🖱️ Setup Apache Guacamole — Clientless Remote Desktop
Deploy a browser-based remote desktop gateway that supports VNC, RDP, and SSH — no client software required. Runs entirely in the browser via Docker.
📦 Resources & Setup Scripts
Grab the automated bash script from GitHub to follow along with the video.
Tutorial Steps
1 Download & Run the Script
The script installs Docker, cleans up old containers, generates a ready-to-run docker-compose.yml, and starts the full Guacamole stack.
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/remote-access/guacamole/guacamole-ubuntu.sh
chmod +x guacamole-ubuntu.sh
sudo bash guacamole-ubuntu.sh
2 Access the Web UI
http://<your-server-ip>:8090/guacamole
3 Login with Default Credentials
| Field | Value |
|---|---|
| Username | guacadmin |
| Password | guacadmin |
4 Add a Remote Connection
Go to Settings → Connections → New Connection. Choose the protocol (RDP, VNC, or SSH), enter the target host IP and credentials, then save and connect.
Ports Used
| Port | Purpose |
|---|---|
| 8090 | Guacamole Web UI |
Files Location
/root/docker/guacamole/
├── docker-compose.yml
└── postgres/
Overview
Apache Guacamole is a clientless remote desktop gateway that runs entirely in a web browser. It supports RDP, VNC, SSH, and Telnet protocols, acting as a central access point to all your remote machines with no client software required on the connecting device. Authentication, session logging, and connection sharing are all managed from a central admin panel.
Why Use It
Apache Guacamole solves the remote access problem for environments where installing VPN clients or RDP tools on every endpoint is impractical. By running entirely in the browser, it enables access from tablets, Chromebooks, locked-down corporate laptops, and any device with a modern browser. Organizations get a single, auditable access point for RDP, VNC, SSH, and Telnet connections — replacing a sprawl of individual remote desktop tools with one governed gateway.
When You Need It
Who Should Use It
Real Use Cases
Main Features
How to Use After Installation
Security Best Practices
Ports and Firewall Notes
Guacamole's web UI listens on port 8080 inside its container; in this setup it is reachable on host port 8090 (see Ports Used). Reverse-proxy it to HTTPS on port 443 and never expose the plain-HTTP port directly. The guacd daemon (the native connection handler) listens on port 4822 internally and should not be externally accessible. Guacamole itself connects outbound to your target machines on their RDP (3389), VNC (5900), or SSH (22) ports. Ensure those are reachable from the Guacamole host but not from the internet.
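To check a host against these rules, the following added example (not part of the original page or of the install script) reads `ss -H -tln` output and reports any of the ports named above (8090, 8080, 4822) that listen on a non-loopback address. The function names and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag Guacamole-related listeners reachable from other hosts.
# Ports are the ones named on this page: 8090 (published web UI),
# 8080 (web UI inside the container), 4822 (guacd).
GUAC_PORTS="8090 8080 4822"

# Reads `ss -H -tln` lines on stdin (State Recv-Q Send-Q Local:Port Peer:Port).
# Prints "EXPOSED <addr> <port>" for every Guacamole port bound to a
# non-loopback address and returns 1 if at least one was found.
audit_listeners() {
  awk -v ports="$GUAC_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
      gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # [::1] -> ::1
      sub(/%.*/, "", addr)                   # drop a %interface suffix
      if (!(port in want)) next              # not a Guacamole port
      if (addr ~ /^127\./ || addr == "::1") next   # loopback only: acceptable
      print "EXPOSED", addr, port
      found = 1
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample: web UI published on all interfaces (IPv4 and IPv6),
# guacd bound to loopback, plus SSH and the HTTPS reverse proxy.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0      4096         0.0.0.0:8090       0.0.0.0:*
LISTEN 0      4096       127.0.0.1:4822       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      4096            [::]:8090          [::]:*
EOF
}

# Demo on the sample; on a real host run: ss -H -tln | audit_listeners
sample_ss_output | audit_listeners ||
  echo "Bind the ports above to 127.0.0.1 and publish only HTTPS on 443."
```

A non-zero exit status makes the function usable as a gate in a provisioning or monitoring script.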
Backup and Maintenance
Common Mistakes
Troubleshooting
Alternatives
Apache Guacamole is the most mature self-hosted option for clientless remote access. For commercial alternatives, JumpCloud and BeyondTrust offer enterprise-grade privileged access management with more features but significant cost. Teleport is an open-source alternative focused on secure infrastructure access for engineering teams — it handles SSH, Kubernetes, and databases in addition to RDP, with a strong zero-trust model. For simpler use cases, directly exposing a VNC or RDP server behind an Nginx proxy with basic auth is less capable but far simpler to maintain.
When Not to Use It
Guacamole adds deployment complexity that may not be justified for small teams with just a few Linux servers — a simple SSH key setup or a WireGuard VPN with direct RDP is simpler and equally secure. If your primary need is SSH terminal access only, tools like Teleport or a web-based SSH terminal like Wetty may be lighter solutions. For environments with hundreds of servers, Guacamole's lack of native session deduplication and centralized secrets management may push you toward a dedicated Privileged Access Management platform.
Frequently Asked Questions
Does Guacamole require any software installed on the machines I'm connecting to?
No. Guacamole connects to standard protocols — RDP for Windows, SSH for Linux, VNC for graphical Linux/Mac. The target machine only needs to have the relevant service running (Remote Desktop enabled on Windows, SSH server on Linux). No Guacamole agent is needed on the remote machine.
Can Guacamole be used for unattended server access or only live support?
Guacamole works for both. For unattended access you configure saved connections with stored credentials. For attended support you can create connections that prompt for credentials each time. Session sharing lets two users view the same connection for collaborative troubleshooting.
How does Guacamole compare to a VPN for secure remote access?
A VPN extends your network so you can use native RDP/SSH tools. Guacamole provides browser-based access without client software. VPNs are better for full network access; Guacamole is better for controlled, audited access to specific machines without giving users full network reach. They can also be combined — Guacamole behind a VPN adds a second layer.
Does Guacamole support copy-paste between my local machine and the remote desktop?
Yes. Clipboard sharing is supported for RDP and SSH connections. For RDP, paste works from local to remote and vice versa. The clipboard integration in browsers has some limitations depending on browser security settings — Chrome generally works best. Some clipboard types (formatted text, images) may not transfer.
Can I record and playback remote sessions in Guacamole?
Yes. Guacamole supports session recording for RDP and graphical VNC connections. Recordings are stored in the Guacamole recordings directory and can be played back from the admin panel. SSH terminal sessions can be recorded as text logs. This feature is critical for compliance in regulated environments.
How many simultaneous users can Guacamole handle?
Guacamole scales reasonably with hardware. The guacd process handles each connection separately. A VPS with 2-4 vCPUs and 4 GB RAM can comfortably handle 20-50 simultaneous active sessions. For larger deployments, you can run multiple guacd instances and load-balance. Disk I/O becomes a bottleneck when session recording is enabled at scale.
Can I integrate Guacamole with Active Directory for user authentication?
Yes. Guacamole supports LDAP and Active Directory authentication out of the box. Configure the LDAP extension with your AD domain controller details and users can log in with their Windows credentials. Groups can map to connection permissions, so AD group membership determines which machines users can access.
What is the difference between Guacamole and RustDesk or Remotely?
Guacamole is a gateway for connecting to existing services (RDP servers, SSH, VNC) — it doesn't require an agent on the target. RustDesk installs a relay server and requires the RustDesk client on both ends — it's designed for peer-to-peer remote desktop. Remotely focuses on IT helpdesk scenarios with a lightweight agent that enables support access to user machines. Guacamole suits infrastructure access; RustDesk and Remotely suit user support.
