
WorkSpaces Manager Installation Guide

This guide is constantly updated. For the most recent administration guide, including visual walkthroughs, we recommend downloading the latest guide for your version and viewing it in Adobe Acrobat.

Please be aware that Nuvens are able to offer a 30 day free trial including installation. Please contact us at sales@nuvens.co.uk to request more information. 

Amazon AWS WorkSpaces Installation
WorkSpaces Manager Version 4.4 – Updated 2nd June 2021

WorkSpaces Manager Version 4.3

WorkSpaces Manager Version 4.2

WorkSpaces Manager Version 3.0

WorkSpaces Manager Version 2.0

User Guide

Please refer to the PDFs above for the absolute latest revisions.

Updated 8th February 2021 for WorkSpaces Manager 4.1.0

WorkSpaces Manager provides a full Amazon WorkSpaces management portal.

Product highlights:

  • WorkSpaces Environment Management with optional application self-service feature for domain group-based application deployment.
  • Task driven User & WorkSpaces provisioning.
  • Performance monitoring
  • Multi-AWS Account
  • Multi-Domain
  • Automatic reboot schedule defined on a per WorkSpaces basis.
  • Cost reporting and Cost Optimisation.
  • WorkSpaces Performance Monitor Agent to report on Processor, Memory and Disk statistics

WorkSpaces Manager contains both a user self-service portal and an administration portal for WorkSpaces in a simple-to-use browser-based interface. This removes the need to provide staff with access to the AWS console and provides easy searching across all WorkSpaces and User information.

The WorkSpaces Performance Monitor Agent can be deployed by domain GPO to gather hourly metrics on Processor and Memory utilisation and available disk space for root and user drives, as well as logon\logoff\inactivity\disconnect times. See Section 6 for instructions.

The User portal can be extended to provide application self-service if the environment provides a group-based application deployment service such as Cloudpaging, Liquidware FlexApp, SCCM or similar products.

WorkSpaces Manager is deployed as an appliance from the AWS Marketplace as an EC2 instance.

Version:              4.1.0

By:                   Nuvens Consulting Limited

Categories:           Application Development, Infrastructure as Code

Operating System:     Windows, Windows Server 2016

Delivery Method:      AWS Marketplace \ Amazon Machine Image

Revision History

Revision Date    Version    Changes

13/01/2021       1.0        Initial Document

22/01/2020       1.1        Minor wording changes. Added HA and single deployment diagrams in Section 7.

08/02/2021       1.2        Amended supported browsers

Contents

Revision History

1.    Introduction

2.    Software requirements

2.1         WorkSpaces Portal requirements

2.2         WorkSpaces Performance Monitor Agent requirements

2.3         Additional requirements

3.    Prerequisites for the WorkSpaces Manager appliance installation

3.1         AWS WorkSpaces Cost Optimizer

3.2         Active Directory Service Account

4.    Obtain a license for the WorkSpaces Manager appliance

5.    Installing the WorkSpaces Management appliance from AWS Marketplace

5.1         Join your WorkSpaces Manager instance to your Active Directory Domain

5.2         First Time Setup

5.2.1     Licenses

5.2.2     SMTP

5.2.3     Remote Service Account

5.2.4     Auto Change Compute Type

5.2.5     Active Directory (Single\Multiple Domain Forest)

5.2.6     Amazon Web Services

5.2.7     Additional Options

5.2.8     Applications

6.    Installing the WorkSpaces Performance Monitor Agent

7.    High Availability

7.1         Database

7.2         User/Admin Portal

8.    Securing the Portal and adding a friendly portal address

8.1         Portal address

8.2         SSL Certificate

1.    Introduction

This guide has been authored by experts at Nuvens to provide information and guidance concerning the installation and configuration of WorkSpaces Manager. 

Information in this document is subject to change without notice. No part of this publication may be reproduced in whole or in part, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any external use by any person or entity without the express prior written consent of Nuvens Consulting Ltd.

2.    Software requirements

WorkSpaces Manager is available as a standalone product and consists of three parts: The Management Portal, the Update Service, and the WorkSpaces Performance Monitor Agent.  The WorkSpaces Management Portal provides one central location where users can manage their own WorkSpace and administrators can provision, manage & monitor the WorkSpaces environment.

To deploy as an HA cluster, please refer to Section 7 (High Availability) or contact support@nuvens.co.uk for assistance.

2.1     WorkSpaces Portal requirements

Component:                              Requirements

Platforms Support:                      Windows Server 2008 R2/2012/2012 R2/2016/2019. Only 64-bit versions where applicable are supported. Both physical and virtual instances are also supported.

Additional Software:

  • Microsoft® .NET Framework 4.6.2 or higher
  • Microsoft SQL Server Express or higher

All additional software is included with the WorkSpaces Manager installer.

Browsers Supported (minimum version):   Chrome 22.x, Firefox 12.x, Opera 12.x, Safari 5.1x, Microsoft Edge 88.x

CPU:                                    2 CPUs 1 gigahertz (GHz) or faster

Memory:                                 4 GB RAM

Storage:                                20Gb of additional storage is provisioned with the Appliance

If the WorkSpaces Manager Portal is being used to provision user accounts in AD, a service account will be required with delegated access to the OUs that accounts will be created in.

2.2     WorkSpaces Performance Monitor Agent requirements

The WorkSpaces Performance Monitor Agent requires .NET 4.6.2 or higher pre-installed on the WorkSpaces themselves. If it is not installed, the agent will prompt for the installation. The installation is covered in Section 6.

2.3     Additional requirements

WorkSpaces Manager requires Active Directory to deploy its client files to the desktop and point the user to its configuration file. Users also must use Active Directory to login to their physical or virtual desktops.

 

3.    Prerequisites for the WorkSpaces Manager appliance installation

3.1     AWS WorkSpaces Cost Optimizer

Whilst this is not a mandatory requirement, we recommend that this is applied and initially run in ‘Dry Run’ mode.

This AWS service auto-switches WorkSpaces between Hourly and Monthly Cost modes on a monthly basis to ensure the WorkSpaces costs are optimised. ‘Dry Run’ mode means that recommendations will be shown in the WorkSpaces Manager Portal, but the recommended changes will not be applied. ‘Dry Run’ mode can be turned off later in the WorkSpaces Manager portal so that the recommended changes are applied.

Please refer to the link below for more details and deployment instructions.

Please ensure that you are in the correct region before deployment.

https://aws.amazon.com/solutions/amazon-workspaces-cost-optimizer/

After deploying the WorkSpaces cost optimiser please make a note of the S3 Bucket ARN created.

3.2     Active Directory Service Account

When creating the AD Service Account to support AWS WorkSpaces you will have already provided an account with permissions to create computer objects within AD to the OU specified at the time.

We recommend using the same service account and providing additional permissions to delete computer objects.  Through the Management Portal when a WorkSpace is terminated the system will then be able to remove the orphaned computer object.

The AD service account is also used to create user accounts and add/remove users from AD groups if the application management option is used.

Using Active Directory Users and Computers, you can delegate the administration of an Organizational Unit to a user or group that may not otherwise have administration permissions.

To do this, follow these steps:

  1. On your domain controller, click Start and point to Administrative Tools.
  2. Click on Active Directory Users and Computers.
  3. In Active Directory Users & Computers, select the OU to delegate administration.
  4. Right click the OU and click on Delegate Control. This will start the delegation control wizard.
  5. In select User Account window, click Add.
  6. Find the correct User or group and double click.
  7. Click OK.
  8. In Tasks to Delegate window, choose the permissions to assign and click Next.
  9. Review the summary and click Finish.

Delegate policy-related permissions on a domain, OU, or site using GPMC

http://technet.microsoft.com/en-us/library/cc759064%28WS.10%29.aspx

Delegating Administration of Account and Resource OUs

http://technet.microsoft.com/en-us/library/cc784406%28WS.10%29.aspx

4.    Obtain a license for the WorkSpaces Manager appliance

Go to the AWS Marketplace, search for ‘Workspaces Manager’ and select ‘Nuvens’ as the Vendor filter. Select the product WorkSpaces Manager.

Now select ‘Continue to Subscribe’.

If you are asked to set up an account, proceed with this. If you have already subscribed to WorkSpaces Manager, but did not set up an account, select the link below which will take you through to the registration area.

You will now fill in the registration information. The only fields you need to fill in for a license are highlighted below. Estimate the number of licenses that you will require; you can change this later on. Your license will be emailed to you and you can then proceed with setting up the WorkSpaces Manager appliance in Section 5.

5.    Installing the WorkSpaces Management appliance from AWS Marketplace

Firstly, ensure that you are logged on to your AWS Console. Then go to the AWS Marketplace and search for ‘Workspaces Manager Appliance’.  Alternatively, click this link to take you there.

When found, select ‘Continue to subscribe’.

You now need to subscribe to the software. Select ‘Accept Terms’.

Now select ‘Continue to Configuration’.

Change your Region to the region that you want your WorkSpaces Manager appliance to reside. Then select ‘Continue to Launch’.

From ‘Choose Action’, select ‘Launch CloudFormation’. Then select ‘Launch’.

On the next section, accept all entries and select ‘Next’.

You now specify your parameters for your stack configuration. Enter:

Stack Name:            Your stack name. Call it something that is relevant for your own identification.

Instance Type:         Leave as t3a.medium, as this should be sufficient to run WorkSpaces Manager. (Drop down list)

Key Name:                You may have multiple key names under your IAM account for your own account. Select one – this will be used to provide you with the local administrator credentials to the WorkSpaces Manager EC2 instance further down the line. NOTE: You will need the associated key file to be able to decrypt the password later on.

RDPLocation:           Enter a CIDR from which both WorkSpaces and Admins will access WorkSpaces Manager. You can amend this later.

Subname:                 Select a Private subnet for your WorkSpaces Manager to reside. (Drop down list)

VPCName:                Select the VPC that you wish to place the WorkSpaces Manager in. (Drop down list)

You now configure your stack options.

Tags:                          You can tag the resources if you wish.

Permissions:             Leave this blank as permissions will be created for you.

Advanced Options: Keep all options as default. You can enter an SNS Topic ARN to notify you of when the stack is created, but this is not necessary. You will know when it is finished as the WorkSpaces Manager will appear as an EC2 instance in the console.

Then select ‘Next’.

You will now find yourself at the ‘Review’ screen. Scroll down to the bottom, select the acknowledgement, and then select ‘Create Stack’.

You will now return to the stack status screen where you can see the progress of the WorkSpaces Manager stack.

You can view the tasks as they are being performed. When the stack creation is complete, the status will change from ‘CREATE_IN_PROGRESS’ to ‘CREATE_COMPLETE’. The stack creation takes around 3-4 minutes to complete.

If you now view your EC2 instances in the region that you chose to install WorkSpaces Manager, you’ll see the WorkSpaces Manager instance. Give this around 5-10 minutes for the Status Checks to finish and for the local administrator password to be auto-generated.

Now RDP to your instance using the Private IP assigned to the instance using the local administrator password and using the KeyName and associated keyfile that you specified in the Stack Details section above. If you cannot RDP to the instance, you need to be connecting from a device in the network CIDR that you specified in RDPLocation in Stack Details section above.    
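One way to sanity-check an RDPLocation value before entering it, as an added example that is not part of the Nuvens guide or its CloudFormation template: the function flags a CIDR that is open to every address or outside the RFC 1918 private ranges, and lists required source networks it does not cover. The subnet labels and addresses in the sample are constructed, and the function and variable names are this example's own.

```python
import ipaddress

# RFC 1918 private ranges. The appliance sits in a private subnet and is
# reached on its private IP, so RDPLocation should fall inside one of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: networks that must reach the appliance (admins over
# RDP/HTTP, WorkSpaces for the portal and the Performance Monitor Agent).
SAMPLE_SOURCES = {
    "admins": "10.0.10.0/24",
    "workspaces-a": "10.0.20.0/23",
    "workspaces-b": "10.1.0.0/24",
}


def check_rdp_location(cidr, required_sources):
    """Audit a candidate RDPLocation value.

    cidr             -- CIDR string intended for the RDPLocation parameter
    required_sources -- {label: CIDR} of networks that must be allowed in
    Returns {"findings": [...], "excess_addresses": int or None}, where
    excess_addresses counts addresses admitted beyond the listed sources.
    """
    try:
        # strict=True rejects values such as 10.0.1.5/24 (host bits set).
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return {"findings": [f"invalid CIDR: {exc}"], "excess_addresses": None}

    findings = []
    if net.prefixlen == 0:
        findings.append("open to every address")
    elif net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
        findings.append("not inside an RFC 1918 private range")

    inside = []
    for label, src in sorted(required_sources.items()):
        src_net = ipaddress.ip_network(src)
        if src_net.version == net.version and src_net.subnet_of(net):
            inside.append(src_net)
        else:
            # Devices here will fail to RDP or browse to the portal.
            findings.append(f"{label} ({src}) is outside RDPLocation")

    # collapse_addresses merges overlapping sources so nothing is counted twice.
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(inside))
    return {"findings": findings,
            "excess_addresses": net.num_addresses - covered}


if __name__ == "__main__":
    for candidate in ("10.0.0.0/16", "10.0.0.0/8", "0.0.0.0/0"):
        print(candidate, check_rdp_location(candidate, SAMPLE_SOURCES))
```

A large excess_addresses figure means the rule admits far more of the network than the admin and WorkSpaces subnets need; since RDPLocation can be amended later, it can start narrow and be widened.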

 

5.1     Join your WorkSpaces Manager instance to your Active Directory Domain

Connect to the WorkSpaces Manager instance and join it to your Active Directory domain. Once complete, you can now go to the next section on ‘First Time Setup’.

PLEASE NOTE: You need to have your DHCP options set in AWS to be able to find your domain or enter your DNS servers manually in the TCP/IPv4.

 

5.2     First Time Setup

Please Note: The instance MUST have Internet connectivity.

Log on to the WorkSpaces Manager EC2 instance, go to Internet Explorer and browse to http://localhost.

From a browser, connect to the Private IP address of the WorkSpaces Manager portal instance from a device in the ‘RDPLocation’ CIDR range specified above in ‘Specify Stack Details’. If you get this message, you can either enter your DOMAIN\USERNAME and password, or you can go to Internet Explorer > Internet Options and add the website address (e.g., http://private-ip-of-your-instance) to Trusted Sites or Local Intranet. You can also provide your portal with a friendly portal name address (e.g., http://workspacesmanager.yourdomain) which means that it will most likely be accepted from most\all browsers in your organisation without amending the Trusted Sites or Local Intranet settings. To give it a friendly name, see the section ‘Securing the Portal and adding a friendly portal address’.

When you can successfully connect to the portal, you will be presented with a setup screen to enter information for:

  • License key (obtained in Section 4).
  • Active Directory settings
  • SMTP settings
  • Amazon Web Services settings
  • Additional options settings

The license key will have been sent via email when you registered on the AWS Marketplace in Section 4.

For any assistance with the License key or setting up the WorkSpaces Manager Appliance please contact support@nuvens.co.uk

Now press ‘Save’. Please wait for up to 30 seconds for the next screen to appear. Again, make sure that the instance has Internet access, otherwise it will give you an error saying that the license code is invalid.

When it completes, it will show the administration section of the portal on the Options\Settings page. You can change settings in here where you see them. The various sections are covered below.

 

5.2.1   Licenses

This shows the WorkSpaces Manager version, the number of licenses procured, the current number of licenses in use and the expiry date of the license.

 

5.2.2   SMTP

This enables you to send emails to users when their new WorkSpace is ready and\or if their password is to expire.

You could use AWS Simple Email Service to achieve this, or your own SMTP setup. You can test the connection by selecting the icon highlighted.

5.2.3   Remote Service Account

This is an account that you configure to remote control user devices using Dameware, etc. This is the generic account that you connect with (which will be standard throughout your organisation). You can remote control a user’s WorkSpaces by selecting ‘Dameware’ (if you have selected the ‘Enable Dameware’ option in ‘Additional Options’) and it downloads a connection file for you to run.

5.2.3.1 Enable RDP

Enables the option for downloading an RDP file to connect to the user’s WorkSpace from within the Portal.

5.2.3.2 Enable DameWare

Enables the option for downloading an RDP file to connect to the user’s WorkSpace from within the Portal.

 

5.2.4   Auto Change Compute Type

You can opt for WorkSpaces Manager to automatically change the compute type of a WorkSpace. This is useful if, for example, you had a user running heavy spreadsheets on a Standard WorkSpace who would benefit from being upgraded to a Performance WorkSpace.

Set Low and High Processor and Memory values (these are up to you). WorkSpaces Manager will also advise you of recommendations.

 

5.2.5   Active Directory (Single\Multiple Domain Forest)

You can either have a single Active Directory domain for WorkSpaces, or multiples.

On initial setup, and by default, you will have one domain. You can enable multiple domains by enabling the feature below in Additional Options.

You will then add the details for your domain.

AD Service Account and password:

When creating the AD Service Account to support AWS WorkSpaces you will have already provided an account with permissions to create computer objects within AD to the OU specified at the time.

We recommend using the same service account and providing additional permissions to delete computer objects. 

NetBIOS name:      

NetBIOS name of the domain that your WorkSpaces will be joining.

FQDN:

Fully Qualified Domain Name of the domain that your WorkSpaces will be joining.

Default User OU:

If you create a user in the ‘Add User’ section of the Portal, this is where it will place that user. If you use the ‘Import Template’ then you can specify where you want the user(s) to be located per OU or by copying template users.

 

5.2.6   Amazon Web Services

 

5.2.6.1 Single\Multi-AWS Account

WorkSpaces Manager allows you to manage WorkSpaces across single, or multiple, AWS accounts. When you set up WorkSpaces Manager, you will set up a single account. You can set up multi-AWS accounts by enabling this function and following the instructions in Section 7 of the ‘WorkSpaces Manager Administrator Guide’.

You will see a summary of the Account ID(s) when they are added. Click on one and you will see the options. You can turn some on and off (like Dry Run mode) as preferences.

5.2.6.2 WorkSpaces

Turns on the WorkSpaces Management menu function.

5.2.6.3 AppStream

Turns on the AppStream Management menu function.

5.2.6.4 Default AWS Region

This is the AWS Region that your Amazon WorkSpaces are hosted in. For example, Ireland will be eu-west-1. A full list of Regions can be located here.

5.2.6.5 Cost Optimizer Bucket

This is the bucket name mentioned in the ‘AWS WorkSpaces Cost Optimizer’ section earlier in the document.

5.2.6.6 AppStream Bucket

Specifies the AppStream Usage bucket.

5.2.6.7 AWS Cost Optimizer

This enables the AWS Cost Optimiser.

5.2.6.8 Dry Run

Running the Cost Optimiser in Dry Run Mode will show you the changes that would have been made.

 

5.2.6.9 Auto Reboot

This gives the ability to set reboot times on WorkSpaces. This is available once you have set up the Portal.

5.2.7   Additional Options

5.2.7.1 Statistics Retention Days

If the WorkSpace Performance Monitor Agent has been deployed to the WorkSpaces, it will be reporting back to the server key metric statistics periodically as defined in the Group Policy (see Section 6 for installing the WorkSpaces Performance Monitor Agent). In a large estate, this will create millions of rows within the database over a period. The number of days that are retained within the database can be specified here. If the number of days is too high on a large estate (e.g., 60) then it will have an impact on queries of statistics and increased disk space usage. For smaller estates, you can set this to 30 days and monitor from there.

5.2.7.2 WorkSpace Service Update Frequency (mins)

This will automatically update the local database with up-to-date information on this period. 15 minutes is sufficient for most cases, but you would not want to do this on, for example, a 1-minute period on a very large WorkSpaces and user estate. If you need to do a manual update for any reason, you can do this in the Update section of the portal.

5.2.7.3 Portal URL

Enter your portal URL here.  e.g.  http://ourwsmportal.mycompany.internal.

5.2.7.4 Multiple Account

This enables management of WorkSpaces across multiple AWS accounts. Please refer to Section 7 of the ‘WorkSpaces Manager Administrator Guide’ which tells you how to set it up.

5.2.7.5 Multiple Domains

If you are using a multi-domain forest, you can add multiple domains that host your user accounts. Therefore, their WorkSpaces can be managed, searched, and reported on.

5.2.7.6 Password Expiry Emails

If this is chosen, users will receive a notification email two weeks prior to their password expiring. This can be turned on\off whenever and is not required to complete the Portal configuration at this stage.

5.2.7.7 User Restore

Enables the Self-Service function for a user to restore their WorkSpace to a last known healthy state. Automatic snapshots for use when restoring a WorkSpace are scheduled every 12 hours. 

If the WorkSpace is healthy, snapshots of both the root volume and user volume are created around the same time. If the WorkSpace is unhealthy, these snapshots are not created.

If needed, a user can restore a WorkSpace to its last known healthy state. This recreates both the root volume and user volume, based on the most recent snapshots of these volumes that were created when the WorkSpace was healthy.

5.2.7.8 User Rebuild

Enables the Self-Service function for a user to rebuild their WorkSpace.

The system is refreshed with the most recent image of the bundle that the WorkSpace was created from. Any applications that were installed, or system settings that were changed after the WorkSpace was created, are lost.

The user volume (for Microsoft Windows, the D drive; for Linux, /home) is recreated from the most recent snapshot. The current contents of the user volume are overwritten.

Automatic snapshots for use when rebuilding a WorkSpace are scheduled every 12 hours. If the WorkSpace is healthy, a snapshot of the user volume is created. If the WorkSpace is unhealthy, the snapshot is not created.

The primary elastic network interface is recreated. The WorkSpace receives a new private IP address.

5.2.7.9 Disable Scheduler

This quickly disables ALL automation of the WSM Appliance.

5.2.7.10           Activity Reporting

This enables\disables the sending of a daily report on user login, logoff, idle times and when activity was resumed.

5.2.7.11           Email For Report

The email of the person\group that receives the Activity report.

5.2.7.12           Auto Delete

You can set up WSM to automatically delete unused workspaces after a defined period of days.

5.2.7.13           Auto Delete Days

This value is the number of days a WorkSpace should be considered for deletion e.g., 45 or 60 days.

 

5.2.7.14           Safety Days Before Termination

This value is the number of days a user will be given to inform their helpdesk or IT Function that they still require the WorkSpace before deletion.

For example, if Autodelete was set for 60 days, then on the 60th day of the WorkSpace being unused, the user that is associated with the WorkSpace will receive an email informing them that their WorkSpace is to be deleted in (Safety days VALUE), with the request for them to contact support to remove the Autodeletion request.  After the safety days value and if autodeletion is not removed.

5.2.7.15           Auto-Provision

In version 4.0, Auto Provision has been provided; however, the configuration is performed directly on the server via SQL Server Manager with the “AutoProvisions” table.

Within Active Directory, a group will need to be created which will be used to determine that WorkSpaces should be provisioned and the configuration of the WorkSpace.

The record created associates the group name with:

  • AWS Account
  • BundleId
  • DirectoryId
  • Region
  • Running Mode
  • Encryption requirements

If Auto-Provision is enabled, the service will poll the Active Directory group every 15 minutes for new members.

Removing a user from the AD group will not terminate the WorkSpace.  This functionality can be obtained in conjunction with Auto-Delete.

5.2.7.16           Unhealthy Reboot

If this option is enabled, the service will check for any WorkSpaces with a status of “UnHealthy” every 10 minutes.  Any WorkSpaces found in this state will have their status re-evaluated and, if still found to be “UnHealthy”, they will be rebooted.  If after a reboot the status remains at “UnHealthy”, the WorkSpace running mode will be set to “Auto-Stop” (if not already) and the WorkSpace Stopped.  Once Stopped, the WorkSpace will be Started again and its original running mode restored.  This action can initiate a migration from the underlying physical host.

If the WorkSpace remains in an “UnHealthy” state an error is recorded on the admin dashboard.

5.2.8   Applications

This allows users to Self-Service their applications in their dashboard – from Numecent Cloudpaging and products such as FlexApp, APP-V, etc. You can enable both here.

5.2.8.1 AD Group applications

Enable this if you use software distribution on to your WorkSpaces from the likes of Liquidware FlexApp, App-V, etc. This allows users to add and remove applications available to them through the Self-Service side of the WorkSpaces Manager Portal. You can change this to your own prefix when you have logged into the Portal. For example, your FlexApp groups could be prefixed ‘FA-USR’.

By default, any new imported applications based on the prefix group name (in the example below, ‘FA-USR’) are given the ‘Application Group’ of ‘App’ and the ‘Type’ of ‘Free’.

For an application group to be imported into this list, it will need to have a Description and the group prefix specified in the ‘Application Group Prefix’ field of ‘Options > Settings > Applications’.

This is a list of applications that a user can add\remove as a Self-Service function in the WorkSpaces Manager portal. To know more about this, go to Section 5 of the ‘WorkSpaces Manager Administrator Guide’ where you will be shown how to amend this list where it says ‘Type’. All imported applications are ‘Free’ of Type by default – a user can add and remove themselves from the application in the WorkSpaces Manager Self-Service portal. However, you may want to amend the ‘Type’ to ‘Paid’ for such applications as Visio which have licensing constraints. A user can hence remove themselves from the group, but will have to ask the Service Desk (or another AD administrator) to add them back in.

5.2.8.2 Application Group Prefix

As above, this is the prefix of your application distribution groups with whatever product you are using (FlexApp, App-V, etc).

5.2.8.3 Cloudpaging Applications

If you want to use Numecent Cloudpaging applications with WorkSpaces, you can enable this feature on here.

5.2.8.4 Cloudpaging Username

This is where you enter the account name that you use for Numecent Cloudpaging.

6.    Installing the WorkSpaces Performance Monitor Agent

** RECOMMENDED FOR FULL FUNCTIONALITY **

 

The WorkSpaces Performance Monitor Agent requires .NET 4.6.2 or above. If a lower version is detected, the installation will advise you.

The WorkSpaces Performance Monitor Agent gathers information on both user and WorkSpace Metrics.

The Agent installer (‘WSM Performance Monitor.msi’) can be found in “D:\WorkSpaceAgent” on the WSM appliance.

The Agent requires registry values to be present to locate the database on the appliance. These values are in D:\WorkSpaceAgent\nuvens.reg and are as follows:

[HKEY_USERS\.DEFAULT\Software\Nuvens]
"UpdateFrequency"="60"
"Portal"="http://10.0.1.174"
"Frequency"=dword:00000005
"IdleMinutes"=dword:00000015
"Visible"="false"

“Portal” – Replace with http://DNS or IP address of your portal. (If you are using SSL, use https in place of http)

“Frequency” – The value data is a numeric value of minutes (e.g. ‘5’, where the Agent reports back to the database every 5 minutes with metrics). You can change this frequency to an increased value if you have a large estate, as a lot of information will be stored in the database.

The best way to deploy the registry settings and the application is via a Group Policy or by using a distribution tool of your choice (such as Microsoft SCCM).

In Group Policy Manager, create a new Group Policy on the OU containing the AWS WorkSpaces.  Under Computer Configuration, expand Policies:

  • Expand Software Settings under Computer Configuration
  • Right-click Software Installation, select the ‘New’ from the context menu and then click on Package
  • In the Open dialog type the full UNC path of the shared package you want to assign
  • Click on the Open button
  • Click on Assigned and then click OK (the package will be added to the right pane of the “Group Policy” window)

The required Registry values can be added on the same Group Policy.

Under Computer Configuration, expand Preferences:

  • Expand Windows Settings under Preferences
  • Right-click Registry and create new registry item

(a) Create the “Portal” registry value with the key [HKEY_USERS\.DEFAULT\Software\Nuvens]

  • The value name is “Portal” of type REG_SZ.
  • The value data is http (or https) and the IP address (or DNS address) of your WorkSpaces Manager appliance. (e.g. http://wsmportal).

(b) Create the “Frequency” registry value with the key [HKEY_USERS\.DEFAULT\Software\Nuvens]

  • The value name is “Frequency” of type REG_DWORD (32-bit)
  • The value data is a numeric value of minutes (i.e. 5 (decimal), where the Agent reports back to the database every 5 minutes with metrics). You can change this frequency to an increased value if you have a large estate, as a lot of information will be stored in the database.

(c) Create the “UpdateFrequency” registry value with the key [HKEY_USERS\.DEFAULT\Software\Nuvens]

  • The value name is “UpdateFrequency” of type REG_SZ
  • The value data is 60

(d) Create the “IdleMinutes” registry value with the key [HKEY_USERS\.DEFAULT\Software\Nuvens]

  • The value name is “IdleMinutes” of type REG_DWORD (32-bit)
  • The value data is 15 (decimal)

(e) Create the “Visible” registry value with the key [HKEY_USERS\.DEFAULT\Software\Nuvens]

  • The value name is “Visible” of type REG_SZ
  • The value data is “false”
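A check for the agent's registry settings, added here as an example (not Nuvens code): it parses the .reg text listed earlier in this section, decodes each value, and compares it with the types and decimal values given in steps (a) to (e). Data after dword: in a .reg file is hexadecimal, so dword:00000015 decodes to 21 rather than the 15 (decimal) that step (d) specifies; the check also flags a Portal address that still uses http. The sample text is constructed from the listing in this guide, and EXPECTED and the function names are this example's own.

```python
import re

# Constructed sample: the nuvens.reg values as listed in this guide.
SAMPLE_REG = r'''
[HKEY_USERS\.DEFAULT\Software\Nuvens]
"UpdateFrequency"="60"
"Portal"="http://10.0.1.174"
"Frequency"=dword:00000005
"IdleMinutes"=dword:00000015
"Visible"="false"
'''

# Types and decimal values from Group Policy steps (a)-(e) in this guide.
# None means the guide gives no fixed value to compare against.
EXPECTED = {
    "Portal": ("REG_SZ", None),
    "Frequency": ("REG_DWORD", 5),
    "UpdateFrequency": ("REG_SZ", "60"),
    "IdleMinutes": ("REG_DWORD", 15),
    "Visible": ("REG_SZ", "false"),
}

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<sz>.*)"|dword:(?P<dw>[0-9A-Fa-f]{8}))$')


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} for REG_SZ/REG_DWORD."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VAL_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {raw!r}")
        if m.group("dw") is not None:
            # dword data is eight hex digits, never decimal.
            current[m.group("name")] = ("REG_DWORD", int(m.group("dw"), 16))
        else:
            # Undo .reg string escaping (\\ and \").
            data = re.sub(r'\\(.)', r'\1', m.group("sz"))
            current[m.group("name")] = ("REG_SZ", data)
    return keys


def audit(text, key=r"HKEY_USERS\.DEFAULT\Software\Nuvens"):
    """Return a sorted list of findings for the agent's registry values."""
    values = parse_reg(text).get(key, {})
    findings = []
    for name, (want_type, want_data) in EXPECTED.items():
        if name not in values:
            findings.append(f"{name}: missing")
            continue
        got_type, got_data = values[name]
        if got_type != want_type:
            findings.append(f"{name}: type {got_type}, guide says {want_type}")
        elif want_data is not None and got_data != want_data:
            findings.append(
                f"{name}: data {got_data!r}, guide says {want_data!r}")
    portal = values.get("Portal", ("", ""))[1]
    if isinstance(portal, str) and portal.lower().startswith("http://"):
        # The agent reports logon/logoff and usage metrics to this address.
        findings.append("Portal: plain http, use https once SSL is configured")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

To deploy an idle timeout of 15 minutes through a .reg file, the data would be dword:0000000f; the Group Policy Preferences editor accepts the decimal value directly.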

7.    High Availability

The WorkSpaces Manager appliance is a single EC2 instance containing IIS & SQL Express.  Provided you schedule backups of the EBS volumes associated with the appliance, recovery can be completed in under an hour.

7.1     Database

To achieve database HA, we recommend deploying AWS RDS Microsoft SQL Server into at least 2 Availability Zones.

After deploying RDS you will need to do the following actions:

  • Change the registry key ‘Portal’ to point to the RDS database cluster endpoint.
  • Edit the Web.Config in D:\Portal on the appliance from “127.0.0.1” to the RDS Cluster endpoint.
  • Stop the ‘PortalService’ service on the appliance. Edit the service config file in “C:\Program Files (x86)\Nuvens Consulting Ltd\Nuvens AWS WorkSpaces Management Portal Service\PortalService.exe.config” and change the database connection string from “127.0.0.1” to the RDS Cluster endpoint. Then restart the appliance.

7.2     User/Admin Portal

There are several ways that HA can be provided for the Portal including Auto Scaling Groups.  The simplest method is to make an Amazon Machine Image (AMI) of your appliance.

  1. Log into your Amazon Web Services EC2 site using your administrative credentials.
  2. Right-click on the instance to make an AMI and select Create Image.
  3. Name the Image and click Create Image

This will make a cloned image of your WorkSpaces Manager Instance.  This can be kept as a backup.

To be able to deploy the image as another instance we need to first go through a process called SysPrep and create our deployable image.

  1. Stop the original instance that the image was created from.
  2. Launch the AMI just created as a new instance.
  3. Once the instance is running connect via RDP.
  4. Click the ‘Windows’ icon on the instance and start ‘Ec2LaunchSettings’.
  5. Click on ‘Shutdown with Sysprep’ and then click ‘Apply’.
  6. This will start a process of removing Windows user and system settings. Once it has completed, the instance will be left in a stopped state.
  7. The original appliance can now be started again.
  8. The Sysprepped stopped image can now be imaged again to create our master appliance image. Once the AMI has been created you can terminate the source instance.

Now that we have created a master image, this can be launched into an alternative Availability Zone in the Region.  The same instructions as ‘Installing the WorkSpaces Management Portal on AWS’ can be used to launch the image; however, this time, rather than installing from the Marketplace, you will launch the instance from the AMI just created.  If you launch with domain join configured and assign the ‘WorkSpacesManager’ Role, the instance will be available after about 30 minutes.

This has provided 2 instances in different AZs configured to connect to HA RDS Microsoft SQL Server.  However, we now need to create a single point of entry into the Portal.

  1. From the AWS Console select ‘EC2’ Service then ‘Target Groups’.
  2. Click Create target group and provide a target group name before clicking ‘Create’.
  3. Register both WorkSpace Manager appliances with the target group.
  4. Next create an Application Load Balancer ensuring you select the Availability Zones that you used when creating the target group and the Scheme is set as ‘Internal’.
  5. On Step 3: Configure Security Groups, create a new security group allowing inbound HTTP from the private subnets.
  6. On Step 4: Configure Routing, select the target group we created above then click next and complete creation of the load balancer.

Once the load balancer has been created you can view the details of the load balancer including its DNS name.

The DNS name can then be used to access the portal which will be load balanced across both instances.

The portal is now in full HA mode, load balanced across 2 AZs with an HA database supporting it.  However, the address is not very friendly. See ‘Securing the Portal and adding a friendly portal address’ in Section 8.

8.    Securing the Portal and adding a friendly portal address

8.1     Portal address

Rather than accessing the Portal via the IP address of the instance you can add a record to your DNS server.

From DNS manager, add an A record to your domain referencing the IP address of the instance.

This will now allow you to reference the portal, in this scenario as http://portal.nuvens.local.

If you have configured load balancing, then you will need to add a CNAME record and reference the DNS record of the load balancer.

8.2     SSL Certificate

Now that we have a friendly hostname, we can associate an SSL certificate to encrypt traffic between the client browser and the host.

  1. Select the Load Balancer previously created and click on listeners.
  2. Add a listener for HTTPS port 443.
  3. Create a Default action to forward to the target group.
  4. Select the appropriate certificate from ACM.
  5. Click ‘Save’.