Microsoft Terminal Services Control Type Library


Merlina Magobet

Jul 13, 2024, 3:08:42 PM
to kriscarsbroodcont

This Guidance demonstrates how to deploy Remote Desktop Gateway to the AWS Cloud. RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish an encrypted connection between remote users and Amazon Elastic Compute Cloud (Amazon EC2) instances running Microsoft Windows, without a virtual private network. This helps reduce attacks on your Windows-based instances while providing a remote administration solution for administrators. You can choose to deploy RD Gateway into a new virtual private cloud (VPC) in your AWS account, or into an existing VPC, either standalone or domain-joined.

Step 1
Use the AWS CloudFormation template to deploy RD Gateway in a new or existing Amazon Virtual Private Cloud (Amazon VPC) spanning two Availability Zones with public and private subnets. Use the separate CloudFormation template to deploy Active Directory domain-joined (requiring an existing VPC) or non-domain joined Windows instances in the private subnets.

Step 2
AWS Secrets Manager securely stores credentials (such as username and password) used for accessing RD Gateway instances. Note: We strongly recommend enabling multi-factor authentication (MFA) on RD Gateway instances for additional security.

Step 3
AWS Systems Manager automates the deployment of the Amazon EC2 Auto Scaling group spanning the two public subnets by fetching username and password values from Secrets Manager and configuring RD Gateway instances.

The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.

The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.

CloudFormation templates describe your desired resources and their dependencies in a single stack and allow you to create, update, and delete an entire stack as a single unit, making it easy for you to manage cloud resources for the public and private subnets across Availability Zones.

Systems Manager centralizes operational data in a hub from multiple AWS services and automates tasks across your resources on AWS. It offers operations management for monitoring health and performance, application management to streamline operational workflows, change management to simplify operational changes to application configuration, and node management to accelerate troubleshooting and automate patching.

Secrets Manager securely encrypts and centrally audits secrets in combination with fine-grained AWS Identity and Access Management (IAM) and resource-based policies. This protects access to your applications, services, and IT resources and enables you to meet regulatory and compliance requirements for data security and privacy. For additional security, enable MFA on RD Gateway instances.

The private subnet in Amazon VPC contains a security group for the instances to allow access to the necessary ports. Public subnets contain RD Gateway instances for secure remote access to instances in the private subnets. The public subnet has a direct route to an internet gateway allowing for access to the public internet; the private subnet has no direct route to an internet gateway and requires a NAT gateway to access the public internet.

Network Load Balancer is capable of handling millions of requests per second while maintaining ultra-low latencies. It is also optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. Network Load Balancer operates at the connection level (Layer 4) so you can load balance both TCP and UDP traffic, routing connections to targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, microservices, and containers.

Amazon EC2 Auto Scaling helps you ensure that you have the correct number of EC2 instances available to handle the load for your application. You create collections of EC2 instances called Auto Scaling groups. Amazon EC2 Auto Scaling makes sure your group always has the number of instances that you have specified to meet your desired capacity. If you specify scaling policies, then Amazon EC2 Auto Scaling can launch or terminate instances on demand as your application load increases or decreases.

Amazon EC2 Auto Scaling optimizes workload performance and cost by combining purchase options and instance types. This service lets you provision and automatically scale instances across purchase options, Availability Zones, and instance families in a single application to optimize scale, performance, and cost. You can include Amazon EC2 Spot instances with On-Demand and Reserved instances in a single Auto Scaling group to save up to 90 percent on compute.

The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.

References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.

Most aspects of deploying think-cell are the same on both supported platforms (Windows or macOS). If there is some variation in detail, this is mentioned directly in the text. The mechanics of the initial installation and the distribution mechanism of configuration settings differ more substantially and are described in separate sections. If you only administer think-cell on Windows, feel free to skip the installation section for macOS, and vice versa.

All supported languages are included in the same, unified installation package. If a language is not yet supported by think-cell, English is used. It is not possible to alter the automatic language selection behaviour.

think-cell tightly integrates with PowerPoint and Excel to offer its streamlined user interface and wealth of functionality. Due to the tight integration, it is not possible to guarantee compatibility with unknown future changes to Microsoft Office. Therefore:

think-cell has built-in automatic update support. In this way, we ensure compatibility with any Microsoft update and provide new features. When PowerPoint or Excel are started, the software checks for a new version. If there is one, the software attempts to install the update.

If available, think-cell uses the Microsoft Background Intelligent Transfer Service (BITS) to download updates on Windows. BITS automatically frees bandwidth when the user needs it, and also recovers gracefully from network interruptions common in mobile computing environments. Each update is approximately 95 MB in size.

All files that are executed and installed by the automatic update are digitally signed by think-cell. The integrity of the update is verified against a self-signed certificate that is included in the version of think-cell currently installed.

Current Channel (Preview):
The think-cell update is available for download, but we do not always trigger a timely automatic update. When a conflict occurs and you have error reporting enabled, the update will be installed automatically. If you have error reporting disabled and support email not redirected (see Troubleshooting and critical errors), and the user selects Request Support in the error dialog, they will get an automatic email response even outside of our business hours including a link to the update download.

Beta Channel
We make the think-cell update available as soon as possible after the Microsoft update, but outages may occur. Once the think-cell update is ready, the distribution mechanism is the same as for Preview channels.

think-cell can be configured in a variety of ways to fit with your particular needs and environment. Below is a table of think-cell configuration parameters available for both Windows and Mac installations. On Windows, some additional configuration options for the A.2.2.4 Ribbon are available. For details on how to use a parameter with:
