First off: no, this is not a cooking blog. As delicious as the name sounds, Apache Guacamole is a tool for remote administration in the browser and not a side dish.
Inherently, what guacamole achieves is a simple concept. You take your remote administrative protocols (SSH, RDP, VNC) and stick them in a browser. That’s it! But why you would want to is a separate idea. There are many advantages, beyond the obvious advantage of conveniently doing administrative work in a browser:
- By using a browser, you can take advantage of browser authentication standards (such as SAML or OIDC SSO)
- Easy MFA. Anyone who has had to implement MFA for RDP or SSH knows what a pain it is. By sticking that authentication challenge in the browser, MFA becomes simple.
- Fine grained access control. People only get to see the servers they are supposed to have access to, and certain toggles (such as file upload/download) can be disabled on a per-connection basis.
- Logging! You know who opened a session, for how long, what account they used, and it’s all conveniently centralized in the guacamole interface.
- Screen recording! This is especially attractive to high risk access, such as servers in the financial sector.
- Screen sharing. Easily provide a demonstration natively in the browser to dozens of people by sharing a link.
- Limited third party access. You can provide a vendor (or somebody else) with a specific link that only provides access to what you want them to have access to.
So with that in mind, let’s learn how to get guacamole working for you.
What makes Guacamole Different?
Remote browser access isn’t a new concept. Back in the day, Citrix was (and still is) an incredibly expensive way of doing just that. Except citrix requires an agent to be installed on the host, and a plugin to be installed in the browser, and isn’t nearly as compatible as Guacamole.
Guacamole has two crazy important advantages:
- There are no browser plugins required. Guacamole created it’s own browser language to represent remote activity in the browser just using a mixture of CSS and PNG images. It’s efficient, low latency, and works with existing HTML5.
- Guacamole interprets native remote protocols. As in the target servers don’t need an agent or even to change their existing access methods. When you connect with guacamole, the server is just working with normal RDP or SSH.
That might not sound like big advantages, but being able to leverage existing remote protocols with added protections makes Guacamole extremely easy to implement as a drop-in replacement for administration.
Used by players, big and small
There’s a good chance you’ve actually used Guacamole and not even realized it.
- Microsoft’s Azure Bastion is actually Apache Guacamole with a Microsoft whitewash on the top for their cloud services.
- CyberArk’s PSM Gateway is actually Apache Guacamole (and at least cyberark has the good sense to state that clearly, unlike Microsoft).
- Fortigate’s SSL Web VPN is Apache Guacamole.
Apache Guacamole is also used by many players internally, from small business to high risk financials (the latest vulnerability disclosure came from ANZ national bank in Australia)
Let’s get started
Alright, so we now know why we want some guacamole dip in our homelab. Let’s make it happen!