What is Apache Guacamole?
Apache Guacamole (hereinafter only Guacamole) is a clientless remote desktop gateway. This gateway accesses desktops/consoles/terminal servers via VNC, RDP or SSH and makes them available in a browser window [0].
Clientless means in this case that no software has to be installed on the PC/tablet or a browser add-on. You only need a browser!
According to your own requirements, Guacamole can be a replacement for e.g. Parallels RAS or Citrix Virtual Apps. The main difference is that these systems are based on a Microsoft terminal server. Terminal server sessions or PC desktops are then deployed over this. This results in costs for
- Terminal server operating system
- Server access licenses
- Terminal server access licenses
- Parallels/Citrix/… licenses
Which over the years becomes immensely costly. Not to forget the installation and complex administration…
If the requirements for a “remote access solution” now coincide with the possibilities of Guacamole, this is a (mostly) free and above all easy to install and administer solution. Even with support from a service provider, the costs are disproportionate.
A small use case:
A company uses EGroupware and wants (must, Corona…) to let employees work from home. It should also be possible to access the accounting software and special construction software. If the installation requirements are given (see below), the admin installs the Guacamole package, sets up the connections (PCs) and assigns the access rights. Already ** the employees can access their familiar PC in the company from home**. Also to special software that otherwise cannot or must not be made available on the external PC (accounting/time management/payroll software, ERP, CAQ, …) and internal information (file servers, management systems, production facilities, …).
Of course, a company that does not use EGroupware can install an EGroupware with Guacamole, connect it to an existing user administration and then use only Guacamole. This is still the easiest and fastest way to get a working Guacamole installation.
The access to the EGroupware can (and should) be secured with a 2-factor authentication (Smartphone authenticator, USB/NFC tokens (EPL)) [1]. This is also not comparable with the above mentioned commercial products.
Due to the pure operation in the browser a quite high security is guaranteed, because the client does not directly access the target systems (and vice versa).
Since Guacamole authenticates against EGroupware, **before that EGroupware can authenticate against the available authentication systems like AD, Mail, LDAP etc.
If the users are not managed in EGroupware, they can be migrated to EGroupware. This procedure then only needs to be repeated if users have changed. So Guacamole can access the users (in the database).
The integration into EGroupware thus essentially consists of
- Installation package
- Integration as app (IFrame in EGroupware window or separate browser window)
- Use of the same database
- Rights management by EGroupware (module/connections)
- Use of EGroupware authentication (against backends/2FA in the frontend)
- Automatic updates of the containers
A user report from an EGroupware/Guacamole user (German language):
Which unfortunately is not (yet) offered at present: Waking up a PC via Wake-On-LAN (WOL). So you have to leave the PC running or someone switches it on “on call”.
Status 19 June 2020: Work in progress
Installation and configuration
Since 04.2020 an installation package for guacamole is available.
Requirements for the installation:
- EGroupware standard installation based on Docker
- Debian or Ubuntu as Host-OS (as of 26.05.2020)
- HTTPS encryption
- ~ 1 GB additional hard disk space
- ~ 200 MB additional RAM (+sessions)
- MariaDB/MySQL database
- Users in the EGroupware database
Other installations with and without a docker are also possible in principle, since guacamole can also be installed natively, a git eGroupware can also be configured to docker guacamole, and you can basically set up authentication over a distance (company <=> hoster). With all the possible combinations, however, you need to have the appropriate knowledge. Unfortunately this can hardly be supported in the community forums.
So it is also basically possible to run EGroupware with a provider (EGroupware GmbH or others) and Guacamole in the company.
PostgreSQL as EGroupware-DB should also be possible in principle, but requires “manual work”. See also:
(German language post)
The installation package egroupware-guacamole is currently (26.05.2020) available for the following distributions:
- Debian 9/10
- xUbuntu 16.04/18.04/20.04
Further distributions can/should follow later.
The installation is a one-liner on the command line and is documented in the Wiki [3].
During installation are performed:
- Database tables created for Guacamole
- Views on the database for user administration created
- the reverse proxy is configured
- downloaded, installed and started the two necessary docker containers
- a Tomcat server installed on the host
- Guacamole installed/registered in EGroupware as an application
- configures the connection to OpenID/OAuth2
This means that guacamole is immediately ready for use. Only “connections” have to be created. So the target PCs with parameters and access rights.
By sharing a database the users and groups from EGroupware can now be used in Guacamole and the connections can be created/managed in a dialog in EGroupware.
A standard installation now looks as follows:
When opening the Guacamole application in EGroupware, it authenticates against the OpenID/OAuth2 server in EGroupware. There the installation has already set up Guacamole as a client:
This ensures that no unauthorized person can access the application and you do not have to authenticate yourself again. This is possible because guacamole can authenticate against oAuth. Even across network boundaries.
As always: No installation without backup!!!
A small practical article on the creation of connections and application will follow…
Further links
[0] What is Guacamole?
Webside: https://guacamole.apache.org/
EGroupware GitHub: https://github.com/EGroupware/guacamole
[3] EGroupware Guacamole installation: https://github.com/EGroupware/egroupware/wiki/Apache-Guacamole-managed-by-EGroupware
EGroupware website: https://www.egroupware.org/en/guacamole/
[1] Tutorial 2FA: https://www.egroupware.org/en/egroupware-support/tutorials/2fa/
EGroupware Guacamole Flyer: https://www.egroupware.org/wp-content/uploads/2020/05/Guacamole-in-EGroupware-Flyer-German.pdf (currently only german, english will follow)
Forum: Category Apps/Guacamole
The EGroupware GmbH provides commercial (installation) support:
For questions, suggestions etc. please, as always, create your own topic in the forum (guacamole category) and refer to this article.
