×
Community Blog How to Create a Secure Remote Workspace on Alibaba Cloud

How to Create a Secure Remote Workspace on Alibaba Cloud

This thorough article explains how to create a secure remote workspace on Alibaba Cloud in four steps.

By Victor Mak, Lead Solutions Architect from Alibaba Cloud Intelligence International Macau

Background Information

The coronavirus outbreak forced unprecedented changes in work culture worldwide, and most people worked from home. From a company perspective, building a remote workspace become a new trend. However, security, employee satisfaction, and cost-efficiency become the main challenges:

  • Security – How can a company make sure the network communication is secure without data leaks? (e.g. screen capture, transferring company documents via USB drive, etc.)
  • Employee Satisfaction – How can a company provide high-performance remote connectivity to graphic designers and engineers to work on designs or video scenarios remotely?
  • Cost Efficiency – 90% of employees do not remote to their workspace during non-office hours, the company still need to pay for those computing resources even they were wasted, the company needs to find a way to lower costs. For example, shut down the workspaces during non-office hours and dynamically scale up the workspace resources for those ad-hoc projects.

Alibaba Cloud Workspace Solution

Alibaba Cloud Elastic Desktop Services (EDS) is a product that allows quick and convenient creation and deployment as well as centralized management and O&M for desktop environments. The company can create a secure, high-performance, and cost-efficient cloud desktop quickly without making large hardware investments upfront. EDS is widely applied in fields, such as finance, design, video, and education, which have high requirements for secure data management and control and high-performance computing.

Some EDS benefits:

Secure and Reliable - Data is stored on the cloud, which reduces the risks of data leaks. Data access protocols are encrypted securely, and storage reliability is 99.9999999% (nine 9's).

On-Demand Deployment - You can deploy cloud desktops on-demand and access your cloud desktops anytime, anywhere, and from any EDS client.

Access Security - EDS uses Active Directory (AD) for secure account management. This allows access to the authentication systems of enterprises.

Support for GPUs - EDS supports high-performance display protocols, such as image design and modeling protocols, to meet video editing requirements.

Combine with Alibaba Cloud VPN and Identity as a Service (IDaaS), a cloud-based identity and access management service (IAM) covering comprehensive functions that enable user portal, user directory, flexible authentication, single sign-on, centralized authorization, and audit reporting to provide a secure remote workspace and extreme performance to employees to enjoy their work at any time at anywhere.

Best Practice for Secure Remote Workspace

The section below describes how to build up a secure remote workspace based on Alibaba Cloud best practices step by step:

Architecture Diagram

The following figure illustrates the architecture to build a secure workspace:

1

Prerequisites

Before you begin, make sure of the following:

  • You have an Alibaba Cloud account. If not, sign up with Alibaba Cloud and add a payment method.
  • If you have an existing Microsoft Active Directory Server, it can be on-premise or on the cloud. Make sure the server network connectivity can connect to Alibaba Cloud via VPN or lease line. In this tutorial, we will use the ECS instance act below as an Active Directory server with the internal IP address 172.30.64.58 and use Alibaba Cloud Enterprise Network (CEN) to connect EDS and Active Directory Server.

2

Step 1: Configure Alibaba Cloud Elastic Desktop Service (EDS) Secure Office Network

Since Elastic Desktop Service (EDS) needs to communicate with Active Directory Server via Cloud Enterprise Network (CEN), please follow the step below to create a CEN instance:

1.  Log on to the CEN console

2.  On the Instances page, click Create CEN Instance:

3
4

3.  Click Create Transit Router, Select the Region where your Active Directory is located (e.g. Hong Kong Region), and fill in the Name for Transit Router:

5

4.  Once you have created the transit router, you need to add the VPC where your Active Directory is located into the transit router by clicking Create Connection:

6

5.  In the Network Type, select VPC and fill in corresponding information about where the VPC is located:

7
8

Step 2: Enable EDS Active Directory (AD) Integration and Apply the Secure Policies

Before you can enable Active Directory (AD) integration in EDS, you need to create a workspace. A workspace is a collection of environment configurations of cloud desktops and includes settings, such as secure office networks, user account systems, and Internet access. Cloud desktops are deployed within workspaces. This topic describes the terms and features of workspaces. Please follow the steps below to create a workspace in EDS:

1.  Log on to the EDS console

2.  On the left-side navigation pane, click Overview. Then, on the Overview page, click Create Workspace:

9

3.  In the create workspace step, select a region, enter a workspace name, and specify the IPv4 CIDR block. To connect the workspace to the Active Directory Server, you need to select the Join cloud enterprise network you created above. Then, click Next: Configure Account System.

