
Multi-Factor Authentication (2FA/MFA) for Amazon WorkSpaces

Multi-Factor (MFA) and Two-Factor Authentication (2FA) for AWS WorkSpaces

November 25, 2019 By Rublon Authors

Last updated on May 6, 2025

Overview of MFA for Amazon WorkSpaces

Multi-Factor Authentication (MFA) for Amazon WorkSpaces is an extra layer of security that requires users to complete two verification methods in order to access Amazon WorkSpaces. After entering their Active Directory/RADIUS username and password, the user must complete an additional authentication step using one of the available methods such as a Mobile Push or Email Link. This additional step of MFA ensures that hackers are unable to gain access to Amazon WorkSpaces with just the user’s login credentials.

This document describes how to enable Rublon Multi-Factor Authentication (MFA) for users logging in to Amazon WorkSpaces. In order to achieve that, you have to use Rublon Authentication Proxy, an on-premise RADIUS proxy server, which allows you to integrate Rublon with Amazon WorkSpaces to add Multi-Factor Authentication to your logins.

Supported Authentication Methods

Authentication Method          Supported   Comments
Mobile Push                    ✔           N/A
WebAuthn/U2F Security Key      –           N/A
Passcode                       ✔           N/A
SMS Passcode                   –           N/A
SMS Link                       ✔           N/A
Phone Call                     ✔           N/A
QR Code                        –           N/A
Email Link                     ✔           N/A
YubiKey OTP Security Key       ✔           N/A

Required Components

  • EC2 Instance – Windows Server 2012 R2 or Windows Server 2016 or Windows Server 2019 – to act as a Domain Controller
  • EC2 Instance – Ubuntu 16.04/18.04/20.04 – to install Rublon Authentication Proxy
  • Amazon WorkSpaces with AD Connector set as Directory Service

The Configuration section is going to walk you through setting up all three of those components.

Configuration of MFA for Amazon WorkSpaces

Follow these steps to enable Rublon 2FA for Amazon WorkSpaces.

Configure Windows Server and Active Directory

1. Launch a new instance from the EC2 Instances console.

2. Click Choose AMI and select your desired Windows version.

3. Click Choose Instance Type. Select the desired Instance Type and the size of your Windows instance. There are no specific requirements for the size of the Windows instance. Select an instance adequate to your company size.

4. Click Next: Configure Instance Details.

5. Fill in the form. Some of the options relate to the network side. Make sure that both of your instances reside in the same VPC and Subnet. If you wish, you can create a new VPC and Subnet. Alternatively, select the default options. 

Write down the values of VPC and Subnet. You are going to need these later when setting up the Ubuntu instance.

Make sure to set Auto-assign Public IP to Enable. Later on, you will have to connect to both instances and it might be more convenient to use the standard RDP and SSH connection instead of the AWS Console.

Keep the rest of the settings as they are or change them according to your needs.

6. Click Next: Add storage. Specify the size of the volume for your instance. Set the size according to your needs or keep the default value of 30GB.

7. Click Next: Add tags. You do not have to specify any tags for this configuration to work. Add tags if you need tags for some other reason.

8. Click Next: Configure Security Group. If you already have an existing Security Group for your VPC, edit the existing group. Otherwise, create a new Security Group.

Verify that the following ports are open on your directory controllers for the Amazon WorkSpaces VPC CIDR:

  • TCP/UDP 53: DNS
  • TCP/UDP 88: Kerberos authentication
  • UDP 123: NTP
  • TCP 135: RPC
  • UDP 137-138: Netlogon
  • TCP 139: Netlogon
  • TCP/UDP 389: LDAP
  • TCP/UDP 445: SMB
  • TCP 1024-65535: Dynamic ports for RPC

Add TCP port 3389 and open this port to your public IP address if you wish to connect to this instance using RDP.

9. Click Review and Launch and then Launch to finish your instance creation.

10. Wait for the instance to start and then connect to the instance.

11. Install Active Directory if you have not already and promote this server to a Domain Controller. Either create a new forest or join this Domain Controller to an already existing domain.

12. Create a user account with administrator privileges (best to copy an existing Administrator account). Write down the password for this user. This account will act as a service account for AWS AD Connector.

Note

Remember to add email addresses to your user account profiles in Active Directory. Rublon requires email addresses to authenticate users.

Configure Ubuntu and Rublon Authentication Proxy

1. Launch a new instance from the EC2 Instances console.

2. Click Choose AMI and select the desired Ubuntu version from 16.04 to 20.04.

3. Click Choose Instance Type and select the desired Instance Type and the size of your instance. There are no specific requirements for the size of the instance. Select an instance adequate to your company size.

4. Click Next: Configure Instance Details and fill in the form. Note that the options you choose here should correspond to the options you chose during Windows instance creation in the previous section. Make sure that the VPC and Subnet are the same as for the Windows Server instance. Enable Auto-assign Public IP as this option might come in handy when connecting remotely to the instance via SSH. Keep the rest of the settings as they are or change them according to your needs.

5. Click Next: Add storage. Specify the size of the volume for your instance. Set the size according to your needs or keep the default value of 8GB.

6. Click Next: Add tags. This section relates to tags. Note that you do not have to specify any tags for this configuration to work. Add tags if you need them for some other reason.

7. Click Next: Configure Security Group. Use the group you have created for the Windows instance or create a new group, depending on your needs. Make sure the following ports are open in Inbound Rules:

  • TCP/UDP 1812
  • TCP/UDP 1813

RADIUS requires the two preceding ports so they have to be open. Furthermore, add an SSH port and open it to your public IP address, so you can remotely SSH to your instance.

8. Click Review and Launch. At launch you will see an option to select an existing key pair or create a new key pair. Either option works, but make sure to download and save the key file. You are going to need this key to connect to your instance. The username for the AWS Ubuntu instance is ubuntu.

9. Wait a few minutes for the instance to start and connect to the instance using the key you have downloaded at instance launch.

10. Install and configure Rublon Authentication Proxy on your Ubuntu instance.

The configuration file (config.yaml) should look like this:

log:
  debug: false

rublon:
  api_server: https://core.rublon.net
  system_token: system_token_obtained_from_rublon_admin_console
  secret_key: secret_key_obtained_from_rublon_admin_console

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    ip: private_ip_of_the_ubuntu_instance
    port: 1812
    radius_secret: secret_to_communicate_with_the_proxy
    mode: nocred
    auth_method: email

Make sure that mode under proxy_servers is set to nocred.

Set up Amazon WorkSpaces with AD Connector

1. Open your AWS Management Console and navigate to WorkSpaces.

2. You have to create a workspaces directory using AD Connector. In the left pane click Directories and then click the Set up Directory button.

3. Select AD Connector as the directory type and click Next.

4. Select Directory Size suitable for your organization and click Next.

5. Specify the VPC and Subnets for your directory. The VPC you set here has to be the VPC where your Windows Server and Ubuntu instances reside. Subnets are not that important for this configuration but you can specify the same subnet as for one of your instances.

6. Click Next and provide your Active Directory information. Refer to the following table.

Organization name: Set a name for your organization.
Directory DNS name: Enter the fully qualified domain name of the directory.
DNS IP addresses: Enter the IP address of the DNS server. Make sure the server is accessible inside the VPC you set in Step 5.
Service account username: Enter the username of the service account you created in your Active Directory.
Service account password: Enter the password for the service account.
Confirm password: Retype the password.

7. Click Next. Click Review and Launch and then Launch. It might take up to a few minutes for the Directory Service to initialize and start. Once started, the Status will change to Active.

8. Check your directory and select Actions → Update Details to edit your directory’s settings and set up Multi-Factor Authentication.

9. Expand the Multi-Factor Authentication section and fill in the form. Click Update and Exit when done. Refer to the following table for more information.

RADIUS server IP address(es): Enter the IP address of your Ubuntu instance where Rublon Authentication Proxy is installed.
Port: 1812
Shared secret code: Enter the same secret you have specified in the Rublon Authentication Proxy config.yaml file.
Confirm shared secret code: Retype the secret.
Protocol: Select PAP.
Server timeout (in seconds): Enter the same value that you have specified in config.yaml. Recommended: 30
Max retries: Enter the same value that you have specified in config.yaml. Recommended: 3

10. Go to Amazon WorkSpaces and create a workspace for one or more of your users. Creating a workspace might take up to 20 minutes.

11. Your configuration is complete. You can now log in to Amazon WorkSpaces with Rublon 2FA enabled.

Testing MFA for Amazon WorkSpaces

This example portrays logging in to Amazon WorkSpaces using the WorkSpaces Client. We assume you have already supplied the Registration Code from your workspace.

1. Initialize login in the WorkSpaces Client.

2. Provide your username and password.

3. In the MFA Code field type the name of the authentication method or a Passcode:

  • push – sends a Mobile Push notification to your phone
  • mail – sends an Email Link to your email
  • 123456 – verifies the Passcode generated by Rublon Authenticator or a third-party app like Google Authenticator or Microsoft Authenticator; must be exactly 6 characters long with no spaces in between
  • 123456789 – verifies the Bypass Code; must be exactly 9 characters long with no spaces in between

4. Click Sign In.

5. You will be sent an automatic push notification on your phone.

7. You will be logged in to Amazon WorkSpaces.

Troubleshooting MFA for Amazon WorkSpaces

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
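What enforcing Message-Authenticator means on the receiving side of an Access-Request, as an added example that is not Rublon's code: the receiver recomputes HMAC-MD5 over the packet with the attribute's 16 bytes zeroed, keyed with the RADIUS shared secret, and rejects packets where the attribute is missing, duplicated, malformed or wrong. The function names, the force parameter (modelled on force_message_authenticator) and the packet builder used to produce sample input are assumptions for illustration; response packets, which use the request's authenticator in the computation, are not covered.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type, 16-byte HMAC-MD5 value


def build_access_request(secret, ident, attrs):
    """Build a constructed sample Access-Request, Message-Authenticator first."""
    body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    for atype, value in attrs:
        body += bytes([atype, len(value) + 2]) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    header += os.urandom(16)  # Request Authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:2] + mac + body[18:]


def verify_message_authenticator(secret, packet, force=True):
    """True only if the attribute is present once, well-formed and valid.
    force is a hypothetical parameter: when True, a missing attribute fails."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet, pos, found = packet[:length], 20, None
    while pos < length:
        if pos + 2 > length:
            return False
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18 or found is not None:
                return False
            found = pos + 2
        pos += alen
    if found is None:
        return not force
    # Recompute over the packet with the attribute value zeroed.
    zeroed = packet[:found] + bytes(16) + packet[found + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found:found + 16])
```

A mismatch here usually means the shared secret differs between the two ends or that one end does not send the attribute at all, which is why the secret entered in the directory's MFA settings has to match config.yaml exactly.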

If you encounter any issues with your Rublon integration, please contact Rublon Support.
