Posted to user@guacamole.apache.org by Niubbo75 <a....@me.com> on 2019/07/09 16:10:06 UTC

Guacamole client and server installed on separated server

Hello all, I would like to install guacamole on 2 different VMs, one for the
client side and one for the server side.
I started by installing guacamole-server + mariadb (client & server) + all
needed libs on the server VM; after I finished compiling, guacd starts w/out any
problem.
After that, I compiled the client side on another VM, on which I have
installed tomcat. Running tomcat and pointing my browser to
http://client-vm.ip:8080/guacamole I got the login page, but after entering
guacadmin as default username and password, I got an "incorrect username or
password" error. I have checked that guacamole's mysql user can connect and
log in remotely from guacamole-client VM to guacamole-server VM via cli:



my guacamole.properties is in guacamole-client and is this:



Of course I created and populated the database with schema/*.sql. I have put
mysql-connectors into /etc/guacamole/lib/ and
guacamole-auth-jdbc-mysql-1.0.0.jar in /etc/guacamole/extensions/
Any idea to solve this issue? Am I missing something?

Thanks, Alessandro.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Guacamole client and server installed on separated server

Posted by Niubbo75 <a....@me.com>.
Hello Lukáš and thank you for your precious reply, it helped and solved,
partially, my issue.
The issue was that guacd listened only on 127.0.0.1; stopping it and restarting
it with your command let me connect to my RDP and so on. Now the question is, how
can I set it up to listen in this way and automatically start at system
boot?





Re: Guacamole client and server installed on separated server

Posted by Lukáš Raška <lu...@gmail.com>.
Hi,
if you are certain tcp/4822 is open on the firewall, you can check
if the guacd service is really listening on that interface. For most Linux
distributions the command *ss -tunlp | grep 4822* should work (if not, you can
try substituting the ss command with netstat); it should show you something like
this

tcp    LISTEN     0      5         *:4822                  *:*       users:(("guacd",pid=5,fd=3))

This means the service is listening on all interfaces (the star there,
sometimes it can also look like :::4822 in case IPv6 is enabled). It's
crucial it's listening either on all addresses or on the ip where you are
connecting from guacamole-server (so it shouldn't just be listening on
localhost -> 127.0.0.1:4822).

If it listens on localhost (127.0.0.1), you can adjust the listen address
via the -b parameter for guacd (so the command then could be
*guacd -b 0.0.0.0 -L info* for example).


If you are sure it's run correctly, you can test the connection from the
guacamole-server VM via nc command for example (or telnet if you are more
familiar with it). For example like this (requires package nc on most
distributions).

# nc -zv 192.168.1.14 4822
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.1.14:4822.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.


It just tests whether the connection can be established; if not, it will output
something like this

# nc -zv 192.168.1.14 4823
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection refused.


Then it means there is a problem with the connection somewhere (routing,
firewall device, firewall on the VM itself, etc.).


If the connection test succeeds, make sure you're really using the correct
guacd IP in the Guacamole configuration. Also logs from the
guacamole-server could tell what went wrong.


Hope that helps a bit


Best Regards,
Lukas Raska


On Thu, Jul 11, 2019 at 16:37, Niubbo75 <a....@me.com> wrote:

> Uhmmmm... Seems something went wrong:
>
>
>
> From what I have understood, the client side can't connect to guacd, but I
> have opened (and checked it twice) port 4822, both TCP and UDP.
>
> How can I solve this? What do I need to check?
>
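
The listen-address check described in the reply above, as an added example that is not part of the original thread: a POSIX shell function that reads ss output and reports whether port 4822 is bound to loopback only, to every interface, or to specific addresses. The function name classify_listen and the sample lines are assumptions made for this illustration. A wildcard bind makes guacd reachable on every network the VM is attached to, so a specific LAN address is the narrower choice.

```shell
#!/bin/sh
# Classify how a TCP port is bound, reading `ss -tln` / `ss -tunlp` lines on stdin.
# Prints one of: none | loopback | wildcard | specific:<addr>[,<addr>...]
# classify_listen is a hypothetical helper name, not a guacd or ss feature.
classify_listen() {
    awk -v port="$1" '
    {
        la = ""
        # The local address is the 3rd field after the state column, which
        # holds with or without the leading Netid column ("tcp").
        for (i = 1; i <= NF; i++) if ($i == "LISTEN") { la = $(i + 3); break }
        if (la == "" || !match(la, /:[0-9]+$/)) next
        if (substr(la, RSTART + 1) != port) next
        addr = substr(la, 1, RSTART - 1)
        gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # [::] -> ::
        if (addr == "*" || addr == "0.0.0.0" || addr == "::") wild = 1
        else if (addr ~ /^127\./ || addr == "::1") loop = 1
        else spec = (spec == "" ? addr : spec "," addr)
    }
    END {
        if (wild) print "wildcard"                 # reachable on all interfaces
        else if (spec != "") print "specific:" spec
        else if (loop) print "loopback"            # remote Tomcat cannot connect
        else print "none"                          # nothing listening on the port
    }'
}

# Constructed sample lines; the first mirrors the output quoted in the thread.
SAMPLE_WILDCARD='tcp  LISTEN  0  5  *:4822  *:*  users:(("guacd",pid=5,fd=3))'
SAMPLE_LOOPBACK='tcp  LISTEN  0  5  127.0.0.1:4822  0.0.0.0:*  users:(("guacd",pid=5,fd=3))'
SAMPLE_SPECIFIC='LISTEN  0  5  192.168.1.14:4822  0.0.0.0:*'

for s in "$SAMPLE_WILDCARD" "$SAMPLE_LOOPBACK" "$SAMPLE_SPECIFIC"; do
    printf '%s\n' "$s" | classify_listen 4822
done
# On a live host: ss -tln | classify_listen 4822
```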

Re: Guacamole client and server installed on separated server

Posted by Niubbo75 <a....@me.com>.
Uhmmmm... Seems something went wrong:



From what I have understood, the client side can't connect to guacd, but I
have opened (and checked it twice) port 4822, both TCP and UDP.

How can I solve this? What do I need to check?





Re: Guacamole client and server installed on separated server

Posted by sciUser <sh...@securitycentric.net>.
In computer networks, a DMZ (demilitarized zone), also sometimes known as a
perimeter network or a screened subnetwork, is a physical or logical subnet
that *separates* an internal local area network (LAN) from other untrusted
networks, usually the internet. External-facing servers, resources and
services are located in the DMZ. So, they are accessible from the internet,
but the rest of the *internal LAN remains unreachable.*

If your client side needs to authenticate with SQL on the inside this
effectively compromises your DMZ. 
Do a little more work on the Linux server like IPTABLES, TCP_wrappers and
run guac under its own username & group. Only allow port 443 and never
process APIs without encryption.


Internet --443---> Firewall ---443--->Guacamole----internal----Resources

If properly locked down you will be safe, but also as a disclaimer
regardless of configuration, you are always at risk from the 1%.

Thank You





Re: Guacamole client and server installed on separated server

Posted by Niubbo75 <a....@me.com>.
Hello Nick and thanks for your reply.
Maybe you replied while I was editing my post; anyway, I have solved it. The
issue was related to the default username and password: I had changed them to
custom ones and made a typo when I wrote the salt & hash into the sql file, that's
why I couldn't log in. Checking it twice and fixing the error solved the issue; now
I have my guacamole-client running on a server in the DMZ and my guacamole-server
running on another server in the LAN. MySQL is on the LAN side; this will be
more secure than having everything on a single server, am I right?





Re: Guacamole client and server installed on separated server

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Jul 9, 2019 at 12:10 PM Niubbo75 <a....@me.com> wrote:

> Hello all, I would like to install guacamole on 2 different VM, one for the
> client side and one for the server side.
>

This should be fine.


> I have started installing guacamole-server + mariadb (client & server) + all
> needed libs on the server VM, after i end to compile, guacd start w/out any
> problem.
>

You can put the database on a different server from Guacamole Client, but
this may not be the way you want to go.  If you're going to put the DB
server on the same server as guacd, then you need to make sure that all of
the required ports are opened between the server running Tomcat (Guacamole
Client) and the one running MariaDB.


> After that, I have compiled client side on another VM, on this one I have
> installed tomcat, running tomcat and point my browser to
> http://client-vm.ip:8080/guacamole I got the login page, but after inserting
> guacadmin as default username and password, I got "incorrect username or
> password" error, I have check that guacamole's mysql user can connect and
> login remotely from guacamole-client VM to guacamole-server VM via cli:
>
>
When you installed the database, did you import both of the SQL schema
files?  One installs the Schema itself, the other installs the default
admin account.


>
>
> my guacamole.properties is in guacamole-client and is this:
>
>
>
> Of course I'd create and populate database with schema/*.sql I have put
> mysql-connectors into /etc/guacamole/lib/ and
> guacamole-auth-jdbc-mysql-1.0.0.jar in /etc/guacamole/extensions/
> Any idea to solve this issue? Am I missing something?
>
>
What does catalina.out (or wherever your Tomcat install logs) say?  It
should tell you why the login isn't working, along with any additional
errors related to missing libraries, etc.

-Nick