Amazon WorkSpaces provides businesses with secure, managed desktops in the Amazon cloud, and offers an enhanced security posture, the ability to support the needs of a modern mobile workforce, and the flexibility to scale globally. In this session, you'll hear how organizations can simplify end user computing by moving desktops to the cloud. The session covers identity and access management, network access and design, integration with on-premises IT infrastructure, application delivery, and the end user experience, including a generalized deployment model and an "office in a box" built on a deconstructed network. You will also hear first-hand from customers who have implemented WorkSpaces, along with best practices for deploying Amazon WorkSpaces at scale.
2. Before we begin: quick survey
Does any of this sound familiar?
• Do you have fleets of terminal servers?
• Why does my new laptop need all these
patches on first boot?
• “Why can’t I use my (fill-in-the-blank
machine with 123,233,233 video drivers)
at work? aka it works great in my house!”
• "Hey Helpdesk, I lost my laptop and need
one now!!"
If this is you…
stick around!
3. Agenda
Getting started
• From concept to production
Focus on the basics
• Identity and access
• Networking: Amazon VPC, DX, and security
Image management
• Images and bundles
• Application deployment
The end user experience
• Testing an emotional service
• No laptop? What do I use?
March of Dimes
• Lessons learned
4. Getting started: identify the team
• Operations / Engineering teams
• Small team: usually 2-3 members
• 2-3 weeks: introduction, overview, deeper dives
• Networking team
• 1-2 members
• 4 weeks +
• Ingress into network via service broker interface
• Integration with network via DX/VPN
• The inbound firewall
• Security team
• 1-2 members
• 4 Weeks +
• Network access from anywhere vs. private broker
• MFA, selective MFA
• Device security, root of trust concerns
This can take some time
5. Getting started: POC vs. pilot
POC vs. Pilot, aren’t they the same?
POC – concept only, e.g., don't miss it when it's gone
• Explore – delete and repeat
• Lessons learned – push the limits, make mistakes; you won't break
the service!
• Diversity – pick lots of different data points
• Enforce your POC's limits: artificially constrained VPC, VPN integration (no
DX); this phase cannot go to production
Pilot – this could turn into a "successful disaster"
• Build a platform that will not need to be refactored
• Smart VPC design, consideration for imaging, and a realistic rollout
plan
6. Getting started: managing the POC
Requirements will be all over the place
• Everyone will want something different
• Everyone is trying to go to the same place
Keep the POC focused, disagree and commit
• Operations / Engineering – Usable desktops. Custom
imaging. Automated provisioning. Process alignment.
Devices.
• Networking – What ports do I open on the firewall?
• Security – The WorkSpaces client acts like a VPN.
What's the MFA strategy?
Don't try to boil the ocean!
7. Getting started: studying the POC and its
phases
POC 1 – Limited POC
• 10-15 people: Operations / Engineering,
Networking, security
• Work out the kinks
• Can you work exclusively in your WorkSpace?
POC 2 – Expand the POC
• 50 people, all shapes and sizes
• Executives, compliance, project stakeholder, your boss
• Gather as much positive and negative feedback as
possible
Remember!
• Plan your exit, focus on requirements
• Set up the transition to pilot with parallel efforts during Round 2
9. Focus on the basics: a refresher
Rules to remember
• Directory = an AWS Directory Service directory (Simple AD, AD Connector, or Microsoft AD)
• A directory spans exactly 2 subnets (one per Availability Zone)
• A directory = 2 Amazon EC2 instances (1 per
subnet), which consume addresses in those subnets
• You can have multiple directories in 1 Amazon
VPC
• Each directory has its own registration code
• Zero client: each registration code needs its
own connection URL
Key takeaways:
• A WorkSpace is tied to exactly 1 directory
• A WorkSpace will live in 1 of the 2 directory
subnets
TIP: Map one service to one directory or AD Connector, e.g., a separate one
each for WorkMail, WorkDocs, and WorkSpaces
10. Focus on the basics: networking
Early discussions
• Access from my existing network
• Access from anywhere (e.g., favorite coffee shop)
Further discussions
• Should I use a public endpoint?
• Private VIF – Can we only access from our existing
network?
• Secure client computing
• Content filtering – can we restrict access?
11. Focus on the basics: the golden rules of VPC
Q: “What is the best VPC design?”
A: Every use case is different
Rule #1: Don't over-analyze
Rule #2: Eliminate IP waste
• Every AWS subnet reserves 5 IP addresses (the first four and the last)
• 2 Regions = 2 VPCs minimum = 2 IP blocks
Rule #3: Be flexible to accommodate what you don't
know
• Treat your end state as an unknown
TIP: Largest VPC size: /16 (65,536 addresses)
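The subnet rules in the refresher (two subnets per directory, one directory instance in each, five addresses reserved by AWS per subnet, /16 as the largest VPC) combine into a capacity calculation that is easy to get wrong by hand. The following is an added example, not from the deck, that carves the smallest pair of equal-size directory subnets able to hold a target number of WorkSpaces with growth headroom (the "more than you would ever need" advice later in the deck) and reports what is left of the VPC. The AZ names, the growth factor and the CIDRs are assumptions.

```python
import ipaddress
import math

# AWS limits are real; the AZ pair and growth factor are planning assumptions.
AWS_RESERVED_PER_SUBNET = 5          # first four addresses + last, reserved by AWS
DIRECTORY_INSTANCES_PER_SUBNET = 1   # the directory itself occupies one address per subnet
LARGEST_VPC_PREFIX = 16              # /16 is the largest VPC AWS allows
SMALLEST_SUBNET_PREFIX = 28          # /28 is the smallest subnet AWS allows
AZS = ("us-east-1a", "us-east-1b")   # assumed AZ pair; a directory needs one subnet per AZ


def usable_hosts(subnet):
    """Addresses a subnet can hand to instances after AWS's five reserved ones."""
    net = ipaddress.ip_network(subnet) if isinstance(subnet, str) else subnet
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def workspace_capacity(subnets):
    """WorkSpaces a directory's subnet pair can hold: each subnet also hosts one
    directory instance, which is not a WorkSpace."""
    return sum(usable_hosts(s) - DIRECTORY_INSTANCES_PER_SUBNET for s in subnets)


def plan_directory_subnets(vpc_cidr, expected_workspaces, growth_factor=3.0):
    """Pick the smallest pair of equal-size subnets (one per AZ) that can hold
    expected_workspaces * growth_factor WorkSpaces, leaving the rest of the VPC
    free for later directories or services.  Returns the chosen subnets, their
    capacity, and the leftover blocks, all as strings."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if vpc.prefixlen < LARGEST_VPC_PREFIX:
        raise ValueError(f"{vpc} is larger than a /16; AWS will not create it")
    target = math.ceil(expected_workspaces * growth_factor)
    # Walk from the smallest legal subnet upwards; stop at the first size that fits.
    for prefix in range(SMALLEST_SUBNET_PREFIX, vpc.prefixlen, -1):
        candidates = list(vpc.subnets(new_prefix=prefix))
        chosen = candidates[:2]
        capacity = workspace_capacity(chosen)
        if capacity >= target:
            leftover = ipaddress.collapse_addresses(candidates[2:])
            return {
                "target": target,
                "subnets": dict(zip(AZS, (str(s) for s in chosen))),
                "capacity": capacity,
                "leftover": [str(n) for n in leftover],
            }
    raise ValueError(f"{vpc} cannot hold {target} WorkSpaces in two subnets")


if __name__ == "__main__":
    # 200 WorkSpaces today, planned for 3x growth, inside a /20 carved from corporate space.
    for key, value in plan_directory_subnets("10.100.0.0/20", 200).items():
        print(f"{key}: {value}")
```

For the sample input the planner settles on two /23 subnets (1,012 WorkSpaces of capacity for a 600 target) and leaves a /22 and a /21 untouched for the next directory, which is the point of Rule #2: size the directory subnets to the realistic end state, not the whole VPC.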
12. Accessing Amazon WorkSpaces: from your agency's network
[Architecture diagram; labels recovered from the slide]
Components
• Users on the agency network (wired, wireless, VPN) using government-provided hardware
• Zero Client Gateway, content filtering (source filtering by IP), transit, InfoSec logging:
all agency network access is untrusted prior to filtering
• AWS Direct Connect into the agency VPC (WorkSpaces, VGW) over redundant private VIFs
• WorkSpaces Service Broker: Authentication Gateway, Session Gateway, Streaming Gateway
• Active Directory on agency servers; MFA
• A) AWS-managed broker (public)
• B) Agency-managed broker (public and/or private)
How client traffic flows (secure protocols, analogous to VPN: SSL and PCoIP w/ IPSec AES-256)
1. Client authenticates (AD and MFA) via Authentication Gateway (SSL)
2. Client brokers desktop session with Session Gateway (SSL)
3. Client accesses desktop through Streaming Gateway (PCoIP w/ IPSec AES-256)
Design notes
• Regional proximity: us-east-1 for US East end users
• Tie into the network via DX with redundant private VIFs
• Use existing IP space (a 10.x.x.x/20 carved from the agency's 10.x.x.x/8)
• Restrict network access
KEY POINT: Kerberos/TGT ticket; Streaming Gateway IP
13. Accessing Amazon WorkSpaces: from ANY network
[Architecture diagram; labels recovered from the slide]
Components
• Users on the corporate network or on a standalone network, using GFE hardware or BYOD
• Zero Client Gateway, content filtering (source filtering by IP), transit, InfoSec logging:
all agency network access is untrusted prior to filtering
• Direct Connect from the corporate network into the agency VPC (WorkSpaces, VGW)
• WorkSpaces Service Broker: Authentication Gateway, Session Gateway, Streaming Gateway
• Active Directory on corporate servers; MFA
• A) AWS-managed broker (public)
• B) Agency-managed broker (public and/or private)
How client traffic flows (secure protocols, analogous to VPN: SSL and PCoIP w/ IPSec AES-256)
1. Client authenticates (AD and MFA) via Authentication Gateway (SSL)
2. Client brokers desktop session with Session Gateway (SSL)
3. Client accesses desktop through Streaming Gateway (PCoIP w/ IPSec AES-256)
Access models
• BYOD: use ANY device, not just GFE hardware
• BYON: more than just BYOD … bring your own network
• NEXT-GEN: the new network for your agency
14. Focus on the basics: the public endpoint
Most public VIFs / DX connections tie into an agency's
network
Inbound data transfer is free
Keep WorkSpaces traffic separate from other outbound
traffic
Larger general Internet pipes; go north of the
border
Broader carrier selection, more competitive
pricing
BYOD can be accomplished
15. Focus on the basics: the private VIF
Cost – are you paying for managed infrastructure?
Security – do you offer public VPN endpoint
connectivity?
Use a public VIF to reach AWS endpoints from your
agency's network
WorkSpaces reach your agency's on-prem
resources via private VIFs
Doesn't the WorkSpaces client act like a VPN?
16. Focus on the basics: secure client computing
• Transparent filtering – firewall/filter: WorkSpaces binding
• Internally NAT’d networks – leads to regionalization
• Centralized logging – catch it before it goes to the border
• On-premises or in AWS – understanding who owns the
border
This is possible today
• L3-L7: Sophos, Ocedo, etc. …
• L7: Squid, WebSense, etc. …
• Most advanced configuration, operationally challenging
19. Image management: the old way
1. Start from stock image
2. Install security and other patches
3. Install malware protection, patch and asset
management, and software distribution agents
4. Create a golden image
5. Deploy image to new workstations
Are we done? Nope! It’s Patch Tuesday, time for a new image.
20. Image management: how to make an image
1. Thick: OS + security patches and all software
2. Thin: OS + light footprint
(management and security patches)
3. Bare bones: Core OS + software distribution agents
(push software, patches, management/protection agents)
TIP: Find the balance between “get going” and automation
Experiments are good. Ask yourself, “Can I work from a
base image or should I regenerate every time?”
21. Image management: image-bundle relationship
A bundle maps to exactly one image
An image can be used by multiple bundles
A bundle can have 1 or more active WorkSpaces
TIP: You cannot remove a bundle that still has active WorkSpaces
What will my bundle look like in 2 years?
• Use patch management to keep older
WorkSpaces updated
• Provision new WorkSpaces from the latest image
• Remember: 1 bundle, 1 image
• Version by creating a new image and associating
it with new user bundles
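The image-bundle-WorkSpace relationship above drives two routine checks: which WorkSpaces still run on a superseded image, and which bundles are safe to delete (the service refuses to remove a bundle with active WorkSpaces). The following is an added example, not from the deck, that answers both over records shaped like the boto3 DescribeWorkspaceImages, DescribeWorkspaceBundles and DescribeWorkspaces responses. The records, names and IDs are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed samples shaped like the boto3 describe_* responses (IDs assumed).
IMAGES = [
    {"ImageId": "wsi-11111111", "Name": "corp-win10-2017-01",
     "Created": datetime(2017, 1, 10, tzinfo=timezone.utc)},
    {"ImageId": "wsi-22222222", "Name": "corp-win10-2017-03",
     "Created": datetime(2017, 3, 14, tzinfo=timezone.utc)},
]
BUNDLES = [
    {"BundleId": "wsb-aaaaaaaa", "Name": "corp-standard-v1", "ImageId": "wsi-11111111"},
    {"BundleId": "wsb-bbbbbbbb", "Name": "corp-standard-v2", "ImageId": "wsi-22222222"},
    {"BundleId": "wsb-cccccccc", "Name": "corp-trial",       "ImageId": "wsi-11111111"},
]
WORKSPACES = [
    {"WorkspaceId": "ws-0001", "UserName": "alice", "BundleId": "wsb-aaaaaaaa", "State": "AVAILABLE"},
    {"WorkspaceId": "ws-0002", "UserName": "bob",   "BundleId": "wsb-bbbbbbbb", "State": "AVAILABLE"},
    {"WorkspaceId": "ws-0003", "UserName": "carol", "BundleId": "wsb-aaaaaaaa", "State": "STOPPED"},
    {"WorkspaceId": "ws-0004", "UserName": "dave",  "BundleId": "wsb-cccccccc", "State": "TERMINATED"},
]


def latest_image(images):
    """The most recently created image is treated as the current golden image."""
    return max(images, key=lambda img: img["Created"])["ImageId"]


def active_workspaces_by_bundle(workspaces):
    """Count non-terminated WorkSpaces per bundle; a TERMINATED record no longer
    pins its bundle."""
    counts = {}
    for ws in workspaces:
        if ws["State"] != "TERMINATED":
            counts[ws["BundleId"]] = counts.get(ws["BundleId"], 0) + 1
    return counts


def stale_workspaces(images, bundles, workspaces):
    """WorkSpaces whose bundle points at an image other than the current one.
    Because a bundle maps to exactly one image, the bundle is enough to know
    which image a WorkSpace was provisioned from."""
    current = latest_image(images)
    image_of = {b["BundleId"]: b["ImageId"] for b in bundles}
    return sorted(
        ws["WorkspaceId"] for ws in workspaces
        if ws["State"] != "TERMINATED" and image_of.get(ws["BundleId"]) != current
    )


def deletable_bundles(bundles, workspaces):
    """Bundles with no active WorkSpaces: the only ones the service will let you delete."""
    in_use = active_workspaces_by_bundle(workspaces)
    return sorted(b["BundleId"] for b in bundles if in_use.get(b["BundleId"], 0) == 0)


if __name__ == "__main__":
    print("current image:", latest_image(IMAGES))
    print("WorkSpaces to re-provision from the latest image:", stale_workspaces(IMAGES, BUNDLES, WORKSPACES))
    print("bundles safe to delete:", deletable_bundles(BUNDLES, WORKSPACES))
```

Against a live account the three constant lists would come from `describe_workspace_images`, `describe_workspace_bundles(Owner="self")` and `describe_workspaces`; the audit logic is unchanged. Note that `stale_workspaces` uses `dict.get` so a bundle whose image has since been deleted still shows up as stale rather than crashing the report.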
22. Image management: application deployment
No technical restrictions on software installation
Manage WorkSpaces like any other desktop
Use your existing toolset to distribute applications
and patches
WorkSpaces Application Manager (WAM)
WorkSpaces Marketplace for Desktop Apps
23. Image management: managing applications with WAM
Amazon WorkSpaces
Application Manager
(Amazon WAM)
Deploy and manage applications
Package your own applications
Upload applications where you own
the license
Subscribe from the AWS Marketplace
for Desktop Apps
25. The most emotional service in any workplace
• Everything is in the human context
• People like their hardware
• “From my cold dead hands…”
• Ask me about my stickers
• “What about offline?”
• How offline are you?
• Hotspot, iPhone/Android tethering?
• “I don’t like Windows.”
• It’s not that bad…
It’s all about customer choice
• Not every user needs a remote desktop
• Be clinical: stay focused on your testing!
26. End user experience: the devices
• PC, Mac, and tablet
• Familiar, eases transition, full options
• Patch and device management concerns
• Zero client
• Silicon and firmware, nothing local
• Fixed asset scenarios
• Universal across OEMs
• Thin client
• Intel or ARM, very small Linux kernel
• Both fixed and mobile
• Very specific to OEMs
• Chromebooks
• The new thin
Future state
• WI-FI and mobile
• No local data
• Easy device management
• No local patching required
27. End user experience: the zero client
• The approach
• Silicon and firmware
• Manufacturing
• Teradici designs Tera2 processor
• LeadTek labs in Asia
• OEMs source units, build systems
• Form factors and features
• Standalone, AiO
• Mostly DVI, some DisplayPort
• No HDMI, Bluetooth, or Wi-Fi
• Management
• PCoIP Management Console
• MC 1.0 w/ firmware 4.x
• MC 2.0 w/ firmware 5.x
PROs
• Truly zero, no patching, MDM
CONs
• Fixed asset
• No MFA support
28. User experience: The Chromebook
• The approach
• Browser-based OS
• Manufacturing
• Intel or ARM (Intel’s winning)
• OEMs build units, license Chrome
• Form factors and features
• Standalone, AiO, laptop, stick
• HDMI, Bluetooth, Wi-Fi
• Management
• Google Apps: Chrome Device Management
• License fee per device
• $50 annual per device
• $150 perpetuity per device (3-year)
PROs
• Zero enough, no patching, MDM
• Modern, mobile, plenty of forms
• MFA support, fast updates
• Bootstrapping is a breeze
CONs
• Available only on net-new purchases
32. Background
• Migration from a XenApp published desktop environment to
Amazon WorkSpaces
• About 200 offices nationally
• Transitioning smaller (2-person) offices to telecommuters
• 1,200 WorkSpaces currently
33. Getting Started
• Make sure you size your VPC with plenty of room for
growth when setting up the pilot: more than you would ever
need
• Create images frequently and keep several available in
case you need to roll back
• Develop a printing strategy
34. Managing WorkSpaces
• Assign WorkSpace operators in AWS Identity and Access
Management (IAM) to delegate simple tasks and improve
responsiveness to issues
• Leverage Group Policy for global settings and changes
• Basic scripting skills can help overcome obstacles
• Automate provisioning of WorkSpaces when users are onboarded. Also
automate deletion of WorkSpaces when accounts are disabled to limit
costs
• Use Amazon CloudWatch to monitor the Unhealthy and
InSessionLatency metrics and proactively address issues
35. Fine Tuning
• Consider migrating services that WorkSpaces depend
upon into the AWS Region to improve performance
• Re-evaluate network and ISP needs periodically as
services move between on-prem, data center and cloud
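The onboarding/offboarding automation above is a reconciliation loop: compare the directory's view of who should have a desktop with the WorkSpaces the service reports, then create and terminate accordingly. The following is an added example, not the customer's own tooling, that computes and applies that plan. The directory export, the WorkSpaces listing, the directory and bundle IDs and the entitlement group name are constructed assumptions; the only AWS calls used are `create_workspaces` and `terminate_workspaces`, and they run only when `dry_run=False`. The blast-radius guard is a practitioner's caveat: a broken directory feed that returns everyone as "disabled" would otherwise terminate the whole fleet.

```python
# Assumed identifiers for illustration.
DIRECTORY_ID = "d-0123456789"         # WorkSpaces directory the users belong to
BUNDLE_ID = "wsb-0123456789"          # bundle to provision new desktops from
ENTITLED_GROUP = "WorkSpaces-Users"   # AD group that grants a desktop
MAX_TERMINATE_FRACTION = 0.10         # refuse to remove more than 10% of the fleet per run
API_BATCH = 25                        # CreateWorkspaces/TerminateWorkspaces accept up to 25 items

# Constructed sample of an AD export (what an ldap3 search would return, simplified).
DIRECTORY_USERS = [
    {"sAMAccountName": "alice", "enabled": True,  "groups": ["WorkSpaces-Users"]},
    {"sAMAccountName": "bob",   "enabled": True,  "groups": ["WorkSpaces-Users"]},  # new joiner
    {"sAMAccountName": "carol", "enabled": False, "groups": ["WorkSpaces-Users"]},  # leaver
    {"sAMAccountName": "dave",  "enabled": True,  "groups": []},                    # not entitled
]

# Constructed sample shaped like describe_workspaces()["Workspaces"].
EXISTING_WORKSPACES = [
    {"WorkspaceId": "ws-aaaaaaaa", "UserName": "alice", "State": "AVAILABLE"},
    {"WorkspaceId": "ws-cccccccc", "UserName": "carol", "State": "STOPPED"},
    {"WorkspaceId": "ws-eeeeeeee", "UserName": "erin",  "State": "AVAILABLE"},  # no AD account at all
]


def plan(users, workspaces):
    """Return (user names to create for, WorkSpace IDs to terminate).

    Create: enabled, entitled users with no live WorkSpace.
    Terminate: WorkSpaces whose user is disabled, no longer entitled, or absent
    from the directory (an orphan)."""
    live = {ws["UserName"].lower(): ws for ws in workspaces if ws["State"] != "TERMINATED"}
    known = {u["sAMAccountName"].lower(): u for u in users}
    to_create = sorted(
        name for name, u in known.items()
        if u["enabled"] and ENTITLED_GROUP in u["groups"] and name not in live
    )
    to_terminate = sorted(
        ws["WorkspaceId"] for name, ws in live.items()
        if name not in known
        or not known[name]["enabled"]
        or ENTITLED_GROUP not in known[name]["groups"]
    )
    return to_create, to_terminate


def within_blast_radius(to_terminate, fleet_size):
    """True when the terminations are small enough to be a normal day's churn."""
    return len(to_terminate) <= MAX_TERMINATE_FRACTION * fleet_size


def _batches(items):
    for i in range(0, len(items), API_BATCH):
        yield items[i:i + API_BATCH]


def apply(to_create, to_terminate, fleet_size, dry_run=True):
    """Apply the plan.  Refuses outright if the terminations exceed the guard,
    since a mass offboarding almost always means the directory feed is wrong."""
    if not within_blast_radius(to_terminate, fleet_size):
        raise RuntimeError(
            f"refusing to terminate {len(to_terminate)} of {fleet_size} WorkSpaces; "
            "check the directory export before overriding"
        )
    if dry_run:
        return {"create": to_create, "terminate": to_terminate}
    import boto3  # imported here so the planning logic stays usable offline
    ws = boto3.client("workspaces")
    for batch in _batches(to_create):
        ws.create_workspaces(Workspaces=[
            {"DirectoryId": DIRECTORY_ID, "UserName": user, "BundleId": BUNDLE_ID}
            for user in batch
        ])
    for batch in _batches(to_terminate):
        ws.terminate_workspaces(TerminateWorkspaceRequests=[
            {"WorkspaceId": wid} for wid in batch
        ])
    return {"create": to_create, "terminate": to_terminate}


if __name__ == "__main__":
    creates, terminates = plan(DIRECTORY_USERS, EXISTING_WORKSPACES)
    fleet = sum(1 for w in EXISTING_WORKSPACES if w["State"] != "TERMINATED")
    print("would create for:", creates)
    print("would terminate:", terminates)
    try:
        apply(creates, terminates, fleet_size=fleet)
    except RuntimeError as err:
        print("guard tripped:", err)
```

On the constructed data the plan is to create a desktop for bob and terminate carol's and erin's; with only three live WorkSpaces that is two-thirds of the fleet, so the guard refuses and a human has to look. In production, run it from a scheduled job under an IAM role limited to `workspaces:DescribeWorkspaces`, `workspaces:CreateWorkspaces` and `workspaces:TerminateWorkspaces`, and keep the dry-run output in the job log so every termination is traceable to a directory change.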