2

We are using Guacamole HTML5 Remote Desktop functionality in our application. However, once we deployed the Guacamole server and our customers tried accessing it from their corporate network, they reported connectivity issues.

It turns out that most anti-virus software (Bitdefender, AVG, etc.) is blocking access to the Guacamole server through its SSL scanning feature. If we disable SSL scanning, then our customers are able to connect to the Guacamole server. However, we cannot expect our clients to permanently turn off SSL scanning in their anti-virus software.

We also figured out that Guacamole creates an HTTP tunnel and the JS client constantly sends read and write requests. These read/write requests are of type application/octet-stream. Most firewalls block application/octet-stream, and our guess is that the SSL scanning feature in anti-virus software is also blocking it because of this MIME type.

Guacamole HTTP Tunnel using application/octet-stream

We would like to know if there is any workaround to prevent anti-virus software from blocking Guacamole traffic without turning off the SSL scanning feature. We would appreciate any help, feedback or suggestions in this regard.

Gaurav

2 Answers

1

I was able to figure out a solution with help from the Guacamole support team. We were not using the latest versions of NGINX and Tomcat on our Guacamole server. Once we upgraded to the latest versions of this software, the entire communication started using websockets. This also fixed all the issues we were facing with anti-virus software.

Gaurav
0

I think your analysis of the issue is right. I had problems like this in the past with Bitdefender and ended up disabling its firewall. I also had issues with Fiddler (an HTTP proxy) with long polling requests.

I'm surprised Guacamole uses an HTTP tunnel while it's an HTML5 solution and should use websockets for communication. Perhaps it's to keep an HTTP session active.

Last month I open sourced a solution comparable to Guacamole (Myrtille). It has about the same features except it's written in C# (uses IIS and the .NET framework) instead of Java and thus is more intended for Windows Servers. If you still have issues and want to give it a try, I'd be curious and glad to have some feedback from people :) (sadly few actually, it either means it works great or it's crap ^^)

cedrozor
    Guacamole does use websockets but falls back on the HTTP tunnel when there is any issue with websockets. We upgraded the nginx and tomcat servers to the latest versions and websockets started working. Your project Myrtille looks interesting and I will definitely spend some time trying out your solution. – Gaurav May 03 '16 at 03:51