guacamole-user mailing list archives

From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: Guacd SSL use-case
Date Wed, 10 May 2017 09:08:12 GMT
On Sun, May 7, 2017 at 10:44 PM, Suncatcher16 <suncatcher16@outlook.com>
wrote:

> After reading the manual and a piece
> <https://sourceforge.net/p/guacamole/discussion/1110833/thread/b12442b9/#dbbd>
> of your posts, I got it the following way:
>
> guacd SSL encryption is *NOT* required and has no sense when both guacd and
> Guacamole server reside on the single server. And when I have full control
> on this server. Am I right?
>

It depends purely on your own needs.

If you do not require encryption at all levels of your internal network,
and your Guacamole deployment involves only one server, then yes, you will
not need encryption in front of guacd, but this is not universally the
case, particularly in a corporate environment or in more complex
deployments. Encryption between guacd and the webapp is not a very commonly
used feature, but it is very necessary. More on this below.

> I can't even figure out the situation when we need this.
>

For users simply installing the webapp and guacd on the same server on
their own personal network, it really isn't needed. The only encryption
relevant to you would be on traffic external to your network, ensuring
communication between the browser and the webapp is secure.

Remember, however, that one of the main audiences for Guacamole is
enterprises/companies wishing to provide access for many machines to their
employees, users, etc. In such cases, security policy does sometimes
require that encryption be used at absolutely all levels. Further, large
deployments of Guacamole may require multiple instances of guacd (behind a
balancer, for serving different logical sections of the network, etc.), or
the webapp and guacd may be allocated to separate servers because it makes
architectural sense (and thus communication does not go over a trusted
network).

- Mike
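
The distinction drawn in the reply above can be turned into a deployment check. The following is an added example, not part of the original message or of the Guacamole project: it reads the `guacd-hostname` and `guacd-ssl` properties from the text of a `guacamole.properties` file and reports when the webapp-to-guacd link leaves the machine unencrypted, or when a stricter "encryption at all levels" policy is in force. The function names, the `encrypt_everywhere` flag and the sample configurations are assumptions made for illustration.

```python
import ipaddress

# Constructed sample configs (not from the original message).
SINGLE_HOST = "guacd-hostname: localhost\nguacd-port: 4822\n"
SPLIT_PLAIN = "guacd-hostname: 10.0.5.20\nguacd-port: 4822\n"
SPLIT_TLS = "guacd-hostname = 10.0.5.20\nguacd-ssl = true\n"


def parse_properties(text):
    """Parse simple 'key: value' / 'key = value' lines of a .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        # Split on whichever separator appears first.
        idx = min((i for i in (line.find(":"), line.find("=")) if i >= 0), default=-1)
        if idx < 0:
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def is_loopback(host):
    """True when the webapp reaches guacd without leaving the machine."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as remote


def audit_guacd_link(text, encrypt_everywhere=False):
    """Return 'ok', or a finding describing an unencrypted webapp-to-guacd link."""
    props = parse_properties(text)
    host = props.get("guacd-hostname", "localhost")  # default when unset
    ssl_on = props.get("guacd-ssl", "false").lower() == "true"
    if ssl_on:
        return "ok"
    if not is_loopback(host):
        return f"guacd at {host} is reached over the network without guacd-ssl"
    if encrypt_everywhere:
        return "policy requires encryption at all levels but guacd-ssl is off"
    return "ok"
```

Setting `guacd-ssl: true` on the webapp side only works when guacd itself has been started with a certificate and private key, so both ends need to be changed together.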