Per user authentication on Terminal Server

Hi,

I wonder if it is possible to authenticate different users (for firewalling / web filtering purposes) who are in multiple Windows remote sessions on a single machine (single IP).

The AD transparent system seems to have a "per IP" behaviour.

I made a try with the authentication agent but noticed that those users who do not have the agent installed in their sessions are seen in the UTM as the username that uses the agent in the other session (they should be anonymous).

Any clue about how to handle it?



This thread was automatically locked due to age.
  • Hi Sachingurung,

    I've followed all the steps to install and configure SATC.

    At the moment I type this command in the console: "system auth thin-client add citrix-ip <server-ip>"
    Here is the strange behavior I get:

      - the user appears in "Live users" with type "Thin client" (good)
      - the user-aware firewall rule does not match
      - the userless firewall rule matches instead AND the web filter policy applied to it stops working for requests coming from the RDS server IP! So the user simply stops being filtered.
      - in logs: the firewall logs that the userless rule matched (with no username) and the web filter logs nothing coming from the RDS IP (no allow nor deny)

    I get this behavior even if I uninstall SATC on the server.

    So, when I disable the command ("system auth thin-client delete citrix-ip <server-ip>") the filtering system is working again.

  • Hi Eddy,

    Did you place the firewall rule on the TOP and select "Captive Portal to unknown users" option?

    Show me the screenshot of the configuration.

    Thanks

  • I placed it above the "userless" rule, but I don't want anonymous users to be redirected to the captive page .....

  • Hi EddyMinet,

    The rules are processed from top to bottom, so if you add the user-less rule on the top it would make no sense and the rule below it will be bypassed. Now if the user-less rule is below the authentication rule, the users who are not authenticated will not match the authentication rule and will fall through to the client-less rule. The match is based on the parameters of the rule. If that rule is not present and the parameters did not match any other rule, it would simply throw the captive portal.
