Desktop and Application Streaming
Securely connect users to AWS with the Leostream Platform and NICE DCV
The Leostream Platform offers a variety of components that provide an intuitive way for remote end users to securely access NICE DCV servers. The Leostream platform consolidates the IT management of Virtual Desktop Infrastructure, as well as prioritizes the security posture of your deployment. Through its interface, end users visualize their resources through a high-performance streaming protocol. The Leostream platform supports the native AWS display protocol, NICE DCV, to securely stream end user sessions.
The key components to the Leostream Platform are the Leostream Connection Broker, Leostream Gateway, and Leostream Agent. Architecting with these components allows organizations and service providers to offer a hosted desktop or application environment in AWS. Leostream Connection Broker offers several different configuration profiles that reduce the administrative overhead of managing desktop or application environments at scale.
In this blog, you will create a Leostream Platform environment using all of the key components. The environment created from this blog acts as a foundation to build on top of during your virtual desktop journey to the cloud. After you successfully deploy and test the environment, follow the guidance in the conclusion section on how to prepare it for production.
Time to read | 10 minutes |
Time to complete | One hour |
Cost to complete | <$10 |
Learning level | 300 |
Services used | Amazon Elastic Compute Cloud (Amazon EC2), AWS Identity and Access Management (IAM), AWS Marketplace, NICE DCV |
Architecture
Step 1
- The architecture above illustrates how the Leostream Connect client or the Leostream web portal creates the user’s DCV session.
Step 2
- The session is orchestrated by the Leostream Connection Broker communicating with the Leostream Agent running on the DCV server. Once a session is created, the end user’s web or DCV client connects to a backend DCV server’s session.
Step 3
- Once a session is created, the end user’s web or OS-based DCV client will connect to a backend DCV server’s session.
- Session traffic depicts the end users egress traffic originating from their DCV server. Both the DCV servers and Leostream Connection Broker are secured in private subnets and are contacted through the Leostream Gateway.
Prerequisites
To follow this blog, you will need the following:
- An Amazon Virtual Private Cloud (Amazon VPC) to deploy resources in.
- An active Leostream serial number. If you do not have an active serial number, you can request a free trial.
- IAM permissions to deploy three Amazon EC2 instances.
- IAM permissions to subscribe to AWS Marketplace images.
- Networking access to the instances that are deployed.
- A locally installed DCV client.
- An existing Amazon EC2 key pair.
Walkthrough
In this section, you complete four steps to create, configure, and test your Leostream environment. Proceeding this section, you can reduce future costs by following the Clean up guidance. Alternatively, you may review the Conclusion section on how to prepare the environment for production.
Step 1: Provision Leostream Platform components
Subscribing to Leostream Connection Broker through the AWS Marketplace
- Navigate to the AWS Marketplace Leostream Connection Broker Amazon Machine Image (AMI) product page.
- On the Product Overview page, select Continue to Subscribe in the top right corner.
- On the Subscribe to this software page, review the Leostream terms and conditions. Select Accept Terms.
- Once your subscription registers, select Continue to Configuration.
- On the Configure this software page, confirm the Region dropdown reflects the Region of your target Amazon VPC. The rest of the options can be left as default. Select Continue to Launch.
- On the Launch this software page, update the EC2 Instance Type dropdown to t3.large.
- Select your VPC ID on the VPC Settings dropdown.
- Select your broker target subnet from the Subnet Settings dropdown. This component should be placed in a private subnet since in a later step you will configure the gateway to forward broker logins.
- For the Security Group Settings, select a security group from the dropdown for your broker instance. Alternatively, you may select Create New Based On Seller Settings to have a new security group created. For this walkthrough, ports 80 and 443 inbound will need to be open. For additional port requirements, see the Leostream Installation Guide.
- Select your existing key pair in the Key Pair Settings dropdown.
- Select Launch.
- Within the EC2 console, take note of the private IP of the instance in the Details section. Optionally, you may name the instance for searchability.
Subscribing to Leostream Gateway through the AWS Marketplace
- Navigate to the AWS Marketplace Leostream Gateway AMI product page.
- On the Product Overview page, select Continue to Subscribe in the top right corner.
- On the Subscribe to this software page, review the Leostream terms and conditions. Select Accept Terms.
