doc/1.5.5/gug/configuring-guacamole.html (2,701 lines of code) (raw):
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Configuring Guacamole — Apache Guacamole Manual v1.5.5</title>
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="_static/tabs.css" type="text/css" />
<link rel="stylesheet" href="_static/gug.css" type="text/css" />
<!--[if lt IE 9]>
<script src="_static/js/html5shiv.min.js"></script>
<![endif]-->
<script src="_static/jquery.js?v=5d32c60e"></script>
<script src="_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="_static/documentation_options.js?v=5929fcd5"></script>
<script src="_static/doctools.js?v=888ff710"></script>
<script src="_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="_static/tabs.js?v=3ee01567"></script>
<script src="_static/js/theme.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Database authentication" href="jdbc-auth.html" />
<link rel="prev" title="Proxying Guacamole" href="reverse-proxy.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="index.html" class="icon icon-home">
Apache Guacamole
</a>
<div class="version">
1.5.5
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<p class="caption" role="heading"><span class="caption-text">Overview</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="introduction.html">Introduction</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">User's Guide</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="guacamole-architecture.html">Implementation and architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="installing-guacamole.html">Installing Guacamole natively</a></li>
<li class="toctree-l1"><a class="reference internal" href="guacamole-docker.html">Installing Guacamole with Docker</a></li>
<li class="toctree-l1"><a class="reference internal" href="reverse-proxy.html">Proxying Guacamole</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">Configuring Guacamole</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#guacamole-home-etc-guacamole"><code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code> (<code class="docutils literal notranslate"><span class="pre">/etc/guacamole</span></code>)</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#overriding-guacamole-home">Overriding <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code></a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#guacamole-properties"><code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="#logging-within-the-web-application">Logging within the web application</a></li>
<li class="toctree-l2"><a class="reference internal" href="#using-the-default-authentication">Using the default authentication</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#user-mapping-xml"><code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code></a><ul>
<li class="toctree-l4"><a class="reference internal" href="#adding-users">Adding users</a></li>
<li class="toctree-l4"><a class="reference internal" href="#adding-connections-to-a-user">Adding connections to a user</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#configuring-connections">Configuring connections</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#vnc">VNC</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#network-parameters">Network parameters</a></li>
<li class="toctree-l4"><a class="reference internal" href="#authentication">Authentication</a></li>
<li class="toctree-l4"><a class="reference internal" href="#display-settings">Display settings</a></li>
<li class="toctree-l4"><a class="reference internal" href="#vnc-repeater">VNC Repeater</a></li>
<li class="toctree-l4"><a class="reference internal" href="#reverse-vnc-connections">Reverse VNC connections</a></li>
<li class="toctree-l4"><a class="reference internal" href="#audio-support-via-pulseaudio">Audio support (via PulseAudio)</a></li>
<li class="toctree-l4"><a class="reference internal" href="#clipboard-encoding">Clipboard encoding</a></li>
<li class="toctree-l4"><a class="reference internal" href="#adding-a-vnc-connection">Adding a VNC connection</a></li>
<li class="toctree-l4"><a class="reference internal" href="#which-vnc-server">Which VNC server?</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#rdp">RDP</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#rdp-network-parameters">Network parameters</a></li>
<li class="toctree-l4"><a class="reference internal" href="#authentication-and-security">Authentication and security</a></li>
<li class="toctree-l4"><a class="reference internal" href="#clipboard-normalization">Clipboard normalization</a></li>
<li class="toctree-l4"><a class="reference internal" href="#session-settings">Session settings</a></li>
<li class="toctree-l4"><a class="reference internal" href="#rdp-display-settings">Display settings</a></li>
<li class="toctree-l4"><a class="reference internal" href="#device-redirection">Device redirection</a></li>
<li class="toctree-l4"><a class="reference internal" href="#preconnection-pdu-hyper-v-vmconnect">Preconnection PDU (Hyper-V / VMConnect)</a></li>
<li class="toctree-l4"><a class="reference internal" href="#remote-desktop-gateway">Remote desktop gateway</a></li>
<li class="toctree-l4"><a class="reference internal" href="#load-balancing-and-rdp-connection-brokers">Load balancing and RDP connection brokers</a></li>
<li class="toctree-l4"><a class="reference internal" href="#performance-flags">Performance flags</a></li>
<li class="toctree-l4"><a class="reference internal" href="#remoteapp">RemoteApp</a></li>
<li class="toctree-l4"><a class="reference internal" href="#adding-an-rdp-connection">Adding an RDP connection</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#ssh">SSH</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#ssh-host-verification">SSH Host Verification</a></li>
<li class="toctree-l4"><a class="reference internal" href="#ssh-network-parameters">Network parameters</a></li>
<li class="toctree-l4"><a class="reference internal" href="#ssh-authentication">Authentication</a></li>
<li class="toctree-l4"><a class="reference internal" href="#running-a-command-instead-of-a-shell">Running a command (instead of a shell)</a></li>
<li class="toctree-l4"><a class="reference internal" href="#internationalization-locale-settings">Internationalization/Locale settings</a></li>
<li class="toctree-l4"><a class="reference internal" href="#sftp">SFTP</a></li>
<li class="toctree-l4"><a class="reference internal" href="#adding-an-ssh-connection">Adding an SSH connection</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#telnet">Telnet</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#telnet-network-parameters">Network parameters</a></li>
<li class="toctree-l4"><a class="reference internal" href="#telnet-authentication">Authentication</a></li>
<li class="toctree-l4"><a class="reference internal" href="#adding-a-telnet-connection">Adding a telnet connection</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#kubernetes">Kubernetes</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#network-container-parameters">Network/Container parameters</a></li>
<li class="toctree-l4"><a class="reference internal" href="#authentication-and-ssl-tls">Authentication and SSL/TLS</a></li>
<li class="toctree-l4"><a class="reference internal" href="#adding-a-kubernetes-connection">Adding a Kubernetes connection</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#common-configuration-options">Common configuration options</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#disabling-clipboard-access">Disabling clipboard access</a></li>
<li class="toctree-l4"><a class="reference internal" href="#file-transfer-via-sftp">File transfer via SFTP</a></li>
<li class="toctree-l4"><a class="reference internal" href="#graphical-session-recording">Graphical session recording</a></li>
<li class="toctree-l4"><a class="reference internal" href="#text-session-recording-typescripts">Text session recording (typescripts)</a></li>
<li class="toctree-l4"><a class="reference internal" href="#controlling-terminal-behavior">Controlling terminal behavior</a></li>
<li class="toctree-l4"><a class="reference internal" href="#terminal-display-settings">Terminal display settings</a></li>
<li class="toctree-l4"><a class="reference internal" href="#wake-on-lan">Wake-on-LAN</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#parameter-tokens">Parameter tokens</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#token-modifiers">Token modifiers</a></li>
<li class="toctree-l4"><a class="reference internal" href="#extension-specific-tokens">Extension-specific tokens</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#parameter-prompting">Parameter prompting</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#configuring-guacd">Configuring guacd</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id12"><code class="docutils literal notranslate"><span class="pre">guacd.conf</span></code></a><ul>
<li class="toctree-l4"><a class="reference internal" href="#daemon-section"><code class="docutils literal notranslate"><span class="pre">[daemon]</span></code> section</a></li>
<li class="toctree-l4"><a class="reference internal" href="#server-section"><code class="docutils literal notranslate"><span class="pre">[server]</span></code> section</a></li>
<li class="toctree-l4"><a class="reference internal" href="#ssl-section"><code class="docutils literal notranslate"><span class="pre">[ssl]</span></code> section</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="#command-line-options">Command-line options</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="jdbc-auth.html">Database authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="ldap-auth.html">LDAP authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="vault.html">Retrieving secrets from a vault</a></li>
<li class="toctree-l1"><a class="reference internal" href="duo-auth.html">Duo two-factor authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="totp-auth.html">TOTP two-factor authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="header-auth.html">HTTP header authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="json-auth.html">Encrypted JSON authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="cas-auth.html">CAS Authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="openid-auth.html">OpenID Connect Authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="saml-auth.html">SAML Authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="radius-auth.html">RADIUS Authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="adhoc-connections.html">Ad-hoc Connections</a></li>
<li class="toctree-l1"><a class="reference internal" href="using-guacamole.html">Using Guacamole</a></li>
<li class="toctree-l1"><a class="reference internal" href="recording-playback.html">Viewing session recordings in-browser</a></li>
<li class="toctree-l1"><a class="reference internal" href="administration.html">Administration</a></li>
<li class="toctree-l1"><a class="reference internal" href="troubleshooting.html">Troubleshooting</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">Developer's Guide</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="guacamole-protocol.html">The Guacamole protocol</a></li>
<li class="toctree-l1"><a class="reference internal" href="libguac.html">libguac</a></li>
<li class="toctree-l1"><a class="reference internal" href="guacamole-common.html">guacamole-common</a></li>
<li class="toctree-l1"><a class="reference internal" href="guacamole-common-js.html">guacamole-common-js</a></li>
<li class="toctree-l1"><a class="reference internal" href="guacamole-ext.html">guacamole-ext</a></li>
<li class="toctree-l1"><a class="reference internal" href="custom-protocols.html">Adding new protocols</a></li>
<li class="toctree-l1"><a class="reference internal" href="custom-auth.html">Custom authentication</a></li>
<li class="toctree-l1"><a class="reference internal" href="event-listeners.html">Event listeners</a></li>
<li class="toctree-l1"><a class="reference internal" href="writing-you-own-guacamole-app.html">Writing your own Guacamole application</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">Appendices</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="protocol-reference.html">Guacamole protocol reference</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">Apache Guacamole</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item active">Configuring Guacamole</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/configuring-guacamole.md.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="configuring-guacamole">
<h1>Configuring Guacamole<a class="headerlink" href="#configuring-guacamole" title="Link to this heading"></a></h1>
<p>After installing Guacamole, you need to configure users and connections before
Guacamole will work. This chapter covers general configuration of Guacamole and
the use of its default authentication method.</p>
<p>Guacamole’s default authentication method reads all users and connections from
a single file called <code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code>. This authentication method is intended
to be:</p>
<ol class="arabic simple">
<li><p>Sufficient for small deployments of Guacamole.</p></li>
<li><p>A relatively-easy means of verifying that Guacamole has been properly set
up.</p></li>
</ol>
<p>Other, more complex authentication methods which use backend databases, LDAP,
etc. are discussed in a separate, dedicated chapters.</p>
<p>Regardless of the authentication method you use, Guacamole’s configuration
always consists of two main pieces: a directory referred to as
<code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code>, which is the primary search location for configuration files,
and <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code>, the main configuration file used by Guacamole and
its extensions.</p>
<section id="guacamole-home-etc-guacamole">
<span id="guacamole-home"></span><h2><code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code> (<code class="docutils literal notranslate"><span class="pre">/etc/guacamole</span></code>)<a class="headerlink" href="#guacamole-home-etc-guacamole" title="Link to this heading"></a></h2>
<p><code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code> is the name given to Guacamole’s configuration directory,
which is located at <code class="docutils literal notranslate"><span class="pre">/etc/guacamole</span></code> by default. All configuration files,
extensions, etc. reside within this directory. The structure of
<code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code> is rigorously defined, and consists of the following optional
files:</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code></dt><dd><p>The main Guacamole configuration file. Properties within this file dictate
how Guacamole will connect to guacd, and may configure the behavior of
installed authentication extensions.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">logback.xml</span></code></dt><dd><p>Guacamole uses a logging system called Logback for all messages. By
default, Guacamole will log to the console only, but you can change this
by providing your own Logback configuration file.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">extensions/</span></code></dt><dd><p>The install location for all Guacamole extensions. Guacamole will
automatically load all <code class="docutils literal notranslate"><span class="pre">.jar</span></code> files within this directory on startup.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">lib/</span></code></dt><dd><p>The search directory for libraries required by any Guacamole extensions.
Guacamole will make the <code class="docutils literal notranslate"><span class="pre">.jar</span></code> files within this directory available to
all extensions. If your extensions require additional libraries, such as
database drivers, this is the proper place to put them.</p>
</dd>
</dl>
<section id="overriding-guacamole-home">
<span id="id1"></span><h3>Overriding <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code><a class="headerlink" href="#overriding-guacamole-home" title="Link to this heading"></a></h3>
<p>If you cannot or do not wish to use <code class="docutils literal notranslate"><span class="pre">/etc/guacamole</span></code> for <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code>, the
location can be overridden through any of the following methods:</p>
<ol class="arabic simple">
<li><p>Creating a directory named <code class="docutils literal notranslate"><span class="pre">.guacamole</span></code>, within the home directory of <em>the
user running the servlet container</em>. This directory will automatically be
used for <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code> if it exists.</p></li>
<li><p>Specifying the full path to an alternative directory with the environment
variable <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code>. <em>Be sure to consult the documentation for your
servlet container to determine how to properly set environment variables.</em></p></li>
<li><p>Specifying the full path to an alternative directory with the system
property guacamole.home.</p></li>
</ol>
</section>
</section>
<section id="guacamole-properties">
<span id="initial-setup"></span><h2><code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code><a class="headerlink" href="#guacamole-properties" title="Link to this heading"></a></h2>
<p>The Guacamole web application uses one main configuration file called
<code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code>. This file is the common location for all configuration
properties read by Guacamole or any extension of Guacamole, including
authentication providers.</p>
<p>In previous releases, this file had to be in the classpath of your servlet
container. Now, the location of <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> can be explicitly
defined with environment variables or system properties, and the classpath is
only used as a last resort. When searching for <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code>,
Guacamole will check, in order:</p>
<ol class="arabic simple">
<li><p>Within <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code>, as defined above.</p></li>
<li><p>The classpath of the servlet container.</p></li>
</ol>
<p>The <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> file is optional and is used to configure Guacamole
in situations where the defaults are insufficient, or to provide additional
configuration information for extensions. There are several standard properties
that are always available for use:</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">api-session-timeout</span></code></dt><dd><p>The amount of time, in minutes, to allow Guacamole sessions
(authentication tokens) to remain valid despite inactivity. If omitted,
Guacamole sessions will expire after 60 minutes of inactivity.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">api-max-request-size</span></code></dt><dd><p>The maximum number of bytes to accept within the entity body of any
particular HTTP request, where 0 indicates that no limit should be
applied. If omitted, requests will be limited to 2097152 bytes (2 MB) by
default. This limit does not apply to file uploads.</p>
<p>If using a reverse proxy for SSL termination, <em>keep in mind that reverse
proxies may enforce their own limits independently of this</em>. For example,
<a class="reference internal" href="reverse-proxy.html#nginx-file-upload-size"><span class="std std-ref">Nginx will enforce a 1 MB request size limit by
default</span></a>.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">allowed-languages</span></code></dt><dd><p>A comma-separated whitelist of language keys to allow as display language
choices within the Guacamole interface. For example, to restrict Guacamole
to only English and German, you would specify:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>allowed-languages: en, de
</pre></div>
</div>
<p>As English is the fallback language, used whenever a translation key is
missing from the chosen language, English should only be omitted from this
list if you are absolutely positive that no strings are missing.</p>
<p>The corresponding JSON of any built-in languages not listed here will
still be available over HTTP, but the Guacamole interface will not use
them, nor will they be used automatically based on local browser language.
If omitted, all defined languages will be available.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-environment-properties</span></code></dt><dd><p>If set to “true”, Guacamole will first evaluate its environment to obtain
the value for any given configuration property, before using a value
specified in <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> or falling back to a default value. By
enabling this option, you can easily override any other configuration
property using an environment variable.</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>enable-environment-properties: true
</pre></div>
</div>
<p>When searching for a configuration property in the environment, the name
of the property is first transformed by converting all lower case
characters to their upper case equivalents, and by replacing all hyphen
characters (<code class="docutils literal notranslate"><span class="pre">-</span></code>) with underscore characters (<code class="docutils literal notranslate"><span class="pre">_</span></code>). For example, the
<code class="docutils literal notranslate"><span class="pre">guacd-hostname</span></code> property would be transformed to <code class="docutils literal notranslate"><span class="pre">GUACD_HOSTNAME</span></code> when
searching the environment.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">extension-priority</span></code></dt><dd><p>A comma-separated list of the namespaces of all extensions that should be
loaded in a specific order. The special value <code class="docutils literal notranslate"><span class="pre">*</span></code> can be used in lieu of a
namespace to represent all extensions that are not listed. All extensions
explicitly listed will be sorted in the order given, while all extensions
not explicitly listed will be sorted by their filenames.</p>
<p>For example, to ensure support for SAML is loaded <em>first</em>:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>extension-priority: saml
</pre></div>
</div>
<p>Or to ensure support for SAML is loaded <em>last</em>:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>extension-priority: *, saml
</pre></div>
</div>
<p>If unsure which namespaces apply or the order that your extensions are
loaded, check the Guacamole logs. The namespaces and load order of all
installed extensions are logged by Guacamole during startup:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>...
23:32:06.467 [main] INFO o.a.g.extension.ExtensionModule - Multiple extensions are installed and will be loaded in order of decreasing priority:
23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/etc/guacamole/extensions/guacamole-auth-jdbc-postgresql-1.5.5.jar)
23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [ldap] "LDAP Authentication" (/etc/guacamole/extensions/guacamole-auth-ldap-1.5.5.jar)
23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [openid] "OpenID Authentication Extension" (/etc/guacamole/extensions/guacamole-auth-sso-openid-1.5.5.jar)
23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [saml] "SAML Authentication Extension" (/etc/guacamole/extensions/guacamole-auth-sso-saml-1.5.5.jar)
23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - To change this order, set the "extension-priority" property or rename the extension files. The default priority of extensions is dictated by the sort order of their filenames.
...
