Hopefully the session-based NTLM in 3.1 will be a good workaround/replacement for when you cannot use ts-agent.
Today the PAN will do the NTLM caching based on IP, which along with terminal servers is a very bad thing because you usually have more than one user per terminal server. The bad thing is that the wrong user is being logged (the PAN unit believes that traffic from one terminal server is only one user where in fact it can be several users).
The workaround until 3.1 is released could be to enable NTLM auth in captive portal and set up policy to allow only the AD group of users you want to be able to surf (or set it to "known-users"). However, note that the logging of which user did what will be incorrect (but it will work in terms of blocking users who are not allowed to surf).
In 3.1 the User mapping is still to IP Address when using NTLM. The Session cookie is to help prevent multiple challenges for Captive Portal on timeout and also to provide "roaming" (IP Address Change) support.
So this will not help with the TS 2008 conundrum. Therefore Mike's comments will still stand as to "late this year" I'm afraid.
Hmpf, that was bad to hear, since I have an ongoing case where ts-agent is failing after a few hours and a sufficient workaround for that case would be to use NTLM auth instead. However, this will fail as long as the PAN unit does the NTLM auth caching per IP instead of per session (which was what both I and the company we have for support believed that the session cookie thingy enhancement in 3.1 would solve regarding NTLM auth).