<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Terminal Services User-ID Agent Flaw in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/31003#M22689</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, I have done so. Personally, I can work around it, and hopefully the customer can as well. I was just kind of surprised is all.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 23 Nov 2011 21:26:34 GMT</pubDate>
    <dc:creator>dpayne</dc:creator>
    <dc:date>2011-11-23T21:26:34Z</dc:date>
    <item>
      <title>Terminal Services User-ID Agent Flaw</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/30999#M22685</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;A new customer during deployment was wanting to test how well the TS User ID agent was working at identifying users. We logged on as User A and started a specific ping. We searched the log file, and there was the ping. We had it running continuously for several minutes. During a refresh, we started to notice that other users were also pinging this exact same address from the same TS. This was very unlikely, so we logged in User B. As soon as we logged in, the log indicated that User B was responsible for the pings, even though we could clearly see this was not the case. After explaining these results to Support, here was the explanation:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Since the TS User-ID agent uses port ranges to identify each user, it only is capable of identifying the traffic for a user if the protocol is tcp/udp (because they are port based).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My customer is a Bank, and they consider the feature unusable, because the last user to log in may not be allowed to ping, or gre, or whatever.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Has anyone else noticed this behavior? Any workarounds or fixes in the mix?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Nov 2011 18:37:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/30999#M22685</guid>
      <dc:creator>dpayne</dc:creator>
      <dc:date>2011-11-23T18:37:59Z</dc:date>
    </item>
    <item>
      <title>Re: Terminal Services User-ID Agent Flaw</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/31000#M22686</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I'm not sure why they would consider it "unusable?"&amp;nbsp; The main purpose of the TS UserID function is to enable you to do per-user web filtering from a Terminal Server, without having to use virtual IPs per each individual.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I would never allow my users to do anything that would involve GRE from a terminal server.&amp;nbsp; That could do $deity knows what to other people on the same terminal server and is not a good idea.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Ping is ICMP so it isn't tracked by UserID, but really, is that something you are concerned about?&amp;nbsp; Our users can't even access the command line on our terminal servers, so they don't really have any way to ping.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Nov 2011 19:08:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/31000#M22686</guid>
      <dc:creator>bradenmcg</dc:creator>
      <dc:date>2011-11-23T19:08:45Z</dc:date>
    </item>
    <item>
      <title>Re: Terminal Services User-ID Agent Flaw</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/31001#M22687</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I suppose that's fine if you only want web filtering, however, that is not the case here. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Nov 2011 20:04:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/31001#M22687</guid>
      <dc:creator>dpayne</dc:creator>
      <dc:date>2011-11-23T20:04:15Z</dc:date>
    </item>
    <item>
      <title>Re: Terminal Services User-ID Agent Flaw</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/31002#M22688</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;@dpayne:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As you have learned from your call to Technical Support the Terminal Services agent works by restricting the source port on a per user basis for TCP and UDP protocols. For applications that use other network protocols the Terminal Services agent will be unable to perform any function.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you wish to see the Terminal Services agent support protocols other than TCP and UDP you will need to have your sales team submit a feature request.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-Benjamin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Nov 2011 21:21:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/31002#M22688</guid>
      <dc:creator>bpappas</dc:creator>
      <dc:date>2011-11-23T21:21:44Z</dc:date>
    </item>
    <item>
      <title>Re: Terminal Services User-ID Agent Flaw</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/31003#M22689</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, I have done so. Personally, I can work around it, and hopefully the customer can as well. I was just kind of surprised is all.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 23 Nov 2011 21:26:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/terminal-services-user-id-agent-flaw/m-p/31003#M22689</guid>
      <dc:creator>dpayne</dc:creator>
      <dc:date>2011-11-23T21:26:34Z</dc:date>
    </item>
  </channel>
</rss>

