This section explains how to secure data by using encryption. It describes encryption in transit and at rest, and the use of security groups to protect network access to the WorkSpaces. This section also provides information on how to control end device access to WorkSpaces by using Trusted Devices. Additional information on authentication (including MFA support) in the AWS Directory Service can be found in this section.

Amazon WorkSpaces uses cryptography to protect confidentiality at different stages of communication (in transit) and also to protect data at rest (encrypted WorkSpaces). The process at each stage of the encryption used by Amazon WorkSpaces in transit is described below. For information about the encryption at rest, refer to the section on encrypted WorkSpaces.

The desktop client application communicates with Amazon for registration, updates and authentication over HTTPS (port 443).

Authentication stage

The desktop client initiates authentication by sending credentials to the authentication gateway. The communication between the desktop client and the authentication gateway uses HTTPS. At the end of this stage, if the authentication succeeds, the authentication gateway returns an OAuth 2.0 token to the desktop client through the same HTTPS connection.

The desktop client application supports the use of a proxy server for port 443 (HTTPS) traffic, for updates, registration, and authentication.

After receiving credentials from the client, the authentication gateway sends an authentication request to AWS Directory Service. The communication from the authentication gateway to AWS Directory Service takes place over HTTPS, so no user credentials are transmitted in plaintext.

Authentication - Active Directory Connector (ADC)

AD Connector uses Kerberos to establish authenticated communication with on-premises AD, so it can bind to LDAP and execute subsequent LDAP queries. Client-side LDAPS support in AD Connector is also available to encrypt queries between Microsoft AD and AWS applications. Before implementing client-side LDAPS, review its prerequisites. The AWS Directory Service also supports LDAP with TLS. No user credentials are transmitted in plaintext at any time.

For increased security, it is possible to connect the WorkSpaces VPC with the on-premises network (where AD resides) using a VPN connection. When using an AWS hardware VPN connection, customers can set up encryption in transit by using standard IPsec (Internet Key Exchange (IKE) and IPsec SAs) with AES-128 or AES-256 symmetric encryption keys, SHA-1 or SHA-256 for the integrity hash, and DH groups 2, 14-18, 22, 23 and 24 for phase 1 and groups 1, 2, 5, 14-18, 22, 23 and 24 for phase 2, using perfect forward secrecy (PFS). SHA-1 and DH groups 1, 2 and 5 (1536-bit MODP or smaller) remain selectable for compatibility with older peers; a new deployment should choose SHA-256 and a 2048-bit or larger DH group such as 14.

Broker stage

After receiving the OAuth 2.0 token (from the authentication gateway, if the authentication succeeded), the desktop client queries Amazon WorkSpaces services (Broker Connection Manager). The desktop client authenticates itself by sending the OAuth 2.0 token and, as a result, the client receives the endpoint information of the WorkSpaces streaming gateway.

Streaming stage

The desktop client requests to open a PCoIP session with the streaming gateway (using the OAuth 2.0 token). This session is AES encrypted (see below for the key length, which defaults to 128-bit unless the WorkSpace is configured for 256-bit) and uses the PCoIP port for communication. Using the OAuth 2.0 token, the streaming gateway requests the user-specific WorkSpaces information from the Amazon WorkSpaces service. The streaming gateway also receives the TGT from the client (which is encrypted using the client user's password) and, by using Kerberos TGT pass-through, the gateway initiates a Windows login on the WorkSpace, using the user's retrieved Kerberos TGT. The WorkSpace then initiates an authentication request to the configured AWS Directory Service, using standard Kerberos authentication. After the WorkSpace is successfully logged in, the PCoIP session is established.

The connection is initiated by the client on port TCP 4172, with the return traffic on port UDP 4172. Additionally, the initial connection between the streaming gateway and a WorkSpaces desktop is made over the management interface (refer to the documentation for Address and Port Requirements for Amazon WorkSpaces; the initial outbound UDP port is 55002). The streaming connection, using ports 4172 (TCP and UDP), is encrypted by using AES 128- and 256-bit ciphers, but defaults to 128-bit. Customers can actively change this to 256-bit, either using PCoIP-specific AD Group Policy settings for Windows WorkSpaces or with the PCoIP agent configuration file for Amazon Linux WorkSpaces. For more information about Group Policy administration for Amazon WorkSpaces, refer to the Amazon WorkSpaces documentation.

Network interfaces

Each Amazon WorkSpace has two network interfaces, called the primary network interface and the management network interface.
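The IKE/IPsec parameter sets from the AD Connector section above, turned into a configuration check. This is an added example, not AWS code or anything from this page: it transcribes the supported encryption, integrity and DH-group sets listed above (which may lag current AWS VPN documentation), and its notion of "weak" (SHA-1 and DH groups below 2048-bit MODP) is the example's own policy. The Proposal type, the function names and the two sample configurations are constructed for illustration.

```python
"""Added example (not AWS code): check a proposed site-to-site VPN
configuration against the IKE/IPsec parameter sets listed in the text
above, and flag the accepted-but-weak choices.

The SUPPORTED_* sets are transcribed from this page; the WEAK_* policy
(SHA-1 and DH groups below 2048-bit MODP) is this example's own.
"""
from dataclasses import dataclass


SUPPORTED_ENCRYPTION = {"aes128", "aes256"}
SUPPORTED_INTEGRITY = {"sha1", "sha256"}
SUPPORTED_DH = {
    1: {2, *range(14, 19), 22, 23, 24},        # phase 1 (IKE SA)
    2: {1, 2, 5, *range(14, 19), 22, 23, 24},  # phase 2 (IPsec SA / PFS group)
}

# Accepted by the service but not what a new deployment should pick.
WEAK_INTEGRITY = {"sha1"}
WEAK_DH_GROUPS = {1, 2, 5}  # 768-, 1024- and 1536-bit MODP


@dataclass(frozen=True)
class Proposal:
    encryption: str   # "aes128" or "aes256"
    integrity: str    # "sha1" or "sha256"
    dh_group: int     # IKE DH group number
    pfs: bool = True  # phase 2 only: is perfect forward secrecy enabled?


def check_proposal(phase: int, p: Proposal) -> list[str]:
    """Return findings for one phase; an empty list means the proposal is
    supported and uses none of the weak options."""
    tag = f"phase {phase}:"
    findings: list[str] = []
    if p.encryption not in SUPPORTED_ENCRYPTION:
        findings.append(f"{tag} encryption {p.encryption!r} not supported")
    if p.integrity not in SUPPORTED_INTEGRITY:
        findings.append(f"{tag} integrity {p.integrity!r} not supported")
    elif p.integrity in WEAK_INTEGRITY:
        findings.append(f"{tag} {p.integrity} accepted but weak; prefer sha256")
    if p.dh_group not in SUPPORTED_DH[phase]:
        findings.append(f"{tag} DH group {p.dh_group} not supported")
    elif p.dh_group in WEAK_DH_GROUPS:
        findings.append(f"{tag} DH group {p.dh_group} accepted but weak; "
                        "prefer a 2048-bit or larger group such as 14")
    if phase == 2 and not p.pfs:
        findings.append(f"{tag} perfect forward secrecy disabled")
    return findings


def check_vpn_config(phase1: Proposal, phase2: Proposal) -> list[str]:
    """Findings for a complete IKE phase 1 + phase 2 configuration."""
    return check_proposal(1, phase1) + check_proposal(2, phase2)


if __name__ == "__main__":
    # Constructed sample configs: a legacy one and its hardened equivalent.
    legacy = (Proposal("aes128", "sha1", 2), Proposal("aes128", "sha1", 2, pfs=False))
    hardened = (Proposal("aes256", "sha256", 14), Proposal("aes256", "sha256", 14))
    for name, cfg in (("legacy", legacy), ("hardened", hardened)):
        print(name, check_vpn_config(*cfg) or ["ok"])
```

The check separates "not supported" (the tunnel will not come up) from "accepted but weak" (it will come up, with parameters a reviewer would reject), because the page's lists contain both kinds; run it against the proposal you intend to configure on the customer gateway before negotiating the tunnel.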
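The client-side flows from the authentication, broker and streaming stages above (HTTPS on 443/tcp, PCoIP on 4172/tcp and 4172/udp), as an egress-policy check. This is an added example and not AWS code: the gateway addresses (documentation ranges 198.51.100.x and 203.0.113.x), the CIDR ranges, the Rule and Flow types and both sample policies are constructed for illustration, and real gateway addresses come from the AWS address and port requirements documentation, not from this code.

```python
"""Added example (not AWS code): check an outbound firewall policy for the
client-side flows described in the stages above: HTTPS (443/tcp) to the
authentication gateway and PCoIP (4172/tcp for session setup, 4172/udp for
the stream) to the streaming gateway.

Gateway addresses, CIDR ranges and both policies are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One outbound allow rule: protocol, destination CIDR, port range."""
    proto: str
    dst: str
    port_from: int
    port_to: int


@dataclass(frozen=True)
class Flow:
    """One required client-to-service flow."""
    name: str
    proto: str
    dst_ip: str
    port: int


# Hypothetical gateway addresses (documentation ranges, not AWS endpoints).
AUTH_GATEWAY = "198.51.100.10"
STREAMING_GATEWAY = "203.0.113.20"

REQUIRED_FLOWS = [
    Flow("registration, updates, authentication (HTTPS)", "tcp", AUTH_GATEWAY, 443),
    Flow("PCoIP session setup", "tcp", STREAMING_GATEWAY, 4172),
    # Return traffic arrives on UDP 4172; a stateful firewall admits the
    # reply once this outbound flow is allowed.
    Flow("PCoIP stream", "udp", STREAMING_GATEWAY, 4172),
]


def rule_allows(rule: Rule, flow: Flow) -> bool:
    """True when the rule's protocol, CIDR and port range cover the flow."""
    return (
        rule.proto == flow.proto
        and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
        and rule.port_from <= flow.port <= rule.port_to
    )


def missing_flows(policy: list[Rule]) -> list[str]:
    """Names of required flows that no rule in the policy permits."""
    return [f.name for f in REQUIRED_FLOWS
            if not any(rule_allows(r, f) for r in policy)]


# Constructed sample: a 'web only' egress policy that forgets PCoIP ...
WEB_ONLY_POLICY = [Rule("tcp", "0.0.0.0/0", 443, 443)]
# ... and the corrected policy with PCoIP to the streaming gateway range.
WORKSPACES_POLICY = WEB_ONLY_POLICY + [
    Rule("tcp", "203.0.113.0/24", 4172, 4172),
    Rule("udp", "203.0.113.0/24", 4172, 4172),
]

if __name__ == "__main__":
    for name, policy in (("web-only", WEB_ONLY_POLICY), ("workspaces", WORKSPACES_POLICY)):
        print(name, missing_flows(policy) or ["all required flows allowed"])
```

A web-only policy passes the authentication and broker stages (both are HTTPS) and then fails at the streaming stage, which is the failure mode this check is meant to surface before users report a client that logs in but never shows a desktop.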