diff --git a/1-setup.sh b/1-setup.sh
index 511f7c3..e1d9606 100644
--- a/1-setup.sh
+++ b/1-setup.sh
@@ -17,8 +17,8 @@
 # 1-setup.sh is a central script that manages all inputs, options and sequences other included 'install' scripts.
 # 2-install-guacamole is the main guts of the whole build. This script downloads and builds Guacamole from source.
 # 3-install-nginx.sh automatically installs and configures Nginx to work as an http port 80 front end to Guacamole
-# 4a-install-self-signed-nginx.sh sets up the new Nginx/Guacamole front end with self signed SSL certificates.
-# 4b-install-ssl-letsencrypt-nginx.sh sets up Nginx with public SSL certificates from LetsEncrypt.
+# 4a-install-self-signed-nginx.sh sets up the new Nginx/Guacamole front end with self signed TLS certificates.
+# 4b-install-tls-letsencrypt-nginx.sh sets up Nginx with public TLS certificates from LetsEncrypt.
 # Scripts with "add" in their name can be run post guacamole setup to add optional features not included in the main install
 
 clear
@@ -32,6 +32,7 @@ LGREEN='\033[0;92m'
 LYELLOW='\033[0;93m'
 NC='\033[0m' #No Colour
 
+# Make sure the user is NOT running this as root 
 if [[ $EUID -eq 0 ]]; then
     echo
     echo -e "${LRED}This script must NOT be run as root, exiting..." 1>&2
@@ -39,6 +40,7 @@ if [[ $EUID -eq 0 ]]; then
     exit 1
 fi
 
+# Make sure the user is a member of the sudo group
 if ! [ $(id -nG "$USER" 2>/dev/null | egrep "sudo" | wc -l) -gt 0 ]; then
     echo
     echo -e "${LRED}The current user (${USER}) must be a member of the 'sudo' group, exiting..." 1>&2
@@ -51,11 +53,11 @@ if [ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*'
     # Script branding header
     echo
     echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
-    echo -e "                               ${LGREEN}Powered by Guacamole"
+    echo -e "                       ${LGREEN}Powered by Guacamole"
     echo
     echo
 
-    echo -e "${LRED}Possible previous temp files detected in current build path. Please review and remove old 'guacamole-*' & 'mysql-connector-j-*' files before proceeding.${GREY}" 1>&2
+    echo -e "${LRED}Possible previous install files detected in current build path. Please review and remove old guacamole install files files before proceeding.${GREY}" 1>&2
     echo
     exit 1
 fi
@@ -70,7 +72,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
 DB_BACKUP_DIR=$USER_HOME_DIR/mysqlbackups/
 TMP_DIR=$DOWNLOAD_DIR/tmp
 
-# Github download branch
+# GitHub download branch
 GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/"
 
 #Version of Guacamole to install
@@ -84,6 +86,7 @@ MYSQLJCON="8.0.33"
 
 # Select a specific MySQL version. See https://mariadb.org/mariadb/all-releases/
 MYSQL_VERSION="" # If left blank, script will use Linux distro default version packages.
+# Setup MySQL package name variables to call based on the above MYSQL_VERSION option
 if [ -z "${MYSQL_VERSION}" ]; then
     # Use Linux distro default version.
     MYSQLSRV="default-mysql-server default-mysql-client mysql-common"
@@ -115,7 +118,7 @@ LOG_LOCATION="${DOWNLOAD_DIR}/guacamole_${GUAC_VERSION}_setup.log"
 GUAC_URL=http://localhost:8080/guacamole/
 
 # Depending on the Linux distro, required libraries have varied names. Standardising with names makes adapting
-# to other distros easier.
+# to other distros easier. Here the variables for the library dependency names are initialised.
 source /etc/os-release
 OS_FLAVOUR=$ID
 OS_VERSION=$VERSION
@@ -172,15 +175,15 @@ INSTALL_DUO=""                  # Add DUO MFA extension (can't be installed simu
 INSTALL_LDAP=""                 # Add Active Directory extension (true/false)
 CHANGE_ROOT=""                  # Set default Guacamole URL to http root (remove extra "/guacamole" from the default URL)
 INSTALL_NGINX=""                # Install and configure Guacamole behind Nginx reverse proxy (http port 80 only, true/false)
-PROXY_SITE=""                   # Local DNS name for reverse proxy and/or self signed ssl certificates
-SELF_SIGN=""                    # Add self signed SSL support to Nginx (Let's Encrypt not available with this, true/false)
+PROXY_SITE=""                   # Local DNS name for reverse proxy and/or self signed TLS certificates
+SELF_SIGN=""                    # Add self signed TLS support to Nginx (Let's Encrypt not available with this option, true/false)
 CERT_COUNTRY="AU"               # Self signed cert setup: 2 country character code only, must not be blank
 CERT_STATE="Victoria"           # Self signed cert setup: Optional to change, must not be blank
 CERT_LOCATION="Melbourne"       # Self signed cert setup: Optional to change, must not be blank
 CERT_ORG="Itiligent"            # Self signed cert setup: Optional to change, must not be blank
 CERT_OU="I.T."                  # Self signed cert setup: Optional to change, must not be blank
 CERT_DAYS="3650"                # Self signed cert setup: Number of days until self signed certificate expiry
-LETS_ENCRYPT=""                 # Add Lets Encrypt public SSL support for Nginx (self signed SSL certs not available with this option, true/false)
+LETS_ENCRYPT=""                 # Add Lets Encrypt public TLS support for Nginx (self signed TLS certs not available with this option, true/false)
 LE_DNS_NAME=""                  # Public DNS name to bind with Lets Encrypt certificates
 LE_EMAIL=""                     # Webmaster/admin email for Lets Encrypt notifications
 BACKUP_EMAIL=""                 # Email address for backup notifications
@@ -192,7 +195,7 @@ RDP_PRINTER_LABEL="RDP Printer" # Custom Windows RDP printer name
 # Script branding header
 echo
 echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
-echo -e "                               ${LGREEN}Powered by Guacamole"
+echo -e "                       ${LGREEN}Powered by Guacamole"
 echo
 echo
 
