Terminal server user identification

Hello. We have a terminal server on which many users are logged in, but we see them in traffic monitoring only as one IP address, with no separate users. I have installed the Terminal Services agent on the terminal server and everything is OK: it shows connected and green, and the TS agent identifies the users. But in the firewall I can't see the separate users in the monitoring traffic log. I want to mention that I use agentless LDAP integration, but I can also check with the User-ID agent. Are there any tips regarding terminal servers?

Any ideas?

Hi @Radmin_85,

So if I understand correctly, the TSAgent is showing you all the users correctly?

I saw this once before where a <Well known AV vendor> webfiltering client was also installed on the terminal server.

It intercepted all connections and proxied them locally, which caused the port mapping provided by the TSAgent to stop working (TSAgent also intercepts connections and changes the source port so the firewall knows which connections belong to a certain user)


If something similar is installed on your terminal server, you may need to deactivate the URL filtering, or disable the proxying.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Issue:


File shares set up by users on the terminal server are not identified by the TS Agent and are not mapped to a user in the traffic log.


Resolution:


If the traffic is initiated by an application running in the context of a user (e.g. telnet), the socket information can be intercepted by the TS Agent, which will replace the source port. However, if the traffic is generated by a service running in System context, the agent is not able to determine the user information. The TS Agent will not identify SMB traffic, as this is run in a system context.
The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings.


I read this on the Internet. How can one handle it?


@Radmin_85 wrote:

I read this on the Internet. How can one handle it?


Not the answer you want to hear, but there is no solution. For SMB and other connections in system context you will not have user-IP-port mappings. If you really want to restrict connections from terminal servers to user connections, you have to deny these connections (except the ones that are required, like SMB to the domain controller, profile shares, ...) somewhere (on other external firewalls or with the local firewall).

But how about Internet traffic?

Is it possible to identify separate users who go to the Internet?

This definitely is possible. What output does the following command show you: "show user ip-port-user-mapping all"?

The output shows domain name\usernames,

so it is OK.

Are you seeing these same source ports appear in your firewall's sessions from that server's IP address?


Except for a handful of 'system' services like SMB, every normal user session should be sourced from those source ports. If you see different source ports, you may need to check if there's a proxy, web filtering or AV service installed on the server that could intercept outgoing connections and alter the source port once more.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
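The check suggested above (compare the source ports the firewall actually sees from the terminal server against the ranges the TS Agent has mapped to users, and separately make sure the user ranges do not overlap the system-reserved range mentioned in the quoted article) can be scripted. The following is an added example, not code from the thread or from Palo Alto Networks; the IP address, the user port ranges, the system-reserved range and the session records are all constructed placeholders, and the real values would come from `show user ip-port-user-mapping all`, the firewall's session table and the terminal server's registry settings.

```python
"""Cross-check sessions from a terminal server against TS Agent port mappings.

All data below is constructed for illustration; it is not thread output.
"""
from collections import Counter

TS_SERVER_IP = "10.0.5.20"  # assumed terminal server address

# Assumed per-session user port ranges, as the TS Agent would allocate them.
USER_PORT_MAP = {
    (20100, 20349): r"CORP\alice",
    (20350, 20599): r"CORP\bob",
}

# Assumed system-reserved source port range for System-context traffic
# (SMB, etc.). The thread says this is set in the Windows registry but
# gives no values, so these are placeholders.
SYSTEM_RESERVED = (1025, 5000)

# Constructed session records: (src_ip, src_port, dst_ip, dst_port, proto)
SESSIONS = [
    ("10.0.5.20", 20105, "198.51.100.10", 443, "tcp"),   # alice browsing
    ("10.0.5.20", 20360, "198.51.100.11", 80,  "tcp"),   # bob browsing
    ("10.0.5.20", 1030,  "10.0.1.5",      445, "tcp"),   # SMB to DC (System)
    ("10.0.5.20", None,  "8.8.8.8",       0,   "icmp"),  # ping: no source port
    ("10.0.5.20", 50123, "198.51.100.12", 443, "tcp"),   # port outside any range
    ("10.0.7.9",  33000, "198.51.100.13", 443, "tcp"),   # not the terminal server
]


def lookup_user(port):
    """Return the user mapped to a source port, or None if no range matches."""
    for (lo, hi), user in USER_PORT_MAP.items():
        if lo <= port <= hi:
            return user
    return None


def classify(session):
    """Label a session: user:<name>, system, system-noport, unmapped, not-ts."""
    src_ip, src_port, _dst_ip, _dst_port, proto = session
    if src_ip != TS_SERVER_IP:
        return "not-ts"
    if proto == "icmp" or src_port is None:
        # ICMP (ping) carries no source port, so the agent cannot map it;
        # the firewall will only ever show the server's IP for it.
        return "system-noport"
    user = lookup_user(src_port)
    if user:
        return "user:" + user
    lo, hi = SYSTEM_RESERVED
    if lo <= src_port <= hi:
        return "system"
    # A TCP/UDP session from the TS IP whose port is in neither range is the
    # symptom described in the thread: something (proxy, web filter, AV) may
    # be rewriting the source port after the TS Agent assigned it.
    return "unmapped"


def audit(sessions):
    """Count sessions per label and return the unmapped ones for follow-up."""
    labels = [classify(s) for s in sessions]
    suspicious = [s for s, lbl in zip(sessions, labels) if lbl == "unmapped"]
    return Counter(labels), suspicious


def ranges_overlap(user_map, system_range):
    """Return (user_range, system_range) pairs that overlap; should be empty."""
    s_lo, s_hi = system_range
    return [(r, system_range) for r in user_map if r[0] <= s_hi and s_lo <= r[1]]


if __name__ == "__main__":
    counts, suspicious = audit(SESSIONS)
    for label, n in sorted(counts.items()):
        print(f"{label:20s} {n}")
    for s in suspicious:
        print("unmapped source port from terminal server:", s)
    print("range overlaps:", ranges_overlap(USER_PORT_MAP, SYSTEM_RESERVED))
```

Run against real data, a non-empty list from `audit()` is the cue to look for a local interception agent on the terminal server, and a non-empty list from `ranges_overlap()` means the registry-defined system range collides with the user ranges and must be changed before the mappings can be trusted.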

I will check it.
I also tried pinging 8.8.8.8 after logging in with one of the users' credentials, but in the logs I only see the source IP of the terminal server and no user.

well ... ping is a system service .... 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

OK...
But what is the best way to check it? Just type something in a browser, make an HTTP request?

Yes, try browsing to a common website like CNN or Wikipedia.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,


Do you remember the final situation of this problem? Were you able to solve it (and how)?

Regards