Terminal server user identification

L4 Transporter

Hello. We have a terminal server on which many users are logged in. But we see them in traffic monitoring only as one IP address and not as separate users. I have installed the Terminal Services agent on the terminal server and everything is OK. It shows connected and green, and the TS agent defines the users. But on the firewall I can't see the separate users in the monitoring - traffic log. I want to mention that I use agentless LDAP integration, but I can check with the User-ID agent also. Are there any tips regarding terminal servers?

L4 Transporter

Re: Terminal server user identification

Any ideas?

Community Manager

Re: Terminal server user identification

hi @Radmin_85

So if I understand correctly, the TSAgent is showing you all the users correctly?

I saw this once before where a <Well known AV vendor> web filtering client was also installed on the terminal server.

It intercepted all connections and proxied them locally, which caused the port mapping provided by the TSAgent to stop working (TSAgent also intercepts connections and changes the source port so the firewall knows which connections belong to a certain user).

If something similar is installed on your terminal server, you may need to deactivate the URL filtering, or disable the proxying.


Help the community: Like helpful comments and mark solutions
Reaper out
L4 Transporter

Re: Terminal server user identification

Issue:

File shares set up by users on the terminal server are not identified by the TS Agent and are not mapped to a user in the traffic log.

Resolution:

If the traffic is initiated by an application running with the context of a user (e.g. telnet), the socket information can be intercepted by the TS Agent which will replace the source port. However, if the traffic is generated by a service running with System context, the agent is not able to determine the user information. The TS-Agent will not identify SMB traffic as this is run in a system context.
The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings.

I have read this on the Internet. How can one handle it?

L7 Applicator

Re: Terminal server user identification


@Radmin_85 wrote:

I have read this on the Internet. How can one handle it?

Not the answer you want to hear, but there is no solution. For SMB and other connections in system context you will not have user-ip-port mappings. If you really want to restrict connections from terminal servers to user connections, you have to deny these connections (except the ones that are required, like SMB to domain controller, profile shares, ...) somewhere (on other external firewalls or with the local firewall).

L4 Transporter

Re: Terminal server user identification

But how about Internet traffic?

Is it possible to identify separate users who go to the Internet?

L7 Applicator

Re: Terminal server user identification

This definitely is possible. What output does the following command show you: "show user ip-port-user-mapping all"?

L4 Transporter

Re: Terminal server user identification

The output shows domain name\usernames.

So it is OK.

Community Manager

Re: Terminal server user identification

Are you seeing these same source ports appear in your firewall's sessions from that server's IP address?

Except for a handful of 'system' services like SMB, every normal user session should be sourced from those source ports. If you see different source ports, you may need to check if there's a proxy, web filtering or AV service installed on the server that could intercept outgoing connections and alter the source port once more.


L4 Transporter

Re: Terminal server user identification

I will check it.
I also used to ping 8.8.8.8 by logging in with one of the users' credentials. But in the logs I only see the source IP of the terminal server and no user.
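
The source-port comparison suggested in the replies above can be scripted. This is an added example, not part of the original thread and not Palo Alto Networks code: the server address, port blocks, user names and session tuples are constructed sample values, and the function names are hypothetical.

```python
from ipaddress import ip_address

# Constructed sample data, not copied from a real firewall or TS Agent.
TS_SERVER = "10.0.0.50"
# Source-port blocks the agent assigned to logged-in users: (first, last, user).
USER_BLOCKS = [
    (20000, 20199, r"corp\alice"),
    (20200, 20399, r"corp\bob"),
]
# Assumed range left to non-user (System context) sockets on the server.
SYSTEM_RANGE = (1025, 19999)
# Sessions as the firewall sees them: (src_ip, proto, src_port or None, app).
SESSIONS = [
    ("10.0.0.50", "tcp", 20010, "web-browsing"),
    ("10.0.0.50", "tcp", 1500, "ms-ds-smb"),
    ("10.0.0.50", "icmp", None, "ping"),
    ("10.0.0.50", "tcp", 51000, "web-browsing"),
]

def overlaps(blocks, system_range):
    """Return user blocks that collide with the system range (misconfiguration)."""
    lo, hi = system_range
    return [b for b in blocks if b[0] <= hi and lo <= b[1]]

def attribute(session, server=TS_SERVER, blocks=USER_BLOCKS,
              system_range=SYSTEM_RANGE):
    """Classify one session by source port, the way an ip-port-user mapping does."""
    src_ip, _proto, sport, _app = session
    if ip_address(src_ip) != ip_address(server):
        return ("not-ts-server", None)
    if sport is None:
        # ICMP carries no source port, so a port-based mapping cannot match it.
        return ("no-source-port", None)
    for first, last, user in blocks:
        if first <= sport <= last:
            return ("user", user)
    if system_range[0] <= sport <= system_range[1]:
        # System-context traffic such as SMB: expected to stay unmapped.
        return ("system-context", None)
    # Outside every known range: something re-originated the connection after
    # the agent, e.g. a local proxy, web filtering or AV client.
    return ("unmapped-port", None)

def audit(sessions):
    """Return (session, verdict, user) for every session."""
    return [(s, *attribute(s)) for s in sessions]

if __name__ == "__main__":
    for sess, verdict, user in audit(SESSIONS):
        print(sess, verdict, user or "-")
```

User applications such as web browsing that land in `system-context` or `unmapped-port` are the sessions to investigate for a local proxy or filtering client.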