Amazon WorkSpaces and SSL Errors with Deep Packet Inspection


I was recently doing a new FortiGate deployment for a customer, and one of the requirements was setting up Deep Packet SSL Inspection for their users. The customer already had an internal CA, so we generated a certificate for the FortiGate to use for re-encryption, and the clients already trusted it because the CA was part of their Active Directory deployment. During UAT we found that their VDI solution, Amazon WorkSpaces, wouldn't connect for end users whose traffic went through a firewall policy with SSL Deep Packet Inspection enabled, so I've documented the process of adding the required exceptions here.

A quick search turned up AWS documentation (linked here) listing all the connection FQDNs, IP addresses and ports you need to allow through your firewall. Working from that list and the region our deployment is in, we need to create a number of Address Objects and then an Address Group to keep them all together.

So go to Policy & Objects > Addresses and create an Address Object for each of the FQDNs/IP addresses that cover your Amazon WorkSpaces region/deployment.

Since we're dealing with quite a number of objects, you can also use the CLI to create them with something similar to the listing below, changing the FQDNs to the URLs AWS specifies for your region in the link above. I have also anonymised some of the entries (the auth endpoints), so again, make sure you review this list!

config firewall address
    edit "WorkSpaces Connectivity Check"
        set type fqdn
        set fqdn "connectivity.amazonworkspaces.com"
    next
    edit "WorkSpaces Client Metrics"
        set type fqdn
        set fqdn "skylight-client-ds.ap-southeast-2.amazonaws.com"
    next
    edit "WorkSpaces Dynamic Messaging"
        set type fqdn
        set fqdn "ws-client-service.ap-southeast-2.amazonaws.com"
    next
    edit "WorkSpaces Dir Auth"
        set type fqdn
        set fqdn "d32i4gd7xxxx.cloudfront.net"
    next
    edit "WorkSpaces Customer Dir Auth"
        set type fqdn
        set fqdn "d21ui22axxxx.cloudfront.net"
    next
    edit "WorkSpaces Customer Auth Media"
        set type fqdn
        set fqdn "dodwxjr2xxxx.cloudfront.net"
    next
    edit "WorkSpaces Forrester Log Service"
        set type fqdn
        set fqdn "fls-na.amazon.com"
    next
    edit "WorkSpaces Broker"
        set type fqdn
        set fqdn "ws-broker-service.ap-southeast-2.amazonaws.com"
    next
    edit "WorkSpaces API Endpoint 1"
        set type fqdn
        set fqdn "workspaces.ap-southeast-1.amazonaws.com"
    next
    edit "WorkSpaces Health Check DRP"
        set type fqdn
        set fqdn "drp-syd.amazonworkspaces.com"
    next
    edit "WorkSpaces Smart Card Auth Endpoints"
        set type fqdn
        set fqdn "smartcard.ap-southeast-2.signin.aws"
    next
    edit "WorkSpaces WS Broker 1"
        set type fqdn
        set fqdn "ws-broker-service.ap-southeast-1.amazonaws.com"
    next
    edit "WorkSpaces WS Broker 2"
        set type fqdn
        set fqdn "ws-broker-service.ap-southeast-2.amazonaws.com"
    next
    edit "WorkSpaces API Endpoint 2"
        set type fqdn
        set fqdn "workspaces.ap-southeast-2.amazonaws.com"
    next
end

We can then use the CLI again to create an Address Group containing all of the Address Objects we just created.

config firewall addrgrp
    edit "Amazon WorkSpaces"
        set member "WorkSpaces API Endpoint 1" "WorkSpaces API Endpoint 2" "WorkSpaces Broker" "WorkSpaces Client Metrics" "WorkSpaces Connectivity Check" "WorkSpaces Customer Auth Media" "WorkSpaces Customer Dir Auth" "WorkSpaces Dir Auth" "WorkSpaces Dynamic Messaging" "WorkSpaces Forrester Log Service" "WorkSpaces Health Check DRP" "WorkSpaces Smart Card Auth Endpoints" "WorkSpaces WS Broker 1" "WorkSpaces WS Broker 2"
    next
end

Once done, go to Policy & Objects > Firewall Policy and find the policy that applies to our users and performs the SSL inspection. Edit its SSL inspection profile, in this case custom-deep-inspection, and in the Exempt from SSL Inspection section add the Address Group we created earlier, in this case Amazon WorkSpaces.

Once you click OK twice the policy applies, and users' traffic to those services should now be exempt from SSL inspection.
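As an added example (not the post's own code), here is a small Python check for the finished configuration: it parses the FortiOS config/edit/set structure, lists any address objects the group leaves out, and confirms the group is referenced under the profile's ssl-exempt table, which is the CLI equivalent of the Exempt from SSL Inspection step above as I know it from FortiOS (verify the syntax against your firmware version). The sample config is constructed from the post's objects, with the group deliberately one object short so the check has something to report.

```python
# Added example, not the post's code; SAMPLE_CONFIG is constructed from the post's objects.
import shlex
SAMPLE_CONFIG = """
config firewall address
    edit "WorkSpaces Connectivity Check"
        set type fqdn
        set fqdn "connectivity.amazonworkspaces.com"
    next
    edit "WorkSpaces Dir Auth"
        set type fqdn
        set fqdn "d32i4gd7xxxx.cloudfront.net"
    next
end
config firewall addrgrp
    edit "Amazon WorkSpaces"
        set member "WorkSpaces Connectivity Check"
    next
end
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 1
                set type address
                set address "Amazon WorkSpaces"
            next
        end
    next
end
"""

def parse_fortios(text: str) -> dict:
    """Map each 'config a / edit b [/ config c / edit d]' path to its set keys."""
    tree, stack = {}, []
    for line in (l.strip() for l in text.splitlines()):
        kind, _, rest = line.partition(" ")
        if kind in ("config", "edit"):
            stack.append(" ".join(shlex.split(rest)))  # edit names may be quoted
        elif kind in ("next", "end"):
            stack.pop()
        elif kind == "set":
            key, _, values = rest.partition(" ")
            tree.setdefault(" / ".join(stack), {})[key] = shlex.split(values)
    return tree

def check_exemption(text: str, group: str, profile: str) -> tuple:
    tree = parse_fortios(text)  # returns (objects missing from group, group is exempted)
    objects = {p.split(" / ", 1)[1] for p in tree if p.startswith("firewall address / ")}
    members = set(tree.get(f"firewall addrgrp / {group}", {}).get("member", []))
    exempt = any(p.startswith(f"firewall ssl-ssh-profile / {profile} / ssl-exempt / ")
                 and tree[p].get("address") == [group] for p in tree)
    return sorted(objects - members), exempt
```

Run it against the output of `show firewall address`, `show firewall addrgrp` and `show firewall ssl-ssh-profile` concatenated into one file to catch objects that were created but never added to the group.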

And there you have it. You can use the same process for any other service (such as ConnectWise Control) or website that doesn't play nicely with Deep Packet SSL Inspection because the client-server connection requires a valid certificate. Bear in mind that exempted traffic is no longer inspected at all, so scope the exemption to a tight address group like this rather than turning off inspection for the whole policy.
