guacamole-docker-saml

Dockerized Guacamole configured to use SAML for authentication with easy setup script.


Overview

The purpose of this project is to simplify deploying Apache Guacamole through Netskope Private Access. This configuration creates a Docker-based Guacamole deployment that uses a SAML identity provider for user authentication and authorization. The steps below assume that Netskope Private Access is already configured and a publisher is already deployed; that publisher is used to publish Guacamole as a browser-based application.

Once deployed, groups and their membership can be used to authorize which connections users are allowed to access. The groups are passed to Guacamole from the SAML assertion in the group attribute. In the Guacamole configuration the administrator only needs to create the groups and assign connections to them. When a user logs in for the first time, they are automatically granted access to the connections assigned to the groups they are a member of.

Prerequisites

  • An Ubuntu Linux 20.04 LTS VM with docker and docker-compose pre-installed
  • Netskope Private Access publisher deployed and configured
  • A browser-based app configured for the guacamole VM host port 8443
  • Netskope private access Reverse Proxy idP SAML Configuration
  • Guacamole app idP SAML configuration

Config Steps

Copy guacamole-docker-saml.tar.gz to Ubuntu VM home folder and extract or git clone from repo

# tar -zxvf guacamole-docker-saml.tar.gz
# cd guacamole-docker-saml

OR

# git clone https://github.com/pbeyl/guacamole-docker-saml.git
# cd guacamole-docker-saml

Run the configuration script and provide the required information when prompted

# ./configure.sh

When requested to enter the admin account, specify the administrative user account that needs to be created as the initial administrative account on Guacamole. This needs to be a valid account on the idP which is assigned to the guacamole SAML app.

Enter admin account [admin@example.onmicrosoft.com]: 

Next enter the URL of the browser-based app configured as a browser-based private app. The browser-based app definition needs to point to the host you are currently installing Guacamole on. Remember to define the publisher that has TCP access to this host and add a real-time policy to allow access to this application.

Enter Netskope App URL [example: https://app-8443-tenant.eu.npaproxy.goskope.com]: 

When the Guacamole service starts it listens on port 8443 with the self-signed certificate generated by this configure script. Certificates are installed in .nginx/ssl/ and can be replaced with trusted CA-signed certificates if desired.

When prompted to provide the SAML Login URL, provide the URL associated to the SAML configuration for the Guacamole app.

Enter SAML IDP Login URL:

Lastly, input the metadata URL associated with the Guacamole app SAML configuration and confirm the configuration to complete the setup.

Enter SAML Metadata URL:

The final step in the script is to save the configuration to the .env file and start the required Docker containers.

- Writing config to .env -
Completed writing config variables to .env
Creating network "guacamole-docker-saml_guacnetwork" with driver "bridge"
Creating guacd              ... done
Creating postgres_guacamole ... done
Creating guacamole          ... done
Creating nginx_guacamole    ... done
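The values the script asks for are worth checking before they land in .env: every SAML URL must be https, and the app URL doubles as the address the IdP posts the assertion back to. The following is an added example and not the project's own configure.sh; the SAML_* variable names are the ones the guacamole/guacamole Docker image reads, while GUAC_ADMIN_USER, the derivation of the callback and entity ID from the Netskope app URL, and the group attribute name "groups" are assumptions.

```shell
#!/bin/sh
# Added example (not part of the guacamole-docker-saml project): checks for the
# four values configure.sh prompts for, and the .env lines they map to.
# SAML_IDP_URL, SAML_IDP_METADATA_URL, SAML_CALLBACK_URL, SAML_ENTITY_ID and
# SAML_GROUP_ATTRIBUTE are settings of the guacamole/guacamole Docker image;
# GUAC_ADMIN_USER and the way the values are derived are assumptions.

# True if $1 looks like user@domain with a dotted domain part and no spaces.
valid_account() {
  case "$1" in
    *@*.*) case "$1" in *' '*|@*|*@|*..*) return 1 ;; esac; return 0 ;;
    *) return 1 ;;
  esac
}

# True if $1 is an https URL with a non-empty host. The IdP metadata and the
# SAML assertion travel over these URLs, so plain http is rejected outright.
valid_https_url() {
  case "$1" in
    https://?*) case "$1" in *' '*) return 1 ;; esac; return 0 ;;
    *) return 1 ;;
  esac
}

# Strip a trailing slash so entity ID and callback URL are built consistently.
trim_slash() { printf '%s' "${1%/}"; }

# Print the .env fragment for admin account, Netskope app URL, IdP login URL
# and IdP metadata URL; returns non-zero (printing nothing) on any bad value.
render_env() {
  admin=$1; app_url=$2; idp_url=$3; meta_url=$4
  valid_account "$admin"       || { echo "bad admin account: $admin" >&2; return 1; }
  valid_https_url "$app_url"   || { echo "bad app URL: $app_url" >&2; return 1; }
  valid_https_url "$idp_url"   || { echo "bad IdP login URL: $idp_url" >&2; return 1; }
  valid_https_url "$meta_url"  || { echo "bad metadata URL: $meta_url" >&2; return 1; }
  app_url=$(trim_slash "$app_url")
  printf 'GUAC_ADMIN_USER=%s\n' "$admin"        # assumed name used by configure.sh
  printf 'SAML_ENTITY_ID=%s\n' "$app_url"       # SP entity ID = public app URL (assumption)
  printf 'SAML_CALLBACK_URL=%s\n' "$app_url"    # IdP posts the assertion back here
  printf 'SAML_IDP_URL=%s\n' "$idp_url"
  printf 'SAML_IDP_METADATA_URL=%s\n' "$meta_url"
  printf 'SAML_GROUP_ATTRIBUTE=groups\n'        # assertion attribute carrying group names (assumed)
}
```

Usage: `render_env "$ADMIN" "$APP_URL" "$IDP_URL" "$META_URL" > .env` writes the fragment only when all four values pass, so a typo in the metadata URL stops the deployment before the containers start rather than surfacing as a failed login later.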

Four Docker containers are started. PostgreSQL holds all configuration for the Guacamole installation, nginx exposes the application to the network and provides TLS encryption, guacamole is the HTML5 Guacamole client, and guacd is the Guacamole proxy daemon providing access to the RDP, VNC and SSH services.

You can validate that all containers are running

# docker ps
CONTAINER ID   IMAGE                       COMMAND                  CREATED         STATUS                   PORTS                                             NAMES
c051222726a1   nginx                       "/docker-entrypoint.…"   5 minutes ago   Up 5 minutes             80/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp   nginx_guacamole
5d3a022682bf   guacamole/guacamole:1.5.2   "/opt/guacamole/bin/…"   5 minutes ago   Up 5 minutes             0.0.0.0:49158->8080/tcp, :::49158->8080/tcp       guacamole
363b2ac9a326   postgres:13.4-buster        "docker-entrypoint.s…"   5 minutes ago   Up 5 minutes             5432/tcp                                          postgres_guacamole
7ae197ba8d65   guacamole/guacd             "/bin/sh -c '/usr/lo…"   5 minutes ago   Up 5 minutes (healthy)   4822/tcp                                          guacd
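Reading the docker ps table by eye works once; for a repeatable post-deploy check it is better to confirm that all four containers are up and that the one with a health check (guacd) is not reporting unhealthy. The following is an added example, not the project's code; it uses the container names shown in the output above and, for an offline run, feeds itself constructed sample lines in place of the live command.

```shell
#!/bin/sh
# Added example, not part of the guacamole-docker-saml project: verifies the
# four containers the setup script starts are present and running.
# Live use:  docker ps --format '{{.Names}}\t{{.Status}}' | check_containers
# Container names are taken from the README's docker ps output.

EXPECTED="nginx_guacamole guacamole postgres_guacamole guacd"

# Reads "name<TAB>status" lines on stdin. Returns 0 only when every expected
# container appears with a status beginning "Up" and none reports "(unhealthy)".
check_containers() {
  ps_out=$(cat)
  rc=0
  for name in $EXPECTED; do
    status=$(printf '%s\n' "$ps_out" | awk -F '\t' -v n="$name" '$1 == n { print $2 }')
    if [ -z "$status" ]; then
      echo "MISSING   $name" >&2; rc=1
    else
      case "$status" in
        Up*unhealthy*) echo "UNHEALTHY $name: $status" >&2; rc=1 ;;
        Up*)           echo "ok        $name: $status" >&2 ;;
        *)             echo "DOWN      $name: $status" >&2; rc=1 ;;
      esac
    fi
  done
  return $rc
}

# Constructed sample resembling a healthy deployment (tab-separated, as docker
# ps --format would print it).
SAMPLE_OK=$(printf 'nginx_guacamole\tUp 5 minutes\nguacamole\tUp 5 minutes\npostgres_guacamole\tUp 5 minutes\nguacd\tUp 5 minutes (healthy)\n')

# Constructed sample where nginx is absent and guacd has exited.
SAMPLE_BAD=$(printf 'guacamole\tUp 5 minutes\npostgres_guacamole\tUp 5 minutes\nguacd\tExited (1) 2 minutes ago\n')
```

A missing nginx_guacamole is the case most worth catching: Guacamole itself is only published on an ephemeral host port (49158 above), so without the nginx container nothing answers on 8443 and the Netskope browser app simply fails to load.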

To stop all running containers

# docker-compose down

To start all containers

# docker-compose up -d

To view the logs of a specific running container

# docker logs -f --tail 10 guacd
guacd[7]: INFO:	Guacamole proxy daemon (guacd) version 1.4.0 started
guacd[7]: INFO:	Listening on host 0.0.0.0, port 4822