883 Views, 0 Helpful, 3 Replies

IBFW with a MS terminal server

P. Muilman
Level 1

Hello,

Does someone know how to implement IBFW with a Microsoft Terminal Server?

I'm trying to install this in my LAB. (https://supportforums.cisco.com/docs/DOC-20366)

But it doesn't seem to be working well with the cisco AD agent.

(Attached images: Network.jpg, TS.jpg)

I had a working situation with all Windows 2008 servers.

But the AD Agent couldn't work with different users on the MS terminal server.

It attaches the user to an IP. If more than one user connects via the same IP, the ACL rules don't work anymore.

(Attached image: Rules.jpg)

We found this as a possible solution.

http://blogs.msdn.com/b/rds/archive/2009/07/09/configuring-remote-desktop-ip-virtualization-part-1.aspx

But after upgrading the DMZ server to Win2k8 R2 it doesn't work at all when connecting from the DMZ.

Strange IP connectivity (ping to IIS on the inside works / HTTP-HTTPS doesn't, and this did work before implementing IP virtualization).

Also a strange ipconfig in the RDP session:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.173.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 169.254.57.119
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   IPv4 Address. . . . . . . . . . . : 169.254.150.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 192.168.173.1

And the AD client doesn't see the users logged in....

Can anyone help with this?

Do you have this working? Or another Cisco solution? E.g. an MS Terminal Server AD agent like SonicWall offers.

Regards, Peter
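As an added diagnostic that is not part of the original thread: a short Python script that parses the ipconfig output pasted in the post above and flags the two 169.254.x.x/32 addresses. 169.254.0.0/16 is the IPv4 link-local (APIPA) range a Windows host falls back to when it cannot obtain a DHCP lease, so per-session addresses in that range point at the DHCP side of RD IP Virtualization rather than at the ASA or the AD agent (an interpretation of the posted output, not something the thread states). The sample text is copied from the post; the function names are this example's own.

```python
import ipaddress
import re

# Sample input: the ipconfig output pasted in the original post (embedded here
# so the script runs offline).
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.173.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 169.254.57.119
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   IPv4 Address. . . . . . . . . . . : 169.254.150.193
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 192.168.173.1
"""

# IPv4 link-local range (RFC 3927); Windows calls this APIPA and uses it when
# no DHCP lease could be obtained.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Matches "<field> . . . . : <value>" lines as ipconfig prints them.
_FIELD = re.compile(r"^\s*(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S*)\s*$")


def parse_ipconfig(text):
    """Return ([(address, mask), ...], default_gateway) from ipconfig output.

    An "IPv4 Address" line is paired with the "Subnet Mask" line that follows it.
    """
    addrs = []
    gateway = None
    pending = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        field, value = m.groups()
        if not value:
            continue
        if field == "IPv4 Address":
            pending = value
        elif field == "Subnet Mask" and pending:
            addrs.append((pending, value))
            pending = None
        elif field == "Default Gateway":
            gateway = value
    return addrs, gateway


def classify(addrs, gateway):
    """Flag, per address, the problems relevant to per-session IP virtualization."""
    findings = []
    gw = ipaddress.ip_address(gateway) if gateway else None
    for addr, mask in addrs:
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        if iface.ip in LINK_LOCAL:
            findings.append((addr, "apipa: no DHCP lease obtained for this session address"))
        elif gw is not None and gw not in iface.network:
            findings.append((addr, "gateway not on this address's subnet"))
        else:
            findings.append((addr, "ok"))
    return findings


if __name__ == "__main__":
    addrs, gw = parse_ipconfig(IPCONFIG_SAMPLE)
    print(f"default gateway: {gw}")
    for addr, verdict in classify(addrs, gw):
        print(f"{addr:>16}  {verdict}")
```

Run it against a live `ipconfig` capture from inside an RDP session to see at a glance whether the virtualized addresses came from a DHCP pool or from APIPA fallback.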

3 Replies

P. Muilman
Level 1

Installed the DHCP server role on the TS.

It gives the user an address from the pool (.11 - .254), but the AD agent can't correlate this to the user.

There is only one user active, and not with the pool address but with the TS address.

With 2 users with a TS session the ipconfig shows:

TS IP 192.168.173.10 and two pool addresses .11 and .12

This is what the ASA sees:

P. Muilman
Level 1

Wireshark in the TS session shows that the session uses different source addresses.

E.g. I'm seeing source 192.168.173.10 to 10.192.142.29. And to the internet / and to 10.192.142.28 (IIS) it uses source address 192.168.173.13!?

Answer from Cisco:

If you mean that CDA is used for the identity FW and you are also using sessions from a TS through the ASA... this won't work. As discussed above, the TS users use the same source IP. The CDA can't make a user-to-IP mapping.

IBFW on the ASA works only for users logged on to PCs in a MS domain.
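A small added model, not Cisco's code and not taken from the thread, of why the answer above holds: an identity firewall keeps one user per source IP, so two Terminal Server sessions sharing 192.168.173.10 collapse into whichever logon the agent saw last, and the other session's traffic is evaluated under that user's rules. That cuts both ways: a deny for a user who should be permitted, or a permit leaking to a user who should be denied. The users, groups and the two-line ACL are constructed for the example; 10.192.142.28 is the IIS address from the thread. The per-session case at the end assumes the agent did learn the pool addresses, which the thread reports it did not.

```python
from dataclasses import dataclass, field

# Constructed example data: users, their AD groups and a two-line identity ACL.
# 10.192.142.28 is the IIS host from the thread; everything else is made up.
USER_GROUPS = {"alice": {"finance"}, "bob": {"contractors"}}

# (required group, or None for any user; destination; action). First match wins.
ACL = [
    ("finance", "10.192.142.28", "permit"),
    (None, "10.192.142.28", "deny"),
]


@dataclass
class IdentityTable:
    """One user per source IP: the shape of the mapping an AD agent / CDA hands the ASA."""
    ip_to_user: dict = field(default_factory=dict)

    def logon(self, user, ip):
        # A later logon from the same IP silently replaces the earlier mapping.
        self.ip_to_user[ip] = user


def evaluate(table, src_ip, dst_ip):
    """Return (user the packet is attributed to, ACL action)."""
    user = table.ip_to_user.get(src_ip)
    groups = USER_GROUPS.get(user, set())
    for group, dst, action in ACL:
        if dst == dst_ip and (group is None or group in groups):
            return user, action
    return user, "deny"  # implicit deny at the end of the ACL


def shared_ip_scenario(logon_order, ts_ip="192.168.173.10", iis="10.192.142.28"):
    """All TS sessions source from ts_ip; each user's traffic is evaluated after all log on."""
    table = IdentityTable()
    for user in logon_order:
        table.logon(user, ts_ip)
    # Every session's packets look identical to the firewall, so every user gets
    # the verdict belonging to whoever logged on last.
    return {user: evaluate(table, ts_ip, iis) for user in logon_order}


def per_session_ip_scenario(iis="10.192.142.28"):
    """With a distinct address per session (and an agent that learned it), the mapping holds."""
    table = IdentityTable()
    table.logon("alice", "192.168.173.11")
    table.logon("bob", "192.168.173.12")
    return {
        "alice": evaluate(table, "192.168.173.11", iis),
        "bob": evaluate(table, "192.168.173.12", iis),
    }


if __name__ == "__main__":
    print("alice then bob:", shared_ip_scenario(["alice", "bob"]))
    print("bob then alice:", shared_ip_scenario(["bob", "alice"]))
    print("per-session IPs:", per_session_ip_scenario())
```

The second ordering is the one to worry about: once alice's logon overwrites the mapping, bob's traffic from the shared address is permitted to the IIS host under her finance rule.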