</pre></div>
</div>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">guacd-hostname</span></code></dt><dd><p>The host the Guacamole proxy daemon (guacd) is listening on. If omitted,
Guacamole will assume guacd is listening on localhost.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">guacd-port</span></code></dt><dd><p>The port the Guacamole proxy daemon (guacd) is listening on. If omitted,
Guacamole will assume guacd is listening on port 4822.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">guacd-ssl</span></code></dt><dd><p>If set to “true”, Guacamole will require SSL/TLS encryption between the
web application and guacd. By default, communication between the web
application and guacd will be unencrypted.</p>
<p>Note that if you enable this option, you must also configure guacd to use
SSL via command line options. These options are documented in the manpage
of guacd. You will need an SSL certificate and private key.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">skip-if-unavailable</span></code></dt><dd><p>A comma-separated list of the identifiers of authentication providers that
should be allowed to fail internally without aborting the authentication
process. For example, to request that Guacamole ignore failures due to the
LDAP directory or MySQL server being unexpectedly down, allowing other
authentication providers to continue functioning:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>skip-if-unavailable: mysql, ldap
</pre></div>
</div>
<p>By default, Guacamole takes a conservative approach to internal failures,
aborting the authentication process if an internal error occurs within any
authentication provider. Depending on the nature of the error, this may
mean that no users can log in until the cause of the failure is dealt
with. The <code class="docutils literal notranslate"><span class="pre">skip-if-unavailable</span></code> property may be used to explicitly inform
Guacamole that one or more underlying systems are expected to occasionally
experience failures, and that other functioning systems should be relied
upon if they do fail.</p>
</dd>
</dl>
<p>A typical <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> that defines explicit values for the
<code class="docutils literal notranslate"><span class="pre">guacd-hostname</span></code> and <code class="docutils literal notranslate"><span class="pre">guacd-port</span></code> properties would look like:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span># Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
</pre></div>
</div>
</section>
<section id="logging-within-the-web-application">
<span id="webapp-logging"></span><h2>Logging within the web application<a class="headerlink" href="#logging-within-the-web-application" title="Link to this heading"></a></h2>
<p>By default, Guacamole logs all messages to the console. Servlet containers like
Tomcat will automatically redirect these messages to a log file, <code class="docutils literal notranslate"><span class="pre">catalina.out</span></code>
in the case of Tomcat, which you can read through while Guacamole runs.
Messages are logged at four different log levels, depending on message
importance and severity:</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">error</span></code></dt><dd><p>Errors are fatal conditions. An operation, described in the log message,
was attempted but could not proceed, and the failure of this operation is
a serious problem that needs to be addressed.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">warn</span></code></dt><dd><p>Warnings are generally non-fatal conditions. The operation continued, but
encountered noteworthy problems.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">info</span></code></dt><dd><p>“Info” messages are purely informational. They may be useful or
interesting to administrators, but are not generally critical to proper
operation of a Guacamole server.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">debug</span></code></dt><dd><p>Debug messages are highly detailed and oriented toward development. Most
debug messages will contain stack traces and internal information that is
useful when investigating problems within code. It is expected that debug
messages, though verbose, will not affect performance.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">trace</span></code></dt><dd><p>Trace messages are similar to debug messages in intent and verbosity, but
are so low-level that they may affect performance due to their frequency.
Trace-level logging is rarely necessary, and is mainly useful in providing
highly detailed context around issues being investigated.</p>
</dd>
</dl>
<p>Guacamole logs messages using a logging framework called
<a class="reference external" href="http://logback.qos.ch/">Logback</a> and, by default, will only log messages at
the “<code class="docutils literal notranslate"><span class="pre">info</span></code>” level or higher. If you wish to change the log level, or configure
how or where Guacamole logs messages, you can do so by providing your own
<code class="docutils literal notranslate"><span class="pre">logback.xml</span></code> file within <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code>. For example, to log all messages
to the console, even “<code class="docutils literal notranslate"><span class="pre">debug</span></code>” messages, you might use the following
<code class="docutils literal notranslate"><span class="pre">logback.xml</span></code>:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><configuration></span>
<span class="w"> </span><span class="cm"><!-- Appender for debugging --></span>
<span class="w"> </span><span class="nt"><appender</span><span class="w"> </span><span class="na">name=</span><span class="s">"GUAC-DEBUG"</span><span class="w"> </span><span class="na">class=</span><span class="s">"ch.qos.logback.core.ConsoleAppender"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><encoder></span>
<span class="w"> </span><span class="nt"><pattern></span>%d{HH:mm:ss.SSS}<span class="w"> </span>[%thread]<span class="w"> </span>%-5level<span class="w"> </span>%logger{36}<span class="w"> </span>-<span class="w"> </span>%msg%n<span class="nt"></pattern></span>
<span class="w"> </span><span class="nt"></encoder></span>
<span class="w"> </span><span class="nt"></appender></span>
<span class="w"> </span><span class="cm"><!-- Log at DEBUG level --></span>
<span class="w"> </span><span class="nt"><root</span><span class="w"> </span><span class="na">level=</span><span class="s">"debug"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><appender-ref</span><span class="w"> </span><span class="na">ref=</span><span class="s">"GUAC-DEBUG"</span><span class="nt">/></span>
<span class="w"> </span><span class="nt"></root></span>
<span class="nt"></configuration></span>
</pre></div>
</div>
<p>Guacamole and the above example configure only one appender which logs to the
console, but Logback is extremely flexible and allows any number of appenders
which can each log to separate files, the console, etc. based on a number of
criteria, including the log level and the source of the message.</p>
<p>More thorough <a class="reference external" href="http://logback.qos.ch/manual/configuration.html">documentation on configuring
Logback</a> is provided on the
Logback project’s web site.</p>
</section>
<section id="using-the-default-authentication">
<span id="basic-auth"></span><h2>Using the default authentication<a class="headerlink" href="#using-the-default-authentication" title="Link to this heading"></a></h2>
<p>Guacamole’s default authentication module is simple and consists of a mapping
of usernames to configurations. This authentication module comes with Guacamole
and simply reads usernames and passwords from an XML file. It is always
enabled, but will only read from the XML file if it exists, and is always last
in priority relative to any other authentication extensions.</p>
<p>There are other authentication modules available. The Guacamole project
provides database-backed authentication modules with the ability to manage
connections and users from the web interface, and other authentication modules
can be created using the extension API provided along with the Guacamole web
application, guacamole-ext.</p>
<section id="user-mapping-xml">
<span id="user-mapping"></span><h3><code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code><a class="headerlink" href="#user-mapping-xml" title="Link to this heading"></a></h3>
<p>The default authentication provider used by Guacamole reads all username,
password, and configuration information from a file called the “user mapping”
located at <code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME/user-mapping.xml</span></code>. An example of a user mapping file
is included with Guacamole, and looks something like this:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><user-mapping></span>
<span class="w"> </span><span class="cm"><!-- Per-user authentication and config information --></span>
<span class="w"> </span><span class="nt"><authorize</span><span class="w"> </span><span class="na">username=</span><span class="s">"USERNAME"</span><span class="w"> </span><span class="na">password=</span><span class="s">"PASSWORD"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><protocol></span>vnc<span class="nt"></protocol></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"hostname"</span><span class="nt">></span>localhost<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"port"</span><span class="nt">></span>5900<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"password"</span><span class="nt">></span>VNCPASS<span class="nt"></param></span>
<span class="w"> </span><span class="nt"></authorize></span>
<span class="w"> </span><span class="cm"><!-- Another user, but using md5 to hash the password</span>
<span class="cm"> (example below uses the md5 hash of "PASSWORD") --></span>
<span class="w"> </span><span class="nt"><authorize</span>
<span class="w"> </span><span class="na">username=</span><span class="s">"USERNAME2"</span>
<span class="w"> </span><span class="na">password=</span><span class="s">"319f4d26e3c536b5dd871bb2c52e3178"</span>
<span class="w"> </span><span class="na">encoding=</span><span class="s">"md5"</span><span class="nt">></span>
<span class="w"> </span><span class="cm"><!-- First authorized connection --></span>
<span class="w"> </span><span class="nt"><connection</span><span class="w"> </span><span class="na">name=</span><span class="s">"localhost"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><protocol></span>vnc<span class="nt"></protocol></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"hostname"</span><span class="nt">></span>localhost<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"port"</span><span class="nt">></span>5901<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"password"</span><span class="nt">></span>VNCPASS<span class="nt"></param></span>
<span class="w"> </span><span class="nt"></connection></span>
<span class="w"> </span><span class="cm"><!-- Second authorized connection --></span>
<span class="w"> </span><span class="nt"><connection</span><span class="w"> </span><span class="na">name=</span><span class="s">"otherhost"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><protocol></span>vnc<span class="nt"></protocol></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"hostname"</span><span class="nt">></span>otherhost<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"port"</span><span class="nt">></span>5900<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"password"</span><span class="nt">></span>VNCPASS<span class="nt"></param></span>
<span class="w"> </span><span class="nt"></connection></span>
<span class="w"> </span><span class="nt"></authorize></span>
<span class="nt"></user-mapping></span>
</pre></div>
</div>
<p>Each user is specified with a corresponding <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> tag. This tag
contains all authorized connections for that user, each denoted with a
<code class="docutils literal notranslate"><span class="pre"><connection></span></code> tag. Each <code class="docutils literal notranslate"><span class="pre"><connection></span></code> tag contains a corresponding protocol
and set of protocol-specific parameters, specified with the <code class="docutils literal notranslate"><span class="pre"><protocol></span></code> and
<code class="docutils literal notranslate"><span class="pre"><param></span></code> tags respectively.</p>
<section id="adding-users">
<span id="user-setup"></span><h4>Adding users<a class="headerlink" href="#adding-users" title="Link to this heading"></a></h4>
<p>When using <code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code>, username/password pairs are specified with
<code class="docutils literal notranslate"><span class="pre"><authorize></span></code> tags, which each have a <code class="docutils literal notranslate"><span class="pre">username</span></code> and <code class="docutils literal notranslate"><span class="pre">password</span></code> attribute. Each
<code class="docutils literal notranslate"><span class="pre"><authorize></span></code> tag authorizes a specific username/password pair to access all
connections within the tag:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><authorize</span><span class="w"> </span><span class="na">username=</span><span class="s">"USER"</span><span class="w"> </span><span class="na">password=</span><span class="s">"PASS"</span><span class="nt">></span>
<span class="w"> </span>...
<span class="nt"></authorize></span>
</pre></div>
</div>
<p>In the example above, the password would be listed in plaintext. If you don’t
want to do this, you can also specify your password hashed with MD5:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><authorize</span><span class="w"> </span><span class="na">username=</span><span class="s">"USER"</span>
<span class="w"> </span><span class="na">password=</span><span class="s">"319f4d26e3c536b5dd871bb2c52e3178"</span>
<span class="w"> </span><span class="na">encoding=</span><span class="s">"md5"</span><span class="nt">></span>
<span class="w"> </span>...
<span class="nt"></authorize></span>
</pre></div>
</div>
<p>After modifying <code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code>, the file will be automatically reread by
Guacamole, and your changes will take effect immediately. The newly-added user
will be able to log in - no restart of the servlet container is needed.</p>
</section>
<section id="adding-connections-to-a-user">
<span id="connection-setup"></span><h4>Adding connections to a user<a class="headerlink" href="#adding-connections-to-a-user" title="Link to this heading"></a></h4>
<p>To specify a connection within an <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> tag, you can either list a
single protocol and set of parameters (specified with a <code class="docutils literal notranslate"><span class="pre"><protocol></span></code> tag and
any number of <code class="docutils literal notranslate"><span class="pre"><param></span></code> tags), in which case that user will have access to only
one connection named “DEFAULT”, or you can specify one or more connections with
one or more <code class="docutils literal notranslate"><span class="pre"><connection></span></code> tags, each of which can be named and contains a
<code class="docutils literal notranslate"><span class="pre"><protocol></span></code> tag and any number of <code class="docutils literal notranslate"><span class="pre"><param></span></code> tags.</p>
</section>
</section>
</section>
<section id="configuring-connections">
<span id="connection-configuration"></span><h2>Configuring connections<a class="headerlink" href="#configuring-connections" title="Link to this heading"></a></h2>
<p>Each protocol supported by Guacamole has its own set of configuration
parameters. These parameters typically describe the hostname and port of the
remote desktop server, the credentials to use when connecting, if any, and the
size and color depth of the display. If the protocol supports file transfer,
options for enabling that functionality will be provided as well.</p>
<section id="vnc">
<h3>VNC<a class="headerlink" href="#vnc" title="Link to this heading"></a></h3>
<p>The VNC protocol is the simplest and first protocol supported by Guacamole.
Although generally not as fast as RDP, many VNC servers are adequate, and VNC
over Guacamole tends to be faster than VNC by itself due to decreased bandwidth
usage.</p>
<p>VNC support for Guacamole is provided by the libguac-client-vnc library, which
will be installed as part of guacamole-server if the required dependencies are
present during the build.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In addition to the VNC-specific parameters below, Guacamole’s VNC support also
accepts the parameters of several features that Guacamole provides for multiple
protocols:</p>
<ul class="simple">
<li><p><a class="reference internal" href="#disable-clipboard"><span class="std std-ref">Disabling clipboard access</span></a></p></li>
<li><p><a class="reference internal" href="#common-sftp"><span class="std std-ref">File transfer via SFTP</span></a></p></li>
<li><p><a class="reference internal" href="#graphical-recording"><span class="std std-ref">Graphical session recording</span></a></p></li>
<li><p><a class="reference internal" href="#wake-on-lan"><span class="std std-ref">Wake-on-LAN</span></a></p></li>
</ul>
</div>
<section id="network-parameters">
<span id="vnc-network-parameters"></span><h4>Network parameters<a class="headerlink" href="#network-parameters" title="Link to this heading"></a></h4>
<p>With the exception of reverse-mode VNC connections, VNC works by making
outbound network connections to a particular host which runs one or more VNC
servers. Each VNC server is associated with a display number, from which the
appropriate port number is derived.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">hostname</span></code></dt><dd><p>The hostname or IP address of the VNC server Guacamole should connect to.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">port</span></code></dt><dd><p>The port the VNC server is listening on, usually 5900 or 5900 + display
number. For example, if your VNC server is serving display number 1
(sometimes written as <code class="docutils literal notranslate"><span class="pre">:1</span></code>), your port number here would be 5901.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">autoretry</span></code></dt><dd><p>The number of times to retry connecting before giving up and returning an
error. In the case of a reverse connection, this is the number of times
the connection process is allowed to time out.</p>
</dd>
</dl>
</section>
<section id="authentication">
<span id="vnc-authentication"></span><h4>Authentication<a class="headerlink" href="#authentication" title="Link to this heading"></a></h4>
<p>The VNC standard defines only password based authentication. Other
authentication mechanisms exist, but are non-standard or proprietary.
Guacamole currently supports both standard password-only based authentication,
as well as username and password authentication.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">username</span></code></dt><dd><p>The username to use when attempting authentication, if any. This parameter
is optional.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">password</span></code></dt><dd><p>The password to use when attempting authentication, if any. This parameter
is optional.</p>
</dd>
</dl>
</section>
<section id="display-settings">
<span id="vnc-display-settings"></span><h4>Display settings<a class="headerlink" href="#display-settings" title="Link to this heading"></a></h4>
<p>VNC servers do not allow the client to request particular display sizes, so you
are at the mercy of your VNC server with respect to display width and height.
However, to reduce bandwidth usage, you may request that the VNC server reduce
its color depth. Guacamole will automatically detect 256-color images, but this
can be guaranteed for absolutely all graphics sent over the connection by
forcing the color depth to 8-bit. Color depth is otherwise dictated by the VNC
server.</p>
<p>If you are noticing problems with your VNC display, such as the lack of a mouse
cursor, the presence of multiple mouse cursors, or strange colors (such as blue
colors appearing more like orange or red), these are typically the result of
bugs or limitations within the VNC server, and additional parameters are
available to work around such issues.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">color-depth</span></code></dt><dd><p>The color depth to request, in bits-per-pixel. This parameter is optional.
If specified, this must be either 8, 16, 24, or 32. Regardless of what
value is chosen here, if a particular update uses less than 256 colors,
Guacamole will always send that update as a 256-color PNG.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">swap-red-blue</span></code></dt><dd><p>If the colors of your display appear wrong (blues appear orange or red,
etc.), it may be that your VNC server is sending image data incorrectly,
and the red and blue components of each color are swapped. If this is the
case, set this parameter to “true” to work around the problem. This
parameter is optional.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">cursor</span></code></dt><dd><p>If set to “remote”, the mouse pointer will be rendered remotely, and the
local position of the mouse pointer will be indicated by a small dot. A
remote mouse cursor will feel slower than a local cursor, but may be
necessary if the VNC server does not support sending the cursor image to
the client.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">encodings</span></code></dt><dd><p>A space-delimited list of VNC encodings to use. The format of this
parameter is dictated by libvncclient and thus doesn’t really follow the
form of other Guacamole parameters. This parameter is optional, and
libguac-client-vnc will use any supported encoding by default.</p>
<p>Beware that this parameter is intended to be replaced with individual,
encoding-specific parameters in a future release.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">read-only</span></code></dt><dd><p>Whether this connection should be read-only. If set to “true”, no input
will be accepted on the connection at all. Users will only see the desktop
and whatever other users using that same desktop are doing. This parameter
is optional.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">force-lossless</span></code></dt><dd><p>Whether this connection should only use lossless compression for graphical
updates. If set to “true”, lossy compression will not be used. This
parameter is optional. By default, lossy compression will be used when
heuristics determine that it would likely outperform lossless compression.</p>
</dd>
</dl>
</section>
<section id="vnc-repeater">
<h4>VNC Repeater<a class="headerlink" href="#vnc-repeater" title="Link to this heading"></a></h4>
<p>There exist VNC repeaters, such as UltraVNC Repeater, which act as
intermediaries or proxies, providing a single logical VNC connection which is
then routed to another VNC server elsewhere. Additional parameters are required
to select which VNC host behind the repeater will receive the connection.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">dest-host</span></code></dt><dd><p>The destination host to request when connecting to a VNC proxy such as
UltraVNC Repeater. This is only necessary if the VNC proxy in use requires
the connecting user to specify which VNC server to connect to. If the VNC
proxy automatically connects to a specific server, this parameter is not
necessary.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">dest-port</span></code></dt><dd><p>The destination port to request when connecting to a VNC proxy such as
UltraVNC Repeater. This is only necessary if the VNC proxy in use requires
the connecting user to specify which VNC server to connect to. If the VNC
proxy automatically connects to a specific server, this parameter is not
necessary.</p>
</dd>
</dl>
</section>
<section id="reverse-vnc-connections">
<span id="vnc-reverse-connections"></span><h4>Reverse VNC connections<a class="headerlink" href="#reverse-vnc-connections" title="Link to this heading"></a></h4>
<p>Guacamole supports “reverse” VNC connections, where the VNC client listens for
an incoming connection from the VNC server. When reverse VNC connections are
used, the VNC client and server switch network roles, but otherwise function as
they normally would. The VNC server still provides the remote display, and the
VNC client still provides all keyboard and mouse input.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">reverse-connect</span></code></dt><dd><p>Whether reverse connection should be used. If set to “true”, instead of
connecting to a server at a given hostname and port, guacd will listen on
the given port for inbound connections from a VNC server.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">listen-timeout</span></code></dt><dd><p>If reverse connection is in use, the maximum amount of time to wait for an
inbound connection from a VNC server, in milliseconds. If blank, the
default value is 5000 (five seconds).</p>
</dd>
</dl>
</section>
<section id="audio-support-via-pulseaudio">
<span id="vnc-audio"></span><h4>Audio support (via PulseAudio)<a class="headerlink" href="#audio-support-via-pulseaudio" title="Link to this heading"></a></h4>
<p>VNC does not provide its own support for audio, but Guacamole’s VNC support can
obtain audio through a secondary network connection to a PulseAudio server
running on the same machine as the VNC server.</p>
<p>Most Linux systems provide audio through a service called PulseAudio. This
service is capable of communicating over the network, and if PulseAudio is
configured to allow TCP connections, Guacamole can connect to your PulseAudio
server and combine its audio with the graphics coming over VNC.</p>
<p>Configuring PulseAudio for network connections requires an additional line
within the PulseAudio configuration file, usually <code class="docutils literal notranslate"><span class="pre">/etc/pulse/default.pa</span></code>:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>load-module module-native-protocol-tcp auth-ip-acl=192.168.1.0/24 auth-anonymous=1
</pre></div>
</div>
<p>This loads the TCP module for PulseAudio, configuring it to accept connections
without authentication and <em>only</em> from the <code class="docutils literal notranslate"><span class="pre">192.168.1.0/24</span></code> subnet. You will
want to replace this value with the subnet or IP address from which guacd will
be connecting. It is possible to allow connections from absolutely anywhere,
but beware that you should only do so if the nature of your network prevents
unauthorized access:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>load-module module-native-protocol-tcp auth-anonymous=1
</pre></div>
</div>
<p>In either case, the <code class="docutils literal notranslate"><span class="pre">auth-anonymous=1</span></code> parameter is strictly required.
