diff --git a/group_vars/guac.yml b/group_vars/guac.yml
new file mode 100644
index 0000000..4cdc7df
--- /dev/null
+++ b/group_vars/guac.yml
@@ -0,0 +1 @@
+desired_swap_size: 4g
diff --git a/install_kasm.yml b/install_kasm.yml
index 54df6c0..b34421d 100644
--- a/install_kasm.yml
+++ b/install_kasm.yml
@@ -2,6 +2,7 @@
     - db
     - web
     - agent
+    - guac
   roles:
     - install_common
   any_errors_fatal: true
diff --git a/inventory b/inventory
index beed6c0..c82d8f3 100644
--- a/inventory
+++ b/inventory
@@ -4,3 +4,5 @@ ubuntu18-web
 ubuntu18-db
 [agent]
 ubuntu18-agent
+[guac]
+ubuntu18-guac
diff --git a/patch_os.yml b/patch_os.yml
index 78a52af..01d5708 100644
--- a/patch_os.yml
+++ b/patch_os.yml
@@ -4,6 +4,7 @@
     - db
     - web
     - agent
+    - guac
   roles:
     - patch_os
 
diff --git a/roles/install_common/tasks/db_install.yml b/roles/install_common/tasks/db_install.yml
index 7dad42e..f686d51 100644
--- a/roles/install_common/tasks/db_install.yml
+++ b/roles/install_common/tasks/db_install.yml
@@ -1,5 +1,5 @@
 - name: Install database role
-  command: "bash {{ tempdir.path }}/kasm_release/install.sh -S db -e -Q {{database_password}} -R {{redis_password}} -U {{user_password}} -P {{admin_password}} -M {{manager_token}} {{ '-s ' ~ service_images_copy.dest if service_images_file }} {{ '-w ' ~ workspace_images_copy.dest if workspace_images_file }}"
+  command: "bash {{ tempdir.path }}/kasm_release/install.sh -S db -e -Q {{database_password}} -R {{redis_password}} -U {{user_password}} -P {{admin_password}} -M {{manager_token}} -W {{guac_token}} {{ '-s ' ~ service_images_copy.dest if service_images_file }} {{ '-w ' ~ workspace_images_copy.dest if workspace_images_file }}"
   register: install_output
   become: true
   retries: 20
@@ -8,7 +8,7 @@
   when: test is not defined
 
 - name: Install database role - test
-  command: "bash {{ tempdir.path }}/kasm_release/install.sh -S db -e -I -Q {{database_password}} -R {{redis_password}} -U {{user_password}} -P {{admin_password}} -M {{manager_token}} {{ '-s ' ~ service_images_copy.dest if service_images_file }} {{ '-w ' ~ workspace_images_copy.dest if workspace_images_file }}"
+  command: "bash {{ tempdir.path }}/kasm_release/install.sh -S db -e -I -Q {{database_password}} -R {{redis_password}} -U {{user_password}} -P {{admin_password}} -M {{manager_token}} -W {{guac_token}} {{ '-s ' ~ service_images_copy.dest if service_images_file }} {{ '-w ' ~ workspace_images_copy.dest if workspace_images_file }}"
   register: install_output
   become: true
   retries: 20
diff --git a/roles/install_common/tasks/default_credentials.yml b/roles/install_common/tasks/default_credentials.yml
index 402e6d0..2c99e52 100644
--- a/roles/install_common/tasks/default_credentials.yml
+++ b/roles/install_common/tasks/default_credentials.yml
@@ -29,4 +29,9 @@
   when: manager_token is not defined
   run_once: true
   delegate_to: localhost
- 
\ No newline at end of file
+
+- set_fact:
+    guac_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=22') }}"
+  when: guac_token is not defined
+  run_once: true
+  delegate_to: localhost 
diff --git a/roles/install_common/tasks/guac_install.yml b/roles/install_common/tasks/guac_install.yml
new file mode 100644
index 0000000..0686142
--- /dev/null
+++ b/roles/install_common/tasks/guac_install.yml
@@ -0,0 +1,17 @@
+- name: Check connection from guac to webserver
+  uri:
+    url: "https://{{ web_ip }}/api/__healthcheck"
+    timeout: 5
+    validate_certs: false
+  register: _result
+  until: _result.status == 200
+  retries: 7
+  delay: 5
+
+- name: Install guac role
+  command: "bash {{ tempdir.path }}/kasm_release/install.sh -S guac -e -p {{ web_ip }} -W {{ guac_token }} {{ '-s ' ~ service_images_copy.dest if service_images_file }}"
+  register: install_output
+  become: true
+  retries: 20
+  delay: 10
+  until: install_output is success or ('Failed to lock apt for exclusive operation' not in install_output.stderr and '/var/lib/dpkg/lock' not in install_output.stderr)
diff --git a/roles/install_common/tasks/main.yml b/roles/install_common/tasks/main.yml
index ad97645..cc999df 100644
--- a/roles/install_common/tasks/main.yml
+++ b/roles/install_common/tasks/main.yml
@@ -85,6 +85,13 @@
     - "'agent' in group_names"
     - not kasm_installed
 
+- name: Run Kasm guac install tasks
+  include_tasks:
+    file: guac_install.yml
+  when:
+    - "'guac' in group_names"
+    - not kasm_installed
+
 - name: enable the docker service to run at boot
   service:
     name: docker
@@ -104,6 +111,7 @@
       - "Database Password: {{ database_password }}"
       - "Redis Password: {{ redis_password }}"
       - "Manager Token: {{ manager_token }}"
+      - "Guac Token: {{ guac_token }}"
       - "user@kasm.local password: {{ user_password }}"
       - "admin@kasm.local password: {{ admin_password }}"
   run_once: true
diff --git a/start_kasm.yml b/start_kasm.yml
index 95f1da3..c4be0ba 100644
--- a/start_kasm.yml
+++ b/start_kasm.yml
@@ -2,6 +2,7 @@
     - db
     - web
     - agent
+    - guac
   serial: 1
   gather_facts: no
   tasks:
diff --git a/uninstall_kasm.yml b/uninstall_kasm.yml
index d33c2ce..f550a14 100644
--- a/uninstall_kasm.yml
+++ b/uninstall_kasm.yml
@@ -2,5 +2,6 @@
     - db
     - web
     - agent
+    - guac
   roles:
     - uninstall