01-13-2021 02:46 AM - edited 01-13-2021 02:50 AM
Hello,
I have the following issue when using RDP via GlobalProtect client.
Situation:
Issue:
When a user connects via GlobalProtect, their traffic is associated with the domain user name used for establishing the VPN connection, and all access allowed for that user name is granted. At some point the user makes an RDP connection to some server or workstation and logs into it using the same user name (it is their own domain user name, the only one they have). From that moment that user name is mapped to the IP address of the remote computer, and is no longer mapped to the IP address they were assigned when the VPN connection was established. As a result, traffic coming from that user via the VPN connection is no longer associated with their user name, and they can't create new connections allowed by user-based policies. For example, the user can't establish a second RDP session!
Used Solution:
We create different IP pools, assign GP users IP addresses from those pools according to group membership, and create policies based on IP address. So we don't use User-ID-based policies for VPN users. However, this "solution" is not good for us.
Other possible solutions we see:
Use a different User-ID for GlobalProtect only. That would be problematic for users, who would need to have one more user/password combination. It would also make administration of policies harder, as we would have to use two different user names for the same user - one for VPN-related policies, and another for other policies.
If you have any ideas, or if I'm getting the reason for that effect wrong, please let me know. Thank you!