

Multiple RDP Connections to a Host with different Web Filtering content by user/group

Hello everyone,

Is it possible for Sophos XG Firewall to support multiple RDP connections from multiple computers to a single computer and apply multiple policies per user/group for web content filtering?

I tried to use SSO and Client Authentication, but it doesn't seem to work.

Does anyone have an idea if it is possible to do it?

Thanks



  • Hi Vitor,

    What you are looking for is Sophos Authentication for Thin Clients (SATC). This agent, which is installed on the terminal server, updates the XG appliance with user information in such a way that you get session-based authentication. This allows you to manage and report on individual users' traffic on the terminal server.

    Please note that it does require the base Active Directory integration to be configured on the SF-OS appliance, so that the appliance can validate the user information provided and map users to different AD groups.

    The regular SSO mechanism and the Client Authentication application identify users by IP address, which, as you have discovered, does not differentiate between users in a multi-user environment like terminal servers.

    Leon

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP

  • Hi Leon,

    I installed SATC, and I noticed in the logs, when I log in with multiple users, that SATC detects the users.

    But if I want to create some policies to restrict web access to a few websites for each user, how can I create the policies? It seems that SATC separates the users, but in the firewall web interface the policies don't show the username of the RDP session/user.

    Thanks

  • Hi Vitor,

    So I assume you are saying that the different users are appearing as live users on the XG/SF-OS appliance. From there you would create a user rule in your policy base that links to the desired web filter/application filter. The rule selection can be based on the individual AD user or an AD group; which one you use will depend on your requirements and preferences.

    Remember, if matching by AD group, you will need to import the AD groups you are interested in using into the appliance configuration. Additionally, the appliance checks the group membership every time it sees an authentication event for the user. If you want to go by user, once the appliance performs its first authentication the user ID remains on the appliance, so you can use it to define policies.

    Hope this helps,

    Leon

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP

  • Hi Leon, Live Users is empty.

    I installed SATC on the terminal server, and each time I log in by RDP, if I open SATC and click Open in View Log or View Logging Events, I can see there is some info about the user I logged in with, but on the Sophos appliance the Live Users section is empty.

    Thanks

  • Vitor,

    Can you share the log you see from SATC?

    Also, can you share your policy rule?

    Luk

  • Hello,

    This is part of the log that I see after opening SATC and clicking on Logging Events:

    MSG [0x1338] 07/03/2016 17:44:07 : -------------------------- Logging Events --------------------------
    MSG [0x1338] 07/03/2016 17:44:07 : --------------------------------------------------------------------
    MSG [0x112c] 07/03/2016 17:44:14 : --------------------------------------------------------------------
    MSG [0x112c] 07/03/2016 17:44:14 : -------------------------- Logging Events --------------------------
    MSG [0x112c] 07/03/2016 17:44:14 : --------------------------------------------------------------------
    MSG [0x112c] 07/03/2016 17:45:49 : SSS: LOGIN #New User CRSessionID:3
    DEBUG [0x112c] 07/03/2016 17:45:49 : ********** Sending login **********
    DEBUG [0x112c] 07/03/2016 17:45:49 : LoginCode: 96
    DEBUG [0x112c] 07/03/2016 17:45:49 : SessionID: 768
    DEBUG [0x112c] 07/03/2016 17:45:49 : SourcePort: 4087 , 63247
    DEBUG [0x112c] 07/03/2016 17:45:49 : DestinationPort: 34049 , 389
    DEBUG [0x112c] 07/03/2016 17:45:49 : UserName: vitor
    DEBUG [0x112c] 07/03/2016 17:45:49 : DomainName:
    MSG [0x112c] 07/03/2016 17:47:11 : SSS: Sending LOGIN # For already Logged in user 3
    DEBUG [0x112c] 07/03/2016 17:47:11 : ********** Sending login **********
    DEBUG [0x112c] 07/03/2016 17:47:11 : LoginCode: 96
    DEBUG [0x112c] 07/03/2016 17:47:11 : SessionID: 768
    DEBUG [0x112c] 07/03/2016 17:47:11 : SourcePort: 4599 , 63249
    DEBUG [0x112c] 07/03/2016 17:47:11 : DestinationPort: 14348 , 3128
    DEBUG [0x112c] 07/03/2016 17:47:11 : UserName: vitor
    DEBUG [0x112c] 07/03/2016 17:47:11 : DomainName:

    It seems SATC is detecting each user when I RDP to this machine, but on the Sophos appliance nothing appears in the log viewer under authentication, so I didn't create any policy yet.

    Am I doing something wrong? It's only necessary to install SATC on the Terminal Server, right?

    Thanks
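
The quoted SATC log shows why Leon's earlier post distinguishes session-based authentication from the IP-based SSO and Client Authentication methods: every login block carries the connection's source port, which is what lets the appliance tell RDP users on one address apart. Note also that each port appears twice in the two byte orders (4087 is 0x0FF7 and 63247 is 0xF70F; 34049 is 0x8501 and 389 is 0x0185), so the second value is the port as normally written. The following Python is an added example, not code from the thread or from Sophos: it parses a constructed log in this format and compares an IP-keyed identity table with one keyed on (server IP, source port), which is how this example models SATC's behaviour (an assumption). The address 192.168.0.1 is the placeholder used later in the thread; the user "maria", the AD groups and the web filter rules are made up for the example.

```python
# Added example, not code from the thread or from Sophos. It parses login
# events in the format SATC prints under "Logging Events" and contrasts an
# IP-based identity table (regular SSO / Client Authentication) with one keyed
# on (server IP, source port), the assumed model of session-based auth.

# Constructed sample in the quoted log format: two RDP users on one terminal
# server, one of them opening two connections. Session IDs, timestamps, ports
# and the user "maria" are made up for this example.
SATC_LOG = """\
MSG [0x112c] 07/03/2016 17:45:49 : SSS: LOGIN #New User CRSessionID:3
DEBUG [0x112c] 07/03/2016 17:45:49 : ********** Sending login **********
DEBUG [0x112c] 07/03/2016 17:45:49 : SessionID: 768
DEBUG [0x112c] 07/03/2016 17:45:49 : SourcePort: 4087 , 63247
DEBUG [0x112c] 07/03/2016 17:45:49 : DestinationPort: 34049 , 389
DEBUG [0x112c] 07/03/2016 17:45:49 : UserName: vitor
MSG [0x112c] 07/03/2016 17:47:11 : SSS: Sending LOGIN # For already Logged in user 3
DEBUG [0x112c] 07/03/2016 17:47:11 : ********** Sending login **********
DEBUG [0x112c] 07/03/2016 17:47:11 : SessionID: 768
DEBUG [0x112c] 07/03/2016 17:47:11 : SourcePort: 4599 , 63249
DEBUG [0x112c] 07/03/2016 17:47:11 : DestinationPort: 14348 , 3128
DEBUG [0x112c] 07/03/2016 17:47:11 : UserName: vitor
MSG [0x112c] 07/03/2016 17:48:30 : SSS: LOGIN #New User CRSessionID:4
DEBUG [0x112c] 07/03/2016 17:48:30 : ********** Sending login **********
DEBUG [0x112c] 07/03/2016 17:48:30 : SessionID: 1024
DEBUG [0x112c] 07/03/2016 17:48:30 : SourcePort: 4660 , 13330
DEBUG [0x112c] 07/03/2016 17:48:30 : DestinationPort: 20480 , 80
DEBUG [0x112c] 07/03/2016 17:48:30 : UserName: maria
"""

TERMINAL_SERVER_IP = "192.168.0.1"  # placeholder address used in the thread
AD_GROUPS = {"vitor": "Staff", "maria": "Contractors"}  # constructed membership
BLOCKED_BY_GROUP = {"Staff": set(), "Contractors": {"social.example"}}
PORT_KEYS = {"SourcePort": "src_port", "DestinationPort": "dst_port"}
TEXT_KEYS = {"SessionID": "session_id", "UserName": "user"}


def byte_swap16(n):
    """Return the 16-bit value n with its two bytes exchanged."""
    return ((n & 0xFF) << 8) | (n >> 8)


def parse_satc_log(text):
    """Group the flat 'Key: value' lines into one dict per 'Sending login' block.

    Each port is logged twice, once per byte order; the second value is the
    real port and the first is checked against it so a corrupt line is flagged.
    """
    events, cur = [], None
    for line in text.splitlines():
        _, sep, body = line.partition(" : ")
        if not sep:
            continue
        if "Sending login" in body:
            cur = {"ports_consistent": True}
            events.append(cur)
            continue
        key, _, value = body.partition(":")
        value = value.strip()
        if cur is None:
            continue
        if key in PORT_KEYS:
            raw, port = (int(x) for x in value.split(","))
            cur[PORT_KEYS[key]] = port
            cur["ports_consistent"] = cur["ports_consistent"] and byte_swap16(port) == raw
        elif key in TEXT_KEYS:
            cur[TEXT_KEYS[key]] = value
    return events


def identity_by_ip(events, server_ip=TERMINAL_SERVER_IP):
    """IP-based SSO: one identity per address, so the last login wins."""
    table = {}
    for ev in events:
        table[server_ip] = ev["user"]
    return table


def identity_by_session(events, server_ip=TERMINAL_SERVER_IP):
    """SATC-style: one identity per (server IP, source port) connection."""
    return {(server_ip, ev["src_port"]): ev["user"] for ev in events}


def lookup_by_ip(table, src_ip, src_port):
    return table.get(src_ip)


def lookup_by_session(table, src_ip, src_port):
    return table.get((src_ip, src_port))


def web_policy(user, host):
    """Apply the user's AD group rule; an unknown identity matches no user rule."""
    group = AD_GROUPS.get(user)
    if group is None:
        return "unauthenticated"
    return "deny" if host in BLOCKED_BY_GROUP[group] else "allow"


def decide(lookup, table, src_ip, src_port, host):
    return web_policy(lookup(table, src_ip, src_port), host)


if __name__ == "__main__":
    events = parse_satc_log(SATC_LOG)
    ip_table, sess_table = identity_by_ip(events), identity_by_session(events)
    for ev in events:
        flow = (TERMINAL_SERVER_IP, ev["src_port"], "social.example")
        print(f"{ev['user']:6} port {ev['src_port']:5}: by IP -> "
              f"{decide(lookup_by_ip, ip_table, *flow):7} by session -> "
              f"{decide(lookup_by_session, sess_table, *flow)}")
```

Run as a script, it shows the failure mode Vitor hit: with the IP-keyed table every flow from the terminal server is attributed to whoever logged in last (maria), so vitor's connections get the Contractors rule, while the session-keyed table gives each connection its own user's rule. The `ports_consistent` flag is a cheap sanity check on the log itself; if it turns false the line was not parsed the way the byte-order pattern in the real log implies.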

  • Vitor,

    Can you show the output of this command from the XG console?

    system auth thin-client show

    Luk

  • That's the output:

    Citrix Server IP :

    console>

    It's empty.

    Thanks

  • OK. Add the terminal server IP using the command:

    system auth thin-client add citrix-ip 192.168.0.1 (your terminal server IP).

    Luk

  • Thanks Luk,

    It's working as I wanted. I set up the policies and everything is going perfectly. The appliance can separate the different RDP connections from different users on the Terminal Server.

    Thank you very much.