Modernize remote access to Amazon S3 File Gateway for a hybrid workforce
Enterprises deploy Amazon S3 File Gateway to facilitate cloud migration from on-premises file servers to Amazon S3. For example, an enterprise might run out of on-premises file server storage capacity. In that case, it can deploy Amazon S3 File Gateway to help system administrators copy data from the on-premises file server to the gateway appliance to alleviate on-premises storage capacity bottlenecks.
Over time, as more and more files and folders were copied to Amazon S3, employees’ storage focus shifted from the local file server to the gateway appliance. All was well until the pandemic broke out, and employees had to work remotely from home. The challenge was that the Amazon S3 File Gateway is a local file server appliance, but most of the employees had moved to working at remote locations. There is no access to the Amazon S3 File Gateway unless employees are on the same local network. If employees need remote file access, they must first set up Virtual Private Network (VPN) access. However, VPN is often considered a security risk because it puts the entire network at risk. In addition, the VPN can become a traffic bottleneck. In the past, only a few people connected to the VPN; now, most remote employees connect to it, causing traffic congestion. Another issue is that most mobile applications on the iPhone or iPad do not support direct file server network sharing, so accessing these files and folders from mobile devices is a challenge.
Amazon S3 backs Amazon S3 File Gateway, so S3 is available on the internet. If developers provide another file server interface through an HTTPS endpoint, users can access the same files and folders through the wide area network (WAN) via the HTTPS interface. This interface can have the same drive mapping, file locking, and Active Directory authentication features as the previous Amazon S3 File Gateway access.
Triofox helps construct your file server interface over HTTPS. It becomes another broker that enables the file server interface over wide area network (WAN). Together, Amazon S3 File Gateway provides access via local area network (LAN), and Triofox provides access via WAN. This solution helps you modernize remote file access to S3 File Gateway for your hybrid workforce.
In this post, I share a solution that provides an HTTPS-based drive mapping solution via Amazon S3 with Active Directory integration and folder permissions. You can use this solution to enable remote and mobile access to the same Amazon S3 bucket that is backing a local S3 File Gateway instance. The integration enables office-based employees to access files and folders through the local S3 File Gateway. Remote users can access files and folders as if it were still the same S3 File Gateway, with additional benefits for web and mobile features.
You must complete the following prerequisites before implementing this Triofox Cloud File Server solution:
- Subscribe to Triofox Cloud File Server in AWS Marketplace, and then proceed to configuration of the software by choosing Continue to Configuration.
- To go to the Launch this software page, choose Continue to Launch.
- Under Choose Action, select Launch through EC2 and choose Launch.
- To follow through with launching the Amazon EC2 instance, select the EC2 tab and then Instances. Select Launch an instance. Use the default settings and choose Launch Instance.
In a few minutes, the Triofox Cloud File Server solution launches the EC2 instance. Log in to the Amazon EC2 console and switch to the EC2 Instances view. The Instance state will be Running, and the Status Check will be Initializing. Wait for the Status Check to become 2/2 checks passed.
Initial configuration of the Triofox Cloud File Server
Once the status of the Triofox Cloud File Server EC2 instance becomes 2/2 checks passed, finish the configuration by connecting to the remote desktop protocol (RDP) console of the server. To do that, do the following:
- In the EC2 console, navigate to the EC2 instances page. In a table view at the top of the page, select the newly created Triofox server instance and choose Connect.
- To get the Windows password of the instance and connect to the server’s console window via RDP protocol, in the upper middle tab, select the RDP client tab and choose Get password.
- Once you have the administrator’s password, to download the RDP client file (.rdp suffix) and connect to the server console, choose Download remote desktop file. Double-click the downloaded .rdp file. This takes you to the RDP console.
- In the RDP console, wait for a configuration web page to pop up.
- At the first configuration page, select the Default – all in one option for the embedded database service.
- At the second configuration page, create a default admin account. If the machine joins your Active Directory domain, you can use a domain user’s account as the default administrator. If the machine is not part of a domain, you can choose I don’t have a Domain User Account and create the default administrator with an email address and password.
- In the Active Directory Integration configuration page, if you don’t need Active Directory for now, you can choose Configure Later.
The initial Triofox configuration is now complete. To enter the Triofox admin portal, open a web browser on the server and go to the localhost web URL (“http://localhost/”) at any time. The Triofox admin portal requires a more modern web browser than Internet Explorer 11, so Google Chrome or Microsoft Edge are your best options after you complete the initial setup.
The following architecture diagram illustrates the components of Amazon S3 File Gateway and Triofox Cloud File Server integration.
The remote file access solution for a hybrid workforce contains the following components:
- Amazon S3 File Gateway deployed at a corporate data center, next to the Active Directory domain. Employees at the corporate on-premises locations can use the Amazon S3 File Gateway directly as an SMB file server share.
- Triofox Cloud File Server solution is instantiated inside an Amazon VPC. The Triofox server offers an HTTPS endpoint on the front end for remote clients and mobile clients to connect. On the back end, the Triofox server is connected to Amazon S3.
- (Optional) The on-premises Active Directory is synchronized with a cloud-based Active Directory and single sign-on service, and the Triofox server is configured to connect to the single sign-on service.
- Remote and mobile users use Triofox agent and mobile applications to connect to the Triofox server and indirectly to the Amazon S3 service for remote file access. On-premises users use Amazon S3 File Gateway for local file access.
Solution walkthrough: Modernize remote access to Amazon S3 File Gateway
The Triofox solution conforms to a typical three-tier client-server architecture. On the server side, you must complete the configuration to connect to Amazon S3 and single sign-on service in the admin portal. To do that, follow these four steps (one is optional).
Step 1: In the Triofox admin portal, connect Amazon Simple Storage Service (Amazon S3) buckets.
Step 2: (Optional) In the Triofox admin portal, connect the single sign-on service.
Step 3: Explicitly enable users.
Step 4: On client devices, download Triofox Windows, macOS agents, or mobile applications and start using Triofox.
Step 1: Connect S3 buckets
- To connect S3 buckets that you would like your users to access via the Triofox server, in the Triofox admin portal (“http://localhost/”) left sidebar, choose File Servers.
- In the middle pane, choose Cloud File Server.
- On the Cloud File Server page, to publish a file share from a cloud storage service, choose Add Cloud Share.
- On the Publish a Share page, enter a Share Name for the new file share and choose Amazon S3 as the type of share you want to publish.
- On the Amazon S3 Account Configuration page, enter a specific Access Key ID and the corresponding Secret Access Key that has enough privileges to access the S3 bucket and has privileges to list all the buckets. Choose Continue.
- On the next page, select the bucket you want to use from the dropdown menu, and choose Finish.
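The access key entered in the steps above only needs to list buckets and work inside the one bucket being published. The following is an added example, not code from this post or from Triofox: it builds an IAM policy with that scope and checks any policy document for broader grants. The bucket name, the function names, and the exact set of object-level actions are assumptions.

```python
import json

BUCKET = "example-file-gateway-bucket"  # hypothetical; use your gateway's bucket
# s3:ListAllMyBuckets cannot be scoped to one bucket, so it alone may use "*".
ACCOUNT_WIDE_OK = {"s3:ListAllMyBuckets"}

def build_policy(bucket):
    """Policy limited to listing buckets and reading/writing one bucket.
    The object-level actions are an assumption; trim for read-only shares."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucketsForDropdown", "Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
            {"Sid": "BucketLevel", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": arn},
            {"Sid": "ObjectLevel", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"{arn}/*"},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overbroad_statements(policy):
    """Return the Sids of Allow statements that use a wildcard action, or that
    grant anything other than ACCOUNT_WIDE_OK on Resource "*"."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any("*" in a for a in actions)
        wildcard_resource = "*" in resources and not set(actions) <= ACCOUNT_WIDE_OK
        if wildcard_action or wildcard_resource:
            flagged.append(stmt.get("Sid", f"statement-{i}"))
    return flagged

if __name__ == "__main__":
    print(json.dumps(build_policy(BUCKET), indent=2))
```

Attach the generated policy to a dedicated IAM user whose access key is used only for this share, and run `overbroad_statements` against any existing policy before reusing its key.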
Step 2: Connect Active Directory and single sign-on service (optional)
This step is optional because you can always create users without using the integration.
- To enable your users to use their existing Active Directory credentials with the Triofox solution, in the Triofox admin portal (“http://localhost/”) left sidebar, choose Settings.
- In the Settings panel, to enable Active Directory or Single Sign-on integrations, toggle the Active Directory and Single Sign-on (SAML integration) buttons. This triggers a welcome email to your users.
Step 3: Enable users explicitly
- In the Triofox admin portal (“http://localhost/”) left sidebar, choose Users.
- In the User Manager panel, add the users you want to enable to download Triofox software agents and connect to the Triofox server. This triggers a welcome email to each user you add.
Step 4: Users download Triofox software agents
Your end users perform this step.
Remind your users to follow the directions in the welcome email they received when you added them in steps 2 and 3. The email directs them to the Triofox web portal to download the software agents and continue using Triofox from that point. For example, the software agent for Windows provides a mapped drive with file locking and folder permission control and integrated Active Directory sign in. The mobile applications for iOS and Android devices provide additional methods for file access to the same underlying Amazon S3 buckets.
If you no longer need the Triofox Cloud File Server solution, first terminate the Triofox EC2 server instance and then cancel the software subscription.
In this blog post, I showed you how to set up the Triofox Cloud File Server solution. This solution enables remote users to access the same Amazon S3 buckets as on-premises users accessing the same files and folders through an Amazon S3 File Gateway. It also modernizes remote file access to on-premises Amazon S3 File Gateways for a hybrid workforce.
The content and opinions in this post are those of the third-party author and AWS is not responsible for the content or accuracy of this post.
About the author
Azam Ali is a Vice President of Customer Success at Gladinet Inc. He educates prospects and clients on using AWS cloud technologies in conjunction with Gladinet solutions. In his spare time, he enjoys playing sports, walking, and reading about changing technology trends and their impact on businesses around the world.