Use Veyon to remote control and monitor virtual labs on Amazon WorkSpaces

Virtual labs built with Amazon AppStream 2.0 or Amazon WorkSpaces provide students a flexible and accessible way to participate in lab exercises from anywhere, at any time. While students can connect to these labs remotely the primary challenge faced by the teachers is monitoring the activity of the students and gaining remote control of the student’s lab in case they need help during the lab session.

Overview of Solution

In this post, I show you how to deploy Veyon for monitoring and controlling Amazon WorkSpaces sessions. This same Veyon configuration will also work with Amazon AppStream 2.0.

Veyon is a free and open-source software for monitoring and controlling computers across multiple platforms. Veyon supports you in teaching in digital learning environments, performing virtual training or giving remote support. The following features are available in Veyon:

• Monitoring: overview of a (class) room with screen contents of computers being shown in thumbnails
• Remote view or control sessions
• Broadcast the teacher’s screen to all other computers in real time (full screen/window demo)
• Lock computers to control attention
• Distribute documents and other files to students
• Send text messages to students
• Power on, reboot or shutdown computers remotely
• Log out users
• Launch programs and open websites

Veyon consists of a server component called a master and a service component which realize the interaction between teacher and student computers. Refer to Veyon Components for additional information.

Walkthrough

In this article, you will complete the following tasks:

• Register AWS Managed Microsoft Active Directory with Amazon WorkSpaces.
• Provision two Ubuntu Amazon WorkSpaces that will be used to create a custom image.
• Install and Configure Veyon for Teachers.
• Create a custom image for Teachers.
• Install and Configure Veyon for Students.
• Create a custom image for Students.
• Create a Security Group to allow traffic for Veyon between the Amazon WorkSpaces instances.
• Monitor and remote-control sessions using Veyon from Amazon WorkSpaces.

Prerequisites

For this walkthrough, you will need the following:

• An AWS account to provision the Amazon WorkSpaces.
• AWS Identity and Access Management (IAM) permissions to create Amazon WorkSpaces.
• An active AWS Managed Microsoft AD directory and permissions to administer it.
• Deploy the template at Getting Started with Amazon WorkSpaces Workshop GitHub repository.

Register Active Directory with Amazon WorkSpaces

Amazon WorkSpaces requires an AWS Directory Service for authentication and management purposes. The Amazon WorkSpaces service can create a directory for you using either Simple AD or AWS Managed Microsoft AD. Additionally, you can connect to an existing Active Directory using the Active Directory Connector or AWS Managed Microsoft AD via a standard domain trust through the AWS Directory Services console.

In this walkthrough, I will use an AWS Managed Microsoft AD that has been created when I deployed the workshop template from GitHub.

1. Open the Amazon Directory Services console
2. Select the Directory ID for the directory named workspaces.labx.com to view the details.
3. Review the configuration and confirm Status is Active.
4. Navigate to the WorkSpaces console
5. Select the directory from the list and then choose Actions, Register.
6. On the Register directory prompt, select the two private subnets 10.0.1.0/24 and 10.0.2.0/24. Select Enable self-service permissions then choose Register.
7. This will start to register the AWS Managed Microsoft AD and show a Registered status of Registering.
8. It takes a few minutes for the registration process to complete. Once it has successfully registered, the Registered value changes to True.

Launch Ubuntu WorkSpaces then Install and Configure Veyon for Teachers

Launch an Amazon WorkSpaces using Standard with Ubuntu 22.04 hardware bundle.