@@ -210,8 +213,8 @@ cd $DOWNLOAD_DIR
 echo -e "${GREY}Downloading setup files...${DGREY}"
 wget -q --show-progress ${GITHUB}2-install-guacamole.sh -O 2-install-guacamole.sh
 wget -q --show-progress ${GITHUB}3-install-nginx.sh -O 3-install-nginx.sh
-wget -q --show-progress ${GITHUB}4a-install-ssl-self-signed-nginx.sh -O 4a-install-ssl-self-signed-nginx.sh
-wget -q --show-progress ${GITHUB}4b-install-ssl-letsencrypt-nginx.sh -O 4b-install-ssl-letsencrypt-nginx.sh
+wget -q --show-progress ${GITHUB}4a-install-tls-self-signed-nginx.sh -O 4a-install-tls-self-signed-nginx.sh
+wget -q --show-progress ${GITHUB}4b-install-tls-letsencrypt-nginx.sh -O 4b-install-tls-letsencrypt-nginx.sh
 # Grab Guacamole manual add on/upgrade scripts
 wget -q --show-progress ${GITHUB}add-auth-duo.sh -O add-auth-duo.sh
 wget -q --show-progress ${GITHUB}add-auth-ldap.sh -O add-auth-ldap.sh
@@ -220,7 +223,7 @@ wget -q --show-progress ${GITHUB}add-smtp-relay-o365.sh -O add-smtp-relay-o365.s
 wget -q --show-progress ${GITHUB}upgrade-guac.sh -O upgrade-guac.sh
 # Grab backup and security hardening scripts
 wget -q --show-progress ${GITHUB}backup-guac.sh -O backup-guac.sh
-wget -q --show-progress ${GITHUB}add-ssl-guac-gaucd.sh -O add-ssl-guac-gaucd.sh
+wget -q --show-progress ${GITHUB}add-tls-guac-daemon.sh -O add-tls-guac-daemon.sh
 wget -q --show-progress ${GITHUB}add-fail2ban.sh -O add-fail2ban.sh
 # Grab a (customisable) branding extension
 wget -q --show-progress ${GITHUB}branding.jar -O branding.jar
@@ -231,7 +234,7 @@ clear
 # Script branding header
 echo
 echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
-echo -e "                               ${LGREEN}Powered by Guacamole"
+echo -e "                       ${LGREEN}Powered by Guacamole"
 echo
 echo
 
@@ -249,7 +252,7 @@ sudo chown -R $SUDO_USER:root $TMP_DIR
 
 # We need a default hostname value available to apply even if we do not want to change the hostname. This approach allows the
 # user to simply hit enter at the prompt without this creating a blank entry into the /etc/hosts file.
-# hostnames and matching DNS entries are essential for implementing SSL successfully.
+# hostnames and matching DNS entries are essential for implementing TLS successfully.
 if [[ -z ${SERVER_NAME} ]]; then
     echo -e "${LYELLOW}Update Linux system HOSTNAME [Enter to keep: ${HOSTNAME}]${LGREEN}"
     read -p "                        Enter new HOSTNAME : " SERVER_NAME
@@ -269,7 +272,7 @@ else
     sudo systemctl restart systemd-hostnamed &>>${LOG_LOCATION}
 fi
 
-# We need a dns suffix to append to the hostname so as SSL can be available.
+# We need a dns suffix to append to the hostname so as TLS can be available.
 if [[ -z ${LOCAL_DOMAIN} ]]; then
     echo -e "${LYELLOW}Update Linux LOCAL DNS DOMAIN [Enter to keep: ${DOMAIN_SUFFIX}]${LGREEN}"
     read -p "                        Enter FULL LOCAL DOMAIN NAME: " LOCAL_DOMAIN
@@ -310,7 +313,7 @@ clear
 # Script branding header
 echo
 echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
-echo -e "                               ${LGREEN}Powered by Guacamole"
+echo -e "                       ${LGREEN}Powered by Guacamole"
 echo
 echo
 
@@ -504,10 +507,10 @@ if [ -z "${PROXY_SITE}" ]; then
     PROXY_SITE="${DEFAULT_FQDN}"
 fi
 
-# Prompt for self signed SSL reverse proxy option
+# Prompt for self signed TLS reverse proxy option
 if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
-    # Prompt the user to see if they would like to install self signed SSL support for Nginx, default of no
-    echo -e -n "FRONT END: Add self signed SSL support to Nginx? [y/N]? (choose 'n' for Let's Encrypt)[default n]: "
+    # Prompt the user to see if they would like to install self signed TLS support for Nginx, default of no
+    echo -e -n "FRONT END: Add self signed TLS support to Nginx? [y/N]? (choose 'n' for Let's Encrypt)[default n]: "
     read PROMPT
     if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
         SELF_SIGN=true
@@ -516,19 +519,19 @@ if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
     fi
 fi
 
-# Optional prompt to assign the self sign SSL certificate a custom expiry date, un-comment to force a manual entry
+# Optional prompt to assign the self sign TLS certificate a custom expiry date, un-comment to force a manual entry
 #if [ "${SELF_SIGN}" = true ]; then
-#	read - p "PROXY: Enter number of days till SSL certificate expires [default 3650]: " CERT_DAYS
+#	read - p "PROXY: Enter number of days till TLS certificate expires [default 3650]: " CERT_DAYS
 #fi
 
-# If no self sign SSL certificate expiry given, lets assume a generous 10 year default certificate expiry
+# If no self sign TLS certificate expiry given, lets assume a generous 10 year default certificate expiry
 if [ -z "${CERT_DAYS}" ]; then
     CERT_DAYS="3650"
 fi
 
-# Prompt for Let's Encrypt SSL reverse proxy configuration option
+# Prompt for Let's Encrypt TLS reverse proxy configuration option
 if [[ -z ${LETS_ENCRYPT} ]] && [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = "false" ]]; then
-    echo -e -n "FRONT END: Add Let's Encrypt SSL support to Nginx reverse proxy [y/N] [default n]: ${GREY}"
+    echo -e -n "FRONT END: Add Let's Encrypt TLS support to Nginx reverse proxy [y/N] [default n]: ${GREY}"
     read PROMPT
     if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
         LETS_ENCRYPT=true
@@ -565,7 +568,7 @@ fi
 clear
 echo
 echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
-echo -e "                               ${LGREEN}Powered by Guacamole"
+echo -e "                       ${LGREEN}Powered by Guacamole"
 echo
 echo
 echo -e "${LGREEN}Beginning Guacamole setup...${GREY}"
@@ -599,11 +602,11 @@ sed -i "s|GUAC_DB=|GUAC_DB='${GUAC_DB}'|g" $DOWNLOAD_DIR/backup-guac.sh
 sed -i "s|DB_BACKUP_DIR=|DB_BACKUP_DIR='${DB_BACKUP_DIR}'|g" $DOWNLOAD_DIR/backup-guac.sh
 sed -i "s|BACKUP_EMAIL=|BACKUP_EMAIL='${BACKUP_EMAIL}'|g" $DOWNLOAD_DIR/backup-guac.sh
 sed -i "s|BACKUP_RETENTION=|BACKUP_RETENTION='${BACKUP_RETENTION}'|g" $DOWNLOAD_DIR/backup-guac.sh
-sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
-sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
-sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
-sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
-sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh
+sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
+sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
+sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
+sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
+sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
 
 # Export the relevant variable selections to child install scripts
 export BACKUP_EMAIL=$BACKUP_EMAIL
@@ -675,16 +678,16 @@ if [ "${INSTALL_NGINX}" = true ]; then
     echo -e "${LGREEN}Nginx install complete\nhttp://${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
 fi
 
-# Apply self signed SSL certificates to Nginx reverse proxy if option is selected
+# Apply self signed TLS certificates to Nginx reverse proxy if option is selected
 if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then
-    sudo -E ./4a-install-ssl-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS}
+    sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS}
     echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
 fi
 
-# Apply Let's Encrypt SSL certificates to Nginx reverse proxy if option is selected
+# Apply Let's Encrypt TLS certificates to Nginx reverse proxy if option is selected
 if [[ "${INSTALL_NGINX}" = true ]] && [[ "${LETS_ENCRYPT}" = true ]]; then
-    sudo -E ./4b-install-ssl-letsencrypt-nginx.sh
-    echo -e "${LGREEN}Let's Encrypt SSL configured for Nginx \n${LYELLOW}https:${LGREEN}//${LE_DNS_NAME} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
+    sudo -E ./4b-install-tls-letsencrypt-nginx.sh
+    echo -e "${LGREEN}Let's Encrypt TLS configured for Nginx \n${LYELLOW}https:${LGREEN}//${LE_DNS_NAME} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
 fi
 
 # Duo Settings reminder - If Duo is selected you can't login to Guacamole at all until this extension is fully configured
diff --git a/2-install-guacamole.sh b/2-install-guacamole.sh
index fc0d393..c68b57e 100644
--- a/2-install-guacamole.sh
+++ b/2-install-guacamole.sh
@@ -4,8 +4,6 @@
 # For Ubuntu / Debian / Raspbian
 # David Harrop
 # April 2023
-# Special thanks to MysticRyuujin for much of the guac install outline here
-# pls see https://github.com/MysticRyuujin/guac-install for more
 #######################################################################################################################
 
 # Prepare text output colours
diff --git a/3-install-nginx.sh b/3-install-nginx.sh
index 5805aa5..09ee68d 100644
--- a/3-install-nginx.sh
+++ b/3-install-nginx.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #######################################################################################################################
-# Add Nginx reverse proxy fromt end to default Guacamole install
+# Add Nginx reverse proxy front end to default Guacamole install
 # For Ubuntu / Debian / Raspbian
 # 3 of 4
 # David Harrop
@@ -55,8 +55,6 @@ fi
 sudo sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf 
 sudo sed -i "/SSL Settings/a \        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf
 
-
-
 # Symlink from sites-available to sites-enabled
 ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/
 
diff --git a/4a-install-ssl-self-signed-nginx.sh b/4a-install-tls-self-signed-nginx.sh
similarity index 75%
rename from 4a-install-ssl-self-signed-nginx.sh
rename to 4a-install-tls-self-signed-nginx.sh
index ff47212..734fa81 100644
--- a/4a-install-ssl-self-signed-nginx.sh
+++ b/4a-install-tls-self-signed-nginx.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #######################################################################################################################
-# Add self signed SSL certificates to Guacamole with Nginx reverse proxy
+# Add self signed TLS certificates to Guacamole with Nginx reverse proxy
 # For Ubuntu / Debian / Rasbpian
 # 4a of 4
 # David Harrop
@@ -18,41 +18,15 @@ NC='\033[0m' #No Colour
 
 echo
 echo
-echo -e "${LGREEN}Setting up self signed SSL certificates for Nginx...${GREY}"
+echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}"
 echo
 
 # Setup script cmd line arguments for proxy site and certificate days
 SSLNAME=$1
 SSLDAYS=$2
 
-#######################################################################################################################
-# If you wish to add/regenerate self signed SSL to a pre-existing Nginx install, this script can be adapted to be run
-# standalone. To run as standalone, simply un-comment this entire section and provide the desired variable
-# values to complete the reconfiguration of Nginx.
-
-# Variable inputs
-#TOMCAT_VERSION="tomcat9" # Not needed for general SSL install(if Guacamole not present, also comment the tomcat restart)
-#DOWNLOAD_DIR=$(eval echo ~${SUDO_USER})
-#LOG_LOCATION="${DOWNLOAD_DIR}/ssl_install.log"
-#TMP_DIR=/tmp
-#GUAC_URL=http://localhost:8080/guacamole/ # substitute for whatever url that nginx is proxying
-#CERT_COUNTRY="AU" # must be two letter code!
-#CERT_STATE="Victoria"
-#CERT_LOCATION="Melbourne"
-#CERT_ORG="Itiligent"
-#CERT_OU="I.T. dept"
-#PROXY_SITE=$SSLNAME
-
-# To run manually or to regenerate SSL certificates, this script must be run in the current user environment [-E switch]
-# Be aware that running this script just as sudo will save certs to sudo's home path with incorrect permissions,
-# plus the custom certificate install instructions shown after running will be invalid.
-
-# e.g. sudo -E ./4a-install-ssl-self-signed-nginx.sh proxy-site-name 3650
-
-#######################################################################################################################
-
 # Discover IPv4 interface
-echo -e "${GREY}Discovering the default route interface and Proxy DNS name to bind with the new SSL certificate..."
+echo -e "${GREY}Discovering the default route interface and Proxy DNS name to bind with the new TLS certificate..."
 DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)
 if [ $? -ne 0 ]; then
     echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
@@ -62,8 +36,8 @@ else
     echo
 fi
 
-echo -e "${GREY}New self signed SSL certificate attributes are shown below...${DGREY}"
-# Display the new SSL cert parameters.
+echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
+# Display the new TLS cert parameters.
 cat <<EOF | tee -a $TMP_DIR/cert_attributes.txt
 [req]
 distinguished_name  = req_distinguished_name
@@ -88,18 +62,12 @@ subjectAltName      = @alt_names
 DNS.1               = $PROXY_SITE
 IP.1                = $DEFAULT_IP
 EOF
-# Add IP.2 & IP.3 above EOF as needed.
-#IP.2                = $IP3
-#IP.3                = $IP3
-# Additional DNS names can also be manually added into the above cat <<EOF as needed.
-#DNS.2               =
-#DNS.3               =
 
-# Set default certificate file destinations. These can be adapted for any other SSL application.
+# Set default certificate file destinations. These can be adapted for any other TLS application.
 DIR_SSL_CERT="/etc/nginx/ssl/cert"
 DIR_SSL_KEY="/etc/nginx/ssl/private"
 
-# Make directories to place SSL Certificate if they don't exist
+# Make directories to place TLS Certificate if they don't exist
 if [[ ! -d $DIR_SSL_KEY ]]; then
     sudo mkdir -p $DIR_SSL_KEY
 fi
@@ -113,7 +81,7 @@ if [[ $SSLDAYS == "" ]]; then
 fi
 
 echo
-echo "{$GREY}Creating a new Nginx SSL Certificate ..."
+echo "{$GREY}Creating a new Nginx TLS Certificate ..."
 openssl req -x509 -nodes -newkey rsa:2048 -keyout $SSLNAME.key -out $SSLNAME.crt -days $SSLDAYS -config $TMP_DIR/cert_attributes.txt
 if [ $? -ne 0 ]; then
     echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
@@ -123,7 +91,7 @@ else
     echo
 fi
 
-# Place SSL Certificate within defined path
+# Place TLS Certificate within defined path
 sudo cp $SSLNAME.key $DIR_SSL_KEY/$SSLNAME.key
 sudo cp $SSLNAME.crt $DIR_SSL_CERT/$SSLNAME.crt
 
