Desktop and Application Streaming

Using Amazon FSx for Windows File Server with Amazon WorkSpaces

Amazon WorkSpaces provides users with secure access to their desktop application environment. Key to using applications effectively is the ability to save and access data – documents, spreadsheets, reports, interesting pictures of cats. WorkSpaces users can use Amazon WorkDocs Drive to store their data, and can access files stored in WorkDocs Drive directly from their WorkSpace. While this approach meets the requirements of a number of our users, many WorkSpaces customers have asked us to support native Windows file shares for specific applications such as Sage Accounting, AutoCAD and MATLAB. We also have customers who need storage that can be readily accessed from a number of WorkSpaces: for example, to provide a consistent experience between users’ new cloud desktop and their existing environment, to have a common location from which to launch automated application installations, or to share data between teams using Windows and Linux cloud desktops in secure environments. Customers look to Windows file shares to help them best match their existing configuration and workflow, simplifying their migration to AWS.

Customers who wanted to use a Windows file share with Amazon WorkSpaces had to create and maintain Windows file servers with EC2 instances and EBS volumes. This meant worrying about availability, durability, and patching of the operating system hosting the share. Can this be made less cumbersome?

It can.

Amazon FSx for Windows File Server is a fully-managed Windows file storage service, backed by a Windows native file system. FSx for Windows File Server eliminates the administrative overhead of setting up and provisioning file servers and storage volumes. Amazon FSx file systems provide fast performance, security, high availability and durability. Your Amazon FSx file system can be integrated into your Active Directory domain, and you can use native Windows capabilities to manage user and group permissions.

This blog post shows how to use Amazon FSx with Amazon WorkSpaces for two use-cases: providing profile and home folder access for a consistent experience, and providing access to a shared team folder for Windows and Linux WorkSpaces users. If you are new to Amazon WorkSpaces, you can create your first Amazon WorkSpaces environment by following our getting started guide.

To follow these examples, you need the following:

  • An AWS Managed Active Directory domain – hosting Amazon WorkSpaces instances for domain users.
  • An Amazon FSx file system – See https://docs.aws.amazon.com/fsx/latest/WindowsGuide/getting-started.html for learning how to create an Amazon FSx file system.
  • One or more Windows file shares created within the Amazon FSx file system – See https://docs.aws.amazon.com/fsx/latest/WindowsGuide/using-file-shares.html for learning how to create and manage Windows file shares.
  • An active WorkSpaces session for a user with Active Directory Domain rights to manage users and group policies. They could use their existing options for administration of course.
  • An active Windows WorkSpaces session for a test user.
  • An active Linux WorkSpaces session for another test user.

The following sections show how to:

  • Provide WorkSpaces users with their own roaming profile using Amazon FSx for Windows File Server.
  • Provide a shared folder for team collaboration using Amazon FSx for Windows File Server

Use-case 1: Provide Roaming Profile support using Amazon FSx for Windows File Server

You can use Amazon FSx to provide Roaming Profile support to users in your organization. A user will have permissions to access only their Roaming Profile. The folder will be automatically connected using Active Directory Group Policies. With a Roaming Profile, users’ data and desktop settings are saved on log off to an Amazon FSx file share, allowing documents and settings to be shared between different WorkSpaces instances, or automatically backed up using Amazon FSx daily automatic backups.

Step 1: Create profile folder location for domain users using Amazon FSx

  1. Create a file system using the Amazon FSx Console. For steps, see https://docs.aws.amazon.com/fsx/latest/WindowsGuide/getting-started.html#getting-started-step1
  2. Access your Amazon FSx file system from an EC2 instance running Windows Server or from a WorkSpace. For steps, see https://docs.aws.amazon.com/fsx/latest/WindowsGuide/getting-started.html#getting-started-step2.
  3. Create a folder within your Amazon FSx file system. I created a folder called profiles inside the default Windows file share called share that came with my Amazon FSx file system. You are welcome to use that, or make your own excitement.

Step 2: Link Amazon FSx file share to User Accounts

  1. On your test user’s WorkSpace – Select Windows → System → Advanced System Settings
  2. In System Properties, select the Advanced tab and press the Settings button in the User Profiles section. The logged on user will have a profile Type of Local
  3. Log off the Test User from the WorkSpace
  4. Set the test user to have a roaming profile located on your Amazon FSx file system. In your administrator WorkSpace, open a PowerShell console and type the following command (I’m using the profiles folder I created in Step 1):
    Set-ADUser testusername -ProfilePath \\<fsx-file-system-dns-name>\share\profiles\testusername
  5. Log on to the Test User WorkSpace
  6. In System Properties, select the Advanced tab and press the Settings button in the User Profiles section. The logged on user will have a profile type of Roaming
  7. Browse the Amazon FSx shared folder; in the profiles folder, you’ll see a folder for the user
  8. Create a document in the test user’s Documents folder, or save a picture of a cat to the test user’s Pictures folder.
  9. Log off the Test User from their WorkSpace
  10. If you log back on as the Test User and browse to their profile store you will see the files you created.

Use-case 2: Provide a shared folder to access common files

You can use Amazon FSx to provide a shared folder to users in your organization. A shared folder can be used to maintain demo files, code examples, much loved pictures of cats, and instruction manuals needed by all users. It is not uncommon to have drives mapped for shared folders, however because mapped drives use letters of the alphabet, there’s a limit to the number of shares you can have. Let’s create an Amazon FSx shared folder that’s available without a drive letter – giving you greater flexibility in assigning shares to teams.

Step 1: Create an Amazon FSx file system

  1. Create a file system using the Amazon FSx Console. For steps, see https://docs.aws.amazon.com/fsx/latest/WindowsGuide/getting-started.html#getting-started-step1
  2. Every Amazon FSx file system comes with a default file share that can be accessed using the address \\<fsx-file-system-dns-name>\share. You can use the default file share or create other file shares – for steps, see https://docs.aws.amazon.com/fsx/latest/WindowsGuide/using-file-shares.html. I’m going to use a folder called teamcat within the default file share within my Amazon FSx file system

Step 2: Create an Active Directory Group Policy to deploy the share

  1. You’ll need to determine the name you want to appear as the folder shortcut – I’m going to use Team CatPic Shared Drive
  2. You’ll need the names of the Amazon FSx file system, file share, and folder you created in Step 1 – \\<fsx-file-system-dns-name>\share\teamcat
  3. Create a Group Policy to apply the setting. See https://www.petri.com/how-to-create-and-link-a-group-policy-object-in-active-directory
  4. Within the Group Policy Select User Configuration→Preferences→Windows Settings→Folders
  5. Create a new folder and assign the path as %APPDATA%\Microsoft\Windows\Network Shortcuts\yourfoldername . Set the folder as Read Only. Press OK to commit the change.
  6. Within the Group Policy Select User Configuration→Preferences→Windows Settings→Ini Files
  7. Create the first of two .ini file updates. The first update will have the following settings:
    1. Action set to Update
    2. File path: %APPDATA%\Microsoft\Windows\Network Shortcuts\yourfoldername\desktop.ini. In my example this would be Shortcuts\Team CatPic Shared Drive\desktop.ini.
    3. Section Name: .ShellClassInfo (don’t forget the leading . (dot))
    4. Property Name: CLSID2
    5. Property Value: {0AFACED1-E828-11D1-9187-B532F1E9575D}
  8. The second update is configured as:
    1. Action: Update
    2. File path: %APPDATA%\Microsoft\Windows\Network Shortcuts\yourfoldername\desktop.ini. In my example this would be Shortcuts\Team CatPic Shared Drive\desktop.ini.
    3. Section Name: .ShellClassInfo (still remembering the . (dot)? Good show).
    4. Property Name: Flags
    5. Property Value: 2
  9. To complete – we need to create a Group Policy Preferences Shortcut. Within the Group Policy Select User Configuration→Preferences→Windows Settings→Shortcuts
  10. Add a new Group policy shortcut with the following parameters
    1. Name: %APPDATA%\Microsoft\Windows\Network Shortcuts\yourfoldername\target – (i.e. the full path to your folder, with a shortcut named target)
    2. Target type: File System Object
    3. Location: your full Amazon FSx folder name created earlier in this Step
  11. Log on as your Test User in your Windows WorkSpace
  12. You’ll see your Amazon FSx file location available for the PC – which can be referenced in applications’ Save/Open dialogs. Your users can have as many links as they like to allow them to collaborate with Amazon FSx volumes.


Step 3: Mount the share in a Linux WorkSpace

  1. Log on as your Test User in your Linux WorkSpace
  2. We want to make sure that the Samba configuration that comes with a Linux WorkSpace uses only the most secure SMB protocol, so we’re going to set this in the configuration. I’m using vi as the editor here; you can choose your favourite. You’ll need to raise your admin rights.
    sudo vi /etc/samba/smb.conf
  3. Make sure the following two lines are in the [global] section:
    client max protocol = SMB3
    client min protocol = SMB3
  4. Save the smb.conf file. To save the file, in vi, type “esc” [the escape key] then “wq”. If you don’t use vi, you do you.
  5. From the Taskbar select Places→Connect to Server
    1. For Server enter <fsx-file-system-dns-name>
    2. Set the Type to Windows Share
    3. Set Share to share
    4. You can leave folder as / – I set mine to the subfolder, teamcat
    5. You don’t need to put in your user details if your Linux WorkSpace is in the same domain as the FSx share.
    6. Click on Connect.
  6. We’ve access to the folder, which is splendid. But… no… cats … 🙁
  7. Don’t Panic.
  8. In the window, select Edit→Preferences→Preview. Select “Always” for “Show thumbnails” in the section, Other Previewable Files.
  9. Joy!
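
The smb.conf edit in Step 3 can be scripted so the SMB3 pin is applied and verified the same way on every Linux WorkSpace. This is an added example, not code from the original post: the helper names ensure_smb3 and check_smb3 are hypothetical, the sample file is constructed, and the script goes slightly beyond the manual step by matching settings in any letter case and adding a [global] section if none exists.

```shell
# Added example (not from the original post): pin the Samba client to SMB3.
# ensure_smb3 FILE - rewrite FILE so [global] holds both settings exactly once
# check_smb3 FILE  - succeed only if [global] sets client min and max to SMB3

ensure_smb3() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk '
        function emit() {
            print "\tclient min protocol = SMB3"
            print "\tclient max protocol = SMB3"
        }
        # Section header: track [global] and add the settings under the first one.
        /^[ \t]*\[/ {
            in_global = (tolower($0) ~ /^[ \t]*\[global\]/)
            print
            if (in_global && !done) { emit(); done = 1 }
            next
        }
        # Drop older client min/max protocol lines (any case) inside [global].
        in_global && tolower($0) ~ /^[ \t]*client[ \t]*(min|max)[ \t]*protocol[ \t]*=/ { next }
        { print }
        END { if (!done) { print "[global]"; emit() } }   # no [global] found: append one
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

check_smb3() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global {
            line = tolower($0); gsub(/[ \t]/, "", line)
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            if (key == "clientminprotocol") min = val
            if (key == "clientmaxprotocol") max = val
        }
        END { exit !(min == "smb3" && max == "smb3") }
    ' "$1"
}

# Constructed sample file, not a real WorkSpaces smb.conf.
demo=$(mktemp)
printf '[global]\n\tworkgroup = EXAMPLE\n\tclient min protocol = NT1\n' > "$demo"
ensure_smb3 "$demo" && check_smb3 "$demo" && echo "SMB3 pinned in [global]"
rm -f "$demo"
```

On a Linux WorkSpace, source the functions in a root shell and run ensure_smb3 /etc/samba/smb.conf, then check_smb3 /etc/samba/smb.conf to confirm the result before connecting to the share.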

 

This completes our blog post for using Amazon FSx for Windows File Server with Amazon WorkSpaces. See the following links to learn more about the services.