RDP in the browser: Apache Guacamole and Sophos UTM

Although the UTM also has a solution with the HTML5 VPN to display RDP connections in the browser, this runs as within the user portal. If you only have a public IP, you have to switch to a different port, as I did with the built-in Sophos solution. In other networks, however, often only the common ports such as 80 and 443 are open.

I faced exactly this problem, only one public IP, often I could not connect to the UTM user portal via other ports. The HTTPS port is already occupied by the web server protection and other services.

I first tested the Windows Admin Center, which is a pretty useful solution, but unfortunately not in conjunction with UTM Webserver Protection. The Windows Admin Center uses WebSockets, but this is not supported by UTM Webserver Protection.

However, there is the Apache Guacamole project, which has worked perfectly for me so far in conjunction with Webserver Protection. Maybe this little article will help other people, so here is a brief description of how to set up Webserver Protection for Guacamole.

My setup looks something like this:

Sophos UTM Webserver Protection uses a free wildcard certificate from Let's Encrypt. The web server protection runs on port 443 (https) and forwards to the real web servers depending on the host name. Currently, these are, for example, an Exchange server and another web server:

In addition, I am now adding a small CentOS VM to run Guacamole. I am using the CentOS minimal installation with 1 GB RAM and 1 CPU. The installation of Guacamole is pretty simple, I just used this installation script:

• https://sourceforge.net/projects/guacamoleinstallscript/files/CentOS/

The script asks for a few settings and installs a ready-made Guacamole environment.

Small hint: I installed Guacamole with NGINX, more on that later.

As soon as Guacamole is installed, a new web server can be created on the UTM:

A firewall profile is then required:

For guacamole to work, a few exceptions are necessary. I had to skip these rules:

• 981257
• 981245
• 981246
• 981243
• 981204
• 981172
• 981173
• 960015
• 981203
• 981318
• 981176

The virtual web server can now be created (do not forget the firewall profile):

Since the Guacamole installation is called via the /guacamole directory, I have adapted the NGIX configuration a little. This means that /guacamole does not have to be appended each time it is called:

• /etc/nginx/conf.d/guacamole_ssl.conf

For example, a call from https://rdp.frankysweb.de is now redirected to https://rdp.frankyweb.de/guacamole. With a corresponding redirection directly in the UTM, it would not work for me. So it's currently double (UTM + NGNIX). Maybe someone else has a tip?

So far I have not noticed any restrictions in connection with the UTM, everything works like clockwork:

Although the range of functions cannot be compared with the Windows Admin Center, the RDP connection in the browser works first-class and is extremely fast:

I have also activated Reverse Authentication, but this currently prompts for the user name and password twice. I'll see if I can switch Guacamole to basic authentication. Of course, you could also leave it as 2-factor authentication as it is