Upload
mailbhargav
View
3.990
Download
9
Embed Size (px)
DESCRIPTION
Guide to configuring AWS Workspace
Citation preview
Part 1 - AWS Workspaces with On-Premise Directory +
OpenVPN Server (How-to)
route table
VPC subnet
router
VPC subnet
AZ
AZ
Internet gateway
OpenVPN
NAT
(Public IP)
(Public IP)
Internet
WorkSpace Client
Direct
Corp Network
VPN Client
WorkSpace Client
On Premises/Corporate Network design (for demo)
Goal is to test AWS Workspace, without using AWS VPN Gateway or Hardware VPN, at the same time
mimic that behavior, see diagram below
On Premises/Corporate Network design (recommended by AWS)
Contents
o Create AWS account, sign in and create key pair
o Create and configure VPC, subnet and routes
o Configure Proxy on NAT Instance
o Create and configure OpenVPN Server
o Create 2 windows instances in Private Subnet
o Configure Active Directory on Windows instances
o Configure Security Groups to allow access
o Implement pre-requisites to connect to Workspace Directory
o Connect On premises Active Directory to Workspace Directory
o Launch Workspace and connect with Workspace Client
Create AWS Account , Sign In and create a key pair
o http://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/AboutAWSAcco
unts.html
o If you are a federal employee/contractor and testing, it’s advisable to request an invoice
of a finite amount from AWS GSA reseller, instead of using Government credit card.
(Pcard). There 2 reasons for this, one you might over charge than allocated amount and
two if you have to move test to production, this is a preferred route.
http://aws.amazon.com/contractcenter/
o http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-
ec2-create-your-key-pair
o EC2 Dashboard Resources Key Pairs
o Use putty kegen to convert .pem to .ppk format
http://support.cdh.ucla.edu/help/132-file-transfer-protocol-ftp/583-converting-your-
private-key
Create VPC with public and private subnet option
o VPN Wizard
o Chose Public and Private Subnet Option
o Subnet Options in creating VPC
Note 1: I have chosen 172.16.x.x range merely to show we can have custom subnet and
ranges here.
Configure VPC
o Subnets & Routing
Private Subnet connects to NAT Instance
Public Subnet connects to Internet Gateway
o Security Group and VPC
Allow access from your IP to VPC, add MY IP to default security group
Note: AWS has a cool feature where it automatically adds Public IP accessing
AWS Console to “My IP” in drop out.
NAT Instance Configuration
o Name instance, security group and interface
o NAT Interface
o Connect to NAT instance
o Install & Configure Squid Proxy (This will be later used allow traffic
from private subnet to internet)
Create OpenVPN Server instance
o Create OpenVPN server instance from AWS marketplace
o Select Instance type (t1. Micro) for the demo
o Connect Instance to private subnet and allow automatic public IP address
Note: I choose to connect open VPN directly private, so design is similar Hardware
VPN/Customer gateway
o Add “My IP” to security group to allow access
o Choose the previously created key pair
o Instance up and live
******************PROBLEM & Solution**************
OpenVPN instance has a public interface, but inaccessible since there is no route between
private subnet from Internet
Systems within a public subnet cannot communicated to each other, since it represents a DMZ
in AWS World
Systems within a Private subnet can communicate to each other and connect to Internet only
via NAT Instance. (Refer to Routing/Subnet Screenshot earlier)
In read world we would hardware VPN to connect to private subnet, for the demo, we will have
to connect Private subnet directory directly “Internet”.
Routing Scenarios discuss further in below document.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html
Updated Routes shows direct connection between private subnet and internet gateway
After these changes we can directly connect to OpenVPN Server
******************Completed**************
Configure OpenVPN Server
o SSH Open Server using existing key pair (Answer “yes” to all questions)
Initial Configuration Complete!
During normal operation, OpenVPN AS can be accessed via these URLs:
Admin UI: https://54.86.45.124:943/admin
Client UI: https://54.86.45.124:943/
openvpn@openvpnas2:~$ sudo su - root
root@openvpnas2:~# passwd openvpn
(aws123!)
o Login to Admin interface and add Private Subnet
Create two Windows 2008 R2 Instances on Private Subnet
o Launch Windows 2008 R2 instances
o Configure instances to be part of private subnet only
o Configure security group to allow RDP access from public and private subnet only
o Instances up and live
o Download and install OpenVPN client
http://openvpn.net/index.php/access-server/download-openvpn-as-sw/357.html
o RDP into both windows system by decrypting password using key
Install & Configure Active Directory
o These 2 instances will be domain controllers for the “work.local” domain and represent
Corporate Active Directory. Later we will establish connection between Workspace
Directory and Corporate Directory.
o Hostnames/IP Address: 172.16.1.136 – c6.work.local and 172.16.1.177 – c7.work.local
o Change the computer names and run dcpromo.exe on both instances.
o Note 1: Domain Level should be Windows 2008 R2 or above otherwise, workspace
configuration fails.
o Note 2: For test I have selected t1.micro but selecting larger instance type will speed up
the configuration process.
o Install and Configure First Domain controller 172.16.1.137(c7) in the forest(AD wizard)
Run Dcpromo.exe , AD wizard
Note: Change the IP addresses to static.
