Solving common Amazon WorkSpaces connection issues to on-premises setups

Frequently we get questions about establishing a connection to on-premises Active Directory through an AD Connector for Amazon WorkSpaces setup on Amazon Web Services (AWS). In this post, we look at the most common issues customers have with on premises connection setup in addition to what should be kept in mind when trying to resolve general connectivity issues with WorkSpaces.

Amazon WorkSpaces client network connectivity requirements

Your users can connect to their WorkSpaces by using the client application on a supported device. To provide your users with a good experience with their WorkSpaces, verify that their client devices meet the network requirements. Please also note that you can configure the WorkSpaces Client application to use an HTTP proxy.

If connectivity issues do arise, use the common issues and resolutions to troubleshoot issues with your WorkSpaces.

IP Address and Port Requirements for Amazon WorkSpaces

Your WorkSpaces must be able to communicate with your on-premises data centers over the 16 ports/protocols for Active Directory communication.

Enabling Advanced Logging

You can enable advanced logging on any Amazon WorkSpaces client to help troubleshoot the issues that your users might experience while connecting to WorkSpaces. Advanced logging can give you a clearer indication on why the connection fails. It also generates log files that contain diagnostic information and debugging-level details, including verbose performance data. Advanced logging can be enabled for every subsequent client session until you disable it.

CloudTrail captures API calls for WorkSpaces as events. The calls captured include calls from the Amazon WorkSpaces console and code calls to the Amazon WorkSpace.

Connect to your WorkSpace using a Remote Desktop Protocol (RDP)

You can connect to a WorkSpace using an RDP client for troubleshooting. You can do this by updating Amazon WorkSpaces security group settings to allow connections from the IP address of your RDP client machine. It is helpful to troubleshoot Group Policy Object (GPO) and remote connection issues.

Active Directory sites and Services configurations

Activity Directory Sites and Services configuration can impact the performance of WorkSpaces as they are critical components of Active Directory. You can refer to Amazon WorkSpaces best practices whitepaper for WorkSpaces setup with Activity Directory sites.

You can deploy a Windows-based EC2 instance into the private subnet where your AD Connector or WorkSpaces reside to test the connection. AD Connector also has a port testing tool that you can utilize from the same EC2 instance to validate that the ports are open.

Windows WorkSpace with an interactive logon banner

If an interactive logon message has been implemented to display a logon banner, this prevents users from being able to access their Windows WorkSpaces. The interactive logon message Group Policy setting is not currently supported by Amazon WorkSpaces.

Move the WorkSpaces to an organizational unit (OU) where the policy, Interactive logon: Message text for users attempting to log on isn’t applied.

Review any other internal Active Directory policies are blocking your WorkSpaces

Review existing Active Directory group policies and remove any other internal Active Directory policies that are blocking your workspaces connection.

It is also recommended that you create a separate service account in the on-premises Active Directory domain. AD Connector uses the service account for making LDAP queries, creating computer accounts, and to join WorkSpaces to the on-premises Active Directory domain.

Identify the Supported Regions

Amazon WorkSpaces is available in a subset of the Availability Zones for each supported Region.
When creating the subnets for your WorkSpaces, you must ensure that they are created in Availability Zone that support the WorkSpaces service.

Common Error Messages

When you encounter error messages like “Connectivity issues detected” during Amazon WorkSpaces configuration, you can refer to the troubleshooting for specific issues in Amazon WorkSpaces troubleshooting guide.

Conclusion

We hope that you find these recommendations helpful when connecting from on-premises to your Amazon WorkSpaces. You can reach out to AWS Solutions Architect and AWS Support teams for further assistance.

To get a jump-start, you can use the Quick Setup with Amazon WorkSpaces, which provides a Quick Setup option to launch your WorkSpace.

You can review the best practices for the deployment of Amazon WorkSpaces. This whitepaper covers network considerations, directory services and user authentication, security, and monitoring and logging. Get started today!

About the Authors

Raghavarao Sodabathina is an Enterprise Solutions Architect at AWS, focused on big data and AI/Machine Learning. Raghavarao enjoys working with customers and helping them deliver complex solutions by providing reliable and cost-effective cloud native technical guidance in AWS. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies. Raghavarao holds Master of Engineering from Indian Institute of Science, Bangalore.

Changbin Gong is a senior solutions architect at AWS, focusing on Cloud Native, AI/ML, Data Analytics and Edge Computing. He engages with customers to create innovative solutions that address customer business problems and accelerate the adoption of AWS services.  In his spare time, Changbin enjoys reading, running and traveling.