A Remote Access Alternative

+ a guide for setting up Guacamole 1.5.1

In an age where data breaches and security oversights seem to be rampant, it’s becoming increasingly difficult to trust even the biggest cloud-based IT tools like TeamViewer and LastPass. Sure, these established names offer numerous benefits, but their very size also makes them prime targets for cyberattacks. As an alternative, self-hosted tools are available to help lower your threat surface. But a word of caution: diving into self-hosting isn’t for the faint of heart, and you should only pursue it if you have a solid IT background and understand the potential risks of misconfiguring such services, especially when it comes to remote access.
Now, I want to be clear – this isn’t something I plan to put into production for MCT clients unless we can allocate the resources needed to thoroughly test and assess from a security standpoint. In fact, our partnership with Keeper could provide the peace of mind that’s often hard to come by when dealing with open-source projects. More on that another time, perhaps.
The idea of exploring remote access alternatives to major cloud-based IT tools like TeamViewer, ConnectWise Control (formerly ScreenConnect), and Splashtop was sparked by two key factors. Firstly, these tools require proprietary client software. With recent breaches like the 3CX client, we should be reminded that threats don’t always come from the outside, and we shouldn’t overlook the potential threats that start from a trusted source internally. Secondly, solutions like Keeper’s Connection Manager (built on Guacamole) enable secure credential handling and sensitive data auditing without the need for copying and pasting passwords or exposing them in plain text. This added layer of protection is invaluable for managers and employers, ensuring they know who is accessing what and offering a secure way for employees to work remotely.

Does your remote control tool have these options?

  • Disabling clipboard access: This prevents unauthorized copying and pasting of sensitive data, ensuring that confidential information remains secure.
  • Graphical session recording: This feature allows managers and employers to review sessions in detail, which can be crucial for accountability and resolving any disputes that may arise.
  • TOTP two-factor authentication: Enhancing login security by requiring an additional layer of authentication, such as a one-time password generated by a user’s mobile device, significantly reduces the risk of unauthorized access.
  • Account restrictions: Employers can set limits on user accounts, such as restricting access to specific resources or setting time-based access rules. This level of control helps maintain a secure remote work environment and prevents abuse.

If your existing remote access software doesn't have all the features listed above, you're opening yourself and your company up to unnecessary liability. Give us a call to discuss a solution that can increase security and convenience. (615) 200-8045.

Before diving into the setup instructions, I want to emphasize that these instructions are intended for IT admins and technical staff to help with their setups. My intention for providing these instructions is to offer a clear and up-to-date guide on getting Guacamole up and running, as many online tutorials are either outdated or require Docker. I strongly recommend that you only attempt this if you have experience with hosting, virtualization/hypervisors, and Linux. Proceeding without the necessary background and understanding could result in unintended consequences. Furthermore, once you have the Guacamole site up and running, you should look into hardening the security of the web app.

With this understanding, please note the following assumptions for this guide:


  • A fresh Debian 11 installation on a VM
  • Native installation, not Docker
  • Tomcat9 or earlier is required, as the latest version of Tomcat is not compatible
  • I will not be providing further instructions for security hardening the installation, like forcing HTTPS and network restrictions
  • This guide is for the latest version of Guacamole, 1.5.1

With That Said, Let's Get Started!

# Update all the things
sudo apt update
sudo apt upgrade

# If you run into permissions or sudoers problems, you can either log in as root using "su -" or temporarily add your user to the sudo group (which is what I did).
su -
apt-get install adduser
apt-get install sudo
sudo apt install passwd
sudo usermod -aG sudo Yourusername

# After adding the user to the sudo group, you can switch back to your own user with the following command:
su - Yourusername

# You can confirm that the permissions were applied correctly by running the following:
sudo -l -U Yourusername

# Install the required packages
# (tomcat9-admin, tomcat9-docs and tomcat9-examples deploy extra web apps that Guacamole itself does not need)
sudo apt install default-jdk maven libjpeg-dev libpng-dev libtool-bin autoconf automake make libcairo2-dev libjpeg62-turbo-dev libossp-uuid-dev freerdp2-dev ghostscript libavcodec-dev libavutil-dev libswscale-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libwebsockets-dev tomcat9 tomcat9-admin tomcat9-common tomcat9-docs tomcat9-examples

# Download Guacamole 1.5.1
wget https://downloads.apache.org/guacamole/1.5.1/source/guacamole-server-1.5.1.tar.gz
tar -xzf guacamole-server-1.5.1.tar.gz

# Change directory into the extracted folder
cd guacamole-server-1.5.1

# Build and install Guacamole Server (compile as your own user, install as root):
autoreconf -fi
./configure --with-init-dir=/etc/init.d
make
sudo make install
sudo ldconfig

# Download Guacamole Client source code:
cd ~
wget https://downloads.apache.org/guacamole/1.5.1/source/guacamole-client-1.5.1.tar.gz
tar -xzf guacamole-client-1.5.1.tar.gz
cd guacamole-client-1.5.1

# Build Guacamole Client:
mvn package

If the build fails due to a Java issue, you’ll need to verify the path of the Java environment. The error looks like this:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:3.2.0:jar (attach-javadocs) on project guacamole-common: MavenReportException: Error while generating Javadoc: Unable to find javadoc command: The environment variable JAVA_HOME is not correctly set. ->

Then set the JAVA_HOME variable appropriately:

export JAVA_HOME=/path/to/java

For me, it was /usr:

export JAVA_HOME=/usr

Now when you run “mvn package” the build should be successful.

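# Move up a folder (back to your home directory):
cd ..

# Deploy Guacamole; this puts the web app into the directory Tomcat will serve:
sudo cp guacamole-client-1.5.1/guacamole/target/guacamole-1.5.1.war /var/lib/tomcat9/webapps/guacamole.war
sudo systemctl restart tomcat9

# Reload systemd so it picks up the guacd init script installed under /etc/init.d, then start guacd
sudo systemctl daemon-reload
sudo systemctl start guacd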


That should do it! Now to access Guacamole you’ll just need to open a browser and navigate to the IP address or hostname of your server using the default port 8080. By default the Guacamole app is not in the root of the Tomcat folder, so make sure to add /guacamole after the port as well.
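
Because this guide leaves HTTPS and network restrictions out of scope, a quick exposure check is worth running once Tomcat and guacd are up. The script below is an added example, not part of the original guide: it assumes guacd's default port 4822 alongside the 8080 used above, and the function name and sample `ss` lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report Guacamole-related TCP listeners reachable beyond loopback.
# Assumed ports: 8080 (Tomcat connector used in this guide) and 4822 (guacd default).
GUAC_PORTS="8080 4822"

# Reads `ss -ltn` style lines on stdin (4th column = local address:port).
# Prints "EXPOSED <port> <address>" for each finding; returns 1 if any were found.
exposed_listeners() {
    awk -v ports="$GUAC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # everything before that colon
            if (!(port in want)) next              # not a Guacamole-related port
            # Loopback listeners (IPv4, IPv6, IPv4-mapped) are not reachable remotely.
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print "EXPOSED", port, addr
            found = 1
        }
        END { exit found + 0 }
    '
}

# Constructed sample resembling a host right after following this guide:
# sshd on all interfaces, guacd on loopback, Tomcat on every interface.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
LISTEN 0 5   127.0.0.1:4822 0.0.0.0:*
LISTEN 0 100 *:8080         *:*'

# Live use on the server:  ss -H -ltn | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners \
    || echo "Restrict these listeners (firewall or TLS reverse proxy) before exposing the host."
```

On the constructed sample the check flags only Tomcat's 8080, which is the cleartext HTTP listener the login page is served from.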