Preparing Your Network for an AD Connector Directory
Amazon WorkSpaces uses an AWS Directory Service AD Connector directory to connect to your on-premises directory. The following topics explain how to prepare to connect Amazon WorkSpaces to your on-premises directory.
[Diagram: basic system architecture of Amazon WorkSpaces when using an AD Connector directory and a VPN.]
[Diagram: basic system architecture of Amazon WorkSpaces when using an AD Connector directory and AWS Direct Connect.]
To use AD Connector to connect to your on-premises directory, you must meet the prerequisites identified in Prerequisites in the AWS Directory Service Administration Guide.
In addition, you need the following:
For Amazon WorkSpaces to communicate with your on-premises directory, the firewall for your on-premises network must have the following ports open to the CIDRs for both subnets in the VPC:
TCP/UDP 53 - DNS
TCP/UDP 88 - Kerberos authentication
UDP 123 - NTP
TCP 135 - RPC
UDP 137-138 - Netlogon
TCP 139 - Netlogon
TCP/UDP 389 - LDAP
TCP/UDP 445 - SMB
TCP 1024-65535 - Dynamic ports for RPC
To test whether these requirements are met before connecting to your on-premises directory, see Connect Verification.
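As an added example (not code from the page or from AWS), the following Python audit encodes the port list above and reports which required ranges are not open from both VPC subnet CIDRs, including the case where a range is split across several rules. The rule format, the 10.0.0.0/16 network and the two subnet CIDRs are constructed for illustration.

```python
import ipaddress
REQUIRED = [  # (protocol, first port, last port, service) from the page's firewall list
    ("tcp", 53, 53, "DNS"), ("udp", 53, 53, "DNS"), ("tcp", 88, 88, "Kerberos"),
    ("udp", 88, 88, "Kerberos"), ("udp", 123, 123, "NTP"), ("tcp", 135, 135, "RPC"),
    ("udp", 137, 138, "Netlogon"), ("tcp", 139, 139, "Netlogon"), ("tcp", 389, 389, "LDAP"),
    ("udp", 389, 389, "LDAP"), ("tcp", 445, 445, "SMB"), ("udp", 445, 445, "SMB"),
    ("tcp", 1024, 65535, "RPC dynamic ports"),
]

def parse_rules(text):
    """Parse constructed allow rules 'proto port[-port] source_cidr', ';' or newline separated."""
    rules = []
    for entry in filter(str.strip, text.replace("\n", ";").split(";")):
        proto, ports, src = entry.split()
        lo, _, hi = ports.partition("-")
        rules.append((proto.lower(), int(lo), int(hi or lo), ipaddress.ip_network(src)))
    return rules

def covered(rules, proto, first, last, subnet):
    """True if every port in first..last is allowed for proto from the entire subnet."""
    ranges = sorted((lo, hi) for p, lo, hi, src in rules
                    if p == proto and subnet.subnet_of(src))
    need = first  # lowest port not yet proven open
    for lo, hi in ranges:
        if lo > need:
            break  # hole between need and lo, so the range is not fully open
        need = max(need, hi + 1)
    return need > last

def audit(rules, subnet_cidrs):
    """Return (proto, first, last, service, subnet) for each required range not fully open."""
    gaps = []
    for cidr in subnet_cidrs:
        subnet = ipaddress.ip_network(cidr)
        for proto, first, last, svc in REQUIRED:
            if not covered(rules, proto, first, last, subnet):
                gaps.append((proto, first, last, svc, cidr))
    return gaps

# Constructed sample: UDP 445 is absent and the RPC dynamic range only admits the first subnet.
SAMPLE_RULES = """
tcp 53 10.0.0.0/16; udp 53 10.0.0.0/16; tcp 88 10.0.0.0/16; udp 88 10.0.0.0/16
udp 123 10.0.0.0/16; tcp 135 10.0.0.0/16; udp 137-138 10.0.0.0/16; tcp 139 10.0.0.0/16
tcp 389 10.0.0.0/16; udp 389 10.0.0.0/16; tcp 445 10.0.0.0/16
tcp 1024-49151 10.0.1.0/24; tcp 49152-65535 10.0.1.0/24
"""

if __name__ == "__main__":  # the two CIDRs below stand for the constructed WorkSpaces subnets
    for gap in audit(parse_rules(SAMPLE_RULES), ["10.0.1.0/24", "10.0.2.0/24"]):
        print("MISSING: %s %d-%d (%s) from %s" % gap)
```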
Multi-factor Authentication Prerequisites
To support multi-factor authentication with your AD Connector directory, you need the following:
A Remote Authentication Dial-In User Service (RADIUS) server in your on-premises network that has two client endpoints. The RADIUS client endpoints have the following requirements:
To create the endpoints, you need the IP addresses of the AD Connector servers. These IP addresses can be obtained from the Directory IP Address field of your Amazon WorkSpaces directory details.
Both RADIUS endpoints must use the same shared secret.
Your on-premises network must allow inbound traffic over the default RADIUS server port (1812) from the AD Connector servers.
The usernames between your RADIUS server and your on-premises directory must be identical.
For more information about enabling multi-factor authentication with your AD Connector directory, see Multi-factor Authentication.