Guacamole does not currently support the cookie-based authentication used by
PulseAudio for non-anonymous connections. If this parameter is omitted,
Guacamole will not be able to connect to PulseAudio.</p>
<p>Once the PulseAudio configuration file has been modified appropriately, restart
the PulseAudio service. PulseAudio should then begin listening on port 4713
(the default PulseAudio port) for incoming TCP connections. You can verify this
using a utility like <strong class="command">netstat</strong>:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="gp">$ </span>netstat<span class="w"> </span>-ln<span class="w"> </span><span class="p">|</span><span class="w"> </span>grep<span class="w"> </span><span class="m">4713</span>
<span class="go">tcp 0 0 0.0.0.0:4713 0.0.0.0:* LISTEN</span>
<span class="go">tcp6 0 0 :::4713 :::* LISTEN</span>
<span class="gp">$</span>
</pre></div>
</div>
<p>The following parameters are available for configuring the audio support for
VNC:</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">enable-audio</span></code></dt><dd><p>If set to “true”, audio support will be enabled, and a second connection
for PulseAudio will be made in addition to the VNC connection. By default,
audio support within VNC is disabled.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">audio-servername</span></code></dt><dd><p>The name of the PulseAudio server to connect to. This will be the hostname
of the computer providing audio for your connection via PulseAudio, most
likely the same as the value given for the <code class="docutils literal notranslate"><span class="pre">hostname</span></code> parameter.</p>
<p>If this parameter is omitted, the default PulseAudio device will be used,
which will be the PulseAudio server running on the same machine as guacd.</p>
</dd>
</dl>
</section>
<section id="clipboard-encoding">
<span id="vnc-clipboard-encoding"></span><h4>Clipboard encoding<a class="headerlink" href="#clipboard-encoding" title="Link to this heading"></a></h4>
<p>While Guacamole will always use UTF-8 for its own clipboard data, the VNC
standard requires that clipboard data be encoded in ISO 8859-1. As most VNC
servers will not accept data in any other format, Guacamole will translate
between UTF-8 and ISO 8859-1 when exchanging clipboard data with the VNC
server, but this behavior can be overridden with the <code class="docutils literal notranslate"><span class="pre">clipboard-encoding</span></code>
parameter.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p><em>The only clipboard encoding guaranteed to be supported by VNC servers is ISO
8859-1.</em> You should only override the clipboard encoding using the
<code class="docutils literal notranslate"><span class="pre">clipboard-encoding</span></code> parameter of you are absolutely positive your VNC server
supports other encodings.</p>
</div>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">clipboard-encoding</span></code></dt><dd><p>The encoding to assume for the VNC clipboard. This parameter is optional.
By default, the standard encoding ISO 8859-1 will be used. <em>Only use this
parameter if you are sure your VNC server supports other encodings beyond
the standard ISO 8859-1.</em></p>
<p>Possible values are:</p>
<dl class="simple myst">
<dt>ISO8859-1</dt><dd><p>ISO 8859-1 is the clipboard encoding mandated by the VNC standard, and
supports only basic Latin characters. Unless your VNC server specifies
otherwise, this encoding is the only encoding guaranteed to work.</p>
</dd>
<dt>UTF-8</dt><dd><p>UTF-8 - the most common encoding used for Unicode. Using this encoding
for the VNC clipboard violates the VNC specification, but some servers
do support this. This parameter value should only be used if you know
your VNC server supports this encoding.</p>
</dd>
<dt>UTF-16</dt><dd><p>UTF-16 - a 16-bit encoding for Unicode which is not as common as UTF-8,
but still widely used. Using this encoding for the VNC clipboard
violates the VNC specification. This parameter value should only be used
if you know your VNC server supports this encoding.</p>
</dd>
<dt>CP1252</dt><dd><p>Code page 1252 - a Windows-specific encoding for Latin characters which
is mostly a superset of ISO 8859-1, mapping some additional displayable
characters onto what would otherwise be control characters. Using this
encoding for the VNC clipboard violates the VNC specification. This
parameter value should only be used if you know your VNC server supports
this encoding.</p>
</dd>
</dl>
</dd>
</dl>
</section>
<section id="adding-a-vnc-connection">
<span id="adding-vnc"></span><h4>Adding a VNC connection<a class="headerlink" href="#adding-a-vnc-connection" title="Link to this heading"></a></h4>
<p>If you are using the default authentication built into Guacamole, and you wish
to grant access to a VNC connection to a particular user, you need to locate
the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section for that user within your <code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code>, and add
a section like the following within it:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><connection</span><span class="w"> </span><span class="na">name=</span><span class="s">"Unique Name"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><protocol></span>vnc<span class="nt"></protocol></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"hostname"</span><span class="nt">></span>localhost<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"port"</span><span class="nt">></span>5901<span class="nt"></param></span>
<span class="nt"></connection></span>
</pre></div>
</div>
<p>If added exactly as above, a new connection named “<code class="docutils literal notranslate"><span class="pre">Unique</span> <span class="pre">Name</span></code>” will be
available to the user associated with the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section containing it.
The connection will use VNC to connect to localhost at port 5901. Naturally,
you will want to change some or all of these values.</p>
<p>If your VNC server requires a password, or you wish to specify other
configuration parameters (to reduce the color depth, for example), you will
need to add additional <code class="docutils literal notranslate"><span class="pre"><param></span></code> tags accordingly.</p>
<p>Other authentication methods will provide documentation describing how to
configure new connections. If the authentication method in use fully implements
the features of Guacamole’s authentication API, you will be able to add a new
VNC connection easily and intuitively using the administration interface built
into Guacamole. You will not need to edit configuration files.</p>
</section>
<section id="which-vnc-server">
<span id="vnc-servers"></span><h4>Which VNC server?<a class="headerlink" href="#which-vnc-server" title="Link to this heading"></a></h4>
<p>The choice of VNC server can make a big difference when it comes to
performance, especially over slower networks. While many systems provide VNC
access by default, using this is often not the fastest method.</p>
<section id="realvnc-or-tigervnc">
<span id="realvnc"></span><h5>RealVNC or TigerVNC<a class="headerlink" href="#realvnc-or-tigervnc" title="Link to this heading"></a></h5>
<p>RealVNC, and its derivative TigerVNC, perform quite well. In our testing, they
perform the best with Guacamole. If you are okay with having a desktop that can
only be accessed via VNC, one of these is likely your best choice. Both
optimize window movement and (depending on the application) scrolling, giving a
very responsive user experience.</p>
</section>
<section id="tightvnc">
<h5>TightVNC<a class="headerlink" href="#tightvnc" title="Link to this heading"></a></h5>
<p>TightVNC is widely-available and performs generally as well as RealVNC or
TigerVNC. If you wish to use TightVNC with Guacamole, performance should be
just fine, but we highly recommend disabling its JPEG encoding. This is because
images transmitted to Guacamole are always encoded losslessly as PNG images.
When this operation is performed on a JPEG image, the artifacts present from
JPEG’s lossy compression reduce the compressibility of the image for PNG, thus
leading to a slower experience overall than if JPEG was simply not used to
begin with.</p>
</section>
<section id="x11vnc">
<h5>x11vnc<a class="headerlink" href="#x11vnc" title="Link to this heading"></a></h5>
<p>The main benefit of using x11vnc is that it allows you to continue using your
desktop normally, while simultaneously exposing control of your desktop via
VNC. Performance of x11vnc is comparable to RealVNC, TigerVNC, and TightVNC. If
you need to use your desktop locally as well as via VNC, you will likely be
quite happy with x11vnc.</p>
</section>
<section id="vino">
<h5>vino<a class="headerlink" href="#vino" title="Link to this heading"></a></h5>
<p>vino is the VNC server that comes with the Gnome desktop environment, and is
enabled if you enable “desktop sharing” via the system preferences available
within Gnome. If you need to share your local desktop, we recommend using
x11vnc rather vino, as it has proven more performant and feature-complete in
our testing. If you don’t need to share a local desktop but simply need an
environment you can access remotely, using a VNC server like RealVNC, TigerVNC,
or TightVNC is a better choice.</p>
</section>
<section id="qemu-or-kvm">
<span id="qemu"></span><h5>QEMU or KVM<a class="headerlink" href="#qemu-or-kvm" title="Link to this heading"></a></h5>
<p>QEMU (and thus KVM) expose the displays of virtual machines using VNC. If you
need to see the virtual monitor of your virtual machine, using this VNC
connection is really your only choice. As the VNC server built into QEMU cannot
be aware of higher-level operations like window movement, resizing, or
scrolling, those operations will tend to be sent suboptimally, and will not be
as fast as a VNC server running within the virtual machine.</p>
<p>If you wish to use a virtual machine for desktop access, we recommend
installing a native VNC server inside the virtual machine after the virtual
machine is set up. This will give a more responsive desktop.</p>
</section>
</section>
</section>
<section id="rdp">
<h3>RDP<a class="headerlink" href="#rdp" title="Link to this heading"></a></h3>
<p>The RDP protocol is more complicated than VNC and was the second protocol
officially supported by Guacamole. RDP tends to be faster than VNC due to the
use of caching, which Guacamole does take advantage of.</p>
<p>RDP support for Guacamole is provided by the libguac-client-rdp library, which
will be installed as part of guacamole-server if the required dependencies are
present during the build.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In addition to the RDP-specific parameters below, Guacamole’s RDP support also
accepts the parameters of several features that Guacamole provides for multiple
protocols:</p>
<ul class="simple">
<li><p><a class="reference internal" href="#disable-clipboard"><span class="std std-ref">Disabling clipboard access</span></a></p></li>
<li><p><a class="reference internal" href="#common-sftp"><span class="std std-ref">File transfer via SFTP</span></a></p></li>
<li><p><a class="reference internal" href="#graphical-recording"><span class="std std-ref">Graphical session recording</span></a></p></li>
<li><p><a class="reference internal" href="#wake-on-lan"><span class="std std-ref">Wake-on-LAN</span></a></p></li>
</ul>
</div>
<section id="rdp-network-parameters">
<span id="id2"></span><h4>Network parameters<a class="headerlink" href="#rdp-network-parameters" title="Link to this heading"></a></h4>
<p>RDP connections require a hostname or IP address defining the
destination machine. The RDP port is defined to be 3389, and will be
this value in most cases. You only need to specify the RDP port if you
are not using port 3389.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">hostname</span></code></dt><dd><p>The hostname or IP address of the RDP server Guacamole should connect to.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">port</span></code></dt><dd><p>The port the RDP server is listening on. This parameter is optional. If
this is not specified, the standard port for RDP (3389) or Hyper-V’s
default port for VMConnect (2179) will be used, depending on the security
mode selected.</p>
</dd>
</dl>
</section>
<section id="authentication-and-security">
<span id="rdp-authentication"></span><h4>Authentication and security<a class="headerlink" href="#authentication-and-security" title="Link to this heading"></a></h4>
<p>RDP provides authentication through the use of a username, password, and
optional domain. All RDP connections are encrypted.</p>
<p>Most RDP servers will provide a graphical login if the username, password, and
domain parameters are omitted. One notable exception to this is Network Level
Authentication, or NLA, which performs all authentication outside of a desktop
session, and thus in the absence of a graphical interface.</p>
<p>Servers that require NLA can be handled by Guacamole in one of two ways. The
first is to provide the username and password within the connection
configuration, either via static values or by passing through the Guacamole
credentials with <a class="reference internal" href="#parameter-tokens"><span class="std std-ref">parameter tokens</span></a> and <a class="reference internal" href="ldap-auth.html"><span class="doc std std-doc">LDAP authentication</span></a>.
Alternatively, if credentials are not configured within the connection
configuration, Guacamole will attempt to prompt the user for the credentials
interactively, if the versions of both guacd and Guacamole Client in use
support it. If either component does not support prompting and the credentials
are not configured, NLA-based connections will fail.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">username</span></code></dt><dd><p>The username to use to authenticate, if any. This parameter is optional.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">password</span></code></dt><dd><p>The password to use when attempting authentication, if any. This parameter
is optional.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">domain</span></code></dt><dd><p>The domain to use when attempting authentication, if any. This parameter
is optional.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">security</span></code></dt><dd><p>The security mode to use for the RDP connection. This mode dictates how
data will be encrypted and what type of authentication will be performed,
if any. By default, a security mode is selected based on a negotiation
process which determines what both the client and the server support.</p>
<p>Possible values are:</p>
<dl class="simple myst">
<dt>any</dt><dd><p>Automatically select the security mode based on the security protocols
supported by both the client and the server. <em>This is the default</em>.</p>
</dd>
<dt>nla</dt><dd><p>Network Level Authentication, sometimes also referred to as “hybrid” or
CredSSP (the protocol that drives NLA). This mode uses TLS encryption
and requires the username and password to be given in advance. Unlike
RDP mode, the authentication step is performed before the remote desktop
session actually starts, avoiding the need for the Windows server to
allocate significant resources for users that may not be authorized.</p>
<p>If the versions of guacd and Guacamole Client in use support prompting
and the username, password, and domain are not specified, the user will
be interactively prompted to enter credentials to complete NLA and
continue the connection. Otherwise, when prompting is not supported and
credentials are not provided, NLA connections will fail.</p>
</dd>
<dt>nla-ext</dt><dd><p>Extended Network Level Authentication. This mode is identical to NLA
except that an additional “<a class="reference external" href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/d0e560a3-25cb-4563-8bdc-6c4cc625bbfc">Early User Authorization
Result</a>”
is required to be sent from the server to the client immediately after the
NLA handshake is completed.</p>
</dd>
<dt>tls</dt><dd><p>RDP authentication and encryption implemented via TLS (Transport Layer
Security). Also referred to as RDSTLS, the TLS security mode is
primarily used in load balanced configurations where the initial RDP
server may redirect the connection to a different RDP server.</p>
</dd>
<dt>vmconnect</dt><dd><p>Automatically select the security mode based on the security protocols
supported by both the client and the server, limiting that negotiation
to only the protocols known to be supported by <a class="reference internal" href="#rdp-preconnection-pdu"><span class="std std-ref">Hyper-V /
VMConnect</span></a>.</p>
</dd>
<dt>rdp</dt><dd><p>Legacy RDP encryption. This mode is generally only used for older
Windows servers or in cases where a standard Windows login screen is
desired. Newer versions of Windows have this mode disabled by default
and will only accept NLA unless explicitly configured otherwise.</p>
</dd>
</dl>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">ignore-cert</span></code></dt><dd><p>If set to “true”, the certificate returned by the server will be ignored,
even if that certificate cannot be validated. This is useful if you
universally trust the server and your connection to the server, and you
know that the server’s certificate cannot be validated (for example, if it
is self-signed).</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">disable-auth</span></code></dt><dd><p>If set to “true”, authentication will be disabled. Note that this refers
to authentication that takes place while connecting. Any authentication
enforced by the server over the remote desktop session (such as a login
dialog) will still take place. By default, authentication is enabled and
only used when requested by the server.</p>
<p>If you are using NLA, authentication must be enabled by definition.</p>
</dd>
</dl>
</section>
<section id="clipboard-normalization">
<span id="rdp-clipboard-normalization"></span><h4>Clipboard normalization<a class="headerlink" href="#clipboard-normalization" title="Link to this heading"></a></h4>
<p>Windows uses a different sequence of characters at the end of each line
compared to other operating systems. As RDP preserves the format of line
endings within the clipboard, this can cause trouble when using a non-Windows
machine to access Windows or vice versa.</p>
<p>If clipboard normalization is used, Guacamole will automatically translate the
line endings within clipboard data to compensate for the expectations of the
remote system.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">normalize-clipboard</span></code></dt><dd><p>The type of line ending normalization to apply to text within the clipboard,
if any. By default, line ending normalization is not applied.</p>
<p>Possible values are:</p>
<dl class="simple myst">
<dt>preserve</dt><dd><p>Preserve all line endings within the clipboard exactly as they are,
performing no normalization whatsoever. This is the default.</p>
</dd>
<dt>unix</dt><dd><p>Automatically transform all line endings within the clipboard to Unix-style
line endings (LF). This format of line ending is the format used by both
Linux and Mac.</p>
</dd>
<dt>windows</dt><dd><p>Automatically transform all line endings within the clipboard to
Windows-style line endings (CRLF).</p>
</dd>
</dl>
</dd>
</dl>
</section>
<section id="session-settings">
<span id="rdp-session-settings"></span><h4>Session settings<a class="headerlink" href="#session-settings" title="Link to this heading"></a></h4>
<p>RDP sessions will typically involve the full desktop environment of a normal
user. Alternatively, you can manually specify a program to use instead of the
RDP server’s default shell, or connect to the administrative console.</p>
<p>Although Guacamole is independent of keyboard layout, RDP is not. This is
because Guacamole represents keys based on what they <em>do</em> (“press the Enter
key”), while RDP uses identifiers based on the key’s location (“press the
rightmost key in the second row”). To translate between a Guacamole key event
and an RDP key event, Guacamole must know ahead of time the keyboard layout of
the RDP server.</p>
<p>By default, the US English qwerty keyboard will be used. If this does not match
the keyboard layout of your RDP server, keys will not be properly translated,
and you will need to explicitly choose a different layout in your connection
settings. If your keyboard layout is not supported, please notify the Guacamole
team by <a class="reference external" href="https://issues.apache.org/jira/browse/GUACAMOLE">opening an issue in
JIRA</a>.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">client-name</span></code></dt><dd><p>When connecting to the RDP server, Guacamole will normally provide its own
hostname as the name of the client. If this parameter is specified,
Guacamole will use its value instead.</p>
<p>On Windows RDP servers, this value is exposed within the session as the
<code class="docutils literal notranslate"><span class="pre">CLIENTNAME</span></code> environment variable.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">console</span></code></dt><dd><p>If set to “true”, you will be connected to the console (admin) session of
the RDP server.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">initial-program</span></code></dt><dd><p>The full path to the program to run immediately upon connecting. This
parameter is optional.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">server-layout</span></code></dt><dd><p>The server-side keyboard layout. This is the layout of the RDP server and
has nothing to do with the keyboard layout in use on the client. <em>The
Guacamole client is independent of keyboard layout.</em> The RDP protocol,
however, is <em>not</em> independent of keyboard layout, and Guacamole needs to
know the keyboard layout of the server in order to send the proper keys
when a user is typing.</p>
<p>Possible values are generally in the format
<code class="samp docutils literal notranslate"><em><span class="pre">LANGUAGE</span></em><span class="pre">-</span><em><span class="pre">REGION</span></em><span class="pre">-</span><em><span class="pre">VARIANT</span></em></code>, where <code class="docutils literal notranslate"><span class="pre">LANGUAGE</span></code> is the standard
two-letter language code for the primary language associated with the
layout, <code class="docutils literal notranslate"><span class="pre">REGION</span></code> is a standard representation of the location that the
keyboard is used (the two-letter country code, when possible), and
<code class="docutils literal notranslate"><span class="pre">VARIANT</span></code> is the specific keyboard layout variant (such as “qwerty”,
“qwertz”, or “azerty”):</p>
<table class="docutils align-default">
<thead>
<tr class="row-odd"><th class="head"><p>Keyboard layout</p></th>
<th class="head"><p>Parameter value</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>Brazilian (Portuguese)</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">pt-br-qwerty</span></code></p></td>
</tr>
<tr class="row-odd"><td><p>English (UK)</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">en-gb-qwerty</span></code></p></td>
</tr>
<tr class="row-even"><td><p>English (US)</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">en-us-qwerty</span></code></p></td>
</tr>
<tr class="row-odd"><td><p>French</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">fr-fr-azerty</span></code></p></td>
</tr>
<tr class="row-even"><td><p>French (Belgian)</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">fr-be-azerty</span></code></p></td>
</tr>
<tr class="row-odd"><td><p>French (Swiss)</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">fr-ch-qwertz</span></code></p></td>
</tr>
<tr class="row-even"><td><p>German</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">de-de-qwertz</span></code></p></td>
</tr>
<tr class="row-odd"><td><p>German (Swiss)</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">de-ch-qwertz</span></code></p></td>
</tr>
<tr class="row-even"><td><p>Hungarian</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">hu-hu-qwertz</span></code></p></td>
</tr>
<tr class="row-odd"><td><p>Italian</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">it-it-qwerty</span></code></p></td>
</tr>
<tr class="row-even"><td><p>Japanese</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">ja-jp-qwerty</span></code></p></td>
</tr>
<tr class="row-odd"><td><p>Norwegian</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">no-no-qwerty</span></code></p></td>
</tr>
<tr class="row-even"><td><p>Spanish</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">es-es-qwerty</span></code></p></td>
</tr>
<tr class="row-odd"><td><p>Spanish (Latin American)</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">es-latam-qwerty</span></code></p></td>
</tr>
<tr class="row-even"><td><p>Swedish</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">sv-se-qwerty</span></code></p></td>
</tr>
<tr class="row-odd"><td><p>Turkish-Q</p></td>
<td><p><code class="docutils literal notranslate"><span class="pre">tr-tr-qwerty</span></code></p></td>
</tr>
</tbody>
</table>
<p>If you server’s keyboard layout is not yet supported, and it is not possible
to set your server to use a supported layout, the <code class="docutils literal notranslate"><span class="pre">failsafe</span></code> layout may be used
to force Unicode events to be used for all input, however beware that doing so
may prevent keyboard shortcuts from working as expected.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">timezone</span></code></dt><dd><p>The timezone that the client should send to the server for configuring the
local time display of that server. The format of the timezone is in the
standard IANA key zone format, which is the format used in UNIX/Linux.
