Home » KBArticles

Cloud Hosting With Multiple Proxy Servers

Scenario

A customer had a requirement for Cloud Hosting With Multiple Proxy Servers and wanted to send some traffic direct to the internet (host or url whitelist), some hosts or urls to one proxy in their cloud hosting and some traffic via another proxy in another peered network in their cloud hosting.

Solution

Our solution in the end was simple but it does required endpoint configuration (the browsers needs to point to the pac file in order for this to work – this was configured via AD GPO for the AppStream instances in Amazon Web Services as the AppStream instances were domain joined.)

This is also supported on Windows and Mac Endpoints via the proxy autoconfiguration file.

This means we can whitelist traffic to the internet, we can send other url or hosts specific matches to various internal proxy servers and for all else we can return a proxy server that doesnt exist and if it points to 127.0.0.1 its a very quick ‘failure’ response.

The response message to the clients is not perfect (users receive ‘The Proxy Server is not responding’) but as a simple working solution this was considered tolerable.

Windows > Configure it in Internet Explorer

Internet Explorer pac file configuration
Internet Explorer pac file configuration

Mac > Configure it in Network Settings

Mac automatic proxy configuration
Mac automatic proxy configuration

PAC File Configuration

function FindProxyForURL(url, host) {

// If the hostname matches, send direct.
if (shExpMatch(host, "*.microsoft.com") ||
shExpMatch(host, "*.google.com"))
return "DIRECT";

// If the hostname matches, send direct.
if (shExpMatch(host, "*.myotherwebsite.com") ||
shExpMatch(host, "*.myotherwebsite2.com"))
return "PROXY internal.squid.proxy:3128";

// If the hostname matches, send direct.
if (shExpMatch(host, "*.myotherwebsite3.com") ||
shExpMatch(host, "*.myotherwebsite4.com"))
return "PROXY internal.squid.proxy2:3128";


// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
return "PROXY 127.0.0.1:8081";

}

Scripts for AWS S3 powershell Upload and Download of Folders and Subfolders

UPLOAD LOCAL FOLDER and SUBFILES to S3

#Load AWS Powershell Extensions
import-module "C:\Program Files (x86)\AWS Tools\PowerShell\AWSPowerShell\AWSPowerShell.psd1"

#Set AWS Creds to connect to S3. The S3 user should have a specific IAM policy to lock them down to this specific bucket only. See here for example s3 policy
Set-AWSCredentials -AccessKey <BUCKETUSERACCESSKEY> -SecretKey <SECRETKEY> -StoreAs default

#Upload AWS bucket folder using AWS Powershell Tools
#usage example write-s3object -BucketName <BUCKETNAME> -Folder <LOCALPath> -keyprefix <REMOTE> -recurse
write-s3object -BucketName mys3bucket -Folder d:\folder1\ -keyprefix folder1\ -recurse

#Remove AWS Credentials
Remove-AWSCredentialProfile -ProfileName default -Force

 

DOWNLOAD LOCAL FOLDER and SUBFILES to LOCAL

#Load AWS Powershell Extensions
import-module "C:\Program Files (x86)\AWS Tools\PowerShell\AWSPowerShell\AWSPowerShell.psd1"

#Set AWS Creds to connect to S3. The S3 user should have a specific IAM policy to lock them down to this specific bucket only. See here for example s3 policy
Set-AWSCredentials -AccessKey <BUCKETUSERACCESSKEY> -SecretKey <SECRETKEY> -StoreAs default

#Download AWS bucket folder called 'build' using AWS Powershell Tools
#read-s3object -BucketName <MYBUCKETNAME>  -Folder <LOCALPATH> -keyprefix <REMOTE>
read-s3object -BucketName <MYBUCKETNAME>  -Folder c:\Build\ -keyprefix Build

#Remove AWS Credentials
Remove-AWSCredentialProfile -ProfileName default -Force

 

 

AWS AppStream 2.0 Whats New?

AWS AppStream 2.0 Whats New for June 2018?

AWS have updated AppStream 2.0 to introduce some fantastic new features in the May & June 2018 releases.

Google Drive support has been added (selectable at fleet creation). It only supports G-suite enterprise and must be enabled in G-Suite to function, but it also has support for multiple G-Suite domains.

This means clients can avoid the clumsy upload and download of files from the local device to the remote and simply log into Google Drive and have immediate access to their files within the AppStream session.

Screenshot of google drive integration for AWS AppStream 2.0
Google Drive integration for AWS AppStream 2.0

 

 

 

Google Drive integration within AppStream 2.0 session
Google Drive integration within AppStream 2.0 session

Here is a screenshot of the Windows Explorer integration and conveniently shows my free space as approx 8000 Petabytes! Good to know!

Google Drive AppStream 2.0 Windows Explorer integration
Google Drive AppStream 2.0 Windows Explorer integration

Support for Administrative controls have also been added (again selectable at fleet creation). Giving the administrator greater control and flexibility in the solution they deploy to the users for things like local device copy and paste, file upload or download (or upload only or download only or disabled) and local print options.

control clipboard, file transfer and print options for AWS AppStream 2.0
Selective administrative controls for AWS AppStream 2.0

Happy Clouding!