- Once your subscription registers, select Continue to Configuration.
- On the Configure this software page, confirm the Region dropdown reflects the Region of your target Amazon VPC. The rest of the options can be left as default. Select Continue to Launch.
- On the Launch this software page, update the EC2 Instance Type dropdown to t3.medium. See the Leostream Installation Guide for gateway sizing.
- Select your VPC ID on the VPC Settings dropdown.
- Select your gateway target subnet from the Subnet Settings dropdown. This placement must be reachable from your end users. Ensure the subnet has activated auto-assign public IPv4 addresses or you have an Elastic IP that you can associate for public access.
- For the Security Group Settings, select a security group from the dropdown for your gateway instance. Alternative you may select Create New Based On Seller Settings to have a new security group created. For this walkthrough, you will randomize the gateway ports, therefore using the security group based on the seller’s settings is recommended. For additional port requirements, see the Leostream Installation Guide.
- Select your existing key pair in the Key Pair Settings dropdown.
- Select Launch.
- Within the EC2 console, take note of the public and private IP of the instance in the Details section. Optionally, you may name the instance for searchability.
Step 2: Provision Leostream fleet instance
In this step, you provision a new EC2 instance that has DCV installed and configured. The instance must have the Leostream Agent configured so that the machine automatically registers with the broker. Note that Leostream and DCV support a variety of OS types, but for this walkthrough you will use Windows Server. By default, when a user connects through the Leostream web portal, Leostream will save a local connection file that contains the username and plain-text password. Since this walkthrough will use the web portal, the procedure applies a configuration to avoid this potential security risk. To prioritize security, your machine uses the broker as an external authenticator, which uses a token for access opposed to the user’s password.
Launching your Windows-based Leostream fleet instance
- Navigate to the EC2 Console.
- Select Launch instances.
- (Optional) Name your instance Leostream DCV Windows Fleet.
- For Application and OS Images (Amazon Machine Image), choose any Windows Server base image.
- For Instance type, choose the instance type to use. Note that the resources allocated for this instance are the resources utilized by your end user.
- In the Key pair (login) section, select your EC2 key pair from the dropdown.
- In the Network settings section, choose what VPC and private subnet to deploy the fleet instance in. Note that since you are using a gateway, the DCV server does not need to be public facing to be accessed via the public internet.
- Select a security group that will allow communication between the Leostream Gateway, Leostream Connection Broker, and the DCV fleet instance running the Leostream Agent. The default ports utilized are 8443 for DCV streaming and 8080 for Leostream broker to Agent communication.
- Configure your desired storage.
- Expand Advanced details. In addition to organizational EC2 Role policies, include the permissions required for DCV licensing.
- After applying your specific requirements, copy the user data below and paste it into the User data section. Update the script in two places for the Leostream Agent and external authentication configurations. The placeholder is the following:
- –Leostream-Broker-PrivateIP–: The private IP address of your Leostream Connection broker noted in step 1.
-
<powershell> Start-Job -Name Installers -ScriptBlock { Invoke-WebRequest -uri https://d1uj6qtbmh3dt5.cloudfront.net/nice-dcv-virtual-display-x64-Release.msi -OutFile C:\Windows\Temp\DCVDisplayDriver.msi ; Invoke-WebRequest -uri https://d1uj6qtbmh3dt5.cloudfront.net/nice-dcv-server-x64-Release.msi -OutFile C:\Windows\Temp\DCVServer.msi ; Invoke-WebRequest -uri https://leostream.com/downloads/leostream-agent-windows-latest -OutFile C:\Windows\Temp\LeostreamAgent.exe } Wait-Job -Name Installers Invoke-Command -ScriptBlock {Start-Process "msiexec.exe" -ArgumentList "/I C:\Windows\Temp\DCVDisplayDriver.msi /quiet /norestart" -Wait} Invoke-Command -ScriptBlock {Start-Process "msiexec.exe" -ArgumentList "/I C:\Windows\Temp\DCVServer.msi ADDLOCAL=ALL /quiet /norestart /l*v dcv_install_msi.log " -Wait} Start-Process -FilePath C:\Windows\Temp\LeostreamAgent.exe -ArgumentList 'LANG=enUS','/CBADDRESS=--Leostream-Broker-PrivateIP--','/VERYSILENT' -PassThru while (-not(Get-Service dcvserver -ErrorAction SilentlyContinue)) { Start-Sleep -Milliseconds 250 } New-ItemProperty -Path "Microsoft.PowerShell.Core\Registry::\HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\connectivity" -Name enable-quic-frontend -PropertyType DWORD -Value 1 -force Remove-ItemProperty -Path "Microsoft.PowerShell.Core\Registry::\HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\session-management" -Name create-session -force New-ItemProperty -Path "Microsoft.PowerShell.Core\Registry::\HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\security" -Name authentication -PropertyType string -Value none -force New-ItemProperty -Path "Microsoft.PowerShell.Core\Registry::\HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\security" -Name auth-token-verifier -PropertyType string -Value https://--Leostream-Broker-PrivateIP--/rest/dcv_auth -force New-ItemProperty -Path "Microsoft.PowerShell.Core\Registry::\HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\security" -Name no-tls-strict -PropertyType DWORD -Value 1 -force Restart-Service dcvserver </powershell>
- Select Launch instance.
