6.7. Terminal Server Users

A terminal server is used to provide remote access to a desktop or console for users. Generally, one terminal server serves multiple users, sometimes dozens or even hundreds. Identifying terminal server users is a problem because all of a server's users share the same IP address, so UserGate cannot attribute individual network connections to individual users. To solve this, UserGate provides a dedicated terminal server agent. Each user is allocated a range of source ports for their connections: the agent substitutes the original source ports with ports from the range allocated to that user, so UserGate can map each connection back to the user by its source port.

The terminal server agent must be installed on all terminal servers that need user identification. The agent is a service that transmits information to the UserGate server about the users of the terminal server and their network connections. Due to the way TCP/IP works, a terminal server agent can only identify user traffic that utilizes the TCP and UDP protocols. Protocols other than TCP/UDP, such as ICMP, do not allow identification.

For correct user identification when Active Directory authentication is used on the terminal servers, an active Active Directory connector server is required.

To start using terminal server user identification, follow these steps:

Step 1. Allow the authorization agent service in the desired zone.

In the Network --> Zones section, allow the Authorization agent service for the zone on the terminal servers' side.

Step 2. Set a password for terminal server agents.

In the UserGate console, go to the UserGate --> General settings --> Modules section, click the Configure button next to the Password for terminal server agent entry, and set a password for terminal server agents.

Step 3. Install the terminal server agent.

Install the terminal server agent on all servers that require user identification. During the installation, specify the UserGate server IP address and the password set at the previous step.

Step 4. Add the desired servers in the UserGate console.

In the Users and devices --> Terminal servers section, add the terminal server agents, specifying the host name and address. After receiving the data from the host specified in the settings, provided that the password set at Step 2 is correct, user authorization will be enabled automatically.

On a UserGate version update, the terminal server agents that were displayed earlier in the web console will continue working.

UserGate will now receive user information.

The terminal server agent can authenticate not only domain users but also local users of a terminal server. To enable this, add the following parameter to its configuration file (%ALLUSERSPROFILE%\Entensys\Terminal Server Agent\tsagent.cfg):

LocalDomain = 1

After editing the configuration file, make sure to restart the terminal agent service.

In addition, these users need to be added to UserGate as local users. For details on adding users, see the section Users. When adding a user, specify the Login in the format "computer name_username", without a password.

Note

Only letters, numbers, and the underscore character are allowed in the computer name; hyphens are prohibited.

You can change the settings of a terminal server agent by editing its configuration file. After making the changes, make sure to restart the terminal server agent service.

The settings that can be configured in the tsagent.cfg file are listed below:

  • TimerUpdate: the time interval in seconds between updates.

  • MaxLogSize: the maximum size of the service log in MB.

  • SharedKey: the password for connecting the agent.

  • SystemAccounts: can take values of 0 or 1. SystemAccounts=1 enables transmission of information about the connections of the system accounts (system, local service, network service) and the connection ports they use to the UserGate device.

  • FQDN: can take values of 0 or 1. FQDN=1 indicates that an FQDN (Fully Qualified Domain Name) is used, e.g., "example.com" as opposed to "example".

  • ServerPort: the port number on the UserGate device that accepts the connection from the authorization agent. By default, UDP port 1813 is used.

  • ServerAddress: the IP address of the UserGate device that accepts the connection from the authorization agent.

  • UserCount: the maximum number of users to create.

  • BlockDNS: can take values of 0 or 1. With BlockDNS=1, the source port is substituted with a free port from the user-allocated port range when sending DNS requests (UDP:53); with BlockDNS=0, DNS traffic is sent without port substitution.

  • BlockUDP: can take values of 0 or 1. With BlockUDP=1, the source port is substituted with a free port from the user-allocated port range when sending UDP traffic; with BlockUDP=0, the traffic is sent without port substitution.

  • ExcludeIP: if multiple IP addresses are configured on the terminal server, they will all be used for user authentication. The ExcludeIP parameter allows restriction of users' Internet access from certain IP addresses used by the terminal server. The IP addresses from which traffic is to be restricted are specified as a comma-separated list: ExcludeIP=IP1,IP2.

  • ExcludePorts: the range of ports to be excluded from being substituted with ports from the user-allocated port range. Specified as ExcludePorts=port1-port2.

  • NAT_IP: required when there is a NAT between the terminal server and UserGate. The terminal server's IP address is substituted with an address from the specified range. The IP addresses are specified as NAT_IP="12.3.4-1.1.1.1;2.2.2.2-5.5.5.5".
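As an added example (not UserGate's or the agent's own code), the following Python script parses a constructed tsagent.cfg, validates the 0/1 flags, the ExcludePorts range and the ExcludeIP list as documented above, and then applies the documented BlockDNS, BlockUDP and ExcludePorts semantics to decide whether a given flow's source port would be substituted. The decision logic is this editor's reading of the list above, and the assumption that ExcludePorts applies to the source port is labelled in the code.

```python
import ipaddress
import re

# Constructed sample tsagent.cfg content (not from a real deployment).
SAMPLE_CFG = """\
ServerAddress = 10.0.0.1
ServerPort = 1813
SharedKey = example-shared-key
BlockDNS = 0
BlockUDP = 1
ExcludePorts = 3389-3390
ExcludeIP = 10.0.0.20,10.0.0.21
LocalDomain = 1
"""

# Keys the documentation defines as taking only 0 or 1.
FLAG_KEYS = {"SystemAccounts", "FQDN", "BlockDNS", "BlockUDP", "LocalDomain"}

def parse_cfg(text):
    """Parse 'Key = Value' lines into a dict, validating the documented keys."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key in FLAG_KEYS:
            if value not in ("0", "1"):
                raise ValueError(f"{key} must be 0 or 1, got {value!r}")
            cfg[key] = value == "1"
        elif key == "ExcludePorts":                      # format: port1-port2
            m = re.fullmatch(r"(\d+)-(\d+)", value)
            if not m or not (0 < int(m[1]) <= int(m[2]) <= 65535):
                raise ValueError(f"ExcludePorts must be port1-port2, got {value!r}")
            cfg[key] = (int(m[1]), int(m[2]))
        elif key == "ExcludeIP":                         # format: IP1,IP2
            cfg[key] = {ipaddress.ip_address(a.strip()) for a in value.split(",")}
        elif key == "ServerPort":
            cfg[key] = int(value)
        else:
            cfg[key] = value
    return cfg

def port_substituted(cfg, proto, src_port, dst_port):
    """True if the agent would rewrite this flow's source port into the user's
    allocated range. Assumption: ExcludePorts is matched against the source port."""
    lo, hi = cfg.get("ExcludePorts", (0, -1))
    if lo <= src_port <= hi:
        return False
    if proto == "udp":
        return cfg.get("BlockDNS", False) if dst_port == 53 else cfg.get("BlockUDP", False)
    return proto == "tcp"   # ICMP and other non-TCP/UDP traffic cannot be identified
```

With the sample above, TCP flows are substituted, DNS is left alone (BlockDNS=0), other UDP is substituted (BlockUDP=1), and a source port in 3389-3390 is never rewritten.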