topic Re: Terminal server user identification in General Topics

Terminal server user identification

Radmin_85 — Tue, 13 Mar 2018 09:56:32 GMT

Hello.We have terminal server in which there are many users logged in.But we see them in traffic monitoring only as one Ip address and no separate users.I have installed terminal service agent on terminal server and everything is ok.IT shows connected and green and TS agent define the users.But in firewall i cant see the separate users in monitoring -traffic log. i want to mention that i use agentless ldap integration.But can check with user id agent also.Is there any tips regarding terminal server?

Re: Terminal server user identification

Radmin_85 — Wed, 14 Mar 2018 09:11:45 GMT

any ideas

Re: Terminal server user identification

reaper — Thu, 15 Mar 2018 10:31:57 GMT

hi @Radmin_85

so if I understand correctly, the TSAgent is showing you all the users correctly?

I saw this once before where a <Well known AV vendor> webfiltering client was also installed on the terminal server.

It intercepted all connections and proxied them locally, which caused the port mapping provided by the TSAgent to stop working (TSAgent also intercepts connections and changes the source port so the firewall knows which connections belong to a certain user)

If something similar is installed on your terminal server, you may need to deactivate the url filrtering, or disable the proxying

Re: Terminal server user identification

Radmin_85 — Sat, 17 Mar 2018 10:00:40 GMT

Issue:

File shares set up by users on the terminal server are not identified by the TS Agent and are not mapped to a user in the traffic log.

Resolution:

If the traffic is initiated by an application running with the context of a user (e.g. telnet), the socket information can be intercepted by the TS Agent which will replace the source port. However, if the traffic is generated by a service running with System context, the agent is not able to determine the user information. The TS-Agent will not identify SMB traffic a this is run in a system context.
The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings.

i have read this in the Internet.How one can handle with it?

Re: Terminal server user identification

Remo — Sat, 17 Mar 2018 17:28:02 GMT

@Radmin_85wrote:

i have read this in the Internet.How one can handle with it?

Not the answer you want to hear, but there is no solution. For SMB and other connections in system context you will not have user-ip-port mappings. If you really want to restrict connections from terminalservers to user connections you have to deny these connections (except the ones that that are required like SMB to Domaincontroller, Profileshares, ...) somewhere (on other external firewalls or with the local firewall.

Re: Terminal server user identification

Radmin_85 — Mon, 19 Mar 2018 06:58:27 GMT

But how about internet traffic

Is it possible to identify separate users who go to Internet

Re: Terminal server user identification

Remo — Mon, 19 Mar 2018 08:22:54 GMT

This definately is possible. What output does the following command show you: "show user ip-port-user-mapping all"?

Re: Terminal server user identification

Radmin_85 — Mon, 19 Mar 2018 10:29:57 GMT

the output shows doman name\usernames

so it is ok

Re: Terminal server user identification

reaper — Mon, 19 Mar 2018 11:05:18 GMT

are you seeing these same source ports appear in your firewall's sessions from that server's IP address ?

except for a handful of 'system' services like SMB, every normal user session should be sourced from those source ports. if you see different source ports, you may need to check if htere's a proxy, webfiltering or AV service installed on the server that could intercept outgoing connections and alter the source port once more

Re: Terminal server user identification

Radmin_85 — Mon, 19 Mar 2018 11:10:32 GMT

I will check it
I also used to ping 8.8.8.8 by logging in with one of the users credentials .But in logs i only see the source ip of terminal server and no user

Re: Terminal server user identification

reaper — Mon, 19 Mar 2018 11:11:45 GMT

well ... ping is a system service .... 😉

Re: Terminal server user identification

Radmin_85 — Mon, 19 Mar 2018 11:14:21 GMT

Ok...
But what is best way to check it? Just type something in browser?make http request ?

Re: Terminal server user identification

reaper — Mon, 19 Mar 2018 11:17:36 GMT

yes, try browsing to a common website like cnn or wikipedia

Re: Terminal server user identification

Retired Member — Fri, 05 Feb 2021 06:56:58 GMT

Hi,

do you remember the last situation of this problem ? were you able to solve it ?(and how)

Regards