This will be converted by RDP into the correct format for Windows.</p>
<p>The timezone is detected and will be passed to the server during the
handshake phase of the connection, and may used by protocols, like RDP,
that support it. This parameter can be used to override the value detected
and passed during the handshake, or can be used in situations where guacd
does not support passing the timezone parameter during the handshake phase
(guacd versions prior to 1.3.0).</p>
<p>Support for forwarding the client timezone varies by RDP server
implementation. For example, with Windows, support for forwarding
timezones is only present in Windows Server with Remote Desktop Services
(RDS, formerly known as Terminal Services) installed. Windows Server
installations in admin mode, along with Windows workstation versions, do
not allow the timezone to be forwarded. Other server implementations, for
example, xrdp, may not implement this feature at all. Consult the
documentation for the RDP server to determine whether or not this feature
is supported.</p>
</dd>
</dl>
</section>
<section id="rdp-display-settings">
<span id="id3"></span><h4>Display settings<a class="headerlink" href="#rdp-display-settings" title="Link to this heading"></a></h4>
<p>Guacamole will automatically choose an appropriate display size for RDP
connections based on the size of the browser window and the DPI of the device.
The size of the display can be forced by specifying explicit width or height
values.</p>
<p>To reduce bandwidth usage, you may also request that the server reduce its
color depth. Guacamole will automatically detect 256-color images, but this can
be guaranteed for absolutely all graphics sent over the connection by forcing
the color depth to 8-bit. Color depth is otherwise dictated by the RDP server.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">color-depth</span></code></dt><dd><p>The color depth to request, in bits-per-pixel. This parameter is optional.
If specified, this must be either 8, 16, or 24. Regardless of what value
is chosen here, if a particular update uses less than 256 colors,
Guacamole will always send that update as a 256-color PNG.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">width</span></code></dt><dd><p>The width of the display to request, in pixels. This parameter is
optional. If this value is not specified, the width of the connecting
client display will be used instead.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">height</span></code></dt><dd><p>The height of the display to request, in pixels. This parameter is
optional. If this value is not specified, the height of the connecting
client display will be used instead.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">dpi</span></code></dt><dd><p>The desired effective resolution of the client display, in DPI. This
parameter is optional. If this value is not specified, the resolution and
size of the client display will be used together to determine,
heuristically, an appropriate resolution for the RDP session.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">resize-method</span></code></dt><dd><p>The method to use to update the RDP server when the width or height of the
client display changes. This parameter is optional. If this value is not
specified, no action will be taken when the client display changes size.</p>
<p>Normally, the display size of an RDP session is constant and can only be
changed when initially connecting. As of RDP 8.1, the “Display Update”
channel can be used to request that the server change the display size.
For older RDP servers, the only option is to disconnect and reconnect with
the new size.</p>
<p>Possible values are:</p>
<dl class="simple myst">
<dt>display-update</dt><dd><p>Uses the “Display Update” channel added with RDP 8.1 to signal the
server when the client display size has changed.</p>
</dd>
<dt>reconnect</dt><dd><p>Automatically disconnects the RDP session when the client display size
has changed, and reconnects with the new size.</p>
</dd>
</dl>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">force-lossless</span></code></dt><dd><p>Whether this connection should only use lossless compression for graphical
updates. If set to “true”, lossy compression will not be used. This
parameter is optional. By default, lossy compression will be used when
heuristics determine that it would likely outperform lossless compression.</p>
</dd>
</dl>
</section>
<section id="device-redirection">
<span id="rdp-device-redirection"></span><h4>Device redirection<a class="headerlink" href="#device-redirection" title="Link to this heading"></a></h4>
<p>Device redirection refers to the use of non-display devices over RDP.
Guacamole’s RDP support currently allows redirection of audio, printing, and
disk access, some of which require additional configuration in order to
function properly.</p>
<p>Audio redirection will be enabled by default. If Guacamole was correctly
installed, and audio redirection is supported by your RDP server, sound should
play within remote connections without manual intervention.</p>
<p>Printing requires GhostScript to be installed on the Guacamole server, and
allows users to print arbitrary documents directly to PDF. When documents are
printed to the redirected printer, the user will receive a PDF of that document
within their web browser.</p>
<p>Guacamole provides support for file transfer over RDP by emulating a virtual
disk drive. This drive will persist on the Guacamole server, confined within
the drive path specified. If drive redirection is enabled on a Guacamole RDP
connection, users will be able to upload and download files as described in
<a class="reference internal" href="using-guacamole.html"><span class="doc std std-doc">Using Guacamole</span></a>.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">disable-audio</span></code></dt><dd><p>Audio is enabled by default in both the client and in libguac-client-rdp.
If you are concerned about bandwidth usage, or sound is causing problems,
you can explicitly disable sound by setting this parameter to “true”.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-audio-input</span></code></dt><dd><p>If set to “true”, audio input support (microphone) will be enabled,
leveraging the standard “<code class="docutils literal notranslate"><span class="pre">AUDIO_INPUT</span></code>” channel of RDP. By default, audio
input support within RDP is disabled.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-touch</span></code></dt><dd><p>If set to “true”, support for multi-touch events will be enabled, leveraging
the standard “<code class="docutils literal notranslate"><span class="pre">RDPEI</span></code>” channel of RDP. By default, direct RDP support for
multi-touch events is disabled.</p>
<p>Enabling support for multi-touch allows touch interaction with applications
inside the RDP session, however the touch gestures available will depend on
the level of touch support of those applications and the OS.</p>
<p>If multi-touch support is not enabled, pointer-type interaction with
applications inside the RDP session will be limited to mouse or emulated
mouse events.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-printing</span></code></dt><dd><p>Printing is disabled by default, but with printing enabled, RDP users can
print to a virtual printer that sends a PDF containing the document
printed to the Guacamole client. Enable printing by setting this parameter
to “true”.</p>
<p><em>Printing support requires GhostScript to be installed.</em> If guacd cannot
find the <code class="docutils literal notranslate"><span class="pre">gs</span></code> executable when printing, the print attempt will fail.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">printer-name</span></code></dt><dd><p>The name of the redirected printer device that is passed through to the
RDP session. This is the name that the user will see in, for example, the
Devices and Printers control panel.</p>
<p>If printer redirection is not enabled, this option has no effect.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-drive</span></code></dt><dd><p>File transfer is disabled by default, but with file transfer enabled, RDP
users can transfer files to and from a virtual drive which persists on the
Guacamole server. Enable file transfer support by setting this parameter
to “true”.</p>
<p>Files will be stored in the directory specified by the “<code class="docutils literal notranslate"><span class="pre">drive-path</span></code>”
parameter, which is required if file transfer is enabled.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">disable-download</span></code></dt><dd><p>If set to true downloads from the remote server to client (browser) will
be disabled. This includes both downloads done via the hidden Guacamole
menu, as well as using the special “Download” folder presented to the
remote server. The default is false, which means that downloads will be
allowed.</p>
<p>If file transfer is not enabled, this parameter is ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">disable-upload</span></code></dt><dd><p>If set to true, uploads from the client (browser) to the remote server
location will be disabled. The default is false, which means uploads will
be allowed if file transfer is enabled.</p>
<p>If file transfer is not enabled, this parameter is ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">drive-name</span></code></dt><dd><p>The name of the filesystem used when passed through to the RDP session.
This is the name that users will see in their Computer/My Computer area
along with client name (for example, “Guacamole on Guacamole RDP”), and is
also the name of the share when accessing the special <code class="docutils literal notranslate"><span class="pre">\\tsclient</span></code> network
location.</p>
<p>If file transfer is not enabled, this parameter is ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">drive-path</span></code></dt><dd><p>The directory on the Guacamole server in which transferred files should be
stored. This directory must be accessible by guacd and both readable and
writable by the user that runs guacd. <em>This parameter does not refer to a
directory on the RDP server.</em></p>
<p>If file transfer is not enabled, this parameter is ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">create-drive-path</span></code></dt><dd><p>If set to “true”, and file transfer is enabled, the directory specified by
the <code class="docutils literal notranslate"><span class="pre">drive-path</span></code> parameter will automatically be created if it does not
yet exist. Only the final directory in the path will be created - if other
directories earlier in the path do not exist, automatic creation will
fail, and an error will be logged.</p>
<p>By default, the directory specified by the <code class="docutils literal notranslate"><span class="pre">drive-path</span></code> parameter will not
automatically be created, and attempts to transfer files to a non-existent
directory will be logged as errors.</p>
<p>If file transfer is not enabled, this parameter is ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">console-audio</span></code></dt><dd><p>If set to “true”, audio will be explicitly enabled in the console (admin)
session of the RDP server. Setting this option to “true” only makes sense
if the <code class="docutils literal notranslate"><span class="pre">console</span></code> parameter is also set to “true”.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">static-channels</span></code></dt><dd><p>A comma-separated list of static channel names to open and expose as
pipes. If you wish to communicate between an application running on the
remote desktop and JavaScript, this is the best way to do it. Guacamole
will open an outbound pipe with the name of the static channel. If
JavaScript needs to communicate back in the other direction, it should
respond by opening another pipe with the same name.</p>
<p>Guacamole allows any number of static channels to be opened, but protocol
restrictions of RDP limit the size of each channel name to 7 characters.</p>
</dd>
</dl>
</section>
<section id="preconnection-pdu-hyper-v-vmconnect">
<span id="rdp-preconnection-pdu"></span><h4>Preconnection PDU (Hyper-V / VMConnect)<a class="headerlink" href="#preconnection-pdu-hyper-v-vmconnect" title="Link to this heading"></a></h4>
<p>Some RDP servers host multiple logical RDP connections behind a single server
listening on a single TCP port. To select between these logical connections, an
RDP client must send the “preconnection PDU” - a message which contains values
that uniquely identify the destination, referred to as the “RDP source”. This
mechanism is defined by the <a class="reference external" href="https://msdn.microsoft.com/en-us/library/cc242359.aspx">“Session Selection
Extension</a> for the RDP
protocol, and is implemented by Microsoft’s Hyper-V hypervisor.</p>
<p>If you are using Hyper-V, you will need to specify the ID of the destination
virtual machine within the <code class="docutils literal notranslate"><span class="pre">preconnection-blob</span></code> parameter. This value can be
determined using PowerShell:</p>
<div class="highlight-ps1con notranslate"><div class="highlight"><pre><span></span><span class="gp">PS C:\> </span><span class="nb">Get-VM</span> <span class="n">VirtualMachineName</span> <span class="p">|</span> <span class="nb">Select-Object</span> <span class="n">Id</span>
<span class="go">Id</span>
<span class="go">--</span>
<span class="go">ed272546-87bd-4db9-acba-e36e1a9ca20a</span>
<span class="gp">PS C:\></span>
</pre></div>
</div>
<p>The preconnection PDU is intentionally generic. While its primary use is as a
means for selecting virtual machines behind Hyper-V, other RDP servers may use
it as well. It is up to the RDP server itself to determine whether the
preconnection ID, BLOB, or both will be used, and what their values mean.</p>
<p><em>If you do intend to use Hyper-V, beware that its built-in RDP server requires
different parameters for authentication and Guacamole’s defaults will not
work.</em> In most cases, you will need to do the following when connecting to
Hyper-V:</p>
<ol class="arabic simple">
<li><p>Specify both “<code class="docutils literal notranslate"><span class="pre">username</span></code>” and “<code class="docutils literal notranslate"><span class="pre">password</span></code>” appropriately, and set
“<code class="docutils literal notranslate"><span class="pre">security</span></code>” to “<code class="docutils literal notranslate"><span class="pre">vmconnect</span></code>”. Selecting the “<code class="docutils literal notranslate"><span class="pre">vmconnect</span></code>” security mode
will configure Guacamole to automatically negotiate security modes known to
be supported by Hyper-V, and will automatically select Hyper-V’s default RDP
port (2179).</p></li>
<li><p>If necessary, set “<code class="docutils literal notranslate"><span class="pre">ignore-cert</span></code>” to “<code class="docutils literal notranslate"><span class="pre">true</span></code>”. Hyper-V may use a self-signed
certificate.</p></li>
</ol>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">preconnection-id</span></code></dt><dd><p>The numeric ID of the RDP source. This is a non-negative integer value
dictating which of potentially several logical RDP connections should be
used. This parameter is optional, and is only required if the RDP server
is documented as requiring it. <em>If using Hyper-V, this should be left
blank.</em></p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">preconnection-blob</span></code></dt><dd><p>An arbitrary string which identifies the RDP source - one of potentially
several logical RDP connections hosted by the same RDP server. This
parameter is optional, and is only required if the RDP server is
documented as requiring it, such as Hyper-V. In all cases, the meaning of
this parameter is opaque to the RDP protocol itself and is dictated by the
RDP server. <em>For Hyper-V, this will be the ID of the destination virtual
machine.</em></p>
</dd>
</dl>
</section>
<section id="remote-desktop-gateway">
<span id="rdp-gateway"></span><h4>Remote desktop gateway<a class="headerlink" href="#remote-desktop-gateway" title="Link to this heading"></a></h4>
<p>Microsoft’s remote desktop server provides an additional gateway service which
allows external connections to be forwarded to internal RDP servers which are
otherwise not accessible. If you will be using Guacamole to connect through
such a gateway, you will need to provide additional parameters describing the
connection to that gateway, as well as any required credentials.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">gateway-hostname</span></code></dt><dd><p>The hostname of the remote desktop gateway that should be used as an
intermediary for the remote desktop connection. <em>If omitted, a gateway
will not be used.</em></p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">gateway-port</span></code></dt><dd><p>The port of the remote desktop gateway that should be used as an
intermediary for the remote desktop connection. By default, this will be
“443”.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">gateway-username</span></code></dt><dd><p>The username of the user authenticating with the remote desktop gateway,
if a gateway is being used. This is not necessarily the same as the user
actually using the remote desktop connection.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">gateway-password</span></code></dt><dd><p>The password to provide when authenticating with the remote desktop
gateway, if a gateway is being used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">gateway-domain</span></code></dt><dd><p>The domain of the user authenticating with the remote desktop gateway, if
a gateway is being used. This is not necessarily the same domain as the
user actually using the remote desktop connection.</p>
</dd>
</dl>
</section>
<section id="load-balancing-and-rdp-connection-brokers">
<span id="rdp-connection-broker"></span><h4>Load balancing and RDP connection brokers<a class="headerlink" href="#load-balancing-and-rdp-connection-brokers" title="Link to this heading"></a></h4>
<p>If your remote desktop servers are behind a load balancer, sometimes referred
to as a “connection broker” or “TS session broker”, that balancer may require
additional information during the connection process to determine how the
incoming connection should be routed. RDP does not dictate the format of this
information; it is specific to the balancer in use.</p>
<p>If you are using a load balancer and are unsure whether such information is
required, <em>you will need to check the documentation for your balancer</em>. If your
balancer provides <code class="docutils literal notranslate"><span class="pre">.rdp</span></code> files for convenience, look through the contents of
those files for a string field called “loadbalanceinfo”, as that field is where
the required information/cookie would be specified.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">load-balance-info</span></code></dt><dd><p>The load balancing information or cookie which should be provided to the
connection broker. <em>If no connection broker is being used, this should be
left blank.</em></p>
</dd>
</dl>
</section>
<section id="performance-flags">
<span id="rdp-perf-flags"></span><h4>Performance flags<a class="headerlink" href="#performance-flags" title="Link to this heading"></a></h4>
<p>RDP provides several flags which control the availability of features that
decrease performance and increase bandwidth for the sake of aesthetics, such as
wallpaper, window theming, menu effects, and smooth fonts. These features are
all disabled by default within Guacamole such that bandwidth usage is
minimized, but you can manually re-enable them on a per-connection basis if
desired.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">enable-wallpaper</span></code></dt><dd><p>If set to “true”, enables rendering of the desktop wallpaper. By default,
wallpaper will be disabled, such that unnecessary bandwidth need not be
spent redrawing the desktop.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-theming</span></code></dt><dd><p>If set to “true”, enables use of theming of windows and controls. By
default, theming within RDP sessions is disabled.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-font-smoothing</span></code></dt><dd><p>If set to “true”, text will be rendered with smooth edges. Text over RDP
is rendered with rough edges by default, as this reduces the number of
colors used by text, and thus reduces the bandwidth required for the
connection.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-full-window-drag</span></code></dt><dd><p>If set to “true”, the contents of windows will be displayed as windows are
moved. By default, the RDP server will only draw the window border while
windows are being dragged.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-desktop-composition</span></code></dt><dd><p>If set to “true”, graphical effects such as transparent windows and
shadows will be allowed. By default, such effects, if available, are
disabled.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">enable-menu-animations</span></code></dt><dd><p>If set to “true”, menu open and close animations will be allowed. Menu
animations are disabled by default.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">disable-bitmap-caching</span></code></dt><dd><p>In certain situations, particularly with RDP server implementations with
known bugs, it is necessary to disable RDP’s built-in bitmap caching
functionality. This parameter allows that to be controlled in a Guacamole
session. If set to “true” the RDP bitmap cache will not be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">disable-offscreen-caching</span></code></dt><dd><p>RDP normally maintains caches of regions of the screen that are currently
not visible in the client in order to accelerate retrieval of those
regions when they come into view. This parameter, when set to “true,” will
disable caching of those regions. This is usually only useful when dealing
with known bugs in RDP server implementations and should remain enabled in
most circumstances.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">disable-glyph-caching</span></code></dt><dd><p>In addition to screen regions, RDP maintains caches of frequently used
symbols or fonts, collectively known as “glyphs.” As with bitmap and
offscreen caching, certain known bugs in RDP implementations can cause
performance issues with this enabled, and setting this parameter to “true”
will disable that glyph caching in the RDP session.</p>
<p><strong>Glyph caching is currently universally disabled, regardless of the value of
this parameter, as glyph caching support is not considered stable by FreeRDP
as of the FreeRDP 2.0.0 release. See: <a class="reference external" href="https://issues.apache.org/jira/browse/GUACAMOLE-1191">GUACAMOLE-1191</a>.</strong></p>
</dd>
</dl>
</section>
<section id="remoteapp">
<span id="rdp-remoteapp"></span><h4>RemoteApp<a class="headerlink" href="#remoteapp" title="Link to this heading"></a></h4>
<p>Recent versions of Windows provide a feature called RemoteApp which allows
individual applications to be used over RDP, without providing access to the
full desktop environment. If your RDP server has this feature enabled and
configured, you can configure Guacamole connections to use those individual
applications.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">remote-app</span></code></dt><dd><p>Specifies the RemoteApp to start on the remote desktop. If supported by
your remote desktop server, this application, and only this application,
will be visible to the user.</p>
<p>Windows requires a special notation for the names of remote applications.
