Traffic control for Terminal server

AlphacomItalia
Here to help

Traffic control for Terminal server

Hi, all my company work on terminal server, i need to control internet traffic, normally i can go on single client and see Application traffic. But can i do that wit Terminal Server? i have active directory authentication for some firewall rules. Can activate some other? i have netflow on PRTG too, but i can't see by User traffic too.

 

THX

12 Replies 12
CptnCrnch
Kind of a big deal
Kind of a big deal

Guess you're out of luck with this one. You'd need some kind of "Terminal Server agent" installed on that machine that translates the ports for a specific user into controllable traffic.

 

Even Active Directory integration is useless because it only creates a user to IP mapping where the IP is the one used by the terminal server. Therefore, no further filtering is possible.

 

Cisco legacy provides you with a solution, unfortunately I'm unaware that Meraki supports this.

AlphacomItalia
Here to help

 Try to open a support case. 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

You need to use RDP IP Virtualisation.

https://social.technet.microsoft.com/wiki/contents/articles/15230.rds-ip-virtualization-in-windows-s... 

 

Basically, you create a pool of IP addresses.  Each user that logs into an RDS session gets allocated a seperate IP address.  They use that IP address to talk to things.

You can then use AD authentication and per-user controls again.

 

 

Another option (next time you upgrade) is to change to using Remote Desktop Virtualization Hosts.  It looks like RDP, but each user gets a virtual machine instead.

 

cmr
Kind of a big deal
Kind of a big deal

@PhilipDAth the page you linked to has links that simply return 404s.  We use (used before we were closed by Covid) Citrix XenApp on top of Terminal services and the TS agents are always a bit flakey so I'm pretty interested in an IP per session.  Have you used it and is it reliable?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
cmr
Kind of a big deal
Kind of a big deal

I found another guide that still works, looks promising 😎

 

http://www.virtualizationblog.in/why-we-need-remote-desktop-services-ip-virtualization/

If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal

I haven't personally used it (outside of my normal area), but I have had clients use it so they could track the individual RDS users using the Meraki Dashboard.

AlphacomItalia
Here to help

it's ok, now i can have traffic by IP/session, now my problem is hot to bind user/session/ip or how i can retrive this information. Today a session of "laura" have 192.168.10.10, tomorrow she can have 192.168.10.15, if i want to investigate after a week how i can find traffic generated by Laura?

AlphacomItalia
Here to help

This weekend i created group policies to restrict internet browsing and assigning it to active directory groups in merki console.
I have activated the virtual ip on all 6 of my terminal servers, the sessions are correctly split by IP (i can see that on windows logs and packet capture) and apparently it seems  the various sessions are correctly recognized from mearki and apply the correct policy for the different users.I did several tests and everything seemed to work.

 

This morning, that all the users are in the office, at one point a colleague, who did not have restrictive policies, tells me that she no longer navigates to some sites. I check in the event log of the "pages blocked by content filtering" and I see that the calls of my colleague were mapped in meraki with the AD name of another user who instead had a navigation policy. So i cechk other 10 users and i see the problem with 80% of them.

 

Wwe choose Meraki beacuse we see a fnatastic demo with policy, navigation control, content filtering, but now I am in the situation where I no longer know which way to turn to work with a Groups content filtering and Terminal servers.

 

 Anyone at any suggestions or a walkaround?

thanks

ChristophW
Here to help

We have this same issue for one of our networks. Do you have an workaround for it yet? Or did you buy something else wich supports terminalserver agents?
Or does the mapping work now?

AlphacomItalia
Here to help

to date, I have unfortunately given up. Although Active Directory is correctly synchronized with the DC, the match with the logs to map IPs and Network Users "messes". I tried several times through the support to solve the problem but without success. At the moment I haven't looked for other solutions and I'm not restricting AD groups.

the only walkaround thought of, but don't want to use, is creating xx Terminal Servers based on numbers of restriction groups. And manage rdp accesses via an RDP Gateway in order to have a single access at xx TS and single RDP access to configure client side (so if you want to migrate user from one to another TS you haven't re-configure client side).

For me is a powerful solution for manage multiple TS (but much configuration need) but can't be a solution for resolve problem with navigation restriction of Meraki.

 

 

AlphacomItalia
Here to help

Somebody have some news?

ChristophW
Here to help

I think there is nothing new here. We gave up on a solution for the terminal-server. Our customer created a new vlan for different group-policies. How they want to handle it on the terminal-server i do not know that. Maybe a second port with the different ips or something.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels