AWS Webcast - Deploying Remote Desktop Gateway on the AWS Cloud
This webinar reviews our new Remote Desktop Gateway Reference Implementation Guide, which will help you deploy Remote Desktop Gateway on AWS in about an hour. Included are an overview of the reference architecture and best practices for securely accessing your Windows-based instances using the Remote Desktop Protocol (RDP) for remote administration. Also provided are AWS CloudFormation templates to help automate deployment.

AWS Webcast - Deploying Remote Desktop Gateway on the AWS Cloud Presentation Transcript

  • 1. Deploying Remote Desktop Gateway in the AWS Cloud. AWS Whitepaper by Mike Pfeiffer
  • 2. Introduction
    This reference deployment guide includes architectural considerations and configuration steps for deploying Remote Desktop Gateway (RD Gateway) on the Amazon Web Services (AWS) cloud. We’ll discuss best practices for securely accessing your Windows-based instances using the Remote Desktop Protocol (RDP) for remote administration. We also provide links to automated AWS CloudFormation templates that you can use for your implementation or launch directly into your AWS account.
    This presentation gives an overview of the process used to create the example solution; it does not outline each step. For the detailed walkthrough, consult the whitepaper at http://aws.amazon.com/quickstart
  • 3. Before You Get Started
    This is an advanced topic. If you are new to AWS, see the Getting Started section of the AWS documentation. You should also be familiar with the following topics:
    • Amazon EC2
    • Amazon VPC
    • AWS CloudFormation
    • Windows Server 2012 or 2008 R2
    • Remote Windows administration using Remote Desktop Protocol (RDP)
  • 4. Microsoft Platform on AWS
    • Partnership to support running Windows Server-based workloads on AWS
    • Amazon Machine Images (AMIs) with Windows Server and SQL Server, jointly developed by Microsoft and AWS, are available today
    • SharePoint Server and other Microsoft server products can be licensed to run on AWS
    Two licensing models:
    • Pay-as-you-go (AMI pricing includes the software): Windows Server, SQL Server Standard
    • BYOL (use existing licenses on AWS): SQL Server Enterprise, SharePoint Server, other qualifying Microsoft Windows Server products*
    *General info on AWS and License Mobility for a variety of MS server products: http://aws.amazon.com/windows/mslicensemobility/
    Detail on AWS and License Mobility with SQL Server: http://aws.amazon.com/windows/mslicensemobility/sql/
    Microsoft “License Mobility through Software Assurance” gives Microsoft Volume Licensing customers the flexibility to deploy Windows Server applications with active Software Assurance (SA) on Amazon Web Services.
  • 5. What We’ll Cover
    • Considerations When Deploying RD Gateway
    • RD Gateway Setup
    • Client Configuration
    • Automated Deployment
      • Sample Deployment Scenario #1: Deploy RD Gateway into a new Amazon VPC
      • Sample Deployment Scenario #2: Deploy RD Gateway into an existing Amazon VPC
  • 7. Considerations When Deploying RD Gateway: The Principle of Least Privilege
    • Refers to users having the least privilege necessary to perform their job functions
    • Helps reduce the attack surface of your environment, making it much harder for an adversary to exploit
    • Reduce the attack surface by exposing the absolute minimal set of ports to the network, while also restricting the source network or IP address that is allowed to reach your Amazon EC2 instances
  • 8. Considerations When Deploying RD Gateway: Amazon Virtual Private Cloud (VPC)
    • Amazon VPC lets you provision a private, isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.
    • You can define a virtual network topology closely resembling a traditional network that you might operate on your own premises.
    • You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
  • 9. Considerations When Deploying RD Gateway: Network Access Control Lists
    • Can be attached to any subnet in an Amazon VPC to provide stateless filtering of traffic
    • Can be used for inbound or outbound traffic and provide an effective way to blacklist a CIDR block or an individual IP address
    • Can contain ordered rules to allow or deny traffic based on IP protocol, service port, or source or destination IP address
  • 10. Considerations When Deploying RD Gateway: Security Groups
    • Allow you to set policies to control open ports and provide isolation between application tiers
    • Act as an instance-level firewall and can be associated with multiple instances
  • 12. RD Gateway Setup: Initial Remote Administration Architecture
    • Servers in the public subnet will need an inbound Security Group rule permitting the RDP TCP port from the administrator’s source IP address or subnet
    • Windows instances sitting behind the RD Gateway in a private subnet should be in their own isolated tier
    • The administrator can use a traditional RDP connection to the RD Gateway to configure the local server
    • The RD Gateway can also be used as a “jumpbox”
    • The RD Gateway service should be installed and configured with an SSL certificate and Connection and Resource Authorization policies
  • 13. RD Gateway Setup: Gateway Installation
    • Can be performed from Server Manager or with a single PowerShell command on Windows Server 2012
    • Once complete, the RD Gateway role, along with all prerequisite software and administration tools, will be installed on your Windows Server 2012 Amazon EC2 instance
    For Windows Server 2008 R2 based installations, we recommend following the detailed installation instructions at http://technet.microsoft.com/en-us/library/dd983949(v=ws.10).aspx
  • 14. RD Gateway Setup: SSL Certificates
    • SSL certificates must be installed on each RD Gateway
    • Larger environments should use a public certificate, but smaller test environments can use a self-signed certificate
    • Implementing a self-signed certificate can get you up and running quickly in 5 steps.
  • 15. RD Gateway Setup: Connection and Resource Authorization Policies
    Once you’ve installed the RD Gateway role and an SSL certificate, you are ready to configure Connection and Resource Authorization policies.
    • Connection Authorization Policies: Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to an RD Gateway instance. For example, you can select a group of users from your domain, such as “Domain Admins”.
    • Resource Authorization Policies: Remote Desktop resource authorization policies (RD RAPs) allow you to specify the internal Windows-based instances that remote users can connect to through an RD Gateway instance. For example, you can choose specific domain-joined computers that administrators can connect to through the RD Gateway.
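The gateway-side steps from slides 13 to 15 (role installation, self-signed certificate, RD CAP and RD RAP) as one script, added here as an example; it is not the whitepaper's or the Quick Start's own code. It assumes Windows Server 2012 with the RemoteDesktopServices module, is run elevated on the gateway instance, and uses placeholder values for the domain, group names and gateway FQDN; the `RDS:` provider parameters are used as documented for that provider and should be checked against your server version.

```powershell
# Added example, not from the whitepaper. Run elevated on the Windows Server 2012 RD Gateway
# instance. Domain, group names and FQDN below are placeholders for your environment.
$domainNetbios = 'EXAMPLE'                      # placeholder NetBIOS domain name
$adminGroup    = "Domain Admins@$domainNetbios" # RD CAP/RAP user group, 'Group@Domain' form
$targetGroup   = "RDGW-Targets@$domainNetbios"  # AD computer group holding private-subnet hosts
$gatewayFqdn   = 'rdgw.example.com'             # public name clients connect to (placeholder)

# 1. Install the RD Gateway role (slide 13): the single PowerShell command on Server 2012.
Install-WindowsFeature RDS-Gateway -IncludeManagementTools

# 2. Self-signed certificate for a test environment (slide 14). The subject must match the
#    FQDN clients use, or the client-side TLS check fails. Production should use a public CA.
$cert = New-SelfSignedCertificate -DnsName $gatewayFqdn -CertStoreLocation 'Cert:\LocalMachine\My'

Import-Module RemoteDesktopServices
# 3. Bind that certificate to the gateway's HTTPS listener.
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# 4. RD CAP (slide 15): who may connect. AuthMethod 1 = password. Only the admin group passes.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Admins-CAP' `
         -UserGroups $adminGroup -AuthMethod 1

# 5. RD RAP (slide 15): which internal hosts those users may reach. ComputerGroupType 1 = an
#    existing AD computer group, so the gateway only relays to the hosts you listed there
#    instead of any resource (type 2).
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Admins-RAP' `
         -UserGroups $adminGroup -ComputerGroupType 1 -ComputerGroup $targetGroup

# Verify the policies the gateway now enforces.
Get-ChildItem 'RDS:\GatewayServer\CAP', 'RDS:\GatewayServer\RAP' | Select-Object Name, PSPath
```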
  • 16. RD Gateway Setup: RD Gateway Architecture on the AWS Cloud
    • You can modify the Security Group for the RD Gateway to use a single inbound rule permitting TCP port 443
    • This increases the security of the connection and also removes the need to initiate an RDP session to the desktop of the RD Gateway
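Creating the single-rule security group described on this slide, and auditing the VPC for any rule that would undo it (the least-privilege point from slides 7 and 10), as an added example that is not part of the whitepaper or the Quick Start templates. It assumes the AWS Tools for PowerShell are installed with credentials and a default region configured; the VPC ID and administrator CIDR are placeholders.

```powershell
# Added example (not the Quick Start's own code). Assumes AWS Tools for PowerShell with
# credentials and default region configured. VPC ID and admin CIDR are placeholders.
$vpcId     = 'vpc-PLACEHOLDER'     # VPC the RD Gateway is launched into (placeholder)
$adminCidr = '203.0.113.10/32'     # administrator's source address (documentation range)

# Security group for the RD Gateway tier; it starts with no inbound rules at all.
$sgId = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'RDGateway-SG' `
            -Description 'RD Gateway: HTTPS from administrator source only'

# The single inbound rule from slide 16: TCP 443 from the admin CIDR only. Port 3389 stays
# closed, so administrators reach private instances only through the gateway's HTTPS listener.
$range = New-Object Amazon.EC2.Model.IpRange
$range.CidrIp      = $adminCidr
$range.Description = 'Administrator workstation'
$ranges = New-Object 'System.Collections.Generic.List[Amazon.EC2.Model.IpRange]'
$ranges.Add($range)
$https = New-Object Amazon.EC2.Model.IpPermission
$https.IpProtocol = 'tcp'
$https.FromPort   = 443
$https.ToPort     = 443
$https.Ipv4Ranges = $ranges
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $https

# Least-privilege check: report every rule in the VPC that exposes RDP (3389) or that
# accepts traffic from anywhere, either of which defeats the restriction above.
function Test-RdGatewayIngress {
    param([Parameter(Mandatory)][string]$VpcId)
    foreach ($sg in Get-EC2SecurityGroup -Filter @{ Name = 'vpc-id'; Values = $VpcId }) {
        foreach ($perm in $sg.IpPermissions) {
            $sources   = @($perm.Ipv4Ranges | ForEach-Object CidrIp)
            $allPorts  = $perm.IpProtocol -eq '-1'
            $coversRdp = $allPorts -or ($perm.FromPort -le 3389 -and $perm.ToPort -ge 3389)
            if ($coversRdp -or $sources -contains '0.0.0.0/0') {
                [pscustomobject]@{
                    GroupId  = $sg.GroupId;        GroupName = $sg.GroupName
                    Protocol = $perm.IpProtocol;   FromPort  = $perm.FromPort
                    ToPort   = $perm.ToPort;       Sources   = ($sources -join ', ')
                }
            }
        }
    }
}
Test-RdGatewayIngress -VpcId $vpcId | Format-Table -AutoSize
```

An empty table from the check is the expected result for this architecture; any row is a rule to justify or remove.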
  • 18. Client Configuration
    Configuring your administrative clients requires:
    1. Installation of any root certificates
    2. Name resolution for the RD Gateway FQDN
    3. Proper configuration of the Remote Desktop Gateway in the client
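The three client-side steps above carried out from an elevated PowerShell prompt on the administrator's Windows workstation, as an added example that is not from the whitepaper. It assumes the gateway's self-signed certificate was exported to `rdgw.cer`, and the gateway FQDN, its public IP and the target host name are placeholders.

```powershell
# Added example, not from the whitepaper. Run elevated on the administrator's Windows client.
$gatewayFqdn = 'rdgw.example.com'      # placeholder; must match the gateway certificate subject
$gatewayIp   = '198.51.100.20'         # placeholder public IP of the RD Gateway
$target      = 'app01.example.local'   # private-subnet instance permitted by the RD RAP
$certFile    = "$env:USERPROFILE\rdgw.cer"   # self-signed cert exported from the gateway

# 1. Root certificate: trust the gateway's self-signed certificate (not needed with a public CA).
Import-Certificate -FilePath $certFile -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. Name resolution: a hosts entry until a public DNS record for the gateway exists.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern "\s$([regex]::Escape($gatewayFqdn))\s*$" -Quiet)) {
    Add-Content -Path $hosts -Value "$gatewayIp`t$gatewayFqdn"
}

# 3. Gateway configuration: an .rdp file that tunnels the session through the gateway on
#    TCP 443 instead of opening 3389 to the internet.
#    gatewayusagemethod 1 = always use the gateway; gatewayprofileusagemethod 1 = use these
#    explicit settings; gatewaycredentialssource 0 = prompt for password (NTLM);
#    promptcredentialonce 1 = reuse the gateway credentials for the target host.
$rdpFile = "$env:USERPROFILE\Desktop\$target.rdp"
@"
full address:s:$target
gatewayhostname:s:$gatewayFqdn
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"@ | Set-Content -Path $rdpFile

mstsc $rdpFile
```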
  • 20. Sample Deployment Scenario #1: Deploy RD Gateway into a New Amazon VPC
    The AWS CloudFormation template performs these actions to deploy this scenario:
    • Set up the Amazon VPC, including subnets in two Availability Zones
    • Configure private and public routes
    • Launch Windows Server 2012 Amazon Machine Images (AMIs)
    • Configure security groups and rules for traffic between application tiers
    • Set up and configure AD Sites and Subnets
    • Enable ingress traffic into the Amazon VPC for administrative access to the Remote Desktop Gateway and NAT instances
  • 21. Template Customization
    • Sample Template 1 allows for customization of 12 defined parameters
    • These parameters can be modified or extended
  • 22. Sample Deployment Scenario #2: Deploy RD Gateway into an Existing Amazon VPC
    The AWS CloudFormation template performs these actions to deploy this scenario:
    • Launch Windows Server 2012 Amazon Machine Images (AMIs)
    • Configure security groups and rules for traffic between application tiers
    • Enable ingress traffic into the Amazon VPC for administrative access to the Remote Desktop Gateway and NAT instances
  • 23. Template Customization
    • Sample Template 2 allows for customization of 9 defined parameters
    • These can be modified or extended just like Template 1
  • 24. More Reference Deployments from AWS
    • Active Directory: Reference Architecture Whitepaper; Advanced Implementation Guide and CloudFormation templates
    • SharePoint Server: Reference Architecture Whitepaper; Advanced Implementation Guide and CloudFormation templates
    • SQL Server: “Implementing Microsoft Windows Server Failover Clustering (WSFC) and SQL Server 2012 AlwaysOn Availability Groups in the AWS Cloud”
    • Microsoft Exchange: “Microsoft Exchange Server 2010 in the AWS Cloud: Planning and Implementation Guide”
    These and more can be found at http://aws.amazon.com/microsoft/whitepapers/
  • 25. Additional Resources
    Web pages:
    • Microsoft on AWS: http://aws.amazon.com/microsoft/
    • Windows on AWS (includes pricing): http://aws.amazon.com/windows/
    • Reference Deployment Quickstart: http://aws.amazon.com/quickstart/
    • AWS Windows and .NET Developer Center (with SDK): http://aws.amazon.com/net/
    • Amazon EC2 Windows Guide: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/
    • Scenarios for Amazon VPC: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenarios.html
    • Microsoft Licensing: http://aws.amazon.com/windows/mslicensemobility/ (covers Exchange, SharePoint, SQL, Lync, SCOM, and Dynamics; see the page for specific details, including which versions are covered)
    Whitepapers:
    • Implementing Active Directory Domain Services on AWS
    • Exchange on AWS Implementation & Planning Guide
    • Implementing Microsoft Windows Server Failover Clustering and SQL Server 2012 AlwaysOn Availability Groups in the AWS Cloud
    • SharePoint Server on AWS Reference Architecture
    • More at http://aws.amazon.com/microsoft/whitepapers
    Contact us: https://aws.amazon.com/microsoft/contact-us/
    If you have either business or technical questions about running Microsoft software on AWS, please don’t hesitate to contact us.
  • 26. Deploying Remote Desktop Gateway in the AWS Cloud. Thank You