{"id":139,"date":"2026-03-25T23:43:34","date_gmt":"2026-03-25T23:43:34","guid":{"rendered":"https:\/\/gigabrit.com\/?p=139"},"modified":"2026-03-25T23:43:36","modified_gmt":"2026-03-25T23:43:36","slug":"secure-clientless-remote-desktop-with-vdefend-avi-load-balancer-apache-guacamole-and-entra-id","status":"publish","type":"post","link":"https:\/\/gigabrit.com\/?p=139","title":{"rendered":"Secure Clientless Remote Desktop with vDefend, Avi Load Balancer, Apache Guacamole, and Entra ID"},"content":{"rendered":"\n

For a long time now, I’ve been hearing from customers they want a Secure Clientless Remote access solution they can trust. It might shock you just how many times I’ve run across Enterprise IT orgs still dependent on a now deprecated SSLVPN solution from a Hardware Firewall vendor. The only use case for it , is giving 3rd parties access to maintain systems via RDP. <\/p>\n\n\n\n

Here’s what I’ve come up with. I’ve actually built this and will continue testing it. Apache Guacamole is open source and really not that hard to deploy in Docker. I used Claude to generate an Install script, so I spent all of 10 minutes installing it. Given how Guacamole works, it’s not something you just want to have open access. So it needs to be well protected.<\/p>\n\n\n\n

The Architecture<\/h3>\n\n\n\n
    \n
  1. User:<\/strong> Hits the Avi Virtual Service (HTTPS).<\/li>\n\n\n\n
  2. Avi (SAML SP):<\/strong> Redirects the user to Entra ID for MFA\/SSO.<\/li>\n\n\n\n
  3. Entra ID (IdP):<\/strong> Validates the user and sends a SAML token back to Avi.<\/li>\n\n\n\n
  4. Avi:<\/strong> Validates the token and grants access to the Guacamole Web Server (Tomcat).<\/li>\n\n\n\n
  5. Guacamole:<\/strong> Uses its internal guacd<\/code> proxy to connect to the backend RDP servers.<\/li>\n\n\n\n
  6. vDefend<\/strong>: Ensures lateral security by only allowing the AVI SE’s to talk to Guac and Guac can only talk to the Internal VMs that vDefend Allows it to.<\/li>\n<\/ol>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    Aside from the Security that AVI provides with Full SSL Encryption (including LetsEncrypt Certs) and SAML for MFA. AVI also provides you unmatched End to End Analytics so if there was any performance issues, you can quickly find them. <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Lastly, I configure a vDefend Distributed Firewall Policy set to ensure maximum security around the whole setup. <\/p>\n\n\n\n

    An Allow rule so only the AVI Service Engines can talk to Guac<\/p>\n\n\n\n

    An Allow rule so Guac is only able to RDP to the hosts it must have access to<\/p>\n\n\n\n

    Block Anything else and don’t let Guac RDP to Anything else<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    The end result is Clientless access to Only what I want and where I want to be. I can even have AVI pass off the Authentication Header to Guac, so when the user signs in via SSO, it’s mapped all the way through, otherwise you get the standard Guac Ui login. <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    The testing I’ve done with this setup so far it works well. I need to do more fine tuning. And if I ever get Openclaw running, maybe I’ll have it write a better looking front end interface for Guacamole. <\/p>\n\n\n\n

    -Britton <\/p>\n\n\n\n

    This was written by Me. Not an LLM. <\/p>\n\n\n\n

    \"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

    For a long time now, I’ve been hearing from customers they want a Secure Clientless Remote access solution they can trust. It might shock you just how many times I’ve run across Enterprise IT orgs still dependent on a now deprecated SSLVPN solution from a Hardware Firewall vendor. The only use case for it , … Continue reading Secure Clientless Remote Desktop with vDefend, Avi Load Balancer, Apache Guacamole, and Entra ID<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-139","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/gigabrit.com\/index.php?rest_route=\/wp\/v2\/posts\/139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gigabrit.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gigabrit.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gigabrit.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gigabrit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=139"}],"version-history":[{"count":3,"href":"https:\/\/gigabrit.com\/index.php?rest_route=\/wp\/v2\/posts\/139\/revisions"}],"predecessor-version":[{"id":147,"href":"https:\/\/gigabrit.com\/index.php?rest_route=\/wp\/v2\/posts\/139\/revisions\/147"}],"wp:attachment":[{"href":"https:\/\/gigabrit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gigabrit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gigabrit.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}