Posted to user@guacamole.apache.org by Hooman Katirai <ho...@pharmachieve.com> on 2019/07/06 13:45:13 UTC

"Waiting for Response" when connecting to VNC but guacd says it connected

I'm running Guacamole on Ubuntu 18.02.2 on an Amazon EC2 server trying to
get it to connect to a Windows Server 2012 machine.

When using guacamole RDP works great, but when I try to connect via VNC I
get a black screen and "Waiting for Response" message and it never
connects. But guacd in the foreground shows that it joined a connection.

The server I am trying to connect to is running TightVNC but I also tried
TigerVNC as recommended in the docs.

I am able to connect to the VNC server using the TightVNC client using another
machine that isn't running Guacamole. I also tried telnetting to port 5900
from the guacamole machine to the windows machine and was able to establish
a connection.

I'm using:
Guacamole 1.0.0
Ubuntu 18.04.02
libvncserver 1.0.0

I also set on guacamole the max connections and max connections per user to
3 (even though there is just 1 connection at a time) but that didn't help.

I am stumped and am not sure what to try next. Any suggestions?

Here is the output when I run guacd in the foreground:

# guacd -L trace -f
guacd[2255]: INFO:      Guacamole proxy daemon (guacd) version 1.0.0 started
guacd[2255]: DEBUG:     Unable to bind socket to host ::1, port 4822: Address family not supported by protocol
guacd[2255]: DEBUG:     Successfully bound socket to host 127.0.0.1, port 4822
guacd[2255]: INFO:      Listening on host 127.0.0.1, port 4822
guacd[2255]: INFO:      Creating new client for protocol "vnc"
guacd[2255]: INFO:      Connection ID is "$05e2b9be-5739-4c85-ab43-a35a1056e5a0"
guacd[2257]: INFO:      Cursor rendering: local
guacd[2257]: DEBUG:     Parameter "swap-red-blue" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "read-only" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "color-depth" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "dest-port" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "encodings" omitted. Using default value of "zrle ultra copyrect hextile zlib corre rre raw".
guacd[2257]: DEBUG:     Parameter "autoretry" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "reverse-connect" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "listen-timeout" omitted. Using default value of 5000.
guacd[2257]: DEBUG:     Parameter "enable-audio" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "enable-sftp" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "sftp-hostname" omitted. Using default value of "172.0.3.60".
guacd[2257]: DEBUG:     Parameter "sftp-port" omitted. Using default value of "22".
guacd[2257]: DEBUG:     Parameter "sftp-username" omitted. Using default value of "".
guacd[2257]: DEBUG:     Parameter "sftp-password" omitted. Using default value of "".
guacd[2257]: DEBUG:     Parameter "sftp-passphrase" omitted. Using default value of "".
guacd[2257]: DEBUG:     Parameter "sftp-root-directory" omitted. Using default value of "/".
guacd[2257]: DEBUG:     Parameter "sftp-server-alive-interval" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "recording-name" omitted. Using default value of "recording".
guacd[2257]: DEBUG:     Parameter "recording-exclude-output" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "recording-exclude-mouse" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "recording-include-keys" omitted. Using default value of 0.
guacd[2257]: DEBUG:     Parameter "create-recording-path" omitted. Using default value of 0.
guacd[2257]: INFO:      User "@34d41077-1172-4a6b-bc7a-8fafc068f4c5" joined connection "$05e2b9be-5739-4c85-ab43-a35a1056e5a0" (1 users now present)

Sincerely

Hooman

Re: "Waiting for Response" when connecting to VNC but guacd says it connected

Posted by Nick Couchman <vn...@apache.org>.
On Sat, Jul 6, 2019 at 11:56 PM Hooman Katirai <ho...@gmail.com> wrote:

> Our use case is an online course: students (who are pre-licensure healthcare
> professionals) get hands-on training in the use of a Windows based software
> package they need to get a job.
>
> The students log in via guacamole to access the software. The teacher
> shows them how to do different tasks (e.g. entering a prescription), and
> then the students do those tasks while the teacher watches.
>
> When the students get stuck, the teacher needs to be able to step in to
> show them how to complete the task. So the students are aware that they
> are being observed and we have two connections with one shadowing the other.
>
> A single teacher may be monitoring up to 10 students at a time as they
> complete short assignments.
>
> With respect to what happens when I connect a VNC client to an RDP
> session, the windows login screen is displayed. Once you log in, what
> happens next depends on how many active sessions there are. A base Windows
> Server 2019 supplied by Amazon supports up to 2 simultaneous sessions. If 2
> sessions are already active, the VNC connection will show a Windows blue
> screen asking which existing session you want to disconnect in order to
> proceed with your connection. Once you choose which connection to
> disconnect, a new console session is opened.
>

Maybe you could use Sharing Profiles within Guacamole, instead?  This would
allow the same connection to be shared, either R/O (View-only) or R/W
(View + Control) by two different people.  At present, the student(s) would
have to explicitly share the connection with the teacher.  We're working on
some changes that would allow this sharing behavior to be expanded such
that, in your setting in particular, the teacher could have access to those
sharing sessions by default, depending upon permissions.  Those changes are
still a little ways out, but definitely on the map.

Also, currently to use the Sharing Profiles you need to be storing your
connections in the JDBC module - LDAP and other mechanisms do not track
active connections nor support sharing them.

-Nick


Re: "Waiting for Response" when connecting to VNC but guacd says it connected

Posted by Hooman Katirai <ho...@gmail.com>.
Our use case is an online course: students (who are pre-licensure healthcare
professionals) get hands-on training in the use of a Windows based software
package they need to get a job.

The students log in via guacamole to access the software. The teacher shows
them how to do different tasks (e.g. entering a prescription), and then the
students do those tasks while the teacher watches.

When the students get stuck, the teacher needs to be able to step in to
show them how to complete the task. So the students are aware that they are
being observed and we have two connections with one shadowing the other.

A single teacher may be monitoring up to 10 students at a time as they
complete short assignments.

With respect to what happens when I connect a VNC client to an RDP session,
the windows login screen is displayed. Once you log in, what happens next
depends on how many active sessions there are. A base Windows Server 2019
supplied by Amazon supports up to 2 simultaneous sessions. If 2 sessions
are already active, the VNC connection will show a Windows blue screen
asking which existing session you want to disconnect in order to proceed
with your connection. Once you choose which connection to disconnect, a new
console session is opened.

Because of the strange issue that prevents VNC through guacamole (even
though regular VNC works), I am doing 2 RDP sessions to the same
server/different session through guacamole (one for student, one for
teacher). I then use one of the sessions to look up the sessions using the
quser command and then open a terminal server shadow session from the 2nd
session (teacher) to the 1st session.

It's convoluted, but it works!  Thanks by the way for your time and advice.
Any suggestions on how to do this better are most welcome, as the current
setup is obviously not ideal.

On Sat., Jul. 6, 2019, 5:44 p.m. Mike Jumper, <mj...@apache.org> wrote:

>
>
> On Sat, Jul 6, 2019 at 1:14 PM Hooman Katirai <ho...@pharmachieve.com>
> wrote:
>
>> After telnetting from the guacamole server to the VNC server on port 5900
>> I get the following message:
>> *RFB 003.008*
>>
>> Strangely, the  "User @xxxxx joined connection $yyyyy (N users now
>> present)" message is the last thing I see. There are no messages related
>> to VNC or otherwise that come after that.
>>
>> After writing my initial post I was also able to replicate this on both
>> guacamole 1.0.0 and on another server with guacamole with guacd
>> 0.9.13-incubating (they both output the same message).
>>
>
> It is unlikely that this is a bug in Guacamole (VNC support is not
> fundamentally broken), thus it is more likely that the cause is
> environmental. With this in mind, I would expect you to be able to
> reproduce this with absolutely any version.
>
>> I don't think it's a firewall issue because I enabled all IP4 traffic
>> between the guacamole server and the windows machine (at least long enough
>> to prove it's not the firewall).
>>
>
> If you're seeing that "RFB 003.008" message when connecting with telnet
> from the Guacamole server to the same address and port, there is definitely
> no firewall issue. That string is the initial, raw response from the VNC
> server.
>
>> One possible suspect is libvncserver-dev -- if you install with apt-get on
>> ubuntu version 1.0 is installed but the guacamole website links to a github
>> whose latest release is 0.9.12. Other than swapping these libraries not
>> sure, what else to try. Any suggestions?
>>
>
> Where are you seeing 1.0 for libvncserver-dev? The package listed in the
> Ubuntu repositories for 18.04 is 0.9.11 plus patches:
>
> https://packages.ubuntu.com/bionic-updates/libvncserver-dev
>
> Have you tried testing against the "guacamole/guacd" Docker image? It
> should serve well as a known-good baseline, if the suspicion is a bug in
> the VNC library:
>
>
> http://guacamole.apache.org/doc/gug/guacamole-docker.html#guacd-docker-external
>
>> What I'm ultimately trying to accomplish is two simultaneous connections
>> to the same session (whether RDP or VNC) to a Windows 2019 Server (which is
>> the stock windows server Amazon EC2 provides).
>>
>> The simplest would be to make 2 RDP connections or 2 VNC connections.
>>
>> But I don't know how to completely automate the process from guacamole
>> login to showing a remote session as I think would require knowledge of the
>> session number in advance (please correct me if I'm wrong) -- and guacamole
>> has no way of finding this, and I don't think it supports shadowing.
>>
>
> Correct, though there is some development underway which may provide this,
> at least on the Guacamole side:
>
> https://issues.apache.org/jira/browse/GUACAMOLE-360
>
> What is the nature of these two connections? Is the idea that one shadows
> the other, with the user of the original unaware that the connection is
> being observed? Or is the user of the connection already expecting the
> connection to be shared? Are both connections coming through Guacamole?
>
>> As a result, I think I'm going to have to settle for two different
>> connections -- one RDP and one VNC to achieve the two connections. But if
>> there is a better way I'd be grateful for any suggestions.
>>
>
> Have you verified that you can connect to your VNC server with a VNC
> client while an RDP session is active?
>
> - Mike
>
>

Re: "Waiting for Response" when connecting to VNC but guacd says it connected

Posted by Mike Jumper <mj...@apache.org>.
On Sat, Jul 6, 2019 at 1:14 PM Hooman Katirai <ho...@pharmachieve.com>
wrote:

> After telnetting from the guacamole server to the VNC server on port 5900 I
> get the following message:
> *RFB 003.008*
>
> Strangely, the  "User @xxxxx joined connection $yyyyy (N users now
> present)" message is the last thing I see. There are no messages related
> to VNC or otherwise that come after that.
>
> After writing my initial post I was also able to replicate this on both
> guacamole 1.0.0 and on another server with guacamole with guacd
> 0.9.13-incubating (they both output the same message).
>

It is unlikely that this is a bug in Guacamole (VNC support is not
fundamentally broken), thus it is more likely that the cause is
environmental. With this in mind, I would expect you to be able to
reproduce this with absolutely any version.

> I don't think it's a firewall issue because I enabled all IP4 traffic
> between the guacamole server and the windows machine (at least long enough
> to prove it's not the firewall).
>

If you're seeing that "RFB 003.008" message when connecting with telnet
from the Guacamole server to the same address and port, there is definitely
no firewall issue. That string is the initial, raw response from the VNC
server.

> One possible suspect is libvncserver-dev -- if you install with apt-get on
> ubuntu version 1.0 is installed but the guacamole website links to a github
> whose latest release is 0.9.12. Other than swapping these libraries not
> sure, what else to try. Any suggestions?
>

Where are you seeing 1.0 for libvncserver-dev? The package listed in the
Ubuntu repositories for 18.04 is 0.9.11 plus patches:

https://packages.ubuntu.com/bionic-updates/libvncserver-dev

Have you tried testing against the "guacamole/guacd" Docker image? It
should serve well as a known-good baseline, if the suspicion is a bug in
the VNC library:

http://guacamole.apache.org/doc/gug/guacamole-docker.html#guacd-docker-external

> What I'm ultimately trying to accomplish is two simultaneous connections to
> the same session (whether RDP or VNC) to a Windows 2019 Server (which is
> the stock windows server Amazon EC2 provides).
>
> The simplest would be to make 2 RDP connections or 2 VNC connections.
>
> But I don't know how to completely automate the process from guacamole
> login to showing a remote session as I think would require knowledge of the
> session number in advance (please correct me if I'm wrong) -- and guacamole
> has no way of finding this, and I don't think it supports shadowing.
>

Correct, though there is some development underway which may provide this,
at least on the Guacamole side:

https://issues.apache.org/jira/browse/GUACAMOLE-360

What is the nature of these two connections? Is the idea that one shadows
the other, with the user of the original unaware that the connection is
being observed? Or is the user of the connection already expecting the
connection to be shared? Are both connections coming through Guacamole?

> As a result, I think I'm going to have to settle for two different
> connections -- one RDP and one VNC to achieve the two connections. But if
> there is a better way I'd be grateful for any suggestions.
>

Have you verified that you can connect to your VNC server with a VNC client
while an RDP session is active?

- Mike
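
Added example (not part of the thread and not Guacamole code): the telnet check above only shows the first 12 bytes of the RFB handshake. This Python probe goes one step further, answering the banner and reading the server's security-type list, so a stall or refusal at that step becomes visible. The function names are illustrative and the security-type table is a subset of the RFB assignments.

```python
import socket
import struct

# Subset of RFB security-type numbers; anything else prints as unknown(N).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight", 19: "VeNCrypt"}


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer stops sending."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return buf


def parse_version(banner):
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    ok = (len(banner) == 12 and banner[:4] == b"RFB "
          and banner[7:8] == b"." and banner[11:] == b"\n")
    if not ok:
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(banner[4:7]), int(banner[8:11])


def probe_rfb(sock):
    """Run the first two RFB handshake steps on a connected socket."""
    server = parse_version(recv_exact(sock, 12))
    result = {"version": server, "security": [], "refused": None}
    if server < (3, 7):
        return result  # older servers choose the security type themselves
    # Reply with the server's version, capped at 3.8 (the highest we speak).
    ours = min(server, (3, 8))
    sock.sendall(b"RFB %03d.%03d\n" % ours)
    count = recv_exact(sock, 1)[0]
    if count == 0:
        # Zero types means the server refused; a length-prefixed reason follows.
        (length,) = struct.unpack(">I", recv_exact(sock, 4))
        result["refused"] = recv_exact(sock, length).decode("latin-1")
        return result
    for t in recv_exact(sock, count):
        result["security"].append(SECURITY_TYPES.get(t, f"unknown({t})"))
    return result


if __name__ == "__main__":
    import sys
    # Usage: python rfb_probe.py HOST [PORT]   (run from the guacd machine)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5900
    with socket.create_connection((host, port), timeout=10) as s:
        print(probe_rfb(s))
```

A timeout or `ConnectionError` after the banner means the server answered the TCP connection but did not continue the handshake, which is the stage telnet cannot show.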

Re: "Waiting for Response" when connecting to VNC but guacd says it connected

Posted by Hooman Katirai <ho...@pharmachieve.com>.
After telnetting from the guacamole server to the VNC server on port 5900 I
get the following message:
*RFB 003.008*

Strangely, the  "User @xxxxx joined connection $yyyyy (N users now
present)" message is the last thing I see. There are no messages related to
VNC or otherwise that come after that.

After writing my initial post I was also able to replicate this on both
guacamole 1.0.0 and on another server with guacamole with guacd
0.9.13-incubating (they both output the same message).

I don't think it's a firewall issue because I enabled all IP4 traffic
between the guacamole server and the windows machine (at least long enough
to prove it's not the firewall).

One possible suspect is libvncserver-dev -- if you install with apt-get on
Ubuntu, version 1.0 is installed, but the Guacamole website links to a GitHub
whose latest release is 0.9.12. Other than swapping these libraries, I'm not
sure what else to try. Any suggestions?

What I'm ultimately trying to accomplish is two simultaneous connections to
the same session (whether RDP or VNC) to a Windows 2019 Server (which is
the stock windows server Amazon EC2 provides).

The simplest would be to make 2 RDP connections or 2 VNC connections.

But I don't know how to completely automate the process from guacamole
login to showing a remote session as I think would require knowledge of the
session number in advance (please correct me if I'm wrong) -- and guacamole
has no way of finding this, and I don't think it supports shadowing.

As a result, I think I'm going to have to settle for two different
connections -- one RDP and one VNC to achieve the two connections. But if
there is a better way I'd be grateful for any suggestions.

On Sat, Jul 6, 2019 at 3:04 PM Mike Jumper <mj...@apache.org> wrote:

> On Sat, Jul 6, 2019 at 6:46 AM Hooman Katirai <ho...@pharmachieve.com>
> wrote:
>
>> I'm running Guacamole on Ubuntu 18.02.2 on an Amazon EC2 server trying to
>> get it to connect to a Windows Server 2012 machine.
>>
>> When using guacamole RDP works great, but when I try to connect via VNC I
>> get a black screen and "Waiting for Response" message and it never
>> connects. But guacd in the foreground shows that it joined a connection.
>>
>
> The "User @xxxxx joined connection $yyyyy (N users now present)" message
> is actually informing you only about the connection between the web
> application and guacd, not the VNC connection between guacd and the Windows
> machine. It indicates that the Guacamole protocol handshake for that user
> of that connection has completed. The underlying connection, whether that
> be VNC, RDP, or some other protocol, may not yet be ready. After this
> message is logged, there will be additional messages specific to VNC once
> that connection is established and functioning.
>
>> I am able to connect to the VNC server using the TightVNC client using
>> another machine that isn't running Guacamole. I also tried telnetting to
>> port 5900 from the guacamole machine to the windows machine and was able to
>> establish a connection.
>>
>
> What specific output do you see on the screen when you try telnet to port
> 5900?
>
>> I also set on guacamole the max connections and max connections per user
>> to 3 (even though there is just 1 connection at a time) but that didn't
>> help.
>>
>
> Unless you are seeing an error that states concurrent access is being
> denied, this has no bearing.
>
> - Mike
>
>

-- 
Sincerely

Hooman

Re: "Waiting for Response" when connecting to VNC but guacd says it connected

Posted by Mike Jumper <mj...@apache.org>.
On Sat, Jul 6, 2019 at 6:46 AM Hooman Katirai <ho...@pharmachieve.com>
wrote:

> I'm running Guacamole on Ubuntu 18.02.2 on an Amazon EC2 server trying to
> get it to connect to a Windows Server 2012 machine.
>
> When using guacamole RDP works great, but when I try to connect via VNC I
> get a black screen and "Waiting for Response" message and it never
> connects. But guacd in the foreground shows that it joined a connection.
>

The "User @xxxxx joined connection $yyyyy (N users now present)" message is
actually informing you only about the connection between the web
application and guacd, not the VNC connection between guacd and the Windows
machine. It indicates that the Guacamole protocol handshake for that user
of that connection has completed. The underlying connection, whether that
be VNC, RDP, or some other protocol, may not yet be ready. After this
message is logged, there will be additional messages specific to VNC once
that connection is established and functioning.

> I am able to connect to the VNC server using the TightVNC client using another
> machine that isn't running Guacamole. I also tried telnetting to port 5900
> from the guacamole machine to the windows machine and was able to establish
> a connection.
>

What specific output do you see on the screen when you try telnet to port
5900?

> I also set on guacamole the max connections and max connections per user to
> 3 (even though there is just 1 connection at a time) but that didn't help.
>

Unless you are seeing an error that states concurrent access is being
denied, this has no bearing.

- Mike