UserID issue when using RDP via GlobalProtect client
cancel
Showing results for 
Search instead for 
Did you mean: 

UserID issue when using RDP via GlobalProtect client

L1 Bithead

Hello,

I have the following issue when using RDP via GlobalProtect client.

Situation:

  • PaloAlto 820 with PAN-OS 9.0.9, GloablProtect Client 5.2.4, Windows 2016 Active Directory
  • For remote access we use GlobalProtect with Active Directory accounts (RADIUS authentication to AD)
  • User-ID is used utilizing an UserID agent installed on the DC
  • User-based policies are used

Issue:

When a user connects via Global Protect it's traffic is associated with the domain user name used for establishing VPN connection. It has all access allowed for that user name. At some point, user makes RDP connection to some server or workstation, and logs into it using the same user name (it is his own domain user name, the only one he has). From that moment that user name is mapped to the IP address of remote computer, and is no longer mapped to the IP address he/she was assigned when VPN connection was established. As a result, traffic coming from that user via VPN connection is no longer associated with it's user name, and he/she can't create new connections allowed by user based policies. For example user can't establish second RDP session! 

 

Used Solution:

We make different IP pools, assign GP users IP addresses from pools according to group membership, and create policies based on IP address. So we don't use user id based policies for VPN users. However, this "solution" is not good for us.

 

Other possible solutions we see:

Use different User ID for GlobalProtect only. That would be problematic for users, which would need to have one more user/password combination. It will also make administration of policies harder, as we have to use two different usernames for the same user - one for VPN related policies, and another - for other policies.

 

If you have any ideas, or if you I'm getting wrong the reason for that effect, please let me know. Thank you!

1 REPLY 1

L7 Applicator

 Have you tried increasing the user ID timeout.

The default is 45 mins so after that time the original GP auth mapping will be lost.

 

Users can then connect to many devices within the same GP connection.

 

I would prefer to place users in different groups and then use group membership in the policies.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!