Setting up UIA Agent for usage with Terminal Server (10.x)

Security Gateway Articles and How to's

Post by daed » 18 Oct 2012, 16:13

Setting up UIA Agent for usage with Terminal Server

This applies to:

Clavister Security Gateway 10.x

Scenario:

• I have a Clavister Security Gateway, a Microsoft Windows domain and a Terminal Server (Windows Server 2008 R2).
• I want to be able to use UIA on the Terminal Server as well as on the Domain Controller.

Requirements:

• Clavister User Identity Awareness Agent v1.00.02.01 or later (you need to log in to be able to download it)
• Microsoft Windows Server 2008 R2
• Role: Remote Desktop Session Host
• Remote Desktop IP Virtualization set to Per Session

Install the UIA Agent on the Terminal Server using a Domain Admin account, or an account with similar rights.
Make sure to tick the checkbox "Remote Desktop IP Virtualization".

Then go to the Clavister WebUI.

Go to: Objects -> Key Ring and create a Pre-Shared Key. Give it a descriptive name such as "auth_agent_psk", and paste in the encryption key that you generated in the UIA Agent.

Go to: Policies -> Authentication Rules -> Authentication Agents and click Add -> "Authentication Agent". Give it a descriptive name such as "auth_agent_terminal_server".
Select or type the IP of the terminal server, select the port (default is 9999) and select the "auth_agent_psk" key.

Save and Activate these changes.

Go to: Status -> Authentication Agent and make sure that "auth_agent_terminal_server" is in LISTENING mode.


To be able to test this out, I will show you an example set of rules.

Go to: Objects -> Address Book. Create an IP4 Address, give it a name like: "auth_client_net" and specify the network that you want to use.

Then click the "User Authentication" tab, add the users or group there and click OK.

Go to: Policies -> Firewalling and create rules like this:
[img]http://s30.postimg.org/rot9usp34/Main_IP_Rules.jpg[/img]
Please note that DNS lookups are performed with the IP of the terminal server itself, not with the session IP assigned to the client's session, so a rule that requires an authenticated user will not match them. You therefore need to create rules so that DNS lookups work from the terminal server's own IP.

Save and Activate these changes.

Now log in to the terminal server with the user you specified earlier.

Go to: Status -> User Authentication Status. You should now see the user signed on, and you should be able to surf the web. Test this by forcibly logging out the client; after that, you should no longer be able to surf the web.
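As an added illustration (not Clavister code, and not the gateway's real rule engine), here is a small model of how the identity-aware rules above behave: the agent reports user-to-session-IP mappings, the HTTP rule on "auth_client_net" only matches a session IP with a signed-on user in the right group, DNS from the terminal server's own IP needs its own rule, and a logoff makes the HTTP rule stop matching. All IP addresses, the user "alice" and the group "websurfers" are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

TS_IP = "192.0.2.10"               # constructed: the terminal server's own address
AUTH_CLIENT_NET = "192.0.2.0/24"   # constructed: network of the "auth_client_net" object

@dataclass
class Rule:
    name: str
    src_net: str                         # address-book object, as a CIDR
    service: str                         # "http" or "dns"
    require_group: Optional[str] = None  # group from the User Authentication tab

@dataclass
class Gateway:
    rules: list
    sessions: dict = field(default_factory=dict)  # session IP -> (user, group)

    def agent_logon(self, ip: str, user: str, group: str) -> None:
        """UIA agent reports a user signing on to a per-session virtualized IP."""
        self.sessions[ip] = (user, group)

    def agent_logoff(self, ip: str) -> None:
        """UIA agent reports the session ended; the IP is no longer authenticated."""
        self.sessions.pop(ip, None)

    def evaluate(self, src_ip: str, service: str) -> str:
        """Return the first matching rule name, or 'default_drop' if none matches."""
        addr = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if addr not in ipaddress.ip_network(rule.src_net) or rule.service != service:
                continue
            if rule.require_group is not None:
                user = self.sessions.get(src_ip)   # TS_IP itself never has a mapping
                if user is None or user[1] != rule.require_group:
                    continue
            return rule.name
        return "default_drop"

def build_gateway(with_dns_rule: bool = True) -> Gateway:
    rules = [Rule("allow_auth_http", AUTH_CLIENT_NET, "http", require_group="websurfers")]
    if with_dns_rule:   # the extra rule the note above asks for
        rules.append(Rule("allow_ts_dns", f"{TS_IP}/32", "dns"))
    return Gateway(rules)

def demo() -> dict:
    gw = build_gateway()
    gw.agent_logon("192.0.2.50", "alice", "websurfers")   # constructed session IP
    results = {"http_logged_on": gw.evaluate("192.0.2.50", "http"),
               "dns_from_ts": gw.evaluate(TS_IP, "dns"),
               "dns_without_rule": build_gateway(False).evaluate(TS_IP, "dns")}
    gw.agent_logoff("192.0.2.50")
    results["http_logged_off"] = gw.evaluate("192.0.2.50", "http")
    return results
```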

For more details, please see the latest administration guide.
