This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

UserID issue when using RDP via GlobalProtect client

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

UserID issue when using RDP via GlobalProtect client

GeorgeAPH
L1 Bithead

‎01-13-2021 02:46 AM - edited ‎01-13-2021 02:50 AM

Hello,

I have the following issue when using RDP via GlobalProtect client.

Situation:

  • PaloAlto 820 with PAN-OS 9.0.9, GloablProtect Client 5.2.4, Windows 2016 Active Directory
  • For remote access we use GlobalProtect with Active Directory accounts (RADIUS authentication to AD)
  • User-ID is used utilizing an UserID agent installed on the DC
  • User-based policies are used

Issue:

When a user connects via Global Protect it's traffic is associated with the domain user name used for establishing VPN connection. It has all access allowed for that user name. At some point, user makes RDP connection to some server or workstation, and logs into it using the same user name (it is his own domain user name, the only one he has). From that moment that user name is mapped to the IP address of remote computer, and is no longer mapped to the IP address he/she was assigned when VPN connection was established. As a result, traffic coming from that user via VPN connection is no longer associated with it's user name, and he/she can't create new connections allowed by user based policies. For example user can't establish second RDP session! 

 

Used Solution:

We make different IP pools, assign GP users IP addresses from pools according to group membership, and create policies based on IP address. So we don't use user id based policies for VPN users. However, this "solution" is not good for us.

 

Other possible solutions we see:

Use different User ID for GlobalProtect only. That would be problematic for users, which would need to have one more user/password combination. It will also make administration of policies harder, as we have to use two different usernames for the same user - one for VPN related policies, and another - for other policies.

 

If you have any ideas, or if you I'm getting wrong the reason for that effect, please let me know. Thank you!

(1)
1 REPLY 1

Mick_Ball
L7 Applicator

‎01-13-2021 04:42 AM - edited ‎01-13-2021 04:46 AM

 Have you tried increasing the user ID timeout.

The default is 45 mins so after that time the original GP auth mapping will be lost.

 

Users can then connect to many devices within the same GP connection.

 

I would prefer to place users in different groups and then use group membership in the policies.

0 Likes Likes
  • 2897 Views
  • 1 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks