We use guacamole as a way to gatekeep access to servers which are explicitly made vulnerable for students to attack.
We give students a Kali Linux box, and a server with dozens of vulnerabilities.. and we don't have to worry about those vulnerable targets being otherwise internet accessible. We've done over 200,000 VMs behind Guacamole over 4 years without incident, despite having machines with the username/password of "student", or being unpatched for 4 years (spinning up old Ubuntu 14 images)
We give students a Kali Linux box, and a server with dozens of vulnerabilities.. and we don't have to worry about those vulnerable targets being otherwise internet accessible. We've done over 200,000 VMs behind Guacamole over 4 years without incident, despite having machines with the username/password of "student", or being unpatched for 4 years (spinning up old Ubuntu 14 images)