Step 3: Configure the Leostream Connection Broker
In this step, you license your Leostream Connection Broker. After licensing, complete configuration steps to permit and route DCV connections through your Leostream Gateway to your DCV server running the Leostream Agent.
Configure forwarding Connection Broker Logins through the Gateway
- SSH into your Leostream Gateway with the leostream user.
- Run the following command to activate Connection Broker forwarding on the gateway.
sudo leostream-gateway --broker <Broker-PrivateIP>
- Wait for the following success message to appear.
“Connection Broker forwarding is enabled”
- Exit your SSH session
Licensing the Leostream Connection Broker
- Navigate to the public IP of the gateway that you took note of in step 1 within your browser. Note that, by default, the broker uses a self-signed certificate, so you will need to accept it when your browser prompts you. The URL format is the following:
https://Leostream-Gateway-PublicIP/login
- Login and license your broker. For more information, see the Licensing your Leostream Connection Broker section of the installation guide.
Configuring the Leostream Gateway for the Leostream Connection Broker
- From the Leostream admin portal, navigate to the Gateways tab within the Setup section on the left side.
- Select Add Gateway at the top of the page.
- For Name, enter a name to identify your gateway.
- For Public IP address or FQDN for use in Protocol Plans, enter the public IP of your gateway in step 1.
- For IP address or FQDN used for Connection Broker communications to this Gateway, enter the private IP of your gateway.
- The Method for routing display protocol traffic through this Leostream gateway dropdown can be left as default. Using a randomized gateway port will allow users coming from the same NAT IP to be connected correctly.
- (Optional) Add a note relating to the gateway.
- Select Save.
Configuring the default protocol for the Leostream Connection Broker
- From the Leostream admin portal, navigate to the Protocol Plans tab within the Configuration section on the left side.
- Locate the Default plan and select Edit.
- Within the Leostream Connect and Thin Clients Writing to Leostream API section, set the RDP and RemoteFX priority dropdown to Do not use.
- Set the DCV dropdown priority dropdown to 1.
- Within the Configuration file section, remove {PLAIN_PASSWORD} so that the plain-text password is not included in the file. After removing, the line will read as password=.
- Toggle the Use DCV External authenticator with token button.
- For the Gateway dropdown, select the gateway name that you specified when linking your gateway in the previous step.
- Within the Web Browser section, set the RDP priority dropdown to Do not use.
- Set the DCV dropdown priority dropdown to 1.
- Within the Configuration file section, remove {PLAIN_PASSWORD} so that the plain-text password is not included in the file. After removing, the line will read as password=.
- Toggle the Use DCV External authenticator with token button.
- For the Gateway dropdown, select the gateway name that you specified when linking your gateway in the previous step.
- (Optional) Add a note to your default protocol plan.
- Select Save.
Step 4: Testing your configuration
In this step, you will test your configuration. The Leostream Platform can integrate with a variety of identity providers, but, for this walkthrough, you use the broker for authentication. See the conclusion section for more information on integrating with different authentication entities.
Create a Leostream test user
- From the Leostream admin portal, navigate to the Users tab within the Resources section on the left side.
