Home » Kerio User Forums » Kerio Control » Terminal Server
  •  
patrickl

Hi everyone,

I have WinRoute installed on another machine running Windows XP, filtering web traffic by requiring users to authenticate before accessing the web. All of my users run their apps in Terminal Server sessions, and the problem I have is that the first user to log on to the server and start his web browser is required to log in to WinRoute, and after that all other users' web traffic is logged under the name of the first user who logged in to WinRoute.

Is there any other way to force all Terminal Server users to log on with their own names?

Thanks!
  •  
winkelman

Do all TS clients get their own IP address, or do they all work with the IP address of the TS server?

In the latter case: I think you can't have separate logins for every user...
  •  
patrickl

Yes, they are using the internet within their Terminal Server sessions, so they all use the same IP address.
  •  
winkelman

Hmm... curious situation.

I think KWF discriminates between different users based on their different IP addresses. Maybe you can configure the TS server differently to give each session its own IP address?

I don't know a thing about TS, so I guess I am not of too much help...
  •  
catoxpress

KWF will not handle this in its present version. We have a TS farm with about 150 users, and I tried to figure out how to make this work some time ago without success.

We turned to IPRISM by St. Bernard for our solution. It allows transparent AD authentication and you can set up groups so users have varying access schemas. It works at the domain account level instead of the IP address level.

I don't know whether Kerio is planning to add this to KWF in the future. For now, this is a great solution for our company.
  •  
winkelman

You can use "Internet Explorer Authentication" in KWF, maybe this will also do the trick in a TS environment?

See manual here: http://www.kerio.com/manual/kwf/en/ch21s02.html
"WinRoute supports automatic user authentication by the NTLM method (authentication from Web browsers). Users once authenticated for the domain are not asked for username and password."
  •  
bengkel

Hi patrickl,
I have tried the settings below:

IN KWF
Under Authentication Options in Users and Groups:
Check -> Always Require Users to be authenticated
Check -> Force non-transparent proxy server authentication
Check -> Apply to these IP addresses (select your terminal host)
Check -> Enable user authentication automatically performed by web browser
Under Proxy Server in Content Filtering -> HTTP Policy:
Check -> Enable non-transparent proxy server, with the default port 3128

ON YOUR TERMINAL SERVER - BROWSERS
IF USING INTERNET EXPLORER
Force all your users to use the proxy server: in Internet Options, change the proxy server to the proxy address, with port 3128
Check -> Bypass proxy server for local addresses

You can use a GPO on the terminal server to lock the IE proxy settings against unauthorized users.

IF USING FIREFOX
Try googling how to lock the Firefox proxy settings, because I haven't tried it.

RESULTS from my experiment
1. Every time your terminal users launch a browser, it will ask for a username and password, either from the local user database or Windows AD/domain.
2. Some HTTPS issues might occur in IE, but it works in Firefox.
3. All user activities will be logged for the next 15-30 minutes, not in real time.
4. If you set a quota limit, it might not work.
5. Downloads will not work on some websites.
6. HTTP Policy -> URL Rules works perfectly.
7. If you find a solution for the above (3-5), let me know; I'm just as curious as you are.

Cheers,
Bengkel
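
The difference between the two approaches discussed in this thread, as an added example that is not part of any post and is not Kerio's code: a session table keyed by source IP credits every Terminal Server user's traffic to the first login, while a non-transparent proxy reads credentials from each request. The address, users and URLs are constructed, Basic credentials stand in for NTLM to keep the model short, and password verification is omitted.

```python
import base64

# Constructed sample: three users browsing from one Terminal Server address.
REQUESTS = [
    {"src": "192.0.2.10", "user": "alice", "password": "a-pw", "url": "http://example.com/a"},
    {"src": "192.0.2.10", "user": "bob", "password": "b-pw", "url": "http://example.com/b"},
    {"src": "192.0.2.10", "user": "carol", "password": "c-pw", "url": "http://example.com/c"},
]


def basic_header(user, password):
    """Build the Proxy-Authorization value a browser sends after a 407 challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_proxy_user(headers):
    """Return the user name from a Proxy-Authorization: Basic header, or None."""
    scheme, _, token = headers.get("Proxy-Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: treat as unauthenticated
    user, sep, _ = decoded.partition(":")
    return user if sep and user else None


def attribute_by_ip(requests):
    """Session table keyed by source IP: the first login owns the address."""
    sessions, log = {}, []
    for r in requests:
        owner = sessions.setdefault(r["src"], r["user"])  # later users are never prompted
        log.append((owner, r["url"]))
    return log


def attribute_by_proxy_auth(requests):
    """Non-transparent proxy: each request is attributed by its own credentials."""
    log = []
    for r in requests:
        headers = {"Proxy-Authorization": basic_header(r["user"], r["password"])}
        user = parse_proxy_user(headers)
        # A request without usable credentials would be answered with a 407.
        log.append((user or "407 Proxy Authentication Required", r["url"]))
    return log
```
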