
Your Step-by-Step Guide to Installing Apache Guacamole on Debian
Juggling multiple remote connections can be a challenge, especially when you need to access different machines running various protocols like RDP, VNC, and SSH. Apache Guacamole offers an elegant solution by providing a clientless remote desktop gateway. All you need is a web browser, and you can access your entire network of machines from anywhere.
This comprehensive guide will walk you through the process of installing and configuring Apache Guacamole on a Debian system. We will cover everything from installing dependencies to securing your final setup.
What is Apache Guacamole?
Apache Guacamole is an open-source gateway that requires no plugins or client software. It acts as a middleman, translating protocols like RDP and VNC into a clean, responsive HTML5 web interface. This means you can manage Windows servers, Linux desktops, and SSH terminals seamlessly from a single browser tab.
Step 1: Installing All Necessary Prerequisites
Before we can build Guacamole, we need to install the essential dependencies from the Debian repositories. These packages include development tools and libraries required for the various protocols Guacamole supports.
Open your terminal and run the following command to install all required packages:
sudo apt update && sudo apt upgrade -y
sudo apt install build-essential libcairo2-dev libjpeg62-turbo-dev \
libpng-dev libtool-bin libossp-uuid-dev libavcodec-dev libavutil-dev \
libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libvncserver-dev \
libtelnet-dev libssl-dev libwebsockets-dev libpulse-dev
This single command installs:
- Build tools needed to compile the software from source.
- Libraries for graphics (Cairo, JPEG, PNG).
- Protocol support for FreeRDP (RDP), libssh2 (SSH), and libvncserver (VNC).
Step 2: Downloading and Compiling Guacamole Server
The “guacamole-server” component is the backend daemon that connects to your remote machines. We will download the source code and compile it.
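Download the latest stable source code from the Apache Guacamole website. You can find the link on their official download page. Use wget to download it directly to your server. (Replace the URL with the latest version.) The ?action=download suffix makes the mirror redirector return the archive itself rather than an HTML mirror page, and -O keeps the expected file name.
wget -O guacamole-server-1.5.4.tar.gz "https://apache.org/dyn/closer.lua/guacamole/1.5.4/source/guacamole-server-1.5.4.tar.gz?action=download"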
Extract the archive and navigate into the directory.
tar -xzf guacamole-server-1.5.4.tar.gz
cd guacamole-server-1.5.4/
Run the configure script, compile, and install. The ./configure script will check if all dependencies are present. Pay close attention to its output to ensure all protocols you need are enabled.
./configure --with-systemd-dir=/etc/systemd/system/
make
sudo make install
Update the system’s library cache and start the daemon.
sudo ldconfig
sudo systemctl enable guacd
sudo systemctl start guacd
You can check the status of the service with sudo systemctl status guacd. If it’s active and running, you’re ready for the next step.
Step 3: Installing Tomcat and the Guacamole Client
The Guacamole client is the web application that users interact with. It runs on a Java servlet container, and the recommended choice is Apache Tomcat.
Install Tomcat.
sudo apt install tomcat9 tomcat9-admin tomcat9-common tomcat9-user
Download the Guacamole client .war file. This is a pre-compiled web application archive. Make sure its version matches the guacamole-server version you downloaded.
wget -O guacamole-1.5.4.war "https://apache.org/dyn/closer.lua/guacamole/1.5.4/binary/guacamole-1.5.4.war?action=download"
Deploy the web app. Move the .war file into Tomcat’s webapps directory.
sudo mv guacamole-1.5.4.war /var/lib/tomcat9/webapps/guacamole.war
By renaming it to guacamole.war, the application will be accessible at http://your-server-ip:8080/guacamole.
Step 4: Configuring Guacamole
Now we need to tell the web application how to connect to the backend daemon (guacd) and define which users can access which remote connections.
Create the Guacamole configuration directory.
sudo mkdir /etc/guacamole
Create the main configuration file, guacamole.properties. This file points the web app to guacd.
sudo nano /etc/guacamole/guacamole.properties
Add the following lines to the file:
# Guacamole server location
guacd-hostname: localhost
guacd-port: 4822
# Authentication provider
auth-provider: net.sourceforge.guacamole.net.auth.xml.XMLAuthenticationProvider
xml-auth-config: /etc/guacamole/user-mapping.xml
Create the user mapping file, user-mapping.xml. This is where you define users, passwords, and their available connections.
sudo nano /etc/guacamole/user-mapping.xml
Here is a basic example defining one user with access to both an RDP and a VNC connection. Remember to change the usernames, passwords, and connection details to match your environment.
<user-mapping>
    <!-- A user who can access two different connections -->
    <authorize username="admin" password="YOUR-STRONG-PASSWORD-HERE">
        <connection name="Windows Server 2022">
            <protocol>rdp</protocol>
            <param name="hostname">192.168.1.100</param>
            <param name="port">3389</param>
            <param name="username">win-user</param>
            <param name="password">win-password</param>
            <param name="ignore-cert">true</param>
        </connection>
        <connection name="Linux VNC Desktop">
            <protocol>vnc</protocol>
            <param name="hostname">192.168.1.101</param>
            <param name="port">5901</param>
            <param name="password">vnc-password</param>
        </connection>
    </authorize>
</user-mapping>
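Set the correct ownership and permissions, then restart Tomcat to apply the new configuration. The file was created as root, so hand it to the tomcat account that Debian's tomcat9 package runs as; otherwise the web application cannot read it once the mode is 600.
sudo chown tomcat:tomcat /etc/guacamole/user-mapping.xml
sudo chmod 600 /etc/guacamole/user-mapping.xml
sudo systemctl restart tomcat9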
You should now be able to access your Guacamole instance by navigating to http://your-server-ip:8080/guacamole and logging in with the credentials you defined in user-mapping.xml.
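A quick audit of the mapping file created in this step, as an added example (not part of the original guide or the Guacamole project): it flags cleartext login passwords, stored connection passwords, ignore-cert set to true, and a file mode that lets other users read the file. The function names and the embedded sample are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample mirroring the layout of the user-mapping.xml above.
SAMPLE = """<user-mapping>
  <authorize username="admin" password="YOUR-STRONG-PASSWORD-HERE">
    <connection name="Windows Server 2022">
      <protocol>rdp</protocol>
      <param name="hostname">192.168.1.100</param>
      <param name="password">win-password</param>
      <param name="ignore-cert">true</param>
    </connection>
    <connection name="Linux VNC Desktop">
      <protocol>vnc</protocol>
      <param name="hostname">192.168.1.101</param>
      <param name="password">vnc-password</param>
    </connection>
  </authorize>
</user-mapping>"""


def audit_mapping(xml_text):
    """Return (scope, finding) tuples for risky settings in a user mapping."""
    findings = []
    for auth in ET.fromstring(xml_text).iter("authorize"):
        user = auth.get("username", "?")
        # Without an encoding attribute the login password is stored as-is.
        if auth.get("encoding", "plain") == "plain":
            findings.append((user, "cleartext login password"))
        for conn in auth.iter("connection"):
            params = {p.get("name"): (p.text or "").strip() for p in conn.iter("param")}
            scope = f"{user}/{conn.get('name', '?')}"
            if params.get("ignore-cert", "").lower() == "true":
                findings.append((scope, "ignore-cert=true: RDP certificate not validated"))
            if "password" in params:
                findings.append((scope, "stored connection password"))
    return findings


def audit_mode(path):
    """Flag a mapping file that users outside its owner/group can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [(path, f"mode {mode:o} grants access to other users")] if mode & 0o007 else []


if __name__ == "__main__":
    for scope, finding in audit_mapping(SAMPLE):
        print(f"{scope}: {finding}")
```

On a live server, pass the contents of /etc/guacamole/user-mapping.xml to audit_mapping and the path to audit_mode, running as a user allowed to read the file.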
Crucial Security Steps for Your Guacamole Server
A default installation is functional but not secure. It is critical to implement security measures to protect your network.
Use a Reverse Proxy with SSL/TLS: Never expose Tomcat directly to the internet. Set up a reverse proxy like Nginx or Apache in front of Guacamole. This allows you to enable HTTPS with a free Let’s Encrypt certificate, encrypting all traffic between your users and the server.
Implement Strong Authentication: The user-mapping.xml file is suitable for small setups. For better security and scalability, configure Guacamole to use database authentication (MySQL/PostgreSQL) or integrate with an existing LDAP directory or with Duo. This provides better user management and logging.
Use Fail2Ban: Protect your login page from brute-force attacks. You can configure Fail2Ban to monitor Tomcat’s logs and automatically ban IP addresses that have too many failed login attempts.
Keep Your System Updated: Regularly run sudo apt update && sudo apt upgrade to ensure your server and all Guacamole components have the latest security patches.
By following this guide, you have successfully deployed a powerful, browser-based remote access gateway. By taking the extra steps to secure it, you can provide convenient and safe access to your network resources.
Source: https://kifarunix.com/how-to-install-and-setup-guacamole-on-debian-9-8/