Hello tpfann,
First, sorry for my maybe weird questions. As I'm only using Guacamole and RADIUS as additional apps, I falsely assumed that only Guacamole runs as a Docker app.
About the firewall: I didn't configure anything regarding firewall settings on the UCS (all default), but it looks like it's enabled by default. Here they say:
In the default setting, all incoming ports are blocked by the UCS firewall.
univention-firewall is a set of rules for iptables.
In fact, there are iptables rules defined (I guess they are auto-generated when installing an application), especially the entries in the FORWARD chain for the Docker network (iptables -L -v -n):
```
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in      out      source       destination
    0     0 DOCKER-ISOLATION all  --  *       *        0.0.0.0/0    0.0.0.0/0
    0     0 DOCKER           all  --  *       docker0  0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT           all  --  *       docker0  0.0.0.0/0    0.0.0.0/0    ctstate RELATED,ESTABLISHED
    0     0 ACCEPT           all  --  docker0 !docker0 0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT           all  --  docker0 docker0  0.0.0.0/0    0.0.0.0/0
```
and the NAT entries (iptables -L -v -n -t nat):
```
Chain POSTROUTING (policy ACCEPT 26731 packets, 2076K bytes)
 pkts bytes target     prot opt in       out      source          destination
    0     0 MASQUERADE all  --  *        !docker0 172.17.0.0/16   0.0.0.0/0
    0     0 MASQUERADE tcp  --  *        *        172.17.0.3      172.17.0.3   tcp dpt:8080

Chain DOCKER (2 references)
 pkts bytes target     prot opt in       out      source          destination
    0     0 RETURN     all  --  docker0  *        0.0.0.0/0       0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *        0.0.0.0/0       0.0.0.0/0    tcp dpt:40001 to:172.17.0.3:8080
```
172.17.0.3 is the IP address of the Guacamole web interface container.
Could you check these rules? Maybe there is something that's restricting access to the reverse proxy to your local subnet.
For explanation: the reverse proxy configuration for Guacamole is required as the app should be accessible through the default SSL port (443),
i.e. https://ucs-host.your-domain/guacamole
and not
http://ucs-host.your-domain:40001/guacamole
Best regards
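As an added example for checking rules like the ones quoted in the post (this is not code from the post's author or from Univention/Docker), the script below parses `iptables -L -v -n` style output, lists which container ports the DOCKER chain publishes and from which sources, and looks for any rule in the access-control chains that limits traffic by source or drops it. The sample input is the output quoted above; the chain names it treats as access-control chains (INPUT, FORWARD, DOCKER, DOCKER-ISOLATION, DOCKER-USER) are an assumption of this script, not something the post states.

```python
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the filter and nat output quoted in the post above (pkts/bytes columns kept).
SAMPLE_RULES = """
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 DOCKER-ISOLATION all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 26731 packets, 2076K bytes)
 pkts bytes target prot opt in out source destination
 0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
 0 0 MASQUERADE tcp -- * * 172.17.0.3 172.17.0.3 tcp dpt:8080
Chain DOCKER (2 references)
 pkts bytes target prot opt in out source destination
 0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:40001 to:172.17.0.3:8080
"""

# Chains that decide whether a packet is allowed through (assumption of this script).
ACCESS_CHAINS = {"INPUT", "FORWARD", "DOCKER", "DOCKER-ISOLATION", "DOCKER-USER"}


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    in_iface: str
    out_iface: str
    source: str
    dest: str
    extras: List[str]


def parse_iptables(text: str) -> List[Rule]:
    """Parse `iptables -L -v -n` output: columns are pkts bytes target prot opt in out src dst [extras]."""
    rules: List[Rule] = []
    chain: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]          # "Chain DOCKER (2 references)" -> "DOCKER"
            continue
        if line.startswith("pkts"):          # column header line
            continue
        tok = line.split()
        if chain is None or len(tok) < 9:
            continue
        rules.append(Rule(chain, tok[2], tok[3], tok[5], tok[6], tok[7], tok[8], tok[9:]))
    return rules


def published_ports(rules: List[Rule]) -> List[dict]:
    """DNAT rules in the DOCKER chain are the container ports Docker publishes on the host."""
    out = []
    for r in rules:
        if r.chain != "DOCKER" or r.target != "DNAT":
            continue
        dport = next((e.split(":", 1)[1] for e in r.extras if e.startswith("dpt:")), None)
        backend = next((e[len("to:"):] for e in r.extras if e.startswith("to:")), None)
        out.append({
            "host_port": int(dport) if dport else None,
            "backend": backend,
            "allowed_source": r.source,   # 0.0.0.0/0 means any client address
            "in_iface": r.in_iface,       # "!docker0" means every interface except the bridge
        })
    return out


def restricting_rules(rules: List[Rule]) -> List[Rule]:
    """Rules in the access-control chains that limit by source address or drop/reject traffic."""
    return [
        r for r in rules
        if r.chain in ACCESS_CHAINS and (r.target in {"DROP", "REJECT"} or r.source != "0.0.0.0/0")
    ]


if __name__ == "__main__":
    parsed = parse_iptables(SAMPLE_RULES)
    for p in published_ports(parsed):
        print(f"host port {p['host_port']} -> {p['backend']} from {p['allowed_source']} on {p['in_iface']}")
    limits = restricting_rules(parsed)
    print("source restrictions found:" if limits else "no rule restricts access by source subnet")
    for r in limits:
        print(f"  {r.chain}: {r.target} {r.proto} src {r.source} dst {r.dest} {' '.join(r.extras)}")
```

For the quoted rules the script reports that port 40001 is forwarded to 172.17.0.3:8080 for any source on every non-bridge interface, and that none of the FORWARD or DOCKER rules limit access by subnet. One caveat worth keeping in mind when reading such output: traffic to a port Docker publishes is DNATed in PREROUTING and then traverses the FORWARD chain, not INPUT, so host-level rules that only filter INPUT (the "all incoming ports are blocked" default quoted above) do not apply to published container ports.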