AWS Government, Education, and Nonprofit Symposium
Washington, DC | June 25-26, 2015
Agenda
1. AWS Directory Service
2. Amazon WorkSpaces
3. Amazon WorkMail
4. Amazon WorkDocs
AWS Directory Service overview
• “Directory as a Service”
– Windows 2008 R2 compatible forest/domain
– Amazon EC2 instances can join the domain at launch
– Deploy AD-dependent applications on Windows in Amazon EC2
– Enables single sign-in to the AWS management console and services
• Alleviates the pain of deploying, configuring, and maintaining directory infrastructure in Amazon EC2
AWS Directory Service modes
AWS Directory Service operates in one of two modes:
– Simple AD
– AD Connector
*Does not support the EC2-Classic network*
Simple AD directory mode
Simple AD directory mode:
• Samba 4 as the backend
• Resides only in the AWS cloud; cannot extend to on-premises
• Limited to VPC EC2 instances
• Supports applications such as SQL and SharePoint
• Supports Kerberos
• Group Policies
• Manage directory via common LDAP tools or Microsoft Directory Services MMC
• Supports ADSIedit
• Windows Event Viewer compatible logs
• Windows CLI tools such as dsadd, dsmod, and the csvde import tool
Simple AD prerequisites
Simple AD directory for use with VPC instances:
• A VPC
• At least two subnets in different Availability Zones
• Directory Service creates two ENIs in your VPC to be used as DNS servers
• Directory Service creates a security group to allow you to control access to your directory
Simple AD Directory Service ports
• TCP/UDP 53 – DNS
• TCP/UDP 88 – Kerberos authentication
• UDP 123 – NTP
• TCP 135 – RPC
• UDP 137-138 – Netlogon
• TCP 139 – Netlogon
• TCP/UDP 389 – LDAP
• TCP/UDP 445 – SMB
• TCP 873 – FRS
• TCP 3268 – Global Catalog
• TCP/UDP 1024-65535 – Ephemeral ports for RPC
AWS Directory Service backups
• Ability to back up directory data by creating snapshots:
– Manual
– Auto
• Restore the directory from snapshots
AWS Directory Service AD Connector
AD Connector mode:
• Enables use of existing AD credentials from your on-premises Active Directory domain
• Connects your on-premises directory to AWS apps and services such as WorkSpaces, WorkDocs, and WorkMail
• Allows single sign-in to the AWS console
• On-premises data is not stored on AWS
• Forwards requests (i.e., authentication, query/search) to the on-premises domain
• Choice of small or large connector type
• Support for Multi-Factor Authentication (MFA) – RADIUS
AWS Directory Service AD Connector
AD Connector directory requirements:
– Requires VPC with VPN connection (software-based or hardware-based)
– IP address of on-premises DNS servers
– Credentials of domain-privileged user (required by AD Connector account)
• Read all user information
• Join a computer to the domain
– AWS Directory Service creates a Connect SecurityGroup that is used on the customer side
Amazon Directory Services access URL
• Globally unique, ‘friendly’ identifier for a directory, for example:
mobyapp.awsapps.com
• One unique access URL per directory
• Used by Amazon WorkMail and Amazon WorkDocs to access the service and/or access the AWS management console
AWS console access
– Ability to use your on-premises AD or Simple AD directory credentials to log in to the AWS management console
– Map users or groups to Amazon IAM roles (new or existing)
– Use the access URL of the directory followed by /console (i.e., https://mobyapp.awsapps.com/console)
Amazon WorkSpaces availability
Available in the following regions:
• us-east-1 (N. Virginia)
• us-west-2 (Oregon)
• eu-west-1 (Ireland)
• ap-southeast-2 (Sydney)
• ap-northeast-1 (Tokyo)
• ap-southeast-1 (Singapore)
Amazon WorkSpaces: key service features
• Highly secure cloud workspace accessible from any device
• Persistent, highly secure cloud-based storage
• Amazon WorkSpaces can be joined to your Active Directory
• Integration with customer VPC/VPN to provide access to on-premises resources
Amazon WorkSpaces devices
• iPad
• Kindle Fire HDX (keyboard & mouse)
• Android tablet
• Microsoft Windows
• Mac
• Zero clients
Keep data highly secure and available
• No data stored on end-user device
• Only pixels delivered to users (PCoIP)
• User volume backed up by Amazon S3
Getting started – what are the steps?
• Integrate VPC with corporate Active Directory (or use Simple Directory)
• Choose Amazon WorkSpaces bundle
• Select users to receive Amazon WorkSpaces
• Launch Amazon WorkSpaces
• Users receive email when provisioned
• Users connect to Amazon WorkSpaces
[Diagram: WorkSpaces network architecture, showing the corp on-prem network, corp VPC, ENI, Internet gateway, Internet, and AWS Direct Connect]
Amazon WorkSpaces are dual-homed Windows Server 2008 R2 instances with Windows 7 experience
• eth0 serves WorkSpaces pixels back to the client device
• eth1 (= Corp VPC) serves traffic to:
– Internet
– Resources in VPC
– Resources on-prem
Client connects to a “WorkSpaces gateway” between your device and your WorkSpaces: PCoIP, TCP and UDP 4172
Amazon WorkMail overview
• Provides a highly secure email and calendaring service
• Integrates with an existing corporate directory
• Controls both the keys that encrypt data and the location in which the data is stored
Amazon WorkMail access
• Microsoft Outlook clients (Windows & OS X)
• Exchange ActiveSync protocol-enabled devices
– iPhone, iPad
– Kindle Fire, Fire Phone
– Android
– Windows Phone
– BlackBerry 10
• Web browser
Amazon WorkMail limits
• Up to 25 users for a 30-day free trial
• Mailbox size: 50 GB
• Maximum in/out message size: 25 MB
• Maximum number of recipients per email: 500
• Each user can send mail to up to 3,000 recipients every 24 hours
Amazon WorkMail FAQs
• Mailbox’s data at-rest is encrypted
• Data in-transit is encrypted
• Mail is scanned for spam, malware, viruses
• Integrates with Amazon Simple Directory and on-premises Active Directory
• Supports @corpname.com email suffix
• Supports Active Directory distribution groups
• Mailboxes managed via AWS console
• Supports Mobile Policies
• Integrates with Amazon WorkDocs*
Amazon WorkMail regions (as of June 25, 2015)
• us-east-1 (N. Virginia)
• eu-west-1 (Ireland)
Amazon WorkDocs
Fully managed, highly secure enterprise storage and sharing service.
Amazon WorkDocs users can:
– Comment on files
– Send documents to others for feedback
– Upload new versions
– Sync files between PC/Mac and Amazon WorkDocs
Eliminates the need to email and track changes to documents
Amazon WorkDocs supported platforms
• Supported platforms:
– PCs
– Macs
– Tablets
– Phones
• Integrates with existing corporate directory (via AD Connector)
• Has flexible sharing policies, audit logs, and provides control of the location where data is stored
Amazon WorkDocs administration & control
• Simple user management
• Delegated administration
• Fine-grained quota controls
• Employee content migration
• Viral invite option
• Audit logs
• Multi-Factor Authentication
Amazon WorkDocs
Sync client for Mac and Windows
• Download client from Amazon Web Services
• Register client
• Provide credentials (AD username/password)
• Choose files to sync and folders to sync
Amazon WorkDocs sync excluded files
• Lock files such as .lock or .~doctor.ppt
• Backup files such as hello.txt~ or ~hello.txt
• Temporary files such as ppt.C407.tmp or ~WRD000.tmp
• Microsoft User Data or Outlook files
• File names containing any of the characters * / : < > ? |
• Files over 5 TB
Amazon WorkDocs
• Supports MFA with RADIUS
• Single sign-in available from an Amazon WorkSpaces session
DEMO corporate directory integration
Users: Get to use existing enterprise credentials
IT: WorkSpaces control like regular desktops
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
Editor's Notes
Today I am going to speak about Directory Service, WorkSpaces, WorkMail, and WorkDocs. This is a deep dive into these subjects, therefore I am assuming you are relatively familiar with the services and acronyms such as EC2, ENI, S3 and so on.
AWS Directory Service makes it simple to log into servers and workstations, and to get AD-dependent applications and Amazon applications such as WorkSpaces, WorkMail and WorkDocs up and running in minutes.
Some use cases are dev/test environments, connecting on-premises Active Directory with VPC resources, and SSO access to the AWS console.
The Directory Service functions like a Windows 2008 R2 Active Directory domain.
There are two directory modes. Simple AD is a Samba 4 Active Directory-like environment that operates in Windows 2008 forest/domain mode. It doesn't support complex directory integrations such as Exchange or Lync, child domains, or trusts. It is a simple directory containing computer and user objects. It comes in two sizes: Small, supporting up to 10,000 objects, and Large, supporting up to 100,000 objects.
Simple AD makes it possible to connect Windows servers in your VPC to a directory for single user management and authorization. Additionally, WorkSpaces, WorkMail and WorkDocs can use this directory, so within minutes you are using the services without having to build out an Active Directory infrastructure.
If you need Exchange or Lync integration or child domains, or want to integrate your corporate directory with AWS services (SSO to the AWS console, WorkSpaces, WorkMail and WorkDocs), you would use the AD Connector.
The first mode is Simple AD directory mode. It is Samba 4 emulating Active Directory 2008 R2 mode.
It can only be used for instances in your VPC. It makes it simple to deploy AD-dependent apps such as MS SQL and MS SharePoint, and you can join Windows 2003 R2 through Windows 2012 R2 servers that live in your VPC. Active Directory Group Policy and Kerberos are supported. It is limited to Windows clients; for example, Linux domain joins are not currently supported. Active Directory tools such as Active Directory Users and Computers can be used to manage the directory, as can ADSI Edit and other Windows CLI tools (dsadd, dsmod, and csvde).
Directory Service doesn't support EC2-Classic instances, as Directory Service is launched into a VPC and the resources it will access are in that VPC. Simple AD launches on two EC2 instances and creates two ENIs in your VPC. The purpose of these ENIs is to provide DNS endpoints for DNS clients in your VPC.
Additionally, Directory Service creates a security group that allows the traffic necessary for the Directory Service to communicate with your services. For example, Active Directory requires TCP/UDP ports 1024-65535 for RPC. Exact port requirements are listed on the next slide.
These are the ports you will need open in your security group. When creating the directory, the service creates a security group with these ports open from your VPC to the Directory Service servers.
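Because the security group is what stands between the directory servers and everything else, the port list on the "Simple AD Directory Service ports" slide is also an audit checklist. The following Python is an added example, not code from the AWS deck: it takes a security group in the dict shape that boto3's describe_security_groups returns (here a constructed sample, no AWS call is made), reports any required port that no rule allows, and flags any IPv4 source wider than the VPC CIDR, since the notes say the rules should only admit traffic from your VPC. The VPC CIDR, group id and rule values are assumed sample data.

```python
# Added example (not from the AWS deck): audit a directory security group against
# the Simple AD port list from the slides. The group is a constructed dict in the
# shape boto3's describe_security_groups returns; nothing here calls AWS.
import ipaddress

# (protocol, from_port, to_port) as listed on the "Simple AD Directory Service ports" slide
SIMPLE_AD_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),            # DNS
    ("tcp", 88, 88), ("udp", 88, 88),            # Kerberos
    ("udp", 123, 123),                           # NTP
    ("tcp", 135, 135),                           # RPC endpoint mapper
    ("udp", 137, 138), ("tcp", 139, 139),        # Netlogon
    ("tcp", 389, 389), ("udp", 389, 389),        # LDAP
    ("tcp", 445, 445), ("udp", 445, 445),        # SMB
    ("tcp", 873, 873),                           # FRS
    ("tcp", 3268, 3268),                         # Global Catalog
    ("tcp", 1024, 65535), ("udp", 1024, 65535),  # RPC ephemeral range
]

def _rule_covers(rule, proto, lo, hi):
    """True if one IpPermissions entry allows the whole range lo-hi for proto."""
    if rule["IpProtocol"] == "-1":               # "all traffic" rule
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule["FromPort"] <= lo and rule["ToPort"] >= hi

def audit_directory_sg(sg, vpc_cidr):
    """Return required ports no single rule allows, and IPv4 sources wider than the VPC.

    A range split across several rules is reported as missing; that is conservative,
    so review the findings rather than acting on them blindly."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = {"missing": [], "too_open": []}
    rules = sg["IpPermissions"]
    for proto, lo, hi in SIMPLE_AD_PORTS:
        if not any(_rule_covers(r, proto, lo, hi) for r in rules):
            findings["missing"].append((proto, lo, hi))
    for r in rules:
        for rng in r.get("IpRanges", []):
            if not ipaddress.ip_network(rng["CidrIp"]).subnet_of(vpc):
                findings["too_open"].append(
                    (r["IpProtocol"], r.get("FromPort"), r.get("ToPort"), rng["CidrIp"]))
    return findings

# Constructed sample: assumed VPC CIDR and an assumed group id, not real account data.
VPC_CIDR = "10.0.0.0/16"

def _rule(proto, lo, hi, cidr=VPC_CIDR):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}

SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    _rule("tcp", 53, 53), _rule("udp", 53, 53),
    _rule("tcp", 88, 88), _rule("udp", 88, 88),
    # UDP 123 (NTP) left out on purpose so the audit reports it as missing
    _rule("tcp", 135, 135), _rule("udp", 137, 138), _rule("tcp", 139, 139),
    _rule("tcp", 389, 389, "0.0.0.0/0"),         # LDAP reachable from the Internet: flagged
    _rule("udp", 389, 389),
    _rule("tcp", 445, 445), _rule("udp", 445, 445), _rule("tcp", 873, 873),
    _rule("tcp", 1024, 65535), _rule("udp", 1024, 65535),  # also covers TCP 3268
]}

if __name__ == "__main__":
    for kind, items in audit_directory_sg(SAMPLE_SG, VPC_CIDR).items():
        for item in items:
            print(kind, item)
```

To run it against a live account, replace SAMPLE_SG with the group returned by boto3's describe_security_groups for the directory's security group and VPC_CIDR with that VPC's CIDR block.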
You can take up to 5 manual snapshots per Simple AD directory. This means that if you need to take a snapshot and already have 5 manual snapshots, you must delete one of your stored manual snapshots. The limit of 5 manual snapshots is separate from the automatic snapshots: Simple AD takes daily snapshots automatically, keeping up to 10 days of them.
The directory can be restored from manual or from automatic snapshots.
This mode allows you to use your on-premises directory credentials to authenticate to AWS apps and services such as WorkSpaces, WorkMail and WorkDocs, and to perform SSO to the AWS console.
It works by forwarding authentication requests to your Active Directory domain. Because credentials are forwarded, AWS does not store or cache any of your Active Directory data.
In order to operate the AD Connector, a VPN or Direct Connect connection must exist between your data center/compute facility (where AD lives) and your AWS VPC.
Lastly, Directory Service supports multi-factor authentication via your RADIUS server. Supports Okta, Ping Federate,
To get AD Connector up and running you will need to deploy a VPC and create a domain-privileged account in your Active Directory.
That account will be used by the AD Connector as the connector account.
The account needs the “Read all user information” and “Join a computer to the domain” privileges.
The Domain Admins group has these permissions; however, as a security best practice, we recommend creating a group with the “Read all user information” and “Join a computer to the domain” privileges,
creating a user with a very strong password, and adding that user to the group. Directory data is not stored on the AD Connector; it is a proxy-like client rather than a lightweight directory mode.
The access URL is globally unique and, once created, cannot be changed. You will have to delete the AD Connector in order to “rename” it.
Now I am going to talk about WorkSpaces. WorkSpaces is a managed desktop computing service in the cloud. It allows you to easily provision cloud-based desktops from which you can access docs, apps, and resources on the device of your choice. WorkSpaces is offered in the following regions. The service uses PCoIP; the best experience is at under 100 ms latency, and the protocol supports a round-trip latency of up to 250 ms.
WorkSpaces is a secure cloud workspace accessible from any device using the WorkSpaces application. You can download this application from https://clients.amazonworkspaces.com/,
and it is available from the Apple App Store and Google Play for iPad and Android devices. Each WorkSpace has persistent storage, so it survives a reboot, and if it needs to be rebuilt the data persists. WorkSpaces can integrate with Active Directory (on-premises or in the AWS cloud).
Amazon WorkSpaces provides customers with a choice of devices they can use to connect to their desktop.
They can use an iPad, a Kindle Fire HDX (including the ability to use a keyboard and mouse), or a Windows or Mac desktop.
The iPad and Android clients have numerous optimizations to make the desktop experience on the device intuitive, such as a slide-out radial control to access commonly used functions and a choice of mouse modes.
Amazon WorkSpaces delivers only pixels to users, using the Teradici PCoIP protocol, and customer data does not stay on the end user’s device. The user volume provided for a user’s WorkSpace is regularly backed up to Amazon S3 as a snapshot, helping ensure data durability even in the case of hardware failure.
Once customers have access to the WorkSpaces service, getting started is simple. If customers want integration with their corporate Active Directory, they will need to have a VPC configured with a hardware VPN connection back to their corporate network. Once they've configured their directory, they just need to select the WorkSpaces bundle they require, choose the users who will receive WorkSpaces, and launch those WorkSpaces. Once the WorkSpaces are provisioned (which includes joining the customer's Active Directory domain if they are integrating their directory), users get an email telling them how to install the client and connect to their WorkSpaces.
WorkSpaces are Windows Server 2008 R2 instances with a Windows 7 experience skin. PC over IP, or PCoIP, is the communication protocol that connects your WorkSpaces client software to your WorkSpace.
The WorkSpace is dual-homed: eth0 is the PCoIP connection into the WorkSpace from the Internet, and an Elastic Network Interface, or ENI (eth1), is attached to provide connectivity to your VPC and to your corporate network via Direct Connect or a VPN gateway.
WorkSpaces access the Internet either through the Internet Gateway (IGW) or through a NAT or proxy.
1. WorkSpaces client initiates authentication to the OAuth gateway over SSL on the public Internet with user credentials.
2. OAuth gateway sends the authentication request over SSL to the AD Connector.
3. AD Connector does LDAP authentication to Active Directory.
4. Client receives an OAuth ticket back from the gateway based on the authentication request.
5. Client requests the PCoIP gateway IP from the WorkSpaces broker. The request is over SSL and uses the OAuth ticket to identify the user/directory.
6. Client requests a connection to the WorkSpace via the PCoIP gateway. The request is over SSL using the OAuth ticket.
7. Gateway receives the OAuth ticket and retrieves user credentials over SSL from the WorkSpaces connection manager (which retrieves credentials from Directory Service over SSL).
8. PCoIP gateway initiates Windows logon on the WorkSpace via the AWS private network.
9. User logon request to Active Directory.
10. PCoIP streaming connection over an AES-256 encrypted channel.
The next service I am going to talk about is WorkMail.
Data encrypted at rest with AES-256? Data in transit SSL-encrypted. WorkDocs integration via the web browser client.
AWS uses one of the strongest block ciphers to protect data at rest, AES-256 encryption. SSL protects data in transit. WorkDocs is accessed from your browser (and from client software on supported devices) via https://corpname.awsapps.com/workdocs, the same URL you used when you created your directory.
There is built-in, true native integration with a company's Active Directory if desired. There is delegated administration. Administrators can assign quota at the company and user level. WorkDocs has a workflow to migrate content from one user to another as people leave the organization. And there is an interesting capability that will appeal to some of the smaller to mid-size enterprises: the viral invite feature. Instead of having to administratively onboard users, just let your employees share with each other; when an invite goes to someone who isn't already in the system, he or she is asked to create an account.
Amazon WorkSpaces integrates with customers' corporate directories. This means that all WorkSpaces provisioned by a customer will join the customer's Active Directory domain. This means that users can continue to use their existing corporate credentials to get seamless access to corporate resources (e.g., Exchange, SharePoint, other internal applications). This also means that for administrators, as the WorkSpaces join the customer's Active Directory domain, they can be managed just like any other desktops with the management tools or processes that customers are already using.
Demo of a corporate WorkSpace connected to corporate AD, with corporate-connected Lync 2013 and Outlook connected to WorkMail, plus a demo of a GPO to set the desktop background and publish IE shortcuts and settings.