The names of remote applications must be prefixed with two vertical bars.
For example, if you have created a remote application on your server for
<code class="docutils literal notranslate"><span class="pre">notepad.exe</span></code> and have assigned it the name “notepad”, you would set this
parameter to: “<code class="docutils literal notranslate"><span class="pre">||notepad</span></code>”.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">remote-app-dir</span></code></dt><dd><p>The working directory, if any, for the remote application. This parameter
has no effect if RemoteApp is not in use.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">remote-app-args</span></code></dt><dd><p>The command-line arguments, if any, for the remote application. This
parameter has no effect if RemoteApp is not in use.</p>
</dd>
</dl>
</section>
<section id="adding-an-rdp-connection">
<span id="adding-rdp"></span><h4>Adding an RDP connection<a class="headerlink" href="#adding-an-rdp-connection" title="Link to this heading"></a></h4>
<p>If you are using the default authentication built into Guacamole, and you wish
to grant access to a RDP connection to a particular user, you need to locate
the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section for that user within your <code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code>, and add
a section like the following within it:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><connection</span><span class="w"> </span><span class="na">name=</span><span class="s">"Unique Name"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><protocol></span>rdp<span class="nt"></protocol></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"hostname"</span><span class="nt">></span>localhost<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"port"</span><span class="nt">></span>3389<span class="nt"></param></span>
<span class="nt"></connection></span>
</pre></div>
</div>
<p>If added exactly as above, a new connection named “<code class="docutils literal notranslate"><span class="pre">Unique</span> <span class="pre">Name</span></code>” will be
available to the user associated with the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section containing it.
The connection will use RDP to connect to localhost at port 3389. Naturally,
you will want to change some or all of these values.</p>
<p>If you want to login automatically rather than receive a login prompt upon
connecting, you can specify a username and password with additional <code class="docutils literal notranslate"><span class="pre"><param></span></code>
tags. Other options are available for controlling the color depth, size of the
screen, etc.</p>
<p>Other authentication methods will provide documentation describing how to
configure new connections. If the authentication method in use fully implements
the features of Guacamole’s authentication API, you will be able to add a new
RDP connection easily and intuitively using the administration interface built
into Guacamole. You will not need to edit configuration files.</p>
</section>
</section>
<section id="ssh">
<h3>SSH<a class="headerlink" href="#ssh" title="Link to this heading"></a></h3>
<p>Unlike VNC or RDP, SSH is a text protocol. Its implementation in Guacamole is
actually a combination of a terminal emulator and SSH client, because the SSH
protocol isn’t inherently graphical. Guacamole’s SSH support emulates a
terminal on the server side, and draws the screen of this terminal remotely on
the client.</p>
<p>SSH support for Guacamole is provided by the libguac-client-ssh library, which
will be installed as part of guacamole-server if the required dependencies are
present during the build.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In addition to the SSH-specific parameters below, Guacamole’s SSH support also
accepts the parameters of several features that Guacamole provides for multiple
protocols:</p>
<ul class="simple">
<li><p><a class="reference internal" href="#disable-clipboard"><span class="std std-ref">Disabling clipboard access</span></a></p></li>
<li><p><a class="reference internal" href="#graphical-recording"><span class="std std-ref">Graphical session recording</span></a></p></li>
<li><p><a class="reference internal" href="#typescripts"><span class="std std-ref">Text session recording (typescripts)</span></a></p></li>
<li><p><a class="reference internal" href="#stdin-pipe"><span class="std std-ref">Providing terminal input directly from JavaScript</span></a></p></li>
<li><p><a class="reference internal" href="#terminal-behavior"><span class="std std-ref">Controlling terminal behavior</span></a></p></li>
<li><p><a class="reference internal" href="#terminal-display-settings"><span class="std std-ref">Terminal display settings</span></a></p></li>
<li><p><a class="reference internal" href="#wake-on-lan"><span class="std std-ref">Wake-on-LAN</span></a></p></li>
</ul>
</div>
<section id="ssh-host-verification">
<span id="id4"></span><h4>SSH Host Verification<a class="headerlink" href="#ssh-host-verification" title="Link to this heading"></a></h4>
<p>By default, Guacamole does not do any verification of host identity before
establishing SSH connections. While this may be safe for private and trusted
networks, it is not ideal for large networks with unknown/untrusted systems, or
for SSH connections that traverse the Internet. The potential exists for
Man-in-the-Middle (MitM) attacks when connecting to these hosts.</p>
<p>Guacamole includes two methods for verifying SSH (and SFTP) server identity
that can be used to make sure that the host you are connecting to is a host
that you know and trust. The first method is by reading a file in
<code class="docutils literal notranslate"><span class="pre">GUACAMOLE_HOME</span></code> called <code class="docutils literal notranslate"><span class="pre">ssh_known_hosts</span></code>. This file should be in the format of
a standard OpenSSH <code class="docutils literal notranslate"><span class="pre">known_hosts</span></code> file. If the file is not present, no
verification is done. If the file is present, it is read in at connection time
and remote host identities are verified against the keys present in the file.</p>
<p>The second method for verifying host identity is by passing a connection
parameter that contains an OpenSSH known hosts entry for that specific host.
The <code class="docutils literal notranslate"><span class="pre">host-key</span></code> parameter is used for SSH connections, while the SFTP
connections associated with RDP and VNC use the <code class="docutils literal notranslate"><span class="pre">sftp-host-key</span></code> parameter. If
these parameters are not present on their respective connections no host
identity verification is performed. If the parameter is present then the
identity of the remote host is verified against the identity provided in the
parameter before a connection is established.</p>
</section>
<section id="ssh-network-parameters">
<span id="id5"></span><h4>Network parameters<a class="headerlink" href="#ssh-network-parameters" title="Link to this heading"></a></h4>
<p>SSH connections require a hostname or IP address defining the destination
machine. SSH is standardized to use port 22 and this will be the proper value
in most cases. You only need to specify the SSH port if you are not using the
standard port.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">hostname</span></code></dt><dd><p>The hostname or IP address of the SSH server Guacamole should connect to.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">port</span></code></dt><dd><p>The port the SSH server is listening on, usually 22. This parameter is
optional. If this is not specified, the default of 22 will be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">host-key</span></code></dt><dd><p>The known hosts entry for the SSH server. This parameter is optional, and,
if not provided, no verification of host identity will be done. If the
parameter is provided the identity of the server will be checked against
the data.</p>
<p>The format of this parameter is that of a single entry from an OpenSSH
<code class="docutils literal notranslate"><span class="pre">known_hosts</span></code> file.</p>
<p>For more information, please see <a class="reference internal" href="#ssh-host-verification"><span class="std std-ref">SSH Host Verification</span></a>.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">server-alive-interval</span></code></dt><dd><p>By default the SSH client does not send keepalive requests to the server.
This parameter allows you to configure the the interval in seconds at
which the client connection sends keepalive packets to the server. The
default is 0, which disables sending the packets. The minimum value is 2.</p>
</dd>
</dl>
</section>
<section id="ssh-authentication">
<span id="id6"></span><h4>Authentication<a class="headerlink" href="#ssh-authentication" title="Link to this heading"></a></h4>
<p>SSH provides authentication through passwords and public key authentication,
and also supports the “NONE” method.</p>
<p>SSH “NONE” authentication is seen occasionally in appliances and items like
network or SAN fabric switches. Generally for this authentication method you
need only provide a username.</p>
<p>For Guacamole to use public key authentication, it must have access to your
private key and, if applicable, its passphrase. If the private key requires a
passphrase, but no passphrase is provided, you will be prompted for the
passphrase upon connecting.</p>
<p>If no private key is provided, Guacamole will attempt to authenticate using a
password, reading that password from the connection parameters, if provided, or
by prompting the user directly.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">username</span></code></dt><dd><p>The username to use to authenticate, if any. This parameter is optional.
If not specified, you will be prompted for the username upon connecting.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">password</span></code></dt><dd><p>The password to use when attempting authentication, if any. This parameter
is optional. If not specified, you will be prompted for your password upon
connecting.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">private-key</span></code></dt><dd><p>The entire contents of the private key to use for public key
authentication. If this parameter is not specified, public key
authentication will not be used. The private key must be in OpenSSH
format, as would be generated by the OpenSSH <strong class="command">ssh-keygen</strong>
utility.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">passphrase</span></code></dt><dd><p>The passphrase to use to decrypt the private key for use in public key
authentication. This parameter is not needed if the private key does not
require a passphrase. If the private key requires a passphrase, but this
parameter is not provided, the user will be prompted for the passphrase
upon connecting.</p>
</dd>
</dl>
</section>
<section id="running-a-command-instead-of-a-shell">
<span id="ssh-command"></span><h4>Running a command (instead of a shell)<a class="headerlink" href="#running-a-command-instead-of-a-shell" title="Link to this heading"></a></h4>
<p>By default, SSH sessions will start an interactive shell. The shell which will
be used is determined by the SSH server, normally by reading the user’s default
shell previously set with <code class="docutils literal notranslate"><span class="pre">chsh</span></code> or within <code class="docutils literal notranslate"><span class="pre">/etc/passwd</span></code>. If you wish to
override this and instead run a specific command, you can do so by specifying
that command in the configuration of the Guacamole SSH connection.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">command</span></code></dt><dd><p>The command to execute over the SSH session, if any. This parameter is
optional. If not specified, the SSH session will use the user’s default
shell.</p>
</dd>
</dl>
</section>
<section id="internationalization-locale-settings">
<h4>Internationalization/Locale settings<a class="headerlink" href="#internationalization-locale-settings" title="Link to this heading"></a></h4>
<p>The language of the session is normally set by the SSH server. If the SSH
server allows the relevant environment variable to be set, the language can be
overridden on a per-connection basis.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">locale</span></code></dt><dd><p>The specific locale to request for the SSH session. This parameter is
optional and may be any value accepted by the <code class="docutils literal notranslate"><span class="pre">LANG</span></code> environment variable
of the SSH server. If not specified, the SSH server’s default locale will
be used.</p>
<p>As this parameter is sent to the SSH server using the <code class="docutils literal notranslate"><span class="pre">LANG</span></code> environment
variable, the parameter will only have an effect if the SSH server allows
the <code class="docutils literal notranslate"><span class="pre">LANG</span></code> environment variable to be set by SSH clients.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">timezone</span></code></dt><dd><p>This parameter allows you to control the timezone that is sent to the
server over the SSH connection, which will change the way local time is
displayed on the server.</p>
<p>The mechanism used to do this over SSH connections is by setting the <code class="docutils literal notranslate"><span class="pre">TZ</span></code>
variable on the SSH connection to the timezone specified by this
parameter. This means that the SSH server must allow the <code class="docutils literal notranslate"><span class="pre">TZ</span></code> variable to
be set/overriden - many SSH server implementations have this disabled by
default. To get this to work, you may need to modify the configuration of
the SSH server and explicitly allow for <code class="docutils literal notranslate"><span class="pre">TZ</span></code> to be set/overriden.</p>
<p>The available values of this parameter are standard IANA key zone format
timezones, and the value will be sent directly to the server in this
format.</p>
</dd>
</dl>
</section>
<section id="sftp">
<span id="ssh-sftp"></span><h4>SFTP<a class="headerlink" href="#sftp" title="Link to this heading"></a></h4>
<p>Guacamole provides support for file transfer over SSH using SFTP, the
file transfer protocol built into most SSH servers. If SFTP is enabled
on a Guacamole SSH connection, users will be able to upload and download
files as described in <a class="reference internal" href="using-guacamole.html"><span class="doc std std-doc">Using Guacamole</span></a></p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">enable-sftp</span></code></dt><dd><p>Whether file transfer should be enabled. If set to “true”, the user will
be allowed to upload or download files from the SSH server using SFTP.
Guacamole includes the <strong class="program">guacctl</strong> utility which controls file
downloads and uploads when run on the SSH server by the user over the SSH
connection.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-root-directory</span></code></dt><dd><p>The directory to expose to connected users via Guacamole’s <a class="reference internal" href="using-guacamole.html#file-browser"><span class="std std-ref">file
browser</span></a>. If omitted, the root directory will be used by
default.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-disable-download</span></code></dt><dd><p>If set to true downloads from the remote system to the client (browser)
will be disabled. The default is false, which means that downloads will be
enabled.</p>
<p>If SFTP is not enabled, this parameter will be ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-disable-upload</span></code></dt><dd><p>If set to true uploads from the client (browser) to the remote system will
be disabled. The default is false, which means that uploads will be
enabled.</p>
<p>If SFTP is not enabled, this parameter will be ignored.</p>
</dd>
</dl>
</section>
<section id="adding-an-ssh-connection">
<span id="adding-ssh"></span><h4>Adding an SSH connection<a class="headerlink" href="#adding-an-ssh-connection" title="Link to this heading"></a></h4>
<p>If you are using the default authentication built into Guacamole, and
you wish to grant access to a SSH connection to a particular user, you
need to locate the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section for that user within your
<code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code>, and add a section like the following within it:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><connection</span><span class="w"> </span><span class="na">name=</span><span class="s">"Unique Name"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><protocol></span>ssh<span class="nt"></protocol></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"hostname"</span><span class="nt">></span>localhost<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"port"</span><span class="nt">></span>22<span class="nt"></param></span>
<span class="nt"></connection></span>
</pre></div>
</div>
<p>If added exactly as above, a new connection named “<code class="docutils literal notranslate"><span class="pre">Unique</span> <span class="pre">Name</span></code>” will be
available to the user associated with the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section containing it.
