Apache Guacamole is an open source client-less remote desktop gateway. Guacamole allows your end-users to use their browsers to access desktop environments; under the hood, Guacamole uses remote desktop protocols (such as VNC or RDP) to set up the connection.
You can leverage Banyan’s ability to secure Hosted Websites, combined with its capability as a Federated Identity provider, to manage access to desktop environments via Guacamole. Your end-users will be able to access their desktop environment conveniently via the browser, without needing VPN access. Best of all, you can enforce Zero Trust access policies as you would for any hosted web service.
This article assumes you have good familiarity with the Guacamole Manual and have a working installation of the Guacamole server that is configured for SAML.
If you don’t already have a working Guacamole installation, you can follow Banyan’s setup guides to:
1.1 Log in to the Banyan Command Center and navigate to Secure Access > Policies > Create New Policy.
1.2 Create a new Policy using the template Basic Authorization Policy for Users.
1.3 Enter a Policy Name (such as,
hosted-service) and a Description.
1.4 Configure the Policy Attributes for minimal controls:
2.1 Navigate to Manage Services > Hosted Services and then click + Register Service.
2.2 Select the template Standard Website.
2.3 Enter the Service Name (such as,
Guacamole Web) and Description (such as
Access to hosted Guacamole server).
2.4 Click Select an Icon, then search for and select an icon.
2.5 Select the cluster where the applicable Access Tier is located.
2.6 Configure the Service Attributes:
guac.corp.example.com) and leave the port as
2.7 Attach the policy we had previously created in Step 1.4, and then set enforcement mode to
2.8 Click Register Service.
3.1 Navigate to Manage Services > SaaS Applications and then click + Register App.
3.2 Enter the SaaS Application Name (such as,
Guacamole SAML) and Description (such as
SAML authentication for Guacamole).
3.3 Configure the Authentication Federation settings:
3.4 You’ll also need to note the Metadata URL for use in configure the SAML authentication in the Guacamole server configs.
4.1 Now, you can navigate to your Guacamole instance at
You will be taken to your Identity Provider to login while, behind the scenes, Banyan is evaluating device posture and enforcing your security policies.
Once access in granted, you can use Guacamole’s native capabilities to configure and access desktop environments.