@@ -151,7 +119,7 @@ else
 fi
 
 # Update Nginx config to accept the new certificates
-echo -e "${GREY}Configuring Nginx proxy to use self signed SSL certificates and setting up automatic HTTP to HTTPS redirect...${DGREY}"
+echo -e "${GREY}Configuring Nginx proxy to use self signed TLS certificates and setting up automatic HTTP to HTTPS redirect...${DGREY}"
 #cat > /etc/nginx/sites-available/$PROXY_SITE <<EOL | > /dev/null
 cat <<EOF | tee /etc/nginx/sites-available/$PROXY_SITE
 server {
@@ -233,7 +201,7 @@ SHOWASTEXT1='$mypwd'
 SHOWASTEXT2='"Cert:\LocalMachine\Root"'
 
 printf "${GREY}+-------------------------------------------------------------------------------------------------------------
-${LGREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
 +
 + 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$SSLNAME.pfx${GREY}
 + 2. Import this PFX file into your Windows client with the below Powershell commands (as Administrator):
@@ -241,7 +209,7 @@ ${LGREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONT
 echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText"
 echo -e "Import-pfxCertificate -FilePath $SSLNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}""
 printf "${GREY}+-------------------------------------------------------------------------------------------------------------
-${LGREEN}+ LINUX CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+${LGREEN}+ LINUX CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
 +
 + 1. In ${DOWNLOAD_DIR} is a new Linux native OpenSSL certificate ${LYELLOW}$SSLNAME.crt${GREY}
 + 2. Import the CRT file into your Linux client certificate store with the below command:
@@ -250,7 +218,7 @@ echo -e "(If certutil is not installed, run apt-get install libnss3-tools)"
 echo -e "mkdir -p $HOME/.pki/nssdb && certutil -d $HOME/.pki/nssdb -N"
 echo -e "certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n $SSLNAME -i $SSLNAME.crt"
 printf "+-------------------------------------------------------------------------------------------------------------\n"
-echo -e "${LYELLOW}The above SSL browser config instructions are saved in ${LGREEN}$LOG_LOCATION${GREY}"
+echo -e "${LYELLOW}The above TLS browser config instructions are saved in ${LGREEN}$LOG_LOCATION${GREY}"
 
 # Done
 echo -e ${NC}
diff --git a/4b-install-ssl-letsencrypt-nginx.sh b/4b-install-tls-letsencrypt-nginx.sh
similarity index 70%
rename from 4b-install-ssl-letsencrypt-nginx.sh
rename to 4b-install-tls-letsencrypt-nginx.sh
index cebfbe8..f705579 100644
--- a/4b-install-ssl-letsencrypt-nginx.sh
+++ b/4b-install-tls-letsencrypt-nginx.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #######################################################################################################################
-# Add Let's Encrypt SSL Certificates to Guacamole with Nginx reverse proxy
+# Add Let's Encrypt TLS Certificates to Guacamole with Nginx reverse proxy
 # For Ubuntu / Debian / Raspbian
 # 4b of 4
 # David Harrop
@@ -18,54 +18,9 @@ NC='\033[0m' #No Colour
 
 echo
 echo
-echo -e "${LGREEN}Installing Let's Encrypt SSL configuration for Nginx...${GREY}"
+echo -e "${LGREEN}Installing Let's Encrypt TLS configuration for Nginx...${GREY}"
 echo
 
-#######################################################################################################################
-# If you wish to add/regenerate self signed SSL to a pre-existing Nginx install, this script can be adapted to be run
-# standalone. To run as standalone, simply un-comment this entire section and provide the desired variable
-# values to complete the reconfiguration of Nginx.
-
-# Variable inputs
-#TOMCAT_VERSION="tomcat9" # Not be needed for genreral SSL install SSL (i.e. where Guacamole not present)
-#DOWNLOAD_DIR=$(eval echo ~${SUDO_USER})
-#LOG_LOCATION="${DOWNLOAD_DIR}/ssl_install.log"
-#GUAC_URL=http://localhost:8080/guacamole/ # substitute for whatever url that nginx is proxying
-
-# Find the existing nginx site name
-#echo -e "${GREY}Discovering exising proxy sites to configure with SSL...${GREY}"
-#for file in "/etc/nginx/sites-enabled"/*
-#do
-#PROXY_SITE="${file##*/}"
-#done
-#if [ $? -ne 0 ]; then
-#	echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
-#	exit 1
-#	else
-#	echo -e "${LGREEN}OK${GREY}"
-#fi
-#echo
-# Prompt for the FQDN of the new Let's encrypt certificate
-#while true
-#do
-#echo -e "${LGREEN}"
-#read -p "Enter the public FQDN for your proxy site: " LE_DNS_NAME
-#echo
-# [ "${LE_DNS_NAME}" != "" ] && break
-#done
-
-# Prompt for the admin/webmaster email for Let's encrypt certificate notifications
-#while true
-#do
-#echo -e "${LGREEN}"
-#read -p "Enter the email address for Let's Encrypt notifications : " LE_EMAIL
-#echo
-# [ "${LE_EMAIL}" != "" ] && break
-#done
-#echo -e "${GREY}"
-
-#######################################################################################################################
-
 # Install nginx
 apt-get update -qq &>>${LOG_LOCATION}
 apt-get install nginx certbot python3-certbot-nginx -qq -y &>>${LOG_LOCATION}
@@ -83,7 +38,7 @@ else
 fi
 
