In many environments, this access was introduced years ago using:<\/p>\n\n\n\n
- \n
- traditional VPNs<\/li>\n\n\n\n
- exposed RDP services<\/li>\n\n\n\n
- shared accounts<\/li>\n\n\n\n
- unmanaged remote access tools<\/li>\n\n\n\n
- direct vendor connectivity into OT networks<\/li>\n<\/ul>\n\n\n\n
While these methods may solve operational problems, they can also introduce major cybersecurity risks inside industrial environments.<\/p>\n\n\n\n
Apache Guacamole is an open-source browser-based remote access gateway that offers a different approach. Instead of exposing systems directly to external users, it centralizes remote access through a web interface while supporting authentication integration, auditing, access restrictions, and session management capabilities.<\/p>\n\n\n\n
In this article, we will look at how Apache Guacamole can help address common OT remote access challenges through features such as:<\/p>\n\n\n\n
- \n
- Browser-based remote access<\/li>\n\n\n\n
- Multi-factor authentication (MFA)<\/li>\n\n\n\n
- LDAP \/ Active Directory integration<\/li>\n\n\n\n
- Single Sign-On (SSO)<\/li>\n\n\n\n
- Connection-level access control<\/li>\n\n\n\n
- Session recording and auditing<\/li>\n\n\n\n
- Clipboard and file transfer restrictions<\/li>\n\n\n\n
- Brute-force protection<\/li>\n\n\n\n
- Secure DMZ and jump-host deployment architecture<\/li>\n<\/ul>\n\n\n\n
It is important to understand that Apache Guacamole is not:<\/p>\n\n\n\n
- \n
- a firewall<\/li>\n\n\n\n
- a segmentation platform<\/li>\n\n\n\n
- a PAM solution<\/li>\n\n\n\n
- a replacement for OT security architecture<\/li>\n<\/ul>\n\n\n\n
It should be treated as a controlled remote access broker inside a properly segmented environment.<\/p>\n\n\n\n
\n\n\n\nBrowser-Based Remote Access<\/h1>\n\n\n\n
One of the common operational issues in OT environments is dependency on unmanaged remote access software.<\/p>\n\n\n\n
Many vendors still rely on:<\/p>\n\n\n\n
- \n
- standalone RDP clients<\/li>\n\n\n\n
- SSH clients<\/li>\n\n\n\n
- VNC software<\/li>\n\n\n\n
- TeamViewer<\/li>\n\n\n\n
- AnyDesk<\/li>\n\n\n\n
- third-party remote support tools<\/li>\n<\/ul>\n\n\n\n
Apache Guacamole provides browser-based remote access through its HTML5 web interface and
guacd<\/code> service.<\/p>\n\n\n\nSupported protocols include:<\/p>\n\n\n\n
- \n
- RDP<\/li>\n\n\n\n
- SSH<\/li>\n\n\n\n
- VNC<\/li>\n\n\n\n
- Telnet (legacy environments)<\/li>\n<\/ul>\n\n\n\n
Relevant components:<\/p>\n\n\n\n
- \n
guacd<\/code><\/li>\n\n\n\nguacamole.war<\/code><\/li>\n<\/ul>\n\n\n\nRelevant configuration:<\/p>\n\n\n\n
guacd-hostname: localhost\nguacd-port: 4822\n<\/code><\/pre>\n\n\n\nInstead of this:<\/p>\n\n\n\n
Vendor Laptop\n \u2193\nVPN\n \u2193\nDirect RDP Access\n \u2193\nEngineering Workstation\n<\/code><\/pre>\n\n\n\nOrganizations can move toward:<\/p>\n\n\n\n
Vendor\n \u2193\nBrowser\n \u2193\nGuacamole\n \u2193\nApproved Internal System\n<\/code><\/pre>\n\n\n\nThis helps organizations centralize and control remote access sessions while reducing unmanaged software inside the environment.<\/p>\n\n\n\n
\n\n\n\nMulti-Factor Authentication (MFA)<\/h1>\n\n\n\n
Weak authentication and shared accounts remain common issues in industrial environments.<\/p>\n\n\n\n
