Filtering Terminal Services Users

rated by 0 users
Not Answered This post has 0 verified answers | 3 Replies | 1 Follower

Not Ranked
2 Posts
CMowl posted on 9 May 2012 12:57 PM

Here is our environment, approximately 400 users about half on a Terminal Services farm and the other half running PCs or laptops. We have Cisco ASA firewalls, which has been integrated to a Websense filtering server. All PCs/laptop users are being filtered & logged appropriately.

Our issue is the Terminal Services users, we have a farm of about 10 Windows 2008 R2 Terminal/RDS Servers, all users need to be filtered and more specifically logged.  We do not have Microsoft ISA or Proxy server in our environment. Our preferred option would of course just get logged through the ASA but I understand that won't identify the specific users.

I understand we should be able to use Squid as a proxy for the Terminal Servers, and stand up another Websense filtering server integrated with squid, running the DC agent on that box and capture the specific user information.

That said, squid is installed, all TS servers pointing to squid as the proxy which is integrated with a filtering service on a Windows box running DC agent. We are still not getting logging to work, the majority of the hits are being logged as the ip address of the squid server. What can be done to mitigate this? The logging is imparative for us.  Why a simple plug-in doesn't exist a'la Citrix is baffling.

Note: We have Chrome, IE, & Firefox browsers and having the users authenticate with a username/password for squid is impratical and will not be an option in this environment

|

All Replies

Top 10 Contributor
986 Posts
Trusted Users (MVP)

Did you integrate that 2nd Filtering Service with the Squid proxy?  Also, DC Agent won't do you any good with your Terminal Servers.  The whole reason you have to use a proxy in the first place is because DC Agent only supports 1 person per IP address.  I'm not as familiar with Squid proxy deployments but I imagine there's a different identification method to be used with it to tell the users apart.

|
Not Ranked
2 Posts

The second filtering service is integrated with Squid. I hear you on the 1 person/IP address for the DC agent but am completely unsure how to make this solution work then.....

Squid supports 4 authentication mechanisms within its config.

Anonymous, which naturally gives you zero logging ability

Basic Authentication, which in theory COULD work, but forcing the users to enter logon credentials each time they open a browser will not be an acceptable option

Digest Authentication, which of course just scrambles the cleartext but still has the same issue as Basic of forcing the users to manually authenticate each time they open a browser

Integrated Windows Authentication, which **should** transparently work for IE (which would be great) - except - we are forced to also use Chrome & Firefox which puts us right back in the manual authentication for opening the other browsers

We need to do some sort of Transparent identification, although frankly I would be estatic if there was a plug-in I could install on the Terminal Servers to make this work a'la Citrix and I could kiss this entire squid thing good-bye and stick with just the one ASA integrated filtering service which would be ideal

|
Top 10 Contributor
986 Posts
Trusted Users (MVP)

I'd ask your SE or open a ticket with Support about Squid authentication... unfortunately I have no experience with it.

That aside -- I believe Firefox (and I bet Chrome too) CAN do transparent IWA but it requires a configuration change (I believe you need to .tell it what your domain name is)

|
Page 1 of 1 (4 items)