Posted to user@guacamole.apache.org by gabriel sztejnworcel <ga...@gmail.com> on 2020/01/20 07:02:59 UTC

Internet facing Guacamole?

Hi,

We would like to expose Guacamole to the internet to allow remote access to
internal RDP servers, without a VPN.

Assuming we have a strong authentication mechanism, is this a valid use
case? Are there any special security considerations? Any specific hardening?

Thanks,
Gabriel





Re: Internet facing Guacamole?

Posted by gabriel sztejnworcel <ga...@gmail.com>.
Thanks!

On Mon, Jan 20, 2020, 12:21 PM Adam Woodland <ad...@adamwoodland.com> wrote:

> Just to add, there are tools you should use to periodically check the
> security of the application interface of the reverse proxy, for example:
>
> https://www.ssllabs.com/ssltest/analyze
> https://securityheaders.com/
>
> You should be aiming to get A (or better) in both those. Both sites have
> info on how to improve your score and you also have https://cipherli.st/ on
> how to set the relevant TLS settings for whatever your front-end is.
>
> There is https://observatory.mozilla.org/ which wraps the above tool
> functions into a single interface (although I personally find it a little
> hit and miss with returning useful results)
>
> This is on top of hardening the host machine too. No point securing the
> host if you don't secure the application, and vice-versa.
>
> Adam
>
> On Mon, Jan 20, 2020 at 5:26 PM Mike Jumper <mj...@apache.org> wrote:
>
>> On Sun, Jan 19, 2020 at 11:00 PM gabriel sztejnworcel <
>> gabriel.560@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> We would like to expose Guacamole to the internet to allow remote access to
>>> internal RDP servers, without a VPN.
>>>
>>
>> That's what Guacamole is designed for.
>>
>>
>>> Assuming we have a strong authentication mechanism, is this a valid use
>>> case?
>>
>>
>> Yes. It's the *intended* use case. A VPN in front of Guacamole is
>> superfluous. You do not need to hide Guacamole behind a VPN.
>>
>>
>>> Are there any special security considerations? Any specific hardening?
>>
>>
>> Use proper HTTPS. This is generally done using SSL termination with a
>> reverse proxy like Nginx or Apache. Do not allow access via unencrypted
>> HTTP. It's also advisable to ensure that all access must go through
>> Guacamole, so that the remote desktops on your network have a single,
>> central, secured point of entry.
>>
>> - Mike
>>
>>

Re: Internet facing Guacamole?

Posted by Adam Woodland <ad...@adamwoodland.com>.
Just to add, there are tools you should use to periodically check the
security of the application interface of the reverse proxy, for example:

https://www.ssllabs.com/ssltest/analyze
https://securityheaders.com/

You should be aiming to get A (or better) in both those. Both sites have
info on how to improve your score and you also have https://cipherli.st/ on
how to set the relevant TLS settings for whatever your front-end is.

There is https://observatory.mozilla.org/ which wraps the above tool
functions into a single interface (although I personally find it a little
hit and miss with returning useful results)

This is on top of hardening the host machine too. No point securing the
host if you don't secure the application, and vice-versa.

Adam

On Mon, Jan 20, 2020 at 5:26 PM Mike Jumper <mj...@apache.org> wrote:

> On Sun, Jan 19, 2020 at 11:00 PM gabriel sztejnworcel <
> gabriel.560@gmail.com> wrote:
>
>> Hi,
>>
>> We would like to expose Guacamole to the internet to allow remote access to
>> internal RDP servers, without a VPN.
>>
>
> That's what Guacamole is designed for.
>
>
>> Assuming we have a strong authentication mechanism, is this a valid use
>> case?
>
>
> Yes. It's the *intended* use case. A VPN in front of Guacamole is
> superfluous. You do not need to hide Guacamole behind a VPN.
>
>
>> Are there any special security considerations? Any specific hardening?
>
>
> Use proper HTTPS. This is generally done using SSL termination with a
> reverse proxy like Nginx or Apache. Do not allow access via unencrypted
> HTTP. It's also advisable to ensure that all access must go through
> Guacamole, so that the remote desktops on your network have a single,
> central, secured point of entry.
>
> - Mike
>
>

Re: Internet facing Guacamole?

Posted by Mike Jumper <mj...@apache.org>.
On Sun, Jan 19, 2020 at 11:00 PM gabriel sztejnworcel <ga...@gmail.com>
wrote:

> Hi,
>
> We would like to expose Guacamole to the internet to allow remote access to
> internal RDP servers, without a VPN.
>

That's what Guacamole is designed for.


> Assuming we have a strong authentication mechanism, is this a valid use
> case?


Yes. It's the *intended* use case. A VPN in front of Guacamole is
superfluous. You do not need to hide Guacamole behind a VPN.


> Are there any special security considerations? Any specific hardening?


Use proper HTTPS. This is generally done using SSL termination with a
reverse proxy like Nginx or Apache. Do not allow access via unencrypted
HTTP. It's also advisable to ensure that all access must go through
Guacamole, so that the remote desktops on your network have a single,
central, secured point of entry.

- Mike
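
An Nginx front end that implements the advice in this thread (TLS termination, no content served over plain HTTP, response headers of the kind the scanners mentioned above report on), as an added example that is not part of the original messages or of the Guacamole project. The hostname guac.example.com, the certificate paths and the backend address 127.0.0.1:8080 are placeholders, and it assumes the servlet container hosting Guacamole listens only on loopback so the proxy is the single point of entry.

```nginx
# Added example: all names, paths and addresses below are placeholders.

# Plain HTTP: serve nothing, only redirect to the HTTPS site.
server {
    listen 80;
    server_name guac.example.com;
    # Redirect to the fixed hostname instead of echoing the Host header.
    return 301 https://guac.example.com$request_uri;
}

# HTTPS: TLS terminates here, then traffic is proxied to Guacamole.
server {
    listen 443 ssl;
    server_name guac.example.com;

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;                  # no legacy SSL/TLS versions

    # Headers checked by header scanners; "always" also covers error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location /guacamole/ {
        # Assumption: backend is reachable only on loopback.
        proxy_pass http://127.0.0.1:8080/guacamole/;
        # Guacamole streams data continuously; buffering stalls the session.
        proxy_buffering off;
        # HTTP/1.1 plus Upgrade/Connection pass-through allows WebSocket.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # Preserve the client address for the backend's logs.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Validate the file with nginx -t before reloading, then re-run the external TLS and header checks against the public hostname.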