topic Re: User-ID mapping in General Topics

User-ID mapping

AzerbaijanSupermarkets — Mon, 04 Dec 2017 14:16:01 GMT

Hello. We have such kind of problem. This user has allowed privilege to visit this category and the other one, but PA very frequently identify it by ip, not the username (with User-ID). we use agentless client for mapping between PA and our AD.

The problem happens very often with a small amount of users (for example exactly with this one). Maybe some of you have already faced with this?

Thanks in advance.

Re: User-ID mapping

BPry — Mon, 04 Dec 2017 14:21:48 GMT

@AzerbaijanSupermarkets,

Could you send a screenshot of your User Mapping settings, specifically what your User Identification Timeout is set to. The biggest cause for this type of issue is inproper Log Monitor Frequency or having the User Identification Timeout set to low to actually keep the user mapped to the IP.

Re: User-ID mapping

AzerbaijanSupermarkets — Mon, 04 Dec 2017 15:48:40 GMT

BPry,

you think that I should set this timeout higher than 45 minutes?

Re: User-ID mapping

BPry — Mon, 04 Dec 2017 15:51:42 GMT

@AzerbaijanSupermarkets,

Most definitively this is what's causing your issue. If the user does not generate an authentication event on the server within the 45 minute time period you are losing the mapping. Most office workers, esspecially on Windows, will not be generating any events on the AD server for the agent to read within a 45 minute time period.

Re: User-ID mapping

AzerbaijanSupermarkets — Mon, 04 Dec 2017 16:26:04 GMT

@BPry

I changed this time to 3 hours. Right now this problem happens only at one user. Hope this is going to help me.
Thank you.

Re: User-ID mapping

TerjeLundbo — Tue, 05 Dec 2017 11:24:34 GMT

Sorry for hijacking this thread, but I have been looking for a recommendation when it comes to user-id timeout value. We have a few thousand users logging in and out of Citrix throughout the day, but others work only locally on their laptops. We have user-id agents on all domain controllers and TS agents on all Citrix servers. In addition we have loads of users with BYOD devices on a wireless network where we get IP-user-mappings from the wireless controllers (Syslog events).

Re: User-ID mapping

BPry — Tue, 05 Dec 2017 13:49:45 GMT

@TerjeLundbo,

The timeout value really depends on the enviroment. In an active enviroment where people will be generating logging events throughout the day, such as Citrix, the time can be set relatively low. When employees are working on one machine throughout the day I would generally set the timeout to equal your average work period, for example 480 mins for a total of an 8 hour ageout period.

The only thing to really remember is that setting a higher ageout period could cause users to maintain the last user mapping longer than intended. In the majority of rulebases this wouldn't really be a big concern, but that would be dependant on what your configuration actually looks like.

Re: User-ID mapping

TerjeLundbo — Wed, 06 Dec 2017 12:23:45 GMT

Thanks @BPry

My worry is that by setting the timeout value low to keep user-id from Citrix updated we risk timing out users working on thick clients that do not generate security log events frequently. Would adding our Exchange servers to the userid agents help with that? Our desktop/laptop users generally have Outlook open all the time.

Re: User-ID mapping

BPry — Wed, 06 Dec 2017 13:51:24 GMT

@TerjeLundbo,

What do you currently have your ageout value set to? You generally would not want to get any info from your Exchange servers.

Re: User-ID mapping

TerjeLundbo — Wed, 06 Dec 2017 13:58:05 GMT

@BPry

45 minutes.

Re: User-ID mapping

BPry — Wed, 06 Dec 2017 14:02:41 GMT

@TerjeLundbo,

You really shouldn't have any issues raising this value, the Citrix information should stay up-to-date and your thick clients will maintain their user-id information.

Re: User-ID mapping

jvalentine — Wed, 06 Dec 2017 14:53:01 GMT

I would recommend adding Exchange as another source for User-ID mapping. Users may only login to the domain once in a day, but they check e-mail many times throughout the day. Each time they open/use Outlook is another opportunity to refresh their user-to-ipaddress mapping. With User-ID, more sources is a good thing(tm).

Also, what's your DHCP lease set to? A good starting point for your user mapping timeout value is 1/2 the DHCP lease time.

Re: User-ID mapping

TerjeLundbo — Fri, 08 Dec 2017 14:05:33 GMT

For employee clients we use 8 days as DHCP lease time, so 4 days user-ID timeout would perhaps be a bit excessive 🙂 But thanks for all the input, I'll probably increase the timeout to 4 hours as a start.

What do others think about adding Exchange servers to the user-ID agents?

Re: User-ID mapping

Brandon_Wertz — Fri, 08 Dec 2017 19:19:59 GMT

A max timeout for user IP mapping is 24hrs so you don't need to worry about anything beyond that.