Direct ChassisLink Incorporated (DCLI) is the largest provider of marine and domestic container chassis to the U.S. Intermodal industry. Headquartered in Charlotte, North Carolina, DCLI has been a leading provider of services to cargo owners, ocean carriers, motor carriers, and domestic shippers across more than 500 locations since 2009.
DCLI, faced with rapid business growth and the demand to quickly onboard numerous contract employees, needed a scalable solution capable of sustaining their business needs.
The Challenge
DCLI has a primary office in Charlotte North Carolina and another office located in Chicago Illinois. Each office has application and file servers that need to be accessible to the contractors for them to perform their job duties. DCLI requires the ability to rapidly deploy a workstation and quickly onboard an employee regardless of location, while still securely authenticating users to their applications.
The Solution
The solution designed for DCLI followed a structured process of “Discover, Design, and Deploy,” ensuring a comprehensive approach to deploying an AWS environment and supporting infrastructure for AWS WorkSpaces.
In the Discover phase, the customer and Aufsite identified the need for connectivity back to on-premises systems, which involved setting up S2S VPN and FortiGate Firewall connectivity at both the Chicago and Charlotte locations. Aufsite assessed the requirements for VPC, subnets, NAT & IGW, and directory services, including SAML authentication with Azure AD. This phase involved a thorough review of the workspace build process, image creation and management, and deployment strategies for AWS WorkSpaces.
Transitioning to the Design phase, through several meetings with key stakeholders, Aufsite created a design diagram detailing the flow of traffic, contractor access requirements, and fault tolerance considerations. The final design consisted of four subnets, 2 public and 2 private using a /24 subnet mask to allow for future growth and expansion of DCLI’s Workspace needs. The public subnets allowed for direct access to the Internet such as software updates, or public-facing services. The NAT gateway allows Internet traffic while still obscuring their internal IP addresses. This protects the Workspace users from external attacks initiated from the Internet while still allowing them the access needed for their applications. Aufsite leveraged an AD Connector across two availability zones that support AWS Workspaces in the US-east-1 region. Two customer gateway connections were configured to prevent a single point of failure with the Site-to-Site VPN connections into AWS. The customer configured BGP on their on-premises firewalls to propagate routes and set priorities on those routes to prevent routing loops. Following the detailed steps outlined in AWS SAML authentication setup guides, we configured the IdP within IAM and then configured the SAML authentication to allow the Workspace users to authenticate using their Active Directory credentials.
In the Deployment phase, the designed infrastructure was executed as code, resulting in the creation of a VPC, subnets, gateways, route tables, security groups, and VPNs. This phase included working sessions to review the infrastructure, establish VPN tunnels, and configure the AD Connector and SAML authentication manually. Further sessions focused on the WorkSpace image creation process, bundle creation, deployment, rebuilds, and restore operations, along with the maintenance of the WorkSpaces and software updates through KACE. This end-to-end process ensured that DCLI’s AWS WorkSpaces were deployed with a robust, scalable, and secure infrastructure.
In the DCLI case study, Aufsite has effectively resolved the customer’s challenges of a highly scalable, secure solution with the ability to onboard contractors quickly. The solution involved the following components:
- Virtual Private Cloud (VPC) and VPN: Aufsite established a VPC within the AWS cloud, ensuring each site was connected through a secure VPN. This setup enabled centralized access to all sites eliminating a single point of failure.
- AWS Workspaces: Utilizing AWS Workspaces allowed secure and compliant access across sites. Each Workspace had an encrypted drive, with connections secured through VPN and SSL encryption with the ability to deploy multiple Workspaces at a moment’s notice rapidly.
- SAML Authentication: AWS Identity Provider configuration with AWS WorkSpace services and Azure AD, we were able to seamlessly integrate SAML Authentication of Azure AD with AWS WorkSpaces for a secure authentication method.
- WorkSpaces Image Management: By documenting and reviewing the image creation and management process with DCLI, they are now comfortable with how they will not only create custom WorkSpace images but also maintain the images going forward.