Success using ZCC on AWS Workspaces instances?

Has anyone had success using ZCC on AWS Workspaces instances? I’ve followed the guides and modified both the App and Forwarding profiles, as well as configuring a custom Do Not Inspect rule for SSL, but have intermittent success using Tunnel 1.0, meaning I can reconnect to my instance but only with repeated retries. With Tunnel 2.0 my remote session gets dropped almost immediately after updating the policy on the Workstation’s ZCC.
If you have it working, please share!

Would this be of any assistance?


Thank you. These directions work well for Tunnel 1.0, but I believe for Tunnel 2.0 I’ll need to add bypasses to the App Profile for the list of ports for the “Management interface” and “Primary interface” listed here.
Seeing as Tunnel 2.0 routes all traffic through the tunnel, it makes sense that they’d need to be added. I’ll give it a try and report back. Thanks again!

Not sure if this is related or not. I am working solely abstractly as I don’t have access to any real-world environments for this, so please bear with me. I just read the documentation and the forums and try to make connections.

If you enable “Redirect Web Traffic to ZCC Listening Proxy” … Then it will send all web traffic through tunnel 1.0 so it has no dependency on tunnel 2.0 dtls. Not sure in this scenario if that will help. Might be getting hit with some throttling or MTU issues. Therefore, leaving application traffic through tunnel 2.0.

Also might want to look into forwarding policy PACs and manage bypasses via the App Profile PAC.

Again, these are just the things that I have collected over time observing and reading, though, so it might have zero impact on your solution at the end of the day.

Yes, I have it working relatively well, but there are a lot of gotchas. My points here assume you are also using ZCC to reach the WorkSpaces themselves.

  1. Tunnel 2.0 is a MUST; it will not work on 1.0
  2. Make sure you have TCP/UDP 4172, 4195 added as a Network Service (mine is called “AWS WorkSpaces”)
  3. Create a firewall rule in ZIA allowing access to that service
  4. Create a URL category with all of the WorkSpaces URLs (I can share my list if desired)
  5. Disable SSL Inspection for that URL category, with the rule being near the top
  6. In your App Profile, add 198.18.0.0/15 and 169.254.0.0/16 to “HOSTNAME OR IP ADDRESS BYPASS FOR VPN GATEWAY” and “Destination Exclusions for IPv4”
  7. Add ec2.internal to “Domain Exclusions for DNS Requests”

That SHOULD get ZCC working inside of WorkSpaces for you.
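As an added example (not from the thread or from Zscaler), here is a small Python model of how the destination exclusions, the DNS domain exclusion and the "AWS WorkSpaces" Network Service from the steps above interact, so the bypass list can be sanity-checked against captured flows before the policy is pushed. The sample flows, the 203.0.113.x addresses and the verdict labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Settings from the steps above: App Profile destination exclusions, the DNS
# domain exclusion, and the "AWS WorkSpaces" Network Service (TCP/UDP 4172, 4195).
BYPASS_CIDRS = [ipaddress.ip_network("198.18.0.0/15"),
                ipaddress.ip_network("169.254.0.0/16")]
DNS_EXCLUSIONS = ["ec2.internal"]
WORKSPACES_PORTS = {4172, 4195}


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


def dns_excluded(name: str) -> bool:
    """True if the lookup stays with the local resolver. Matching is on the
    label boundary, so 'ec2.internal.example.com' does NOT match."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in DNS_EXCLUSIONS)


def classify(flow: Flow) -> str:
    """Simplified verdict for one flow (labels are constructed for this example)."""
    if any(ipaddress.ip_address(flow.dst_ip) in net for net in BYPASS_CIDRS):
        return "bypass"  # excluded from the Tunnel 2.0 route entirely
    if flow.proto.lower() in ("tcp", "udp") and flow.dst_port in WORKSPACES_PORTS:
        return "tunnel:workspaces-service"  # must be allowed by the ZIA firewall rule
    return "tunnel:default"  # ordinary tunnelled traffic, subject to normal policy


def flows_needing_firewall_rule(flows):
    """Flows that traverse the tunnel on the WorkSpaces ports, i.e. the ones the
    firewall rule in step 3 has to allow."""
    return [f for f in flows if classify(f) == "tunnel:workspaces-service"]


# Constructed sample flows; 203.0.113.x is a documentation range, not a real endpoint.
SAMPLE_FLOWS = [
    Flow("198.19.20.5", 4172, "udp"),    # inside 198.18.0.0/15 -> bypassed
    Flow("169.254.169.254", 80, "tcp"),  # link-local -> bypassed
    Flow("203.0.113.10", 4195, "tcp"),   # WorkSpaces port through the tunnel
    Flow("203.0.113.10", 443, "tcp"),    # ordinary HTTPS through the tunnel
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.proto}/{f.dst_ip}:{f.dst_port} -> {classify(f)}")
    print("ec2.internal excluded:", dns_excluded("ip-10-0-0-5.ec2.internal"))
```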

Hello Dan,
I made the changes you suggested; the great news is it didn’t immediately disconnect! Thank you. I did not have the settings in items 6 and 7 in my App Profile. I do have an extensive list of Workspaces URLs, based on the list of host names I see here. That said,
if you would please share your list or any additions outside of the AWS doc linked above, that would be awesome.
My connection to my AWS Workspaces continues to be stable.
What specific “gotchas” have you encountered?
You are awesome. Thank you again!

Awesome! Glad that worked out for you!

Beyond those URLs, you’ll also need to add the “portals” for each of your directories, which will be in the form of <directory>.awsapps.com, where <directory> is either the directory ID or the name you give it when you build the directory (e.g., d-906765a124.awsapps.com or my-company-appdev.awsapps.com).

I’ve attached my URL category sans directories, but bear in mind that my client is a whitelist-only org, so I have to specify every single address with few opportunities for wildcarding. You may be able to shorten your list depending on your org’s policies.

amazonworkspaces.txt (1.8 KB)

In that same category, I also have these two entries as custom keywords to match IP addresses and something that shows up in the middle of the URL:
3.227.
prod-us-east

Again, you may or may not need those or you may need different ones.

The only other gotchas I’ve really found relate to Active Directory group policy. If you can, I would recommend assigning your WorkSpaces to an OU that inherits no GPOs at all. If you can’t, just make sure it’s inheriting as few as possible.

