Building an Open-Source OT Remote Access Platform

Remote access has become one of the biggest challenges in OT and ICS environments.

Industrial facilities often require vendors, engineers, system integrators, and support teams to remotely access:

  • HMIs
  • engineering workstations
  • historians
  • Windows servers
  • Linux systems
  • virtualization platforms

In many environments, this access was introduced years ago using:

  • traditional VPNs
  • exposed RDP services
  • shared accounts
  • unmanaged remote access tools
  • direct vendor connectivity into OT networks

While these methods may solve operational problems, they can also introduce major cybersecurity risks inside industrial environments.

Apache Guacamole is an open-source browser-based remote access gateway that offers a different approach. Instead of exposing systems directly to external users, it centralizes remote access through a web interface while supporting authentication integration, auditing, access restrictions, and session management capabilities.

In this article, we will look at how Apache Guacamole can help address common OT remote access challenges through features such as:

  • Browser-based remote access
  • Multi-factor authentication (MFA)
  • LDAP / Active Directory integration
  • Single Sign-On (SSO)
  • Connection-level access control
  • Session recording and auditing
  • Clipboard and file transfer restrictions
  • Brute-force protection
  • Secure DMZ and jump-host deployment architecture

It is important to understand that Apache Guacamole is not:

  • a firewall
  • a segmentation platform
  • a PAM solution
  • a replacement for OT security architecture

It should be treated as a controlled remote access broker inside a properly segmented environment.


Browser-Based Remote Access

One of the common operational issues in OT environments is dependency on unmanaged remote access software.

Many vendors still rely on:

  • standalone RDP clients
  • SSH clients
  • VNC software
  • TeamViewer
  • AnyDesk
  • third-party remote support tools

Apache Guacamole provides browser-based remote access through its HTML5 web interface and guacd service.

Supported protocols include:

  • RDP
  • SSH
  • VNC
  • Telnet (legacy environments)

Relevant components:

  • guacd
  • guacamole.war

Relevant configuration:

guacd-hostname: localhost
guacd-port: 4822

Instead of this:

Vendor Laptop
     ↓
VPN
     ↓
Direct RDP Access
     ↓
Engineering Workstation

Organizations can move toward:

Vendor
     ↓
Browser
     ↓
Guacamole
     ↓
Approved Internal System

This helps organizations centralize and control remote access sessions while reducing unmanaged software inside the environment.


Multi-Factor Authentication (MFA)

Weak authentication and shared accounts remain common issues in industrial environments.

Apache Guacamole supports MFA using authentication extensions.

MFA can be enforced directly by the TOTP and Duo extensions, or delegated to an enterprise identity provider through the SSO extensions:

  • guacamole-auth-totp
  • guacamole-auth-duo
  • guacamole-auth-sso-saml
  • guacamole-auth-sso-openid

Example TOTP configuration:

totp-issuer: OT-Remote-Access
totp-digits: 6
totp-period: 30

Example Duo configuration:

duo-api-hostname:
duo-integration-key:
duo-secret-key:
duo-application-key:

This allows organizations to strengthen authentication security for remote vendor and engineering access.


LDAP and Active Directory Integration

Managing remote access accounts independently across OT systems becomes difficult over time.

Apache Guacamole supports LDAP and Active Directory integration using:

guacamole-auth-ldap

Relevant configuration examples:

ldap-hostname:
ldap-port:
ldap-user-base-dn:
ldap-search-bind-dn:
ldap-search-bind-password:
ldap-username-attribute:

This allows organizations to:

  • centralize identity management
  • integrate with Active Directory
  • apply role-based access
  • remove access centrally
  • reduce unmanaged local accounts

Single Sign-On (SSO)

Many organizations want remote access integrated into existing enterprise identity systems.

Apache Guacamole supports SSO extensions including:

  • SAML
  • OpenID Connect
  • CAS

Relevant extensions:

  • guacamole-auth-sso-saml
  • guacamole-auth-sso-openid
  • guacamole-auth-cas

Example SAML configuration:

saml-idp-url:
saml-entity-id:
saml-callback-url:
saml-strict: true

Example OpenID configuration:

openid-authorization-endpoint:
openid-jwks-endpoint:
openid-issuer:
openid-client-id:
openid-client-secret:
openid-redirect-uri:

This helps organizations integrate centralized authentication workflows into remote access infrastructure.


Connection-Level Access Control

A common OT security problem is excessive vendor access inside industrial networks.

Apache Guacamole supports:

  • connection permissions
  • user groups
  • connection groups
  • role-based access management

Database-backed access control is supported using:

  • guacamole-auth-jdbc-mysql
  • guacamole-auth-jdbc-postgresql

This allows organizations to restrict which systems each user may access instead of providing unrestricted network-level access.
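The permission model above lives in the guacamole-auth-jdbc database, so it can be reviewed with plain SQL. The following access-review query is an added example, not from the article or the Guacamole project; it assumes the stock schema shipped with guacamole-auth-jdbc (tables guacamole_entity, guacamole_user_group, guacamole_user_group_member, guacamole_connection_permission and guacamole_connection) and is written in MySQL dialect. It lists every user-to-connection grant, both direct and inherited through one level of group membership, which is the list an OT owner should be able to justify line by line.

```sql
-- Added example (not the article's or the project's own code).
-- Assumes the stock guacamole-auth-jdbc schema; MySQL dialect.
-- READ is the permission that allows a user to actually open a connection.

-- Direct grants: user -> connection
SELECT e.name              AS username,
       'direct'            AS granted_via,
       c.connection_name,
       c.protocol,
       p.permission
FROM guacamole_connection_permission p
JOIN guacamole_entity     e ON e.entity_id     = p.entity_id
JOIN guacamole_connection c ON c.connection_id = p.connection_id
WHERE e.type = 'USER'

UNION ALL

-- Inherited grants: user -> user group -> connection (one level of nesting)
SELECT u.name              AS username,
       g.name              AS granted_via,
       c.connection_name,
       c.protocol,
       p.permission
FROM guacamole_connection_permission p
JOIN guacamole_entity            g  ON g.entity_id      = p.entity_id
                                   AND g.type           = 'USER_GROUP'
JOIN guacamole_user_group        ug ON ug.entity_id     = g.entity_id
JOIN guacamole_user_group_member m  ON m.user_group_id  = ug.user_group_id
JOIN guacamole_entity            u  ON u.entity_id      = m.member_entity_id
                                   AND u.type           = 'USER'
JOIN guacamole_connection        c  ON c.connection_id  = p.connection_id

ORDER BY username, connection_name, granted_via;
```

Run it as part of a periodic access review: every row is a system a named account can reach through the broker, and a vendor account that shows up against a connection outside its engagement scope is the finding. Grants made through nested groups (a group inside a group) need the second SELECT repeated per level or a recursive CTE, which is omitted here.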


Clipboard and File Transfer Restrictions

File transfer and clipboard access can introduce operational and security risks inside OT environments.

Apache Guacamole supports restricting:

  • clipboard usage
  • copy/paste operations
  • drive redirection
  • file transfers

Relevant connection parameter examples (these are set per connection, for example in the connection's settings in the admin interface, not in guacamole.properties):

disable-copy=true
disable-paste=true
enable-drive=false

This can help reduce:

  • malware introduction
  • unauthorized tool uploads
  • accidental file movement
  • uncontrolled data transfers
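Because these restrictions are per-connection parameters, a single connection created without them silently re-opens the clipboard or drive path. The following compliance check is an added example, not from the article or the Guacamole project; it assumes the stock guacamole-auth-jdbc schema, where parameters are stored as name/value rows in guacamole_connection_parameter, and is written to run on both MySQL and PostgreSQL. It pivots the relevant parameters per connection and returns only the connections that are not locked down. The enable-sftp parameter, the SFTP-based file transfer switch for SSH, VNC and RDP connections, is included alongside the three parameters the article shows.

```sql
-- Added example (not the article's or the project's own code).
-- Assumes the stock guacamole-auth-jdbc schema (guacamole_connection,
-- guacamole_connection_parameter). Portable across MySQL and PostgreSQL.
-- A parameter that is absent takes Guacamole's default: clipboard enabled,
-- drive redirection disabled, SFTP disabled.
SELECT s.connection_id,
       s.connection_name,
       s.protocol,
       s.disable_copy,
       s.disable_paste,
       s.enable_drive,
       s.enable_sftp
FROM (
    SELECT c.connection_id,
           c.connection_name,
           c.protocol,
           -- pivot the name/value rows into one column per parameter
           MAX(CASE WHEN pm.parameter_name = 'disable-copy'  THEN pm.parameter_value END) AS disable_copy,
           MAX(CASE WHEN pm.parameter_name = 'disable-paste' THEN pm.parameter_value END) AS disable_paste,
           MAX(CASE WHEN pm.parameter_name = 'enable-drive'  THEN pm.parameter_value END) AS enable_drive,
           MAX(CASE WHEN pm.parameter_name = 'enable-sftp'   THEN pm.parameter_value END) AS enable_sftp
    FROM guacamole_connection c
    LEFT JOIN guacamole_connection_parameter pm
           ON pm.connection_id = c.connection_id
    GROUP BY c.connection_id, c.connection_name, c.protocol
) AS s
WHERE COALESCE(s.disable_copy,  'false') <> 'true'      -- clipboard copy still allowed
   OR COALESCE(s.disable_paste, 'false') <> 'true'      -- clipboard paste still allowed
   OR COALESCE(s.enable_drive,  'false')  = 'true'      -- RDP drive redirection explicitly on
   OR COALESCE(s.enable_sftp,   'false')  = 'true'      -- SFTP file transfer explicitly on
ORDER BY s.connection_name;
```

An empty result set means every connection carries the restrictive settings; any row returned is a connection to fix or to document as an approved exception (for example a dedicated patch-staging host that legitimately needs file transfer).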

Session Recording and Auditing

One of the major issues in OT remote access environments is the lack of visibility into vendor activity.

Apache Guacamole supports:

  • session history
  • audit logging
  • session recording
  • connection tracking

Recording connection parameter examples:

recording-path=/var/lib/guacamole/recordings
create-recording-path=true

SSH recording support (typescript of the terminal session):

typescript-path=

Database audit history tables include:

  • guacamole_connection_history
  • guacamole_user_history

This helps organizations improve:

  • accountability
  • auditing
  • compliance
  • incident investigations
  • operational visibility

Instead of relying entirely on trust, organizations gain the ability to review and investigate remote sessions when required.
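The history tables make that review a query rather than a trust exercise. The three queries below are an added example, not from the article or the Guacamole project; they assume the stock guacamole-auth-jdbc schema for guacamole_connection_history (columns username, connection_name, remote_host, start_date, end_date) and use MySQL date functions. The 07:00 to 19:00 business-hours window and the 7-day and 30-day look-back periods are constructed values to adjust to the site's own change windows.

```sql
-- Added example (not the article's or the project's own code).
-- Assumes the stock guacamole-auth-jdbc schema; MySQL dialect
-- (TIMESTAMPDIFF and INTERVAL n DAY are MySQL syntax).

-- 1. Sessions that are open right now: who is inside which system, from where.
SELECT h.username, h.connection_name, h.remote_host, h.start_date
FROM guacamole_connection_history h
WHERE h.end_date IS NULL
ORDER BY h.start_date;

-- 2. Sessions in the last 7 days that started outside the maintenance window
--    (constructed window: 07:00-19:00 server time), with their duration.
SELECT h.username,
       h.connection_name,
       h.remote_host,
       h.start_date,
       h.end_date,
       TIMESTAMPDIFF(MINUTE, h.start_date, COALESCE(h.end_date, NOW())) AS minutes
FROM guacamole_connection_history h
WHERE h.start_date >= NOW() - INTERVAL 7 DAY
  AND (EXTRACT(HOUR FROM h.start_date) < 7
       OR EXTRACT(HOUR FROM h.start_date) >= 19)
ORDER BY h.start_date DESC;

-- 3. Per-account activity over 30 days: session count, number of distinct
--    source addresses and last use. A vendor account with many source
--    addresses, or one that was never used, is worth a closer look.
SELECT h.username,
       COUNT(*)                       AS sessions,
       COUNT(DISTINCT h.remote_host)  AS source_hosts,
       MIN(h.start_date)              AS first_seen,
       MAX(h.start_date)              AS last_seen
FROM guacamole_connection_history h
WHERE h.start_date >= NOW() - INTERVAL 30 DAY
GROUP BY h.username
ORDER BY sessions DESC;
```

One caveat when Guacamole sits behind a reverse proxy, as the deployment model later in this article recommends: remote_host records the client address as seen by the servlet container, so unless the proxy forwards the original client address and Tomcat is configured to trust it (for example with RemoteIpValve), every session will appear to originate from the proxy and query 3 loses most of its value.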


Browser-Based Clientless Access

Apache Guacamole uses:

  • an HTML5 frontend
  • WebSocket tunneling

No additional client software is required on the endpoint.

Reverse proxies must support:

Upgrade: websocket

This helps reduce dependency on unmanaged remote access software installed on vendor systems.


SSL/TLS Enforcement

Remote OT access should always use encrypted communications.

Apache Guacamole deployments commonly use reverse proxies such as:

  • Nginx
  • Apache HTTP Server

Example TLS configuration:

server {
    listen 443 ssl;
    ssl_certificate ...
    ssl_certificate_key ...
}

Relevant Guacamole proxy settings:

proxy-hostname:
proxy-port:

This helps protect:

  • remote sessions
  • credentials
  • authentication traffic

Brute-Force Protection

Internet-facing remote access systems are commonly targeted by password attacks.

Apache Guacamole supports brute-force protection using:

guacamole-auth-ban

Relevant configuration examples:

ban-address-duration: 300
ban-max-invalid-attempts: 5
ban-max-attempts-per-interval: 5
ban-login-failure-window: 60

This helps reduce automated login attack attempts against remote access portals. Because the extension tracks failures by client address, it needs the real client address to reach Guacamole: behind a reverse proxy that does not forward it, all failed attempts appear to come from the proxy and are counted against it.


Database-Backed Centralized Administration

Apache Guacamole supports centralized administration using:

  • MySQL
  • PostgreSQL

Supported extensions:

  • guacamole-auth-jdbc-mysql
  • guacamole-auth-jdbc-postgresql

Example MySQL configuration:

mysql-hostname:
mysql-port:
mysql-database:
mysql-username:
mysql-password:

Example PostgreSQL configuration:

postgresql-hostname:
postgresql-port:
postgresql-database:
postgresql-username:
postgresql-password:

This helps organizations centralize:

  • users
  • permissions
  • audit data
  • connection management

Secure DMZ and Jump-Host Architecture

One of the most dangerous mistakes in OT environments is exposing RDP or engineering systems directly to the internet.

Apache Guacamole should not provide unrestricted access directly into industrial networks.

A more controlled deployment model places Guacamole behind:

  • reverse proxies
  • firewalls
  • DMZ environments
  • jump hosts

Rather than exposing engineering systems directly to external users, this approach helps organizations:

  • centralize remote access
  • reduce direct exposure of OT assets
  • apply segmentation boundaries
  • monitor vendor sessions
  • restrict reachable systems

Suggested deployment model:

Vendor
     ↓
Reverse Proxy (DMZ)
     ↓
Guacamole
     ↓
Firewall
     ↓
Jump Host
     ↓
Approved OT Systems

Open Source and Operational Control

Many organizations are increasingly exploring open-source technologies to improve operational control and reduce dependency on proprietary ecosystems.

Open-source platforms provide:

  • self-hosted deployment flexibility
  • visibility into configurations
  • integration freedom
  • reduced vendor lock-in
  • deployment customization

For OT environments, this becomes especially valuable when organizations require greater operational ownership over their remote access infrastructure.


Final Thoughts

Remote access is now a normal operational requirement in many industrial environments. The challenge is making it secure, controlled, and operationally manageable.

Apache Guacamole provides multiple features that can help organizations improve centralized remote access management in OT and ICS environments when deployed correctly.

These capabilities include:

  • browser-based access
  • MFA
  • LDAP/AD integration
  • SSO
  • session recording
  • access restrictions
  • brute-force protection
  • centralized administration
  • segmented deployment architectures

Like any security technology, proper architecture and operational controls remain critical.

Guacamole should not be viewed as:

  • a magic security product
  • a replacement for segmentation
  • a replacement for firewalls
  • a replacement for OT security architecture

Instead, it should be treated as a controlled remote access broker operating inside a properly designed OT environment.

At ZeroNtek, we help organizations worldwide design and deploy secure open-source solutions for both OT and IT environments.

This includes:

  • secure remote access architectures
  • OT segmentation guidance
  • logging and monitoring integration
  • open-source OT security deployments
  • hardening and operational support

We strongly believe open-source technologies can play an important role in building more transparent, flexible, and sovereign security environments for critical infrastructure and industrial operations.