The connection will use SSH to connect to localhost at port 22. Naturally, you
will want to change some or all of these values.</p>
<p>If you want to login automatically rather than receive a login prompt upon
connecting, you can specify a username and password with additional <code class="docutils literal notranslate"><span class="pre"><param></span></code>
tags. Other options are available for controlling the font.</p>
<p>Other authentication methods will provide documentation describing how to
configure new connections.</p>
</section>
</section>
<section id="telnet">
<h3>Telnet<a class="headerlink" href="#telnet" title="Link to this heading"></a></h3>
<p>Telnet is a text protocol and provides similar functionality to SSH. By nature,
it is not encrypted, and does not provide support for file transfer. As far as
graphics are concerned, Guacamole’s telnet support works in the same manner as
SSH: it emulates a terminal on the server side which renders to the Guacamole
client’s display.</p>
<p>Telnet support for Guacamole is provided by the libguac-client-telnet library,
which will be installed as part of guacamole-server if the required
dependencies are present during the build.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In addition to the telnet-specific parameters below, Guacamole’s telnet support
also accepts the parameters of several features that Guacamole provides for
multiple protocols:</p>
<ul class="simple">
<li><p><a class="reference internal" href="#disable-clipboard"><span class="std std-ref">Disabling clipboard access</span></a></p></li>
<li><p><a class="reference internal" href="#graphical-recording"><span class="std std-ref">Graphical session recording</span></a></p></li>
<li><p><a class="reference internal" href="#typescripts"><span class="std std-ref">Text session recording (typescripts)</span></a></p></li>
<li><p><a class="reference internal" href="#stdin-pipe"><span class="std std-ref">Providing terminal input directly from JavaScript</span></a></p></li>
<li><p><a class="reference internal" href="#terminal-behavior"><span class="std std-ref">Controlling terminal behavior</span></a></p></li>
<li><p><a class="reference internal" href="#terminal-display-settings"><span class="std std-ref">Terminal display settings</span></a></p></li>
<li><p><a class="reference internal" href="#wake-on-lan"><span class="std std-ref">Wake-on-LAN</span></a></p></li>
</ul>
</div>
<section id="telnet-network-parameters">
<span id="id7"></span><h4>Network parameters<a class="headerlink" href="#telnet-network-parameters" title="Link to this heading"></a></h4>
<p>Telnet connections require a hostname or IP address defining the
destination machine. Telnet is standardized to use port 23 and this will
be the proper value in most cases. You only need to specify the telnet
port if you are not using the standard port.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">hostname</span></code></dt><dd><p>The hostname or IP address of the telnet server Guacamole should connect
to.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">port</span></code></dt><dd><p>The port the telnet server is listening on, usually 23. This parameter is
optional. If this is not specified, the default of 23 will be used.</p>
</dd>
</dl>
</section>
<section id="telnet-authentication">
<span id="id8"></span><h4>Authentication<a class="headerlink" href="#telnet-authentication" title="Link to this heading"></a></h4>
<p>Telnet does not actually provide any standard means of authentication.
Authentication over telnet depends entirely on the login process running on the
server and is interactive. To cope with this, Guacamole provides non-standard
mechanisms for automatically passing the username and entering password.
Whether these mechanisms work depends on specific login process used by your
telnet server.</p>
<p>The de-facto method for passing the username automatically via telnet is to
submit it via the <code class="docutils literal notranslate"><span class="pre">USER</span></code> environment variable, sent using the NEW-ENVIRON
option. This is the mechanism used by most telnet clients, typically via the
<code class="docutils literal notranslate"><span class="pre">-l</span></code> command-line option.</p>
<p>Passwords cannot typically be sent automatically - at least not as reliably as
the username. There is no <code class="docutils literal notranslate"><span class="pre">PASSWORD</span></code> environment variable (this would actually
be a horrible idea) nor any similar mechanism for passing the password to the
telnet login process, and most telnet clients provide no built-in support for
automatically entering the password. The best that can be done is to
heuristically detect the password prompt, and type the password on behalf of
the user when the prompt appears. The prescribed method for doing this with a
traditional command-line telnet is to use a utility like <code class="docutils literal notranslate"><span class="pre">expect</span></code>. Guacamole
provides similar functionality by searching for the password prompt with a
regular expression.</p>
<p>If Guacamole receives a line of text which matches the regular expression, the
password is automatically sent. If no such line is ever received, the password
is not sent, and the user must type the password manually. Pressing any key
during this process cancels the heuristic password prompt detection.</p>
<p>If the password prompt is not being detected properly, you can try using your
own regular expression by specifying it within the <code class="docutils literal notranslate"><span class="pre">password-regex</span></code> parameter.
The regular expression must be written in the POSIX ERE dialect (the dialect
typically used by <code class="docutils literal notranslate"><span class="pre">egrep</span></code>).</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">username</span></code></dt><dd><p>The username to use to authenticate, if any. This parameter is optional.
If not specified, or not supported by the telnet server, the login process
on the telnet server will prompt you for your credentials. For this to
work, your telnet server must support the NEW-ENVIRON option, and the
telnet login process must pay attention to the <code class="docutils literal notranslate"><span class="pre">USER</span></code> environment
variable. Most telnet servers satisfy this criteria.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">password</span></code></dt><dd><p>The password to use when attempting authentication, if any. This parameter
is optional. If specified, your password will be typed on your behalf when
the password prompt is detected.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">username-regex</span></code></dt><dd><p>The regular expression to use when waiting for the username prompt. This
parameter is optional. If not specified, a reasonable default built into
Guacamole will be used. The regular expression must be written in the
POSIX ERE dialect (the dialect typically used by <code class="docutils literal notranslate"><span class="pre">egrep</span></code>).</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">password-regex</span></code></dt><dd><p>The regular expression to use when waiting for the password prompt. This
parameter is optional. If not specified, a reasonable default built into
Guacamole will be used. The regular expression must be written in the
POSIX ERE dialect (the dialect typically used by <code class="docutils literal notranslate"><span class="pre">egrep</span></code>).</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">login-success-regex</span></code></dt><dd><p>The regular expression to use when detecting that the login attempt has
succeeded. This parameter is optional. If specified, the terminal display
will not be shown to the user until text matching this regular expression
has been received from the telnet server. The regular expression must be
written in the POSIX ERE dialect (the dialect typically used by <code class="docutils literal notranslate"><span class="pre">egrep</span></code>).</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">login-failure-regex</span></code></dt><dd><p>The regular expression to use when detecting that the login attempt has
failed. This parameter is optional. If specified, the connection will be
closed with an explicit login failure error if text matching this regular
expression has been received from the telnet server. The regular
expression must be written in the POSIX ERE dialect (the dialect typically
used by <code class="docutils literal notranslate"><span class="pre">egrep</span></code>).</p>
</dd>
</dl>
</section>
<section id="adding-a-telnet-connection">
<span id="adding-telnet"></span><h4>Adding a telnet connection<a class="headerlink" href="#adding-a-telnet-connection" title="Link to this heading"></a></h4>
<p>If you are using the default authentication built into Guacamole, and you wish
to grant access to a telnet connection to a particular user, you need to locate
the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section for that user within your <code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code>, and add
a section like the following within it:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><connection</span><span class="w"> </span><span class="na">name=</span><span class="s">"Unique Name"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><protocol></span>telnet<span class="nt"></protocol></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"hostname"</span><span class="nt">></span>localhost<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"port"</span><span class="nt">></span>23<span class="nt"></param></span>
<span class="nt"></connection></span>
</pre></div>
</div>
<p>If added exactly as above, a new connection named “<code class="docutils literal notranslate"><span class="pre">Unique</span> <span class="pre">Name</span></code>” will be
available to the user associated with the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section containing it.
The connection will use telnet to connect to localhost at port 23. Naturally,
you will want to change some or all of these values.</p>
<p>As telnet is inherently insecure compared to SSH, you should use SSH instead
wherever possible. If Guacamole is set up to use HTTPS then communication with
the Guacamole <em>client</em> will be encrypted, but communication between guacd and
the telnet server will still be unencrypted. You should not use telnet unless
the network between guacd and the telnet server is trusted.</p>
</section>
</section>
<section id="kubernetes">
<h3>Kubernetes<a class="headerlink" href="#kubernetes" title="Link to this heading"></a></h3>
<p>Kubernetes provides an API for attaching to the console of a container over the
network. As with SSH and telnet, Guacamole’s Kubernetes support emulates a
terminal on the server side which renders to the Guacamole client’s display.</p>
<p>Kubernetes support for Guacamole is provided by the libguac-client-kubernetes
library, which will be installed as part of guacamole-server if the required
dependencies are present during the build.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>In addition to the Kubernetes-specific parameters below, Guacamole’s Kubernetes
support also accepts the parameters of several features that Guacamole provides
for multiple protocols:</p>
<ul class="simple">
<li><p><a class="reference internal" href="#disable-clipboard"><span class="std std-ref">Disabling clipboard access</span></a></p></li>
<li><p><a class="reference internal" href="#graphical-recording"><span class="std std-ref">Graphical session recording</span></a></p></li>
<li><p><a class="reference internal" href="#typescripts"><span class="std std-ref">Text session recording (typescripts)</span></a></p></li>
<li><p><a class="reference internal" href="#stdin-pipe"><span class="std std-ref">Providing terminal input directly from JavaScript</span></a></p></li>
<li><p><a class="reference internal" href="#terminal-behavior"><span class="std std-ref">Controlling terminal behavior</span></a></p></li>
<li><p><a class="reference internal" href="#terminal-display-settings"><span class="std std-ref">Terminal display settings</span></a></p></li>
<li><p><a class="reference internal" href="#wake-on-lan"><span class="std std-ref">Wake-on-LAN</span></a></p></li>
</ul>
</div>
<section id="network-container-parameters">
<span id="kubernetes-network-parameters"></span><h4>Network/Container parameters<a class="headerlink" href="#network-container-parameters" title="Link to this heading"></a></h4>
<p>Attaching to a Kubernetes container requires the hostname or IP address of the
Kubernetes server and the name of the pod containing the container in question.
By default, Guacamole will attach to the first container in the pod. If there
are multiple containers in the pod, you may wish to also specify the container
name.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">hostname</span></code></dt><dd><p>The hostname or IP address of the Kubernetes server
that Guacamole should connect to.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">port</span></code></dt><dd><p>The port the Kubernetes server is listening on for
API connections. <em>This parameter is optional.</em> If
omitted, port 8080 will be used by default.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">namespace</span></code></dt><dd><p>The name of the Kubernetes namespace of the pod containing the container
being attached to. <em>This parameter is optional.</em> If omitted, the namespace
“default” will be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">pod</span></code></dt><dd><p>The name of the Kubernetes pod containing with the container being
attached to.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">container</span></code></dt><dd><p>The name of the container to attach to. <em>This parameter is optional.</em> If
omitted, the first container in the pod will be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">exec-command</span></code></dt><dd><p>The command to run within the container, with input and output attached to
this command’s process. <em>This parameter is optional.</em> If omitted, no
command will be run, and input/output will instead be attached to the main
process of the container.</p>
<p>When this parameter is specified, the behavior of the connection is
analogous to running <strong class="command">kubectl exec</strong>. When omitted, the behavior
is analogous to running <strong class="command">kubectl attach</strong>.</p>
</dd>
</dl>
</section>
<section id="authentication-and-ssl-tls">
<span id="kubernetes-authentication"></span><h4>Authentication and SSL/TLS<a class="headerlink" href="#authentication-and-ssl-tls" title="Link to this heading"></a></h4>
<p>If enabled, Kubernetes uses SSL/TLS for both encryption and authentication.
Standard SSL/TLS client authentication requires both a client certificate and
client key, which Guacamole will use to identify itself to the Kubernetes
server. If the certificate used by Kubernetes is self-signed or signed by a
non-standard certificate authority, the certificate for the certificate
authority will also be needed.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">use-ssl</span></code></dt><dd><p>If set to “true”, SSL/TLS will be used to connect to the Kubernetes
server. <em>This parameter is optional.</em> By default, SSL/TLS will not be
used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">client-cert</span></code></dt><dd><p>The certificate to use if performing SSL/TLS client authentication to
authenticate with the Kubernetes server, in PEM format. <em>This parameter is
optional.</em> If omitted, SSL client authentication will not be performed.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">client-key</span></code></dt><dd><p>The key to use if performing SSL/TLS client authentication to authenticate
with the Kubernetes server, in PEM format. <em>This parameter is optional.</em>
If omitted, SSL client authentication will not be performed.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">ca-cert</span></code></dt><dd><p>The certificate of the certificate authority that signed the certificate
of the Kubernetes server, in PEM format. <em>This parameter is optional.</em> If
omitted, verification of the Kubernetes server certificate will use only
system-wide certificate authorities.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">ignore-cert</span></code></dt><dd><p>If set to “true”, the validity of the SSL/TLS certificate used by the
Kubernetes server will be ignored if it cannot be validated. <em>This
parameter is optional.</em> By default, SSL/TLS certificates are validated.</p>
</dd>
</dl>
</section>
<section id="adding-a-kubernetes-connection">
<span id="adding-kubernetes"></span><h4>Adding a Kubernetes connection<a class="headerlink" href="#adding-a-kubernetes-connection" title="Link to this heading"></a></h4>
<p>If you are using the default authentication built into Guacamole, and you wish
to grant access to a Kubernetes connection to a particular user, you need to
locate the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section for that user within your <code class="docutils literal notranslate"><span class="pre">user-mapping.xml</span></code>,
and add a section like the following within it:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><connection</span><span class="w"> </span><span class="na">name=</span><span class="s">"Unique Name"</span><span class="nt">></span>
<span class="w"> </span><span class="nt"><protocol></span>kubernetes<span class="nt"></protocol></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"hostname"</span><span class="nt">></span>localhost<span class="nt"></param></span>
<span class="w"> </span><span class="nt"><param</span><span class="w"> </span><span class="na">name=</span><span class="s">"pod"</span><span class="nt">></span>mypod<span class="nt"></param></span>
<span class="nt"></connection></span>
</pre></div>
</div>
<p>If added exactly as above, a new connection named “<code class="docutils literal notranslate"><span class="pre">Unique</span> <span class="pre">Name</span></code>” will be
available to the user associated with the <code class="docutils literal notranslate"><span class="pre"><authorize></span></code> section containing it.
The connection will connect to the Kubernetes server running on localhost and
attach to the first container of the pod “mypod”.</p>
</section>
</section>
<section id="common-configuration-options">
<h3>Common configuration options<a class="headerlink" href="#common-configuration-options" title="Link to this heading"></a></h3>
<section id="disabling-clipboard-access">
<span id="disable-clipboard"></span><h4>Disabling clipboard access<a class="headerlink" href="#disabling-clipboard-access" title="Link to this heading"></a></h4>
<p>Guacamole provides bidirectional access to the clipboard by default for all
supported protocols. For protocols that don’t inherently provide a clipboard,
Guacamole implements its own clipboard. This behavior can be overridden on a
per-connection basis with the <code class="docutils literal notranslate"><span class="pre">disable-copy</span></code> and <code class="docutils literal notranslate"><span class="pre">disable-paste</span></code> parameters.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">disable-copy</span></code></dt><dd><p>If set to “true”, text copied within the remote desktop session will not
be accessible by the user at the browser side of the Guacamole session,
and will be usable only within the remote desktop. This parameter is
optional. By default, the user will be given access to the copied text.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">disable-paste</span></code></dt><dd><p>If set to “true”, text copied at the browser side of the Guacamole session
will not be accessible within the remote ddesktop session. This parameter
is optional. By default, the user will be able to paste data from outside
the browser within the remote desktop session.</p>
</dd>
</dl>
</section>
<section id="file-transfer-via-sftp">
<span id="common-sftp"></span><h4>File transfer via SFTP<a class="headerlink" href="#file-transfer-via-sftp" title="Link to this heading"></a></h4>
<p>Guacamole can provide file transfer over SFTP even when the remote desktop is
otherwise being accessed through a different protocol, like VNC or RDP. If SFTP
is enabled on a Guacamole RDP connection, users will be able to upload and
download files as described in <a class="reference internal" href="using-guacamole.html"><span class="doc std std-doc">Using Guacamole</span></a>.</p>
<p>This support is independent of the file transfer that may be provided by the
protocol in use, like RDP’s own “drive redirection” (RDPDR), and is
particularly useful for remote desktop servers which do not support file
transfer features.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">enable-sftp</span></code></dt><dd><p>Whether file transfer should be enabled. If set to “true”, the user will
be allowed to upload or download files from the specified server using
SFTP. If omitted, SFTP will be disabled.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-hostname</span></code></dt><dd><p>The hostname or IP address of the server hosting SFTP. This parameter is
optional. If omitted, the hostname of the remote desktop server associated
with the connection will be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-port</span></code></dt><dd><p>The port the SSH server providing SFTP is listening on, usually 22. This
parameter is optional. If omitted, the standard port of 22 will be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-host-key</span></code></dt><dd><p>The known hosts entry for the SFTP server. This parameter is optional,
and, if not provided, no verification of SFTP host identity will be done.
