On Mon, Sep 27, 2021 at 9:29 AM Stratton, Craig <[email protected]> wrote:
> Hi Mike, Nick,
>
> Running out of ideas now, at least until the Firewall vendor responds to
> my support case.
>
> I have set the enable-websocket: false and also now changed Tomcat to SSL
> support, as shown in this syslog entry:
>
> "Sep 27 15:50:33 psmguc01 tomcat9[142913]: 15:50:33.634 [https-openssl-nio-8443-exec-15] INFO o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal."
>
> Still no joy, am in the same boat.
>
> ...
>
> I have the Catalina log entry from 2 connection attempts, and even
> though WebSocket is disabled, it seems the first connection attempt still
> tries to use it.

There is no "enable-websocket" property and attempting to set it will have no effect. You'll see some references to that property in ancient documentation for versions of Guacamole back when WebSocket was still considered experimental, but this has not been the case for years. WebSocket is always enabled.

If your firewall vendor can help correct things such that WebSocket works, that would be the best path forward. If you want to block WebSocket entirely for now to attempt to work around the firewall issues, you can set up a reverse proxy and configure that proxy to explicitly block access to the WebSocket tunnel.

For example, Apache HTTPD normally has to be manually configured to handle WebSocket traffic for Guacamole's WebSocket tunnel:

http://guacamole.apache.org/doc/gug/proxying-guacamole.html#websocket-and-apache

If you alter that to instead return 404, or set up a different reverse proxy like Nginx and configure it to do the same, you will block WebSocket.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.
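
The Nginx variant of the workaround described in the reply above, as an added example that is not part of the original message or the Guacamole documentation. It assumes Guacamole is deployed under /guacamole/ and that Tomcat is reachable at the placeholder HOSTNAME:8080; adjust both to the actual deployment.

```nginx
# Added example; HOSTNAME:8080 and the /guacamole/ context path are assumed placeholders.
# These blocks go inside the relevant server { } block.

# Answer 404 for the WebSocket tunnel so it is never reachable through the proxy.
# Nginx picks the longest matching prefix, so this location takes precedence
# over the broader /guacamole/ location below.
location /guacamole/websocket-tunnel {
    return 404;
}

# Everything else under /guacamole/, including the HTTP tunnel, is proxied to Tomcat.
location /guacamole/ {
    proxy_pass http://HOSTNAME:8080;
    proxy_buffering off;              # tunnel responses are streamed, do not buffer them
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Upgrade/Connection headers are deliberately not forwarded here,
    # so no WebSocket handshake is passed on to Tomcat.
}
```

After reloading Nginx, a request for /guacamole/websocket-tunnel through the proxy should come back 404 while the rest of /guacamole/ loads normally.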
