Your SlideShare is downloading. ×
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Amazon AWS Workspace Howto
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Amazon AWS Workspace Howto

4,123

Published on

Guide to configuring AWS Workspace

Guide to configuring AWS Workspace

Published in: Technology
1 Comment
4 Likes
Statistics
Notes
No Downloads
Views
Total Views
4,123
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
73
Comments
1
Likes
4
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Part 1 - AWS Workspaces with On-Premise Directory + OpenVPN Server (How-to) route table VPC subnet router VPC subnet AZ AZ Internet gateway OpenVPN NAT (Public IP) (Public IP) Internet WorkSpace Client Direct Corp Network VPN Client WorkSpace Client On Premises/Corporate Network design (for demo)
  • 2. Goal is to test AWS Workspace, without using AWS VPN Gateway or Hardware VPN, at the same time mimic that behavior, see diagram below On Premises/Corporate Network design (recommended by AWS) Contents o Create AWS account, sign in and create key pair o Create and configure VPC, subnet and routes o Configure Proxy on NAT Instance o Create and configure OpenVPN Server o Create 2 windows instances in Private Subnet o Configure Active Directory on Windows instances o Configure Security Groups to allow access o Implement pre-requisites to connect to Workspace Directory o Connect On premises Active Directory to Workspace Directory o Launch Workspace and connect with Workspace Client
  • 3.  Create AWS Account , Sign In and create a key pair o http://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/AboutAWSAcco unts.html o If you are a federal employee/contractor and testing, it’s advisable to request an invoice of a finite amount from AWS GSA reseller, instead of using Government credit card. (Pcard). There 2 reasons for this, one you might over charge than allocated amount and two if you have to move test to production, this is a preferred route. http://aws.amazon.com/contractcenter/ o http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having- ec2-create-your-key-pair o EC2 Dashboard  Resources  Key Pairs o Use putty kegen to convert .pem to .ppk format http://support.cdh.ucla.edu/help/132-file-transfer-protocol-ftp/583-converting-your- private-key
  • 4.  Create VPC with public and private subnet option o VPN Wizard o Chose Public and Private Subnet Option
  • 5. o Subnet Options in creating VPC Note 1: I have chosen 172.16.x.x range merely to show we can have custom subnet and ranges here.
  • 6.  Configure VPC o Subnets & Routing  Private Subnet connects to NAT Instance  Public Subnet connects to Internet Gateway o Security Group and VPC  Allow access from your IP to VPC, add MY IP to default security group  Note: AWS has a cool feature where it automatically adds Public IP accessing AWS Console to “My IP” in drop out.
  • 7.  NAT Instance Configuration o Name instance, security group and interface o NAT Interface o Connect to NAT instance
  • 8. o Install & Configure Squid Proxy (This will be later used allow traffic from private subnet to internet)
  • 9.  Create OpenVPN Server instance o Create OpenVPN server instance from AWS marketplace o Select Instance type (t1. Micro) for the demo o Connect Instance to private subnet and allow automatic public IP address Note: I choose to connect open VPN directly private, so design is similar Hardware VPN/Customer gateway
  • 10. o Add “My IP” to security group to allow access o Choose the previously created key pair o Instance up and live
  • 11. ******************PROBLEM & Solution**************  OpenVPN instance has a public interface, but inaccessible since there is no route between private subnet from Internet  Systems within a public subnet cannot communicated to each other, since it represents a DMZ in AWS World  Systems within a Private subnet can communicate to each other and connect to Internet only via NAT Instance. (Refer to Routing/Subnet Screenshot earlier)  In read world we would hardware VPN to connect to private subnet, for the demo, we will have to connect Private subnet directory directly “Internet”.  Routing Scenarios discuss further in below document. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html  Updated Routes shows direct connection between private subnet and internet gateway  After these changes we can directly connect to OpenVPN Server ******************Completed**************
  • 12.  Configure OpenVPN Server o SSH Open Server using existing key pair (Answer “yes” to all questions) Initial Configuration Complete! During normal operation, OpenVPN AS can be accessed via these URLs: Admin UI: https://54.86.45.124:943/admin Client UI: https://54.86.45.124:943/ openvpn@openvpnas2:~$ sudo su - root root@openvpnas2:~# passwd openvpn (aws123!) o Login to Admin interface and add Private Subnet
  • 13.  Create two Windows 2008 R2 Instances on Private Subnet o Launch Windows 2008 R2 instances o Configure instances to be part of private subnet only o Configure security group to allow RDP access from public and private subnet only
  • 14. o Instances up and live o Download and install OpenVPN client http://openvpn.net/index.php/access-server/download-openvpn-as-sw/357.html
  • 15. o RDP into both windows system by decrypting password using key
  • 16.  Install & Configure Active Directory o These 2 instances will be domain controllers for the “work.local” domain and represent Corporate Active Directory. Later we will establish connection between Workspace Directory and Corporate Directory. o Hostnames/IP Address: 172.16.1.136 – c6.work.local and 172.16.1.177 – c7.work.local o Change the computer names and run dcpromo.exe on both instances. o Note 1: Domain Level should be Windows 2008 R2 or above otherwise, workspace configuration fails. o Note 2: For test I have selected t1.micro but selecting larger instance type will speed up the configuration process. o Install and Configure First Domain controller 172.16.1.137(c7) in the forest(AD wizard)  Run Dcpromo.exe , AD wizard
  • 17. Note: Change the IP addresses to static.
  • 18.  This is test setup and we are not authoritative for work.local, choose “Yes” and continue.  Domain Controller 1, installation complete. o Edit security group to allow all traffic between domain controllers o Install and Configure Second Domain Controller  Add first controller IP in second controller(c6) DNS before starting configuration
  • 19.  Prerequisites for connecting to Workspace Directory o Delegating Connect Privileges: http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_delegate_privile ges.html
  • 20. o Create a test user Mary Major (marym) with password “Password”
  • 21. o Notes :  Disable IE ESC Mode  Squid Proxy Server to IE (172.16.0.83:3128) on domain Controllers  Add Reverse Lookup Zone to Domain Controllers  Allow access to port 3128 on NAT Instance from Domain Controllers(Internet Access for DCs) o Connect Verification  http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_verificati on.html
  • 22.  Note: Ignore the closed ports
  • 23. o Add additional subnet in different Availability Zone required by Workspace o Add Internet gateway to Additional Subnet o Allow all traffic to Domain Controller from Local Subnet. As a best practice we should add individual ports listed on below link. o http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_directory.html
  • 24.  Create a join between Workspace Directory and Private Active Directory o Register directory “work.local” to Amazon Workspace. o http://docs.aws.amazon.com/workspaces/latest/adminguide/using_connect_directory. html o Run Advance Setup and Workspaces Connect
  • 25. o Entire required details for AWS work to connect to corporate directory Note: Best practice is have second domain controller on different subnet on different AZ.
  • 26. o Connection Bug: I noticed that directory connection failed multiple times. Added allowed all Inbound traffic from default VPC security group and Domain controller security group and it worked. Not a recommended design. o Directory Join Complete
  • 27.  Launch Workspace for User
  • 28.  Connect to Test Workspace o Download and install a Workspaces Client for your favorite devices: http://clients.amazonworkspaces.com/ o Launch the Client and enter the following registration code: SLiad+CA7Z9Y o Login with your password. Your username is marym o Connected to Workspace – Success!!
  • 29. Note: Workspace computer object created in AD o Connect Workspace to Internet  Add Squid Proxy to the web browser o Install and configure Synclient http://docs.aws.amazon.com/workspaces/latest/adminguide/sync_client_help.html
  • 30. Part 2 - AWS Workspaces with Cloud Directory (How-to) Goal, Implement AWS Workspace with cloud directory. Follow AWS guide. http://docs.aws.amazon.com/workspaces/latest/adminguide/cloud_directory.html Contents o Create new VPC o Add subnet and configure routing in VPC o Setup Cloud Directory o Add Test User and Launch Workspace o Connect to Workspace o Internet Access to Workspace o Administering Cloud Directory o Printing in Workspace
  • 31.  Create New VPC o Choose Public/Private Option o Create a new CIDR Block for new VPC
  • 32. o New VPC Created o Create new subnet in different AZ
  • 33.  Subnet & Routes o Private Subnets routed to NAT Instance o Public NAT is route to Internet Gateway
  • 34.  Setup Cloud Directory o Cloud Directory Wizard o Entire VPC and Subnet Details
  • 35. o Cloud Directory up and running
  • 36.  Launch Workspaces o Create a Test User o Choose Workspace Type and Launch User Workspace
  • 37. o Workspace up and running o Change User Password
  • 38. o Connect to Workspace – Success!
  • 39. o Internet Access to Workspace  When Cloud directory is created 2 security group are added. As per documentation only Port 443 and Port 80 Outbound access rules needs to be added to “members” group. While Testing I had to ‘All traffic” for Internet to work.
  • 40.  Administrating Cloud Directory o Install Tools on Workspace. o http://docs.aws.amazon.com/workspaces/latest/adminguide/managing_a_direc tory.html#install_ad_tools_win2008 o Run the tool as Administrator to Create Users C:>runas /user:cwork.awsapps.comAdministrator "mmc dsa.msc" Enter the password for cwork.awsapps.comAdministrator: Attempting to start mmc dsa.msc as user "cwork.awsapps.comAdministrator" ...
  • 41. o Create New User “John Smith”, Launch Workspace and Test o Workspace Live and running
  • 42. o Connected to Workspace
  • 43.  Printing o Direct printing from AWS Workspace to Desktop printer non available. Workaround is to use Google Cloud Print and ThinPrint(trail/paid) o Google Cloud Print.  http://www.google.com/landing/cloudprint/  Regular Desktop  Sign to Google using Chrome  Settings  Advanced  Google Cloud Print  Add Classic Printer  Option 1) AWS Workspace  Sign to Google  Connect to URL https://www.google.com/landing/cloudprint --> Print  Upload File  Select Printer & Print  Option 2) Download Chrome and Google Cloud Printer. Select File to Print  Select Google Cloud Printer  Sign to Google  Select Printer & Print o ThinPrint  Complex installation and configuration o Printnode/Printshare

×