guacamole-user mailing list archives

From R <>
Subject Re: Control outbound socket connection
Date Mon, 26 Mar 2018 05:40:39 GMT
thanks Nick, I will try playing with guacd

On Tue, Mar 20, 2018 at 9:02 AM, Nick Couchman <> wrote:

> On Mon, Mar 19, 2018 at 2:19 PM, R <> wrote:
>> Nick, thanks for getting back on this.
>> Just to make it simpler. Let's say I have a VPN concentrator in the cloud
>> and it has the tunnel to other customers. Now I want to have guacamole
>> installed on a server in the cloud and have a client talk to that VPN concentrator
>> (which is also in the cloud), and that client (on the guacamole server) will
>> have a connection to that VPN concentrator and tell it to establish the
>> rdp/ssh session and pass that session over to the user's browser.
>> User Browser -->[Guacamole Server-->Client]-->VPN Concentrator
> So, slight clarification in the traffic flow to make sure I understand:
> User Browser -> Guacamole Client -> guacd (Guacamole Server) -> VPN Client
> -> VPN Concentrator -> RDP/SSH/VNC Host
> I gather from your original question that what you're trying to do is
> automate the "VPN Client -> VPN Concentrator" portion of this - that is,
> when a connection is attempted from guacd to RDP/SSH/VNC, something on the
> system is able to automatically "know" that that connection needs to cross
> a VPN boundary, and it establishes that VPN tunnel in order to make the
> connection happen.  Correct?
> My very first question would be: Why can't the VPN tunnel be persistent?
> I'm not familiar with CASB, but it seems like you'd want to set up a
> persistent connection between the guacd host and the VPN concentrator in
> some fashion that enables the guacd -> RDP/SSH/VNC connections to happen
> very quickly.  The top two reasons I would cite for this would be logistics
> (ease of making it happen) and how quickly the connection happens.
> Logistically, detecting and establishing the VPN tunnel is more an O/S
> issue than it is a Guacamole Server issue.  You'd need some way, on the
> operating system, to detect that a connection was being attempted to a host
> that is known to be on the other side of a VPN, and you'd need a way to
> start that connection up, with some set of pre-defined credentials.  All of
> this would need to happen at the TCP/IP stack layer, and isn't really the
> concern of Guacamole/guacd.  You could probably write something in either
> guacd or into a Guacamole Client extension that accomplishes this for you,
> but why?  Again, why not just have a persistent VPN tunnel?  I have a
> feeling that the answer for your scenario may lie in how CASB actually
> functions, but, again, I'm not familiar with it, so taking the simplified
> approach above I'd push for a persistent VPN tunnel.
> As far as how quickly the connection happens, the process of establishing
> a VPN tunnel usually takes several seconds to accomplish, and if you rely
> on something detecting this guacd connection and establishing the tunnel,
> there's going to be a delay for guacd and for the end user, which raises
> the risk of a timeout during the connection.  It isn't that it makes it
> impossible, just something else to consider when trying to automate this
> process - making sure that timeouts in Guacamole are high enough to handle
> this, and that users' expectations are properly aligned.
> -Nick