 # Configure Nginx to accept the new certificates
-echo -e "${GREY}Configuring Nginx proxy for Let's Encrypt SSL and setting up automatic HTTP redirect...${GREY}"
+echo -e "${GREY}Configuring Nginx proxy for Let's Encrypt TLS and setting up automatic HTTP redirect...${GREY}"
 cat >/etc/nginx/sites-available/$PROXY_SITE <<EOL
 server {
     listen 80 default_server;
diff --git a/ACTIVE-DIRECTORY-HOW-TO.md b/ACTIVE-DIRECTORY-HOW-TO.md
index 26c4e73..7c8300c 100644
--- a/ACTIVE-DIRECTORY-HOW-TO.md
+++ b/ACTIVE-DIRECTORY-HOW-TO.md
@@ -41,9 +41,9 @@ ldap-max-search-results:200
 ```
   - **_Important note on `ldap-user-base-dn:`_** _This value sets a position in the directory as a relative root to search within. All Guacamole users to be authenticated by Active Directory must be placed in a lower position within the directory tree to this value. This line can be added multiple times to more efficiently search across multiple branches of a directory tree._
 
-  - **_Important note on `ldap-max-search-results:`_** _Yes, there is no space before the :200 value. In larger environments managing the directory efficiently requires we don't query every object in the tree for every user lookup. You may need to adjust this number depending on the number of objects in you tree._ 
+  - **_Important note on `ldap-max-search-results:`_** _Yes, there is no space before the :200 value. In larger environments managing the directory efficiently requires we don't query every object in the tree for every user lookup. You may need to adjust this number depending on the number of objects in your tree._ 
 
-  - **_Important note on `mysql-auto-create-accounts:`_** _This line is optional and can be deleted. This line ensures that all Active Directory user accounts will have a matching user account created in the Guacamole db at first logon. Local Guacamole accounts are NOT necessarily needed for access to Guacamole connections - these are only necessary when deploying MFA or you want to assign other settings specific to individual users. Domain users can be provisioned access to connections without creating local users in the Guacamole db. For many use cases, manually creating a small number of Guacamole user accounts to their matching domain accounts may be more preferable than all users inheriting access to establish a local account in the Guacamole db. See below for manual account setup._
+  - **_Important note on `mysql-auto-create-accounts:`_** _This line is optional and can be deleted. This line ensures that all Active Directory user accounts will have a matching user account created in the Guacamole db at first logon. Local Guacamole accounts are NOT necessarily needed for access to Guacamole connections - these are only necessary when deploying MFA or you want to assign other settings specific to individual users. Domain users can be provisioned access to Guacamole sessions connections without creating local users in the Guacamole db. For many use cases, manually creating a small number of Guacamole user accounts to their matching domain accounts may be more preferable than all users inheriting access to establish a local account in the Guacamole db. See below for manual account setup._
 
 ## **4. Run the (now customised) LDAP configuration script**
 
@@ -51,7 +51,7 @@ ldap-max-search-results:200
 
 ## **5. Logging on to Guacamole with the new guacbind-ad account**
 
-- When logging in to Guacamole as the new Active Directory account and password created above, that domain user now passes through to Guacamole as both a Guacamole admin and a Domain User. If all is working correctly, all the users located below the directory tree position set in **ldap-user-base-dn** will be listed under **Settings | Users** of the Guacamole management console.
+- When logging in to Guacamole as the new Active Directory account and password created above, that domain user now passed through to Guacamole as both a Guacamole admin and a Domain User. If all is working correctly, all the users located below the directory tree position set in **ldap-user-base-dn** will be listed under **Settings | Users** of the Guacamole management console.
 
 ## **6. Manually creating and configuring new Guacamole users for Active Directory authentication**
 
@@ -59,15 +59,15 @@ ldap-max-search-results:200
 
 ## **7. Logging on using either the local vs the domain guacbind-ad account**
 
-- As described above, logging on with the Guacamole admin user password will authenticate with the local Guacamole admin account, conversely if the Guacamole admin domain account password is given, the domain account is authenticated via Active Directory and then passed through as authorised to administer Guacamole. It may sometimes be necessary to log on with the local Guacamole admin account to manage some admin functions, but be aware that when doing so you will not be able to view and search the user list from Active Directory. Only when logged on with the domain version of the Guacamole admin account can domain user permissions to various Guacamole sessions and objects be delegated and managed.
+- As described above, logging on with the Guacamole admin user password will authenticate with the local Guacamole admin account, conversely if the Guacamole admin domain account password is given, the domain account is authenticated via Active Directory and then passed through as authorised to administer Guacamole. It may sometimes be necessary to log on with the local Guacamole admin account to manage some application functions, but be aware that when doing so you will not be able to view and search the user list from Active Directory. Only when logged on with the domain version of the Guacamole admin account can domain user permissions to various Guacamole sessions and objects be delegated and managed.
 
 ## **8. Creating a quasi Single Sign On user experience for Windows RDP access**
 
 - Create a Global Security domain group (e.g. Guac_Users) and populate it with selected domain users as required. 
 - Now add this new security group to the built-in “Remote Desktop Users” domain group.
-- Next, for each connection profile you wish to create the SSO behaviour, _parameter_ _tokens_ must be used in place of hard coded usernames and password values as follows... 
+- Next, for each connection profile you wish to create the SSO experience and behaviour, _parameter_ _tokens_ must be used in place of hard coded usernames and password values as follows... 
   - Add the parameter token `${GUAC_USERNAME}` to the Username field for each connection profile
   - Add the parameter token `${GUAC_PASSWORD}` to the Password field for each connection profile
 - If the user has been given directory rights to the Guacamole session object, Guacamole will first authenticate the user to the Guacamole application (via a brokered Active Directory challenge) and then seamlessly pass the user's same domain credentials through to the Guacamole remote desktop session, thus avoiding any further remote desktop authentication prompts.
 - For more info on other dynamic connection settings see https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
-- For full SSO, the SAML authentication must be used. As the SAML extension requires a very bespoke approach to configuring login providers and login behaviours, the SAML authentication feature is beyond the scope of this project. 
\ No newline at end of file
+- For full SSO, the SAML authentication extension must be used. As the Guacamole SAML extension requires a very bespoke approach to configuring login providers and login behaviours, the SAML authentication feature is beyond the scope of this project. If your organisation already uses SAML within your infrastructure then you likely already know what to do to implement.
\ No newline at end of file
diff --git a/README.md b/README.md
index bdc5d7c..6f0e081 100644
--- a/README.md
+++ b/README.md
@@ -1,68 +1,64 @@
 # **Guacamole 1.5.3 VDI / Jump Server Appliance Build Script**
 
-A menu based build & install script for Guacamole 1.5.3 with support for TLS reverse proxy, AD integration, multi-factor authentication and further security hardening.
+A menu based source build & install script for Guacamole 1.5.3 with support for TLS reverse proxy, AD integration, multi-factor authentication and further security hardening.
 
 ### **Automatic build, install & config script**
 
-To install Guacamole, paste the following command into your terminal **(do not run as sudo)**:
+To build the Guacamole appliance, paste the below link into a terminal and follow prompts **(do not run as sudo)**:
 
