We're running W2K16 servers here using Citrix. We also installed the latest TSA, and when a user logs in, he is properly recognized on the firewall and the TSA assigns a port range dedicated to the user.
When establishing a new TCP connection, that is also properly recognized on the firewall and permissions can be granted depending on the user. So at first sight everything works perfectly.
Now let me explain our problem. Whenever you start a file explorer or try to open a file within a piece of software (e.g. a Word document or Excel file), access to remote servers (SMB share) is not done from the ports assigned to the user. All traffic seems to be sent from the system account, and therefore the firewall cannot map the user.
So my problem now is: how could I limit access to file servers for requests coming from the Citrix server running the TSA to specific users?
Users 1 and 2 should be able to access file server 1 but not 2.
Users 3 and 4 should be able to access file server 2 but not 1.
We had already opened a support ticket with Palo Alto, and they confirmed this behaviour, but they have not been able to provide a solution.
I think this is a nightmare, as file access is one of the core features each piece of software needs, and I can't imagine that we're the only ones having that problem. Anyone else here having that problem? Any solutions? Is there a magic switch on Windows that enables an SMB session per user instead of per machine? Or is no one else in this community doing file operations on remote systems?
This is because file shares are accessed at the system level rather than the user level on Windows machines. This happens below the level where TS Agent is able to intercept and change the source port.
Thanks for the answer,
In the meantime I found on the internet that other Terminal Service Agents are facing the same problem. It also seems that there is no known workaround for that issue.
I'm quite surprised that it seems that no one has the use case to allow file access based on detected users. Of course SMB brings some security features, and I need to rely on the security of AD anyway when using user detection. But limiting access to potentially attackable servers would reduce the attack surface.
So I'm quite surprised that it seems like no vendor (Palo, Cisco, Checkpoint, etc.) is trying to convince Microsoft to modify the behavior on TS servers so that SMB sessions are not handled in the System context.
Anyone out there having a solution or workaround?
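The mechanism discussed in this thread (the agent allocating a source-port range per logged-in user, the firewall mapping source port back to user, and SMB connections opened in SYSTEM context falling outside those ranges) can be reproduced in a small simulation. The following is an added example written for this thread, not code from Palo Alto, Citrix or any poster; the user port ranges, server addresses, policy table and log lines are all constructed, and the Windows ephemeral range 49152-65535 is the OS default that SYSTEM-context connections draw from rather than the agent's per-user allocation.

```python
"""Simulate TS Agent port-range-to-user mapping and show why SMB flows from a
terminal server cannot be matched to a user.  Everything below is constructed
for illustration (example code, not the vendor's implementation)."""
from dataclasses import dataclass
import re

# Constructed: port ranges a hypothetical TS Agent allocated to logged-in users.
TSA_PORT_RANGES = {
    "user1": (20000, 20199),
    "user2": (20200, 20399),
    "user3": (20400, 20599),
    "user4": (20600, 20799),
}

# Windows default dynamic port range.  SYSTEM-context SMB connections use
# this pool instead of the per-user range allocated by the agent.
WINDOWS_EPHEMERAL = (49152, 65535)

# Constructed file servers and the per-user policy from the thread.
FILE_SERVERS = {"10.2.2.10": "fileserver1", "10.2.2.20": "fileserver2"}
ALLOWED = {
    "user1": {"fileserver1"},
    "user2": {"fileserver1"},
    "user3": {"fileserver2"},
    "user4": {"fileserver2"},
}

LOG_RE = re.compile(r"src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+)")


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed traffic-log line into a Flow."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Flow(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


def map_user(sport: int):
    """Reverse the agent's allocation: source port -> user, or None."""
    for user, (lo, hi) in TSA_PORT_RANGES.items():
        if lo <= sport <= hi:
            return user
    return None


def evaluate(flow: Flow):
    """Return (user, verdict).  Verdict is 'allow', 'deny' or 'unmapped';
    'unmapped' means no user-based rule can apply to this flow."""
    user = map_user(flow.sport)
    if user is None:
        return None, "unmapped"
    server = FILE_SERVERS.get(flow.dst)
    if server is None:
        return user, "allow"  # not a file server; outside this policy
    return user, ("allow" if server in ALLOWED[user] else "deny")


def unmapped_smb(lines):
    """Defender's check: SMB (445) flows from the terminal server that carry no
    user identity.  These are exactly the flows the thread is about."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        user, verdict = evaluate(flow)
        if flow.dport == 445 and verdict == "unmapped":
            in_ephemeral = WINDOWS_EPHEMERAL[0] <= flow.sport <= WINDOWS_EPHEMERAL[1]
            hits.append((flow.sport, flow.dst, in_ephemeral))
    return hits


# Constructed log lines: two user-context flows and two SYSTEM-context SMB flows.
SAMPLE_LOG = [
    "src=10.1.1.5 sport=20015 dst=10.2.2.10 dport=443",  # user1 -> fileserver1
    "src=10.1.1.5 sport=20450 dst=10.2.2.10 dport=443",  # user3 -> fileserver1
    "src=10.1.1.5 sport=49812 dst=10.2.2.10 dport=445",  # SMB, ephemeral port
    "src=10.1.1.5 sport=51200 dst=10.2.2.20 dport=445",  # SMB, ephemeral port
]


def run(lines=SAMPLE_LOG):
    return [evaluate(parse_flow(line)) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, run()):
        print(f"{line}  ->  {result}")
    print("unmapped SMB flows:", unmapped_smb(SAMPLE_LOG))
```

The two non-SMB flows are attributed to user1 and user3 and get the expected allow/deny verdicts, while both port-445 flows come back `unmapped`: their source ports sit in the OS dynamic range, so the firewall has nothing to tie them to a user and any user-based rule is skipped. The `unmapped_smb` check is the kind of report that makes the gap visible in real logs; for the access control itself, the follow-up post's point stands that share-level permissions in AD remain the enforcement point for these flows.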