10

4.  Select Enterprise AD account number, enter the Active Directory Server IP address in the DNS Address field, and add a Domain Name. (In this example, we used “alibabacloud.local”):

11

5.  Enter the username and password of the domain administrator and click Next: Access Public Network Settings if you need to enable Internet access for those EDS resources. (Note: If you do not need to access the Internet, you can click Create a workspace immediately without public network services.)

12

6.  Select Open public network access for desktop and specify the peak bandwidth value. Click Create workspace now:

13

7.  After you have created the workspace, you should verify the result on the Secure office network section on the left-hand side. You can see an Active Directory Connector is in Registering Status. The connection address is 192.168.255.251.

14

8.  Before configuring AD integration between your Active Directory and EDS, make sure the EDS VPC can access the Active Directory services with the configured firewall policies below:

15

9.  You must enable zone transfer for the DNS addresses of the domains of your enterprise AD system:

  • Log on to the DNS server of the enterprise AD domain
  • In the DNS Manager dialog box, click Forward Lookup Zones
  • Right-click a zone and select Properties. On the Zone Transfers tab of the Properties dialog box, select Only to the following servers and enter 192.168.255.251. (Note: Repeat the following steps to configure the properties for the two zones, msdcs zone and domain zone)

16

10.  You must configure the conditional forwarder for the DNS addresses of the domains of your enterprise AD system. In the DNS Manager dialog box, right-click Conditional Forwarders and select New Conditional Forwarder. Enter ecd.acs in the DNS domain and IP address 192.168.255.251 of the master servers and click OK:

17

11.  After the preceding configurations are complete, the Active Directory Connector is now in the Registered state:

18

12.  You can create a desktop by navigating to Desktops under Cloud Desktops and clicking Create Cloud Desktop:

19

13.  On the Elastic Desktop Service Create Desktop page, configure the parameters for the cloud desktop. (In this example, under billing method, select Subscription, enter desktop name, and select the workspace you created before and the number of cloud desktops you want to purchase):

20

14.  Select Desktop Templates for cloud desktop and duration and click Confirm Order:

21
22

15.  The desktop you created is up and running now:

23

16.  On the Cloud Desktops page, find the cloud desktop that you want to assign to regular users, click the More icon in the Actions column, and then click Assign Users:

24

17.  In the Assign Users panel, select users in the Active Directory and click OK.

25

Step 3: Apply the Secure Policies and Security Protection

A policy is a set of security rules used to control security configurations when regular users use cloud desktops. A policy contains a basic policy (USB redirection and watermarks) and one or more network control rules (inbound and outbound traffic rules):

1.  On the left-side navigation pane, click Policy Management and then Create Policy:

26

2.  Here are the best practices settings to build a secure remote workspace. You can also modify the settings based on company policies and leads:

  • USB Redirection – Disable
  • Watermark – Enable
  • Local Disk Mapping – Disable
  • Clipboard - Disable

27

3.  After you have successfully created secure policies, on the Cloud Desktops page, find the cloud desktop for which you want to change the policy, click the More icon in the Actions column, and then click Change Policy.

28

4.  In the Change Policy panel, select a policy and click Modify:

29

The security protection feature provides antivirus and vulnerability detection and fixing for all cloud desktops within a specific region to ensure security. The security protection feature provides the following capabilities based on Security Center:

  • Antivirus - Detects and removes common trojan viruses, ransomware, mining viruses, and DDoS trojans
  • Vulnerability Detection and Fixing - Detects and fixes common vulnerabilities, including Windows system vulnerabilities and Linux software vulnerabilities

1.  On the left-side navigation pane, choose Security Protection under Security Center and click Try it now:

30

2.  After security protection is enabled, the system scans your cloud desktops once every day. You can also trigger scanning manually based on your needs by clicking Scan Now and selecting the workspace for which you want to perform manual scanning.

31

3.  After completing security scanning, the statistics of the scan results are displayed by severity, as shown in the following figure:

32

4.  On the left-side navigation pane, choose Vulnerability Fix under Security Center. You can filter vulnerabilities by selecting the required options from the Emergency level. Find the vulnerability that you want to fix and click Repair in the Actions column:

33

5.  You can either select automatically create snapshots and repair or repair directly without creating snapshot. Then, click Repair Now.