 ```
 wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh
 ```
 
 ## **Prerequisites**
- ### PLEASE NOTE: DEBIAN 12 & Tomcat 10 NOT COMPATIBLE - SEE ISSUE #10
+ ### NOTE: DEBIAN 12 & TOMCAT 10 NOT CURRENTLY COMPATIBLE - SEE ISSUE #10
 
 - **Ubuntu 18.04 - 22.x / Debian 11 & 10 / Raspbian Buster or Bullseye**
   - *(if using OS vendor cloud images - you must use **stable releases of the above OS variants.**  Daily cloud image builds are akin to rolling releases and may contain as yet unsupported updates that break Guacamole!)*
 - Minimum 8GB RAM and 40GB HDD
 - Public or private DNS entries that match the default route interface IP address (required for TLS)
 - Incoming access on TCP ports 22, 80, and 443
-- The user executing the wget installer script **must be a member of the sudo group**
+- Do not run as root. The user executing the installer script must instead be a **member of the sudo group**
 
-## **Setup Menu Flow**
+## **Installer Menu Flow**
 
-### **1. Confim the system hostname & local domain suffix**
-- Change or keep the current hostname and local DNS suffix
+### **1. Confirm the system hostname & local dns domain suffix**
 
 ### **2. Select a MySQL instance type and security baseline**
 
-- Install a new local MySQL instance, or choose an existing/remote MySQL instance. 
+- Install a new local MySQL instance, or choose an existing/remote MySQL instance? 
   - *Optionally add MySQL **mysql_secure_installation** settings to the selected MySQL instance*
   - *Optionally provide an email address for backup messages and alerts*
 
 ### **3. Pick an authentication extension**
 
-- **DUO, TOTP, LDAP or None**  
-  - *Simultaneous TOTP and DUO not possible, but LDAP with TOTP is ok.*
+- DUO, TOTP, LDAP or none?  
 
 ### **4. Choose the Guacamole front end**
 
 - **Install Nginx reverse Proxy?** [y/n]
-     - No:  Keep the Guacamole native front end & url http://server.local:8080/guacamole
-       - *Sub option: Change Guacamole's default url to http root? Yes = http://server.local:8080*
+     - No:  Keeps the Guacamole native front end & url http://server.local:8080/guacamole
      - Yes: Prompts for a reverse proxy local dns name (this can be different to the hostname)
    
-- **Install Nginx reverse proxy with a self-signed SSL certificate?** [y/n]
-  - No: Installs Nginx as **http** reverse proxy with the given local dns name e.g. http://server.local
-  - Yes: Installs Nginx as **https** reverse proxy with the given local dns name e.g  https://server.local 
-     - *Auto configures Nginx with a self signed TLS certificate and http redirect*
-     - *Auto generates Windows & Linux client browser certificates*
+- **Install Nginx reverse proxy with a self-signed TLS certificate?** [y/n]
+  - No: Installs Nginx as **http** reverse proxy, Guacamole site set to http://server.local
+  - Yes: Installs Nginx as **https** reverse proxy, Guacamole site set to https://server.local 
+     - *Nginx is configured with a self signed TLS certificate and http redirect*
+     - *Windows & Linux self signed client browser certificates generated*
 
  - **Install Nginx reverse proxy with a Let's Encrypt certificate?** [y/n] 
-    - Yes: = Prompts for a webmaster email & public reverse proxy dns name e.g https://your-public-site.com
-      - *Installs Nginx with the given public dns name*
-      - *Auto configures Nginx with a new LetsEncrypt certificate and http redirect*
-      - *Auto configures certificate notifications to the webmaster email*
-      - *Auto schedules recurring certificate renewals* 
+    - Yes: Prompts for a webmaster email & public reverse proxy dns name 
+      - *Installs Nginx as **https** reverse proxy, Guacamole site set to* https://your-public-site.com
+      - *Nginx configured with a new LetsEncrypt certificate and http redirect*
+      - *Ongoing certbot certificate renewals scheduled* 
 
-## **Optional post install hardening**
+## **Post install hardening options**
 
-The installer downloads additional scripts to manually run:
-- `add-fail2ban.sh` - Adds a conservative fail2ban lockdown policy to Guacamole & whitelists local LAN
-- `add-ssl-guac-gaucd.sh` - Encrypts internal traffic between Guacamole application and Guacd daemon with TLS
-- `add-auth-ldap.sh` - Template script for integrating with Active Directory (See ACTIVE-DIRECTORY-HOW-TO.md)
-- `add-smtp-relay-o365.sh` - Template script for email alerts via MSO65 (SMTP auth, requires BYO app password)
+The installer additionally downloads the following manual configuration scripts:
+- `add-fail2ban.sh` - Adds a baseline fail2ban lockdown policy to Guacamole (& whitelists the local subnet)
+- `add-tls-guac-daemon.sh` - Adds a TLS wrapper to internal traffic between the Guacamole application and guacd server daemon
+- `add-auth-ldap.sh` - A template script for integrating Guacamole with Active Directory
+- `add-smtp-relay-o365.sh` - A template script for email alerts via MSO65 (SMTP auth via BYO app password)
 
 ## **Active Directory integration**
 
@@ -71,32 +67,31 @@ See Active Directory authentication instructions [here](https://github.com/itili
 
 ## **Installation notes**
 
-To create a custom or unattended setup, follow these steps:
-1. From a terminal session, change to your home directory then paste and run the above wget setup link.
+The installer can be run interactively, or for a customised/unattended setup:
+1. From a terminal session, change to your home directory then paste and run the above wget autorun link.
 2. Exit the `1-setup.sh` script at the first prompt. (At this point only the scripts have downloaded).
-3. Customise the installation variables in the "Silent setup options" section of `1-setup.sh` as appropriate. 
-    - *Note that script variables with an actual value (e.g. `VARIABLE="value"`) will not prompt during the interactive setup. This means that with the right combination of script variable inputs, it is possible to mass deploy full Guacamole appliances with zero touch.*
-4. **After setting your custom variable values in `1-setup.sh`, you must now run the modified script saved locally with `./1-setup.sh` Beware: If you run the setup script once again via the wget link you will overwrite all your changes!**
-      - *There should be no need to customise any scripts other than `1-setup.sh` as all install options are managed in this parent script.*
-      - *If you must make changes to any other downloaded scripts, you must also comment out their corresponding wget lines in the "Download GitHub Setup" section at the top of `1-setup.sh` to prevent a re-download and overwrite when re-running the setup.* 
-      - *Be aware that all optional (manually run) `add-xxxx.sh` scripts are dynamically updated during the installation with variables selected at install. Editing anything other than `1-setup.sh` may break this functionality.*
-6. If the self signed SSL option is selected, client TLS certificates are saved to `$DOWNLOAD_DIR/guac-setup`.
-7. If any TLS option is selected, Nginx is configured to only support connections using TLS 1.2 or above.
+3. Customise the many installation variables in the "Silent setup options" section of `1-setup.sh` as appropriate. 
+    - *Script variables with a given value (e.g. `VARIABLE="value"`) will not prompt during the interactive setup. With the right combination of custom script variables, it is possible to deploy Guacamole appliance(s) with zero touch in only minutes.*
+4. **Beware: If any settings in `1-setup.sh` are edited, you must run this modified script locally. If you run the wget autorun link again you will overwrite all your changes!**
