OCI Secure Desktop
- subhash496
- Feb 13, 2024
- 2 min read
The Oracle Cloud Infrastructure Secure Desktops service allows an administrator to create a set of identically configured virtual desktops, which individual users can then securely access.
The sections below contain the OCI Secure Desktop setup steps for compartments, policies for users and groups, compute images, storage, and network.
Section 1: Set up the OCI Tenancy for Secure Desktop
1.1 OCI Compartment
Create a compartment for the Secure Desktop pool:
Compartment name: SecureDesktop
1.2 Create Dynamic Group
Create a dynamic group with the following settings:
Dynamic group name: DesktopPoolsDynamicGroup
Rule matching: match any of the rules defined below
Rule: All {resource.type = 'desktoppool', resource.compartment.id = '<CompOCID>'}
1.3 Create Policies
In the root compartment, add the following policy statements for the DesktopPoolsDynamicGroup dynamic group:
Allow dynamic-group DesktopPoolsDynamicGroup to {DOMAIN_INSPECT} in tenancy
Allow dynamic-group DesktopPoolsDynamicGroup to inspect users in tenancy
Allow dynamic-group DesktopPoolsDynamicGroup to inspect compartments in tenancy
Allow dynamic-group DesktopPoolsDynamicGroup to use tag-namespaces in tenancy
Allow dynamic-group DesktopPoolsDynamicGroup to use virtual-network-family in compartment Network
Allow dynamic-group DesktopPoolsDynamicGroup to {VCN_ATTACH, VCN_DETACH} in compartment Network
Allow dynamic-group DesktopPoolsDynamicGroup to manage virtual-network-family in compartment SecureDesktop
Allow dynamic-group DesktopPoolsDynamicGroup to read instance-images in compartment SecureDesktop
Allow dynamic-group DesktopPoolsDynamicGroup to manage instance-family in compartment SecureDesktop
Allow dynamic-group DesktopPoolsDynamicGroup to manage volume-family in compartment SecureDesktop
Allow dynamic-group DesktopPoolsDynamicGroup to manage dedicated-vm-hosts in compartment SecureDesktop
Allow dynamic-group DesktopPoolsDynamicGroup to manage orm-family in compartment SecureDesktop
Allow dynamic-group DesktopPoolsDynamicGroup to {VNIC_CREATE, VNIC_DELETE} in compartment SecureDesktop
Allow dynamic-group DesktopPoolsDynamicGroup to manage instance-configurations in compartment SecureDesktop
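The statement set above is easy to mis-scope when it is pasted from a run-together line, so here is an added Python example (not Oracle's code or tooling) that splits run-on lines into individual statements, parses each one, emits the JSON array shape that "oci iam policy create --statements file://..." accepts, and flags any statement that grants more than inspect/use at tenancy scope. The verb ranking, the rule that tenancy-wide permission lists should be *_INSPECT permissions only, and the expected compartment names (Network, SecureDesktop) are this example's assumptions; the statement grammar it recognises is just the subset used on this page.

```python
"""Lint the IAM policy statements granted to the Secure Desktop dynamic group.

Added example, not Oracle's code. It recognises the subset of OCI policy grammar
used on this page:
  Allow dynamic-group <group> to <verb> <resource-type> in <tenancy|compartment <name>>
  Allow dynamic-group <group> to {PERM_A, PERM_B} in <tenancy|compartment <name>>
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The statements from section 1.3, one per entry.
SECURE_DESKTOP_STATEMENTS = [
    "Allow dynamic-group DesktopPoolsDynamicGroup to {DOMAIN_INSPECT} in tenancy",
    "Allow dynamic-group DesktopPoolsDynamicGroup to inspect users in tenancy",
    "Allow dynamic-group DesktopPoolsDynamicGroup to inspect compartments in tenancy",
    "Allow dynamic-group DesktopPoolsDynamicGroup to use tag-namespaces in tenancy",
    "Allow dynamic-group DesktopPoolsDynamicGroup to use virtual-network-family in compartment Network",
    "Allow dynamic-group DesktopPoolsDynamicGroup to {VCN_ATTACH, VCN_DETACH} in compartment Network",
    "Allow dynamic-group DesktopPoolsDynamicGroup to manage virtual-network-family in compartment SecureDesktop",
    "Allow dynamic-group DesktopPoolsDynamicGroup to read instance-images in compartment SecureDesktop",
    "Allow dynamic-group DesktopPoolsDynamicGroup to manage instance-family in compartment SecureDesktop",
    "Allow dynamic-group DesktopPoolsDynamicGroup to manage volume-family in compartment SecureDesktop",
    "Allow dynamic-group DesktopPoolsDynamicGroup to manage dedicated-vm-hosts in compartment SecureDesktop",
    "Allow dynamic-group DesktopPoolsDynamicGroup to manage orm-family in compartment SecureDesktop",
    "Allow dynamic-group DesktopPoolsDynamicGroup to {VNIC_CREATE, VNIC_DELETE} in compartment SecureDesktop",
    "Allow dynamic-group DesktopPoolsDynamicGroup to manage instance-configurations in compartment SecureDesktop",
]

STATEMENT_RE = re.compile(
    r"^Allow dynamic-group (?P<group>[\w.-]+) to "
    r"(?:(?P<verb>inspect|read|use|manage) (?P<resource>[\w-]+)"
    r"|\{(?P<perms>[A-Z_]+(?:,\s*[A-Z_]+)*)\})"
    r" in (?P<scope>tenancy|compartment [\w.-]+)$"
)

# Assumption: OCI's verb hierarchy, least to most privilege.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


@dataclass(frozen=True)
class Statement:
    group: str
    verb: Optional[str]            # None for permission-list statements
    resource: Optional[str]        # None for permission-list statements
    permissions: Tuple[str, ...]   # e.g. ("VCN_ATTACH", "VCN_DETACH")
    scope: str                     # "tenancy" or a compartment name


def split_run_on(text: str) -> List[str]:
    """Split a scraped line where several statements were run together."""
    parts = re.split(r"\s+(?=Allow )", text)
    return [p.strip(" |") for p in parts if p.strip(" |")]


def parse_statement(text: str) -> Statement:
    """Parse one statement; raises ValueError on anything outside the grammar above."""
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    perms = tuple(p.strip() for p in m["perms"].split(",")) if m["perms"] else ()
    scope = m["scope"]
    if scope.startswith("compartment "):
        scope = scope.split(" ", 1)[1]
    return Statement(m["group"], m["verb"], m["resource"], perms, scope)


def lint(statements: List[str], allowed_compartments: Set[str],
         max_tenancy_verb: str = "use") -> List[str]:
    """Return least-privilege findings; an empty list means the set passed.

    Rules (this example's assumptions, not an Oracle requirement):
      * tenancy-wide statements may use at most `max_tenancy_verb`;
      * tenancy-wide permission lists must contain *_INSPECT permissions only;
      * compartment-scoped statements must name a compartment we expect.
    """
    findings = []
    limit = VERB_RANK[max_tenancy_verb]
    for text in statements:
        st = parse_statement(text)
        if st.scope == "tenancy":
            if st.verb is not None and VERB_RANK[st.verb] > limit:
                findings.append(f"'{st.verb} {st.resource}' is tenancy-wide; scope it to a compartment")
            bad = [p for p in st.permissions if not p.endswith("_INSPECT")]
            if bad:
                findings.append(f"tenancy-wide non-inspect permissions: {', '.join(bad)}")
        elif st.scope not in allowed_compartments:
            findings.append(f"unexpected compartment {st.scope!r} in: {text}")
    return findings


def statements_json(statements: List[str]) -> str:
    """JSON array usable as 'oci iam policy create --statements file://policy.json'."""
    for s in statements:
        parse_statement(s)  # fail fast on a malformed statement
    return json.dumps([s.strip() for s in statements], indent=2)


if __name__ == "__main__":
    problems = lint(SECURE_DESKTOP_STATEMENTS, {"Network", "SecureDesktop"})
    print("findings:", problems or "none")
    print(statements_json(SECURE_DESKTOP_STATEMENTS))
```

Run it before creating the policy: an empty findings list confirms that every manage-level grant is confined to the SecureDesktop compartment and that the only tenancy-wide grants are the inspect/use ones the service needs, which is the shape the page's statement set already has.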
1.4 Add a Service Gateway and NAT Gateway to the VCN
Add a Service Gateway and a NAT Gateway to the VCN that will be used for the Secure Desktop pool.
Add route rules for the Service Gateway and the NAT Gateway to the route table attached to the Secure Desktop VCN.
Section 2: Create Windows Image
2.1 Create a Windows Compute Instance
Create a Windows compute instance with the following properties:
Networking: choose a VCN and a private subnet
Image: choose the Windows flavour that will determine the guest OS of the secure desktops
Shape: choose a compute shape that reflects the guest secure desktops, e.g. VM.Standard.E4.Flex
2.2 Install applications and update Windows settings
Install the applications that are required in the guest secure desktop on the Windows compute instance above, e.g. PuTTY, Chrome, Firefox, FileZilla, etc.
2.3 Create Windows custom image
From the compute instance's details page, click More actions -> Create custom image to create a custom image based on the instance above.
IMPORTANT: Add the following tags when creating the custom image:
oci:desktops:is_desktop_image = true
oci:desktops:image_os_type = Windows
oci:desktops:use_dedicated_host = false
Section 3: Create Secure Desktop pool
3.1 Create desktop pool
Create a desktop pool using the VCN and the custom image configured in the previous steps.
3.2 Confirm desktop pool status
Confirm that the desktop pool has been created and is in the ACTIVE state.
Confirm that at least one desktop has been created and is in the ACTIVE state.
Section 4: Set up Users and Groups
4.1 Create Secure Desktop User and Administrator group
Create the Secure Desktop Users and Administrators groups and assign the relevant users to each group.
4.2 Create policies for the Secure Desktop User and Administrator groups
Create policies for the Secure Desktop Users and Administrators groups that grant the members of each group access to the Secure Desktop pool.
Section 5: Launch Secure Desktop
5.1 Access Secure Desktop Portal
The Secure Desktop default URL is https://published.desktops.<region>.oci.oraclecloud.com/client, where <region> is the OCI region identifier of the tenancy.
Log in using the user's OCI credentials and confirm that the landing page loads.
5.2 Launch Desktop using Web Client
Click on desktop-pool-01, or on the three dots next to it, to launch the desktop in the browser.
Optionally, download the Windows, Linux or macOS client to launch the secure virtual desktop.
Note: The virtual desktop may fail to launch because of the browser's pop-up blocker. Click on the "Pop-ups blocked" notification to launch the virtual desktop.