For a long time now, I’ve been hearing from customers they want a Secure Clientless Remote access solution they can trust. It might shock you just how many times I’ve run across Enterprise IT orgs still dependent on a now deprecated SSLVPN solution from a Hardware Firewall vendor. The only use case for it , is giving 3rd parties access to maintain systems via RDP.

Here’s what I’ve come up with. I’ve actually built this and will continue testing it. Apache Guacamole is open source and really not that hard to deploy in Docker. I used Claude to generate an Install script, so I spent all of 10 minutes installing it. Given how Guacamole works, it’s not something you just want to have open access. So it needs to be well protected.

The Architecture

1. User: Hits the Avi Virtual Service (HTTPS).
2. Avi (SAML SP): Redirects the user to Entra ID for MFA/SSO.
3. Entra ID (IdP): Validates the user and sends a SAML token back to Avi.
4. Avi: Validates the token and grants access to the Guacamole Web Server (Tomcat).
5. Guacamole: Uses its internal guacd proxy to connect to the backend RDP servers.
6. vDefend: Ensures lateral security by only allowing the AVI SE’s to talk to Guac and Guac can only talk to the Internal VMs that vDefend Allows it to.

Aside from the Security that AVI provides with Full SSL Encryption (including LetsEncrypt Certs) and SAML for MFA. AVI also provides you unmatched End to End Analytics so if there was any performance issues, you can quickly find them.

Lastly, I configure a vDefend Distributed Firewall Policy set to ensure maximum security around the whole setup.

An Allow rule so only the AVI Service Engines can talk to Guac

An Allow rule so Guac is only able to RDP to the hosts it must have access to

Block Anything else and don’t let Guac RDP to Anything else

The end result is Clientless access to Only what I want and where I want to be. I can even have AVI pass off the Authentication Header to Guac, so when the user signs in via SSO, it’s mapped all the way through, otherwise you get the standard Guac Ui login.

The testing I’ve done with this setup so far it works well. I need to do more fine tuning. And if I ever get Openclaw running, maybe I’ll have it write a better looking front end interface for Guacamole.

-Britton

This was written by Me. Not an LLM.

For many years now, I’ve been hearing from customers of all shapes and sizes a similar refrain. “Zero Trust is not achievable” , “Segmenting my Apps for Security takes too long”, “We can’t reconstruct the entire network just to make Apps more secure”, “I don’t have visibility of what my Apps are talking to”, “I already have too many security tools”… If you’ve worked in an Enterprise IT organization for any length of time you’ve heard all these too and more.

Having seen how the Data Center Security problem is viewed from multiple angles. I come back to where I started which is VMware (now by Broadcom), and what we now call the vDefend Security Services Platform. This powerful solution encompasses both Best in class defense with the Distributed Firewall and Advanced Threat Prevention services for complete security in the Data Center.

Over the coming weeks I’m going to take on each one of these critical feedback points, and show how customers are able to overcome them. Change is hard, and at some point everyone has to make a decision to this question. What do you want more? To remain the same or do you want real results with trackable metrics? I believe it goes without saying that remaining the same only leaves you vulnerable. So change is your only option. The attackers adapt their strategies constantly, and so must you. Let’s get started.

Leave Comments on my LinkedIN post for this thread. https://www.linkedin.com/posts/gigabrit_new-blog-series-incoming-lets-build-a-secure-activity-7393754339036758016-K5Xn?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAxjQwQBCCc84y2NN2WWIkIqW1s6EbbbmHQ

-Britton Johnson | @vcixnv

VCIX-NV | VCAP-NV