Posted to user@guacamole.apache.org by drhy <da...@outlook.com> on 2020/02/02 00:36:11 UTC

Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step

This step-by-step for Linux newbies builds a vanilla Guacamole 1.1.0.
It is based on instructions for the earlier Guacamole 1.0.0 version.

This post is edited to incorporate updates, feedback and corrections, 
but please compare its "Updated" Date-time with that of the last post in
this topic.

The default authentication provider is only really suitable for very small
numbers of users and connections.
MySQL (one of the three database providers) provides scalability and easier
administration.
The Radius Authentication Provider permits integration into many types of
RADIUS server,
including Microsoft's Azure MFA environment via a Windows Network Policy
Server. 

The attached setup instructions will specifically install and configure the
following onto a Hyper-V generation 2 VM:
CentOS Linux release 8.1.1911 (Minimal Install)
Tomcat 9 - which includes support for the much faster HTTP/2
MySQL 8 Community Edition (if using the JDBC/MySQL Plugin)

The most useful tool I have found for working across Windows and Linux is
WinSCP from: https://winscp.net/eng/download.php
It includes PuTTY, and under its Preferences, you can select "Windows
Explorer" UI, or remain with the "Commander" UI.

Here are the steps and config I've used....

Use a Hyper-V MMC console to connect to a Windows 2016 or 2019 Hyper-V
server and create a "Guacamole" VM:
   Configure Generation 2, 40GB VHDX, Dynamic Memory, Startup= 2GB, Low=
512MB, High= 8GB, 2 CPUs, SecureBoot= Microsoft UEFI Certificate Authority
   Integration Services= all, Production checkpoints,
   DVD= CentOS previously downloaded from: 
http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8-x86_64-1905-dvd1.iso

Or, using PowerShell 5.1:
# Each command below is a single line (mail wrapping rejoined).
$VmName = "<GuacamoleVM Name>"
$Location = "<Path of folder to contain all VM files>"
$BootDVD = "<Path to CentOS-8.1.1911-x86_64-dvd1.iso>"
# Create the generation 2 VM with a new 40GB VHDX on the first virtual switch found
New-VM -Name $VmName -Generation 2 -Path $Location -MemoryStartupBytes 2GB -NewVHDPath "$VmName.VHDX" -NewVHDSizeBytes 40GB -SwitchName (Get-VMSwitch)[0].Name
# Attach the CentOS install DVD
Add-VMDvdDrive -VMName $VmName -Path $BootDVD
# CPU count and dynamic memory limits
Set-VM $VmName -ProcessorCount 3 -DynamicMemory -MemoryStartupBytes 2GB -MemoryMinimumBytes 512MB -MemoryMaximumBytes 8GB
# Boot from DVD first, then the hard disk; Secure Boot is switched off here
Set-VMFirmware $VmName -BootOrder (Get-VMDvdDrive $VmName),(Get-VMHardDiskDrive $VmName) -EnableSecureBoot Off
# Enable all integration services
Enable-VMIntegrationService -VMName $VmName -Name "Shutdown","VSS","Heartbeat","Guest Service Interface","Key-Value Pair Exchange","Time Synchronization"


Using the Hyper-V MMC's "Connect" command/window, connect to the new VM's
CentOS boot screen and initiate the normal boot option (not test OS).
In the CentOS start-up GUI:
Select correct time zone, "Minimal Install"
Set up a password for UserID=root, but no other userID is required at this
stage

Host Name= guacamole.yourdomain.com (computername prepended to the name of
your domain)
Static/Manual IP Addressing
IPv4=172.16.25.1 (For example. Same subnet as the computer's LAN), DNS,
Gateway, Search Domains
IPv6=11:22:33:401::25 (similar to IPv4 but optional)
"Automatically Connect on boot", and if visible, "Available to All Users"

Once the CentOS start-up GUI has completed, click the CentOS button to
"Reboot".
Then using WinSCP, log on to your VM by specifying your IP Address,
UserID=root and password.

Note that all the Linux commands in the attached files are single line,
except for "echo" which can often be multi-line - note the start and end
quotes.

To set up a simple Guacamole server: 
Base_Guacamole_setup.txt
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t833/Base_Guacamole_setup.txt>  

To use a MySQL database for more functionality and to scale: 
Setup_MySQL_database_provider.txt
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t833/Setup_MySQL_database_provider.txt>  
Connection_Config.pdf
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t833/Connection_Config.pdf>  

To use Radius for authentication, allowing the use of Active Directory, and
Azure Multi-Factor Authentication, while still using MySQL as a connection
repository: 
Setup_Radius_Authentication.txt
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t833/Setup_Radius_Authentication.txt>  
NPS_configuration_for_Guacamole_and_Azure_MFA_service.pdf
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t833/NPS_configuration_for_Guacamole_and_Azure_MFA_service.pdf>  

Locking down external communications by only using https on the default port
443: 
Setup_https.txt
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t833/Setup_https.txt>  

Other sundry CentOS commands I found useful: 
Sundry_commands.txt
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t833/Sundry_commands.txt>  

A great thread on this Mailing List for tweaking Guacamole performance:
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Guacamole-System-Resource-requirements-for-better-performance-td5996.html

And useful tips from Mike Jumper for resource requirements:


-David 



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
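
Added example (not part of the original post or its attachments): a PowerShell check, run on the Hyper-V host, that compares an existing VM with the settings the first post lists for the Hyper-V MMC route. $VmName is the post's placeholder; a VM built with the post's PowerShell commands will be reported as differing on Secure Boot and processor count, because those commands use -EnableSecureBoot Off and -ProcessorCount 3.

```powershell
# Added example: audit a Hyper-V VM against the MMC settings listed in the post.
# $VmName is a placeholder, exactly as in the post.
$VmName = "<GuacamoleVM Name>"

$vm       = Get-VM -Name $VmName -ErrorAction Stop
$firmware = Get-VMFirmware -VMName $VmName
$services = Get-VMIntegrationService -VMName $VmName

# Expected values are the ones the post gives for the MMC route.
$expected = [ordered]@{
    Generation         = @(2,      $vm.Generation)
    ProcessorCount     = @(2,      $vm.ProcessorCount)
    DynamicMemory      = @($true,  $vm.DynamicMemoryEnabled)
    MemoryStartup      = @(2GB,    $vm.MemoryStartup)
    MemoryMinimum      = @(512MB,  $vm.MemoryMinimum)
    MemoryMaximum      = @(8GB,    $vm.MemoryMaximum)
    SecureBoot         = @('On',   "$($firmware.SecureBoot)")
    SecureBootTemplate = @('MicrosoftUEFICertificateAuthority',
                           "$($firmware.SecureBootTemplate)")
}

# Integration services named in the post; each must exist and be enabled.
$wanted = "Shutdown","VSS","Heartbeat","Guest Service Interface",
          "Key-Value Pair Exchange","Time Synchronization"
foreach ($name in $wanted) {
    $svc = $services | Where-Object Name -eq $name
    $expected["Integration: $name"] = @($true, [bool]($svc -and $svc.Enabled))
}

# Build one row per setting and flag every mismatch.
$report = foreach ($key in $expected.Keys) {
    $want, $have = $expected[$key]
    [pscustomobject]@{
        Setting  = $key
        Expected = $want
        Actual   = $have
        Pass     = ($have -eq $want)
    }
}

$report | Format-Table -AutoSize

$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) differ from the post's MMC configuration."
}
```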


Re: Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step

Posted by drhy <da...@outlook.com>.
Guides have been updated to reflect Tomcat's latest version changing to
9.0.31, comprising mainly bug fixes.

-David





Re: Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step

Posted by drhy <da...@outlook.com>.
The guides in the first post have been updated to use OpenSSL version 1.1.1g.
This latest OpenSSL version includes a "high severity fix".

-David





Re: Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step

Posted by drhy <da...@outlook.com>.
Minor update to the guides in the first post:
Library libssh2-devel is now included in the CentOS 8 EPEL.

-David





Re: Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step

Posted by drhy <da...@outlook.com>.
Guides in the first post updated to:
- include OpenSSL 1.1.1f, released 31 March 2020 to address known
vulnerabilities; and
- include the current version of the remirepo;
- remove the use of the deprecated AJP connector in Tomcat (refer Tomcat 9
connector documentation).

-David





Re: Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step

Posted by drhy <da...@outlook.com>.
Guides updated to use Tomcat's latest version, 9.0.33, which has a number of
improvements and bug fixes compared to the previously used version.

-David





Re: Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step

Posted by drhy <da...@outlook.com>.
Correction made to the Setup_Radius_Authentication.txt document.
It referenced the guacamole-1.0.0.war file when it should have referenced
the 1.1.0 version.

Thanks to Andrew Kopp who spotted it.

-David


