Watchguard SSO and Terminal Service Agent

From what I'm reading, this doesn't work?

Each TS user has to log in using Firebox Auth (port 4100), which will then identify who they are on the Terminal Server and apply the correct policies etc.

I was hoping the agent could decipher who they are without them having to sign in, and report back to the XTM?

Am I being stupid or is this just the case?
 
Is this an external connection into a TS box? If so, once you have established a VPN connection the protocol should traverse the firewall without any issue. I can establish a VPN connection and RDP through, which is the same ports as TS, surely.
 

No, internal connection.

We have 40 sales users, all working over 3 terminal servers.

According to WatchGuard, you cannot use SSO and the TS Agent, as the WatchGuard can't differentiate users on a box.

A member of staff should get a more restrictive filtering policy than, say, a manager. But the manager is getting the more restrictive policy (further down the policy list).

The Firebox treats anything from IP 10.x.x.113 as the first user who logged on.

Visiting the web interface and logging in solves the issue, but it's a PITA for each person to have to log in each session.
 
Nope, you cannot use SSO with the TS agent. That's just how it works on WatchGuard.

Ah, bugger. Next step is to have users log on using the HTTPS port 4100 page. I've tried following this guide

http://www.watchguard.com/help/docs/wsm/11_5-XTM/en-US/index.html

but it doesn't appear to auto-redirect the users when they try to surf? I just get a white screen in the browser. If I manually go to :4100, it works fine after that.

Would I need to add my TS servers as exceptions on the SSO Agent?
 
OK, I've answered a couple of my own questions. Here's what I found:

Auto-redirect doesn't work with Terminal Server.
SSO doesn't work with Terminal Server, full stop.

WatchGuard's workaround:

Set users' homepage to https://watchguard ip:4100
Set a desktop icon they can use to log on with.

Really, really poor TS support to be honest, especially when SonicWall has it all working. I have submitted a feature request for SSO with TS, so hopefully it will surface at some point.

We have had to implement an additional proxy server (FreeProxy, pah!) to log internet history and allow all traffic from the TS IPs to go through a restricted HTTP proxy.
 
We've had this issue with WatchGuard products not being able to see specific users on terminal servers for years, so I wouldn't hold out any hope of them fixing it! The WatchGuard just sees traffic from the IP of the TS and has no way of knowing which user generated that traffic if they're not authenticated to the firewall.

We ended up installing a Barracuda web filter as a proxy to allow us to log internet history, but even that only works because it authenticates users through AD.
 