Apache Guacamole should be configured as a controlled remote-access gateway, not as an open internet endpoint.
¶ Core files and settings
Main files:
/etc/guacamole/guacamole.properties
/etc/guacamole/user-mapping.xml (only for simple/local auth)
Example guacamole.properties baseline:
guacd-hostname: 127.0.0.1
guacd-port: 4822
mysql-hostname: 127.0.0.1
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: replace-with-strong-password
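To check a guacamole.properties file against this baseline, an added Python example (not code from the Guacamole project). The property names are the standard ones shown above; the loopback requirement, the 16-character minimum and the placeholder list are assumptions of this example:

```python
"""Lint guacamole.properties against the baseline above (added example)."""
from ipaddress import ip_address

# Constructed sample: the baseline from this page with its placeholder
# password left in place, so the linter has something to flag.
SAMPLE = """\
guacd-hostname: 127.0.0.1
guacd-port: 4822
mysql-hostname: 127.0.0.1
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: replace-with-strong-password
"""

# Assumed list of values that must never ship as a real database password.
PLACEHOLDERS = {"replace-with-strong-password", "password", "changeme", "guacamole"}


def parse_properties(text):
    """Parse Java-style 'key: value' / 'key=value' lines; '#' starts a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        seps = [i for i in (line.find(":"), line.find("=")) if i >= 0]
        if not seps:
            continue
        cut = min(seps)  # first separator wins, as in java.util.Properties
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def _is_loopback(host):
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def lint(props):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    for key in ("guacd-hostname", "mysql-hostname"):
        host = props.get(key, "localhost")  # guacd defaults to localhost
        if not _is_loopback(host):
            findings.append(f"{key}={host}: backend reachable beyond the Guacamole host")
    pw = props.get("mysql-password", "")
    if pw.lower() in PLACEHOLDERS or len(pw) < 16:  # assumed threshold
        findings.append("mysql-password: placeholder or shorter than 16 characters")
    if props.get("mysql-username") == "root":
        findings.append("mysql-username=root: use a dedicated least-privilege DB account")
    return findings
```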
¶ Authentication and access policy
- Prefer LDAP/OIDC/SAML modules over local users.
- Enforce MFA at the IdP or reverse-proxy layer.
- Restrict admin UI to trusted networks or VPN.
- Apply least-privilege permissions for connection groups.
¶ Session and protocol hardening
- Disable clipboard/file transfer where policy requires it.
- Set idle timeout and maximum session duration.
- Keep RDP Network Level Authentication (NLA) enabled for Windows targets.
- Use SSH key auth for Linux targets instead of password auth.
¶ Backup and recovery
Back up:
- Guacamole database
- /etc/guacamole configuration
- Reverse proxy and TLS config
Recovery test:
- Restore DB and config to test host.
- Validate login via configured auth backend.
- Open one RDP and one SSH session successfully.
- HTTPS enforced.
- Failed login and brute-force events monitored.
- guacd and servlet health monitored.
- Session/audit logs retained per policy.