Steps to Launch
Launch the TrueStack Server from the AWS Marketplace.
Launch Considerations
- Region:
- Select the Region where your Windows Domain Controller is located.
- Note: If you are using TrueStack to give computers access to a Windows Domain Controller that already runs in your AWS account, launch the TrueStack server in the same Region and VPC as the Windows server; placing it in the same Availability Zone is preferable but not required, since subnets in one VPC route to each other across Availability Zones. A TrueStack server in a different Region or VPC cannot reach the Domain Controller over the private network without additional peering.
- Instance Type:
- TrueStack operates efficiently on lightweight instance types.
- Recommendation: Select t3.micro or t2.micro for cost-effectiveness, which is covered under the AWS Free Tier for eligible users.
- Networking Configuration:
- Attach the instance to the same Virtual Private Cloud (VPC) as your Windows Domain Controller.
- If using TrueStack purely for VPN tunneling, use the default VPC or configure a suitable VPC for internet traffic.
- Security Group Rules:
- If you create a custom security group, ensure the following inbound rules are included:
- TCP: Ports 80 and 443 for web interface access.
- UDP: Port 7473 for VPN connections.
- Do not add other internet-facing rules (for example a management port open to Anywhere); the full inbound rule set is given under Recommended Security Group Configuration below.
Next Steps
Refer to Using TrueStack for detailed configuration and management guidance.
Configuring AWS Networking for use with Windows Domain Controllers
Follow these steps to enable communication between your Windows Active Directory (AD) server and computers connected through the TrueStack Server:
- Disable Source/Destination Check for the TrueStack Server Instance:
- Open the AWS EC2 Console.
- Locate your TrueStack Server instance.
- Navigate to Actions > Networking > Change source/destination check.
- Select the option to Stop Source/Destination Check.
- This step is required because EC2 normally drops any packet whose source or destination address is not the instance's own address. The TrueStack server forwards packets on behalf of VPN-connected computers, so with the check enabled that traffic is discarded and the Windows Active Directory server cannot reach or manage the computers through the tunnel.
- Assign an Elastic IP (Static IP) to the TrueStack Server Instance:
- Temporarily shut down the TrueStack Server instance.
- Go to the Elastic IPs section in the AWS Management Console.
- Allocate a new Elastic IP (AWS’s term for a static IP) and associate it with the TrueStack Server instance.
- Restart the TrueStack Server once the Elastic IP is assigned.
- Without an Elastic IP, the instance receives a new public IP address every time it is stopped and started, which breaks VPN client configurations and any DNS record pointing at the server. The Elastic IP keeps the address stable.
- Add a Route for the VPN Client Subnet 5.6.0.0/16 (if using Active Directory):
- This route is only required if you want to manage VPN-connected computers using a Windows Active Directory server. It lets administrators apply Group Policy, run PowerShell commands against the computers, and push Active Directory changes to them.
- If no AD server is involved and the TrueStack Server is solely used to create an encrypted tunnel for internet traffic, this step is not necessary.
- Open the AWS VPC Console and locate the route table for your VPC. If the VPC has more than one route table, use the one associated with the subnet that contains the Windows Domain Controller.
- Edit the route table and add a new route:
- Destination: 5.6.0.0/16
- Target: Select Instance, then choose your TrueStack Server instance.
- Save the changes.
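As an added example (not part of the TrueStack documentation or product), the following Python audits an instance for the three settings above: source/destination check disabled, an Elastic IP associated, and the 5.6.0.0/16 route pointing at the instance in every route table of its VPC. It works on the response shapes of `aws ec2 describe-instances`, `aws ec2 describe-addresses` and `aws ec2 describe-route-tables`, so it can be pointed at saved JSON from a real account; it makes no AWS calls itself. The instance, VPC, address and route table identifiers in the fixtures are constructed placeholders.

```python
"""Audit a TrueStack instance for the three networking settings above.

Feed it the JSON returned by:
  aws ec2 describe-instances   --instance-ids <instance-id>
  aws ec2 describe-addresses
  aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>
These are pure functions over those response shapes; nothing here calls AWS.
"""
import json

VPN_CLIENT_CIDR = "5.6.0.0/16"  # VPN client subnet named on this page


def find_instance(describe_instances, instance_id):
    """Return the Instance dict for instance_id from a describe-instances response."""
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("InstanceId") == instance_id:
                return inst
    raise KeyError(f"{instance_id} not found in describe-instances output")


def audit_networking(instance_id, describe_instances, describe_addresses, describe_route_tables):
    """Return a list of findings; an empty list means all three settings are in place."""
    inst = find_instance(describe_instances, instance_id)
    findings = []

    # 1. Source/destination check must be OFF: with it on, EC2 drops every packet
    #    the instance forwards on behalf of a VPN client (wrong src/dst for its ENI).
    if inst.get("SourceDestCheck", True):
        findings.append("source/destination check is still enabled on the instance")

    # 2. An Elastic IP must be associated, otherwise the public IP changes on stop/start.
    if not any(a.get("InstanceId") == instance_id for a in describe_addresses.get("Addresses", [])):
        findings.append("no Elastic IP is associated with the instance")

    # 3. Every route table in the VPC should send the VPN client subnet to this instance.
    vpc_id = inst.get("VpcId")
    for rt in describe_route_tables.get("RouteTables", []):
        if rt.get("VpcId") != vpc_id:
            continue
        rt_id = rt.get("RouteTableId")
        routes = [r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == VPN_CLIENT_CIDR]
        if not routes:
            findings.append(f"{rt_id}: no route for {VPN_CLIENT_CIDR}")
            continue
        for r in routes:
            target = r.get("InstanceId") or r.get("NetworkInterfaceId") or r.get("GatewayId")
            if r.get("InstanceId") != instance_id:
                findings.append(f"{rt_id}: {VPN_CLIENT_CIDR} targets {target}, not {instance_id}")
            elif r.get("State") != "active":
                # A route whose target instance is gone shows as "blackhole".
                findings.append(f"{rt_id}: route to {VPN_CLIENT_CIDR} is {r.get('State')}, not active")
    return findings


def sample_responses(configured):
    """Constructed fixtures shaped like the AWS responses (not data from a real account)."""
    instance_id, vpc_id = "i-0123456789abcdef0", "vpc-0abc0abc0abc0abc0"
    instance = {"InstanceId": instance_id, "VpcId": vpc_id, "SourceDestCheck": not configured}
    addresses = {"Addresses": []}
    routes = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]
    if configured:
        addresses["Addresses"].append(
            {"PublicIp": "198.51.100.10", "AllocationId": "eipalloc-0123", "InstanceId": instance_id})
        routes.append({"DestinationCidrBlock": VPN_CLIENT_CIDR, "InstanceId": instance_id, "State": "active"})
    return (
        {"Reservations": [{"Instances": [instance]}]},
        addresses,
        {"RouteTables": [{"RouteTableId": "rtb-0123", "VpcId": vpc_id, "Routes": routes}]},
    )


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # <instance-id> <instances.json> <addresses.json> <route-tables.json>
        data = [json.load(open(path)) for path in sys.argv[2:]]
        result = audit_networking(sys.argv[1], *data)
    else:
        result = audit_networking("i-0123456789abcdef0", *sample_responses(configured=False))
    print("\n".join(result) or "OK: all three networking settings are in place")
```

Run it with no arguments to see the findings for the unconfigured fixture, or pass the instance ID and the three saved JSON files to audit a real instance.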
Recommended Security Group Configuration
We recommend assigning the TrueStack server to its own security group since it functions as a front-facing web server. Refer to the #NetworkSecurity guidelines for more information. If you need to isolate Windows servers from each other, assign each server to its own security group. For communication between the TrueStack server and Windows servers, follow these steps:
- Create a Security Group for the TrueStack Server:
- Add an All Traffic rule to allow traffic from the Windows server(s) by their specific IP addresses (/32).
- Move the TrueStack server to this newly created security group.
- Note: If you launched the TrueStack server from the AWS Marketplace, the setup process might have already created this security group.
- Configure Windows Server Security Groups:
- Add an All Traffic rule to allow traffic from the TrueStack server’s specific IP address (/32).
- Move the Windows server(s) to their respective security groups.
Security Group Rules
The TrueStack security group must have the following inbound rules to enable proper functionality. IPv6 rules are recommended but not mandatory:
Inbound Rules for TrueStack Security Group:
- Type: HTTP
- Source: Anywhere-IPv4
- (Optional) Source: Anywhere-IPv6
- Type: HTTPS
- Source: Anywhere-IPv4
- (Optional) Source: Anywhere-IPv6
- Type: Custom UDP (Port: 7473)
- Source: Anywhere-IPv4
- (Optional) Source: Anywhere-IPv6
Additional Rules:
- Type: All Traffic
- Source: Custom (Specify the Windows server's IP address, e.g., <Windows_Server_IP>/32).
Windows Server Security Group(s):
- Type: All Traffic
- Source: Custom (Specify the TrueStack server's IP address, e.g., <TrueStack_Server_IP>/32).
Firewall Configuration for Multiple Windows Servers
To isolate individual Windows servers, create a separate security group for each server. In each of those security groups, add an inbound All Traffic rule with the source set to the IP/32 of the TrueStack server. In the TrueStack server's security group, add inbound All Traffic rules with the source set to the IP/32 of each Windows server. Keep these All Traffic rules pinned to single-host /32 sources; do not widen them to a subnet or to Anywhere.
If server isolation is not required, you can simplify management by placing all Windows servers within a single security group.
For Windows servers within the same security group that need to communicate with each other, configure an All Traffic rule that allows traffic from the security group itself.
If server isolation is necessary but communication between specific servers is required, add an All Traffic rule in each relevant security group, specifying the IP/32 of the Windows servers that need to communicate.
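As an added example (it is not TrueStack's code or documentation), the Python below audits one security group's inbound rules, taken from the output of `aws ec2 describe-security-groups`, against the rule set described in this section: the three public ports on the TrueStack group, the pinned /32 All Traffic rules in both directions, and, going one step beyond the page, anything open wider than it calls for (All Traffic from Anywhere, a whole subnet instead of a /32, or a port other than 80, 443 and 7473 exposed to the world). The group IDs and RFC 1918 addresses in the fixtures are constructed; no AWS calls are made.

```python
"""Audit TrueStack and Windows security groups against the rules above.

Input is one SecurityGroups[] element from `aws ec2 describe-security-groups`
(its IpPermissions list holds the inbound rules). Pure functions; no AWS calls.
"""
import ipaddress

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
# Inbound rules this page requires on the TrueStack group, open to Anywhere.
REQUIRED_PUBLIC = {("tcp", 80), ("tcp", 443), ("udp", 7473)}


def _cidrs(perm):
    """All IPv4 and IPv6 CIDR sources of one IpPermissions entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _covers(perm, proto, port):
    return perm.get("IpProtocol") == proto and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _host_rule(perms, cidr):
    """True if some All Traffic (IpProtocol -1) rule lists exactly this CIDR."""
    return any(p.get("IpProtocol") == "-1" and cidr in _cidrs(p) for p in perms)


def _overbroad(perms, allowed_public):
    """Flag anything wider than the page's intent: world-open ports other than the
    allowed ones, All Traffic from Anywhere, or All Traffic from more than one host."""
    out = []
    for p in perms:
        public = [c for c in _cidrs(p) if c in (ANY_V4, ANY_V6)]
        if p.get("IpProtocol") == "-1":
            if public:
                out.append(f"All Traffic is open to {', '.join(public)}")
            for c in _cidrs(p):
                net = ipaddress.ip_network(c, strict=False)
                if c not in public and net.prefixlen < net.max_prefixlen:
                    out.append(f"All Traffic from {c} is wider than a single host")
        elif public and ((p.get("IpProtocol"), p.get("FromPort")) not in allowed_public
                         or p.get("FromPort") != p.get("ToPort")):
            out.append(f"{p.get('IpProtocol')}/{p.get('FromPort')}-{p.get('ToPort')} "
                       f"is open to {', '.join(public)} but is not a TrueStack port")
    return out


def audit_truestack_sg(sg, windows_ips):
    """Findings for the TrueStack group: 80/tcp, 443/tcp, 7473/udp from Anywhere-IPv4,
    All Traffic from each Windows server's /32, and nothing broader."""
    perms = sg.get("IpPermissions", [])
    findings = [f"missing: {proto}/{port} from {ANY_V4}"
                for proto, port in sorted(REQUIRED_PUBLIC)
                if not any(_covers(p, proto, port) and ANY_V4 in _cidrs(p) for p in perms)]
    for ip in windows_ips:
        cidr = f"{ipaddress.ip_address(ip)}/32"
        if not _host_rule(perms, cidr):
            findings.append(f"missing: All Traffic from Windows server {cidr}")
    return findings + _overbroad(perms, REQUIRED_PUBLIC)


def audit_windows_sg(sg, truestack_ip):
    """Findings for a Windows server group: All Traffic from the TrueStack /32 only."""
    perms = sg.get("IpPermissions", [])
    cidr = f"{ipaddress.ip_address(truestack_ip)}/32"
    findings = [] if _host_rule(perms, cidr) else [f"missing: All Traffic from TrueStack server {cidr}"]
    return findings + _overbroad(perms, set())


def _rule(proto, port=None, *cidrs):
    """Build one IpPermissions entry (helper for the constructed fixtures below)."""
    p = {"IpProtocol": proto,
         "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
         "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c]}
    if port is not None:
        p.update(FromPort=port, ToPort=port)
    return p


# Constructed fixtures (placeholder group IDs and RFC 1918 addresses, not a real deployment).
TRUESTACK_IP, WINDOWS_IPS = "10.0.1.5", ["10.0.1.10", "10.0.1.11"]
GOOD_TRUESTACK_SG = {"GroupId": "sg-good", "IpPermissions": [
    _rule("tcp", 80, ANY_V4, ANY_V6), _rule("tcp", 443, ANY_V4), _rule("udp", 7473, ANY_V4),
    _rule("-1", None, "10.0.1.10/32"), _rule("-1", None, "10.0.1.11/32")]}
BAD_TRUESTACK_SG = {"GroupId": "sg-bad", "IpPermissions": [
    _rule("tcp", 80, ANY_V4), _rule("tcp", 443, ANY_V4),
    _rule("tcp", 22, ANY_V4),            # a management port left open to the world
    _rule("-1", None, "10.0.0.0/16"),    # whole subnet instead of one /32
    _rule("-1", None, "10.0.1.10/32")]}  # second Windows server and 7473/udp are missing
GOOD_WINDOWS_SG = {"GroupId": "sg-win", "IpPermissions": [_rule("-1", None, "10.0.1.5/32")]}

if __name__ == "__main__":
    for name, result in [("good TrueStack group", audit_truestack_sg(GOOD_TRUESTACK_SG, WINDOWS_IPS)),
                         ("bad TrueStack group", audit_truestack_sg(BAD_TRUESTACK_SG, WINDOWS_IPS)),
                         ("Windows group", audit_windows_sg(GOOD_WINDOWS_SG, TRUESTACK_IP))]:
        print(f"{name}: {result or 'OK'}")
```

Rules that reference another security group (UserIdGroupPairs), such as the self-referencing rule for Windows servers that share a group, carry no CIDR and are deliberately left alone by the over-broad checks.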
For additional details on managing Windows Active Directory computers with TrueStack, refer to the guide: Using TrueStack to Manage Windows Active Directory Computers.