01-13-2021 02:46 AM - edited 01-13-2021 02:50 AM
I have the following issue when using RDP via GlobalProtect client.
When a user connects via GlobalProtect, their traffic is associated with the domain user name used for establishing the VPN connection. It has all access allowed for that user name. At some point, the user makes an RDP connection to some server or workstation and logs into it using the same user name (it is his own domain user name, the only one he has). From that moment, that user name is mapped to the IP address of the remote computer, and is no longer mapped to the IP address he/she was assigned when the VPN connection was established. As a result, traffic coming from that user via the VPN connection is no longer associated with its user name, and he/she can't create new connections allowed by user-based policies. For example, the user can't establish a second RDP session!
We make different IP pools, assign GP users IP addresses from those pools according to group membership, and create policies based on IP address. So we don't use User-ID based policies for VPN users. However, this "solution" is not good for us.
Other possible solutions we see:
Use a different User-ID for GlobalProtect only. That would be problematic for users, who would need to have one more user/password combination. It will also make administration of policies harder, as we would have to use two different usernames for the same user: one for VPN-related policies, and another for other policies.
If you have any ideas, or if I'm getting the reason for that effect wrong, please let me know. Thank you!
01-13-2021 04:42 AM - edited 01-13-2021 04:46 AM
Have you tried increasing the User-ID timeout?
The default is 45 mins so after that time the original GP auth mapping will be lost.
Users can then connect to many devices within the same GP connection.
I would prefer to place users in different groups and then use group membership in the policies.
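As an added illustration (not code from either post, and not PAN-OS code), the following Python model reproduces the mapping behaviour the thread describes: a single IP-to-user table with a 45-minute timeout, where a new logon event seen for a user on another IP replaces that user's earlier mapping. The replacement rule is an assumption taken from the original post, the group names and IP addresses are constructed, and `pool_policy_allows` models the IP-pool workaround from the first post, which does not depend on the mapping at all.

```python
"""Toy model of an IP-to-user mapping table with a timeout.

Constructed example for the thread above. The "one IP per user" replacement
rule and the 45-minute default are assumptions taken from the posts; this is
not how PAN-OS is implemented, only a model of the observed effect.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Mapping:
    user: str
    learned_at: int  # seconds since the start of the simulation


@dataclass
class UserIdTable:
    timeout_s: int = 45 * 60  # assumed default User-ID timeout (45 min)
    by_ip: dict = field(default_factory=dict)

    def record_logon(self, ip: str, user: str, now: int) -> None:
        # Assumption modelled from the thread: a user has one mapped IP, so a
        # logon seen on a new IP (e.g. an RDP logon) drops the earlier mapping
        # for that user, including the VPN pool address.
        for old_ip, m in list(self.by_ip.items()):
            if m.user == user and old_ip != ip:
                del self.by_ip[old_ip]
        self.by_ip[ip] = Mapping(user, now)

    def lookup(self, ip: str, now: int):
        """Return the user mapped to ip, or None if unknown or expired."""
        m = self.by_ip.get(ip)
        if m is None:
            return None
        if now - m.learned_at > self.timeout_s:
            del self.by_ip[ip]  # mapping aged out
            return None
        return m.user


def policy_allows(table: UserIdTable, src_ip: str, now: int,
                  allowed_groups, groups_of) -> bool:
    """Group-membership rule: needs a live mapping for the source IP."""
    user = table.lookup(src_ip, now)
    if user is None:
        return False
    return bool(set(groups_of.get(user, ())) & set(allowed_groups))


def pool_policy_allows(src_ip: str, allowed_pool: str) -> bool:
    """IP-pool rule from the first post: independent of User-ID mappings."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(allowed_pool)


def simulate_rdp_scenario():
    """Replay the thread's scenario; returns (before RDP, after RDP, RDP host user)."""
    groups = {"alice": {"vpn-rdp-users"}}  # constructed group membership
    t = UserIdTable()
    t.record_logon("10.10.0.5", "alice", now=0)       # GP login, VPN pool IP
    first = policy_allows(t, "10.10.0.5", 60, {"vpn-rdp-users"}, groups)
    t.record_logon("192.168.1.20", "alice", now=120)  # RDP logon on a server
    second = policy_allows(t, "10.10.0.5", 180, {"vpn-rdp-users"}, groups)
    return first, second, t.lookup("192.168.1.20", 180)


def simulate_timeout():
    """Show the mapping surviving until the timeout and expiring after it."""
    t = UserIdTable(timeout_s=45 * 60)
    t.record_logon("10.10.0.5", "alice", now=0)
    return t.lookup("10.10.0.5", 45 * 60), t.lookup("10.10.0.5", 45 * 60 + 1)


if __name__ == "__main__":
    print("group rule before/after RDP:", simulate_rdp_scenario())
    print("mapping at/after timeout:", simulate_timeout())
    print("pool rule for VPN IP:", pool_policy_allows("10.10.0.5", "10.10.0.0/24"))
```

Running it shows the second user-based check failing once the RDP logon moves the mapping, while the pool-based check keeps passing, which is why the original poster's IP-pool workaround functions but stays tied to address ranges rather than identities.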