<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: UserID issue when using RDP via GlobalProtect client in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/userid-issue-when-using-rdp-via-globalprotect-client/m-p/379534#M89579</link>
    <description>&lt;P&gt;Have you tried increasing the user ID timeout?&lt;/P&gt;&lt;P&gt;The default is 45 mins, so after that time the original GP auth mapping will be lost.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Users can then connect to many devices within the same GP connection.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would prefer to place users in different groups and then use group membership in the policies.&lt;/P&gt;</description>
    <pubDate>Wed, 13 Jan 2021 12:46:06 GMT</pubDate>
    <dc:creator>Mick_Ball</dc:creator>
    <dc:date>2021-01-13T12:46:06Z</dc:date>
    <item>
      <title>UserID issue when using RDP via GlobalProtect client</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/userid-issue-when-using-rdp-via-globalprotect-client/m-p/379466#M89572</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I have the following issue when using RDP via GlobalProtect client.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Situation:&lt;/STRONG&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;PaloAlto 820 with PAN-OS 9.0.9, GlobalProtect Client 5.2.4, Windows 2016 Active Directory&lt;/LI&gt;&lt;LI&gt;For remote access we use GlobalProtect with Active Directory accounts (RADIUS authentication to AD)&lt;/LI&gt;&lt;LI&gt;User-ID is used utilizing a UserID agent installed on the DC&lt;/LI&gt;&lt;LI&gt;User-based policies are used&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;STRONG&gt;Issue:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;When a user connects via GlobalProtect, its traffic is associated with the domain user name used for establishing the VPN connection. It has all access allowed for that user name. At some point, the user makes an RDP connection to some server or workstation, and logs into it using the same user name (it is his own domain user name, the only one he has). From that moment that user name is mapped to the IP address of the remote computer, and is no longer mapped to the IP address he/she was assigned when the VPN connection was established. As a result, traffic coming from that user via the VPN connection is no longer associated with its user name, and he/she can't create new connections allowed by user-based policies. For example, the user can't establish a second RDP session!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Used Solution:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;We make different IP pools, assign GP users IP addresses from pools according to group membership, and create policies based on IP address. So we don't use user ID based policies for VPN users. However, this "solution" is not good for us.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Other possible solutions we see&lt;/STRONG&gt;:&lt;/P&gt;&lt;P&gt;Use a different User ID for GlobalProtect only.
That would be problematic for users, who would need to have one more user/password combination. It will also make administration of policies harder, as we have to use two different usernames for the same user - one for VPN related policies, and another - for other policies.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you have any ideas, or if I'm getting the reason for that effect wrong, please let me know. Thank you!&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jan 2021 10:50:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/userid-issue-when-using-rdp-via-globalprotect-client/m-p/379466#M89572</guid>
      <dc:creator>GeorgeAPH</dc:creator>
      <dc:date>2021-01-13T10:50:31Z</dc:date>
    </item>
    <item>
      <title>Re: UserID issue when using RDP via GlobalProtect client</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/userid-issue-when-using-rdp-via-globalprotect-client/m-p/379534#M89579</link>
      <description>&lt;P&gt;Have you tried increasing the user ID timeout?&lt;/P&gt;&lt;P&gt;The default is 45 mins, so after that time the original GP auth mapping will be lost.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Users can then connect to many devices within the same GP connection.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would prefer to place users in different groups and then use group membership in the policies.&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jan 2021 12:46:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/userid-issue-when-using-rdp-via-globalprotect-client/m-p/379534#M89579</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2021-01-13T12:46:06Z</dc:date>
    </item>
  </channel>
</rss>

