How Do End Users Access the Internet?

The administrator can enable user desktops to access the Internet as follows:
  • using NAT gateway
  • using SNAT
  • using a proxy server

Method 1: using NAT gateway

The NAT gateway provides the Network Address Translation (NAT) service for Workspace desktops in a VPC so that multiple Workspace desktops can share an EIP to access the Internet.

For detailed operations, see the NAT Gateway User Guide.

After configuring the NAT gateway, set the interface metric on the user desktop.

  1. Log in to the desktop.
  2. Go to Network and Sharing Center.
  3. In the View your active networks area, click Local Area Connection 2 or Ethernet 2.

    The Local Area Connection 2 Status dialog box or the Ethernet 2 Status dialog box is displayed.

  4. Click Properties.

    The Local Area Connection 2 Properties dialog box or the Ethernet 2 Properties dialog box is displayed.

  5. Click Advanced.

    The Advanced TCP/IP Settings dialog box is displayed.

  6. Deselect Automatic metric, and set Interface metric to 2.
  7. Click OK in sequence to save the settings and close the dialog boxes.
  8. Click Close to close the Local Area Connection 2 Status dialog box or the Ethernet 2 Status dialog box.

Method 2: using SNAT

Based on the SNAT service provided by the public cloud, within the specified bandwidth, Workspace desktops without EIPs can access the Internet. In this way, end users can download software updates via the Internet. Currently, Workspace desktops are allowed to access the Internet, but cannot be accessed from the Internet. The bandwidth is shared by all Workspace desktops.

Basic principle: ECSs assigned with public EIPs are used as SNAT routers or gateways of Workspace desktops in the same subnet or VPC, thereby enabling Workspace desktops to access the Internet.

Different versions of CentOS have different network configuration methods. The following procedure uses CentOS 6.5 as an example.

Creating a SNAT server

  1. Create an ECS with an EIP as the SNAT server. The ECS is in the same VPC as the Workspace desktops, runs on CentOS, and has one NIC. The following uses CentOS 6.5 as an example.

Setting the NIC and security group rule of the SNAT server

  1. Log in to the management console.
  2. On the page that is displayed, choose Computing > Elastic Cloud Server.
  3. On the displayed page, locate the target ECS in the ECS list and click the ECS name to switch to the page showing ECS details.
  4. Click the NIC tab and disable the source/destination check function.
  5. Select Security Group, and add an inbound Any rule for WorkspaceUserSecurityGroup.

Configuring routing information

  1. Log in to the management console.
  2. In the navigation pane on the left, choose Virtual Private Cloud.
  3. In the navigation pane on the left, select a VPC to which a route is to be added and click Route Table.
  4. On the Route Table page, click Add Route.
  5. Set route information on the displayed page.
    • Destination: indicates the destination network segment. The value can be a network segment of subnets in the VPC. The default value is 0.0.0.0/0. The destination of each route must be unique.
    • Next Hop: indicates the IP address of the next hop. Set it to a private IP address or a floating private IP address in a VPC.
    NOTE:

    If Next Hop is set to a floating private IP address, the floating private IP addresses in the VPC cannot have EIPs bound. Otherwise, the route will not take effect.

  6. Click OK.

Configuring the SNAT server

  1. On the ECS console, use the remote login function to log in to the ECS on which SNAT is to be configured.
  2. Run the following command and enter the password of user root to switch to user root:

    su - root

  3. Run the following command to check whether the ECS can successfully connect to the Internet:

    ping www.google.com

    The ECS can access the Internet if the following information is displayed:

    [root@localhost ~]# ping www.google.com
    PING www.a.shifen.com (xxx.xxx.xxx.xxx) 56(84) bytes of data.
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=51 time=9.34 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=51 time=9.11 ms
    64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=51 time=8.99 ms
  4. Run the following command to check whether IP forwarding of the Linux OS is enabled:

    cat /proc/sys/net/ipv4/ip_forward

    In the command output, 1 indicates enabled, and 0 indicates disabled. The default value is 0.

    • If IP forwarding in Linux is enabled, go to 8.
    • If IP forwarding in Linux is disabled, go to 5.
  5. Run the following command to edit the /etc/sysctl.conf file. Press I to enter the edit mode and set net.ipv4.ip_forward to 1.

    vi /etc/sysctl.conf

  6. Press Esc, type :wq, and press Enter.

    Save the settings and exit the vi editor.

  7. Run the following command to make the change take effect:

    sysctl -p /etc/sysctl.conf

  8. Run the following command to configure the NAT conversion rule:

    iptables -t nat -A POSTROUTING -o eth0 -s <VPC or subnet segment where Workspace desktops reside>/<mask bits> -j SNAT --to <internal IP address of the SNAT server>

    For example, if the VPC network segment is 192.168.1.0, the mask length is 24 bits, and the internal IP address of the SNAT server is 192.168.1.4, run the following command:

    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to 192.168.1.4

  9. Run the following command to save the configuration:

    service iptables save

  10. Run the following command to check whether the operation is successful:

    iptables -t nat --list

    The operation is successful if the information shown in Figure 1 (for example, 192.168.1.0/24) is displayed.

    Figure 1 Verifying configuration
  11. Run the following command to edit the rc.local file:

    vi /etc/rc.d/rc.local

  12. Add the following content to the end of the file:

    /sbin/iptables-restore < /etc/sysconfig/iptables

  13. Press Esc, type :wq, and press Enter.

    Save the settings and exit the vi editor.

  14. Run the following command to modify the ifcfg-eth0 file:

    vi /etc/sysconfig/network-scripts/ifcfg-eth0

  15. Add the following content to the end of the file:

    DNS1=8.8.8.8

  16. Press Esc, type :wq, and press Enter.

    Save the settings and exit the vi editor.

  17. Run the following command to restart the NIC:

    service network restart
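
The SNAT rule in step 8 is scoped with -s to the Workspace subnet, and steps 5 and 9 are what make forwarding and the rule survive a reboot. The following added example (not part of the original guide) checks both from the saved files without changing anything; the function names and the sample file are constructed for illustration, and the addresses are the ones used in step 8.

```bash
#!/bin/bash
# Added example, not from the original guide. Read-only: it inspects the
# files written by steps 5 and 9, so it needs no root and changes nothing.

# forwarding_persisted FILE: succeeds if the last net.ipv4.ip_forward
# assignment in a sysctl.conf-style file is 1 (the last assignment wins).
forwarding_persisted() {
    awk -F= '/^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { exit !(v == "1") }' "$1"
}

# snat_rule_status FILE SUBNET TO_IP: reads an iptables-save file and prints
#   ok         the expected SNAT rule is saved and every NAT rule names a source
#   missing    no saved SNAT rule maps SUBNET to TO_IP (lost on restore)
#   too-broad  a SNAT/MASQUERADE rule has no -s, so any source is translated
# iptables-save writes the --to option from step 8 as --to-source.
snat_rule_status() {
    awk -v want_src="$2" -v want_to="$3" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; tgt = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                else if ($i == "-j") tgt = $(i + 1)
                else if ($i == "--to-source") to = $(i + 1)
            }
            if ((tgt == "SNAT" || tgt == "MASQUERADE") && src == "") broad = 1
            if (tgt == "SNAT" && src == want_src && to == want_to) found = 1
        }
        END { print (broad ? "too-broad" : (found ? "ok" : "missing")) }
    ' "$1"
}

# Constructed sample of /etc/sysconfig/iptables after the example in step 8.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 192.168.1.4
COMMIT
EOF
echo "saved SNAT rule: $(snat_rule_status "$sample" 192.168.1.0/24 192.168.1.4)"
rm -f "$sample"
```

On the SNAT server, run the functions against /etc/sysctl.conf and /etc/sysconfig/iptables with the subnet and internal IP address used in step 8.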

Configuring the user desktop

  1. Go to Network and Sharing Center.
  2. In the View your active networks area, click Local Area Connection 2 or Ethernet 2.

    The Local Area Connection 2 Status dialog box or the Ethernet 2 Status dialog box is displayed.

  3. Click Properties.

    The Local Area Connection 2 Properties dialog box or the Ethernet 2 Properties dialog box is displayed.

  4. Double-click Internet Protocol Version 4 (TCP/IPv4).

    The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box is displayed.

  5. Select Use the following DNS server addresses, and set the DNS server address to 8.8.8.8.
  6. Click Advanced.

    The Advanced TCP/IP Settings dialog box is displayed.

  7. Deselect Automatic metric, and set Interface metric to 2.
  8. Click OK in sequence to save the settings and close the dialog boxes.
  9. Click Close to close the Local Area Connection 2 Status dialog box or the Ethernet 2 Status dialog box.
  10. In the View your active networks area, click Local Area Connection or Ethernet.

    The Local Area Connection Status dialog box or the Ethernet Status dialog box is displayed.

  11. Click Details….

    The Network Connection Details dialog box is displayed.

  12. Record the IPv4 address, for example, 172.16.0.52.
  13. Open the cmd window and run the following command to add a route:

    route add 169.254.0.0 mask 255.255.0.0 <Gateway of the primary NIC> -p

    The first two segments of Gateway of the primary NIC are the same as those of the IP address recorded in 12, and the last two segments are 0 and 1 respectively.

    NOTE:

    For example, if the IPv4 address is 172.16.0.52, the gateway of the primary NIC is 172.16.0.1. Run the following command to add a route:

    route add 169.254.0.0 mask 255.255.0.0 172.16.0.1 -p

Method 3: using a proxy server

Creating a proxy server

  1. Create a proxy server that runs, for example, CentOS. The proxy server must reside in the same VPC as Workspace but on a different subnet.
    NOTE:

    For details about how to configure the ECS, see the Elastic Cloud Server User Guide.

  2. Configure an elastic IP address for the proxy server to access the Internet.

Installing squid

NOTE:

The following operations use CentOS 6.6 as an example.

  1. Log in to the proxy server as user root.
  2. Run the following command to check whether squid is installed:

    rpm -qa|grep squid

    • If it is installed, go to 4.
    • If it is not installed, go to 3.
  3. Run the following command to install squid:

    yum -y install squid

  4. Run the following command to edit the squid.conf configuration file:

    vi /etc/squid/squid.conf

  5. Check whether SSH is used for connection.
    • If SSH is used, go to 6.
    • If SSH is not used, go to 7.
  6. Press I to enter the edit mode and add the following content on a blank line:

    acl Safe_ports port 22

  7. Use # to comment out http_access deny CONNECT !SSL_ports.
  8. Press Esc to exit the edit mode. Type :wq and press Enter.

    Save configurations and exit the vi editor.

  9. Run the following command to restart the squid service.

    service squid restart
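
With the rule in step 7 commented out, CONNECT requests are no longer held to SSL_ports, so the Safe_ports list (including the port added in step 6) becomes the only port limit on tunnels through the proxy. The following added example (not part of the original guide) reports which ACL still bounds CONNECT in a given squid.conf; the function name connect_scope and the sample excerpt are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original guide. Read-only check of squid.conf.
# Assumes the two deny rules sit before any allow rule, as in the stock file.

# connect_scope FILE: prints which port ACL still limits CONNECT tunnels,
# followed by the ports in that ACL, or "any" if neither deny rule is active.
connect_scope() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        $1 == "acl" && $3 == "port" {
            for (i = 4; i <= NF && $i !~ /^#/; i++) ports[$2] = ports[$2] " " $i
        }
        $1 == "http_access" && $2 == "deny" {
            if ($3 == "CONNECT" && $4 == "!SSL_ports") ssl = 1
            if ($3 == "!Safe_ports") safe = 1
        }
        END {
            if (ssl) print "SSL_ports:" ports["SSL_ports"]
            else if (safe) print "Safe_ports:" ports["Safe_ports"]
            else print "any"
        }
    ' "$1"
}

# Constructed squid.conf excerpt after steps 6 and 7.
conf=$(mktemp)
cat > "$conf" <<'EOF'
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 22
acl CONNECT method CONNECT
http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
EOF
echo "CONNECT limited by $(connect_scope "$conf")"
rm -f "$conf"
```

For the excerpt above the result is the whole Safe_ports list, not only port 22, which is why the security group rules in the next section matter.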

Configuring security group rules

  1. Configure security group rules so that external networks cannot access any port of the proxy server and user desktops can access only the proxy port of the proxy server.
    NOTE:

    For details about how to configure security group policies, see the Virtual Private Cloud User Guide.

Configuring the user's browser

  1. Open the proxy server setting page of the browser.
  2. Set the IP address and the port of the proxy server to the IP address and the listening port configured in 1, respectively.