Apache Guacamole supports MFA using authentication extensions.<\/p>\n\n\n\n
Supported MFA extensions include:<\/p>\n\n\n\n
- \n
guacamole-auth-totp<\/code><\/li>\n\n\n\nguacamole-auth-duo<\/code><\/li>\n\n\n\nguacamole-auth-sso-saml<\/code><\/li>\n\n\n\nguacamole-auth-sso-openid<\/code><\/li>\n<\/ul>\n\n\n\nExample TOTP configuration:<\/p>\n\n\n\n
totp-issuer: OT-Remote-Access\ntotp-digits: 6\ntotp-period: 30\n<\/code><\/pre>\n\n\n\nExample Duo configuration:<\/p>\n\n\n\n
duo-api-hostname:\nduo-integration-key:\nduo-secret-key:\nduo-application-key:\n<\/code><\/pre>\n\n\n\nThis allows organizations to strengthen authentication security for remote vendor and engineering access.<\/p>\n\n\n\n
\n\n\n\nLDAP and Active Directory Integration<\/h1>\n\n\n\n
Managing remote access accounts independently across OT systems becomes difficult over time.<\/p>\n\n\n\n
Apache Guacamole supports LDAP and Active Directory integration using:<\/p>\n\n\n\n
guacamole-auth-ldap\n<\/code><\/pre>\n\n\n\nRelevant configuration examples:<\/p>\n\n\n\n
ldap-hostname:\nldap-port:\nldap-user-base-dn:\nldap-search-bind-dn:\nldap-search-bind-password:\nldap-username-attribute:\n<\/code><\/pre>\n\n\n\nThis allows organizations to:<\/p>\n\n\n\n
- \n
- centralize identity management<\/li>\n\n\n\n
- integrate with Active Directory<\/li>\n\n\n\n
- apply role-based access<\/li>\n\n\n\n
- remove access centrally<\/li>\n\n\n\n
- reduce unmanaged local accounts<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nSingle Sign-On (SSO)<\/h1>\n\n\n\n
Many organizations want remote access integrated into existing enterprise identity systems.<\/p>\n\n\n\n
Apache Guacamole supports SSO extensions including:<\/p>\n\n\n\n
- \n
- SAML<\/li>\n\n\n\n
- OpenID Connect<\/li>\n\n\n\n
- CAS<\/li>\n<\/ul>\n\n\n\n
Relevant extensions:<\/p>\n\n\n\n
- \n
guacamole-auth-sso-saml<\/code><\/li>\n\n\n\nguacamole-auth-sso-openid<\/code><\/li>\n\n\n\nguacamole-auth-cas<\/code><\/li>\n<\/ul>\n\n\n\nExample SAML configuration:<\/p>\n\n\n\n
saml-idp-url:\nsaml-entity-id:\nsaml-callback-url:\nsaml-strict: true\n<\/code><\/pre>\n\n\n\nExample OpenID configuration:<\/p>\n\n\n\n
openid-authorization-endpoint:\nopenid-jwks-endpoint:\nopenid-issuer:\nopenid-client-id:\nopenid-client-secret:\nopenid-redirect-uri:\n<\/code><\/pre>\n\n\n\nThis helps organizations integrate centralized authentication workflows into remote access infrastructure.<\/p>\n\n\n\n
\n\n\n\nConnection-Level Access Control<\/h1>\n\n\n\n
A common OT security problem is excessive vendor access inside industrial networks.<\/p>\n\n\n\n
Apache Guacamole supports:<\/p>\n\n\n\n
- \n
- connection permissions<\/li>\n\n\n\n
- user groups<\/li>\n\n\n\n
- connection groups<\/li>\n\n\n\n
- role-based access management<\/li>\n<\/ul>\n\n\n\n
Database-backed access control is supported using:<\/p>\n\n\n\n
- \n
guacamole-auth-jdbc-mysql<\/code><\/li>\n\n\n\nguacamole-auth-jdbc-postgresql<\/code><\/li>\n<\/ul>\n\n\n\nThis allows organizations to restrict which systems each user may access instead of providing unrestricted network-level access.<\/p>\n\n\n\n
\n\n\n\nClipboard and File Transfer Restrictions<\/h1>\n\n\n\n
File transfer and clipboard access can introduce operational and security risks inside OT environments.<\/p>\n\n\n\n
