
Amazon AWS Workspace Howto


DESCRIPTION

Guide to configuring AWS Workspace


Page 1: Amazon AWS Workspace Howto

Part 1 - AWS Workspaces with On-Premise Directory + OpenVPN Server (How-to)

[Diagram: On Premises/Corporate Network design (for demo). Labels: VPC with two subnets in two AZs, route table, router, Internet gateway, OpenVPN and NAT instances (each with a public IP), Internet, WorkSpace Client connecting directly, and a Corp Network with a VPN Client and a WorkSpace Client.]

Page 2: Amazon AWS Workspace Howto

The goal is to test AWS WorkSpaces without using an AWS VPN Gateway or hardware VPN, while still mimicking that behavior; see the diagram below.

[Diagram: On Premises/Corporate Network design (recommended by AWS)]

Contents
o Create AWS account, sign in and create key pair
o Create and configure VPC, subnet and routes
o Configure proxy on NAT instance
o Create and configure OpenVPN server
o Create 2 Windows instances in private subnet
o Configure Active Directory on Windows instances
o Configure security groups to allow access
o Implement prerequisites to connect to Workspace Directory
o Connect on-premises Active Directory to Workspace Directory
o Launch Workspace and connect with Workspace Client

Page 3: Amazon AWS Workspace Howto

Create AWS Account, Sign In and create a key pair
o http://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/AboutAWSAccounts.html
o If you are a federal employee/contractor and testing, it is advisable to request an invoice for a finite amount from the AWS GSA reseller instead of using a government credit card (Pcard). There are two reasons for this: one, you might be charged more than the allocated amount, and two, if you have to move the test to production, this is the preferred route.
http://aws.amazon.com/contractcenter/
o http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair
o EC2 Dashboard > Resources > Key Pairs
o Use PuTTYgen to convert the .pem key to .ppk format
http://support.cdh.ucla.edu/help/132-file-transfer-protocol-ftp/583-converting-your-private-key

Page 4: Amazon AWS Workspace Howto

Create VPC with public and private subnet option
o VPC Wizard
o Choose the Public and Private Subnet option

Page 5: Amazon AWS Workspace Howto

o Subnet options in creating the VPC
Note 1: I have chosen the 172.16.x.x range merely to show that we can have custom subnets and ranges here.

Page 6: Amazon AWS Workspace Howto

Configure VPC
o Subnets & Routing
Private subnet routes to the NAT instance
Public subnet routes to the Internet gateway
o Security Group and VPC
Allow access from your IP to the VPC: add "My IP" to the default security group
Note: AWS has a cool feature where it automatically adds the public IP accessing the AWS Console as "My IP" in the drop-down.

Page 7: Amazon AWS Workspace Howto

NAT Instance Configuration

o Name instance, security group and interface

o NAT Interface

o Connect to NAT instance

Page 8: Amazon AWS Workspace Howto

o Install & configure Squid proxy (this will later be used to allow traffic from the private subnet to the Internet)

Page 9: Amazon AWS Workspace Howto

Create OpenVPN Server instance
o Create the OpenVPN server instance from the AWS Marketplace
o Select instance type (t1.micro) for the demo
o Connect the instance to the private subnet and allow automatic public IP address assignment
Note: I chose to connect OpenVPN directly to the private subnet, so the design is similar to a hardware VPN/customer gateway.

Page 10: Amazon AWS Workspace Howto

o Add “My IP” to security group to allow access

o Choose the previously created key pair

o Instance up and live

Page 11: Amazon AWS Workspace Howto

******************PROBLEM & Solution**************
The OpenVPN instance has a public interface, but it is inaccessible since there is no route from the Internet to the private subnet.
Systems within a public subnet cannot communicate with each other, since it represents a DMZ in the AWS world.
Systems within a private subnet can communicate with each other and connect to the Internet only via the NAT instance (refer to the Routing/Subnet screenshot earlier).
In the real world we would use a hardware VPN to connect to the private subnet; for the demo, we will have to connect the private subnet directly to the "Internet".
Routing scenarios are discussed further in the document below.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html
The updated routes show a direct connection between the private subnet and the Internet gateway.
After these changes we can connect directly to the OpenVPN server.
******************Completed**************

Page 12: Amazon AWS Workspace Howto

Configure OpenVPN Server
o SSH to the OpenVPN server using the existing key pair (answer "yes" to all questions)

Initial Configuration Complete!
During normal operation, OpenVPN AS can be accessed via these URLs:
Admin UI: https://54.86.45.124:943/admin
Client UI: https://54.86.45.124:943/
openvpn@openvpnas2:~$ sudo su - root
root@openvpnas2:~# passwd openvpn
(aws123!)

o Log in to the Admin interface and add the private subnet

Page 13: Amazon AWS Workspace Howto

Create two Windows 2008 R2 Instances on Private Subnet

o Launch Windows 2008 R2 instances

o Configure instances to be part of private subnet only

o Configure security group to allow RDP access from public and private subnet only

Page 14: Amazon AWS Workspace Howto

o Instances up and live

o Download and install OpenVPN client

http://openvpn.net/index.php/access-server/download-openvpn-as-sw/357.html

Page 15: Amazon AWS Workspace Howto

o RDP into both Windows systems, decrypting the password with the key pair

Page 16: Amazon AWS Workspace Howto

Install & Configure Active Directory
o These 2 instances will be domain controllers for the "work.local" domain and represent the corporate Active Directory. Later we will establish the connection between the Workspace Directory and the corporate directory.
o Hostnames/IP addresses: 172.16.1.136 – c6.work.local and 172.16.1.177 – c7.work.local
o Change the computer names and run dcpromo.exe on both instances.
o Note 1: The domain functional level should be Windows 2008 R2 or above; otherwise, the Workspace configuration fails.
o Note 2: For the test I have selected t1.micro, but selecting a larger instance type will speed up the configuration process.
o Install and configure the first domain controller 172.16.1.137 (c7) in the forest (AD wizard)
Run dcpromo.exe, AD wizard

Page 17: Amazon AWS Workspace Howto

Note: Change the IP addresses to static.

Page 18: Amazon AWS Workspace Howto

This is a test setup and we are not authoritative for work.local, so choose "Yes" and continue.
Domain Controller 1 installation complete.
o Edit the security group to allow all traffic between the domain controllers
o Install and configure the second domain controller
Add the first controller's IP to the second controller's (c6) DNS settings before starting the configuration

Page 21: Amazon AWS Workspace Howto

Prerequisites for connecting to Workspace Directory
o Delegating Connect Privileges:
http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_delegate_privileges.html

Page 22: Amazon AWS Workspace Howto

o Create a test user Mary Major (marym) with password “Password”

Page 23: Amazon AWS Workspace Howto

o Notes:
Disable IE ESC mode
Set the Squid proxy server (172.16.0.83:3128) in IE on the domain controllers
Add a reverse lookup zone to the domain controllers
Allow access to port 3128 on the NAT instance from the domain controllers (Internet access for the DCs)
o Connect Verification
http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_verification.html

Page 24: Amazon AWS Workspace Howto

Note: Ignore the closed ports

Page 25: Amazon AWS Workspace Howto

o Add an additional subnet in a different Availability Zone, as required by Workspaces
o Add the Internet gateway to the additional subnet
o Allow all traffic to the domain controllers from the local subnet. As a best practice we should instead add only the individual ports listed at the link below.
o http://docs.aws.amazon.com/workspaces/latest/adminguide/connect_directory.html

Page 26: Amazon AWS Workspace Howto

Create a join between Workspace Directory and private Active Directory
o Register the directory "work.local" with Amazon Workspaces.
o http://docs.aws.amazon.com/workspaces/latest/adminguide/using_connect_directory.html
o Run Advanced Setup and Workspaces Connect

Page 27: Amazon AWS Workspace Howto

o Enter the required details for AWS Workspaces to connect to the corporate directory
Note: Best practice is to have the second domain controller on a different subnet in a different AZ.

Page 28: Amazon AWS Workspace Howto

o Connection Bug: I noticed that the directory connection failed multiple times. I allowed all inbound traffic from the default VPC security group and the domain controller security group, and it worked. Not a recommended design.

o Directory Join Complete
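Two shortcuts in this deck widen the exposure of the domain controllers: the "updated route" on Page 11 that sends the private subnet's default route to the Internet gateway, and the all-traffic security group rules on Pages 25 and 28. The following Python audit is an added example, not part of the original deck or any AWS tool; it runs over constructed, boto3-shaped route table and security group records (the IDs and CIDRs are placeholders) and flags both patterns.

```python
"""Audit VPC route tables and security groups for the two demo shortcuts the deck
takes: a "private" subnet given a default route to an Internet gateway, and security
group rules that admit all traffic. All records below are constructed (boto3-shaped);
the IDs are placeholders, not values from the deck."""
from typing import Dict, List, Tuple

ROUTE_TABLES: List[Dict] = [
    # The DC subnet after the Page 11 "updated route": 0.0.0.0/0 -> Internet gateway
    {"RouteTableId": "rtb-private-dc",
     "Associations": [{"SubnetId": "subnet-private-dc"}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo"}]},
    # A private subnet as AWS intends: Internet egress only through the NAT instance
    {"RouteTableId": "rtb-private-nat",
     "Associations": [{"SubnetId": "subnet-private-nat"}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat"}]},
]

SECURITY_GROUPS: List[Dict] = [
    {"GroupId": "sg-dc", "GroupName": "domain-controllers",
     "IpPermissions": [
         # The Page 28 workaround: all traffic from the default VPC security group
         {"IpProtocol": "-1", "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-default"}]},
         # A scoped rule of the kind the Page 25 best-practice note asks for
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "172.16.0.0/16"}], "UserIdGroupPairs": []}]},
]

def internet_exposed_subnets(route_tables: List[Dict]) -> List[str]:
    """Subnet IDs whose route table sends 0.0.0.0/0 to an igw-*: such a subnet is
    public regardless of what it is named."""
    exposed = []
    for table in route_tables:
        for route in table["Routes"]:
            if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and route.get("GatewayId", "").startswith("igw-")):
                exposed += [a["SubnetId"] for a in table["Associations"] if "SubnetId" in a]
    return exposed

def all_traffic_rules(groups: List[Dict]) -> List[Tuple[str, str]]:
    """(group id, source) for each inbound rule with IpProtocol "-1" (all ports/protocols)."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] != "-1":
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            findings += [(sg["GroupId"], src) for src in sources]
    return findings
```

To run it against a real account, feed it the "RouteTables" and "SecurityGroups" lists returned by boto3's EC2 describe_route_tables() and describe_security_groups() in place of the constructed records.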

Page 29: Amazon AWS Workspace Howto

Launch Workspace for User

Page 31: Amazon AWS Workspace Howto

Connect to Test Workspace

o Download and install a Workspaces Client for your favorite devices:

http://clients.amazonworkspaces.com/

o Launch the Client and enter the following registration code: SLiad+CA7Z9Y

o Log in with your password. Your username is marym
o Connected to Workspace – Success!!

Page 32: Amazon AWS Workspace Howto

Note: Workspace computer object created in AD
o Connect Workspace to the Internet
Add the Squid proxy to the web browser
o Install and configure the Sync Client
http://docs.aws.amazon.com/workspaces/latest/adminguide/sync_client_help.html

Page 33: Amazon AWS Workspace Howto

Part 2 - AWS Workspaces with Cloud Directory (How-to)
Goal: implement AWS Workspaces with a cloud directory. Follow the AWS guide.
http://docs.aws.amazon.com/workspaces/latest/adminguide/cloud_directory.html

Contents
o Create new VPC
o Add subnet and configure routing in VPC
o Set up Cloud Directory
o Add test user and launch Workspace
o Connect to Workspace
o Internet access to Workspace
o Administering Cloud Directory
o Printing in Workspace

Page 34: Amazon AWS Workspace Howto

Create New VPC

o Choose Public/Private Option

o Create a new CIDR Block for new VPC

Page 35: Amazon AWS Workspace Howto

o New VPC Created

o Create new subnet in different AZ

Page 36: Amazon AWS Workspace Howto

Subnet & Routes
o Private subnets routed to the NAT instance
o Public subnet (NAT) routed to the Internet gateway

Page 38: Amazon AWS Workspace Howto

Setup Cloud Directory

o Cloud Directory Wizard
o Enter VPC and subnet details

Page 39: Amazon AWS Workspace Howto

o Cloud Directory up and running

Page 40: Amazon AWS Workspace Howto

Launch Workspaces

o Create a Test User

o Choose Workspace Type and Launch User Workspace

Page 41: Amazon AWS Workspace Howto

o Workspace up and running

o Change User Password

Page 42: Amazon AWS Workspace Howto

o Connect to Workspace – Success!

Page 43: Amazon AWS Workspace Howto

o Internet Access to Workspace
When the Cloud Directory is created, 2 security groups are added. As per the documentation, only port 443 and port 80 outbound access rules need to be added to the "members" group. While testing I had to allow "All traffic" for Internet access to work.

Page 44: Amazon AWS Workspace Howto

Administering Cloud Directory
o Install tools on the Workspace.
o http://docs.aws.amazon.com/workspaces/latest/adminguide/managing_a_directory.html#install_ad_tools_win2008
o Run the tool as Administrator to create users:
C:\>runas /user:cwork.awsapps.com\Administrator "mmc dsa.msc"
Enter the password for cwork.awsapps.com\Administrator:
Attempting to start mmc dsa.msc as user "cwork.awsapps.com\Administrator" ...

Page 45: Amazon AWS Workspace Howto

o Create New User “John Smith”, Launch Workspace and Test

o Workspace Live and running

Page 46: Amazon AWS Workspace Howto

o Connected to Workspace

Page 47: Amazon AWS Workspace Howto

Printing
o Direct printing from an AWS Workspace to a desktop printer is not available. The workaround is to use Google Cloud Print or ThinPrint (trial/paid).
o Google Cloud Print
http://www.google.com/landing/cloudprint/
Regular desktop: sign in to Google using Chrome > Settings > Advanced > Google Cloud Print > Add Classic Printer
Option 1) AWS Workspace: sign in to Google and connect to the URL https://www.google.com/landing/cloudprint --> Print > Upload File > Select Printer & Print
Option 2) Download Chrome and Google Cloud Printer. Select File to Print > Select Google Cloud Printer > Sign in to Google > Select Printer & Print
o ThinPrint
Complex installation and configuration
o Printnode/Printshare