Until recently, I have always been a huge proponent of Microsoft’s Remote Desktop Connection Manager (RDCMan) tool for managing RDP connection points. That is, until Microsoft discontinued it earlier this month after discovering a security flaw in the application severe enough to completely remove the ability to download it (CVE-2020-0765).
There have always been other tools available that provide similar functionality, but I have stuck by RDCMan over the years due to how intuitive the interface is and how the installation was never a security concern (it’s signed by Microsoft – no need to allow it through the application whitelist!). Unfortunately, security is not quite that easy, so it’s time to search for a solution that can fill the shoes of a tool loved by many.
That's where Apache Guacamole comes in.
So what exactly is Guacamole? It is an HTML5 clientless remote desktop gateway that is designed to both enhance RDP security and provide easier access to RDP/SSH connections for your organization. Obviously, this will not be as simple as a local client installation, but once it is configured, it can be available for your entire organization to utilize and unify on a single solution.
Guacamole runs on many Linux distributions, so the first step to implement Guacamole is to choose your Linux distribution. I won’t go into details as to which flavor of Linux to choose, but if you do not want to build the packages from source, I would recommend an OS in either the Debian or Red Hat families (and please don’t install a GUI – even Windows is starting to recommend headless servers running Server Core these days, but that’s a discussion for another blog post).
At this point, I feel like it’s important to address the elephant in the room before continuing onto the application install and configuration. During the course of standing up Guacamole, I entered into dependency hell on two separate occasions – both of which were tied to OS version dependencies that are awaiting a new release of Guacamole to be resolved. I started with CentOS 8, then tested Ubuntu 20.04, and finally ended up with a working install when using Ubuntu 18.04. I was not able to find a comprehensive list of which versions of each Linux distro will work, but in my research, CentOS 7 and Ubuntu 18.04 were both able to run without dependency issues.
Now that you have a working Linux environment, let’s work on installing and configuring Guacamole. As I’ve chosen Debian, I will be utilizing a GitHub installation script located here. Open an SSH session (I used PuTTY), and connect to your new Linux server. If running Ubuntu 18.04, you will need to manually install FreeRDP2 as the official repository has an issue:
sudo add-apt-repository ppa:remmina-ppa-team/freerdp-daily
sudo apt-get update
sudo apt-get install freerdp2-dev freerdp2-x11
Then, run the following commands to download the installation script from GitHub and execute it:
mv fxZq5 guac-install.sh
chmod +x guac-install.sh
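Because the installer is fetched over the network and then run with root privileges, it is worth reading the downloaded copy and pinning its SHA-256 before marking it executable. The following is an added example, not part of the original post or of the install script's project; the function names and the PINNED_SHA256 variable are hypothetical, and the digest is one you record yourself after reviewing the file.

```shell
#!/bin/sh
# Added example: gate execution of a downloaded installer on a pinned SHA-256.
# PINNED_SHA256 is a placeholder for the digest of the copy you reviewed.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 and marks FILE executable only when the digest matches.
# Returns 1 on bad input; on a digest mismatch it also strips the execute bits.
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Reject symlinks and anything that is not a regular file.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing: $file is not a regular file" >&2
        return 1
    fi
    # A SHA-256 digest is exactly 64 hex characters.
    case $expected in
        *[!0-9a-f]*|'') echo "refusing: malformed expected digest" >&2; return 1 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "refusing: malformed expected digest" >&2
        return 1
    fi

    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        chmod a-x "$file"
        echo "MISMATCH for $file: got $actual" >&2
        return 1
    fi
    chmod u+x "$file"
    echo "OK: $file matches pinned digest"
}

# Usage in place of the bare chmod step (the invocation shown is an assumption):
#   verify_installer guac-install.sh "$PINNED_SHA256" && sudo ./guac-install.sh
```

A mismatch means the script changed since you last reviewed it, so re-read it before updating the pinned value.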
If you would like MFA enabled, choose to install TOTP. After that, select to install MySQL and provide credentials for the root and guacamole_user accounts that will be created. When the installation is completed, open a browser, connect to the URL displayed in the console, and log in with the default credentials. If you chose to enable MFA, you will need to configure it before being able to log in – you can use any OTP app of your choosing (Google Authenticator, Microsoft Authenticator, Authy, etc.).
Once logged in, make sure to change the password of the guacadmin account by opening the dropdown menu in the top-right and selecting preferences. While in settings, click the Connections tab, click New Connection, and then fill out the following sections (you can fill out more; these are just the mandatory sections to configure an RDP session):
To test this connection, click your username in the top-right and then click Home. Select your server from the All Connections list to connect an RDP session.
Congratulations – you now have an HTML5 web interface for connecting to RDP sessions, which is the first step toward a better and more secure solution around authenticating to servers for administration. For a full implementation, we will still need to cover LDAP/AD integration, credential passthrough, and HTTPS configuration.