34

Step 4: Build a VPN with 2FA to use Alibaba Cloud Identity as a Service

To allow employees remote access to the cloud desktop via a secure connection, customers can use Alibaba Cloud VPN services and integrate with Alibaba Cloud Identity as a Service (iDaaS) to provide 2FA authentication via Active Directory.

1.  Log on to the Alibaba Cloud iDaaS console and click Buy iDaaS:

35

2.  Click Buy Now and Purchase to enable iDaaS:

36

3.  Once the iDaaS instance is ready, you can click Manage in the iDaaS console:

37

4.  Navigate to Authentication Sources under Authentication, find LDAP and click Add Authentication Source:

38

5.  Fill in the LDAP information:

  • Set LDAP URL to the Public IP address and port number of the AD domain
  • Set LDAP Base, LDAP Account, and LDAP account password to the values of AD
  • Set Filter Condition to (sAMAccountName=$username$)
  • Select Update iDaaS Password to update the LDAP password in iDaaS

39

6.  Make sure LDAP status is switched ON:

40

7.  Navigate to Cloud Product AD Authentication under Security Settings, select AD Authentication Source and switch to Enable. Then, click Save:

41

8.  Navigate to Organizations and Groups under Users, click Configure LDAP and Create on the right side to configure the LDAP settings:

42
43

9.  Fill in the LDAP server information on the Server Connection sheet:

  • Set Server Address and Port Number to the Public IP address and port number of the AD domain
  • Set LDAP Base DN, Administrator DN, and password to the values of AD
  • Select Windows AD
  • Click Test Connection to verify connectivity between iDaaS and AD

44

10.  Switch to Field Matching Rules, follow the instruction, fill in the necessary information, and click Save. There is configure sample below:

45

11.  Navigate to Account under Import. Then, click import and OK to import account to iDaaS:

46
47

12.  The lists of accounts are ready to import to iDaaS; select Confirm Import. Now, you have done all the iDaaS configuration. You are ready to integrate with the VPN gateway on 2FA authorization.

48

13.  Log on to the Alibaba Cloud VPN Gateway console and click Create VPN Gateway:

49

14.  Select the Region, VPC, and vSwitch that you want the VPN Gateway to create. Make sure SSL-VPN Enable is selected and click Buy Now:

50

15.  Navigate to SSL Servers and click Create SSL Server:

51

16.  Fill in the value of the SSL Server name, VPN Gateway, Local Network, and Client Subnet. Then, enable Advanced Configuration. Here is the explanation for Local Network:

  • 100.64.0.0/10 – Cloud Desktop clients should use this subnet to connect EDS gateway.
  • 192.168.0.0/16 – Cloud Desktop VPC subnet
  • 172.16.0.0/12 – Active Directory server subnet
  • 100.100.2.136/32, 100.100.2.138/32 – Alibaba Cloud Internal DNS

52

17.  Select Advanced Configuration. Enable Two-factor Authentication and select IDaaS Instance:

53

18.  Navigate to SSL Clients under VPN and click Create Client Certificate:

54

19.  Fill in the Name and select SSL Server. Then, click OK.

55

20.  Since the subnet 10.1.0.0/24 will be used for the SSLVPN client, you need to publish this route to Cloud Enterprise Network (CEN) by navigating to Route Tables under VPC. Then, click Publish.

56

21.  You have completed all the configurations! You are ready to verify the result.

Verify the Result

1.  Download the Client Certificate from SSL Clients you created:

57

2.  Depending on which operating system you are using, you need to download and install VPN software that supports the OpenVPN protocol. Since Cloud Desktop needs to communicate with gateway via domain name, you need to modify the .ovpn file and add DNS options that redirect to Alibaba Cloud Internal DNS (100.100.2.136 and 100.100.2.138).

58

3.  Double-check the .ovpn file to connect to Alibaba Cloud VPN Gateway. The VPN software will require you to log in before it establishes the VPN connection. Fill in the Active Directory username and password and click OK:

59

4.  Download and install Cloud Desktop Soft Terminal from the EDS console:

60

5.  Once installed, you can connect to Cloud Desktop via a soft terminal. Now, select region and input working directory ID. You can find the working directory ID in the Cloud Desktop console:

61
62

6.  Use your Active Directory Account and Password to log in to Cloud Desktop:

63

7.  Click Connect to log in to Cloud Desktop:

64

8.  You are now logged on to Cloud Desktop via a secure network and applied secure policies, such as watermark:

65

0 0 0
Share on

Alibaba Cloud Community

101 posts | 4 followers

You may also like

Comments