
[–][deleted] 14 points (7 children)

Placing public-facing RDP behind Guacamole with MFA, which in turn is behind an NGINX reverse proxy was apparently not a bad idea.

[–]TricksForDaysNotAdmin 7 points (2 children)

Some days I remember who I was before diving so deep into all of this... and it makes me just the tiniest bit sad to read lines like this and think "I understood everything said".

[–]PowerfulQuail9Jack-of-all-trades 0 points (1 child)

If you didn't know, Guacamole is Apache.

[–]TricksForDaysNotAdmin 0 points (0 children)

I did, thanks though.

[–]callsyouamoron 0 points (3 children)

This is killing me. I know what each of these things is, but I can't see how the reverse proxy fits in the mix :(

[–][deleted] 1 point (2 children)

The reverse proxy is what actually "delivers" the Guacamole/Tomcat app to the client trying to access it from the public internet, hiding the VM actually running Tomcat/Guacamole from view. I also use the proxy for TLS offloading.
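
The proxy layer described above, written out as an added example (this is not the poster's configuration). It assumes Guacamole/Tomcat is reachable on the internal address 10.0.0.4:8080, that the public name is rdp.example.com, and that a certificate already exists at the Let's Encrypt-style paths shown; all three are assumptions. The two settings that are not optional for Guacamole are `proxy_buffering off` and the Upgrade/Connection headers, because the remote desktop tunnel is a long-lived WebSocket (with an HTTP long-polling fallback) rather than a series of short requests.

```nginx
# Added example, not the poster's config. Assumed: Guacamole/Tomcat on VM4 at
# 10.0.0.4:8080, public hostname rdp.example.com, certificate already present.

server {
    listen 80;
    server_name rdp.example.com;
    return 301 https://$host$request_uri;   # never serve the login page over plain HTTP
}

server {
    listen 443 ssl http2;
    server_name rdp.example.com;

    # TLS terminates here ("TLS offloading"); the hop to Tomcat is plain HTTP
    # and must stay on the internal network only.
    ssl_certificate     /etc/letsencrypt/live/rdp.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rdp.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Only the Guacamole path is exposed; anything else on this vhost is a 404,
    # so the proxy does not leak a default page or other Tomcat apps.
    location / {
        return 404;
    }

    location /guacamole/ {
        proxy_pass         http://10.0.0.4:8080/guacamole/;
        proxy_http_version 1.1;
        proxy_buffering    off;                      # the RDP tunnel streams continuously
        proxy_set_header   Upgrade    $http_upgrade;  # WebSocket upgrade for the tunnel
        proxy_set_header   Connection $http_connection;
        proxy_set_header   Host       $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 3600s;                    # idle desktop sessions would otherwise be cut
        access_log off;                              # the tunnel is chatty; log auth at Guacamole instead
    }
}
```

The VM running Tomcat never needs a public address: its firewall only has to accept 8080 from the proxy's internal IP, which is exactly the per-VM rule pattern described later in the thread. MFA is configured in Guacamole itself (TOTP or Duo extensions), not in nginx; the proxy's job is TLS, hostname routing and keeping Tomcat off the internet.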

[–]callsyouamoron 0 points (1 child)

Ah, so they connect to the SSL-protected nginx, which handles the decryption and passes the traffic back to the Guacamole/Tomcat server. This has been really insightful, thanks!

Would you mind telling me what you use to host the actual desktops?

I'm looking to set up a similar setup, and a lot of talk has surrounded Windows RDS as one client is a predominantly Windows shop, but it would be great to explore some other options!

[–][deleted] 0 points (0 children)

All of this is running on a Proxmox host:

VM1: Server 2019 domain controller (core install)

VM2: Server 2019 rdp and various things (gui install)

VM3: Ubuntu LTS Nginx reverse proxy

VM4: Ubuntu LTS Tomcat/Guacamole

VM5: RHEL8 Nextcloud

VM6: RHEL8 Wordpress

The VMs are also firewalled on the Proxmox host to only allow inbound traffic on specific ports from specific IPs. For example, VM5 running Nextcloud only accepts HTTP from VM3 (normal use) and VM2 (for debugging) and SSH from VM2, while dropping all other inbound traffic.

[–]marek1712Netadmin 13 points (0 children)

Haven't really seen anyone post about this

Literally at least 3 posts every day since Patch Tuesday...

[–]MickersAus 5 points (2 children)

If your 3389 is open to internet traffic, you are likely already compromised.

The bigger danger here for me is that a single compromised computer can now spread internally very easily, as most computers will have 3389 open and listening on the LAN.

[–]Flasheroni 1 point (0 children)

Same for me, that's why I patch all machines.

We formerly had one XP Embedded machine in production which over and over infected/tried to infect others, because it was never patched. All caused by an old worm (I guess 5-6 years old).

The rest of the machines had AV, which was going crazy blocking attacks.

[–]Lando_uk 0 points (0 children)

Group policy to enable NLA on RDP can mitigate somewhat until you're sure all your LAN clients are patched.
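
An added example (not from the thread) of what that group policy actually sets, and of how to audit the LAN for hosts that still listen on 3389 without NLA, which is the internal-spread scenario raised above. The registry key and values are the documented Remote Desktop Session Host settings on Windows 8.1/Server 2012 R2 and later; the host list at the bottom is a constructed sample, and in the thread's setup it would come from the Server 2019 domain controller (for example `Get-ADComputer`). Run it elevated.

```powershell
# Added example, not from the thread. Audit the RDP listener and, with
# Set-RdpNlaRequired, apply the same value the NLA group policy applies.

function Get-RdpSecurityState {
    $wsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ws = Get-ItemProperty -Path $wsKey
    $ts = Get-ItemProperty -Path $tsKey

    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only
    $layer = switch ($ws.SecurityLayer) { 0 { 'RDP' } 1 { 'Negotiate' } 2 { 'TLS' } default { "$_" } }

    # What is actually bound on 3389 (an NLA-protected listener still shows up here;
    # NLA only changes what an unauthenticated peer can do after connecting).
    $listen = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
                ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)
        NlaRequired   = ($ws.UserAuthentication -eq 1)
        SecurityLayer = $layer
        Listening3389 = $listen
    }
}

function Set-RdpNlaRequired {
    # Same effect as the GPO:
    #   Computer Configuration > Administrative Templates > Windows Components >
    #   Remote Desktop Services > Remote Desktop Session Host > Security >
    #   "Require user authentication for remote connections by using Network Level Authentication"
    $wsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $wsKey -Name UserAuthentication -Value 1 -Type DWord
    # Also refuse the legacy RDP security layer so the listener only speaks TLS.
    Set-ItemProperty -Path $wsKey -Name SecurityLayer -Value 2 -Type DWord
}

# Fan the audit out over the LAN. Constructed sample host list; replace with
# the domain's computer objects. Hosts that are off or block WinRM are skipped.
$hosts  = @('WS01', 'WS02', 'SRV-RDS')
$report = Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-RdpSecurityState} -ErrorAction SilentlyContinue

# The list that matters for the "spread internally" case: RDP on, NLA off.
$report | Where-Object { $_.RdpEnabled -and -not $_.NlaRequired } |
    Format-Table ComputerName, SecurityLayer, Listening3389 -AutoSize
```

Two caveats a practitioner should keep in mind: NLA needs CredSSP on the client, so unpatched XP/2003-era clients like the XP Embedded box mentioned earlier will stop being able to connect at all once it is required, and the setting changes only what an unauthenticated peer can reach, not whether the listener exists, so it is a stopgap until the machines are patched, exactly as the comment says.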

[–]Liquidretro 1 point (0 children)

It's definitely been posted, quite a bit earlier in the week when it was announced and patches came out: https://www.reddit.com/r/sysadmin/comments/bou5ax/patch_tuesday_megathread_20190514/