Published in Cloud Security

Zoom on Amazon Workspaces

Step by step approach to using Zoom on Amazon Workspaces

I previously wrote an article as to why you might want to run Zoom on AWS. I recently had to participate in more and more video conferences and podcasts since I can’t speak in person. Although I blogged about this topic before, I had some issues the last time I tried to use it and forgot a few steps. I decided to document it more carefully for future reference. This blog post includes step by step setup instructions. It also chronicles some troubleshooting on a Mac.

CAVEAT: At this moment, the solution is not working for me but I hope to update this blog post with the help of Fabulatech and AWS to get it working again soon.

1. Subscribe to the Webcam for Remote Desktop software from Fabulatech.

I forgot where I got this software when I tried to start an EC2 instance for a recent video call. One mistake I made was that I was searching for the software in the AWS Marketplace. You won’t find it there. You can access and subscribe to this software from the Workspaces Application Manager. Log in and navigate to the Workspaces service in AWS. Click “Applications” on the left. Search for the product and subscribe.

2. Set up an AWS Workspace.

The software I mentioned in my prior blog post runs specifically on AWS Workspaces. So the first thing you need to do is set up an AWS Workspace, which is essentially a desktop in the cloud. I chose a Windows desktop that works with the above software.

Note that AWS Workspaces uses Active Directory to manage users. You can click on Directories on the left to find your directory. You’ll set up a username and password for your workspaces users. Note the cost for workspaces and directories. Running Workspaces includes Simple AD at no additional charge. AWS Directory Services for Microsoft AD costs extra. If you stop using AWS Workspaces, remember to terminate those instances and the directory.

3. Check to see your Workspace exists in the workspace list

When you create the Workspace, you’ll set up a user in whichever type of directory you choose and give the user a password. Then you’ll create a workspace for the user. Once you go through the wizard, your Workspace should appear in the list. You can get to this list by clicking Workspaces in the left menu of the Workspaces dashboard.

4. Note the registration code for registration and troubleshooting.

Another thing you’ll need for registration and troubleshooting is the registration code. When you create the user and Workspace, you can send the information to the user in an email. If you need to get back to that registration code, click on the Workspace, then select Actions > Invite User. Note that you won’t be able to invite a user while the Workspace is running. You can also find this code when you click the down arrow next to a workspace.

5. Download and install the client:

6. Double click on the desktop icon to run it.

7. Install any updates!

Make sure you leave extra time — up to two or three hours — before any video conference to install updates. First of all, another security firm told me they found a vulnerability, which is hopefully fixed in one of these updates, so you want to make sure you are always using the latest version. I’ll explain below how you can protect yourself with secure networking even if there is a vulnerability. Secondly, the updates may start automatically, or you may accidentally click a button, as I did right before a video conference. Then you’re stuck, unable to log in while you wait for updates.

Update the client software (this will pop up if you have updates to install):

Also, run the Windows Update process to update your desktop, as explained below.

8. Make sure the registration code is correct.

If you set up a new workspace and followed the process to get set up, you should be good to go. However, if you set up a new workspace or haven’t logged in for a while, you may want to check that the registration code is accurate. You can click the Change Registration Code link at the bottom of this screen and edit the code as needed to match the one in the email. I’ve had problems with the application not correctly updating the workspaces configuration file on my laptop and then had to edit it manually to get it to work a few times.

8. Note the menu bar at the top of a screen.

For whatever reason, it took me a while to notice a menu bar at the top of the screen. I kept looking at the application window only and didn’t realize the additional options in that menu to help troubleshoot issues.

9. Check your network connectivity.

Choose Connections > Network to see if your network connectivity is OK. Let this run until it completes or times out. It will show you any inaccessible network ports. You will need to check the rules in your localhost firewall, network firewall, AWS NACLs, or AWS Security groups to figure out where they are blocked. AWS Workspaces uses some unusual ports. You can see below that I need to allow 4172 outbound for TCP and UDP, which is currently not allowed through my firewall rules.

10. Create minimalist network rules

Along with keeping your systems up to date, create minimalist network rules that only allow traffic to and from the correct hosts. That will limit your exposure in the case of vulnerabilities. My book on Cybersecurity for Executives in the Age of Cloud explains why this is important to prevent security problems. I’m hoping to write more on home networking on this blog in the future. I have a whole day on cloud networking in my cloud security class, where we do hands-on labs to demonstrate attacks and concepts in more detail.

You can lock down your local firewall to only allow outbound traffic on 4172 UDP and TCP to the correct AWS IP ranges for AWS Workspaces rather than the entire Internet. On the AWS side, if your local IP address is static, you can lock down your AWS network to that. Otherwise, you may want to set up a VPN and restrict access to your AWS Workspace from your VPN CIDR block only.
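One way to build the outbound rule set described above, as an added example that is not part of the original post: AWS publishes its address ranges at https://ip-ranges.amazonaws.com/ip-ranges.json, and the WorkSpaces streaming gateways are listed there under the `WORKSPACES_GATEWAYS` service. The script below filters that document for the region your Workspace runs in, collapses the prefixes, and renders macOS/BSD `pf` rules that allow 4172 TCP and UDP only to those ranges. The prefixes embedded here are constructed placeholders (RFC 5737 documentation addresses), not real AWS ranges, and the interface name `en0` is an assumption; fetch the live file before applying the output.

```python
"""Derive outbound firewall allow-rules for the WorkSpaces streaming port.

Added example, not from the original post. It reads a document in the shape of
ip-ranges.json and keeps the IPv4 prefixes published under the
WORKSPACES_GATEWAYS service for one region. The sample prefixes below are
constructed placeholders, not real AWS ranges.
"""
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (IPv4 "prefixes" section only).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2021-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2",
         "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-west-2"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-west-2",
         "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-west-2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "WORKSPACES_GATEWAYS", "network_border_group": "us-east-1"},
        # Broader ranges for other services must not leak into the rule set.
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2",
         "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-west-2",
         "service": "EC2", "network_border_group": "us-west-2"},
    ],
})

STREAMING_PORT = 4172  # outbound TCP and UDP port the post says the client needs


def workspaces_gateway_prefixes(ip_ranges_json, region):
    """Return the collapsed list of WORKSPACES_GATEWAYS IPv4 prefixes for a region."""
    doc = json.loads(ip_ranges_json)
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if p["service"] == "WORKSPACES_GATEWAYS" and p["region"] == region
    }
    # collapse_addresses merges adjacent or overlapping blocks into the fewest rules.
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def pf_rules(prefixes, interface="en0"):
    """Render pf rules: block 4172 everywhere, then allow it only to the gateways.

    pf applies the *last* matching rule (no "quick"), so the blanket block comes
    first and the narrower pass rules override it for the allowed destinations.
    """
    lines = []
    for proto in ("tcp", "udp"):
        lines.append(f"block out on {interface} proto {proto} "
                     f"from any to any port {STREAMING_PORT}")
    for cidr in prefixes:
        for proto in ("tcp", "udp"):
            lines.append(f"pass out on {interface} proto {proto} "
                         f"from any to {cidr} port {STREAMING_PORT}")
    return lines


if __name__ == "__main__":
    for rule in pf_rules(workspaces_gateway_prefixes(SAMPLE_IP_RANGES, "us-west-2")):
        print(rule)
```

The same prefix list can feed a Windows Defender Firewall rule or a home-router ACL; the point is that the allow rule names the gateway ranges for your region rather than `any`, so a compromised or vulnerable client can only talk to the service it is meant to reach.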

I wish this were a bit more obvious in the AWS console, but Amazon does create some networking for your directory and Workspace. A lot of the rules are open to anywhere on the Internet. You’ll probably want to change this, especially for risky ports like 445, a port I talk about in my book in relation to malware like WannaCry and NotPetya.
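To find those wide-open rules without clicking through every security group, here is an added audit script (not from the original post, and not AWS tooling). It takes JSON in the shape of `aws ec2 describe-security-groups` output, flags every ingress rule whose source is `0.0.0.0/0` or `::/0`, raises the severity when the rule covers 445 (the port the post calls out) or the other commonly exposed admin ports 3389 and 22, and prints a `revoke-security-group-ingress` command for the simple single-port cases. The security group below is a constructed sample; its id and CIDRs are placeholders.

```python
"""Flag security group ingress rules open to the whole Internet.

Added example, not from the original post. Input is JSON in the shape of
`aws ec2 describe-security-groups`; the group below is a constructed sample.
"""
import json

# Constructed sample, not a real AWS account's security group.
SAMPLE_DESCRIBE_SGS = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "sample-workspaces-members",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 4172, "ToPort": 4172,
             "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "static home IP"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "udp", "FromPort": 4172, "ToPort": 4172,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            # Self-referencing rule: source is another group, not a CIDR, so it is fine.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
        ],
    }]
})

ANYWHERE = {"0.0.0.0/0", "::/0"}
# 445 is the port the post singles out; 3389 (RDP) and 22 (SSH) are added here as
# other admin ports that should never face the Internet.
HIGH_RISK_PORTS = {445, 3389, 22}


def port_range(perm):
    """Return (low, high) for a permission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def find_open_ingress(describe_output_json):
    """List ingress rules whose source CIDR is the entire IPv4 or IPv6 Internet."""
    findings = []
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_sources = [s for s in sources if s in ANYWHERE]
            if not open_sources:
                continue
            lo, hi = port_range(perm)
            risky = sorted(p for p in HIGH_RISK_PORTS if lo <= p <= hi)
            findings.append({
                "group": sg["GroupId"],
                "protocol": "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"],
                "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                "sources": open_sources,
                "high_risk_ports": risky,
                "severity": "high" if risky else "medium",
            })
    return findings


def revoke_command(finding, source):
    """Build the AWS CLI command to remove one single-port tcp/udp rule, else None."""
    if finding["protocol"] not in ("tcp", "udp") or "-" in finding["ports"]:
        return None
    cidr_flag = "--cidr" if ":" not in source else "--cidr"  # IPv6 needs --ip-permissions; skip it
    if ":" in source:
        return None
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['group']} "
            f"--protocol {finding['protocol']} --port {finding['ports']} {cidr_flag} {source}")


if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_DESCRIBE_SGS):
        print(f["severity"].upper(), f["group"], f["protocol"], f["ports"], f["sources"])
        for src in f["sources"]:
            cmd = revoke_command(f, src)
            if cmd:
                print("  fix:", cmd)
```

Run it against real output with `aws ec2 describe-security-groups --filters Name=tag-key,Values=<your Workspaces tag> > sgs.json` and pass the file contents in; rules that only reference other security groups (like the self-referencing one in the sample) are left alone because they are not reachable from the Internet.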

10. Tag Network Resources

You’ll probably want to identify and tag all this networking, so you know what it is and why it’s there. You will find tags on the items indicating they are associated with AWS Workspaces, but you can add a Name tag as I did below, so a name shows up in the list for VPCs, security groups, ACLs, and subnets.

11. Turn on VPC Flow Logs

Make sure you turn on VPC Flow Logs for these resources. Not only will it help you in case of a security incident, but it will also help with troubleshooting and to determine what ports you need to leave open to what IP Ranges.

12. How to reset a Workspaces user password

If you’re like me and don’t log in too frequently, you may need to reset your AWS Workspaces user password. To do that, go to the AWS Directory Service in the AWS console, not AWS Workspaces. Click on your directory, and you’ll see the option to reset the password.

A workspaces user can also click the Forgot Password link on the client application and go through that process.

12. Login

OK, once you’ve done all that, you are ready to log in.

If all goes according to plan, your Workspace will start up, and you will be able to access your Workspace desktop remotely.

12. Troubleshooting — Check the registration ID.

When you are trying to log in, the Workspace ID configured on your local machine will show up in the client. If you changed your registration name, you see the name here, not the registration ID. If your client’s registration ID does not match the Workspace registration ID, you’ll have to fix your configuration, as noted in the step above on making sure the registration code is correct.

13. Troubleshooting — Kill the client.

You can try to hit the cancel button, but it won’t help. You’ll likely have to wait for a timeout or kill the client application if you want to fix this.

Search for Activity Monitor and click on it (again, I’m on a Mac).

Search for the WorkspacesClient. Click on it. Then click the X on the top left.

Click Force Quit.

I’ve had cases where fixing the registration code didn’t solve the problem. In that case, I had to manually find the files where the registration code exists for the application and edit it. The configuration file location seems to move around with different versions of the application. However, during this current round of troubleshooting, I did not have this problem.

14. Troubleshooting — Check the Network Logs

The first thing to check is your firewall logs: localhost firewall, local network firewall logs, and AWS VPC Flow Logs. You can also use Wireshark or tcpdump to see rejected network traffic and then narrow down exactly which rules you need to add or alter.
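Steps 11 and 14 both come down to the same question: which REJECT records in the VPC Flow Logs belong to your own client (rules you need to open) and which are Internet noise you want to keep blocked. The parser below is an added example, not code from the original post: it reads records in the default VPC Flow Log format (version 2, space-separated, fields `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`), tallies rejected flows by source address and destination port, and splits them by a set of addresses you trust. The log lines, account id, interface id and addresses are constructed placeholders.

```python
"""Summarize VPC Flow Log REJECT records to find which ports and sources are blocked.

Added example, not from the original post. The records below are constructed in
the default flow log format; ids and addresses are placeholders.
"""
from collections import Counter, defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}

# Constructed sample: a client at 203.0.113.10 being rejected on 4172, an unrelated
# host probing 445 and 3389, one accepted flow, and a NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 50123 4172 6 3 180 1609459200 1609459260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 50124 4172 17 5 400 1609459200 1609459260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 50125 4172 17 8 640 1609459260 1609459320 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.1.25 44021 445 6 1 60 1609459200 1609459260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.1.25 44022 3389 6 1 60 1609459200 1609459260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 4172 50123 6 20 4000 1609459200 1609459260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1609459200 1609459260 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; drop malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # no traffic fields to interpret
            continue
        records.append(rec)
    return records


def rejected_flows(records):
    """Count REJECTed flows per source address, keyed by 'dstport/proto'."""
    by_source = defaultdict(Counter)
    for r in records:
        if r["action"] != "REJECT":
            continue
        proto = PROTO.get(r["protocol"], r["protocol"])
        by_source[r["srcaddr"]][f"{r['dstport']}/{proto}"] += 1
    return by_source


def classify(by_source, trusted_sources):
    """Split rejects into ones from addresses you own (rules to fix) and everything else."""
    needed, unwanted = {}, {}
    for src, ports in by_source.items():
        bucket = needed if src in trusted_sources else unwanted
        bucket[src] = dict(ports)
    return needed, unwanted


if __name__ == "__main__":
    rejects = rejected_flows(parse_flow_log(SAMPLE_FLOW_LOG))
    needed, unwanted = classify(rejects, trusted_sources={"203.0.113.10"})
    print("open these for your own addresses:", needed)
    print("keep blocked (scans / noise):", unwanted)
```

Only the `needed` bucket should turn into new security group or NACL rules; the `unwanted` bucket is exactly the traffic the minimalist rules from step 10 are there to stop, and a sudden growth in it is worth an alert.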

15. After login — Windows Update

Once you are in, you can run Windows Update for the reasons noted above. You don’t want to have this interrupt you right as you are about to start a video call. Note that you may have to reboot and wait for the boot and update process to complete before you log in again. Even though the Workspace says it is available, it may still be performing updates and will not let you connect until that completes.

16. Test audio and video

One way to test that everything is working is to start a Zoom meeting on the Workspace instance. In my case, I set up a Zoom account specifically for this purpose and do not use my other accounts like Google or Facebook to log in on my AWS Workspace. Once you set up a meeting, you will be able to test your microphone:

You should be able to start a video.

In my case, the microphone and video did not work, so next, how to troubleshoot that.

16. Troubleshooting — Workspaces access to camera and microphone

The first thing you can check is that the Workspaces client software has access to your laptop or local computer audio and video.

Open system preferences:

Click on security and privacy:

Make sure you have AWS Workspaces enabled for both camera and microphone in the left menu:

If you are using Zoom in a Chrome browser, you also need to allow Chrome to access your camera and microphone. The following support page explains how to do that. I like running all this in the cloud because I can disallow these things on my local laptops and only allow it in the cloud system.

Troubleshooting: Fabulatech support

When all else fails, you can also follow these troubleshooting steps and contact technical support:

Those tips include gathering logs to submit a support request.

At this moment, I can’t get this working on my AWS Workspace anymore. It used to work as I demonstrated in my old blog post. I’m working on it and hope to update this blog post further soon with some good news.

Teri Radichel


© 2nd Sight Lab 2021
