Amazon AWS Workspace Howto

Uploaded on

Guide to configuring AWS Workspace

Guide to configuring AWS Workspace

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Part 1 - AWS Workspaces with On-Premise Directory + OpenVPN Server (How-to) route table VPC subnet router VPC subnet AZ AZ Internet gateway OpenVPN NAT (Public IP) (Public IP) Internet WorkSpace Client Direct Corp Network VPN Client WorkSpace Client On Premises/Corporate Network design (for demo)
  • 2. Goal is to test AWS Workspace, without using AWS VPN Gateway or Hardware VPN, at the same time mimic that behavior, see diagram below On Premises/Corporate Network design (recommended by AWS) Contents o Create AWS account, sign in and create key pair o Create and configure VPC, subnet and routes o Configure Proxy on NAT Instance o Create and configure OpenVPN Server o Create 2 windows instances in Private Subnet o Configure Active Directory on Windows instances o Configure Security Groups to allow access o Implement pre-requisites to connect to Workspace Directory o Connect On premises Active Directory to Workspace Directory o Launch Workspace and connect with Workspace Client
  • 3.  Create AWS Account , Sign In and create a key pair o unts.html o If you are a federal employee/contractor and testing, it’s advisable to request an invoice of a finite amount from AWS GSA reseller, instead of using Government credit card. (Pcard). There 2 reasons for this, one you might over charge than allocated amount and two if you have to move test to production, this is a preferred route. o ec2-create-your-key-pair o EC2 Dashboard  Resources  Key Pairs o Use putty kegen to convert .pem to .ppk format private-key
  • 4.  Create VPC with public and private subnet option o VPN Wizard o Chose Public and Private Subnet Option
  • 5. o Subnet Options in creating VPC Note 1: I have chosen 172.16.x.x range merely to show we can have custom subnet and ranges here.
  • 6.  Configure VPC o Subnets & Routing  Private Subnet connects to NAT Instance  Public Subnet connects to Internet Gateway o Security Group and VPC  Allow access from your IP to VPC, add MY IP to default security group  Note: AWS has a cool feature where it automatically adds Public IP accessing AWS Console to “My IP” in drop out.
  • 7.  NAT Instance Configuration o Name instance, security group and interface o NAT Interface o Connect to NAT instance
  • 8. o Install & Configure Squid Proxy (This will be later used allow traffic from private subnet to internet)
  • 9.  Create OpenVPN Server instance o Create OpenVPN server instance from AWS marketplace o Select Instance type (t1. Micro) for the demo o Connect Instance to private subnet and allow automatic public IP address Note: I choose to connect open VPN directly private, so design is similar Hardware VPN/Customer gateway
  • 10. o Add “My IP” to security group to allow access o Choose the previously created key pair o Instance up and live
  • 11. ******************PROBLEM & Solution**************  OpenVPN instance has a public interface, but inaccessible since there is no route between private subnet from Internet  Systems within a public subnet cannot communicated to each other, since it represents a DMZ in AWS World  Systems within a Private subnet can communicate to each other and connect to Internet only via NAT Instance. (Refer to Routing/Subnet Screenshot earlier)  In read world we would hardware VPN to connect to private subnet, for the demo, we will have to connect Private subnet directory directly “Internet”.  Routing Scenarios discuss further in below document.  Updated Routes shows direct connection between private subnet and internet gateway  After these changes we can directly connect to OpenVPN Server ******************Completed**************
  • 12.  Configure OpenVPN Server o SSH Open Server using existing key pair (Answer “yes” to all questions) Initial Configuration Complete! During normal operation, OpenVPN AS can be accessed via these URLs: Admin UI: Client UI: openvpn@openvpnas2:~$ sudo su - root root@openvpnas2:~# passwd openvpn (aws123!) o Login to Admin interface and add Private Subnet
  • 13.  Create two Windows 2008 R2 Instances on Private Subnet o Launch Windows 2008 R2 instances o Configure instances to be part of private subnet only o Configure security group to allow RDP access from public and private subnet only
  • 14. o Instances up and live o Download and install OpenVPN client
  • 15. o RDP into both windows system by decrypting password using key
