Amazon WorkSpaces
Administration Guide (Version 1.0)

Preparing Your Network for an AD Connector Directory

Amazon WorkSpaces uses an AWS Directory Service AD Connector directory to connect to your on-premises directory. The following topics explain how to prepare to connect Amazon WorkSpaces to your on-premises directory.

Architecture

The following is the basic system architecture of Amazon WorkSpaces when using an AD Connector directory and a VPN.

[Figure: Amazon WorkSpaces with AD Connector and VPN network architecture]

The following is the basic system architecture of Amazon WorkSpaces when using an AD Connector directory and AWS Direct Connect.

[Figure: Amazon WorkSpaces with AD Connector and AWS Direct Connect network architecture]

Requirements

To use AD Connector to connect to your on-premises directory, you must meet the prerequisites identified in Prerequisites in the AWS Directory Service Administration Guide.

In addition, you need the following:

  • For Amazon WorkSpaces to communicate with your on-premises directory, the firewall for your on-premises network must allow inbound traffic from the CIDRs of both VPC subnets used by the AD Connector on the following ports. Scope these rules to those two CIDRs as the source and to the domain controllers that host your directory as the destination; the dynamic RPC range in particular is far too broad to open from any wider source:

    • TCP/UDP 53 - DNS

    • TCP/UDP 88 - Kerberos authentication

    • UDP 123 - NTP

    • TCP 135 - RPC endpoint mapper

    • UDP 137-138 - Netlogon (NetBIOS name and datagram services)

    • TCP 139 - Netlogon (NetBIOS session service)

    • TCP/UDP 389 - LDAP

    • TCP/UDP 445 - SMB

    • TCP 1024-65535 - Dynamic ports for RPC

To test whether these requirements are met before you connect to your on-premises directory, see Connect Verification.
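The following script is an added example and is not AWS code or the Connect Verification tool the page refers to. Run it from a host in one of the two VPC subnets used by the AD Connector, pointing it at an on-premises domain controller. It parses the port list above, TCP-connects to every fixed TCP port, samples the dynamic RPC range (a domain controller listens on only a few of those ports, so a reset proves the path while a silent timeout indicates a firewall drop), and sends one real DNS query over UDP 53. The remaining UDP ports cannot be proven with a probe from the client side and are reported as untested. The DC address and domain name are placeholders.

```python
"""Probe the AD Connector port requirements from a VPC host toward an on-premises DC."""
import random
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

# The requirement list from this page, transcribed as written.
REQUIRED_PORTS = """
TCP/UDP 53 - DNS
TCP/UDP 88 - Kerberos authentication
UDP 123 - NTP
TCP 135 - RPC
UDP 137-138 - Netlogon
TCP 139 - Netlogon
TCP/UDP 389 - LDAP
TCP/UDP 445 - SMB
TCP 1024-65535 - Dynamic ports for RPC
"""


def parse_requirements(text):
    """Turn lines like 'TCP/UDP 53 - DNS' into (proto, low, high, label) tuples."""
    rules = []
    for line in text.strip().splitlines():
        protos, rest = line.split(" ", 1)
        ports, label = rest.split(" - ", 1)
        low, _, high = ports.partition("-")
        for proto in protos.split("/"):
            rules.append((proto, int(low), int(high or low), label))
    return rules


def tcp_probe(host, port, timeout=3.0):
    """'open' (handshake done), 'refused' (RST: reachable, nothing listening),
    or 'filtered' (no answer or unreachable: typically a firewall drop)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes socket.timeout and host-unreachable errors
        return "filtered"


def build_dns_query(txid, name):
    """Minimal RFC 1035 query: header (RD=1, one question) + QNAME + A/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def dns_udp_query(host, name, timeout=3.0):
    """True if the DC answers our query over UDP 53 with our transaction ID."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query(txid, name), (host, 53))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, or ICMP port-unreachable surfaced as refused
            return False
    return len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid


def check_dc(host, domain, rules, rpc_samples=5, timeout=3.0):
    """Probe every rule against one DC in parallel; return {rule: status}."""
    fixed = {"open": "open",
             "refused": "reachable, service not listening",
             "filtered": "BLOCKED (filtered)"}

    def probe(rule):
        proto, low, high, label = rule
        key = f"{proto} {low}" if low == high else f"{proto} {low}-{high}"
        if proto == "UDP":
            if low == 53:
                ok = dns_udp_query(host, domain, timeout)
                return key, "open" if ok else "BLOCKED (no DNS reply)"
            return key, "untested (UDP; verify the rule on the firewall)"
        if low == high:
            return key, fixed[tcp_probe(host, low, timeout)]
        # Dynamic RPC range: 'refused' still proves the path; only 'filtered' is a block.
        sample = random.sample(range(low, high + 1), rpc_samples)
        blocked = [p for p in sample if tcp_probe(host, p, timeout) == "filtered"]
        return key, "open" if not blocked else f"BLOCKED (filtered sample: {blocked})"

    with ThreadPoolExecutor(max_workers=8) as pool:
        return dict(pool.map(probe, rules))


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.10"            # placeholder DC
    domain = sys.argv[2] if len(sys.argv) > 2 else "corp.example.com"  # placeholder domain
    for key, status in check_dc(dc, domain, parse_requirements(REQUIRED_PORTS)).items():
        print(f"{key:18} {status}")
```

Run it once from each of the two subnets, since the on-premises firewall must admit both CIDRs; a clean result from one subnet says nothing about the other.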

Multi-factor Authentication Prerequisites

To support multi-factor authentication with your AD Connector directory, you need the following:

  • A Remote Authentication Dial-In User Service (RADIUS) server in your on-premises network that has two client endpoints, one for each AD Connector server. The RADIUS client endpoints have the following requirements:

    • To create the endpoints, you need the IP addresses of the AD Connector servers. These IP addresses can be obtained from the Directory IP Address field of your Amazon WorkSpaces directory details.

    • Both RADIUS endpoints must use the same shared secret. A RADIUS server selects the secret by the source IP address of the request, so an entry with a mismatched secret silently fails authentication for whichever AD Connector server is using it.

  • Your on-premises network must allow inbound UDP traffic on the default RADIUS authentication port (1812) from the AD Connector servers.

  • User names in your RADIUS server must be identical to those in your on-premises directory.

For more information about enabling multi-factor authentication with your AD Connector directory, see Multi-factor Authentication.
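The following is an added example, not AWS or AD Connector code, showing what the shared-secret requirement above means on the wire. It builds an RFC 2865 Access-Request the way a generic RADIUS client does, hides the User-Password with the secret and the Request Authenticator, and on the server side looks the secret up by the client's source IP, the way a RADIUS server matches its client entries. A client entry whose secret differs from what the AD Connector server uses decodes the password to garbage and returns a reply whose Response Authenticator the client cannot validate. The two client IPs, the user name, the one-time code and the secrets are constructed placeholders; which attribute AD Connector uses to carry the MFA code is not something this page states, so the example treats it generically as the User-Password.

```python
"""RFC 2865 shared-secret handling between a RADIUS client and server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Constructed: the two AD Connector server IPs (Directory IP Address field) as
# RADIUS client entries. The page's rule: both must carry the same secret.
RADIUS_CLIENTS = {
    "10.0.1.25": b"s3cret-shared-by-both",
    "10.0.2.25": b"s3cret-shared-by-both",
}
# Constructed stand-in for the MFA backend: user -> currently valid one-time code.
EXPECTED_OTP = {b"alice": b"123456"}


def attr(type_, value):
    return struct.pack("!BB", type_, 2 + len(value)) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-octet blocks (at least one), XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, hashlib.md5(secret + prev).digest()))
        prev = c
    return out.rstrip(b"\x00")  # assumes the real password has no trailing NULs


def build_access_request(ident, user, password, secret):
    """Client side: fresh 16-byte Request Authenticator, User-Name, hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_reply(code, request, secret, attrs=b""):
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def server_handle(src_ip, request):
    """Server side: pick the secret by source IP, recover the password, decide.
    Returns (reply, decoded_password), or None for an unknown client (RFC 2865
    says such requests are silently discarded)."""
    secret = RADIUS_CLIENTS.get(src_ip)
    if secret is None:
        return None
    request_auth, pos, user, hidden = request[4:20], 20, b"", b""
    while pos < len(request):  # walk the TLV attribute list
        t, l = request[pos], request[pos + 1]
        if t == USER_NAME:
            user = request[pos + 2:pos + l]
        elif t == USER_PASSWORD:
            hidden = request[pos + 2:pos + l]
        pos += l
    password = unhide_password(hidden, secret, request_auth)
    ok = hmac.compare_digest(password, EXPECTED_OTP.get(user, b"\x00"))
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret), password


def verify_reply(reply, request, secret):
    """Client side: the reply must carry our request ID and an authenticator
    computed with the secret we used; otherwise the server's entry for our IP
    has a different secret (or the reply is forged) and must be discarded."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(reply[4:20], expected)
```

With matching secrets the server recovers `123456`, answers Access-Accept, and the client validates the reply. If the second client entry were created with a different secret, the server would decode the code to random bytes and reject, and even an Accept would fail `verify_reply` on the client, which is exactly the failure mode the "same shared secret" rule prevents.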