Guest Mode
Providing access to connections without authentication
In certain scenarios, it may be necessary to provide controlled and restricted internet access to users, such as students in an educational environment. This guide demonstrates how to achieve this using Keeper Connection Manager (KCM) with "Guest Mode" and remote browser isolation.
In this example implementation, we will configure web browsing access for users, limiting it to a predefined set of approved websites for students. Users will be presented with a custom "home page" that allows them to choose from these approved websites. This approach is particularly valuable in environments where full internet access is not permitted, such as classrooms or exam settings.
Example Site: https://guest-mode-demo.com
Using Keeper Connection Manager for this purpose offers significant advantages over traditional methods like firewall-based restrictions. These include:
Session Monitoring: All browsing sessions can be fully recorded for auditing and accountability.
Ease of Access: Users can connect seamlessly without requiring additional software on their devices.
Device Agnostic: The version or type of browser on the user's device does not impact functionality.
Enhanced Security: The device is shielded from data exfiltration, malicious sites, and potential manipulation through the use of isolated browsing sessions.
This guide provides step-by-step instructions for setting up this controlled browsing environment on a dedicated KCM instance, tailored to meet the needs of educational institutions and similar use cases.
To set up Guest Mode, this guide assumes the following:
You have installed KCM on an instance using the Auto Docker Install method as documented
You have assigned a DNS name and set up SSL with Let's Encrypt or another method
You're able to log in to Keeper Connection Manager as guacadmin
In this example, we'll be setting up the demo site https://guest-mode-demo.com.
To activate the Guest Mode feature, follow the steps below.
The Guest Mode source code for KCM is published at the GitHub page below:
Download the .zip or clone the Git repository to your workstation (or server).
Ensure you have a recent version of Java 17 installed:
If you don't have Java installed, we recommend using Amazon Corretto and following their installation instructions on your environment.
In the terminal, navigate to the repo location and build with Maven. If you don't have Maven installed, use this command (on a Mac):
From the repo folder, build the Jar file:
The resulting jar file will be published to the local folder structure:
Save the package kcm-auth-guest-1.5.2-2.jar for the next steps.
Log in to Keeper Connection Manager as the "guacadmin" user, or any other admin user account.
Under Settings > Connections, create a Remote Browser Isolation connection.
Set up the Hostname with the URL of the landing page. In this case, we'll set it to https://lurey.com/demo.html. This page contains some basic HTML with links into the various allowed sites.
If session recording is desired, fill out the Recording Path with the value of ${HISTORY_PATH}/${HISTORY_UUID} and save the connection details.
Save the connection.
Next, create a Group called "guests" which is assigned to the connection.
In the Connections section, assign the group to the desired connection.
Add the following changes to the guacamole section of your Docker Compose file located in /etc/kcm-setup/docker-compose.yml.
Add ADDITIONAL_GUACAMOLE_PROPERTIES to the guacamole environment section.
Change XX.XX.XX.XX to an IP address which will be considered "admin" and will be excluded from guest mode. This is used when changes are needed on the KCM configuration.
Add the volume mount for the KCM Auth Guest plugin, built in the first step.
Note: kcm-non-guest-networks represents a comma-separated list of all IP addresses and/or subnets (CIDR notation) that should not be considered guest users. If omitted, absolutely all users will be considered guest users.
If you don't want "guests" to be the default group name, this can be customized by adding another guacamole property called kcm-guest-group. If omitted, the default group name guests will be used.
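Before restarting the containers, it helps to check the kcm-non-guest-networks value for typos and overly broad entries, since every address it covers is exempt from guest mode. The following is an added example, not part of the KCM extension or its documentation: it models the semantics described in the note above, and the function names, the max_hosts threshold and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

def parse_non_guest_networks(value):
    """Parse a kcm-non-guest-networks value into ip_network objects.

    None or an empty string models the property being omitted.
    Raises ValueError for an entry that is not an IP address or CIDR subnet.
    """
    if not value or not value.strip():
        return []
    networks = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty entry (stray comma) in list")
        # strict=True rejects CIDR entries with host bits set, e.g. 10.0.0.5/24,
        # which usually indicates a typo in the mask or the address.
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks

def is_guest(client_ip, networks):
    """True if client_ip matches none of the non-guest networks.

    With an empty list (property omitted) every client is a guest.
    """
    addr = ipaddress.ip_address(client_ip)
    return not any(addr.version == n.version and addr in n for n in networks)

def audit(networks, max_hosts=256):
    """Return warnings for entries that exempt more than max_hosts addresses."""
    return [f"{n} exempts {n.num_addresses} addresses from guest mode"
            for n in networks if n.num_addresses > max_hosts]

if __name__ == "__main__":
    # Constructed sample value using documentation and private address ranges.
    nets = parse_non_guest_networks("203.0.113.10, 198.51.100.0/24, 10.0.0.0/8")
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        print(ip, "guest" if is_guest(ip, nets) else "non-guest")
    for warning in audit(nets):
        print("WARNING:", warning)
```
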
Transfer the extension jar file kcm-auth-guest-1.5.2-2.jar built in step 1 above to the server in the folder /etc/kcm-setup/.
To update the containers with this new configuration and extension:
The service will start and begin serving the assigned connection to guest users.
Guest Mode also supports multiple connections assigned to the "guests" group. If multiple connections are assigned to the group, the user will be provided with a selection.
This may not be necessary based on your Docker Compose file structure and Docker restart parameters. Adding the script below to a file called /etc/systemd/system/kcm.service will ensure that the service starts up on reboot.
Activate the service