How to create a jumper box in AWS VPC

本来是写的Word文档,给其他国家的同时看的,所以一开始就是英文写的,也没打算翻译成为中文了,顺便抱怨下,网上资料找了很久的资料都没有看到介绍怎么在单机环境下搭建RD Gateway的,写本文的目的是给公司的同事介绍下怎么搭建一台跳转机来做远程登录,同时希望可以帮到有需要的人。

在AWS的VPC中,我们是把所有的服务器都独立于外部的,不允许外部直接进行访问,所以如果要远程登录到VPC里面的服务器,是需要通过一台跳转服务器来进行远程登录的。这里在Windows的环境下是通过RD Gateway over SSL 的方式搭建的。本人已经测试过了,可以正常使用。

由于个人比较偷懒,不想在Blog中进行编辑了,所以原始文档中的图片就都没法插入到博客中了,下面在每个具体的任务中的数字排序也有点乱了。但是如果你要看的话,就是按照顺序看下就好了,操作步骤也是一步一步操作的。基本上文字描述大家都比较清楚。如果你有什么问题不明白的可以留言问我。

Create jump box

Request a server from AWS

  1. Select an AMI, here we select the windows server 2012 R2 Base
  1. Select t2.small as instance type
  2. In the step of ‘Configure Instance’, follow by:

Network: the VPC you just created

Subnet: select the public subnet

Auto-Assign public IP: Enable

Others by default.

  1. Default 30G size is ok in the step of ‘Add Storage’
  2. In the ‘Add Tags’ step, please specify the name: Group(your number)-JumperBox
  3. In the step of ‘Configure Security Group’, we create a new security group here, and allow the port of 3389, 443 to access by everyone(in the real case, 3389 only for administrator’s IP access)
  1. When you click the ‘Launch’ button, it will ask you to select a key pairs, please create a new one here, and for the coming EC2 request, you should use the same key pairs file.
  1. Go back to Instance page, and find the EC2 server you just created, find the IP, then prepare to remote to this server(please note you have to switch to non-Merck network environment to remote this server)
  1. Click this server, and from the Actions menu to get this server’s password, here you need to upload the key pairs file to get the password
  1. Open your compute, start->run->input ‘mstsc /f’ command. Input username and password. Then login to the server.
  2. Copy the certificate generation tool from sharefoler to a place you want to save.
  3. Open your cmd window, locate into the tool folder:

Create the certificate

  1. Create a self-sign root cert(issuer):

makecert -n "CN=yourpublicip" -r  -eku 1.3.6.1.5.5.7.3.1 -sv yourpublicip.pvk yourpublicip.cer

 

input the password, for testing purpose, you can just input 1

  1. Convert the pvk file to pfx file, execute the bellow two commands one bye one, input password 1 in the second command.

cert2spc yourpublicip.cer yourpublicip.spc

pvk2pfx -pvk yourpublickip.pvk -spc yourpublicip.spc -pfx youpublicip.pfx

 

Now the pfx file is created.

  1. So far, we have one .cer file, and one .pfx file. we will use the two files later
  2. Click Server Manager->on the Dashboard->Add roles and features
  3. Select Role-based or feature-based installation

Install the Remote Desktop Services

  1. Select the current server
  1. In the server roles, select Remote Desktop Services
  1. In the role services, select Remote Desktop Gateway, it will prompt a window to ask you add related features, please add all.
  1. In the Network Policy And Access Services, please select the Network Policy Server
  1. In the Web Server Role(IIS), except for the default selection, please add one more: ASP.NET 4.5.
  1. Click install and wait it till to complete.
  2. You will see the components like below screenshot if you installed successfully
  3. In the administrative tools, open the internet information services(IIS) manager.
  4. click the computer name node:
  5. locate into the Server Certificates which is on the right pane under IIS section, double click it

Configure the RD Gateway over SSL

  1. in the Actions pane, click Import… link, it will ask you provide the .pfx file
  1. Browse the .pfx file you saved in the last step. And password should be empty, click OK button
  1. Locate into the Default Web Site node
  1. In the right pane, click Bindings… link
  1. Add 443 port, and select the cert you just upload. Then click OK button.
  1. Go back to the administrative tools, click Remote Desktop Gateway Manager
  1. Under the policies, select the Connection Authorization Policies, and Create New Policy
  1. Using the wizard
  1. Input the name
  1. Add who can connect this RD gateway, here we let all users who are in the builtin\users group
  1. Keep default in the Device Redirection secton
  1. Session timeout, enable session timeout
  1. Click next till to finish.
  2. Follow the above same step, create another policy 2, in this policy, we allow the administrators group user can connect the RD Gateway
  3. Now you have created two policies as bellow:
  1. Let’s start to create RAP now
  1. Add the users group
  1. Allow users to connect to any network resource(computer)
  1. Allow connections only to port 3389
  1. Click finish, and the same, create another RAP policy for administrators, then you can see the bellow screenshot
  1. We are almost done, last we need to configure the SSL for the RD Gateway, locate into computer node, right click and select properties
  1. Click the SSL Certificate tab, and select Import a certificate…
  1. Browse and import certificate which you just save at the before step.
  1. Empty password, click OK button to show the bellow alert.
  1. Uncheck the UDP Transport Settings in the Transport Settings tab
  2. Click Apply and close this window
  3. Restart the RD Gateway services.

