DaveWentzel.com            All Things Data

Guacamole: A clientless RDP gateway

(Update:  Upgrading to guac 0.9.4)

(UPDATE:  Guac 0.9.2 is out and I'm running it and very satisfied.  These instructions work equally well with 0.9.2; you simply need to change "0.9.0" to "0.9.2" in the requisite spots in the instructions below.  I also wrote Upgrading Guacamole, which covers how to upgrade an existing guac instance to 0.9.2.)

 

Guacamole is an open source (MIT licensed, so it's "free"; see my recent Open Source Licensing post on this), clientless RDP solution that runs in any HTML5 browser (which is any browser from the last few years).  Why do you need this, and why should you care?  If you need to remotely connect over the internet to Windows servers (you deal with small clients or your home network) and you don't want to open up Port 3389 (the default RDP port), then guacamole is an excellent choice.  If you currently have Port 3389 open, I suggest closing it.  I can tell you that every script kiddie out there has password crackers that attempt brute force attacks against open, internet-facing RDP ports.

Guacamole runs on Java/tomcat/Linux on your internal network and serves up the RDP session via Port 80/443.  So, it's a gateway.  Then why not use /tsweb and IIS that comes with Windows Server?  Because /tsweb still uses Port 3389 to connect; /tsweb merely allows the client to be downloaded from a website.

With guac no new ports need to be open so it should be much more secure.  Since it doesn't need a client (other than an HTML5 browser) you should be able to connect to your Windows machines from anywhere on the planet, including from iPhones and Android devices.  You can certainly use something like LogMeIn (which costs a few bucks) or OpenVPN (free, but takes some time to set up and still requires a client) to accomplish secure remote access.  Guacamole is just another tool in your toolbelt.  Guacamole is my solution of choice because it is fast, requires about 256 MB of RAM in a Hyper-V and takes only a few minutes to set up.

The guacamole install manual, like most OSS, is not user-friendly if you are not a Linux wizpert.  In fact, if you follow the manual you will end up installing an ancient version which does not handle logging in to "modern" Windows boxes (Windows 2012/WIN8 has new NLA security features with RDP).  So, this post will show how to set up a VM on your Hyper-V server to host Guacamole.  I assume you understand the absolute basics of VMs and ubuntu.  You need no knowledge of tomcat or Java.  In fact, you really don't even need to know ubuntu if you can type text without too many typos.

The Process

  1. Install Ubuntu (14.04 is best as of this writing) in your VM.  Patch it (sudo apt-get update;sudo apt-get upgrade), give it a static IP address.
  2. sudo apt-get install make libcairo2-dev libpng12-dev freerdp-x11 libssh2-1 libfreerdp-dev libvorbis-dev libssl0.9.8 gcc libssh-dev libpulse-dev tomcat7 tomcat7-admin tomcat7-docs
     These are the standard packages you'll need.
  3. sudo apt-get install libpango1.0-dev libssh2-1-dev
  4. wget -O guacamole-server-0.9.0.tar.gz http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-0.9.0.tar.gz/download
     We can't use apt-get because it is currently serving up Guacamole 0.6.0, which doesn't work well with Windows 2012 or Win8.  Instead, we get the source code from sourceforge directly (you may want to see if there is something newer than 0.9.0 since improvements are being made to guacamole weekly).
  5. wget -O guacamole-0.9.0.war http://sourceforge.net/projects/guacamole/files/current/binary/guacamole-0.9.0.war/download
  6. sudo tar -xzf guacamole-server-0.9.0.tar.gz
  7. cd guacamole-server-0.9.0
  8. ./configure --with-init-dir=/etc/init.d  (this configures autostart on reboot for the necessary services)
  9. make
  10. sudo make install
  11. sudo update-rc.d guacd defaults  (this sets the autostart for the default runlevels)
  12. sudo ldconfig  (that is ell dee config; it refreshes the shared-library cache so the libraries you just installed can be found)
  13. sudo mkdir /etc/guacamole
  14. sudo nano /etc/guacamole/guacamole.properties  (enter the items from the screenshot at the right)
  15. Ctl+O  (writes out the changes)
  16. Ctl+X  (exits nano, the text editor)
  17. sudo nano /etc/guacamole/user-mapping.xml  (a sample is to the right).  There are so many rdp options that you should probably eventually read the user-mapping documentation.  You can start apps directly using remote-app and you can autologin using username/password.  I use guacamole to remotely connect to my Linux boxes using ssh too, without opening ssh ports (22) or having an ssh client on my android devices.  You can also use guacamole as a clientless VNC gateway.
  18. Ctl+O  (writes out the buffered changes)
  19. Ctl+X  (exits the editor)
  20. sudo mkdir /usr/share/tomcat7/.guacamole
  21. sudo ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole
  22. sudo cp ../guacamole-0.9.0.war /var/lib/tomcat7/webapps/guacamole.war  (the .war from step 5 sits one directory above guacamole-server-0.9.0, where step 7 left you)
  23. sudo service guacd start
  24. sudo service tomcat7 restart
  25. Open a browser on your local network and navigate to http://<ipaddress>:8080/guacamole.  Login with your credentials from user-mapping.xml.  At this point you've got a working guacamole rdp gateway server.  

Any errors you get at this point will show up as "Invalid login", which is the generic error message.  The cause is likely a typo in either the .properties file or the user-mapping.xml file.  You can view the logs with sudo nano /var/log/tomcat7/catalina.<today>.log.  There isn't much that can go wrong other than typos.  Double-check the two hand-crafted files we created above.
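A pre-flight check for the two hand-crafted files, as an added example (not part of the original post and not Guacamole's own code): it reports misspelled or missing property keys, user-mapping.xml that is not well-formed, passwords stored in cleartext, and files any local account can read. The property key names and the user-mapping layout are assumed from the Guacamole 0.9.x documentation because the post's screenshots are not reproduced here; the sample contents and the finding codes are constructed for illustration.

```python
import difflib
import os
import stat
import xml.etree.ElementTree as ET

# Key names assumed from the Guacamole 0.9.x docs (the post's screenshot is unavailable).
REQUIRED_KEYS = ("guacd-hostname", "guacd-port", "auth-provider", "basic-user-mapping")
KNOWN_KEYS = REQUIRED_KEYS + ("lib-directory",)

# Constructed samples (not the author's files); the first key is misspelled.
SAMPLE_PROPERTIES = """\
guacd-hostnmae: localhost
guacd-port: 4822
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
"""
SAMPLE_MAPPING = """\
<user-mapping>
  <authorize username="alice" password="s3cret">
    <protocol>rdp</protocol>
    <param name="hostname">192.0.2.10</param>
    <param name="password">WinPass1</param>
  </authorize>
  <authorize username="bob" password="5f4dcc3b5aa765d61d8327deb882cf99" encoding="md5">
    <connection name="web01-ssh"><protocol>ssh</protocol></connection>
  </authorize>
</user-mapping>
"""


def parse_properties(text):
    """Parse 'key: value' or 'key = value' lines, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cut = min((i for i in (line.find(":"), line.find("=")) if i >= 0), default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def lint_properties(text):
    """Return (code, detail) findings for guacamole.properties content."""
    props, findings = parse_properties(text), []
    for key in props:
        near = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.8)
        if key not in KNOWN_KEYS and near:
            findings.append(("key-typo", f"{key!r} looks like {near[0]!r}"))
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(("key-missing", key))
    port = props.get("guacd-port")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(("bad-port", port))
    return findings


def lint_user_mapping(xml_text):
    """Return (code, detail) findings for user-mapping.xml content."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. an <authorize> that is never closed
        return [("xml-not-well-formed", "line %d, column %d" % exc.position)]
    if root.tag != "user-mapping":
        return [("bad-root", root.tag)]
    findings = []
    for auth in root.findall("authorize"):
        user, pw = auth.get("username", ""), auth.get("password", "")
        if not user or not pw:
            findings.append(("login-incomplete", user or "?"))
        elif auth.get("encoding") != "md5":
            # encoding="md5" is unsalted, so the file still needs tight permissions.
            findings.append(("cleartext-login-password", user))
        elif len(pw) != 32 or any(c not in "0123456789abcdefABCDEF" for c in pw):
            findings.append(("bad-md5-digest", user))
        # Connections are either <connection> children or inline in <authorize>.
        for conn in auth.findall("connection") or [auth]:
            label = conn.get("name") or user
            params = {p.get("name"): (p.text or "") for p in conn.findall("param")}
            if conn.findtext("protocol") is None or not params.get("hostname"):
                findings.append(("connection-incomplete", label))
            if params.get("password"):
                findings.append(("stored-remote-password", label))
    return findings


def lint_file_mode(path):
    """Flag a password-bearing file that any local account can read or write."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world = mode & (stat.S_IROTH | stat.S_IWOTH)
    return [("world-accessible", f"{path} mode {mode:04o}")] if world else []


if __name__ == "__main__":
    print(lint_properties(SAMPLE_PROPERTIES))
    print(lint_user_mapping(SAMPLE_MAPPING))
    print(lint_user_mapping(SAMPLE_MAPPING.replace("</authorize>", "", 1)))  # tag dropped
```

On the gateway, pass the real file contents (for example the text of /etc/guacamole/user-mapping.xml) to the same functions before restarting tomcat7.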

At this point guacamole is working but it is listening on port 8080. If you are OK with that, then poke a hole in your firewall/router and you can begin using guacamole. Read on for some additional improvements you can make to guacamole...

Backing up your guacamole server

There's not much to back up on your guacamole server, other than config files, so I like to use git for things like this. If it's easier you can just take a snapshot of your VM too and save it off somewhere. For Git:

sudo apt-get install git
cd /etc/guacamole   # this contains your .properties file and user-mapping.xml
sudo git init
sudo git add guacamole.properties
sudo git add user-mapping.xml
sudo git config --global user.email ""
sudo git config --global user.name ""
sudo git commit -m 'initial configuration'
# the next two commands are not necessary unless you want to push to your git repo server
sudo git remote add origin ...
sudo git push -u origin master

I want guacamole to be available on <main web server>/guacamole, not on Port 8080

In other words, you want guacamole to be served up by your standard webserver in a folder there, not on a separate tomcat webserver running guacamole.  This is a fairly simple mod. On your main webserver you need to create a folder that is used to proxy to your guacamole server.  I assume your main webserver is also Apache; if not, you'll have to do some research on your webserver to determine how to proxy to another webserver under the same namespace (ARR in IIS for instance).  In your Apache httpd.conf (or equiv) file you'll need these entries:

 # /guacamole settings
 ProxyPass /guacamole http://<guac ip>:8080/guacamole
 ProxyPassReverse /guacamole http://<guac ip>:8080/guacamole
 <Location /guacamole>
      Order allow,deny
      Allow from all
 </Location>
 
Restart Apache and you should be able to use guacamole on your main webserver by browsing to /guacamole, using standard Port 80.  No changes needed to the guac installation for this.  The ProxyPass simply tells apache that when requests come to /guacamole that they should be rerouted to the guac server on a different port. ProxyPassReverse handles rewriting the headers on the response from guacamole so the client doesn't get confused.  Remember, guac, in this configuration, does not know it is directly attached to the internet because we did not set a hostname anywhere.  
 
At this point it is also advisable to set up SSL encryption if you deem it necessary.  SSL only needs to be set up on your main webserver, not on the guac server.  So if you have SSL working already the proxying will work transparently with nothing else to do.  You can definitely run guac without https; just be aware that you are taking a bit of a risk.

Summary

I do a lot of consulting for small mom-and-pop shops that can't afford expensive IT infrastructure.  When I need to connect to their internal resources the easiest way to do this is to set up a VM with guacamole on it.  Formerly I used LogMeIn but that isn't free anymore.  OpenVPN is an excellent choice but it requires a client and a VM that acts as the gateway, plus a hole in the firewall for OpenVPN.  Guac needs none of this.  Once you set up a guac VM you can save the vhdx file (or equiv if you are using another virtualization technology) and then you have a quick guac server for your next client.  Big time saver...no cost.



43 comments

Comment: 
By far the easiest document yet to follow. Thanks :)

Comment: 
I agree, the easiest guide I've found. However, I'm getting an Invalid login as you mentioned I may get. Log files show: SEVERE: Error getting authentication provider from properties. Exception: /var/lib/tomcat7/webapps/guacamole/web-inf/classes is not a directory Any ideas? Thanks

Comment: 
Worked well thanks for the Guide.

Comment: 
I want to configure guacamole in Windows. Please help me regarding this.

Comment: 
Guacamole runs under Linux. This will not happen. You should consider a VM methodology.

Comment: 
Love the help, thank you so much. All appears well, but I keep getting errors when trying to open a VNC connection. RDP connections work fine, but VNC keeps giving a "An internal error has occurred" message, see: http://i.imgur.com/wcWc1zX.png ... Guac Server logs at: http://i.imgur.com/RVPCo0W.png I've scoured Google, but I'm not finding anything helpful. Can someone help, even a little, please?

Comment: 
In my experience that's a generic error and not very helpful.  Look at syslog...all entries are prefixed with "guacd", including client plugins.  The fact that RDP works but VNC doesn't tells me it is likely a client library.  Start looking there.  This is purely my experience but I never use VNC when connecting to Linux or Windows desktops.  It seems too slow to me and never seems to work reliably with guac, as you can attest.  Instead, for Linux desktops I setup xrdp.  Much faster and more stable.  Also, unlimited users can connect.  It's not a panacea though.  On some distros like ubuntu it is almost impossible (or maybe I'm just an idiot) to reconnect to a disconnected RDP session unless you jot down the port you were using for that session.  Fedora is much better at this.  There are lots of good tutorials on xrdp.  

Comment: 
I try to install tomcat7 but it failed so I installed tomcat6. I have follow all the other instructions but I cannot connect so I look at the log file and I have problems/errors that I cannot solve myself. Could you help me ?

Comment: 
I finally started from scratch with a new VM linux ubuntu 14 LTS. I followed your tuto and I managed to have access to portal after entering the user and pwd. When I selected the server I have the following error : connection error ! From where the error could come from ? Regards Vince

Comment: 
Hi, could you (PLEASE) rewrite the tuto from scratch with new linux ubuntu completely new without any installation as I still have connection error when I am trying to connect to the remote VM from a PC ! I do not know how to solve this ! Please help me ! thanks for this good job but I missed something and I have tried again from scratch with same result

Comment: 
If you post the catalina logs we can probably figure it out.

Comment: 
Dave I just wanted to say thank you for the tutorial, this is going to be a huge help when I am away for an upcoming deployment, but still need to get back to resources. They don't like it when I install ssh software, or use rdp back to my own servers. This provides a very clean way to get back to what I need in a pinch. Maybe a tutorial on how to do it with ssl would also be good. Thank you for this one, it was awesome.

Comment: 
Thanks a lot Dave, it was really very straightforward and clear. I faced a problem myself: it was not working, and I found out, as you said, " Any errors you may get will be "Invalid login" at this point. This is the generic error message. The errors will likely be a typo in either the .properties file or the user-mapping.xml file." and my problem was copy and paste problems, so as I learned you must "love to learn the pain" (LLP) :) in Linux. Just want to add more in the section on putting guacamole under the proxy: besides adding to the apache2.conf file under "/etc/apache2", first you need to run these commands to activate MOD_PROXY as follows: "sudo a2enmod proxy" "sudo a2enmod proxy_http" and then restart the apache server with "sudo service apache2 restart". That's how it worked for me. I hope I added a correct thing and did not mislead anyone. Good day to all.

Comment: 
Missing libraries to make it work under Ubuntu 14.02: apt-get install libossp-uuid-dev libtelnet-dev

Configuration stages ends with:

------------------------------------------------
guacamole-server version 0.9.6
------------------------------------------------

   Library status:

     freerdp ............. yes
     pango ............... yes
     libssh2 ............. yes
     libssl .............. yes
     libtelnet ........... yes
     libVNCServer ........ yes
     libvorbis ........... yes
     libpulse ............ yes

   Protocol support:

      RDP ....... yes
      SSH ....... yes
      Telnet .... yes
      VNC ....... yes

   Init scripts: /etc/init.d

Comment: 
Any idea how to make clipboard/Copy-Paste working for RDP using Guacamole?

Comment: 
Ctl + Alt + Shift opens the helper window.  Works great for me using Chrome.  --dave

Comment: 
Thanks for the blog post Dave.. Very precise and informative.. I only had to build this about 19 times... I am just starting with port 8080.. No MySQL no Apache2?? Check your TOMCAT7 folks symlinks missing. Look up "broken symbolic links tomcat7 on 14" in google.. Back that box up!

Comment: 
Dave, Your instructions are well documented, and you've done a fantastic job putting this together! I would like to request a rewrite for the latest version 0.9.7, as it seems to be significantly different according to the Guacamole documentation. This would be a HUGE asset to us noobs. Thanks in advance!

Comment: 
I can't guarantee it, but I'll try.  I'll probably instead write instructions for upgrading to 0.9.7 from previous versions.  It seems like the most common use cases are upgrading guac from a previous version...which is usually an ancient version installed from apt or yum.  

Comment: 
Thanks for your blog post Dave.. Very precise and helpful to me. I have followed your post and succeeded to install guacamole server on Ubuntu 12.04 LTS VM. Connection to guacamole web page is OK as well. But the connection to RDP host from web page is failed with connection error message. -------------------- Connection Error An internal error has occurred within the Guacamole server, and the connection has been terminated. If the problem persists, please notify your system administrator, or check your system logs. Reconnect --------------------- I confirmed log file in /var/log/tomcat7/catalina..log, but could not know what is wrong. I'm only at the ABC of Guacamole. Could you help me to give me a hint what is wrong? Thanks again.

Comment: 
based on the error it looks like /etc/guacamole/user-mapping.xml.  Can you send the contents of that file, obviously removing identifying information?  --dave

Comment: 
I'm wondering about the purpose of downloading the guacamole-0.9.0.war above, you seem to download it and then not do anything with it, instead using the .tar.gz ? Am I missing something here?

Comment: 
hi, first thanks for this help, its really hard to follow the guacamole documentation on their site. I however have a problem here too. I have come to the state where I can see the guacamole login page. But when i enter the credential I cannot login, it says- login invalid. I rechecked the user-mapping.xml and guacamole.properties files. My tomcat is in opt/tomcat folder so I guess I had to change the lib-directory path(which in your case is /var/lib...), am I right? Also, I don't have the tomcat7 directory so sudo mkdir /usr/share/tomcat7/.guacamole fails to create it. I think that my problem is that tomcat is installed in other directory than mentioned here. Can you help how to configure correctly if my tomcat installation is in /opt/tomcat folder? thanks! -suman

Comment: 
I'm not sure what that could be.  The newer versions of guac have installation manuals that are easier to understand.  

Comment: 
Hi Suman I get the exact same issue, did you ever find a solution? Thanks Ade

Comment: 
hi ade, no i haven't solved it. i am restarted the whole process using tomcat7.

Comment: 
Thanks so much! I got this working today with this post + your 0.9.4 revisions and a copy of a Ubuntu 14 VM that I had lying around. There is a typo, "guacadmole" in the first screenshot. More importantly, it may have been my recycling of a random VM, but I had to get one more package: sudo apt-get install libossp-uuid-dev Overall, awesome. My eyes glazed over when I started reading the official docs...

Comment: 
Glad to hear it.  Agreed regarding the official docs...too much "why" and "what" embedded with the "hows".  --dave

Comment: 
Hi, I am still having problem. Do we need to install xrdp server? Thanks

Comment: 
I am getting the following connection error with a reverse proxy to a Guac server. On the internal network I can connect to each VM fine, but externally I get the following error: "Connection Error, you do not have permission to access this connection. If you require access, please ask your administrator to add you to the list of allowed users or check your system settings" Is there a specific firewall port that needs to be open to connect to either the IIS server or Guac server?

Comment: 
Try this:  http://sourceforge.net/p/guacamole/discussion/1110834/thread/b6556e68/

Comment: 
I'm not able to move the .war file into the .gauc folder as it says that .war doesn't exist but I've downloaded it twice. Any recommendations?

Comment: 
What is the exact error?  Make sure you are running as sudo su -

Comment: 
Hi, had the same problem, the directory will be wrong. Just type "cd.." to go to the above directory and try again.

Comment: 
This looks great, could I ask a stupid question? How do I connect to each machine? Once the server is set up how do you connect to the end client? Does the end user need to go to a specific web page or do I need to create some sort of list with each IP? Sorry, I know I'm stupid but I can't get my tiny brain around how exactly this works.

Comment: 
Essentially in the UI there is an area to specify the remote machines/IPs and the protocol (ssh, rdp, vnc).  As long as you have the client libraries for the protocols you want installed and you don't have any firewall issues you'll be fine.  There is another section in the UI where you can specify which users can log in and which remote servers they can "see" via guac.  Guacamole itself does no authentication (by default) to the remote servers so the user would need to still have an RDP or SSH login.  

Comment: 
I'm getting an invalid login error. I've double and triple checked the .properties and user-mapping for typos. The logs say that the classes library doesn't exist. I've manually navigated to that directory and it is... Any advice?
un 09, 2016 1:40:24 AM org.slf4j.impl.JCLLoggerAdapter error
SEVERE: Error getting authentication provider from properties.
org.glyptodon.guacamole.GuacamoleException: var/lib/tomcat7/webapps/guacamole/WEB-INF/classes is not a directory.
    at org.glyptodon.guacamole.net.basic.GuacamoleClassLoader.(GuacamoleClassLoader.java:104)
    at org.glyptodon.guacamole.net.basic.GuacamoleClassLoader.(GuacamoleClassLoader.java:45)
    at org.glyptodon.guacamole.net.basic.GuacamoleClassLoader$1.run(GuacamoleClassLoader.java:72)
    at org.glyptodon.guacamole.net.basic.GuacamoleClassLoader$1.run(GuacamoleClassLoader.java:68)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.glyptodon.guacamole.net.basic.GuacamoleClassLoader.(GuacamoleClassLoader.java:68)
    at org.glyptodon.guacamole.net.basic.properties.AuthenticationProviderProperty.parseValue(AuthenticationProvi$
    at org.glyptodon.guacamole.net.basic.properties.AuthenticationProviderProperty.parseValue(AuthenticationProvi$
    at org.glyptodon.guacamole.properties.GuacamoleProperties.getProperty(GuacamoleProperties.java:150)
    at org.glyptodon.guacamole.properties.GuacamoleProperties.getRequiredProperty(GuacamoleProperties.java:198)
    at org.glyptodon.guacamole.net.basic.AuthenticatingHttpServlet.init(AuthenticatingHttpServlet.java:98)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1279)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1192)
    at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:315)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
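The exception quoted in the comment above names a path with no leading slash (var/lib/tomcat7/...). The following shell check is an added example, not part of the original post, its comments, or Guacamole's own code; it verifies that the path-valued entries in guacamole.properties are absolute and exist, and assumes the 0.9.x property names lib-directory and basic-user-mapping written as "key: value" or "key=value".

```shell
#!/bin/sh
# Added example: sanity-check path-valued properties in guacamole.properties.
# Assumed property names: lib-directory, basic-user-mapping (Guacamole 0.9.x).

# get_prop FILE KEY -> prints the trimmed value of KEY (last occurrence wins).
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_path KIND VALUE -> prints a verdict; KIND is d (directory) or f (file).
check_path() {
    case "$2" in
        "")  echo "missing"; return 1 ;;
        /*)  ;;                              # absolute path, keep checking
        *)   echo "relative"; return 1 ;;    # resolved against Tomcat's cwd
    esac
    if [ "$1" = d ] && [ ! -d "$2" ]; then echo "not-a-directory"; return 1; fi
    if [ "$1" = f ] && [ ! -r "$2" ]; then echo "unreadable"; return 1; fi
    echo "ok"
}

# check_guac_props FILE -> one line per property; non-zero exit on any failure.
check_guac_props() {
    rc=0
    for spec in d:lib-directory f:basic-user-mapping; do
        kind=${spec%%:*}; key=${spec#*:}
        verdict=$(check_path "$kind" "$(get_prop "$1" "$key")") || rc=1
        echo "$key: $verdict"
    done
    return $rc
}

# Run against a file when one is given, e.g. /etc/guacamole/guacamole.properties
if [ "$#" -gt 0 ]; then check_guac_props "$1"; fi
```

Run it as the user Tomcat runs as, so the readability test reflects what the web application can actually open.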

Comment: 
ldconfig (It essentially loads your config changes) no l0l

Comment: 
Hi, Please help me to set up the Windows client using guacamole.. In guacd log is:
Connection "$d1651439-2a12-462b-8274-a6ee82484bd8" removed.
guacd[9502]: INFO: Creating new client for protocol "rdp"
guacd[9502]: INFO: Connection ID is "$692846eb-6769-45e9-9fbd-ff5078f29ca8"
guacd[19061]: INFO: Security mode: ANY
guacd[19061]: INFO: Resize method: none
guacd[19061]: INFO: User "@ceb3c738-ae42-45e8-91b2-e4d644b9e330" joined connection "$692846eb-6769-45e9-9fbd-ff5078f29ca8" (1 users now present)
guacd[19061]: INFO: Loading keymap "base"
guacd[19061]: INFO: Loading keymap "en-us-qwerty"
connected to 172.16.0.9:3389
guacd[19061]: INFO: guacsnd connected.
guacd[19061]: INFO: guacdr connected.
guacd[9502]: INFO: Connection "$692846eb-6769-45e9-9fbd-ff5078f29ca8" removed.
In syslog:
Creating new client for protocol "rdp"
Sep 15 23:12:45 localhost guacd[9502]: Connection ID is "$692846eb-6769-45e9-9fbd-ff5078f29ca8"
Sep 15 23:12:45 localhost guacd[19061]: Security mode: ANY
Sep 15 23:12:45 localhost guacd[19061]: Resize method: none
Sep 15 23:12:45 localhost guacd[19061]: User "@ceb3c738-ae42-45e8-91b2-e4d644b9e330" joined connection "$692846eb-6769-45e9-9fbd-ff5078f29ca8" (1 users now present)
Sep 15 23:12:45 localhost guacd[19061]: Loading keymap "base"
Sep 15 23:12:45 localhost guacd[19061]: Loading keymap "en-us-qwerty"
Sep 15 23:12:45 localhost guacd[19061]: guacsnd connected.
Sep 15 23:12:45 localhost guacd[19061]: guacdr connected.
Sep 15 23:12:45 localhost kernel: guacd[19072]: segfault at 0 ip 0042fc96 sp b4afe0b4 error 4 in libc-2.12.so[3af000+191000]
Sep 15 23:12:45 localhost guacd[9502]: Connection "$692846eb-6769-45e9-9fbd-ff5078f29ca8" removed.
Kindly help me to solve this.... Thanks in advance, John

Comment: 
How to connect guacamole to Android mobile? What must be loaded on the Android device to allow the guacamole server to remote control? Also, does guacamole use the VNC protocol to connect to Android? We don't want to use SSH as it's only terminal based.

Comment: 
No idea.  My guess is VNC.  

Comment: 
Great tutorial. Made a little typo but after that everything worked well. Thanks.