If the parameter is provided the identity of the server will be checked
against the data.</p>
<p>The format of this parameter is that of a single entry from an OpenSSH
<code class="docutils literal notranslate"><span class="pre">known_hosts</span></code> file.</p>
<p>For more information, please see <a class="reference internal" href="#ssh-host-verification"><span class="std std-ref">SSH Host Verification</span></a>.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-username</span></code></dt><dd><p>The username to authenticate as when connecting to the specified SSH
server for SFTP. This parameter is optional if a username is specified for
the remote desktop connection. If omitted, the username specified for the
remote desktop connection will be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-password</span></code></dt><dd><p>The password to use when authenticating with the specified SSH server for
SFTP.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-private-key</span></code></dt><dd><p>The entire contents of the private key to use for public key
authentication. If this parameter is not specified, public key
authentication will not be used. The private key must be in OpenSSH
format, as would be generated by the OpenSSH <strong class="command">ssh-keygen</strong>
utility.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-passphrase</span></code></dt><dd><p>The passphrase to use to decrypt the private key for use in public key
authentication. This parameter is not needed if the private key does not
require a passphrase.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-directory</span></code></dt><dd><p>The directory to upload files to if they are simply dragged and dropped,
and thus otherwise lack a specific upload location. This parameter is
optional. If omitted, the default upload location of the SSH server
providing SFTP will be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-root-directory</span></code></dt><dd><p>The directory to expose to connected users via Guacamole’s
<a class="reference internal" href="using-guacamole.html#file-browser"><span class="std std-ref">Using the file browser</span></a>. If omitted, the root directory will be used by default.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-server-alive-interval</span></code></dt><dd><p>The interval in seconds at which to send keepalive packets to the SSH
server for the SFTP connection. This parameter is optional. If omitted,
the default of 0 will be used, disabling sending keepalive packets. The
minimum value is 2.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-disable-download</span></code></dt><dd><p>If set to true downloads from the remote system to the client (browser)
will be disabled. The default is false, which means that downloads will be
enabled.</p>
<p>If sftp is not enabled, this parameter will be ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">sftp-disable-upload</span></code></dt><dd><p>If set to true uploads from the client (browser) to the remote system will
be disabled. The default is false, which means that uploads will be
enabled.</p>
<p>If sftp is not enabled, this parameter will be ignored.</p>
</dd>
</dl>
</section>
<section id="graphical-session-recording">
<span id="graphical-recording"></span><h4>Graphical session recording<a class="headerlink" href="#graphical-session-recording" title="Link to this heading"></a></h4>
<p>Sessions of all supported protocols can be recorded graphically. These
recordings take the form of Guacamole protocol dumps and are recorded
automatically to a specified directory. Recordings can be subsequently
<a class="reference internal" href="recording-playback.html"><span class="doc std std-doc">played back directly in the browser from the connection history screen</span></a>
or translated to a normal video stream using the <strong class="program">guacenc</strong> utility
provided with guacamole-server.</p>
<p>For example, to produce a video called <code class="samp docutils literal notranslate"><em><span class="pre">NAME</span></em><span class="pre">.m4v</span></code> from the recording
“<code class="docutils literal notranslate"><span class="pre">NAME</span></code>”, you would run:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="gp">$ </span>guacenc<span class="w"> </span>/path/to/recording/NAME
</pre></div>
</div>
<p>The <strong class="program">guacenc</strong> utility has additional options for overriding default
behavior, including tweaking the output format, which are documented in detail
within the manpage:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="gp">$ </span>man<span class="w"> </span>guacenc
</pre></div>
</div>
<p>If recording of key events is explicitly enabled using the
<code class="docutils literal notranslate"><span class="pre">recording-include-keys</span></code> parameter, recordings can also be translated into
human-readable interpretations of the keys pressed during the session using the
<strong class="program">guaclog</strong> utility. The usage of <strong class="program">guaclog</strong> is analogous to
<strong class="program">guacenc</strong>, and results in the creation of a new text file containing
the interpreted events:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="gp">$ </span>guaclog<span class="w"> </span>/path/to/recording/NAME
<span class="go">guaclog: INFO: Guacamole input log interpreter (guaclog) version 1.5.5</span>
<span class="go">guaclog: INFO: 1 input file(s) provided.</span>
<span class="go">guaclog: INFO: Writing input events from "/path/to/recording/NAME" to "/path/to/recording/NAME.txt" ...</span>
<span class="go">guaclog: INFO: All files interpreted successfully.</span>
<span class="gp">$</span>
</pre></div>
</div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>Guacamole will never overwrite an existing recording. If necessary, a numeric
suffix like “.1”, “.2”, “.3”, etc. will be appended to <NAME> to avoid
overwriting an existing recording. If even appending a numeric suffix does not
help, the session will simply not be recorded.</p>
</div>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">recording-path</span></code></dt><dd><p>The directory in which screen recording files should be created. <em>If a
graphical recording needs to be created, then this parameter is required.</em>
Specifying this parameter enables graphical screen recording. If this
parameter is omitted, no graphical recording will be created.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">create-recording-path</span></code></dt><dd><p>If set to “true”, the directory specified by the <code class="docutils literal notranslate"><span class="pre">recording-path</span></code>
parameter will automatically be created if it does not yet exist. Only the
final directory in the path will be created - if other directories earlier
in the path do not exist, automatic creation will fail, and an error will
be logged.</p>
<p><em>This parameter is optional.</em> By default, the directory specified by the
<code class="docutils literal notranslate"><span class="pre">recording-path</span></code> parameter will not automatically be created, and attempts
to create recordings within a non-existent directory will be logged as
errors.</p>
<p>This parameter only has an effect if graphical recording is enabled. If
the <code class="docutils literal notranslate"><span class="pre">recording-path</span></code> is not specified, graphical session recording will be
disabled, and this parameter will be ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">recording-name</span></code></dt><dd><p>The filename to use for any created recordings. <em>This parameter is
optional.</em> If omitted, the value “recording” will be used instead.</p>
<p>This parameter only has an effect if graphical recording is enabled. If
the <code class="docutils literal notranslate"><span class="pre">recording-path</span></code> is not specified, graphical session recording will be
disabled, and this parameter will be ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">recording-exclude-output</span></code></dt><dd><p>If set to “true”, graphical output and other data normally streamed from
server to client will be excluded from the recording, producing a
recording which contains only user input events. <em>This parameter is
optional.</em> If omitted, graphical output will be included in the recording.</p>
<p>This parameter only has an effect if graphical recording is enabled. If
the <code class="docutils literal notranslate"><span class="pre">recording-path</span></code> is not specified, graphical session recording will be
disabled, and this parameter will be ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">recording-exclude-mouse</span></code></dt><dd><p>If set to “true”, user mouse events will be excluded from the recording,
producing a recording which lacks a visible mouse cursor. <em>This parameter
is optional.</em> If omitted, mouse events will be included in the recording.</p>
<p>This parameter only has an effect if graphical recording is enabled. If
the <code class="docutils literal notranslate"><span class="pre">recording-path</span></code> is not specified, graphical session recording will be
disabled, and this parameter will be ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">recording-include-keys</span></code></dt><dd><p>If set to “true”, user key events will be included in the recording. The
recording can subsequently be passed through the <strong class="program">guaclog</strong> utility
to produce a human-readable interpretation of the keys pressed during the
session. <em>This parameter is optional.</em> If omitted, key events will be not
included in the recording.</p>
<p>This parameter only has an effect if graphical recording is enabled. If
the <code class="docutils literal notranslate"><span class="pre">recording-path</span></code> is not specified, graphical session recording will be
disabled, and this parameter will be ignored.</p>
</dd>
</dl>
</section>
<section id="text-session-recording-typescripts">
<span id="typescripts"></span><h4>Text session recording (typescripts)<a class="headerlink" href="#text-session-recording-typescripts" title="Link to this heading"></a></h4>
<p>The full, raw text content of SSH sessions, including timing information, can
be recorded automatically to a specified directory. This recording, also known
as a “typescript”, will be written to two files within the directory specified
by <code class="docutils literal notranslate"><span class="pre">typescript-path</span></code>: <code class="samp docutils literal notranslate"><em><span class="pre">NAME</span></em></code>, which contains the raw text data, and
<code class="samp docutils literal notranslate"><em><span class="pre">NAME</span></em><span class="pre">.timing</span></code>, which contains timing information, where <code class="docutils literal notranslate"><span class="pre">NAME</span></code> is the
value provided for the <code class="docutils literal notranslate"><span class="pre">typescript-name</span></code> parameter.</p>
<p>This format is compatible with the format used by the standard UNIX
<strong class="command">script</strong> command, and can be replayed using <strong class="command">scriptreplay</strong>
(if installed). For example, to replay a typescript called “<code class="docutils literal notranslate"><span class="pre">NAME</span></code>”, you would
run:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="gp">$ </span>scriptreplay<span class="w"> </span>NAME.timing<span class="w"> </span>NAME
</pre></div>
</div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>Guacamole will never overwrite an existing recording. If necessary, a numeric
suffix like “.1”, “.2”, “.3”, etc. will be appended to <code class="docutils literal notranslate"><span class="pre">NAME</span></code> to avoid
overwriting an existing recording. If even appending a numeric suffix does not
help, the session will simply not be recorded.</p>
</div>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">typescript-path</span></code></dt><dd><p>The directory in which typescript files should be created. <em>If a
typescript needs to be recorded, this parameter is required.</em> Specifying
this parameter enables typescript recording. If this parameter is omitted,
no typescript will be recorded.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">create-typescript-path</span></code></dt><dd><p>If set to “true”, the directory specified by the <code class="docutils literal notranslate"><span class="pre">typescript-path</span></code>
parameter will automatically be created if it does not yet exist. Only the
final directory in the path will be created - if other directories earlier
in the path do not exist, automatic creation will fail, and an error will
be logged.</p>
<p><em>This parameter is optional.</em> By default, the directory specified by the
<code class="docutils literal notranslate"><span class="pre">typescript-path</span></code> parameter will not automatically be created, and
attempts to record typescripts in a non-existent directory will be logged
as errors.</p>
<p>This parameter only has an effect if typescript recording is enabled. If
the <code class="docutils literal notranslate"><span class="pre">typescript-path</span></code> is not specified, recording of typescripts will be
disabled, and this parameter will be ignored.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">typescript-name</span></code></dt><dd><p>The base filename to use when determining the names for the data and
timing files of the typescript. <em>This parameter is optional.</em> If omitted,
the value “typescript” will be used instead.</p>
<p>Each typescript consists of two files which are created within the
directory specified by <code class="docutils literal notranslate"><span class="pre">typescript-path</span></code>: <code class="samp docutils literal notranslate"><em><span class="pre">NAME</span></em></code>, which contains
the raw text data, and <code class="samp docutils literal notranslate"><em><span class="pre">NAME</span></em><span class="pre">.timing</span></code>, which contains timing
information, where <code class="docutils literal notranslate"><span class="pre">NAME</span></code> is the value provided for the <code class="docutils literal notranslate"><span class="pre">typescript-name</span></code>
parameter.</p>
<p>This parameter only has an effect if typescript recording is enabled. If
the <code class="docutils literal notranslate"><span class="pre">typescript-path</span></code> is not specified, recording of typescripts will be
disabled, and this parameter will be ignored.</p>
</dd>
</dl>
</section>
<section id="controlling-terminal-behavior">
<span id="terminal-behavior"></span><h4>Controlling terminal behavior<a class="headerlink" href="#controlling-terminal-behavior" title="Link to this heading"></a></h4>
<p>In most cases, the default behavior for a terminal works without modification.
However, when connecting to certain systems, particularly operating systems
other than Linux, the terminal behavior may need to be tweaked to allow it to
operate properly. The settings in this section control that behavior.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">backspace</span></code></dt><dd><p>This parameter controls the ASCII code that the backspace key sends to the
remote system. Under most circumstances this should not need to be
adjusted; however, if, when pressing the backspace key, you see control
characters (often either ^? or ^H) instead of seeing the text erased, you
may need to adjust this parameter. By default the terminal sends ASCII
code 127 (Delete) if this option is not set.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">terminal-type</span></code></dt><dd><p>This parameter sets the terminal emulator type string that is passed to
the server. This parameter is optional. If not specified, “<code class="docutils literal notranslate"><span class="pre">linux</span></code>” is used
as the terminal emulator type by default.</p>
</dd>
</dl>
<section id="providing-terminal-input-directly-from-javascript">
<span id="stdin-pipe"></span><h5>Providing terminal input directly from JavaScript<a class="headerlink" href="#providing-terminal-input-directly-from-javascript" title="Link to this heading"></a></h5>
<p>If Guacamole is being used in part to automate an SSH, telnet, or other
terminal session, it can be useful to provide input directly from JavaScript as
a raw stream of data, rather than attempting to translate data into keystrokes.
This can be done through opening a pipe stream named “STDIN” within the
connection using the <a class="reference external" href="http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.Client.html#createPipeStream"><code class="docutils literal notranslate"><span class="pre">createPipeStream()</span></code></a>
function of <a class="reference external" href="http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.Client.html"><code class="docutils literal notranslate"><span class="pre">Guacamole.Client</span></code></a>:</p>
<div class="highlight-javascript notranslate"><div class="highlight"><pre><span></span><span class="kd">var</span><span class="w"> </span><span class="nx">outputStream</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">client</span><span class="p">.</span><span class="nx">createPipeStream</span><span class="p">(</span><span class="s1">'text/plain'</span><span class="p">,</span><span class="w"> </span><span class="s1">'STDIN'</span><span class="p">);</span>
</pre></div>
</div>
<p>The resulting <a class="reference external" href="http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.OutputStream.html"><code class="docutils literal notranslate"><span class="pre">Guacamole.OutputStream</span></code></a>
can then be used to stream data directly to the input of the terminal session,
as if typed by the user:</p>
<div class="highlight-javascript notranslate"><div class="highlight"><pre><span></span><span class="c1">// Wrap output stream in writer</span>
<span class="kd">var</span><span class="w"> </span><span class="nx">writer</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ow">new</span><span class="w"> </span><span class="nx">Guacamole</span><span class="p">.</span><span class="nx">StringWriter</span><span class="p">(</span><span class="nx">outputStream</span><span class="p">);</span>
<span class="c1">// Send text</span>
<span class="nx">writer</span><span class="p">.</span><span class="nx">sendText</span><span class="p">(</span><span class="s2">"hello"</span><span class="p">);</span>
<span class="c1">// Send more text</span>
<span class="nx">writer</span><span class="p">.</span><span class="nx">sendText</span><span class="p">(</span><span class="s2">"world"</span><span class="p">);</span>
<span class="c1">// Close writer and stream</span>
<span class="nx">writer</span><span class="p">.</span><span class="nx">sendEnd</span><span class="p">();</span>
</pre></div>
</div>
</section>
</section>
<section id="terminal-display-settings">
<span id="id9"></span><h4>Terminal display settings<a class="headerlink" href="#terminal-display-settings" title="Link to this heading"></a></h4>
<p>Guacamole’s terminal emulator (used by SSH, telnet, and Kubernetes support)
provides options for configuring the font used and its size. In this case, <em>the
chosen font must be installed on the server</em>, as it is the server that will
handle rendering of characters to the terminal display, not the client.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">color-scheme</span></code></dt><dd><p>The color scheme to use for the terminal session. It consists of a
semicolon-separated series of name-value pairs. Each name-value pair is
separated by a colon and assigns a value to a color in the terminal
emulator palette. For example, to use blue text on white background by
default, and change the red color to a purple shade, you would specify:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>foreground: rgb:00/00/ff;
background: rgb:ff/ff/ff;
color9: rgb:80/00/80
</pre></div>
</div>
<p>This format is similar to the color configuration format used by Xterm, so
Xterm color configurations can be easily adapted for Guacamole. This
parameter is optional. If not specified, Guacamole will render text as
gray over a black background.</p>
<p>Possible color names are:</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">foreground</span></code></dt><dd><p>Set the default foreground color.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">background</span></code></dt><dd><p>Set the default background color.</p>
</dd>
<dt><code class="samp docutils literal notranslate"><span class="pre">color</span><em><span class="pre">N</span></em></code></dt><dd><p>Set the color at index <code class="docutils literal notranslate"><span class="pre">N</span></code> on the Xterm 256-color palette. For example,
<code class="docutils literal notranslate"><span class="pre">color9</span></code> refers to the red color.</p>
</dd>
</dl>
<p>Possible color values are:</p>
<dl class="simple myst">
<dt><code class="samp docutils literal notranslate"><span class="pre">rgb:</span><em><span class="pre">RR</span></em><span class="pre">/</span><em><span class="pre">GG</span></em><span class="pre">/</span><em><span class="pre">BB</span></em></code></dt><dd><p>Use the specified color in RGB format, with each component in
hexadecimal. For example, <code class="docutils literal notranslate"><span class="pre">rgb:ff/00/00</span></code> specifies the color red. Note
that each hexadecimal component can be one to four digits, but the
effective values are always zero-extended or truncated to two digits;
for example, <code class="docutils literal notranslate"><span class="pre">rgb:f/8/0</span></code>, <code class="docutils literal notranslate"><span class="pre">rgb:f0/80/00</span></code>, and <code class="docutils literal notranslate"><span class="pre">rgb:f0f/808/00f</span></code> all
refer to the same effective color.</p>
</dd>
<dt><code class="samp docutils literal notranslate"><span class="pre">color</span><em><span class="pre">N</span></em></code></dt><dd><p>Use the color currently assigned to index <code class="docutils literal notranslate"><span class="pre">N</span></code> on the Xterm 256-color
palette. For example, <code class="docutils literal notranslate"><span class="pre">color9</span></code> specifies the current red color. Note
that the color value is used rather than the color reference, so if
<code class="docutils literal notranslate"><span class="pre">color9</span></code> is changed later in the color scheme configuration, that new
color will not be reflected in this assignment.</p>
</dd>
</dl>
<p>For backward compatibility, Guacamole will also accept four special values as
the color scheme parameter:</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">black-white</span></code></dt><dd><p>Black text over a white background.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">gray-black</span></code></dt><dd><p>Gray text over a black background. This is the default color scheme.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">green-black</span></code></dt><dd><p>Green text over a black background.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">white-black</span></code></dt><dd><p>White text over a black background.</p>
</dd>
</dl>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">font-name</span></code></dt><dd><p>The name of the font to use. This parameter is optional. If not specified,
the default of “monospace” will be used instead.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">font-size</span></code></dt><dd><p>The size of the font to use, in points. This parameter is optional. If not
specified, the default of 12 will be used instead.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">scrollback</span></code></dt><dd><p>The maximum number of rows to allow within the terminal scrollback buffer.
This parameter is optional. If not specified, the scrollback buffer will
be limited to a maximum of 1000 rows.</p>
</dd>
</dl>
</section>
<section id="wake-on-lan">
<span id="id10"></span><h4>Wake-on-LAN<a class="headerlink" href="#wake-on-lan" title="Link to this heading"></a></h4>
<p>Guacamole implements the support to send a “magic wake-on-lan packet” to a
remote host prior to attempting to establish a connection with the host. The
below parameters control the behavior of this functionality, which is disabled
by default.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>There are several factors that can impact the ability of Wake-on-LAN (WoL) to
function correctly, many of which are outside the scope of Guacamole
configuration. If you are configuring WoL within Guacamole you should also be
familiar with the other components that need to be configured in order for it
to function correctly.</p>
</div>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">wol-send-packet</span></code></dt><dd><p>If set to “true”, Guacamole will attempt to send the Wake-On-LAN packet
prior to establishing a connection. This parameter is optional. By
default, Guacamole will not send the WoL packet. Enabling this option
requires that the <code class="docutils literal notranslate"><span class="pre">wol-mac-addr</span></code> parameter also be configured, otherwise
the WoL packet will not be sent.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">wol-mac-addr</span></code></dt><dd><p>This parameter configures the MAC address that Guacamole will use in the
magic WoL packet to attempt to wake the remote system. If
<code class="docutils literal notranslate"><span class="pre">wol-send-packet</span></code> is enabled, this parameter is required or else the WoL
packet will not be sent.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">wol-broadcast-addr</span></code></dt><dd><p>This parameter configures the IPv4 broadcast address or IPv6 multicast
address that Guacamole will send the WoL packet to in order to wake the
host. This parameter is optional. If no value is provided, the default
local IPv4 broadcast address (255.255.255.255) will be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">wol-udp-port</span></code></dt><dd><p>This parameter configures the UDP port that will be set in the WoL packet.