This is test setup and we are not authoritative for work.local, choose “Yes” and
continue.
Domain Controller 1, installation complete.
o Edit security group to allow all traffic between domain controllers
o Install and Configure Second Domain Controller
Add first controller IP in second controller(c6) DNS before starting configuration
Prerequisites for connecting to Workspace Directory
o Delegating Connect Privileges:
http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_delegate_privile
ges.html
o Create a test user Mary Major (marym) with password “Password”
o Notes :
Disable IE ESC Mode
Squid Proxy Server to IE (172.16.0.83:3128) on domain Controllers
Add Reverse Lookup Zone to Domain Controllers
Allow access to port 3128 on NAT Instance from Domain Controllers(Internet
Access for DCs)
o Connect Verification
http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_verificati
on.html
Note: Ignore the closed ports
o Add additional subnet in different Availability Zone required by Workspace
o Add Internet gateway to Additional Subnet
o Allow all traffic to Domain Controller from Local Subnet. As a best practice we should add
individual ports listed on below link.
o http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_directory.html
Create a join between Workspace Directory and Private Active Directory
o Register directory “work.local” to Amazon Workspace.
o http://docs.aws.amazon.com/workspaces/latest/adminguide/using_connect_directory.
html
o Run Advance Setup and Workspaces Connect
o Entire required details for AWS work to connect to corporate directory
Note: Best practice is have second domain controller on different subnet on different
AZ.
o Connection Bug: I noticed that directory connection failed multiple times. Added
allowed all Inbound traffic from default VPC security group and Domain controller
security group and it worked. Not a recommended design.
o Directory Join Complete
Launch Workspace for User
Connect to Test Workspace
o Download and install a Workspaces Client for your favorite devices:
http://clients.amazonworkspaces.com/
o Launch the Client and enter the following registration code: SLiad+CA7Z9Y
o Login with your password. Your username is marym
o Connected to Workspace – Success!!
Note: Workspace computer object created in AD
o Connect Workspace to Internet
Add Squid Proxy to the web browser
o Install and configure Synclient
http://docs.aws.amazon.com/workspaces/latest/adminguide/sync_client_help.html
Part 2 - AWS Workspaces with Cloud Directory (How-to)
Goal, Implement AWS Workspace with cloud directory. Follow AWS guide.
http://docs.aws.amazon.com/workspaces/latest/adminguide/cloud_directory.html
Contents o Create new VPC
o Add subnet and configure routing in VPC
o Setup Cloud Directory
o Add Test User and Launch Workspace
o Connect to Workspace
o Internet Access to Workspace
o Administering Cloud Directory
o Printing in Workspace
Create New VPC
o Choose Public/Private Option
o Create a new CIDR Block for new VPC
o New VPC Created
o Create new subnet in different AZ
Subnet & Routes
o Private Subnets routed to NAT Instance
o Public NAT is route to Internet Gateway
Setup Cloud Directory
o Cloud Directory Wizard
o Entire VPC and Subnet Details
o Cloud Directory up and running
Launch Workspaces
o Create a Test User
o Choose Workspace Type and Launch User Workspace
o Workspace up and running
o Change User Password
o Connect to Workspace – Success!
o Internet Access to Workspace
When Cloud directory is created 2 security group are added. As per
documentation only Port 443 and Port 80 Outbound access rules needs
to be added to “members” group. While Testing I had to ‘All traffic” for
Internet to work.
Administrating Cloud Directory
o Install Tools on Workspace.
o http://docs.aws.amazon.com/workspaces/latest/adminguide/managing_a_direc
tory.html#install_ad_tools_win2008
o Run the tool as Administrator to Create Users C:\>runas /user:cwork.awsapps.com\Administrator "mmc
dsa.msc"
Enter the password for cwork.awsapps.com\Administrator:
Attempting to start mmc dsa.msc as user
"cwork.awsapps.com\Administrator" ...
o Create New User “John Smith”, Launch Workspace and Test
o Workspace Live and running
o Connected to Workspace
Printing
o Direct printing from AWS Workspace to Desktop printer non available.
Workaround is to use Google Cloud Print and ThinPrint(trail/paid)
o Google Cloud Print.
http://www.google.com/landing/cloudprint/
Regular Desktop Sign to Google using Chrome Settings
Advanced Google Cloud Print Add Classic Printer
Option 1) AWS Workspace Sign to Google Connect to URL
https://www.google.com/landing/cloudprint --> Print Upload File
Select Printer & Print
Option 2) Download Chrome and Google Cloud Printer. Select File to Print
Select Google Cloud Printer Sign to Google Select Printer & Print
o ThinPrint
Complex installation and configuration
o Printnode/Printshare