Terminal Services User-ID Agent Flaw


L1 Bithead

A new customer during deployment was wanting to test how well the TS User ID agent was working at identifying users. We logged on as User A and started a specific ping. We searched the log file, and there was the ping. We had it running continuously for several minutes. During a refresh, we started to notice that other users were also pinging this exact same address from the same TS. This was very unlikely, so we logged in User B. As soon as we logged in, the log indicated that User B was responsible for the pings, even though we could clearly see this was not the case. After explaining these results to Support, here was the explanation:

Since the TS User-ID agent uses port ranges to identify each user, it is only capable of identifying the traffic for a user if the protocol is TCP/UDP (because they are port based).

My customer is a Bank, and they consider the feature unusable, because the last user to log in may not be allowed to ping, or GRE, or whatever.

Has anyone else noticed this behavior? Any workarounds or fixes in the mix?

4 replies

L3 Networker

I'm not sure why they would consider it "unusable?"  The main purpose of the TS UserID function is to enable you to do per-user web filtering from a Terminal Server, without having to use virtual IPs per each individual.

I would never allow my users to do anything that would involve GRE from a terminal server.  That could do $deity knows what to other people on the same terminal server and is not a good idea.

Ping is ICMP so it isn't tracked by UserID, but really, is that something you are concerned about?  Our users can't even access the command line on our terminal servers, so they don't really have any way to ping.

I suppose that's fine if you only want web filtering, however, that is not the case here.

@dpayne:

As you have learned from your call to Technical Support the Terminal Services agent works by restricting the source port on a per user basis for TCP and UDP protocols. For applications that use other network protocols the Terminal Services agent will be unable to perform any function.

If you wish to see the Terminal Services agent support protocols other than TCP and UDP you will need to have your sales team submit a feature request.

-Benjamin
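To make the mechanism Benjamin describes concrete, here is a small constructed model (added for this thread, not the vendor's agent code) of source-port-range attribution on a shared terminal server. The IP, port ranges, user names and flows are made up; it contrasts a strict mapper, which returns no user for ICMP/GRE because there is no source port to key on, with a lax one that reproduces the "last user to log in gets blamed" behaviour the original post observed.

```python
# Constructed model of source-port-range user attribution on a shared terminal
# server (hypothetical, not the vendor's agent). All values below are made up.
from typing import Optional

PORT_BASED = {"tcp", "udp"}  # only these carry a source port to key on


class TsUserMapper:
    def __init__(self, ts_ip: str, first_port: int = 20000, range_size: int = 1000):
        self.ts_ip = ts_ip
        self.next_port = first_port
        self.range_size = range_size
        self.ranges: dict[str, tuple[int, int]] = {}  # user -> (low, high)
        self.last_login: Optional[str] = None

    def login(self, user: str) -> tuple[int, int]:
        # Each session is handed its own block of source ports.
        low, high = self.next_port, self.next_port + self.range_size - 1
        self.ranges[user] = (low, high)
        self.next_port = high + 1
        self.last_login = user
        return low, high

    def attribute(self, src_ip: str, proto: str, src_port: Optional[int]) -> Optional[str]:
        """Strict attribution: the user, or None when it cannot be known."""
        if src_ip != self.ts_ip or proto not in PORT_BASED or src_port is None:
            return None  # ICMP, GRE, ...: no source port, so no mapping possible
        for user, (low, high) in self.ranges.items():
            if low <= src_port <= high:
                return user
        return None

    def attribute_lax(self, src_ip: str, proto: str, src_port: Optional[int]) -> Optional[str]:
        """Reproduces the observed behaviour: unmappable TS traffic is charged to the last login."""
        user = self.attribute(src_ip, proto, src_port)
        if user is None and src_ip == self.ts_ip:
            return self.last_login
        return user


def demo() -> dict:
    m = TsUserMapper("10.0.0.5")
    m.login("userA")
    m.login("userB")
    return {
        "tcp_from_a": m.attribute("10.0.0.5", "tcp", 20010),
        "icmp_strict": m.attribute("10.0.0.5", "icmp", None),
        "icmp_lax": m.attribute_lax("10.0.0.5", "icmp", None),
        "gre_strict": m.attribute("10.0.0.5", "gre", None),
    }
```

The practical takeaway is that policy for a terminal server address should treat non-TCP/UDP traffic as unknown-user rather than as the most recent login.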

Yes, I have done so. Personally, I can work around it, and hopefully the customer can as well. I was just kind of surprised is all.

Thanks,
