Using AWS Simple AD with Clearlogin 2

Overview
This guide will walk you through the process of creating an AWS Directory Service Simple AD server for use with Clearlogin. Simple AD is an easy way to stand up a managed, cloud hosted Microsoft Active Directory compatible server. It takes away the burden of server and backup management so you can focus on more important things.

Note that this guide assumes you are working with a blank AWS account. If you already have Simple AD running, you can skip to the IP Tables section, provided you have your VPC configured with a NAT instance.

Why use Simple AD and Clearlogin?
We recommend Simple AD when our customers want to be able to leverage the additional LDAP compatibility and features that Clearlogin Directory may not provide.

Simple AD provides you with all the features of Active Directory (password policies, user management, group policies, and more) without the headache of handling backups, maintaining security patches, or worrying about downtime.

Simple AD is traditionally used for internal AWS applications, but this guide will show you how to provide access to your Simple AD server in a secure fashion without the hassle of setting up a VPN. Not only does this give you a cost-effective way to use Active Directory with Clearlogin, it does the same for any other application you may want to connect to it.

Caveats
There are two major caveats when using Simple AD. One is that despite the name, getting the server configured and managed is not as simple as you might want it to be. If you follow this guide, however, you should have no issues.

The other caveat is that Simple AD only supports internal, unencrypted traffic over port 389. This is a specific limitation of Amazon’s offering. This guide will show you how to implement a secure infrastructure using an Elastic Load Balancer to allow for external, firewalled, Simple TLS connections.

If this is all too complicated, please contact sales@clearlogin.com to learn more about our VPN and VPC Peering offerings.

Getting Started in AWS
The first thing you will need to do before creating your Simple AD server is to satisfy a few prerequisite conditions. You must have a VPC with at least two private subnets in different availability zones. Your VPC also requires an Amazon NAT instance in a public subnet.

Create a Key Pair
If you don’t already have one, you will need to create a Key Pair for SSH access to your instances.

From the main AWS Admin Console, select EC2 under Compute.



Then, from the left menu select Key Pairs under NETWORK & SECURITY.
Click the blue Create Key Pair button.
Give your key a name and click Create.



Your browser will automatically download the key. You cannot download it again so do not lose it.

Creating the VPC
From the main AWS Admin Console, select VPC under Networking.



Then, from the VPC Dashboard click the Start VPC Wizard button.



Configure your VPC to your needs. The following is an example configuration for a relatively small address pool. (You will need to select Use a NAT instance instead.​)



Once you have your VPC configured, click Create VPC.
Once your VPC has been created, you will need to create an additional subnet.
Select Subnets from the left menu and then click Create Subnet.



Configure your subnet, being sure to select a different availability zone from your first private subnet, and click Yes, Create.

The subnet should be created with the default route table, which is the private route table.

Create Simple AD
Next you will want to create your Simple AD server.
From the main Admin Console select Directory Service under Security & Identity.



Choose Set up directory or Get Started Now.
Choose Create Simple AD.
Configure your server to your needs and use the following as an example. Be sure to select your VPC and two private subnets.



The Administrator password is very important and will be necessary later.
Once you have the configuration complete, click Next Step, then Create Simple AD, and then Done. Simple AD takes upwards of 10 minutes to provision completely.

Once it has been fully provisioned (you may need to click the refresh button in the upper right) click the Directory ID to get more information about the directory.



On this screen you will want to note the values for DNS Address.



In this case we have 10.0.0.30 and 10.0.0.53. You will need this information later.

Create Security Groups
Next you will want to create a security group to allow SSH access to your NAT instance and LDAPS access to your ELB.
From the VPC Dashboard, select Security Groups on the left.
Then click Create Security Group and be sure to select your VPC.



Click Yes, Create to create the security group.

You will then want to select the security group you just created from the list.
In the lower panel select the Inbound Rules tab and then click Edit.



You will want to add a rule allowing SSH from your local IP address (sources must be in CIDR format).

After adding this rule click Save.

Next you will want to attach this security group to your NAT instance.
From the EC2 Management Console select Instances on the left.
Find your NAT instance and right click it.
Select Networking then Change Security Groups.



Check the box next to the new security group you created.
Be sure to leave the default security group checked as well.



Finally, click Assign Security Groups to save your changes.

Now we are going to add the security group for the ELB we will need to create.
From the VPC Dashboard, select Security Groups on the left.
Then click Create Security Group and be sure to select your VPC.



You will then want to select the security group you just created from the list.
In the lower panel select the Inbound Rules tab and then click Edit.

You are going to want to add Custom TCP Rules for port 636.



You will need one rule for each of Clearlogin’s IP addresses. You can find the most up-to-date list of Clearlogin IPs at the following link.

https://clearlogin.zendesk.com/hc/en-us/articles/202568803-Firewall-Requirements

Click Save after creating the rules.

Configure IP Tables
Next you will need to SSH to your NAT instance to configure additional rules to handle routing traffic to your Simple AD server. Please refer to the following guide from Amazon for the specifics of connecting to EC2 instances via SSH.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

You will need to know the IP address of your NAT instance as well as have the key you created earlier. You can get the IP address by viewing your EC2 instances and finding your NAT instance. You want the Public IP value. You will also need the Private IPs value.

From your terminal execute (substituting your NAT instance's public IP):
ssh -i ~/.ssh/SimpleADNAT.pem ec2-user@<NAT Instance Public IP>

Once logged in, execute the following commands to add the port routing we need for Simple AD. The PREROUTING rule rewrites the destination so connections the ELB sends to the NAT instance on port 389 are forwarded to Simple AD; the POSTROUTING rule rewrites the source so Simple AD's replies return through the NAT instance rather than going straight back to the ELB from an address it never connected to.

sudo iptables -t nat -A PREROUTING -i eth0 --dst <NAT Instance Private IP> -p tcp --dport 389 -j DNAT --to-destination <Simple AD IP>:389

sudo iptables -t nat -A POSTROUTING -p tcp --dst <Simple AD IP> --dport 389 -j SNAT --to-source <NAT Instance Private IP>

In this specific example the commands are:
sudo iptables -t nat -A PREROUTING -i eth0 --dst 10.0.0.9 -p tcp --dport 389 -j DNAT --to-destination 10.0.0.30:389

sudo iptables -t nat -A POSTROUTING -p tcp --dst 10.0.0.30 --dport 389 -j SNAT --to-source 10.0.0.9

You can then run sudo iptables -t nat -L to see that the new rules were added.
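Because the commands above use -A, running them a second time appends duplicate rules, and nothing added this way survives a reboot. The script below is an added example, not from the Clearlogin article or Amazon's NAT AMI: it validates both addresses before they reach the iptables command line, adds each rule only if an identical one is not already present, and defaults to the addresses used on this page (NAT private IP 10.0.0.9, Simple AD 10.0.0.30). Saving the rules persistently is assumed to be handled by your distribution's mechanism (for example `service iptables save` on Amazon Linux).

```shell
#!/bin/sh
# Added example (not from the article): idempotent NAT rules for Simple AD.
# Defaults are the addresses used on this page; override via the environment.
NAT_PRIVATE_IP=${NAT_PRIVATE_IP:-10.0.0.9}
SIMPLE_AD_IP=${SIMPLE_AD_IP:-10.0.0.30}

# Accept only a dotted-quad IPv4 address, so nothing else can be spliced
# into the iptables command line.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Rule specifications without the chain action, so the same text works for
# both -C (check whether present) and -A (append).
# DNAT: traffic the ELB sends to the NAT instance on 389 goes on to Simple AD.
prerouting_spec() {   # $1 = NAT private IP, $2 = Simple AD IP
    printf 'PREROUTING -i eth0 --dst %s -p tcp --dport 389 -j DNAT --to-destination %s:389' "$1" "$2"
}
# SNAT: replies from Simple AD come back through the NAT instance instead of
# going straight to the ELB from an address the ELB never connected to.
postrouting_spec() {  # $1 = NAT private IP, $2 = Simple AD IP
    printf 'POSTROUTING -p tcp --dst %s --dport 389 -j SNAT --to-source %s' "$2" "$1"
}

# Append a nat-table rule only if an identical one is not already present.
ensure_nat_rule() {
    # shellcheck disable=SC2086  # splitting the spec into words is intended
    sudo iptables -t nat -C $1 2>/dev/null || sudo iptables -t nat -A $1
}

apply_simple_ad_nat() {  # $1 = NAT private IP, $2 = Simple AD IP
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "invalid IP address" >&2; return 2; }
    ensure_nat_rule "$(prerouting_spec "$1" "$2")"
    ensure_nat_rule "$(postrouting_spec "$1" "$2")"
    # Rules added this way are lost on reboot; persist them with your
    # distribution's mechanism (assumed: 'sudo service iptables save').
    sudo iptables -t nat -L -n --line-numbers
}

# Only touch iptables when run explicitly with the 'apply' argument.
if [ "${1:-}" = apply ]; then
    apply_simple_ad_nat "$NAT_PRIVATE_IP" "$SIMPLE_AD_IP"
fi
```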


Create the ELB
Now you will need to create an Elastic Load Balancer to handle incoming SSL connections that will then be routed internally to your NAT instance.

You will first need to create a self signed SSL certificate. You can do this by following the instructions here.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html#create-certificate

The basics are that you will want to run the following commands from your terminal:
openssl genrsa -out my-private-key.pem 2048
openssl req -sha256 -new -key my-private-key.pem -out csr.pem
openssl x509 -req -days 365 -in csr.pem -signkey my-private-key.pem -out my-certificate.pem

Now we can create the ELB.
From the main admin console, select EC2​ under Compute.



Select Load Balancers on the left under Load Balancing.
Click Create Load Balancer.
Name your load balancer and be sure to select your VPC.
You will want to change the Load Balancer Protocol to SSL, and change the port to 636. The Instance Protocol should then be TCP and port 389.
Select your public subnet as the availability zone.



Click Next: Assign Security Groups.

Choose Select an existing security group and check your default VPC security group as well as the new one you created for the ELB.



Click Configure Security Settings.
Under Certificate Type choose Upload a new SSL certificate.
Name your cert and paste the text contents of my-private-key.pem in the Private Key field and the contents of my-certificate.pem in the Public Key Certificate field.



Click Next.



Configure your health check to ping port 389 and click Next.
Select your NAT instance and click Next and then Review and Create, then finally Create.

After your ELB is created it may take a few minutes for your instance to register and become healthy.
You will then want to select your ELB and get the DNS name from the description tab. You will need this information when configuring Clearlogin.



And that’s it for the preliminary AWS side of things.

Note that we only routed traffic for one Simple AD IP address. If you would like to route traffic to both, you may create a second public subnet and NAT instance to handle the second, redundant Simple AD server. It would also be possible to route the traffic using the same NAT instance using a different external port than 389.

Configuring Clearlogin
Next you will need to configure your Simple AD server as an Identity Source in Clearlogin.
Log into your Clearlogin Admin Console and select Identity Sources, then Add New from the left menu.



Select AWS Directory.



Configure your AWS Directory Identity Source’s name, user domain, and other settings as you see fit. Use the configuration below for specific settings when using Simple AD. In this example we are going to bind with the Administrator account that was created when creating the Simple AD instance.

Your Hostname should be the DNS Name value of the ELB you created.
Your Search Filter should be (samAccountName={username})
Your Search Base should be CN=Users,DC=corp,DC=clearlogin-demo,DC=com
Your Bind DN should be cn=Administrator,CN=Users,DC=corp,DC=clearlogin-demo,DC=com
The Bind password is the Administrator password you created earlier when creating the Simple AD server.
Port is 636 and Encryption Type is Simple TLS.

Remember to change the DC components of the Search Base and Bind DN to the domain you used when creating the Simple AD server.
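The DN values follow directly from the domain name you gave the Simple AD server. The script below is an added example, not part of the Clearlogin article or product: it builds the Search Base and Bind DN from the domain, escapes the username before it is substituted into the search filter, and runs the same lookup through the ELB with OpenLDAP's ldapsearch so the whole path (ELB, NAT instance, Simple AD) can be checked before you rely on Clearlogin's Test Connection. It assumes the domain corp.clearlogin-demo.com implied by the DNs above, that ldapsearch is installed, and that my-certificate.pem from the ELB step is in the current directory.

```shell
#!/bin/sh
# Added example (not from the article): derive LDAP DNs from the Simple AD
# domain and test the ELB's LDAPS endpoint the way Clearlogin will use it.
# Assumes: OpenLDAP client tools (ldapsearch) and my-certificate.pem present.

# corp.clearlogin-demo.com -> DC=corp,DC=clearlogin-demo,DC=com
domain_to_dn() {
    printf '%s' "$1" | sed 's/\./,DC=/g; s/^/DC=/'
}

# Simple AD places its accounts under the Users container.
search_base() {  # $1 = domain
    printf 'CN=Users,%s' "$(domain_to_dn "$1")"
}

bind_dn() {      # $1 = domain, $2 = account name
    printf 'cn=%s,%s' "$2" "$(search_base "$1")"
}

# Escape an LDAP filter value (RFC 4515) so a username containing
# \ * ( or ) cannot change the meaning of (sAMAccountName=...).
# Backslash is handled first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Perform the lookup Clearlogin performs, over LDAPS on port 636, trusting
# only the self-signed certificate uploaded to the ELB. The CN entered when
# the CSR was generated must match the ELB hostname or the TLS check fails.
test_elb_ldaps() {  # $1 = ELB DNS name, $2 = domain, $3 = username, $4 = bind password
    LDAPTLS_CACERT=my-certificate.pem ldapsearch -LLL \
        -H "ldaps://$1:636" \
        -D "$(bind_dn "$2" Administrator)" -w "$4" \
        -b "$(search_base "$2")" \
        "(sAMAccountName=$(ldap_filter_escape "$3"))" sAMAccountName
}

# Usage: sh this.sh <elb-dns-name> <domain> <username> <bind-password>
if [ "$#" -eq 4 ]; then
    test_elb_ldaps "$1" "$2" "$3" "$4"
fi
```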



Once you have finished filling out the fields, click Save Identity Source.

After the identity source has been saved, click Edit.

Scroll to the bottom of the edit page to find the Connection Test. Enter the Bind Password, Administrator for the Username and the same password again (as it is the same account) for the Password. Click Test Connection and you should see a successful result.



Now you can check Enabled and save your Identity Source.
End users can now start using your Simple AD server for authentication into Clearlogin.

Note that Clearlogin does not provide management of your Simple AD server’s directory contents at this time. If you would like to add, remove, or otherwise administer your Simple AD server, please refer to the Managing Simple AD section in this guide.

Managing Simple AD
While there are a number of options to manage the users in your Simple AD, the best, most compatible, and most fully featured approach is with Windows Server 2008.

Joining the Domain
Amazon has made it relatively easy to join a Simple AD domain. You can do this by launching a new Windows Server 2008 R2 instance and selecting the Simple AD server you created as the domain to join with. More information about the launch and join process can be found here:

https://aws.amazon.com/blogs/aws/seamlessly-join-ec2-instances-to-a-domain/

We have found that you will want to pay specific attention to the SSM IAM policy for the instance. Insufficient permissions are a common failure point when the instance attempts to join the domain.

Installing Additional Software
After creating the instance you will need to remote desktop into it and install additional software to manage Active Directory. More information about that can be found here:

http://docs.aws.amazon.com/directoryservice/latest/admin-guide/install_ad_tools.html#install_ad_tools_win2008

Note that the installation process does require a reboot.

Managing Users
Once the server has rebooted, you will want to remote desktop into it using the Simple AD server Admin credentials. Be sure to set the domain value in your remote desktop software. From here adding users is as simple as using the Active Directory Users and Computers application.

Note that the Active Directory Administrative Center, or any other Active Directory application that requires ADWS, does not work with Simple AD.