AWS Workspaces Error – This OS/platform is not authorized to access your Workspace

Situation

Recently a customer received the following message ‘this OS/platform is not authorized to access your Workspace’ when connecting to newly built AWS Workspace instance whilst attempting to connect via ‘Web Access’ https://clients.amazonworkspaces.com/

This OS/platform is not authorized to access your Workspace
If the problem persists please contact your Workspaces Administrator.
ERR_DEVICE_ACCESS_DENIED

Solution

Web Access needs to be explicitly enabled. As these were relatively new workspaces (May 2018) the workspaces also didn’t have to be rebuilt to allow web connectivity contrary to the AWS documentation.

 

Open the AWS Console

Select Workspaces

Expand Directories

Select your Directory and click Actions then Update Details

Expand the 4th Section Access Control Options

Tick Web Access

Scroll to the bottom of the update details page and click Update and Exit

 

 

 

AWS AppStream 2.0 Image Builder X Drive not being created

Problem

This month on creation of a new image builder in AWS AppStream we noticed that the AWS AppStream 2.0 Image Builder X Drive was not being created.

The X drive is the temporary drive for uploading and downloading files to and from the AppStream instance, and usually where we house deployment scripts, build scripts, GPOS and installation files.

Solution

As of AppStream Image builder version Base-Image-Builder-05-02-2018 this is by design.

You should update any scripts or pointers

from “X:\Temporary Files” drive

to “C:\Users\ImageBuilderAdmin\My Files\Temporary Files”

#aws #appstream2.0

 

How to find an AWS AppStream 2.0 users homedrive path

Scenario

AWS AppStream 2.0 generates a SHA-256 hash of the users NameID for their Home Drive – when using SAML (aka Federated) authentication. This can potentially make it difficult to find the users home share if browsing from AWS S3 or for support teams when supporting users or uploading documents to the users ‘home drive’.

Example

In this document is an example of a federated users home drive autocreated in S3 after the user has accessed AppStream 2.0 for the first time.

This script will simply create a function in Windows powershell and allow you to generate the SHA256 hash based on the NameID and so you can discover the users homepath.

Function Get-StringHash([String] $String,$HashName = "MD5")
{
$StringBuilder = New-Object System.Text.StringBuilder
[System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{
[Void]$StringBuilder.Append($_.ToString("x2"))
}
$StringBuilder.ToString()
}

$myvar = Read-Host –Prompt 'Enter string to hash'
Get-StringHash $myvar "SHA256"

Result

As we know the users NameID being passed into the AppStream session (in this instance its actually my email address)

AWS IAM CERTIFICATE_VERIFY_FAILED

Situation

When attempting to call AWS CLI commands we were receiving a CERTIFICATE_VERIFY_FAILED error message. We were using a proxy service. In this specific instance we were connecting to AWS IAM via zScaler Internet Access (ZIA)

Example

we were running a simple

aws iam get-role --role-name vmimport

 

Workaround

include–no-verifyssl to by pass the ssl verification

aws iam get-role --role-name vmimport --no-verify-ssl

Solution

Drop or whitelist the iam.amazonaws.com from SSL inspection on the proxy server

Create a NetScaler Gateway Preauthentication Policy

Step Description Screenshot
1 Expand >NetScaler Gateway > Policies > Preauthentication
2 Click Add
3 Name the policy something like PreAuthPol_Notepad-is-running

Click the + next to Request Action

Note: you can call it whatever you want, I like to keep a standard format when creating policies and profiles so they are distinguishable in the various screens and in the ns.conf file as well

 4 Click Create
5 Click Expression Editor

Select Expression Type of: Client Security

Component: Process

Name*: notepad.exe

Operator: EXISTS

Then click Done

 6 Note the expression is automatically created for you now as CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS

CLIENT.APPLICATION.PROCESS(notepad.exe) EXISTS

 7 Click Create
 8 Bind the new policy globally

Select NetScaler Gateway > NetScaler Gateway Policy Manager

 9 Click the + on AAA Global
 10 Click Add Binding
11 Click in the Click to Select
12 Select the only PreAuthPolicy available

Click Select

 13 Click Bind
 14 Click Done
15 Click Done
16 Browse to the gateway and check that before you type in any authentication credentials that the EPA scan is invoked

Click Yes

 17 EPA Scan with notepad not running
18 EPA Scan with notepad Running

Your users can now authenticate

 19 Authenticate against the NetScaler page again and then confirm you can access all NetScaler resources

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud

Sign-up to the Mastersof.cloud mailing list below to receive a free 200 page Citrix NetScaler Introduction guide!

Deploy the OVA File to Hypervisor – VMWare ESXi 6

In this section we are going to deploy the downloaded NetScaler firmware onto our hypervisor (VMWare).

Step Description Screenshot
Connect and authenticate to your VMWare ESX web console

Note: In this example we are connecting to VMWare ESXi 6.0 with a private IP of 192.168.1.1. The default URL is http://192.168.1.1/ui

Click Virtual Machines

Click Create / Register VM

Select Deploy a virtual machine from an OVF or OVA File

Click the section labelled ‘Click to select files or drag/drop’

Select both the OVF and the VMDK files from the firmware file downloaded from citrix, then click Next
Select an appropriate storage location for your hypervisor to deploy the NetScaler VM
Choose the network mappings and disk provisioning best for you

Note: Disk provisioning is set to thin in this example only to save on local hypervisor disk space.

Click Finish on summary page
Click on the VM in the VMWare list
Authenticate to the VMWare console prompt with your VMware username and password
Click on the Console button to get access to the VM console
Success!

The NetScaler has booted and is operational

If you want to learn more about Citrix NetScaler check out our online NetScaler course at www.mastersof.cloud