access your containers/computers/VM using a web browser. Guacamole supports ssh, vnc, and rdp on the backend. Two factor and other authentication methods, including OpenID, SAML, and RADIUS are supported. To secure your external connection you just need to put a reverse proxy with ssl termination in front of the Guacamole frontend.
I could be wrong but Guacamole may be the solution you are looking for.
I installed Guacamole on a VM (512MB RAM) behind the target network's firewall, set it up as an OpenVPN server (you could just open a port on the firewall instead) and am able to either SSH, VNC or RDP to target hosts on that network.
You can, of course, just use a JumpHost as well. SSH can also have reverse tunnels listening for connections, but for several hosts, it may become a little unmanageable?
Maybe try setting up a Guacamole server with file transfer enabled in front of the box they're remoting into? It's not full access to the local drive, but it would at least allow transfers back and forth fairly easily.
Nicely done, I thought that it was easy as I just had the 3 containers in a compose file, but apparently I just blanked on the difficulty with it as I checked the Apache documentation I followed https://guacamole.apache.org/doc/0.9.7/gug/guacamole-docker.html and yah it's really that many steps...
> I do not have experience with Docker
You don't need to use Docker, but it's a very convenient way to get it up and running quickly if you were already set up for it. It's possible to build & run on the host OS like any other program, but TBH it's probably easier to install Docker and follow the Docker-based installation guide.
> or Apache
"Apache" in this context isn't "Apache HTTP Server", which is what a lot of people mean when they say "Apache". Apache is (now) a brand name for the Apache Software Foundation, which hosts a LOT of projects, of which the Apache HTTP server is just one.
It's so much worse when (due to COVID-19) the office is closed, and the only way to work is via some program that creates a remote desktop session in your web browser.
This is the site: https://guacamole.apache.org/ This is what it looks like once you have it installed: https://www.youtube.com/watch?v=wxSxE4M4Zpo Here is an install video: https://www.youtube.com/watch?v=_QNYIKeZgDg
Maybe worth looking at Apache Guacamole. It can use an LDAP backend for users and supports DUO MFA.
Not sure what the bandwidth capacity is like, but it's easy to set up and quick to deploy (just use docker).
You can bypass that requirement if you use guacamole instead, since there's no windows server between you and the workstation.
That said, you're expected to have a CAL for every computer that connects to active directory.
https://guacamole.apache.org/doc/gug/configuring-guacamole.html
Scroll down to Parameter Tokens. Using these, you can configure a new Connection to use Username: ${GUAC_USERNAME} and Password: ${GUAC_PASSWORD}, which means that Guacamole simply passes the credentials that the user logged into Guacamole with onto the RDP client.
A teacher sent me this Reddit link asking if I can help you. Unfortunately, your needs are beyond what I have available in terms of resources, so I've reached out to one of the developers at Glyptodon to see if they can help your class and you.
Guacamole looked great when I was looking into it last week, but the setup looked pretty intensive. Anyone have a simpler walk-through than Apache's own instructions?
Would be easy enough to firewall off the vpn to only allow rdp connections through.
It sounds like you are looking for an RDP web interface rather than a VPN. There is Microsoft's web interface, or I've heard good things about Apache Guacamole which is the way I've thought about going in the past (limited by time and it's not a problem I really need solved).
Just be sure the web page uses https and has a valid certificate.
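The reverse proxy with SSL termination that several comments above recommend, as an added example that is not part of any of the original comments. It assumes nginx on the same host as Guacamole, the web application at /guacamole/ on port 8080, and a placeholder hostname and certificate paths.

```nginx
# Added example. guac.example.com, the certificate paths and the backend
# address 127.0.0.1:8080 are assumptions; substitute your own values.

# Plain HTTP only redirects, so credentials are never sent unencrypted.
server {
    listen 80;
    server_name guac.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name guac.example.com;

    # Certificate from a public CA (for example Let's Encrypt), so browsers
    # validate it without users clicking through warnings.
    ssl_certificate     /etc/letsencrypt/live/guac.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/guac.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /guacamole/ {
        # Backend listens on loopback only; it should not be reachable
        # directly from the network, only through this proxy.
        proxy_pass http://127.0.0.1:8080;

        # Guacamole streams the remote display; buffering adds latency.
        proxy_buffering off;

        # WebSocket upgrade for the tunnel between browser and Guacamole.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Pass the real client address on to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With this in place only ports 80 and 443 need to be exposed; the RDP, VNC and SSH ports of the target machines stay behind the firewall.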
Hmmm well the docs do say "Currently the only extensions provided with Guacamole which support this kind of storage are the database authentication extensions."
But I wonder if it would work if you associate the database with ldap. https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database. Or have you already done that?
Guacamole is just a clientless Remote Desktop solution. It requires very little work to implement.
You could use it to allow staff to use their home computer to remote into their work computer and access its resources.
It’s a way companies can provide a work from home solution at no cost. I think of small companies with say a 4-5 person office, this may work as an easy solution without purchasing anything.
> prompt the user for their password, instead needing it to be saved in guacamole
> feature being worked on for a couple years now.
Bullshit.
Poke again: https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
It worked just fine two years ago.
The first thing that comes to mind for me is limited commercial support options. The only two companies listed are in San Francisco or Newtown, PA.
Another concern is allowing connections to a device on the corporate network from non-company assets. Allowing external connections to the corporate network from an (assumed) compromised employee PC may be considered an unacceptable risk.
The whole idea is putting a gateway in front of your secret (whether it be a private key, api key, root password, or whatever). If someone is asking for an SQL password, you say no. You provide a service that authenticates them, and then gives them access, without ever needing the secret to begin with.
An easy example: Say you have a Linux server that people need SSH access to. You don't want to give out SSH keys, because you want to audit and control who has access. A solution would be to put in Apache Guacamole which can provide access, but will audit all users, and can use a central authentication platform (like Active Directory).
There's no one size fits all solution, because different secrets interact with different products in different ways.