- Select Create User.
- Fill in Name, Email address, Login name, and a Password for your test user. The rest of the fields can be left as default.
- Select Save.
Customize the user login experience
- From the Leostream admin portal, navigate to the Roles tab within the Configuration section on the left side.
- Locate the User role and select Edit.
- Within the End-User Session Permissions, update the Log user into remote desktops as dropdown to Local user (create on login; delete user on logout). As the fleet instance is not Active Directory domain-joined, this will allow the Leostream user to be present as a local Windows user.
- Select Save.
Login with your test user
- Navigate to your broker URL and login with your test user. The URL format is the following:
https://Leostream-Gateway-PublicIP/login
- Within the user web portal, you will see the instance you provisioned in step 2 in the Resources section. Select Connect.
- This will download a DCV connection file. Open the file to initiate the connection within your locally installed DCV client. Note the broker is an external authenticator, so the user credentials will not be present within the file.
- The connection will establish through the Leostream Gateway and you land on the lock screen of the instance. Send ctrl-alt-delete through the DCV client to proceed with logging into the Windows machine with the local user credentials of your test user.
Clean up
To clean up the environment you built following this blog, simply terminate the three EC2 instances. The resources that have cost implications include the Leostream Connection Broker, Leostream Gateway, and DCV Windows server respectively.
Conclusion
In this blog, you deployed a Leostream Platform environment as a proof of technology. You configured a Leostream Connection Broker, a Leostream Gateway, and a DCV EC2 instance running the Leostream Agent. You configured a Leostream user that can be used to login to Leostream managed DCV instances. This environment provides a seamless experience for users to access managed AWS compute over a high-performance streaming protocol; NICE DCV.
As a next step, you can build from this architecture to meet your business requirements for production use. This allows your enterprise users to securely connect to DCV sessions through the Leostream Platform at scale. To make this configuration ready for production, account for the following items:
- Integrate with your enterprise identity provider
- In this walkthrough, you created a user local to the Leostream Platform. Leostream offers a variety of authentication options, including Active Directory, OpenLDAP, and SAML. To integrate with Active Directory or OpenLDAP, see the Authenticating Users chapter of the Leostream Connection Broker administration guide. To integrate with your SAML provider, see the Integrating with SAML-Based Identity Providers administration guide.
- High Availability
- Both the Leostream Connection Broker and the Leostream Gateway may be scaled across Availability Zones. For the gateway, see the Configuring Leostream Gateway Clusters section of the Leostream Gateway administration guide. To scale the broker, you first need to create a cluster of brokers. For more information, see the Using Clusters to Maximize Availability section of the Leostream Scalability administration guide. Additionally, you will need to externalize the broker’s database. For more information, see the Using an External Database section of the Leostream Scalability administration guide. To leverage a database with low administrative overhead, you may use Amazon Aurora.
- Enterprise Security
- In this walkthrough, you leveraged the Leostream Connection Broker’s self-signed certificate. To avoid the security warning when users are connecting, it is recommended to distribute certificates from your enterprise certificate authority. For more information, see the Working with SSL Certificates section of the Leostream Connection Broker administration guide.
- Reducing administrative overhead for fleet management
- In this walkthrough, you deployed an EC2 fleet instance for your test user that is self-managed within your Amazon VPC. If you would like to minimize the management overhead of your fleet infrastructure, you may integrate with Amazon WorkSpaces Core. This will allow all of the backend desktop infrastructure to be managed by Amazon WorkSpaces while you still control how your users are connecting. WorkSpaces Core also supports DCV.
Applying additional Leostream configurations is out of scope of this blog, but can be accomplished by exploring Leostream’s art-of-the-possible. For additional information about what the Leostream Platform is capable of, reach out to sales@leostream.com.
. . | Andrew came to AWS in 2019 from a large datacenter environment where he specialized in VMware, Cisco UCS, and automation. His AWS career began on the Windows team in Premium Support. By 2020, he was the Lead Subject Matter Expert on Amazon WorkSpaces. He then transitioned to a Solutions Architecture role specializing in End User Computing (EUC). Through his work on EUC services, he developed a passion for the DCV streaming protocol. In 2022, he started his current role as the DCV Developer Advocate. |