Keeper Connection Manager

© 2025 Keeper Security, Inc.


Guest Mode

Providing access to connections without authentication


Last updated 5 months ago


Overview

In certain scenarios, it may be necessary to provide controlled and restricted internet access to users, such as students in an educational environment. This guide demonstrates how to achieve this using Keeper Connection Manager (KCM) with "Guest Mode" and remote browser isolation.

In this example implementation, we will configure web browsing access for users, limiting it to a predefined set of approved websites for students. Users will be presented with a custom "home page" that allows them to choose from these approved websites. This approach is particularly valuable in environments where full internet access is not permitted, such as classrooms or exam settings.

Example Site: https://guest-mode-demo.com

Using Keeper Connection Manager for this purpose offers significant advantages over traditional methods like firewall-based restrictions. These include:

  • Session Monitoring: All browsing sessions can be fully recorded for auditing and accountability.

  • Ease of Access: Users can connect seamlessly without requiring additional software on their devices.

  • Device Agnostic: The version or type of browser on the user's device does not impact functionality.

  • Enhanced Security: The device is shielded from data exfiltration, malicious sites, and potential manipulation through the use of isolated browsing sessions.

This guide provides step-by-step instructions for setting up this controlled browsing environment on a dedicated KCM instance, tailored to meet the needs of educational institutions and similar use cases.

Prerequisites

To set up Guest Mode, this guide assumes the following:

  • You have installed KCM on an instance using the Auto Docker Install method as documented

  • You have assigned a DNS name and set up SSL with Let's Encrypt or another method

  • You're able to log in to Keeper Connection Manager as guacadmin

In this example, we'll be setting up the demo site https://guest-mode-demo.com.

Activating Guest Mode

To activate the Guest Mode feature, follow the steps below.

  • Build the Guest Mode Extension

  • Configure Default Connection

  • Modify Docker Compose

  • Upload Extension Jar

  • Update the Containers

Build the Guest Mode Extension

The guest mode source code for KCM is published on GitHub in the Keeper-Security/kcm-auth-guest repository.

Download the .zip or clone the Git repository to your workstation (or server).

Ensure you have a recent version of Java 17 installed:

$ java -version

openjdk version "17.0.13" 2024-10-15 LTS
OpenJDK Runtime Environment Corretto-17.......
OpenJDK 64-Bit Server VM Corretto-17......

If you don't have Java installed, we recommend using Amazon Corretto and following their installation instructions for your environment.

In the terminal, navigate to the repo location and build with Maven. If you don't have Maven installed, use this command (on a Mac):

brew install maven

From the repo folder, build the Jar file:

mvn clean package

The resulting jar file is written to the target folder inside the repo folder, as the build output shows:

[INFO] Building jar: /Path/to/kcm-auth-guest-main/target/kcm-auth-guest-1.5.2-2.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  22.350 s
[INFO] Finished at: 2025-01-19T07:58:48-08:00
[INFO] ------------------------------------------------------------------------

Save the package kcm-auth-guest-1.5.2-2.jar for the next steps.

Configure Default Connection

Log in to Keeper Connection Manager as the "guacadmin" user, or any other admin user account.

Under Settings > Connections, create a Remote Browser Isolation connection.

Set up the Hostname with the URL of the landing page. In this case, we'll set it to https://lurey.com/demo.html. This page contains some basic HTML with links into the various allowed sites.

If session recording is desired, fill out the Recording Path with the value of ${HISTORY_PATH}/${HISTORY_UUID} and save the connection details.

Save the connection.

Next, create a Group called "guests" which is assigned to the connection.

In the Connections section, assign the group to the desired connection.

Modify Docker Compose

Add the following changes to the guacamole section of your Docker Compose file located in /etc/kcm-setup/docker-compose.yml.

  • Add ADDITIONAL_GUACAMOLE_PROPERTIES to the guacamole environment section.

  • Replace XX.XX.XX.XX with an IP address that will be considered "admin" and excluded from guest mode. This address is used when changes are needed to the KCM configuration.

  • Add the volume mount for the KCM Auth Guest plugin, built in the first step.

    guacamole:
        ...
        environment:
            ADDITIONAL_GUACAMOLE_PROPERTIES: "kcm-non-guest-networks:XX.XX.XX.XX"
        volumes:
            - "/etc/kcm-setup/kcm-auth-guest-1.5.2-2.jar:/etc/guacamole/extensions/kcm-auth-guest-1.5.2-2.jar:ro"

Note:

kcm-non-guest-networks represents a comma-separated list of all IP addresses and/or subnets (CIDR notation) that should not be considered guest users. If omitted, absolutely all users will be considered guest users.

If you don't want "guests" to be the default group name, this can be customized by adding another guacamole property called kcm-guest-group. If omitted, the default group name guests will be used.
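
A pre-deployment check for the kcm-non-guest-networks value described in the note above, written in Python. It is an added example, not code from Keeper or from the kcm-auth-guest extension; the function names, the sample addresses and the choice to reject entries with host bits set are assumptions made here.

```python
import ipaddress

def parse_non_guest_networks(value):
    """Parse a kcm-non-guest-networks value: comma-separated IPs and/or CIDRs.

    Returns (networks, errors). Host-bit typos such as 10.0.0.5/24 are
    reported as errors (a choice of this checker, not documented behaviour).
    """
    networks, errors = [], []
    for raw in (value or "").split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
    return networks, errors

def is_guest(client_ip, networks):
    """True when client_ip falls outside every non-guest network."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr.version == n.version and addr in n for n in networks)

def review(value, admin_ips, guest_ips):
    """Return findings for a proposed value; an empty list means it is sane."""
    networks, errors = parse_non_guest_networks(value)
    findings = [f"invalid entry {e}" for e in errors]
    if not networks:
        findings.append("no valid networks: every client is treated as a guest")
    for net in networks:
        if net.prefixlen == 0:
            findings.append(f"{net} covers its whole address family")
    for ip in admin_ips:
        if is_guest(ip, networks):
            findings.append(f"admin {ip} would be forced into guest mode")
    for ip in guest_ips:
        if not is_guest(ip, networks):
            findings.append(f"{ip} would bypass guest mode")
    return findings

if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation ranges).
    proposed = "203.0.113.10, 198.51.100.0/24"
    for finding in review(proposed, ["203.0.113.10"], ["192.0.2.5"]) or ["ok"]:
        print(finding)
```

Run it with the value you intend to put in docker-compose.yml, the addresses administrators connect from, and a few addresses that must stay in guest mode.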

Upload Extension Jar

Transfer the extension jar file kcm-auth-guest-1.5.2-2.jar built in step 1 above to the server in the folder /etc/kcm-setup/.

Update the Containers

To update the containers with this new configuration and extension:

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade
sudo ./kcm-setup.run start

The service will start and begin serving the assigned connection to guest users.

Guest Mode also supports multiple connections assigned to the "guests" group. If multiple connections are assigned to the group, the user will be provided with a selection.

Optional: Start KCM on Reboot

This may not be necessary, depending on your Docker Compose file structure and Docker restart parameters. Adding the unit file below as /etc/systemd/system/kcm.service will ensure that the service starts up on reboot.

[Unit]
Description=Keeper Connection Manager Service
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'sudo /home/ec2-user/kcm-setup.run start'
WorkingDirectory=/home/ec2-user
RemainAfterExit=yes
User=ec2-user

[Install]
WantedBy=multi-user.target

Activate the service:

sudo systemctl daemon-reload
sudo systemctl enable kcm
sudo systemctl start kcm
sudo systemctl status kcm
Source repository: GitHub - Keeper-Security/kcm-auth-guest: Authentication extension for demo KCM deployments.

Figures: Guest Mode demo for Students; Create "guests" group; Assign the Demo Home Page to the "guests" group.