
guacamole #91

Closed
mimugmail opened this issue Aug 22, 2018 · 18 comments
Comments

@mimugmail
Member

Some months ago I tested guacamole as a central mgmt tool for SSH access.
It could be used as a clientless HTML5 VPN but the dependencies are huge: java, tomcat, mysql.

Nonetheless, we could use this as a start for a discussion on integrating it as a plugin?

[image attached in the original issue]

Any opinions to this?

@AdSchellevis
Member

@mimugmail it looks like a nice product, but personally I'm not too enthusiastic about putting things like this on a firewall; it adds a lot of attack surface to one of the most sensitive systems in your infrastructure.

Normally I would place a solution like this in its own virtual environment, but integrating a virtual solution with its own connectivity challenges in OPNsense is quite some work (and usually not really worth the effort).

@ndejong

ndejong commented Aug 22, 2018

Had never heard of this; it's a remote-desktop gateway that provides a client interface via an HTML5 browser. For others that want to read up on it:

Apparently it builds on FreeBSD

As of 0.9.2, Guacamole builds properly on FreeBSD and against the latest FreeRDP from git.

The documentation talks about a lot of dependencies, as @mimugmail mentioned:

Their previous 0.9.1.x revision is available in the FreeBSD ports tree

As a network edge device, does the Guacamole functionality belong on OPNsense? It does seem to fit the definition of things some administrators might be willing to run at a network edge, but wow, it is a heavyweight set of components to be adding to the firewall itself.

Personally I'd feel uncomfortable running this directly on a firewall via publicly exposed port(s). I might consider it over an SSH tunnel or VPN connection, but if an SSH tunnel or VPN connection is an option, then why not just run the RDP session directly from my client machine?

Perhaps you could describe scenarios where Guacamole provides access that is otherwise not possible? I appreciate this question might sound silly or that the answer is "obvious" but there is something about your words "tested guacamole as a central mgmt tool for SSH access" that makes me believe there is another (much easier, and more secure) approach to addressing your remote-ssh access requirements.

@mimugmail
Member Author

You could fix your internal routers in an emergency via your Android phone since it's only browser based. Juniper, Sophos and Cisco also offer this in their UTM products. And since it would be an optional plugin, I don't see a huge risk for the mass of normal users.

@AdSchellevis
Member

@mimugmail aren't they offering an HTML terminal to only their own box? We declined HTML5 consoles earlier; if I'm not mistaken there are other, more lightweight options that do this for access to the firewall itself only.

@mimugmail
Member Author

It's a Tomcat app working as an RDP/VNC/SSH client with predefined profiles. It's not intended for managing OPN itself.

@ndejong

ndejong commented Aug 22, 2018

I feel like you might be wanting to create a setup where you can access an RDP-enabled host using just username/password authentication from an external location and then keep your SSH keys on that RDP host so you can access whatever you have internally. Is that right?

@AdSchellevis
Member

I know it's not for managing OPNsense, I'm just a bit surprised if Sophos and Cisco add this into their firewall products, that's all.

@mimugmail
Member Author

mimugmail commented Aug 22, 2018

@AdSchellevis
Member

Well, that's my main concern. I have no objections to offering web tunnels when properly integrated and secured (which is what other vendors indeed also offer), but Guacamole just feels like too much, in my humble opinion.

@mimugmail
Member Author

That's why I opened this issue :) Let's wait and see what @fichtner thinks about it; there's no hurry on my side.

@AdSchellevis
Member

sure, no rush

@mimugmail
Member Author

@fichtner your objective opinion on this? :)

@fichtner
Member

I need more time to evaluate the new build server speed and how to optimise the build process.

To be frank, adding more software, especially larger dependency chains, will bring the build time up to half a day at least, which slows down response time for tests and releases, introduces more chances for breakage and also bloats major update set downloads, but that's just the cautious side talking....

@fichtner self-assigned this Sep 19, 2018
@mimugmail
Member Author

Ok, I think this pkg is not that important to risk all these downsides it brings into the build process.
But perhaps it brought the awareness that modern (but also only commercial) NGFWs offer an HTML5 VPN :)

@fichtner
Member

Let's revisit when we have a large deployment use case at hand?

@mimugmail
Member Author

Sure, there are many different VPNs available to reach the network behind, but clientless is clientless :)

@Freighter

Hi all, I just found this discussion.
My personal problem is that I'm stuck with a Sophos UTM Home License due to the fact that it is the ONLY solution that brings the HTML5 capabilities to a private home customer basis. But this is limited at some point.
So from my private experience, this feature would boost the distribution of OPNsense in the community and also enable users that are using pfSense to switch to the OPNsense solution. :)

best regards
Klaus

@mimugmail
Member Author

It's not our effort to make users switch from pf :) I have worked with Guacamole for some time now. The upgrade process on Linux itself is a mess; no idea how to support this in a stable manner.

It would be better to use the Docker container somewhere behind your firewall.

No branches or pull requests

5 participants