在AWS的VPC中,我們是把所有的服務(wù)器都獨(dú)立于外部的,不允許外部直接進(jìn)行訪問(wèn),所以如果要遠(yuǎn)程登錄到VPC里面的服務(wù)器,是需要通過(guò)一臺(tái)跳轉(zhuǎn)服務(wù)器來(lái)進(jìn)行遠(yuǎn)程登錄的。這里在Windows的環(huán)境下是通過(guò)RD Gateway over SSL 的方式搭建的。本人已經(jīng)測(cè)試過(guò)了,可以正常使用。
Select an AMI, here we select the windows server 2012 R2 Base
?
Select t2.small as instance type
In the step of ‘Configure Instance’, follow by:
Network: the VPC you just created
Subnet: select the public subnet
Auto-Assign public IP: Enable
Others by default.
Default 30G size is ok in the step of ‘Add Storage’
In the ‘Add Tags’ step, please specify the name: Group(your number)-JumperBox
In the step of ‘Configure Security Group’, we create a new security group here, and allow the port of 3389, 443 to access by everyone(in the real case, 3389 only for administrator’s IP access)
?
When you click the ‘Launch’ button, it will ask you to select a key pairs, please create a new one here, and for the coming EC2 request, you should use the same key pairs file.
?
Go back to Instance page, and find the EC2 server you just created, find the IP, then prepare to remote to this server(please note you have to switch to non-Merck network environment to remote this server)
?
Click this server, and from the Actions menu to get this server’s password, here you need to upload the key pairs file to get the password
?
Open your compute, start->run->input ‘mstsc /f’ command. Input username and password. Then login to the server.
Copy the certificate generation tool from sharefoler to a place you want to save.
Open your cmd window, locate into the tool folder:
So far, we have one .cer file, and one .pfx file. we will use the two files later
Click Server Manager->on the Dashboard->Add roles and features
Select Role-based or feature-based installation
Install the Remote Desktop Services
?
Select the current server
?
In the server roles, select Remote Desktop Services
?
In the role services, select Remote Desktop Gateway, it will prompt a window to ask you add related features, please add all.
?
In the Network Policy And Access Services, please select the Network Policy Server
?
In the Web Server Role(IIS), except for the default selection, please add one more: ASP.NET 4.5.
?
Click install and wait it till to complete.
You will see the components like below screenshot if you installed successfully
In the administrative tools, open the internet information services(IIS) manager.
click the computer name node:
locate into the Server Certificates which is on the right pane under IIS section, double click it
Configure the RD Gateway over SSL
?
in the Actions pane, click Import… link, it will ask you provide the .pfx file
?
Browse the .pfx file you saved in the last step. And password should be empty, click OK button
?
Locate into the Default Web Site node
?
In the right pane, click Bindings… link
?
Add 443 port, and select the cert you just upload. Then click OK button.
?
Go back to the administrative tools, click Remote Desktop Gateway Manager
?
Under the policies, select the Connection Authorization Policies, and Create New Policy
?
Using the wizard
?
Input the name
?
Add who can connect this RD gateway, here we let all users who are in the builtin\users group
?
Keep default in the Device Redirection secton
?
Session timeout, enable session timeout
?
Click next till to finish.
Follow the above same step, create another policy 2, in this policy, we allow the administrators group user can connect the RD Gateway
Now you have created two policies as bellow:
?
Let’s start to create RAP now
?
Add the users group
?
Allow users to connect to any network resource(computer)
?
Allow connections only to port 3389
?
Click finish, and the same, create another RAP policy for administrators, then you can see the bellow screenshot
?
We are almost done, last we need to configure the SSL for the RD Gateway, locate into computer node, right click and select properties
?
?
Click the SSL Certificate tab, and select Import a certificate…
?
Browse and import certificate which you just save at the before step.
?
Empty password, click OK button to show the bellow alert.
?
Uncheck the UDP Transport Settings in the Transport Settings tab
Click Apply and close this window
Restart the RD Gateway services.
?
Create a user in server
Create a user
?
Password never expires
?
Make sure this user only in the Users group.
?
Install certificate on your personal computer
Copy the .cer file from server to your laptop
Double click the cert
Click Install Certificate… button
?
Choose the ‘Trusted Root Certification Authorities’ as the certificate store.
?
Click Next ,when you click finish button, it will have alter window, please click Yes button
To verify the cert if is ok, open your IE, and input https://yourpublicip , if there is no warning page, then it turns out you are in the right status.
?
Start remote desktop connection from your computer
In the advanced tab, click Settings…
Select ‘Use these RD Gateway server settings’
Input the server IP
Check the Bypass RD Gateway….
Uncheck ‘Use my RD Gateway…’
Save the file, and click to connect
Firstly, it will ask you to input the credential of the RD Gateway user name and password, if pass, then it will ask you to input the target server credentials.
