This was originally written as a Word document for colleagues in other countries, so it was in English from the start and I never planned to translate it into Chinese. A side complaint: I searched online for a long time and never found anything explaining how to set up RD Gateway on a single machine. The purpose of this post is to show my colleagues how to build a jump box for remote login, and hopefully it helps anyone else who needs it.

In our AWS VPC, all servers are isolated from the outside and direct external access is not allowed, so to remote into a server inside the VPC you have to go through a jump server. In a Windows environment this is done with RD Gateway over SSL. I have tested it and it works.

Out of laziness I did not want to re-edit it in the blog, so the screenshots from the original document could not be inserted here, and the step numbering within each task below got a bit mixed up. If you want to follow along, just go through it in order; the steps are performed one by one and the text descriptions should be clear enough. If anything is unclear, leave a comment and ask me.

Create jump box

Request a server from AWS

  1. Select an AMI; here we select Windows Server 2012 R2 Base
  2. Select t2.small as the instance type
  3. In the ‘Configure Instance’ step, set the following:

Network: the VPC you just created

Subnet: select the public subnet

Auto-Assign Public IP: Enable

Others by default.

  4. The default 30G size is fine in the ‘Add Storage’ step
  5. In the ‘Add Tags’ step, specify the name: Group(your number)-JumperBox
  6. In the ‘Configure Security Group’ step, create a new security group and allow ports 3389 and 443 from everyone (in a real deployment, 3389 should only be open to the administrators’ IP addresses)
  7. When you click the ‘Launch’ button, it will ask you to select a key pair; create a new one here, and use the same key pair file for the subsequent EC2 requests.
  8. Go back to the Instances page, find the EC2 server you just created and note its IP, then prepare to remote to this server (note that you have to switch to a non-Merck network to remote to this server)
  9. Click this server and use the Actions menu to get the server’s password; you need to upload the key pair file to retrieve it
  10. On your computer, go to Start -> Run and enter ‘mstsc /f’. Enter the username and password, then log in to the server.
  11. Copy the certificate generation tool from the shared folder to a location of your choice.
  12. Open a cmd window and change into the tool folder:
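The security group step above opens 3389 to everyone for the lab and notes that in a real deployment it should be limited to the administrators’ IPs. The following Python is an added example, not code from the original post: it checks a security group’s inbound rules (constructed here in the shape boto3’s describe_security_groups() returns under IpPermissions) for RDP exposure and produces the corrected rule set; ADMIN_CIDRS is an assumed placeholder range.

```python
import ipaddress

# Assumed administrators' source range (RFC 5737 TEST-NET-3, a placeholder).
ADMIN_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample in the shape of boto3 describe_security_groups()
# 'IpPermissions': the lab state from the post, 443 and 3389 open to everyone.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

def rule_covers_port(rule, port):
    """True if the rule admits TCP traffic to port ('-1' means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def find_rdp_exposure(rules, admin_cidrs=ADMIN_CIDRS):
    """Return source CIDRs (v4 or v6) that reach TCP/3389 from outside the admin ranges."""
    offending = []
    for rule in rules:
        if not rule_covers_port(rule, 3389):
            continue
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr, strict=False)
            # 0.0.0.0/0, ::/0 or any block not fully inside an admin range is reported.
            if not any(net.version == a.version and net.subnet_of(a) for a in admin_cidrs):
                offending.append(cidr)
    return offending

def restrict_rdp(rules, admin_cidrs=ADMIN_CIDRS):
    """Copy of rules with each TCP/3389-only rule re-sourced to the admin ranges; 443 stays open."""
    fixed = []
    for rule in rules:
        only_rdp = (rule.get("IpProtocol") == "tcp"
                    and rule.get("FromPort") == 3389 and rule.get("ToPort") == 3389)
        if only_rdp:
            fixed.append({**rule, "Ipv6Ranges": [],
                          "IpRanges": [{"CidrIp": str(a)} for a in admin_cidrs]})
        else:
            # Left as-is: 443, or an all-traffic '-1' rule that needs a human decision.
            fixed.append(rule)
    return fixed
```

Run find_rdp_exposure() over the real IpPermissions of the jump box's group before and after applying the restricted rules; an empty list means only the admin ranges can reach 3389.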

Create the certificate

  1. Create a self-signed root cert (issuer):

makecert -n "CN=yourpublicip" -r -eku 1.3.6.1.5.5.7.3.1 -sv yourpublicip.pvk yourpublicip.cer

Enter a password; for testing purposes you can just enter 1

  2. Convert the .pvk file to a .pfx file: run the two commands below one by one, and enter password 1 in the second command.

cert2spc yourpublicip.cer yourpublicip.spc

pvk2pfx -pvk yourpublicip.pvk -spc yourpublicip.spc -pfx yourpublicip.pfx

Now the .pfx file is created.

  3. So far we have one .cer file and one .pfx file; we will use both files later
  4. Click Server Manager -> on the Dashboard -> Add roles and features
  5. Select Role-based or feature-based installation

Install the Remote Desktop Services

  1. Select the current server
  2. In Server Roles, select Remote Desktop Services
  3. In Role Services, select Remote Desktop Gateway; a window will prompt you to add the related features, add all of them.
  4. In Network Policy and Access Services, select Network Policy Server
  5. In Web Server Role (IIS), in addition to the default selection, add one more: ASP.NET 4.5.
  6. Click Install and wait for it to complete.
  7. If the installation succeeded, you will see the components as in the screenshot below
  8. In Administrative Tools, open Internet Information Services (IIS) Manager.
  9. Click the computer name node:
  10. Locate Server Certificates in the right pane under the IIS section and double-click it

Configure the RD Gateway over SSL

  1. In the Actions pane, click the Import… link; it will ask you to provide the .pfx file
  2. Browse to the .pfx file you saved in the last step. The password should be empty; click OK
  3. Locate the Default Web Site node
  4. In the right pane, click the Bindings… link
  5. Add port 443 and select the cert you just uploaded, then click OK.
  6. Go back to Administrative Tools and click Remote Desktop Gateway Manager
  7. Under Policies, select Connection Authorization Policies, then Create New Policy
  8. Use the wizard
  9. Enter the name
  10. Add who can connect to this RD Gateway; here we allow all users in the builtin\users group
  11. Keep the defaults in the Device Redirection section
  12. Session timeout: enable session timeout
  13. Click Next until finished.
  14. Following the same steps, create another policy (policy 2) that allows users in the Administrators group to connect to the RD Gateway
  15. Now you have created two policies as below:
  16. Let’s start creating the RAP now
  17. Add the Users group
  18. Allow users to connect to any network resource (computer)
  19. Allow connections only to port 3389
  20. Click Finish, and in the same way create another RAP policy for Administrators; you will then see the screenshot below
  21. We are almost done; finally we need to configure SSL for the RD Gateway: locate the computer node, right-click and select Properties
  22. Click the SSL Certificate tab and select Import a certificate…
  23. Browse to and import the certificate you saved in the earlier step.
  24. Leave the password empty and click OK to show the alert below.
  25. Uncheck the UDP Transport Settings in the Transport Settings tab
  26. Click Apply and close this window
  27. Restart the RD Gateway service.

Create a user in server

  1. Create a user
  2. Set the password to never expire
  3. Make sure this user is only in the Users group.

Install certificate on your personal computer

  1. Copy the .cer file from the server to your laptop
  2. Double-click the cert
  3. Click the Install Certificate… button
  4. Choose ‘Trusted Root Certification Authorities’ as the certificate store.
  5. Click Next; when you click Finish, an alert window will appear, click Yes
  6. To verify the cert, open IE and go to https://yourpublicip; if there is no warning page, everything is set up correctly.

Start remote desktop connection from your computer

  1. In the Advanced tab, click Settings…
  2. Select ‘Use these RD Gateway server settings’
  3. Enter the server IP
  4. Check the Bypass RD Gateway….
  5. Uncheck ‘Use my RD Gateway…’
  6. Save the file and click to connect
  7. It will first ask you for the RD Gateway user name and password; if that passes, it will then ask you for the target server credentials.