Apache Guacamole supports restricting:<\/p>\n\n\n\n
- \n
- clipboard usage<\/li>\n\n\n\n
- copy\/paste operations<\/li>\n\n\n\n
- drive redirection<\/li>\n\n\n\n
- file transfers<\/li>\n<\/ul>\n\n\n\n
Relevant configuration examples:<\/p>\n\n\n\n
disable-copy=true\ndisable-paste=true\nenable-drive=false\n<\/code><\/pre>\n\n\n\nThis can help reduce:<\/p>\n\n\n\n
- \n
- malware introduction<\/li>\n\n\n\n
- unauthorized tool uploads<\/li>\n\n\n\n
- accidental file movement<\/li>\n\n\n\n
- uncontrolled data transfers<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nSession Recording and Auditing<\/h1>\n\n\n\n
One of the major issues in OT remote access environments is the lack of visibility into vendor activity.<\/p>\n\n\n\n
Apache Guacamole supports:<\/p>\n\n\n\n
- \n
- session history<\/li>\n\n\n\n
- audit logging<\/li>\n\n\n\n
- session recording<\/li>\n\n\n\n
- connection tracking<\/li>\n<\/ul>\n\n\n\n
Recording configuration examples:<\/p>\n\n\n\n
recording-path:\n\/var\/lib\/guacamole\/recordings\n<\/code><\/pre>\n\n\n\ncreate-recording-path=true\n<\/code><\/pre>\n\n\n\nSSH recording support:<\/p>\n\n\n\n
typescript-path:\n<\/code><\/pre>\n\n\n\nDatabase audit history tables include:<\/p>\n\n\n\n
- \n
guacamole_connection_history<\/code><\/li>\n\n\n\nguacamole_user_history<\/code><\/li>\n<\/ul>\n\n\n\nThis helps organizations improve:<\/p>\n\n\n\n
- \n
- accountability<\/li>\n\n\n\n
- auditing<\/li>\n\n\n\n
- compliance<\/li>\n\n\n\n
- incident investigations<\/li>\n\n\n\n
- operational visibility<\/li>\n<\/ul>\n\n\n\n
Instead of relying entirely on trust, organizations gain the ability to review and investigate remote sessions when required.<\/p>\n\n\n\n
\n\n\n\nBrowser-Based Clientless Access<\/h1>\n\n\n\n
Apache Guacamole uses:<\/p>\n\n\n\n
- \n
- an HTML5 frontend<\/li>\n\n\n\n
- WebSocket tunneling<\/li>\n<\/ul>\n\n\n\n
No additional client software is required on the endpoint.<\/p>\n\n\n\n
Reverse proxies must support:<\/p>\n\n\n\n
Upgrade: websocket\n<\/code><\/pre>\n\n\n\nThis helps reduce dependency on unmanaged remote access software installed on vendor systems.<\/p>\n\n\n\n
\n\n\n\nSSL\/TLS Enforcement<\/h1>\n\n\n\n
Remote OT access should always use encrypted communications.<\/p>\n\n\n\n
Apache Guacamole deployments commonly use reverse proxies such as:<\/p>\n\n\n\n
- \n
- Nginx<\/li>\n\n\n\n
- Apache HTTP Server<\/li>\n<\/ul>\n\n\n\n
Example TLS configuration:<\/p>\n\n\n\n
server {\n listen 443 ssl;\n ssl_certificate ...\n ssl_certificate_key ...\n}\n<\/code><\/pre>\n\n\n\nRelevant Guacamole proxy settings:<\/p>\n\n\n\n
proxy-hostname:\nproxy-port:\n<\/code><\/pre>\n\n\n\nThis helps protect:<\/p>\n\n\n\n
- \n
- remote sessions<\/li>\n\n\n\n
- credentials<\/li>\n\n\n\n
- authentication traffic<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nBrute-Force Protection<\/h1>\n\n\n\n
Internet-facing remote access systems are commonly targeted by password attacks.<\/p>\n\n\n\n
Apache Guacamole supports brute-force protection using:<\/p>\n\n\n\n
guacamole-auth-ban\n<\/code><\/pre>\n\n\n\nRelevant configuration examples:<\/p>\n\n\n\n
