
UTM Appliance for Terminal Server

Discussion in 'Windows Home Server' started by dmh, Sep 24, 2009.

  1. dmh

    dmh Guest

    Hi,
    I'm hoping for suggestions to replace a Watchguard Firebox currently
    in use.
    The site has many restrictions/rules in place and until recently the
    Firebox was effective in limiting access to certain web sites.
    Unfortunately the Watchguard system authenticates the user and records
    the IP address of the computer the user was on at the time of
    authentication.
    Now that we have moved to TS2008 and all users have the IP address of
    the Terminal Server the Firebox authentication system is useless.

    I'm looking for a Terminal Server friendly system that will allow us
    to control what web sites a user is permitted to access and to log
    those visits.

    I've had a cursory look at Sonicwall, Astaro, Endian. It is not clear
    if TS is supported and if they use the same authentication method as
    Watchguard of associating a user with an IP address.

    Any ideas welcome.

    TIA
    David
     
  2. CoreyNach

    CoreyNach

    Joined:
    Sep 25, 2009
    Messages:
    1
    David,

    Hi. I'm Corey Nachreiner, and I'm the Sr. Network Security Strategist at WatchGuard. You're not the first to run into the issue of authenticating users on a terminal server. However, it doesn't have a simple solution when you are talking about a network-level or perimeter device. Without creating some sort of complex solution, the only way for a network-level device like our UTM to associate a user to his traffic is by associating the IP of the device to the user using it; and as you point out, terminal servers kind of ruin this concept since many users log in to the device at once.

    However, if you are using the Terminal Services that come with Windows Server 2008 R2 (I think they call it Remote Desktop Host server now), I believe Microsoft has created an easy solution for you. The feature is called Remote Desktop IP Virtualization, and you can read more about it in this blog post:



    Essentially, if you set up this feature, your Terminal Server can assign a new IP to each new session, or even each separate program. If you make it so each user's IE session gets a new IP, I believe your users can then use our authentication normally and will show up with different IPs for monitoring.

    As an aside, since they are all network level devices, I think you will find all our competitor UTM devices will offer the same issue. Without using something like "Remote Desktop IP Virtualization" to get the Terminal Server to give different IPs, the network-level device will see all the users as the same IP.

    Hope this helps.

    Best Regards, Corey Nachreiner
     
  3. jphallett

    jphallett Guest

    On Sep 24, 9:08 am, dmh <f...@noemailsplease.invalid> wrote:
    > Hi,
    > I'm hoping for suggestions to replace a Watchguard Firebox currently
    > in use.
    > The site has many restrictions/rules in place and until recently the
    > Firebox was effective in limiting access to certain web sites.
    > Unfortunately the Watchguard system authenticates the user and records
    > the IP address of the computer the user was on at the time of
    > authentication.
    > Now that we have moved to TS2008 and all users have the IP address of
    > the Terminal Server the Firebox authentication system is useless.
    >
    > I'm looking for a Terminal Server friendly system that will allow us
    > to control what web sites a user is permitted to access and to log
    > those visits.
    >
    > I've had a cursory look at Sonicwall, Astaro, Endian. It is not clear
    > if TS is supported and if they use the same authentication method as
    > Watchguard of associating a user with an IP address.
    >
    > Any ideas welcome.
    >
    > TIA
    > David

    I am currently running a Sonicwall with content filtering in my
    terminal services environment. The Sonicwall works perfectly for our
    network design. The way ours is configured it filters all users and if
    someone needs access to a filtered site (IE: HR, Management) they log
    in as a user on the firewall and are able to bypass the content
    filtering. We are not in a domain but I think you can authenticate
    users through the domain to the Sonicwall and give them the
    appropriate rights automatically.
     
  4. dmh

    dmh Guest

    Hi Corey,

    This is good news. I had read that Citrix had this feature but the
    cost was prohibitive.
    Pleased to see that MS will be rolling it out in R2. Thanks for the
    link and for saving me learning another product.

    David.



    On Fri, 25 Sep 2009 13:17:30 -0500, CoreyNach
    <CoreyNach.3z38vb@news.home.local> wrote:
    >
    >David,
    >
    >Hi. I'm Corey Nachreiner, and I'm the Sr. Network Security Strategist
    >at WatchGuard. You're not the first to run into the issue of
    >authenticating users on a terminal server. However, it doesn't have a
    >simple solution when you are talking about a network-level or perimeter
    >device. Without creating some sort of complex solution, the only way for
    >a network-level device like our UTM to associate a user to his traffic
    >is by associating the IP of the device to the user using it; and as you
    >point out, terminal servers kind of ruin this concept since many users
    >log in to the device at once.
    >
    >However, if you are using the Terminal Services that come with Windows
    >Server 2008 R2 (I think they call it Remote Desktop Host server now), I
    >believe Microsoft has created an easy solution for you. The feature is
    >called Remote Desktop IP Virtualization, and you can read more about it
    >in this blog post:
    >
    >'Remote Desktop Services (Terminal Services) Team Blog : Configuring
    >Remote Desktop IP Virtualization: Part 1' ()
    >
    >Essentially, if you setup this feature, your Terminal Server can assign
    >a new IP to each new session, or even each separate program. If you make
    >it so each user's IE session gets a new IP, I believe your users can
    >then use our authentication normally and will show up with different IPs
    >for monitoring.
    >
    >As an aside, since they are all network level devices, I think you will
    >find all our competitor UTM devices will offer the same issue. Without
    >using something like "Remote Desktop IP Virtualization" to get the
    >Terminal Server to give different IPs, the network-level device will see
    >all the users as the same IP.
    >
    >Hope this helps.
    >
    >Best Regards, Corey Nachreiner
     
  5. Leythos

    Leythos Guest

    In article <1984e754-71f6-438e-b6ee-
    f2744ab1ebda@e18g2000vbe.googlegroups.com>, jphallett@gmail.com says...
    > I am currently running a Sonicwall with content filtering in my
    > terminal services environment. The Sonicwall works perfectly for our
    > network design. The way ours is configured it filters all users and if
    > someone needs access to a filtered site (IE: HR, Management) they log
    > in as a user on the firewall and are able to bypass the content
    > filtering. We are not in a domain but I think you can authenticate
    > users through the domain to the Sonicwall and give them the
    > appropriate rights automatically.
    >

    Have you tried that for two different users on the terminal server at
    the same time - meaning once user A opens the firewall, can user B get
    access to blocked sites that were opened by user A's firewall
    authentication?

    --
    You can't trust your best friends, your five senses, only the little
    voice inside you that most civilians don't even hear -- Listen to that.
    Trust yourself.
    spam999free@rrohio.com (remove 999 for proper email address)
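Corey's explanation (post 2) and Leythos's question (post 5) both come down to the same thing: the UTM keys authentication and logging on the source IP it sees. As an added example, not code from the thread or from any vendor, the Python below models constructed session tables for a terminal server where every session shares one IP and for one using per-session IP virtualization, and shows both effects: a web-filter log line can only be attributed to a single user when the session IP is unique, and a firewall login by one user is inherited by every other session behind the same IP. The addresses, user names and key=value log format are constructed assumptions, not WatchGuard's or SonicWall's real formats.

```python
from collections import defaultdict

# Constructed sample data, not taken from the thread.
# Sessions: (session id, logged-on user, source IP the UTM sees for that session).
SHARED_IP_SESSIONS = [        # TS2008 without IP virtualization: everyone exits on one IP
    (1, "alice", "10.0.0.5"), (2, "bob", "10.0.0.5"), (3, "carol", "10.0.0.5"),
]
VIRTUAL_IP_SESSIONS = [       # 2008 R2 per-session IP virtualization: one IP per session
    (1, "alice", "10.0.0.21"), (2, "bob", "10.0.0.22"), (3, "carol", "10.0.0.23"),
]
# Constructed UTM web-filter log lines (the key=value layout is an assumption).
WEB_LOG = [
    "src=10.0.0.5 dst=hr.example.test action=allow",
    "src=10.0.0.5 dst=social.example.test action=deny",
    "src=10.0.0.21 dst=hr.example.test action=allow",
]

def users_behind_ip(sessions):
    """Map each source IP to the set of users whose sessions share it."""
    table = defaultdict(set)
    for _sid, user, ip in sessions:
        table[ip].add(user)
    return table

def parse_line(line):
    """Parse one key=value log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def attribute_log(log_lines, sessions):
    """For each log line return (destination, candidate users). One candidate
    means the visit can be logged against a person; several means the UTM,
    keyed only by IP, cannot tell them apart (David's TS2008 problem)."""
    table = users_behind_ip(sessions)
    result = []
    for line in log_lines:
        fields = parse_line(line)
        result.append((fields["dst"], sorted(table.get(fields["src"], ()))))
    return result

def inherited_bypass(firewall_auth, sessions):
    """Leythos's question: firewall_auth maps src IP -> user who authenticated
    on the firewall. Return, per IP, the *other* users whose sessions share
    that IP and therefore inherit the authenticated user's access."""
    table = users_behind_ip(sessions)
    bleed = {}
    for ip, user in firewall_auth.items():
        others = table.get(ip, set()) - {user}
        if others:
            bleed[ip] = sorted(others)
    return bleed
```

With the shared-IP table every line from 10.0.0.5 attributes to all three users and alice's firewall login opens the same sites to bob and carol; with per-session IPs each line attributes to exactly one user and nothing bleeds.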
     
  6. Leythos

    Leythos Guest

    In article <CoreyNach.3z38vb@news.home.local>,
    CoreyNach.3z38vb@news.home.local says...
    >
    > David,
    >
    > Hi. I'm Corey Nachreiner, and I'm the Sr. Network Security Strategist
    > at WatchGuard. You're not the first to run into the issue of
    > authenticating users on a terminal server. However, it doesn't have a
    > simple solution when you are talking about a network-level or perimeter
    > device. Without creating some sort of complex solution, the only way for
    > a network-level device like our UTM to associate a user to his traffic
    > is by associating the IP of the device to the user using it; and as you
    > point out, terminal servers kind of ruin this concept since many users
    > log in to the device at once.
    >
    > However, if you are using the Terminal Services that come with Windows
    > Server 2008 R2 (I think they call it Remote Desktop Host server now), I
    > believe Microsoft has created an easy solution for you. The feature is
    > called Remote Desktop IP Virtualization, and you can read more about it
    > in this blog post:
    >
    > 'Remote Desktop Services (Terminal Services) Team Blog : Configuring
    > Remote Desktop IP Virtualization: Part 1' ()
    >
    > Essentially, if you setup this feature, your Terminal Server can assign
    > a new IP to each new session, or even each separate program. If you make
    > it so each user's IE session gets a new IP, I believe your users can
    > then use our authentication normally and will show up with different IPs
    > for monitoring.
    >
    > As an aside, since they are all network level devices, I think you will
    > find all our competitor UTM devices will offer the same issue. Without
    > using something like "Remote Desktop IP Virtualization" to get the
    > Terminal Server to give different IPs, the network-level device will see
    > all the users as the same IP.
    >
    > Hope this helps.
    >
    > Best Regards, Corey Nachreiner

    I've been using WG firewalls across the USA and outside for many moons,
    since the first FB was produced - and it's good for me to have caught
    this explanation of yours - I have many terminal servers and we've never
    been able to come up with a plan until you described the above - thanks.

    --
    You can't trust your best friends, your five senses, only the little
    voice inside you that most civilians don't even hear -- Listen to that.
    Trust yourself.
    spam999free@rrohio.com (remove 999 for proper email address)
     