1. Navigate to the WorkSpaces console
2. From the WorkSpaces navigation pane, choose WorkSpaces.
3. Choose Create WorkSpaces
4. For Select a directory, Choose the row containing workspaces.labx.com then choose Next.
5. On the Create Users screen, choose Create additional user, Enter Username, First name, Last name and Email, then choose Next.
   Note that if you don’t use a valid email address, you’ll need to retrieve the registration link from the WorkSpaces console.
6. For Identify Users, choose the account created in the previous step. Choose Next.
7. On the Select Bundle screen, to filter the list of bundles, choose Any hardware, Standard. Then choose Any protocols, WSP. Select Standard with Ubuntu 22.04 from the filtered list and choose Next.
8. On the WorkSpaces Configuration, choose the AlwaysOn or AutoStop running mode and specify tags then choose Next.
9. On the Customization page, leave encryption unselected and choose Next.
10. On the Review screen verify the details then scroll to the bottom and choose Create WorkSpaces. Note this will start the process and will take around 20 minutes to complete.
11. The WorkSpaces dashboard opens, and your WorkSpace will show a status of Pending.
12. Once the WorkSpaces instance status shows Available and the user will receive an email containing the Registration Code with instructions on downloading the client https://clients.amazonworkspaces.com/
13. Connect to the Workspaces instance.

Add Repository and Install Veyon

1. Open a Terminal window and then run the following command at the prompt to add the repository:

   sudo add-apt-repository ppa:veyon/stable
   sudo apt update

2. Run the following command to install Veyon:

   sudo apt install veyon -y

Before beginning the configuration, you will need to gather the below information about/from Microsoft Active Directory. Note that the settings below are from the workshop environment I deployed previously but may differ in your environment.

To begin with the setup, Choose Activities on the top bar then search and start the Veyon Configurator.

Select LDAP Basic Tab:

1. In Basic settings, Set LDAP server and port from the details gathered above.
2. Select Use bind credentials
3. Set Bind DN and Bind password
4. Update Fixed base DN.
   Note: If you are not using AWS Managed AD, it would usually be the root of AD Domain, for example DC= workspaces,DC=labx,DC=com
5. Select Environment settings, Set User tree value to “OU=Users”, Group tree value to “OU=Users”, Computer tree value to “OU=Computers”.
6. Choose Checkbox Perform recursive search operations in object trees.
7. Set Object attributes as below
   • User login name attribute as “sAMAccountName”
   • Group member attribute as “member”
   • Computer display name attribute as “cn”
   • Computer hostname attribute as “name”
   • Location name attribute as “ou”.

8. Select Advanced settings, Set Optional object filters as below
   • Filter for users as “(objectClass=person)”
   • Filter for user group as “(objectClass=group)”
   • Filter for computers as “(objectClass=computer)”
   • Filter for computer containers as “(objectClass=organizationalUnit)”
9. Set Group member identification to Distinguished name (Samba/AD).
10. Set Computer locations identification to Computer containers or OUs.
11. Choose Apply.
12. On the Restart Veyon Service dialog, Select Yes.

Next, select General Settings Tab:

1. Set Authentication Method to “Logon Authentication”
2. Set Network object directory Backend to “LDAP Basic (load computers and locations from LDAP/AD)”
3. Set Update interval to “30 seconds”
4. Choose Apply.
5. On the Restart Veyon Service dialog, Select Yes.

Next, select Service Settings Tab:

1. Choose Checkbox Show notification when an unauthorized access is blocked.
2. Set Session mode to “Multi session mode”
3. Set Maximum session count to 1
4. Set VNC server Plugin to “Builtin VNC server (x11vnc)”
5. Choose Apply.
6. On the Restart Veyon Service dialog, Select Yes.

Next, select Master Settings Tab

1. Accept Default Value for Basic Settings
2. Select Behavior, Choose Perform access control under Program Start and Hide local computer under Computer locations
3. Choose Apply.
4. On the Restart Veyon Service dialog, choose Yes.

Next, select Access Control Tab

1. Set Computer access control, User groups backend to “LDAP Basic (load users and groups from LDAP/AD)”
2. Choose usage of domain groups
3. Select Grant access to every authenticated user (default). Note that you can restrict access Veyon to members of specific groups, with this condition you can define that either the accessing or the locally logged on user must be a member of a specific group. But for this post will use the default.
4. Choose Apply.
5. On the Restart Veyon Service dialog, Select Yes.

Create Custom Image and Bundle for Teachers

Now that I’ve customized the Teachers WorkSpace, it’s time to create a custom image that I can use for subsequent deployments.