ban-address-duration: 300\nban-max-invalid-attempts: 5\nban-max-attempts-per-interval: 5\nban-login-failure-window: 60\n<\/code><\/pre>\n\n\n\nThis helps reduce automated login attack attempts against remote access portals.<\/p>\n\n\n\n
\n\n\n\nDatabase-Backed Centralized Administration<\/h1>\n\n\n\n
Apache Guacamole supports centralized administration using:<\/p>\n\n\n\n
- \n
- MySQL<\/li>\n\n\n\n
- PostgreSQL<\/li>\n<\/ul>\n\n\n\n
Supported extensions:<\/p>\n\n\n\n
- \n
guacamole-auth-jdbc-mysql<\/code><\/li>\n\n\n\nguacamole-auth-jdbc-postgresql<\/code><\/li>\n<\/ul>\n\n\n\nExample MySQL configuration:<\/p>\n\n\n\n
mysql-hostname:\nmysql-port:\nmysql-database:\nmysql-username:\nmysql-password:\n<\/code><\/pre>\n\n\n\nExample PostgreSQL configuration:<\/p>\n\n\n\n
postgresql-hostname:\npostgresql-port:\npostgresql-database:\npostgresql-username:\npostgresql-password:\n<\/code><\/pre>\n\n\n\nThis helps organizations centralize:<\/p>\n\n\n\n
- \n
- users<\/li>\n\n\n\n
- permissions<\/li>\n\n\n\n
- audit data<\/li>\n\n\n\n
- connection management<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nSecure DMZ and Jump-Host Architecture<\/h1>\n\n\n\n
One of the most dangerous mistakes in OT environments is exposing RDP or engineering systems directly to the internet.<\/p>\n\n\n\n
Apache Guacamole should not provide unrestricted access directly into industrial networks.<\/p>\n\n\n\n
A more controlled deployment model places Guacamole behind:<\/p>\n\n\n\n
- \n
- reverse proxies<\/li>\n\n\n\n
- firewalls<\/li>\n\n\n\n
- DMZ environments<\/li>\n\n\n\n
- jump hosts<\/li>\n<\/ul>\n\n\n\n
This approach helps organizations:<\/p>\n\n\n\n
- \n
- centralize remote access<\/li>\n\n\n\n
- reduce direct exposure of OT assets<\/li>\n\n\n\n
- apply segmentation boundaries<\/li>\n\n\n\n
- monitor vendor sessions<\/li>\n\n\n\n
- restrict reachable systems<\/li>\n<\/ul>\n\n\n\n
instead of exposing engineering systems directly to external users.<\/p>\n\n\n\n
Suggested deployment diagram:<\/p>\n\n\n\n
![\"\"](\"https:\/\/zerontek.com\/zt\/wp-content\/uploads\/2026\/05\/gua-diagram-683x1024.png\")
<\/figure>\n\n\n\n
\n\n\n\nOpen Source and Operational Control<\/h1>\n\n\n\n
Many organizations are increasingly exploring open-source technologies to improve operational control and reduce dependency on proprietary ecosystems.<\/p>\n\n\n\n
Open-source platforms provide:<\/p>\n\n\n\n
- \n
- self-hosted deployment flexibility<\/li>\n\n\n\n
- visibility into configurations<\/li>\n\n\n\n
- integration freedom<\/li>\n\n\n\n
- reduced vendor lock-in<\/li>\n\n\n\n
- deployment customization<\/li>\n<\/ul>\n\n\n\n
For OT environments, this becomes especially valuable when organizations require greater operational ownership over their remote access infrastructure.<\/p>\n\n\n\n
\n\n\n\nFinal Thoughts<\/h1>\n\n\n\n
Remote access is now a normal operational requirement in many industrial environments. The challenge is making it secure, controlled, and operationally manageable.<\/p>\n\n\n\n
Apache Guacamole provides multiple features that can help organizations improve centralized remote access management in OT and ICS environments when deployed correctly.<\/p>\n\n\n\n
These capabilities include:<\/p>\n\n\n\n
- \n
- browser-based access<\/li>\n\n\n\n
- MFA<\/li>\n\n\n\n
- LDAP\/AD integration<\/li>\n\n\n\n
- SSO<\/li>\n\n\n\n
