RDP, VNC, SSH Access through GlobalProtect Clientless VPN

Created On 09/25/18 18:55 PM - Last Modified 05/28/21 21:10 PM


Symptom
GlobalProtect Clientless VPN supports access to remote desktops (RDP), VNC, or SSH. This document explains how to enable your existing virtual or remote terminal applications with GlobalProtect Clientless VPN to provide RDP, VNC, or SSH access.

Environment
  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • GlobalProtect Clientless VPN


Resolution

Enabling RDP / VNC / SSH access

To enable remote desktop access through Clientless VPN, configure the virtual and/or terminal services environment that you already use in your enterprise to translate the RDP / VNC / SSH protocol on the back end into one of the web technologies that Clientless VPN supports on the front end, and publish it as a Clientless VPN application for your end users. Web technologies supported by Clientless VPN include HTML, HTML5, and HTML5-Web-Sockets.

The following videos demonstrate common virtual and/or terminal services environments published as a Clientless VPN application for users to access RDP, VNC, or SSH.

VMware Horizon with HTML5 support

VMware Horizon allows enterprise administrators to run remote desktops and applications in their data center and deliver these as managed services to end users wherever they are. VMware Horizon with HTML5 access is needed to work with GlobalProtect Clientless VPN. For more details on VMware Horizon and configuration notes on using HTML5 access with VMware Horizon, refer here and here.

VMware vSphere and vCenter with HTML5 support

VMware vSphere and vCenter allow enterprise administrators to centrally manage VMware virtual infrastructure. vSphere 6.5 provides support for HTML5 web-based access to vCenter Server. As long as vSphere and vCenter Server support HTML5-based access, they can be accessed using GlobalProtect Clientless VPN. For more details on vSphere Client, refer here.

Citrix XenDesktop (or XenApp) VDI

To enable users to access the Citrix environment securely and remotely through GlobalProtect Clientless VPN, the Citrix deployment should be configured to support the HTML5-based Receiver. The HTML5-based Receiver uses secure WebSockets for remote connections to Virtual Delivery Agents (VDAs). This allows users to access published desktops and applications from a browser without installing any additional plugins or software on the user's machine. For more information on how to configure a Citrix environment with the HTML5 Receiver, refer here.

Thinfinity Workstation 

Thinfinity Remote Desktop Server allows users to securely access remote Windows desktops and applications from any device with an HTML5 compatible browser. GlobalProtect Clientless VPN can provide RDP access to Windows desktops using Thinfinity. For more details on Thinfinity, refer here.

Guacamole

Use Apache Guacamole to help provide VNC, SSH and RDP access through Clientless VPN.

Apache Guacamole is a clientless remote desktop gateway. It supports standard RDP, VNC and SSH protocols and uses HTML5 to deliver access to the end user. For more details on Apache Guacamole, refer here.

The instructions below are for setting up Guacamole on an Ubuntu machine.

1. Get all updates for your Ubuntu machine

  • sudo apt-get update

 

2. Install all required dependencies for your Ubuntu machine

  • sudo apt-get install libcairo2-dev libjpeg62-dev libpng12-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat7 tomcat7-admin tomcat7-user

 

3. Download and configure Guacamole Server

4. Download and configure Guacamole Client
  1. cd /var/lib/tomcat7/

  2. sudo wget http://sourceforge.net/projects/guacamole/files/current/binary/guacamole-0.9.9.war

  3. sudo mv guacamole-0.9.9.war guacamole.war

  4. sudo mkdir /etc/guacamole

  5. sudo mkdir /usr/share/tomcat7/.guacamole

  6. cd /etc/guacamole/

  7. sudo vi guacamole.properties

    • guacd-hostname: localhost

    • guacd-port: 4822

    • user-mapping: /etc/guacamole/user-mapping.xml

    • auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

    • basic-user-mapping: /etc/guacamole/user-mapping.xml

  8. sudo ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole/

  9. sudo vi user-mapping.xml


  10. sudo chmod 600 /etc/guacamole/user-mapping.xml

  11. sudo chown tomcat7:tomcat7 /etc/guacamole/user-mapping.xml

  12. cd /var/lib/tomcat7/

  13. sudo cp guacamole.war webapps/.

 

5. Start Guacamole

  • sudo service tomcat7 start
  • sudo /usr/local/sbin/guacd &
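
A check for the user-mapping.xml steps above (create the file, chmod 600, chown to tomcat7), added here as an example and not code from Palo Alto Networks or the Guacamole project: it audits the file for plaintext login passwords and embedded backend secrets, and confirms no group or other permission bits are set. The sample XML, user names, addresses and function names are constructed for illustration; it assumes the Guacamole file-authentication format in which `encoding="md5"` marks a hashed login password.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the article: one plaintext login, one MD5 login.
SAMPLE_MAPPING = """\
<user-mapping>
  <authorize username="alice" password="example-plaintext">
    <protocol>ssh</protocol>
    <param name="hostname">10.0.0.10</param>
    <param name="port">22</param>
  </authorize>
  <authorize username="bob" password="5f4dcc3b5aa765d61d8327deb882cf99" encoding="md5">
    <connection name="win-desktop">
      <protocol>rdp</protocol>
      <param name="hostname">10.0.0.20</param>
      <param name="password">example-rdp-secret</param>
    </connection>
  </authorize>
</user-mapping>
"""

def audit_mapping(xml_text):
    """Return (username, issue) findings for a user-mapping.xml document."""
    findings = []
    for auth in ET.fromstring(xml_text).iter("authorize"):
        user = auth.get("username", "?")
        # Assumption: anything other than encoding="md5" means the password is stored as-is.
        if auth.get("encoding", "plain").lower() != "md5":
            findings.append((user, "login password stored in plaintext"))
        # Backend credentials in <param> are readable by anyone who can read the file.
        for param in auth.iter("param"):
            if param.get("name") in ("password", "private-key", "passphrase"):
                findings.append((user, "backend secret in param '%s'" % param.get("name")))
    return findings

def audit_file_mode(path):
    """Flag any group/other permission bits; the article sets mode 600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode & 0o077 == 0 else ["%s has mode %o, expected 600" % (path, mode)]

if __name__ == "__main__":
    for user, issue in audit_mapping(SAMPLE_MAPPING):
        print(user, "-", issue)
```

On the Guacamole host, pass the contents of /etc/guacamole/user-mapping.xml to `audit_mapping` and the path to `audit_file_mode`; reading the file requires root or the tomcat7 account once mode 600 is applied.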

