AWS Webcast - Deploying Remote Desktop Gateway on the AWS Cloud

Post on 06-Jan-2017

TRANSCRIPT

  • Deploying Remote Desktop Gateway in the AWS Cloud

    AWS Whitepaper by Mike Pfeiffer

  • Introduction

    This reference deployment guide includes architectural considerations and configuration steps for deploying Remote Desktop Gateway (RD Gateway) on the Amazon Web Services (AWS) cloud. We'll discuss best practices for securely accessing your Windows-based instances using the Remote Desktop Protocol (RDP) for remote administration.

    We also provide links to automated AWS CloudFormation templates that you can leverage for your implementation or launch directly into your AWS account.

    This presentation gives an overview of the process to create the example solution. It does not outline each step. For the detailed overview, please consult the whitepaper available here: http://aws.amazon.com/quickstart/

  • Before You Get Started

    This is an advanced topic. If you are new to AWS, see the Getting Started section of the AWS documentation: http://docs.aws.amazon.com/gettingstarted/latest/awsgsg-intro/gsg-aws-intro.html

    You should also be familiar with the following topics:

    Amazon EC2

    Amazon VPC

    AWS CloudFormation

    Windows Server 2012 or 2008 R2

    Remote Windows Administration using Remote Desktop Protocol (RDP)

  • Microsoft Platform on AWS

    Partnership to support running Windows Server-based workloads on AWS

    Amazon Machine Images (AMIs) with Windows Server and SQL Server today that were jointly developed by Microsoft and AWS

    SharePoint Server and other Microsoft server products can be licensed to run on AWS

    Two licensing models:

    Pay-as-you-go AMI pricing (includes software): Windows Server, SQL Server Standard

    BYOL (use existing licenses on AWS): SQL Server Enterprise, SharePoint Server, other qualifying Microsoft Windows Server products*

    *General info on AWS and License Mobility for a variety of MS server products: http://aws.amazon.com/windows/mslicensemobility/

    Detail on AWS and License Mobility with SQL Server: http://aws.amazon.com/windows/mslicensemobility/sql/

    Microsoft License Mobility through Software Assurance gives Microsoft Volume Licensing customers the flexibility to deploy Windows Server applications with active Software Assurance (SA) on Amazon Web Services.

  • What We'll Cover

    Considerations When Deploying RD Gateway

    RD Gateway Setup

    Client Configuration

    Automated Deployment

    Sample Deployment Scenario #1: Deploy RD Gateway into a new Amazon VPC

    Sample Deployment Scenario #2: Deploy RD Gateway into an existing Amazon VPC

  • Considerations When Deploying RD Gateway

    The Principle of Least Privilege

    Refers to users having the least possible privilege necessary to perform their job functions

    Helps reduce the attack surface of your environment, making it much harder for an adversary to exploit it

    Reduce the attack surface by exposing the absolute minimal set of ports to the network while also restricting the source network or IP address that will have access to your Amazon EC2 instances

  • Considerations When Deploying RD Gateway

    Amazon Virtual Private Cloud (VPC)

    Amazon VPC lets you provision a private, isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You can define a virtual network topology closely resembling a traditional network that you might operate on your own premises. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

  • Considerations When Deploying RD Gateway

    Network Access Control Lists

    Can be attached to any network subnet in an Amazon VPC to provide stateless filtering of traffic

    Can be used for inbound or outbound traffic and provide an effective way to blacklist a CIDR block or individual IP address

    Can contain ordered rules to allow or deny traffic based upon IP protocol, service port, or source or destination IP address

  • Considerations When Deploying RD Gateway

    Security Groups

    Allow you to set policies to control open ports and provide isolation between application tiers

    Can act as an instance-level firewall or be associated with multiple instances

  • RD Gateway Setup

    Initial Remote Administration Architecture

    Servers in the public subnet will need an inbound Security Group rule permitting the RDP TCP port from the administrator's source IP address or subnet

    Windows instances sitting behind RD Gateway in a private subnet should be in their own isolated tier

    Administrator can use a traditional RDP connection to an RD Gateway to configure the local server

    RD Gateway can also be used as a jumpbox

    RD Gateway service should be installed and configured with an SSL certificate and Connection and Authorization policies

  • RD Gateway Setup

    Gateway Installation

    Can be performed from Server Manager or with a single PowerShell command on Windows Server 2012

    Once complete, the RD Gateway role, along with all prerequisite software and administration tools, will be installed on your Windows Server 2012 Amazon EC2 instance

    For Windows Server 2008 R2 based installations, we recommend following the detailed installation instructions at http://technet.microsoft.com/en-us/library/dd983949(v=ws.10).aspx

  • RD Gateway Setup

    SSL Certificates

    SSL certificates must be installed on each RD Gateway

    Larger environments should use a public certificate, but smaller test environments can use a self-signed certificate

    Implementing a self-signed certificate can allow you to get up and running quickly in 5 steps.

  • RD Gateway Setup

    Connection and Resource Authorization Policies

    Once you've installed the RD Gateway role and an SSL certificate, you are ready to configure Connection and Resource Authorization policies.

    Connection Authorization Policies: Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to an RD Gateway instance. For example, you can select a group of users from your domain, such as "Domain Admins".

    Resource Authorization Policies: Remote Desktop resource authorization policies (RD RAPs) allow you to specify the internal Windows-based instances that remote users can connect to through an RD Gateway instance. For example, you can choose specific domain-joined computers which administrators can connect to through the RD Gateway.
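    The server-side steps on the last three slides (role installation, SSL certificate, RD CAP, RD RAP) carried through as one script. This is an added example, not code from the whitepaper or its templates. It assumes a Windows Server 2012 gateway instance and an elevated session on it; the gateway name, the domain and the two AD group names are placeholders, and the RDS: drive parameters (UserGroups, AuthMethod, ComputerGroupType, ComputerGroup) are those of the RemoteDesktopServices module's provider.

```powershell
# Added example, not from the whitepaper. Installs and configures the RD
# Gateway role on a Windows Server 2012 EC2 instance. Run in an elevated
# session on the gateway. The name, domain and groups are placeholders.
$GatewayFqdn = 'rdgw.example.com'      # placeholder: public name clients will use
$AdminGroup  = 'RDGW-Admins@EXAMPLE'   # placeholder AD user group, Group@Domain form
$TargetGroup = 'RDGW-Targets@EXAMPLE'  # placeholder AD computer group of allowed hosts

# 1. Role installation: the single command from the slides. Prerequisite
#    features (NPS, IIS, RPC over HTTP proxy) are pulled in automatically.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# 2. SSL certificate. A self-signed certificate is acceptable for a small
#    test environment; a larger one should instead import a certificate from
#    a public CA into Cert:\LocalMachine\My and skip this command.
$cert = New-SelfSignedCertificate -DnsName $GatewayFqdn `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# Export the public certificate so each administrator's client can place it
# in its Trusted Root store (step 1 of the client configuration slide).
$exportPath = Join-Path $env:TEMP "$GatewayFqdn.cer"
Export-Certificate -Cert $cert -FilePath $exportPath | Out-Null

# 3. Bind the certificate to the gateway service through the RDS: drive.
Import-Module RemoteDesktopServices
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# 4. Connection authorization policy (RD CAP): who may connect to the
#    gateway at all. AuthMethod 1 = password, 2 = smart card, 3 = either.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Admins-CAP' `
    -UserGroups $AdminGroup -AuthMethod 1 | Out-Null

# 5. Resource authorization policy (RD RAP): which internal computers those
#    users may reach. ComputerGroupType 1 limits it to the members of an AD
#    computer group, rather than every host in the domain (type 2).
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Admins-RAP' `
    -UserGroups $AdminGroup -ComputerGroupType 1 -ComputerGroup $TargetGroup | Out-Null

# Verify: the bound thumbprint and both policies should be listed.
Get-Item 'RDS:\GatewayServer\SSLCertificate\Thumbprint'
Get-ChildItem 'RDS:\GatewayServer\CAP', 'RDS:\GatewayServer\RAP'
Write-Host "Certificate exported to $exportPath for client installation."
```

    The RAP is the control that keeps a compromised administrator account from reaching every host in the domain through the gateway: scoping it to a computer group means the gateway only brokers connections to the servers that group contains.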

  • RD Gateway Setup

    RD Gateway Architecture on the AWS Cloud

    You can modify the Security Group for RD Gateway to use a single inbound rule permitting TCP port 443

    Increases the security of the connection and also prevents the need to initiate an RDP session to the desktop of the RD Gateway
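    The least-privilege, security group and network ACL considerations from earlier in the deck and the single-port rule on this slide, built with the AWS Tools for PowerShell. This is an added example, not code from the whitepaper or its CloudFormation templates. The VPC ID, network ACL ID and both address ranges are placeholders (the CIDRs are constructed from documentation ranges), and TCP 3389 is the standard RDP port, which the slides do not name.

```powershell
# Added example, not from the whitepaper or the AWS sample templates.
# Builds the network controls the deck describes with the AWS Tools for
# PowerShell. Every ID and address range below is a placeholder; the two
# CIDRs are constructed from the documentation ranges for this example.
Import-Module AWSPowerShell

$VpcId      = 'vpc-0123456789abcdef0'   # placeholder VPC
$PrivateAcl = 'acl-0123456789abcdef0'   # placeholder NACL on the private subnet
$AdminCidr  = '203.0.113.0/24'          # constructed: administrators' source range
$BlockCidr  = '198.51.100.0/24'         # constructed: range to blacklist

# 1. RD Gateway tier: the single inbound rule from the architecture slide.
#    Only TCP 443 (RDP over HTTPS), and only from the administrators' range,
#    so no RDP session to the gateway's own desktop is ever exposed.
$gwSg = New-EC2SecurityGroup -VpcId $VpcId -GroupName 'RDGW-SG' `
            -Description 'RD Gateway: HTTPS from administrators only'
Grant-EC2SecurityGroupIngress -GroupId $gwSg -IpPermission @(
    @{ IpProtocol = 'tcp'; FromPort = 443; ToPort = 443; IpRanges = @($AdminCidr) }
)

# 2. Private tier: the Windows instances behind the gateway accept RDP
#    (TCP 3389, the standard RDP port) only from the gateway's security
#    group. Referencing the group instead of an address keeps the rule
#    correct when the gateway instance is replaced.
$privSg = New-EC2SecurityGroup -VpcId $VpcId -GroupName 'Private-Tier-SG' `
              -Description 'Windows instances: RDP from the RD Gateway only'
$fromGateway = New-Object Amazon.EC2.Model.UserIdGroupPair
$fromGateway.GroupId = $gwSg
Grant-EC2SecurityGroupIngress -GroupId $privSg -IpPermission @(
    @{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; UserIdGroupPairs = @($fromGateway) }
)

# 3. Network ACL: a stateless deny for a whole CIDR block on the private
#    subnet. Rule number 50 is evaluated before the subnet's allow rules,
#    which is what makes the blacklist effective.
New-EC2NetworkAclEntry -NetworkAclId $PrivateAcl -RuleNumber 50 -Protocol '-1' `
    -RuleAction deny -Egress $false -CidrBlock $BlockCidr

# Review the result: each group should show exactly one inbound rule.
Get-EC2SecurityGroup -GroupId $gwSg, $privSg |
    Select-Object GroupName, @{ n = 'Inbound'; e = { $_.IpPermissions.Count } }
```

    Security groups are stateful, so return traffic for the two allowed flows needs no extra rule; the NACL entry is stateless and therefore blocks the listed range regardless of which side opened the connection, which is the behaviour the deck relies on for blacklisting.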

  • Client Configuration

    Connection and Resource Authorization Policies

    Configuring your administrative clients requires:

    1. Installation of any root certificates

    2. Name resolution for the RD Gateway FQDN

    3. Proper configuration of the Remote Desktop Gateway settings on the client
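    The three client steps above as one script, added here and not taken from the whitepaper. It assumes a Windows workstation and an elevated session; the gateway name, its public address, the exported certificate path and the target server are placeholders (the address is a constructed documentation-range value). The .rdp keys it writes are the documented Remote Desktop Connection gateway settings.

```powershell
# Added example, not from the whitepaper. Prepares an administrator's Windows
# workstation for RD Gateway in the three steps the slide lists. All names,
# addresses and paths are placeholders.
$GatewayFqdn = 'rdgw.example.com'                # placeholder: name on the gateway certificate
$GatewayIp   = '203.0.113.10'                    # constructed documentation-range address
$RootCert    = 'C:\Temp\rdgw.example.com.cer'    # placeholder: certificate exported from the gateway
$Target      = 'app01.example.local'             # placeholder: internal host behind the gateway

# 1. Trust the gateway's certificate. Needed only for self-signed or private
#    CA certificates; a public CA certificate is trusted already. Compare the
#    printed thumbprint with the one bound on the gateway before continuing.
$imported = Import-Certificate -FilePath $RootCert -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Trusted gateway certificate thumbprint: $($imported.Thumbprint)"

# 2. Name resolution. The name on the certificate must resolve to the
#    gateway or the TLS check fails. Prefer DNS; a hosts entry is the
#    fallback for a small test environment.
if (-not (Resolve-DnsName -Name $GatewayFqdn -ErrorAction SilentlyContinue)) {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Add-Content -Path $hosts -Value "$GatewayIp`t$GatewayFqdn"
}

# 3. Remote Desktop client settings. An .rdp file is the scriptable form of
#    the Advanced > "Connect from anywhere" dialog in mstsc:
#      gatewayusagemethod 1        = always go through the gateway
#      gatewayprofileusagemethod 1 = use these explicit settings
#      gatewaycredentialssource 0  = prompt for a password (1 = smart card)
#      authentication level 1      = refuse to connect if server auth fails
$rdp = @"
full address:s:$Target
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:1
"@
$rdpFile = Join-Path $env:USERPROFILE "Desktop\$Target-via-gateway.rdp"
Set-Content -Path $rdpFile -Value $rdp
Write-Host "Connection file written to $rdpFile"
mstsc.exe $rdpFile
```

    Writing `authentication level:i:1` rather than the default warning prompt means a certificate mismatch on the gateway aborts the connection instead of asking the administrator to click through, which is the behaviour you want when the gateway is the only exposed entry point.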

  • Sample Deployment Scenario #1

    Deploy RD Gateway into a New Amazon VPC

    The AWS CloudFormation template performs these actions to deploy this scenario.

    Set up the Amazon VPC, including subnets in two Availability Zones

    Configure private and public routes

    Launch Windows Server 2012 Amazon Machine Images (AMIs)

    Configure security groups and rules for traffic between application tiers

    Set up and configure AD Sites and Subnets

    Enable ingress traffic into the Amazon VPC for administrative access to Remote Desktop Gateway and NAT instances

    Launch Stack: https://console.aws.amazon.com/cloudformation/home?region=us-west-2#cstack=sn%7ERDGW1%7Cturl%7Ehttps://s3.amazonaws.com/microsoft_windows/rdgateway/Template_1_RDGW_2012.template

  • Template Customization

    Sample Template 1 allows for customization of 12 defined parameters. These can be modified or extended.

  • Sample Deployment Scenario #2

    Deploy RD Gateway into an Existing Amazon VPC

    The AWS CloudFormation template performs these actions to deploy this scenario.

    Launch Windows Server 2012 Amazon Machine Images (AMIs)

    Configure security groups and rules for traffic between application tiers

    Enable ingress traffic into the Amazon VPC for administrative access to Remote Desktop Gateway and NAT instances

    Launch Stack: https://console.aws.amazon.com/cloudformation/home?region=us-west-2#cstack=sn%7ERDGW2%7Cturl%7Ehttps://s3.amazonaws.com/microsoft_windows/rdgateway/Template_2_RDGW_2012.template

  • Template Customization

    Sample Template 2 allows for customization of 9 defined parameters. These can be modified or extended just like Template 1.
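    Launching either sample stack from the command line instead of the Launch Stack link, after listing the parameters the template exposes, as an added example that is not from the whitepaper or the templates. It uses the AWS Tools for PowerShell and assumes credentials are already configured; the template URL and region come from the deck's Launch Stack links, while the parameter names are placeholders because the slides give only the parameter counts.

```powershell
# Added example, not from the whitepaper or the sample templates. Launches
# one of the two sample stacks with the AWS Tools for PowerShell instead of
# the Launch Stack link, after listing the parameters the template exposes.
# Assumes credentials are already configured (Set-AWSCredential). The
# parameter names below are placeholders: the slides give only the counts.
Import-Module AWSPowerShell

$Region      = 'us-west-2'   # region encoded in the deck's Launch Stack links
$StackName   = 'RDGW1'
$TemplateUrl = 'https://s3.amazonaws.com/microsoft_windows/rdgateway/Template_1_RDGW_2012.template'

# 1. List the template's parameters and defaults before launching anything.
$summary = Get-CFNTemplateSummary -TemplateURL $TemplateUrl -Region $Region
$summary.Parameters |
    Select-Object ParameterKey, DefaultValue, Description |
    Format-Table -AutoSize

# 2. Override only what needs a value. Keys are placeholders; replace them
#    with the ParameterKey names printed by step 1. The source CIDR is a
#    constructed documentation range.
$overrides = @{
    'PLACEHOLDER-KeyPairParameter'   = 'my-ec2-keypair'
    'PLACEHOLDER-AdminCidrParameter' = '203.0.113.0/24'
}
$params = foreach ($p in $summary.Parameters) {
    if ($overrides.ContainsKey($p.ParameterKey)) {
        New-Object Amazon.CloudFormation.Model.Parameter -Property @{
            ParameterKey   = $p.ParameterKey
            ParameterValue = $overrides[$p.ParameterKey]
        }
    }
}

# Fail early, with the list of names still to fill in, rather than letting
# CloudFormation reject the request or fall back to a default you did not
# review (the administrator CIDR is the one you least want defaulted).
$unset = $summary.Parameters |
    Where-Object { -not $_.DefaultValue -and -not $overrides.ContainsKey($_.ParameterKey) }
if ($unset) { throw "No value for parameter(s): $($unset.ParameterKey -join ', ')" }

# 3. Create the stack and wait for it to finish. CAPABILITY_IAM is required
#    whenever a template creates IAM resources and is harmless otherwise.
New-CFNStack -StackName $StackName -TemplateURL $TemplateUrl -Region $Region `
    -Parameter $params -Capability CAPABILITY_IAM
Wait-CFNStack -StackName $StackName -Region $Region -Status CREATE_COMPLETE -Timeout 3600

# The outputs carry the connection details for the new gateway.
(Get-CFNStack -StackName $StackName -Region $Region).Outputs
```

    The same script launches Scenario #2 by swapping in the Template_2_RDGW_2012.template URL and the stack name RDGW2; step 1 will then print that template's 9 parameters instead of 12.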

  • More Reference Deployments from AWS

    Active Directory Reference Architecture Whitepaper: Advanced Implementation Guide and CloudFormation templates

    SharePoint Server Reference Architecture Whitepaper: Advanced Implementation Guide and CloudFormation templates

    SQL Server: Implementing Microsoft Windows Server Failover Clustering (WSFC) and SQL Server 2012 AlwaysOn Availability Groups in the AWS Cloud

    Microsoft Exchange: Microsoft Exchange Server 2010 in the AWS Cloud: Planning and Implementation Guide

    These and more can be found at http://aws.amazon.com/microsoft/whitepapers/

  • Additional Resources: Web Pages

    Microsoft on AWS: http://aws.amazon.com/microsoft/

    Windows on AWS (includes pricing): http://aws.amazon.com/windows/

    Reference Deployment Quick Start: http://aws.amazon.com/quickstart/

    AWS Windows and .NET Developer Center (with SDK): http://aws.amazon.com/net/

    Amazon EC2 Windows Guide: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/

    Microsoft Licensing: http://aws.amazon.com/windows/mslicensemobility/ (covers Exchange, SharePoint, SQL, Lync, SCOM, and Dynamics; see the page for specific details, including which versions are covered)

    Whitepapers

    Implementing Active Directory Domain Services on AWS: http://aws.amazon.com/microsoft/whitepapers/#ad

    Exchange on AWS Implementation & Planning Guide: http://aws.amazon.com/microsoft/whitepapers/#exchange

    Implementing Microsoft Windows Server Failover Clustering and SQL Server 2012 AlwaysOn Availability Groups in the AWS Cloud: http://aws.amazon.com/microsoft/whitepapers/#sql2012

    SharePoint Server on AWS Reference Architecture: http://aws.amazon.com/microsoft/whitepapers/#sharepoint

    More at http://aws.amazon.com/microsoft/whitepapers/

    Contact Us: https://aws.amazon.com/microsoft/contact-us/

    If you have either business or technical questions about running Microsoft software on AWS, please don't hesitate to contact us.

  • Deploying Remote Desktop Gateway in the AWS Cloud

    Thank You