- session recording<\/li>\n\n\n\n
- access restrictions<\/li>\n\n\n\n
- brute-force protection<\/li>\n\n\n\n
- centralized administration<\/li>\n\n\n\n
- segmented deployment architectures<\/li>\n<\/ul>\n\n\n\n
Like any security technology, proper architecture and operational controls remain critical.<\/p>\n\n\n\n
Guacamole should not be viewed as:<\/p>\n\n\n\n
- \n
- a magic security product<\/li>\n\n\n\n
- a replacement for segmentation<\/li>\n\n\n\n
- a replacement for firewalls<\/li>\n\n\n\n
- a replacement for OT security architecture<\/li>\n<\/ul>\n\n\n\n
Instead, it should be treated as a controlled remote access broker operating inside a properly designed OT environment.<\/p>\n\n\n\n
At ZeroNtek<\/a>, we help organizations worldwide design and deploy secure open-source solutions for both OT and IT environments.<\/p>\n\n\n\n
This includes:<\/p>\n\n\n\n
- \n
- secure remote access architectures<\/li>\n\n\n\n
- OT segmentation guidance<\/li>\n\n\n\n
- logging and monitoring integration<\/li>\n\n\n\n
- open-source OT security deployments<\/li>\n\n\n\n
- hardening and operational support<\/li>\n<\/ul>\n\n\n\n
We strongly believe open-source technologies can play an important role in building more transparent, flexible, and sovereign security environments for critical infrastructure and industrial operations.<\/p>\n\n\n\n
\n\n\n\nReferences<\/h1>\n\n\n\n
- \n
- Apache Guacamole Official Website<\/a><\/li>\n\n\n\n
- Apache Guacamole Configuration Guide<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Remote access has become one of the biggest challenges in OT and ICS environments. Industrial facilities often require vendors, engineers, system integrators, and support teams to remotely access: In many environments, this access was introduced years ago using: While these methods may solve operational problems, they can also introduce major cybersecurity risks inside industrial environments. […]<\/p>\n","protected":false},"author":2,"featured_media":1829,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[304,4,3,46,48,302],"tags":[303,7,6,47,27],"class_list":["post-1823","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-apache-guacamole","category-cyber-security","category-ics-security","category-ics-tools","category-ot-security","category-remote-access","tag-apache-guacamole","tag-cyber-security","tag-ics-security","tag-ot-security","tag-zerontek"],"_links":{"self":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/comments?post=1823"}],"version-history":[{"count":10,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1823\/revisions"}],"predecessor-version":[{"id":1837,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/posts\/1823\/revisions\/1837"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media\/1829"}],"wp:attachment":[{"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/media?parent=1823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/categories?post=1823"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerontek.com\/zt\/wp-json\/wp\/v2\/tags?post=1823"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Apache Guacamole Configuration Guide<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
- Apache Guacamole Official Website<\/a><\/li>\n\n\n\n