In most cases the UDP port isn’t processed by the system that will be
woken up; however, there are certain cases where it is useful for the port
to be set, as in situations where a router is listening for the packet and
can make routing decisions depending upon the port that is used. If not
configured the default UDP port 9 will be used.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">wol-wait-time</span></code></dt><dd><p>By default after the WoL packet is sent Guacamole will attempt immediately
to connect to the remote host. It may be desirable in certain scenarios to
have Guacamole wait before the initial connection in order to give the
remote system time to boot. Setting this parameter to a positive value
will cause Guacamole to wait the specified number of seconds before
attempting the initial connection. This parameter is optional.</p>
</dd>
</dl>
</section>
</section>
<section id="parameter-tokens">
<span id="id11"></span><h3>Parameter tokens<a class="headerlink" href="#parameter-tokens" title="Link to this heading"></a></h3>
<p>The values of connection parameters can contain “tokens” which will be replaced
by Guacamole when used. These tokens allow the values of connection parameters
to vary dynamically by the user using the connection, and provide a simple
means of forwarding authentication information without storing that information
in the connection configuration itself, so long as the remote desktop
connection uses the same credentials as Guacamole.</p>
<p>Each token is of the form <code class="samp docutils literal notranslate"><span class="pre">${</span><em><span class="pre">TOKEN_NAME</span></em><span class="pre">}</span></code> or
<code class="samp docutils literal notranslate"><span class="pre">${</span><em><span class="pre">TOKEN_NAME</span></em><span class="pre">:</span><em><span class="pre">MODIFIER</span></em><span class="pre">}</span></code>, where <code class="docutils literal notranslate"><span class="pre">TOKEN_NAME</span></code> is some descriptive
name for the value the token represents, and the optional <code class="docutils literal notranslate"><span class="pre">MODIFIER</span></code> is one of
the modifiers documented below to dynamically modify the token. Tokens with no
corresponding value will never be replaced, but should you need such text
within your connection parameters, and wish to guarantee that this text will
not be replaced with a token value, you can escape the token by adding an
additional leading “$”, as in “<code class="samp docutils literal notranslate"><span class="pre">$${</span><em><span class="pre">TOKEN_NAME</span></em><span class="pre">}</span></code>”.</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">${GUAC_USERNAME}</span></code></dt><dd><p>The username of the current Guacamole user. When a user accesses a
connection, this token will be dynamically replaced with the username they
provided when logging in to Guacamole.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">${GUAC_PASSWORD}</span></code></dt><dd><p>The password of the current Guacamole user. When a user accesses a
connection, this token will be dynamically replaced with the password they
used when logging in to Guacamole.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">${GUAC_CLIENT_ADDRESS}</span></code></dt><dd><p>The IPv4 or IPv6 address of the current Guacamole user. This will be the
address of the client side of the HTTP connection to the Guacamole server
at the time the current user logged in.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">${GUAC_CLIENT_HOSTNAME}</span></code></dt><dd><p>The hostname of the current Guacamole user. This will be the hostname of
the client side of the HTTP connection to the Guacamole server at the time
the current user logged in. If no such hostname can be determined, the
IPv4 or IPv6 address will be used instead, and this token will be
equivalent to <code class="docutils literal notranslate"><span class="pre">${GUAC_CLIENT_ADDRESS}</span></code>.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">${GUAC_DATE}</span></code></dt><dd><p>The current date in the local time zone of the Guacamole server. This will
be written in “YYYYMMDD” format, where “YYYY” is the year, “MM” is the
month number, and “DD” is the day of the month, all zero-padded. When a
user accesses a connection, this token will be dynamically replaced with
the date that the connection began.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">${GUAC_TIME}</span></code></dt><dd><p>The current time in the local time zone of the Guacamole server. This will
be written in “HHMMSS” format, where “HH” is hours in 24-hour time, “MM”
is minutes, and “SS” is seconds, all zero-padded. When a user accesses a
connection, this token will be dynamically replaced with the time that the
connection began.</p>
</dd>
</dl>
<p>Note that these tokens are replaced dynamically each time a connection is used.
If two different users access the same connection at the same time, both users
will be connected independently of each other using different sets of
connection parameters.</p>
<section id="token-modifiers">
<h4>Token modifiers<a class="headerlink" href="#token-modifiers" title="Link to this heading"></a></h4>
<p>At times it can be useful to use the value provided by a token, but with slight
modifications. These modifers are optionally specified at the end of the token,
separated from the token name by a colon (<code class="docutils literal notranslate"><span class="pre">:</span></code>), in the format
<code class="samp docutils literal notranslate"><span class="pre">${</span><em><span class="pre">TOKEN_NAME</span></em><span class="pre">:</span><em><span class="pre">MODIFIER</span></em><span class="pre">}</span></code>. The following modifiers are currently
supported:</p>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">LOWER</span></code></dt><dd><p>Convert the entire value of the token to lower-case. This can be useful in
situations where users log in to Guacamole with a mixed-case username, but
a remote system requires the username be lower-case.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">UPPER</span></code></dt><dd><p>Convert the entire value of the token to upper-case.</p>
</dd>
</dl>
</section>
<section id="extension-specific-tokens">
<span id="extension-tokens"></span><h4>Extension-specific tokens<a class="headerlink" href="#extension-specific-tokens" title="Link to this heading"></a></h4>
<p>Each extension can also implement its own arbitrary tokens that can
dynamically fill in values provided by the extension. Within these
extensions, attribute names are canonicalized into a standard format
that consists of all capital letters separated by underscores.</p>
<section id="cas-extension-tokens">
<span id="cas-tokens"></span><h5>CAS Extension Tokens<a class="headerlink" href="#cas-extension-tokens" title="Link to this heading"></a></h5>
<p>The CAS extension will read attributes provided by the CAS server when a user
is authenticated and will make those attributes available as tokens. The CAS
server must be specifically configured to release certain attributes to the
client (Guacamole), and configuration of that is outside the scope of this
document. Any attribute that the CAS server is configured to release should be
available to Guacamole as a token for use within a connection. The token name
will be prepended with the <code class="docutils literal notranslate"><span class="pre">CAS_</span></code> prefix. A CAS server configured to release
attributes <code class="docutils literal notranslate"><span class="pre">firstname</span></code>, <code class="docutils literal notranslate"><span class="pre">lastname</span></code>, <code class="docutils literal notranslate"><span class="pre">email</span></code>, and <code class="docutils literal notranslate"><span class="pre">mobile</span></code> would produce the
following tokens:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">${CAS_FIRSTNAME}</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">${CAS_LASTNAME}</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">${CAS_EMAIL}</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">${CAS_MOBILE}</span></code></p></li>
</ul>
</section>
<section id="ldap-extension-tokens">
<span id="ldap-tokens"></span><h5>LDAP Extension Tokens<a class="headerlink" href="#ldap-extension-tokens" title="Link to this heading"></a></h5>
<p>The LDAP extension will read user attributes provided by the LDAP server and
specified in the <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> file. The attributes retrieved for a
user are configured using the <code class="docutils literal notranslate"><span class="pre">ldap-user-attributes</span></code> parameter. The user must
be able to read the attribute values from their own LDAP object. The token name
will be prepended with the <code class="docutils literal notranslate"><span class="pre">LDAP_</span></code> prefix. As an example, configuring the
following line in <code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code>:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>ldap-user-attributes: cn, givenName, sn, mobile, mail
</pre></div>
</div>
<p>will produce the below tokens that can be used in connection parameters:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">${LDAP_CN}</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">${LDAP_GIVENNAME}</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">${LDAP_SN}</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">${LDAP_MOBILE}</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">${LDAP_MAIL}</span></code></p></li>
</ul>
</section>
</section>
</section>
<section id="parameter-prompting">
<h3>Parameter prompting<a class="headerlink" href="#parameter-prompting" title="Link to this heading"></a></h3>
<p>In certain situations Guacamole may determine that additional information is
required in order to successfully open or continue a connection. In these
scenarios guacd will send an instruction back to the client to retrieve that
information, which will result in the user being prompted for those additional
parameters.</p>
<p>Currently the only parameters that will trigger this prompt to the user are
authentication requests for the RDP and VNC protocols where authenticators were
not provided as part of the connection configuration.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>It is important to note that requests for parameters will only be generated in
the case where that information has not already been provided as part of the
connection. <strong>The user will never be asked for parameters that replace or
override connection parameters where values have been provided</strong>, including
authentication information.</p>
<p>For example, if the configuration of a connection to a RDP server specifies a
username and password, and that username or password is incorrect and results
in an authentication failure, Guacamole will not prompt the user for additional
credentials. For RDP servers where NLA is enforced, this will result in a
connection failure. Other RDP servers may behave differently and give the user
the ability to try other credentials, but this is outside the control of
Guacamole - <strong>Guacamole will not override pre-configured authentication values
with input from the user</strong>.</p>
</div>
</section>
</section>
<section id="configuring-guacd">
<span id="guacd-conf"></span><h2>Configuring guacd<a class="headerlink" href="#configuring-guacd" title="Link to this heading"></a></h2>
<section id="id12">
<h3><code class="docutils literal notranslate"><span class="pre">guacd.conf</span></code><a class="headerlink" href="#id12" title="Link to this heading"></a></h3>
<p>guacd is configured with a configuration file called <code class="docutils literal notranslate"><span class="pre">guacd.conf</span></code>, by
default located in <code class="docutils literal notranslate"><span class="pre">/etc/guacamole</span></code>. This file follows a simple,
INI-like format:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>#
# guacd configuration file
#
[daemon]
pid_file = /var/run/guacd.pid
log_level = info
[server]
bind_host = localhost
bind_port = 4822
#
# The following parameters are valid only if
# guacd was built with SSL support.
#
[ssl]
server_certificate = /etc/ssl/certs/guacd.crt
server_key = /etc/ssl/private/guacd.key
</pre></div>
</div>
<p>Configuration options are given as parameter/value pairs, where the name of the
parameter is specified on the left side of an “<code class="docutils literal notranslate"><span class="pre">=</span></code>”, and the value is specified
on the right. Each parameter must occur within a proper section, indicated by a
section name within brackets. The names of these sections are important; it is
the pairing of a section name with a parameter that constitutes the
fully-qualified parameter being set.</p>
<p>For the sake of documentation and readability, comments can be added anywhere
within guacd.conf using “<code class="docutils literal notranslate"><span class="pre">#</span></code>” symbols. All text following a “<code class="docutils literal notranslate"><span class="pre">#</span></code>” until
end-of-line will be ignored.</p>
<p>If you need to include special characters within the value of a parameter, such
as whitespace or any of the above symbols, you can do so by placing the
parameter within double quotes:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>[ssl]
# Whitespace is legal within double quotes ...
server_certificate = "/etc/ssl/my certs/guacd.crt"
# ... as are other special symbols
server_key = "/etc/ssl/#private/guacd.key"
</pre></div>
</div>
<p>Note that even within double quotes, some characters still have special
meaning, such as the double quote itself or newline characters. If you need to
include these, they must be “escaped” with a backslash:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span># Parameter value containing a double quote
parameter = "some\"value"
# Parameter value containing newline characters
parameter2 = "line1\
line2\
line3"
# Parameter value containing backslashes
parameter3 = "c:\\windows\\path\\to\\file.txt"
</pre></div>
</div>
<p>Don’t worry too much about the more complex formatting examples - they are only
rarely necessary, and guacd will complain with parsing errors if the
configuration file is somehow invalid. To ensure parameter values are entered
correctly, just follow the following guidelines:</p>
<ol class="arabic simple">
<li><p>If the value contains no special characters, just include it as-is.</p></li>
<li><p>If the value contains any special characters (whitespace, newlines, <code class="docutils literal notranslate"><span class="pre">#</span></code>,
<code class="docutils literal notranslate"><span class="pre">\</span></code>, or <code class="docutils literal notranslate"><span class="pre">"</span></code>), enclose the entire value within double quotes.</p></li>
<li><p>If the value is enclosed within double quotes, escape newlines, <code class="docutils literal notranslate"><span class="pre">\</span></code>, and <code class="docutils literal notranslate"><span class="pre">"</span></code>
with a backslash.</p></li>
</ol>
<section id="daemon-section">
<span id="guacd-conf-daemon"></span><h4><code class="docutils literal notranslate"><span class="pre">[daemon]</span></code> section<a class="headerlink" href="#daemon-section" title="Link to this heading"></a></h4>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">pid_file</span></code></dt><dd><p>The name of the file in which the PID of the main guacd process should be
written. This is mainly needed for startup scripts, which need to monitor
the state of guacd, killing it if necessary. If this parameter is
specified, the user running guacd must have sufficient permissions to
create or modify the specified file, or startup will fail.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">log_level</span></code></dt><dd><p>The maximum level at which guacd will log messages to syslog and, if
running in the foreground, the console. If omitted, the default level of
<code class="docutils literal notranslate"><span class="pre">info</span></code> will be used.</p>
<p>Legal values are <code class="docutils literal notranslate"><span class="pre">trace</span></code>, <code class="docutils literal notranslate"><span class="pre">debug</span></code>, <code class="docutils literal notranslate"><span class="pre">info</span></code>, <code class="docutils literal notranslate"><span class="pre">warning</span></code>, and <code class="docutils literal notranslate"><span class="pre">error</span></code>.</p>
</dd>
</dl>
</section>
<section id="server-section">
<span id="guacd-conf-server"></span><h4><code class="docutils literal notranslate"><span class="pre">[server]</span></code> section<a class="headerlink" href="#server-section" title="Link to this heading"></a></h4>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">bind_host</span></code></dt><dd><p>The host that guacd should bind to when listening for connections. If
unspecified, guacd will bind to localhost, and only connections from
within the server hosting guacd will succeed.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">bind_port</span></code></dt><dd><p>The port that guacd should bind to when listening for connections. If
unspecified, port 4822 will be used.</p>
</dd>
</dl>
</section>
<section id="ssl-section">
<span id="guacd-conf-ssl"></span><h4><code class="docutils literal notranslate"><span class="pre">[ssl]</span></code> section<a class="headerlink" href="#ssl-section" title="Link to this heading"></a></h4>
<dl class="simple myst">
<dt><code class="docutils literal notranslate"><span class="pre">server_certificate</span></code></dt><dd><p>The filename of the certificate to use for SSL encryption of the Guacamole
protocol. If this option is specified, SSL encryption will be enabled, and
the Guacamole web application will need to be configured within
<code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> to use SSL as well.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">server_key</span></code></dt><dd><p>The filename of the private key to use for SSL encryption of the Guacamole
protocol. If this option is specified, SSL encryption will be enabled, and
the Guacamole web application will need to be configured within
<code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> to use SSL as well.</p>
</dd>
</dl>
</section>
</section>
<section id="command-line-options">
<h3>Command-line options<a class="headerlink" href="#command-line-options" title="Link to this heading"></a></h3>
<p>You can also affect the configuration of guacd with command-line
options. If given, these options take precendence over the system-wide
configuration file:</p>
<dl class="simple myst">
<dt><code class="samp docutils literal notranslate"><span class="pre">-b</span> <em><span class="pre">HOST</span></em></code></dt><dd><p>Changes the host or address that guacd listens on.</p>
<p>This corresponds to the <code class="docutils literal notranslate"><span class="pre">bind_host</span></code> parameter within the <a class="reference internal" href="#guacd-conf-server"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">[server]</span></code> section
of <code class="docutils literal notranslate"><span class="pre">guacd.conf</span></code></span></a>.</p>
</dd>
<dt><code class="samp docutils literal notranslate"><span class="pre">-l</span> <em><span class="pre">PORT</span></em></code></dt><dd><p>Changes the port that guacd listens on (the default is port 4822).</p>
<p>This corresponds to the <code class="docutils literal notranslate"><span class="pre">bind_port</span></code> parameter within the <a class="reference internal" href="#guacd-conf-server"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">[server]</span></code> section
of <code class="docutils literal notranslate"><span class="pre">guacd.conf</span></code></span></a>.</p>
</dd>
<dt><code class="samp docutils literal notranslate"><span class="pre">-p</span> <em><span class="pre">PIDFILE</span></em></code></dt><dd><p>Causes guacd to write the PID of the daemon process to the specified file.
This is useful for init scripts and is used by the provided init script.</p>
<p>This corresponds to the <code class="docutils literal notranslate"><span class="pre">pid_file</span></code> parameter within the <a class="reference internal" href="#guacd-conf-daemon"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">[daemon]</span></code> section
of <code class="docutils literal notranslate"><span class="pre">guacd.conf</span></code></span></a>.</p>
</dd>
<dt><code class="samp docutils literal notranslate"><span class="pre">-L</span> <em><span class="pre">LEVEL</span></em></code></dt><dd><p>Sets the maximum level at which guacd will log messages to syslog and, if
running in the foreground, the console. Legal values are <code class="docutils literal notranslate"><span class="pre">trace</span></code>, <code class="docutils literal notranslate"><span class="pre">debug</span></code>,
<code class="docutils literal notranslate"><span class="pre">info</span></code>, <code class="docutils literal notranslate"><span class="pre">warning</span></code>, and <code class="docutils literal notranslate"><span class="pre">error</span></code>. The default value is <code class="docutils literal notranslate"><span class="pre">info</span></code>.</p>
<p>This corresponds to the <code class="docutils literal notranslate"><span class="pre">log_level</span></code> parameter within the <a class="reference internal" href="#guacd-conf-daemon"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">[daemon]</span></code> section
of <code class="docutils literal notranslate"><span class="pre">guacd.conf</span></code></span></a>.</p>
</dd>
<dt><code class="docutils literal notranslate"><span class="pre">-f</span></code></dt><dd><p>Causes guacd to run in the foreground, rather than automatically forking
into the background.</p>
</dd>
</dl>
<p>If guacd was built with support for SSL, data sent via the Guacamole protocol
can be encrypted with SSL if an SSL certificate and private key are given with
the following options:</p>
<dl class="simple myst">
<dt><code class="samp docutils literal notranslate"><span class="pre">-C</span> <em><span class="pre">CERTIFICATE</span></em></code></dt><dd><p>The filename of the certificate to use for SSL encryption of the Guacamole
protocol. If this option is specified, SSL encryption will be enabled, and
the Guacamole web application will need to be configured within
<code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> to use SSL as well.</p>
<p>This corresponds to the <code class="docutils literal notranslate"><span class="pre">server_certificate</span></code> parameter within the <a class="reference internal" href="#guacd-conf-ssl"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">[ssl]</span></code>
section of <code class="docutils literal notranslate"><span class="pre">guacd.conf</span></code></span></a>.</p>
</dd>
<dt><code class="samp docutils literal notranslate"><span class="pre">-K</span> <em><span class="pre">KEY</span></em></code></dt><dd><p>The filename of the private key to use for SSL encryption of the Guacamole
protocol. If this option is specified, SSL encryption will be enabled, and
the Guacamole web application will need to be configured within
<code class="docutils literal notranslate"><span class="pre">guacamole.properties</span></code> to use SSL as well.</p>
<p>This corresponds to the <code class="docutils literal notranslate"><span class="pre">server_key</span></code> parameter within the <a class="reference internal" href="#guacd-conf-ssl"><span class="std std-ref"><code class="docutils literal notranslate"><span class="pre">[ssl]</span></code> section of
<code class="docutils literal notranslate"><span class="pre">guacd.conf</span></code></span></a>.</p>
</dd>
</dl>
</section>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="reverse-proxy.html" class="btn btn-neutral float-left" title="Proxying Guacamole" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="jdbc-auth.html" class="btn btn-neutral float-right" title="Database authentication" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>Copyright © 2024 <a href="http://www.apache.org/">The Apache Software Foundation</a>,
Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
Apache Guacamole, Guacamole, Apache, the Apache feather logo, and the Apache Guacamole project logo are
trademarks of The Apache Software Foundation.</p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>