
Deploying Remote Desktop Gateway in the AWS Cloud

AWS Whitepaper by Mike Pfeiffer

Introduction

This reference deployment guide includes architectural considerations and configuration steps for deploying Remote Desktop Gateway (RD Gateway) on the Amazon Web Services (AWS) cloud. We’ll discuss best practices for securely accessing your Windows-based instances using the Remote Desktop Protocol (RDP) for remote administration.

We also provide links to automated AWS CloudFormation templates that you can leverage for your implementation or launch directly into your AWS account.

This presentation gives an overview of the process to create the example solution. It does not outline each step. For the detailed overview, please consult the whitepaper available here: http://aws.amazon.com/quickstart

Before You Get Started

This is an advanced topic. If you are new to AWS, see the Getting Started section of the AWS documentation.

You should also be familiar with the following topics:

• Amazon EC2

• Amazon VPC

• AWS CloudFormation

• Windows Server 2012 or 2008 R2

• Remote Windows Administration using Remote Desktop Protocol (RDP)

Microsoft Platform on AWS

• Partnership to support running Windows Server-based workloads on AWS

• Amazon Machine Images (AMIs) with Windows Server and SQL Server today that were jointly developed by Microsoft and AWS

• SharePoint Server and other Microsoft server products can be licensed to run on AWS

Two licensing models:

• Pay-as-you-go – AMI pricing includes software:

– Windows Server

– SQL Server Standard

• BYOL – use existing licenses on AWS:

– SQL Server Enterprise

– SharePoint Server

– Other qualifying Microsoft Windows Server products*

*General info on AWS and License Mobility for a variety of MS server products:

http://aws.amazon.com/windows/mslicensemobility/

Detail on AWS and License Mobility with SQL Server:

http://aws.amazon.com/windows/mslicensemobility/sql/

Microsoft “License Mobility through Software Assurance” gives Microsoft Volume Licensing customers the flexibility to deploy Windows Server applications with active Software Assurance (SA) on Amazon Web Services.

What We’ll Cover

Considerations When Deploying RD Gateway

RD Gateway Setup

Client Configuration

Automated Deployment

• Sample Deployment Scenario #1: Deploy RD Gateway into a new Amazon VPC

• Sample Deployment Scenario #2: Deploy RD Gateway into an existing Amazon VPC


Considerations When Deploying RD Gateway

The Principle of Least Privilege

• Refers to users having the least possible privilege necessary to perform their job functions

• Helps reduce the attack surface of your environment, making it much harder for an adversary to exploit

• Reduce the attack surface by exposing the absolute minimal set of ports to the network while also restricting the source network or IP address that will have access to your Amazon EC2 instances


Amazon Virtual Private Cloud (VPC)

• Amazon VPC lets you provision a private, isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.

• You can define a virtual network topology closely resembling a traditional network that you might operate on your own premises.

• You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.


Network Access Control Lists

• Can be attached to any network subnet in an Amazon VPC to provide stateless filtering of traffic

• Can be used for inbound or outbound traffic and provide an effective way to blacklist a CIDR block or individual IP address

• Can contain ordered rules to allow or deny traffic based upon IP protocol, service port, or source or destination IP address


Security Groups

• Allow you to set policies to control open ports and provide isolation between application tiers

• Can act as an instance-level firewall or be associated with multiple instances


RD Gateway Setup

Initial Remote Administration Architecture

• Servers in the public subnet will need an inbound Security Group rule permitting the TCP port from the administrator’s source IP address or subnet

• Windows instances sitting behind the RD Gateway in a private subnet should be in their own isolated tier

• The administrator can use a traditional RDP connection to an RD Gateway to configure the local server

• The RD Gateway can also be used as a “jumpbox”

• The RD Gateway service should be installed and configured with an SSL certificate and Connection and Resource Authorization policies


Gateway Installation

• Can be performed from Server Manager or with a single PowerShell command on Windows Server 2012

• Once complete, the RD Gateway role, along with all prerequisite software and administration tools, will be installed on your Windows Server 2012 Amazon EC2 instance

For Windows Server 2008 R2 based installations, we recommend following the detailed installation instructions at http://technet.microsoft.com/en-us/library/dd983949(v=ws.10).aspx


SSL Certificates

• SSL certificates must be installed on each RD Gateway

• Larger environments should use a public certificate, but smaller test environments can use a self-signed certificate

• Implementing a self-signed certificate can allow you to get up and running quickly in 5 steps.


Connection and Resource Authorization Policies

Once you’ve installed the RD Gateway role and an SSL certificate, you are ready to configure Connection and Resource Authorization policies.

– Connection Authorization Policies — Remote Desktop connection authorization policies (RD CAPs) allow you to specify who can connect to an RD Gateway instance. For example, you can select a group of users from your domain, such as "Domain Admins.”

– Resource Authorization Policies — Remote Desktop resource authorization policies (RD RAPs) allow you to specify the internal Windows-based instances that remote users can connect to through an RD Gateway instance. For example, you can choose specific domain-joined computers which administrators can connect to through the RD Gateway.
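The three setup slides above (installing the role, creating a self-signed certificate for a test environment, and defining an RD CAP and an RD RAP) carried through as one PowerShell script. This is an added example, not the whitepaper’s or the Quick Start’s own code. It assumes Windows Server 2012 or later (the 2008 R2 path is documented separately, as noted above), an elevated session on the gateway instance, and placeholder values for the gateway FQDN, the administrators’ group, the policy names and the export path. The numeric AuthMethod and ComputerGroupType values are the RemoteDesktopServices provider’s encodings as I understand them and are marked as assumptions in the comments; confirm them with Get-Help before relying on them.

```powershell
# Added example (not the whitepaper's or Quick Start's code): set up an RD Gateway
# on Windows Server 2012+ from an elevated PowerShell session.
param(
    [string]$GatewayFqdn = "rdgw.example.com",      # placeholder: public name clients will use
    [string]$AdminGroup  = "Domain Admins@EXAMPLE",  # placeholder: "Group@Domain" form
    [string]$CertExport  = "C:\rdgw-root.cer"        # placeholder: where to export the public cert
)

# 1. Install the RD Gateway role with a single command; the prerequisite
#    software (IIS, NPS) and the administration tools come with it.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# 2. Self-signed certificate whose subject matches the FQDN clients connect to.
#    For production use a publicly trusted certificate instead (see the slide above).
$cert = New-SelfSignedCertificate -DnsName $GatewayFqdn `
            -CertStoreLocation "Cert:\LocalMachine\My"

# Export the public part so administrative clients can add it to their
# Trusted Root store; a self-signed certificate is not trusted otherwise.
Export-Certificate -Cert $cert -FilePath $CertExport -Type CERT | Out-Null

# 3. Bind the certificate to the gateway service through the RDS provider.
Import-Module RemoteDesktopServices
Set-Item -Path "RDS:\GatewayServer\SSLCertificate\Thumbprint" -Value $cert.Thumbprint

# 4. Connection Authorization Policy (RD CAP): who may connect to the gateway.
#    AuthMethod 1 = password, 2 = smart card (assumed provider encoding).
New-Item -Path "RDS:\GatewayServer\CAP" -Name "RDG-CAP-Admins" `
         -UserGroups $AdminGroup -AuthMethod 1 | Out-Null

# 5. Resource Authorization Policy (RD RAP): which internal hosts those users may reach.
#    ComputerGroupType 2 = any network resource (assumed encoding). For least
#    privilege, use an RD Gateway-managed (0) or Active Directory (1) computer
#    group that lists only the instances administrators actually need.
New-Item -Path "RDS:\GatewayServer\RAP" -Name "RDG-RAP-Admins" `
         -UserGroups $AdminGroup -ComputerGroupType 2 | Out-Null

# Show the resulting policies so the configuration can be reviewed.
Get-ChildItem "RDS:\GatewayServer\CAP", "RDS:\GatewayServer\RAP" | Select-Object Name
```

The exported .cer file is what the client-side step “installation of any root certificates” consumes; keep the RAP scoped to a computer group rather than “any resource” once the test environment becomes a real one.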


RD Gateway Architecture on the AWS Cloud

• You can modify the Security Group for the RD Gateway to use a single inbound rule permitting TCP port 443

• This increases the security of the connection and also removes the need to initiate an RDP session to the desktop of the RD Gateway
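A check for the policy this slide describes, and for the least-privilege and Security Group considerations earlier in the deck: the gateway’s Security Group should carry a single inbound rule, TCP 443, sourced only from the administrators’ network. This is an added example, not code from the whitepaper or its CloudFormation templates. The sample rules are constructed; the Get-EC2SecurityGroup cmdlet and its IpPermissions/Ipv4Ranges properties are from the AWS Tools for PowerShell, while the helper functions and the placeholder group ID are mine.

```powershell
# Added example (not from the whitepaper): audit inbound security-group rules
# against "only TCP 443, only from the administrators' CIDR(s)".

function Test-RdgwIngress {
    param(
        # Each rule: @{ Protocol='tcp'; FromPort=443; ToPort=443; Cidr='203.0.113.0/24' }
        [hashtable[]]$Rules,
        [string[]]$AllowedSources   # administrators' source CIDRs
    )
    $findings = @()
    foreach ($r in $Rules) {
        $where = "$($r.Protocol) $($r.FromPort)-$($r.ToPort) from $($r.Cidr)"
        if ($r.Cidr -eq '0.0.0.0/0' -or $r.Cidr -eq '::/0') {
            $findings += "OPEN TO WORLD: $where"
            continue
        }
        if ($r.Protocol -ne 'tcp' -or $r.FromPort -ne 443 -or $r.ToPort -ne 443) {
            $findings += "NOT 443/TCP: $where"
            continue
        }
        if ($AllowedSources -notcontains $r.Cidr) {
            $findings += "UNEXPECTED SOURCE: $where"
        }
    }
    return $findings    # an empty result means the group matches the intended policy
}

# Constructed sample: a gateway group that still carries its pre-hardening
# RDP rule and a 443 rule that was opened to the world.
$sampleRules = @(
    @{ Protocol='tcp'; FromPort=443;  ToPort=443;  Cidr='203.0.113.0/24' },
    @{ Protocol='tcp'; FromPort=3389; ToPort=3389; Cidr='203.0.113.0/24' },
    @{ Protocol='tcp'; FromPort=443;  ToPort=443;  Cidr='0.0.0.0/0' }
)
Test-RdgwIngress -Rules $sampleRules -AllowedSources @('203.0.113.0/24')
# Reports the 3389 rule and the world-open 443 rule; the first rule is clean.

# To audit a live group (AWS Tools for PowerShell and credentials required),
# flatten the Get-EC2SecurityGroup output into the same rule shape.
function Get-SgRules([string]$GroupId) {
    $sg = Get-EC2SecurityGroup -GroupId $GroupId
    foreach ($p in $sg.IpPermissions) {
        foreach ($range in $p.Ipv4Ranges) {
            @{ Protocol=$p.IpProtocol; FromPort=$p.FromPort; ToPort=$p.ToPort; Cidr=$range.CidrIp }
        }
    }
}
# Test-RdgwIngress -Rules (Get-SgRules 'sg-PLACEHOLDER') -AllowedSources @('203.0.113.0/24')
```

Run the audit after the initial build and again after hardening: the first pass should report the temporary RDP rule from the initial architecture, and the second should return nothing.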


Client Configuration

Connection and Resource Authorization Policies

Configuring your administrative clients requires:

1. Installation of any root certificates

2. Name resolution for the RD Gateway FQDN

3. Proper configuration of the Remote Desktop Gateway
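The three client steps above as one PowerShell script for an administrator’s workstation. This is an added example, not the whitepaper’s code. It assumes the certificate exported from the gateway is available locally, that the gateway is reachable by its FQDN, and placeholder names for the gateway, the target instance and the file paths. The .rdp settings written here are standard Remote Desktop Connection file keys; the helper functions are mine.

```powershell
# Added example (not from the whitepaper): prepare a client for RD Gateway use.
param(
    [string]$GatewayFqdn = "rdgw.example.com",                       # placeholder
    [string]$TargetHost  = "app01.corp.example",                     # placeholder private instance
    [string]$RootCert    = "C:\rdgw-root.cer",                       # placeholder: exported from the gateway
    [string]$RdpFile     = "$env:USERPROFILE\app01-via-rdgw.rdp"     # placeholder output path
)

# 1. Install the gateway's root (or self-signed) certificate into Trusted Root.
#    Not needed when the gateway uses a publicly trusted certificate.
Import-Certificate -FilePath $RootCert -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 2. The gateway FQDN must resolve from the client; fail early if it does not.
function Test-GatewayName([string]$Fqdn) {
    try {
        $null = Resolve-DnsName -Name $Fqdn -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}
if (-not (Test-GatewayName $GatewayFqdn)) {
    throw "Cannot resolve $GatewayFqdn; add a DNS record or a hosts entry first."
}

# 3. Write an .rdp file that always routes through the gateway, uses these
#    explicit gateway settings, and refuses to connect if the gateway's
#    certificate cannot be validated.
function New-RdgwRdpFile([string]$Gateway, [string]$Target, [string]$Path) {
    $lines = @(
        "full address:s:$Target",
        "gatewayhostname:s:$Gateway",
        # 1 = always use the RD Gateway
        "gatewayusagemethod:i:1",
        # 1 = use the gateway settings in this file, not the default profile
        "gatewayprofileusagemethod:i:1",
        # 0 = ask for password (NTLM)
        "gatewaycredentialssource:i:0",
        # 1 = do not connect if server authentication fails
        "authentication level:i:1",
        "prompt for credentials:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

$file = New-RdgwRdpFile -Gateway $GatewayFqdn -Target $TargetHost -Path $RdpFile
# Open the connection through the gateway over TCP 443:
mstsc $file
```

Because the session is tunnelled through the gateway, the client never needs direct TCP 3389 reachability to the private instance, which is what allows the gateway’s Security Group to be reduced to the single TCP 443 rule.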


Sample Deployment Scenario #1

Deploy RD Gateway into a New Amazon VPC

The AWS CloudFormation template performs these actions to deploy this scenario.

• Set up the Amazon VPC, including subnets in two Availability Zones

• Configure private and public routes

• Launch Windows Server 2012 Amazon Machine Images (AMIs)

• Configure security groups and rules for traffic between application tiers

• Set up and configure AD Sites and Subnets

• Enable ingress traffic into the Amazon VPC for administrative access to Remote Desktop Gateway and NAT instances


Template Customization

• Sample Template 1 allows for customization of 12 defined parameters

• These can be modified or extended

Sample Deployment Scenario #2

Deploy RD Gateway into an Existing Amazon VPC

The AWS CloudFormation template performs these actions to deploy this scenario.

• Launch Windows Server 2012 Amazon Machine Images (AMIs)

• Configure security groups and rules for traffic between application tiers

• Enable ingress traffic into the Amazon VPC for administrative access to Remote Desktop Gateway and NAT instances


Template Customization

• Sample Template 2 allows for customization of 9 defined parameters

• These can be modified or extended just like Template 1

More Reference Deployments from AWS

• Active Directory– Reference Architecture Whitepaper

– Advanced Implementation Guide and CloudFormation templates

• SharePoint Server– Reference Architecture Whitepaper

– Advanced Implementation Guide and CloudFormation templates

• SQL Server – “Implementing Microsoft Windows Server Failover Clustering (WSFC) and SQL Server 2012 AlwaysOn Availability Groups in the AWS Cloud”

• Microsoft Exchange – “Microsoft Exchange Server 2010 in the AWS Cloud: Planning and Implementation Guide”

These and more can be found at http://aws.amazon.com/microsoft/whitepapers/

Additional Resources

Web Pages

Microsoft on AWS

http://aws.amazon.com/microsoft/

Windows on AWS (includes pricing)

http://aws.amazon.com/windows/

Reference Deployment Quick Start

http://aws.amazon.com/quickstart/

AWS Windows and .NET Developer Center (with SDK)

http://aws.amazon.com/net/

Amazon EC2 Windows Guide

http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/

Microsoft Licensing

http://aws.amazon.com/windows/mslicensemobility/

Covers Exchange, SharePoint, SQL, Lync, SCOM, and Dynamics.

See page for specific details, including which versions are covered.

Whitepapers

Implementing Active Directory Domain Services on AWS

Exchange on AWS Implementation & Planning Guide

Implementing Microsoft Windows Server Failover Clustering and SQL Server 2012 AlwaysOn Availability Groups in the AWS Cloud

SharePoint Server on AWS Reference Architecture

more at http://aws.amazon.com/microsoft/whitepapers

Contact Us

https://aws.amazon.com/microsoft/contact-us/

If you have either business or technical questions about running Microsoft software on AWS, please don’t hesitate to contact us.

Deploying Remote Desktop Gateway in the AWS Cloud

Thank You
