Using Portainer to Deploy Guacamole As Web Based Remote Access Gateway (Updated) & KASM Installation - NETSEC


Saturday, September 3, 2022

Using Portainer to Deploy Guacamole As Web Based Remote Access Gateway (Updated) & KASM Installation

About three years ago, I wrote a post showing how to use Portainer to deploy Guacamole.



The Docker image and GitHub project (oznu/docker-guacamole) has not been updated since then. One person forked the original oznu/docker-guacamole and keeps updating it: MaxWaldorf/guacamole.

I decided to try it on my Oracle Cloud Free ARM machine to see how the deployment goes. The whole deployment experience was surprisingly smooth. This post summarizes all the steps, including how to RDP into a Windows machine and how to use NPM (Nginx Proxy Manager) to add a custom domain and SSL support.



Pre-requirements


Deployment Using Docker Run Command


Usage (works for x86_64 and arm64v8, no support for 32 bits)
docker run \
  -p 8080:8080 \
  -v /root/data/docker_data/guacamole:/config \
  maxwaldorf/guacamole
Note: /root/data/docker_data/guacamole is a folder created on the docker host. 




Deployment Using Portainer


Create a new container with the following settings:

  • Image: maxwaldorf/guacamole
  • Command: /init
  • Volume: container path /config mapped to host path /root/data/docker_data/guacamole

Environment variables are set automatically when you create the container from this image; you do not need to enter them manually. For reference, they are:



PATH=/usr/lib/postgresql/13/bin:/usr/local/tomcat/bin:/usr/local/openjdk-8/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JAVA_HOME=/usr/local/openjdk-8
LANG=C.UTF-8
JAVA_VERSION=8u332
CATALINA_HOME=/usr/local/tomcat
TOMCAT_NATIVE_LIBDIR=/usr/local/tomcat/native-jni-lib
LD_LIBRARY_PATH=/usr/local/tomcat/native-jni-lib
GPG_KEYS=05AB33110949707C93A279E3D3EFE6B686867BA6 07E48665A34DCAFAE522E5E6266191C37C037D42 47309207D818FFD8DCD3F83F1931D684307A10A5 541FBE7D8F78B25E055DDEE13C370389288584E7 5C3C5F3E314C866292F359A8F3AD5C94A67F707E 765908099ACF92702C7D949BFA0C35EA8AA299F1 79F7026C690BAA50B92CD8B66A3AD3F4F22C4FED 9BA44C2621385CB966EBA586F72C284D731FABEE A27677289986DB50844682F8ACB77FC2E86E29AC A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 F3A04C595DB5B6A5F1ECA43E3B7BBB100D811BBE F7DA48BB64BCB84ECBA7EE6935CD23C10D498E23
TOMCAT_MAJOR=8
TOMCAT_VERSION=8.5.78
TOMCAT_SHA512=b50213e64cc1fd3da2847deda1ca13bee4c26663093c11d53c5ecfe4cdec8856e743b4a1d8488e0c0cbe9bf149e755df40a4140f3b155e2195e3bc6335de3512
APPLICATION=guacamole
BUILD_RFC3339=2022-01-25T12:00:00Z
REVISION=local
DESCRIPTION=Guacamole 1.4.0
PACKAGE=MaxWaldorf/guacamole
VERSION=1.4.0
GUAC_VER=1.4.0
GUACAMOLE_HOME=/config/guacamole
PG_MAJOR=13
PGDATA=/config/postgres
POSTGRES_USER=guacamole
POSTGRES_DB=guacamole_db


Restart policy can be set to Unless stopped. 

Once all settings are entered, click the "Deploy the container" button and the deployment will start. If you have not pulled the image before, Portainer pulls it directly from Docker Hub.



Access Guacamole web portal

Browse to http://<public ip>:8080

Default username and password: guacadmin / guacadmin

You will be notified to create your own username and password.


Access Linux Machines

Use RDP to access an xRDP desktop. Guacamole supports two authentication methods:

1. Username and password

2. Private key

The Private key field on the Guacamole connection parameters page requires a PEM-format key file, which is not the format of a PuTTYgen-generated private key (.ppk).

You can convert a PPK private key to PEM with PuTTYgen: load your PPK file, then choose Conversions -> Export OpenSSH key to save a PEM-format private key file.
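A shell helper to check which format a private key file is in before pasting it into Guacamole, added here as an example (not from the original post). The sample files are constructed header-only stand-ins, and ssh-keygen is assumed to be present only for the optional conversion function.

```shell
#!/bin/sh
# Added example, not from the original post: identify an SSH private key
# file's format before using it in Guacamole's "Private key" field, which
# expects a PEM-format key rather than a PuTTYgen .ppk file.

# key_format FILE -> prints ppk, openssh, pem or unknown, based on the
# first line of the file (the format marker every key type carries).
key_format() {
  [ -r "$1" ] || { echo unknown; return 0; }
  first=$(head -n 1 "$1")
  case "$first" in
    PuTTY-User-Key-File-*)                 echo ppk ;;      # PuTTYgen native
    "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;  # new OpenSSH format
    "-----BEGIN "*"PRIVATE KEY-----")      echo pem ;;      # e.g. RSA PRIVATE KEY
    *)                                     echo unknown ;;
  esac
}

# convert_to_pem SRC DST: Linux equivalent of PuTTYgen's Conversions ->
# Export OpenSSH key for an OpenSSH-format key. ssh-keygen -p rewrites the
# file in place, so work on a copy. Assumes an unencrypted key (-P '' -N '').
convert_to_pem() {
  cp "$1" "$2" && chmod 600 "$2" && ssh-keygen -p -m PEM -N '' -P '' -f "$2" >/dev/null
}

# Demo on constructed header-only files (no real key material).
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'PuTTY-User-Key-File-3: ssh-rsa' > "$d/id.ppk"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/id.pem"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/id_ed25519"
  for f in "$d"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(key_format "$f")"
  done
  rm -rf "$d"
}
demo
```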






Access Windows Machines

Using Guacamole to access a Windows Server 2016 machine works fine, but a common issue appears when trying to connect to a Windows Server 2022 machine with default connection settings like these:

You will get the following error message:
"The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs."



If your username or password is wrong, you will get this error message instead:
"Log in failed. Please reconnect and try again."




Even with "Ignore server certificate" checked, you may still get an error message saying the server is unreachable.


Guacamole apparently does not work with Windows 10 or Windows Server 2016 RDP out of the box, so you have to edit the registry to make it work.



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

Change “SecurityLayer” value to 1 (Original value is 2)


Verify “UserAuthentication” value is 0 (Original value is 1)


Source: https://mangolassi.it/topic/17846/make-windows-10-server-2016-rdp-work-with-guacamole/2


As long as you have checked "Ignore server certificate", you will be able to log in now. Security mode can be left empty or set to "Any".



Enabling Extensions

 
Extensions can be enabled using the -e EXTENSIONS variable. Multiple extensions can be enabled using a comma separated list without spaces.

For example:

docker run \
  -p 8080:8080 \
  -v </path/to/config>:/config \
  -e "EXTENSIONS=auth-ldap,auth-duo" \
  maxwaldorf/guacamole

Extension List:

  • auth-duo
  • auth-header
  • auth-jdbc-mysql
  • auth-jdbc-postgresql
  • auth-jdbc-sqlserver
  • auth-json
  • auth-ldap
  • auth-quickconnect
  • auth-sso-openid
  • auth-sso-saml
  • auth-sso-cas
  • auth-totp
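A shell check for the EXTENSIONS value format described above, added here as an example (not from the original post or the MaxWaldorf/guacamole project). It validates the list against the extension names given in this post and prints, without running, the docker run command that would use it.

```shell
#!/bin/sh
# Added example, not from the original post or the MaxWaldorf/guacamole
# project: check an EXTENSIONS value against the list above before using
# it, then print the matching docker run command for review.

# Extension names from the list in the post.
KNOWN_EXTENSIONS="auth-duo auth-header auth-jdbc-mysql auth-jdbc-postgresql
auth-jdbc-sqlserver auth-json auth-ldap auth-quickconnect auth-sso-openid
auth-sso-saml auth-sso-cas auth-totp"

# validate_extensions LIST -> returns 0 when LIST is a comma-separated
# list of known names with no spaces and no empty items, else prints the
# problem to stderr and returns 1.
validate_extensions() {
  list=$1
  case "$list" in
    "")         echo "error: EXTENSIONS is empty" >&2; return 1 ;;
    *" "*)      echo "error: no spaces allowed in EXTENSIONS: '$list'" >&2; return 1 ;;
    ,*|*,|*,,*) echo "error: empty item in EXTENSIONS: '$list'" >&2; return 1 ;;
  esac
  for ext in $(printf '%s' "$list" | tr ',' ' '); do
    found=0
    for known in $KNOWN_EXTENSIONS; do
      if [ "$ext" = "$known" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
      echo "error: unknown extension '$ext'" >&2; return 1
    fi
  done
  return 0
}

# guacamole_run_cmd CONFIG_DIR LIST -> prints (does not run) the docker
# command, with the restart policy used in the Portainer section.
guacamole_run_cmd() {
  validate_extensions "$2" || return 1
  printf 'docker run -d --restart unless-stopped -p 8080:8080 -v %s:/config -e "EXTENSIONS=%s" maxwaldorf/guacamole\n' "$1" "$2"
}

guacamole_run_cmd /root/data/docker_data/guacamole auth-ldap,auth-duo
```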

Troubleshooting   


Bad gateway when accessing portal

If any issue appears after your Guacamole has been running for a while, you might want to duplicate or edit your current container to create a fresh one.
Before you do that, make sure you have stopped the existing Guacamole container.

I ran into an issue after running it for a couple of weeks, something relating to "Bad gateway": the Guacamole web GUI could not load.


RDP connections to Windows 7 or Windows Server 2008 disconnect immediately?

This is caused by a FreeRDP issue; turn on "Disable glyph caching" under Settings > RDP. See https://issues.apache.org/jira/browse/GUACAMOLE-1191 for details.

Source: https://next-terminal.typesafe.cn/faq/#docker%E5%AE%89%E8%A3%85%E5%A6%82%E4%BD%95%E6%9B%B4%E6%96%B0


KASM - A Container Based Streaming Platform

Run applications and desktops from a browser.

1. Pre-Requisites

https://kasmweb.com/docs/latest/index.html

  • CPU: 2 cores
  • Memory: 4GB
  • Storage: 50GB (SSD)


2. Four Commands to Install

cd /tmp
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.15.0.06fdc8.tar.gz
tar -xf kasm_release_1.15.0.06fdc8.tar.gz
sudo bash kasm_release/install.sh



Videos

  • KASM 1.15 Installation and 
  • Kasm Workspaces Introduction and Installation (1.9.0)



1 comment:

  1. Hi, thank you for this write-up. I have installed Docker, Portainer, NPM and Apache Guac on a VM running Debian 11. While Guacamole is working and allows me to connect to a remote computer, I cannot seem to figure out how to enable file transfer permissions. I've added the environment variables in Portainer and enabled it in the Guac UI settings, but when I attempt to transfer a file it says I don't have permission to do it. I think it might have something to do with the user account that guacd is running on? Not sure, but was hoping you might have some pointers. Thanks!