Create a user in server

  1. Create a user
  1. Password never expires
  1. Make sure this user only in the Users group.

Install certificate on your personal computer

  1. Copy the .cer file from server to your laptop
  2. Double click the cert
  3. Click Install Certificate… button
  1. Choose the ‘Trusted Root Certification Authorities’ as the certificate store.
  1. Click Next ,when you click finish button, it will have alter window, please click Yes button
  2. To verify the cert if is ok, open your IE, and input https://yourpublicip , if there is no warning page, then it turns out you are in the right status.

Start remote desktop connection from your computer

  1. In the advanced tab, click Settings…
  2. Select ‘Use these RD Gateway server settings’
  3. Input the server IP
  4. Check the Bypass RD Gateway….
  5. Uncheck ‘Use my RD Gateway…’
  6. Save the file, and click to connect
  7. Firstly, it will ask you to input the credential of the RD Gateway user name and password, if pass, then it will ask you to input the target server credentials.
时间: 2024-11-05 12:32:51

How to create a jumper box in AWS VPC的相关文章

AWS - VPC site-to-site VPN

前面豆子学习了如何配置VPC的公网,私有网,NAT实例以及VPC Peering,现在看看一些更复杂一些的应用.豆子总结了一下如何将不同Region的VPC之间通过EC2的VPN Instance 的IPSec Tunnel来实现互相访问. 豆子的实验环境如下: 在新加坡搭建一个VPC 网络 10.2.0.0/16, 悉尼搭建一个VPC网络 10.1.0.0/16, 然后两个网络分别搭建一个EC2实例,然后通过IPsec使得两个网络可以互相访问. 基本步骤如下 配置VPC网络,包括Subnet,

AWS - VPC Peering

在AWS的核心服务中,VPC毫无疑问是最重要的一环.用户需要给虚拟机定义一个CIDR 网络范围,并在其中划分子网和配置防火墙和路由等等.那么不同的网络范围如何互相访问呢? 目前 AWS下面可以分成下面几种情况: 1. 在同一个VPC下的子网,本身默认就是可以互相访问的,用户只需要对ACL和Security Group进行访问控制即可: 2. 如果想把公司的数据中心网络和AWS联系起来,可以通过配置VPN Connection在VPC配置Virtual Private Gateway, 在公司数据

aws vpc 知识总结(助理级)

一 什么是vpc? Amazon Virtual Private Cloud(Amazon VPC)使您可以将AWS资源启动到您定义的虚拟网络中. 虚拟的云计算. /* 1 默认vpc ? 创建一个具有大小 /16 IPv4 CIDR块 (172.31.0.0/16)的VPC .这最多提供65,536个私有IPv4地址. 在每个可用区中创建一个默认的子网,大小是 /20 .每个子网最多提供4,096个地址,其中一些保留供我们使用. 创建一个互联网网关并将其连接到您的默认VPC. 默认安全组,并将

AWS标准扩容(三)

AWS扩容过程: You can increase the storage space of an existing EBS volume without losing the data on the volume. 你能够不丢数据地增加现在EBS卷上的存储空间. To do this, you migrate your data to a larger volume and then extend the file system on the volume to recognize the n

Installing the AWS SAM CLI on macOS

Installing the AWS SAM CLI on macOS https://docs.aws.amazon.com/zh_cn/serverless-application-model/latest/developerguide/serverless-sam-cli-install-mac.html The following steps help you to install and configure the required prerequisites for using th

How to use aws CloudFront for CDN

How to use aws CloudFront for CDN 1. create a new distribution in AWS cloudfront service, select alternative domain names 2. create a new subdomain, and point the new subdomain CNAME to the xxxxxxxx.cloundfront.net you just got from the service. 3. D

Box layout

Layout management with layout classes is much more flexible and practical. It is the preferred way to place widgets on a window. The QtGui.QHBoxLayout and QtGui.QVBoxLayout are basic layout classes that line up widgets horizontally and vertically. Im

Create PropertyManager Page Example (VB.NET)

1 SolidWorks API Help 2 Create PropertyManager Page Example (VB.NET) 3 This example shows how to create a PropertyManager page that contains two selection boxes, a combo box, 4 5 and a list box. This example also shows how to handle focus events for

AWS: IAM - Identity Access Management

AWS: IAM - Identity Access Management IAM is Global, not for a specific region Customize your own IAM users sign-in link:For example: https://YOUR_NAME.signin.aws.amazon.com/console Core Fundamentals: UsersGroupsRolesPolicies For root user account: F