+      - *All install options are managed from within `1-setup.sh`. If you edit any of the other downloaded scripts, **you must also comment out each script's corresponding download link** within the "Download GitHub Setup" section of `1-setup.sh` to prevent re-download and overwrite when running setup.*
+      - *Some manual scripts are automatically customised at installation to reflect various install settings and options.*
+6. If the TLS self signed option is selected, client TLS certificates will be saved to `$DOWNLOAD_DIR/guac-setup`.
+7. Nginx is configured to only support TLS 1.2 or above.
 
-## **Setup download manifest**
+## **Download manifest**
 
-The setup command mentioned above downloads the following items into the `$DOWNLOAD_DIR/guac-setup` directory:
+The autorun link above downloads the following items into the `$DOWNLOAD_DIR/guac-setup` directory:
 
-- `1-setup.sh`: The parent install script itself
-- `2-install-guacamole.sh`: Guacamole installation script (inspired by [MysticRyuujin/guac-install](https://github.com/MysticRyuujin/guac-install))
+- `1-setup.sh`: The parent install script itself (saved to the current directory)
+- `2-install-guacamole.sh`: Guacamole installation script (based on [MysticRyuujin/guac-install](https://github.com/MysticRyuujin/guac-install))
 - `3-install-nginx.sh`: Installs Nginx & auto-configures a front-end reverse proxy for Guacamole (optional)
-- `4a-install-ssl-self-signed-nginx.sh`: Configures self-signed TLS certificate for Nginx proxy (optional)
-- `4b-install-ssl-letsencrypt-nginx.sh`: Installs & configures Let's Encrypt for Nginx proxy (optional)
+- `4a-install-tls-self-signed-nginx.sh`: Configures self-signed TLS certificate for Nginx proxy (optional)
+- `4b-install-tls-letsencrypt-nginx.sh`: Installs & configures Let's Encrypt for Nginx proxy (optional)
 - `add-auth-duo.sh`: Adds the Duo MFA extension if not selected during install (optional)
 - `add-auth-ldap.sh`: Adds the Active Directory extension and setup template if not selected at install (optional)
 - `add-auth-totp.sh`: Adds the TOTP MFA extension if not selected at install (optional)
-- `add-ssl-guac-gaucd.sh`: A hardening script to add a TLS wrapper between the guacd daemon and Guacamole client application traffic (optional, consider extra performance impact mitigations)
+- `add-tls-guac-daemon.sh`: A hardening script to add a TLS wrapper between the guacd server daemon and Guacamole application traffic (optional, consider extra performance impact mitigations)
 - `add-fail2ban.sh`: Adds a fail2ban policy (with local subnet override) to secure Guacamole against external brute force attacks
-- `add-smtp-relay-o365.sh`: Sets up a TLS/SMTP auth relay with O365 for monitoring & alerts (BYO app password)
+- `add-smtp-relay-o365.sh`: Sets up an SMTP auth relay with O365 for monitoring & alerts (BYO app password)
 - `backup-guacamole.sh`: A simple MySQL Guacamole backup script
-- `branding.jar`: An example template for a customised Guacamole login screen. The extension allows some measure of branding the user interface (or delete to keep the default interface). This is a version of https://github.com/Zer0CoolX/guacamole-customize-loginscreen-extension but with further tweaks to additionally support custom browser tab favicons. Much more extensive branding is possible via CSS inside this extension.
+- `branding.jar`: An example template for a customised Guacamole login screen. Much further UI customisation is possible inside this extension via additional CSS. Delete this file to keep the default Guacmole UI. 
diff --git a/add-auth-duo.sh b/add-auth-duo.sh
index 96f4d8c..4df51e7 100644
--- a/add-auth-duo.sh
+++ b/add-auth-duo.sh
@@ -50,7 +50,7 @@ echo "duo-api-hostname: ??????????"
 echo "duo-secret-key: ??????????"
 echo "duo-application-key: (this is locally created - run 'pwgen 40 1' to manually generate this 40 char random value)"
 echo
-echo "Once this change is complete, restart Guacamole with sudo systemctl restart tomcat9"
+echo "Once this change is complete, restart Guacamole with sudo systemctl restart ${TOMCAT_VERSION}"
 
 rm -rf guacamole-*
 
diff --git a/add-auth-ldap.sh b/add-auth-ldap.sh
index 58dd3c0..aa874ba 100644
--- a/add-auth-ldap.sh
+++ b/add-auth-ldap.sh
@@ -18,7 +18,6 @@ NC='\033[0m' #No Colour
 clear
 
 # Check if user is root or sudo
-
 if ! [ $(id -u) = 0 ]; then
     echo
     echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
diff --git a/add-auth-totp.sh b/add-auth-totp.sh
index fd4025f..fe7912d 100644
--- a/add-auth-totp.sh
+++ b/add-auth-totp.sh
@@ -17,6 +17,7 @@ NC='\033[0m' #No Colour
 
 clear
 
+# Check if user is root or sudo
 if ! [ $(id -u) = 0 ]; then
     echo
     echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
diff --git a/add-fail2ban.sh b/add-fail2ban.sh
index 889fc84..1745ad7 100644
--- a/add-fail2ban.sh
+++ b/add-fail2ban.sh
@@ -17,6 +17,7 @@ NC='\033[0m' #No Colour
 
 clear
 
+# Check if user is root or sudo
 if ! [ $(id -u) = 0 ]; then
     echo
     echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
@@ -40,10 +41,10 @@ rm -f /tmp/fail2ban.update
 # Start setup prompts #################################################################################################
 #######################################################################################################################
 
-# Prompt to install fail2ban base app, default of yes
+# Prompt to install fail2ban base package with no policy as yet, default of yes
 if [[ -z ${FAIL2BAN_BASE} ]]; then
     echo
-    echo -e -n "${LGREEN}Install Fail2ban? [default y]: ${GREY}"
+    echo -e -n "${LGREEN}Install Fail2ban? (base package with no policy as yet) [default y]: ${GREY}"
     read PROMPT
     if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
         FAIL2BAN_BASE=false
@@ -63,40 +64,40 @@ if [[ -z ${FAIL2BAN_GUAC} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
     fi
 fi
 
-# Prompt to install Nginx fail2ban config defaults , default of no
-if [[ -z ${FAIL2BAN_NGINX} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
-    echo -e -n "${GREY}POLICY: Apply Nginx fail2ban security policy? (y/n) [default n]:${GREY}"
-    read PROMPT
-    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
-        FAIL2BAN_NGINX=true
-    else
-        FAIL2BAN_NGINX=false
-    fi
-fi
+# Prompt to install Nginx fail2ban config defaults , default of no - NOT IMPLEMENTED YET
+#if [[ -z ${FAIL2BAN_NGINX} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
+#    echo -e -n "${GREY}POLICY: Apply Nginx fail2ban security policy? (y/n) [default n]:${GREY}"
+#    read PROMPT
+#    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
+#        FAIL2BAN_NGINX=true
+#    else
+#        FAIL2BAN_NGINX=false
+#    fi
+#fi
 
-# Prompt to install SSH fail2ban config defaults , default of no
-if [[ -z ${FAIL2BAN_SSH} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
-    echo -e -n "${GREY}POLICY: Apply SSH fail2ban security policy? (y/n) [default n]:${GREY}"
-    read PROMPT
-    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
-        FAIL2BAN_SSH=true
-    else
-        FAIL2BAN_SSH=false
-    fi
-fi
+# Prompt to install SSH fail2ban config defaults , default of no - NOT IMPLEMENTED YET
+#if [[ -z ${FAIL2BAN_SSH} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
+#    echo -e -n "${GREY}POLICY: Apply SSH fail2ban security policy? (y/n) [default n]:${GREY}"
+#    read PROMPT
+#    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
+#        FAIL2BAN_SSH=true
+#    else
