Terminal Server Users

A terminal server provides remote access to a desktop or console for its users. One terminal server generally serves multiple users, sometimes dozens or hundreds of them. Identifying terminal server users is a problem because all users of the server share the same IP address, so NGFW cannot correctly attribute network connections to individual users. UserGate offers a dedicated terminal server agent to solve this problem: each user is allocated a port range that is used for their connections, i.e., the original source ports are substituted with ports from the range allocated to that user.

The terminal server agent must be installed on every terminal server whose users need to be identified. The agent is a service that transmits information about the terminal server's users and their network connections to UserGate NGFW. Because identification relies on source-port substitution, the agent can only identify user traffic that uses the TCP and UDP protocols; protocols without ports, such as ICMP, cannot be identified.

For correct user identification when Active Directory authorization is used on the terminal servers, an enabled Active Directory connector server is required.

To start using terminal server user authentication, follow these steps:

Step 1. Allow the Authentication agent service in the desired zone.

In the Network ➜ Zones section, allow the Authentication agent service for the zone on the terminal servers' side.

Step 2. Set a password for terminal server agents.

In the NGFW console, go to the UserGate ➜ General settings ➜ Modules section, click the Configure button next to the Password for terminal server agent entry, and set a password for terminal server agents.

Step 3. Install the terminal server agent.

Install the terminal server agent on all servers that require user identification. During the installation, specify the NGFW IP address and the password set at the previous step.

Step 4. Add the desired servers in the NGFW console.

In the Users and devices ➜ Terminal servers section, add the terminal server agents, specifying the host name and address. Once NGFW receives data from the specified host and the password set at Step 2 matches, user authentication is enabled automatically.

After an NGFW version update, terminal server agents that were already displayed in the web console continue working.

UserGate will now receive user information.

The terminal server agent can authenticate not only domain users but also local users of the terminal server. To enable this, add the following parameter to the agent's configuration file (%ALLUSERSPROFILE%\Entensys\Terminal Server Agent\tsagent.cfg):

LocalDomain = 1

After editing the configuration file, restart the terminal server agent service for the change to take effect.

In addition, these users must be added to NGFW as local users. For details on adding users, see the Users section. When adding such a user, specify the Login in the format «computer name_username», without a password.

Note: Only letters, numbers, and the underscore character are allowed in the computer name; hyphens are prohibited.

You can change the terminal server agent's settings by editing its configuration file. After making changes, restart the agent service.

The settings that can be configured in the tsagent.cfg file are listed below:

  • TimerUpdate: the time interval in seconds between updates.

  • MaxLogSize: the maximum size of the service log in MB.

  • SharedKey: the password for connecting the agent.

  • SystemAccounts: can take values of 0 or 1. SystemAccounts=1 enables transmission of information about the connections of the system accounts (system, local service, network service) and the connection ports they use to NGFW.

  • FQDN: can take values of 0 or 1. FQDN=1 indicates that a FQDN (Fully Qualified Domain Name) is used, e.g., "example.com" as opposed to "example".

  • ServerPort: the port number on NGFW that accepts the connection from the authorization agent. By default, UDP port 1813 is used.

  • ServerAddress: the IP address of the UserGate device that accepts the connection from the authorization agent.

  • UserCount: the maximum number of users to create.

  • BlockDNS: can take values of 0 or 1. With BlockDNS=1 the source port is substituted with a free port from the user-allocated port range when sending DNS requests (UDP:53); with BlockDNS=0, DNS traffic is sent without port substitution.

  • BlockUDP: can take values of 0 or 1. With BlockUDP=1, the source port is substituted with a free port from the user-allocated port range when sending UDP traffic; with BlockUDP=0, the traffic is sent without port substitution.

  • ExcludeIP: if multiple IP addresses are configured on the terminal server, all of them are used for user authentication. The ExcludeIP parameter restricts users' Internet access from the specified terminal server IP addresses.

    • IP addresses in the x.x.x.x format and/or subnets in the x.x.x.x/n format are listed separated by semicolons (for example, ExcludeIP=x.x.x.x/n; x.x.x.x ).

    • Spaces between addresses in the list are allowed and ignored (for example, ExcludeIP=x.x.x.x/n; x.x.x.x;y.y.y.y ).

    • If an address in the line is misspelled, this is reflected in the log when the agent starts, and only correctly specified addresses are used. The number of addresses from the list that are actually used is also written to the log at agent start-up.

    • If filtering excludes all addresses from distribution, a log entry is made (once) in the form: GetIPAddressList: IP list is blocked by ExceptIP. If a non-empty distribution is generated later, a log entry is made in the form: GetIPAddressList: IP list is not blocked by ExceptIP anymore.

  • ExcludePorts: the range of ports to be excluded from being substituted with ports from the user-allocated port range. Specified as: ExcludePorts=port1-port2.

  • NAT_IP: required when there is a NAT between the terminal server and UserGate. The terminal server's IP address is substituted with an address from the specified range. The IP addresses are specified as: NAT_IP="12.3.4-1.1.1.1;2.2.2.2-5.5.5.5".
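The following Python script is an added example, not code from the agent or from this documentation. It mimics the ExcludeIP handling described above (semicolon-separated entries with spaces ignored, malformed entries skipped and reported, the count of usable entries logged, and the "blocked" message when no server address remains) so an administrator can check a candidate ExcludeIP line before restarting the agent. The tsagent.cfg content and the server addresses are constructed sample data.

```python
import ipaddress
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("tsagent-check")

# Constructed sample of tsagent.cfg lines (not a real file); the third ExcludeIP
# entry is deliberately malformed to show how such entries are skipped.
SAMPLE_CFG = """LocalDomain = 1
BlockDNS = 1
ExcludeIP = 10.0.0.0/8; 192.168.1.10 ;not-an-ip; 172.16.5.0/24
"""

def parse_cfg(text):
    """Read 'Key = value' lines of a tsagent.cfg-style file into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def parse_exclude_ip(value):
    """Split an ExcludeIP value on semicolons; keep only valid addresses/subnets."""
    networks = []
    for raw in value.split(";"):
        entry = raw.strip()          # spaces around entries are ignored
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Misspelled entries are reported and skipped, as in the agent log.
            log.warning("ExcludeIP: ignoring malformed entry %r", entry)
    # The agent logs how many list entries are actually used at start-up.
    log.info("ExcludeIP: %d address(es)/subnet(s) will be used", len(networks))
    return networks

def distributable_addresses(server_ips, excluded):
    """Return the server addresses that remain after ExcludeIP filtering."""
    kept = [ip for ip in server_ips
            if not any(ipaddress.ip_address(ip) in net for net in excluded)]
    if not kept:
        # Logged once when filtering leaves no address to distribute ports on.
        log.info("GetIPAddressList: IP list is blocked by ExceptIP")
    return kept
```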

To exclude certain addresses and/or subnets from distribution by the terminal server agent, the ExcludeIP parameter can be set in the server registry as well as in the tsagent.cfg configuration file:

  • As a string parameter under the Windows registry key [HKEY_CURRENT_USER\Software\Policies\Entensys\Auth Client]. In this case, the setting applies only to that user.

  • As a string parameter under the Windows registry key [HKEY_LOCAL_MACHINE\Software\Policies\Entensys\Auth Client]. In this case, the setting applies to all users of the system.

The ExcludeIP setting is looked up in the following order: first in the registry key [HKEY_LOCAL_MACHINE\Software\Policies\Entensys\Auth Client], then in the registry key [HKEY_CURRENT_USER\Software\Policies\Entensys\Auth Client], and finally in the tsagent.cfg file.