  • 16.  Install & Configure Active Directory o These 2 instances will be domain controllers for the “work.local” domain and represent Corporate Active Directory. Later we will establish connection between Workspace Directory and Corporate Directory. o Hostnames/IP Address: – and – o Change the computer names and run dcpromo.exe on both instances. o Note 1: Domain Level should be Windows 2008 R2 or above otherwise, workspace configuration fails. o Note 2: For test I have selected t1.micro but selecting larger instance type will speed up the configuration process. o Install and Configure First Domain controller in the forest(AD wizard)  Run Dcpromo.exe , AD wizard
  • 17. Note: Change the IP addresses to static.
  • 18.  This is test setup and we are not authoritative for work.local, choose “Yes” and continue.  Domain Controller 1, installation complete. o Edit security group to allow all traffic between domain controllers o Install and Configure Second Domain Controller  Add first controller IP in second controller(c6) DNS before starting configuration
  • 19.  Prerequisites for connecting to Workspace Directory o Delegating Connect Privileges: ges.html
  • 20. o Create a test user Mary Major (marym) with password “Password”
  • 21. o Notes :  Disable IE ESC Mode  Squid Proxy Server to IE ( on domain Controllers  Add Reverse Lookup Zone to Domain Controllers  Allow access to port 3128 on NAT Instance from Domain Controllers(Internet Access for DCs) o Connect Verification  on.html
  • 22.  Note: Ignore the closed ports
  • 23. o Add additional subnet in different Availability Zone required by Workspace o Add Internet gateway to Additional Subnet o Allow all traffic to Domain Controller from Local Subnet. As a best practice we should add individual ports listed on below link. o
  • 24.  Create a join between Workspace Directory and Private Active Directory o Register directory “work.local” to Amazon Workspace. o html o Run Advance Setup and Workspaces Connect
  • 25. o Entire required details for AWS work to connect to corporate directory Note: Best practice is have second domain controller on different subnet on different AZ.
  • 26. o Connection Bug: I noticed that directory connection failed multiple times. Added allowed all Inbound traffic from default VPC security group and Domain controller security group and it worked. Not a recommended design. o Directory Join Complete
  • 27.  Launch Workspace for User
  • 28.  Connect to Test Workspace o Download and install a Workspaces Client for your favorite devices: o Launch the Client and enter the following registration code: SLiad+CA7Z9Y o Login with your password. Your username is marym o Connected to Workspace – Success!!
  • 29. Note: Workspace computer object created in AD o Connect Workspace to Internet  Add Squid Proxy to the web browser o Install and configure Synclient
  • 30. Part 2 - AWS Workspaces with Cloud Directory (How-to) Goal, Implement AWS Workspace with cloud directory. Follow AWS guide. Contents o Create new VPC o Add subnet and configure routing in VPC o Setup Cloud Directory o Add Test User and Launch Workspace o Connect to Workspace o Internet Access to Workspace o Administering Cloud Directory o Printing in Workspace
  • 31.  Create New VPC o Choose Public/Private Option o Create a new CIDR Block for new VPC
  • 32. o New VPC Created o Create new subnet in different AZ
  • 33.  Subnet & Routes o Private Subnets routed to NAT Instance o Public NAT is route to Internet Gateway
  • 34.  Setup Cloud Directory o Cloud Directory Wizard o Entire VPC and Subnet Details
  • 35. o Cloud Directory up and running
  • 36.  Launch Workspaces o Create a Test User o Choose Workspace Type and Launch User Workspace
  • 37. o Workspace up and running o Change User Password
  • 38. o Connect to Workspace – Success!
  • 39. o Internet Access to Workspace  When Cloud directory is created 2 security group are added. As per documentation only Port 443 and Port 80 Outbound access rules needs to be added to “members” group. While Testing I had to ‘All traffic” for Internet to work.
  • 40.  Administrating Cloud Directory o Install Tools on Workspace. o tory.html#install_ad_tools_win2008 o Run the tool as Administrator to Create Users C:>runas /user:cwork.awsapps.comAdministrator "mmc dsa.msc" Enter the password for cwork.awsapps.comAdministrator: Attempting to start mmc dsa.msc as user "cwork.awsapps.comAdministrator" ...
  • 41. o Create New User “John Smith”, Launch Workspace and Test o Workspace Live and running
  • 42. o Connected to Workspace
  • 43.  Printing o Direct printing from AWS Workspace to Desktop printer non available. Workaround is to use Google Cloud Print and ThinPrint(trail/paid) o Google Cloud Print.   Regular Desktop  Sign to Google using Chrome  Settings  Advanced  Google Cloud Print  Add Classic Printer  Option 1) AWS Workspace  Sign to Google  Connect to URL --> Print  Upload File  Select Printer & Print  Option 2) Download Chrome and Google Cloud Printer. Select File to Print  Select Google Cloud Printer  Sign to Google  Select Printer & Print o ThinPrint  Complex installation and configuration o Printnode/Printshare