1. Navigate to the WorkSpaces console
2. Ensure the Status of the WorkSpace is Available
3. Choose the WorkSpace, Choose View Details.
4. Choose Create Image.
5. On the Create Image screen, Enter Image name and Image description
6. Choose Create image. Note this process takes approximately 45 minutes to complete. Once the image capture begins, the WorkSpace will be unavailable and show a status of Suspended.
7. In the WorkSpaces console navigation pane, choose Images. Once the status changes to Available, the custom image is ready.

Now that the custom image is captured, it’s time to create a custom bundle based on the image.

1. Navigate to the WorkSpaces console
2. In the navigation pane, choose Images.
3. Choose the new image, choose Actions and Create bundle.
4. In the New bundle screen, Provide Bundle name, Description.
5. Choose Bundle hardware type, Standard
6. In Storage Settings, Choose Root Volume size : 80 GB and User volume size: 10 GB.
7. Choose Create bundle.

Launch Ubuntu WorkSpaces, Install and Configure Veyon for Students

Launch another Amazon WorkSpaces instance using Standard with Ubuntu 22.04 hardware bundle and once it is ready, connect to the WorkSpace instance and install Veyon in the same way as earlier.

Once again, start the Veyon Configurator.

Select General Settings Tab

1. Set Authentication Method to “Logon Authentication”
2. Set Network object directory Backend to “LDAP Basic (load computers and locations from LDAP/AD)”
3. Set Update interval to “60 seconds”

Next, select Service Settings Tab

1. Choose Checkbox Show notification when an unauthorized access is blocked.
2. Set Session mode to “Local session mode”
3. Set VNC server Plugin to “Builtin VNC server (x11vnc)”
4. Choose Apply.
5. On the Restart Veyon Service dialog, Select Yes.

Create a Security Group with a rule to allow traffic for Veyon

Create a security group called “Veyon”. Add an inbound rule to allow “Custom TCP” “TCP” Protocol “11100, 11200,11300, 11400” Port Range from Source which will be “Veyon” the security group itself to the security group.

Add the security group as the default WorkSpaces security group to the directory

1. Navigate to the WorkSpaces console and choose Directories.
2. Select the directory and choose Edit security group.
3. Select “Veyon” from the dropdown and Choose Save.

Create Image and Bundle for Students

Create a custom image and custom bundle for Students from the customized WorkSpace using Standard Bundle hardware type in the same way as earlier.

Monitor and Remote-control Sessions

Create a WorkSpaces instance for the Teacher and multiple instances for the Students using the appropriate custom bundle created in the previous step.

Once the WorkSpaces instances have a status of Available:

1. Launch the WorkSpaces Client and login using a username which has been provisioned using Teachers custom bundle.
2. Choose Activities on the top bar then search and start the application “Veyon-master”.
3. Enter Veyon Logon, which are the same credentials used to login to WorkSpaces.
4. In Veyon, choose Locations and computers at the bottom of the screen to view the list of OUs configured in Active Directory under the Computers OU.

5. Select an OU to list all computers in the selected OU, In a few second a live preview of all the current sessions can be seen with Current logged on Username and Computer Name at the bottom of each of them.
6. To Remote Control, Right Choose on the session and select Remote Control. Once done select Exit from the fly in menu on the top of the Remote-Control session.

Cleaning up

To avoid incurring future charges, delete the WorkSpaces instances, remove the custom bundles and images, deregister Microsoft Active Directory from the WorkSpaces service and delete the CloudFormation Stack to remove all of the cloud-based networking components that were built and used. This includes the VPC, Elastic IP, NAT Gateway and Directory Service for Microsoft AD.

Conclusion

In this blog, I walked you through configuring Veyon – a free and open source software for remotely monitoring and controlling of Amazon WorkSpaces. This solution also works with Amazon AppStream 2.0.

Learn more about Veyon from Veyon Documentation, review the Administration Guide to learn more about Amazon WorkSpaces and Amazon AppStream 2.0.

Preenesh Nayanasudhan Preenesh Nayanasudhan is a Solutions Architect working with Public Sector India. He works closely with Education Sector Customers in India helping them to adopt and realize potential of AWS Cloud technologies.