+#        FAIL2BAN_SSH=false
+#    fi
+#fi
 
 #######################################################################################################################
 # Fail2ban base setup #################################################################################################
 #######################################################################################################################
 
-# Install base fail2ban base application (no policy defined yet)
+# Install base fail2ban base application, and whitelist the local subnet as the starting baseline (no policy defined yet)
 if [ "${FAIL2BAN_BASE}" = true ]; then
 
-    #Update and install fail2ban (and john for management of config file updates)
+    #Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings)
     sudo apt-get update -qq >/dev/null 2>&1
     sudo apt-get install fail2ban john -qq -y >/dev/null 2>&1
 
-    # Create the basic jail.local template
+    # Create the basic jail.local template and local subnet whitelist
     cat >/tmp/fail2ban.conf <<EOF
 [DEFAULT]
 destemail = yourname@example.com
@@ -173,7 +174,7 @@ if [ "${FAIL2BAN_BASE}" = true ]; then
     # Now the above loop is done, append the single loopback address to all the discovered the subnet IDs in a single line
     sed -i 's/^/127.0.0.1\/24 /' /tmp/netaddr.txt
 
-    # Finally assemble the entire syntaxt of the ignoreip whitelist for insertion into the base fail2ban config
+    # Finally assemble the entire syntax of the ignoreip whitelist for insertion into the base fail2ban config
     SED_IGNORE=$(echo "ignoreip = ")
     SED_NETADDR=$(cat /tmp/netaddr.txt)
     sed -i "s|ignoreip \=|${SED_IGNORE}${SED_NETADDR}|g" /tmp/fail2ban.conf
@@ -181,7 +182,7 @@ if [ "${FAIL2BAN_BASE}" = true ]; then
     # Move the new base fail2ban config to the jail.local file
     touch /etc/fail2ban/jail.local
 
-    # Apply thhe base config, keeping any pre-existing settings
+    # Apply the base config, keeping any pre-existing settings
     sudo bash -c 'cat /tmp/fail2ban.conf /etc/fail2ban/jail.local | unique /tmp/fail2ban.update ; cat /tmp/fail2ban.update > /etc/fail2ban/jail.local'
 
     # Clean up
@@ -190,7 +191,7 @@ if [ "${FAIL2BAN_BASE}" = true ]; then
     rm -f /tmp/netaddr.txt
     rm -f /tmp/fail2ban.update
 
-    # bounce the service to relaod the new config
+    # bounce the service to reload the new config
     sudo systemctl restart fail2ban
 
     # Done
@@ -204,16 +205,18 @@ else
 fi
 
 #######################################################################################################################
-# Fail2ban optional setup items #######################################################################################
+# Fail2ban optional policy setup items ################################################################################
 #######################################################################################################################
 
+if [ "${FAIL2BAN_GUAC}" = true ]; then
+
 # Create the Guacamole jail.local policy template
 cat >/tmp/fail2ban.conf <<EOF
 [guacamole]
 enabled = true
 port = http,https
 logpath  = /var/log/$TOMCAT_VERSION/catalina.out
-bantime = 10m
+bantime = 15m
 findtime  = 60m
 maxretry = 5
 EOF
@@ -232,8 +235,13 @@ REGEX='failregex = ^.*WARN  o\.a\.g\.r\.auth\.AuthenticationService - Authentica
 #Insert the new regex
 sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf
 
-# Bounce the service to relaod the new config
+# Done
+echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban"
+
+# Bounce the service to reload the new config
 sudo systemctl restart fail2ban
+echo
+fi
 
 # Clean up
 rm -f /tmp/fail2ban.conf
@@ -241,21 +249,17 @@ rm -f /tmp/ip_list.txt
 rm -f /tmp/netaddr.txt
 rm -f /tmp/fail2ban.update
 
-# Done
-echo -e "${LGREEN}Guacamole security policy applied${GREY}\n-${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban"
-echo
-
 ############## Start Fail2ban NGINX security policy option ###############
-if [ "${FAIL2BAN_NGINX}" = true ]; then
-    echo -e "${LGREEN}Nginx Fail2ban policy not implemented yet.${GREY}"
-    echo
-fi
+#if [ "${FAIL2BAN_NGINX}" = true ]; then
+#    echo -e "${LGREEN}Nginx Fail2ban policy not implemented yet.${GREY}"
+#    echo
+#fi
 
 ############### Start Fail2ban SSH security policy option ################
-if [ "${FAIL2BAN_SSH}" = true ]; then
-    echo -e "${LGREEN}SSH Fail2ban policy not implemented yet..${GREY}"
-    echo
-fi
+#if [ "${FAIL2BAN_SSH}" = true ]; then
+#    echo -e "${LGREEN}SSH Fail2ban policy not implemented yet..${GREY}"
+#    echo
+#fi
 
 #Done
 echo -e ${NC}
diff --git a/add-smtp-relay-o365.sh b/add-smtp-relay-o365.sh
index 185d12f..4ce1fe1 100644
--- a/add-smtp-relay-o365.sh
+++ b/add-smtp-relay-o365.sh
@@ -26,6 +26,7 @@ SENDER=$SUDO_USER
 SERVER=$(uname -n)
 DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed 's/'search[[:space:]]'//')
 
+# Check if user is root or sudo
 if ! [ $(id -u) = 0 ]; then
     echo
     echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
diff --git a/add-ssl-guac-gaucd.sh b/add-tls-guac-daemon.sh
similarity index 86%
rename from add-ssl-guac-gaucd.sh
rename to add-tls-guac-daemon.sh
index f9311e2..0ff2795 100644
--- a/add-ssl-guac-gaucd.sh
+++ b/add-tls-guac-daemon.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #######################################################################################################################
-# Harden Guacd <-> Guac client traffic in SSL wrapper
+# Harden Guacd <-> Guac client traffic in TLS wrapper
 # For Ubuntu / Debian / Raspbian
 # David Harrop
 # April 2023
@@ -15,6 +15,7 @@ LGREEN='\033[0;92m'
 LYELLOW='\033[0;93m'
 NC='\033[0m' #No Colour
 
+# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
 CERT_COUNTRY=
 CERT_STATE=
 CERT_LOCATION=
@@ -23,13 +24,14 @@ CERT_OU=
 
 clear
 
+# Check if user is root or sudo
 if ! [ $(id -u) = 0 ]; then
     echo
     echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
     exit 1
 fi
 
-# Create the special directory for guacd ssl certfifacte and key.
+# Create the special directory for guacd tls certificate and key.
 sudo mkdir /etc/guacamole/ssl
 echo
 cat <<EOF | tee -a cert_attributes.txt
@@ -57,11 +59,11 @@ DNS.1               = localhost
 IP.1                = 127.0.0.1
 EOF
 
-# Create the self signining request, certificate & key
+# Create the self signing request, certificate & key
 sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt
 rm -f cert_attributes.txt
 
-# Point Gaucamole config file to certificate any key
+# Point Guacamole config file to certificate and key
 sudo cat <<EOF | sudo tee /etc/guacamole/guacd.conf
 [server]
 bind_host = 127.0.0.1
@@ -71,7 +73,7 @@ server_certificate = /etc/guacamole/ssl/guacd.crt
 server_key = /etc/guacamole/ssl/guacd.key
 EOF
 
-# Enable SSL backend
+# Enable TLS backend
 sudo cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties
 guacd-ssl: true
 EOF
diff --git a/backup-guac.sh b/backup-guac.sh
index 0998c81..141f353 100644
--- a/backup-guac.sh
+++ b/backup-guac.sh
@@ -19,6 +19,7 @@ clear
 
 export PATH=/bin:/usr/bin:/usr/local/bin
 TODAY=$(date +%Y-%m-%d)
+# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
 MYSQL_HOST=
 MYSQL_PORT=
 GUAC_USER=
diff --git a/upgrade-guac.sh b/upgrade-guac.sh
index e4a8adc..1ad8012 100644
--- a/upgrade-guac.sh
+++ b/upgrade-guac.sh
@@ -21,6 +21,7 @@ LGREEN='\033[0;92m'
 LYELLOW='\033[0;93m'
 NC='\033[0m' #No Colour
 
+# Check if user is root or sudo
 if ! [ $(id -u) = 0 ]; then
     echo
     echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2