Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


Skip to end of metadata
Go to start of metadata

This article describes how to configure Apache Guacamole as a web resource in Smart ID Digital Access component (Hybrid Access Gateway)

Expand/Collapse All

Prerequisites

 Prerequisites

Step-by-step instruction

Install Guacamole

 Install Guacamole
  1. Login via SSH to the Guacamole server.
  2. Install Guacamole using this command:

    Install Guacamole
    wget -q -O - https://us.nexusgroup.com/dl/hag-docker-guacamole.sh | bash
  3. Start the Docker container as ‘root’ or any other Docker administrator user:

    Start Docker container
    sudo su -
    cd /opt/docker-guacamole
    docker-compose up -d

Create web resource

 Create web resource
  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click Web Resources > Add Web Resource Host.
  3. Enable resource is checked by default.
  4. Enter a Display Name, the Host of the Guacamole server and the HTTP Port (8080). 
  5. Under Portal settings check Make resource available in the Portal. Upload an icon image and link text.
  6. Click Next until the web-resource is created and you see the Advanced Settings... option.
 Add attribute

Either you continue from the previous step, or you

  • Select the web resource under Registered Resources
  • Click Edit Resource Host...
  • Click Advanced Settings...
  1. At the bottom of the page, click Add Attribute... under section Back-end Attributes.
  2. Add a back-end attribute:
    1. Enter guac as Name.
    2. Use Header as Type.
    3. Use Static Value as Source.
    4. Choose None as Encoding
    5. As Value, add username, password and IP address or DNS name of RDP host:

      <protocol>://username:password@<target-server>/?<parameterkey1>=<parametervalue1>&<parameterkey2>=<parametervalue2>

      this could look like:

      Example
      rdp://agadmin:admi123!@192.168.1.2/?color-depth=16

      protocol -  is one of: rdp, ssh, telnet, vnc
      additional parameters following: key=value,key=value...
      More details can be found here: https://guacamole.apache.org/doc/gug/configuring-guacamole.html#connection-configuration

  3. Click Add.
  4. Click Next and Finish Wizard.

Single Sign-on settings

 Add Single Sign-On templates

If the username and password should be picked from a specific SSO domain, do the following adaptions. Refer also to Single sign-on script in Digital Access, headings "Upload script files" and "Add filters".

Do the instructions below for these scripts:

Upload script files

  1. In Digital Access Admin, click Browse.
  2. Upload the provided files (without changing the file names) to access-point/files/custom-files/scripts.

 Add filters
  1. In Digital Access Admin, go to Manage Resource Access > Global Resource Settings.
  2. Go to the Filters tab and click Add Filter...
  3. As Display Name enter sso_username
  4. As Script Name enter sso_username
  5. Select Request as Type of Filter.
  6. Select the Guacamole web resource as Resource Host.
  7. Enter * in Path.
  8. Select Headers as Apply Filter To.
  9. Click Add.
  10. Also add filters for sso_password, sso_domain and sso_uid.
 Set internal cookies for User ID
  1. In Digital Access Admin, go to Manage Resource Access > Global Resource Settings.
  2. Go to the Advanced tab.
  3. Check User ID under Internal Cookies.
  4. Check Use "Cache-Control: no store" under Cache Control.
  5. Click Save.
 Create an “SSO Domain” with the credentials you need
 Update the Web resource HOST
  1. In Digital Access Admin, go to Manage Resource Access.
  2. Click Web Resources > Edit Web Resources and select the web resource host you created.
    1. To use the scripts for SSO, sso_username and sso_password have to be used within the Guacamole resource, like:

      rdp://sso_username:sso_password@192.168.1.2/

      This is explained in the following steps.

  3. Under heading Single Sign-On:
    1. Check Enable Single Sign-On 
    2. Select Script as Single Sign-On Type.
    3. Select the SSO domain you created before as SSO Domain.
  4. Click Edit Attribute guac.
  5. Click Advanced settings...
  6. Update the Header as to use 'sso_username' and 'sso_password' etc to use the dynamic values.
  7. Click Save and then publish the updates.

Add multiple web resources to a Guacamole server instance

 Add multiple web resources to a Guacamole server instance
  1. Create a new DNS entry for the guacamole server (add a CNAME).
  2. Follow the same steps as for the first connection.
  3. If you want to use SSO, you must add filter for the new CNAME. Follow the instructions in Add filters under heading Single Sign-On settings.

This article is valid for Digital Access 6.0.2 and Smart ID 20.06.1 and later.

Related information

Links