Configuring Terminal Servers

Deploying the Terminal Servers Identity Awareness Solution

To deploy Terminal Servers Endpoint Identity Agent:

Install a Terminal Servers Endpoint Identity Agent - You install this agent on the application server that hosts the Terminal/Citrix services after you enable the Terminal Servers identity source in the Identity Awareness Gateway object and install the Access Policy.
Go to sk134312 to download the Terminal Servers Endpoint Identity Agent.

Make sure you open the link from a location defined in the Terminal Servers Accessibility setting (Identity Awareness Gateway properties > Identity Awareness > Terminal Servers > Settings > Edit).
Configure a Shared Secret - You must configure the same password on the Terminal Servers Endpoint Identity Agent and the Identity Awareness Gateway. This password is used to secure the established trust between them.

Upgrading a Terminal Servers Endpoint Identity Agent

There is no option to upgrade the Terminal Servers Endpoint Identity Agent when you upgrade a Security Gateway to a newer version. You must manually install the new version of the Terminal Servers Endpoint Identity Agent on the Citrix or Terminal Server.

Configuring the Shared Secret

You must configure the same password as a shared secret in the Terminal Servers Endpoint Identity Agent on the application server that hosts the Terminal/Citrix services and on the Security Gateway enabled with Identity Awareness. The shared secret enables secure communication and lets the Security Gateway trust the application server with the Terminal Servers functionality.

The shared secret must contain at least 1 digit, 1 lowercase character, 1 uppercase character, no more than three consecutive digits, and must be eight characters long. In SmartConsole, you can automatically generate a shared secret that matches these conditions.

To configure the shared secret on the Identity Awareness gateway:

Log in to SmartConsole.
From the left Navigation Toolbar, click GATEWAYS & SERVERS.
Double-click the Check Point Security Gateway that has Identity Awareness enabled.
In the left tree, go to the Identity Awareness page.
In the Identity Sources section, select Terminal Servers and click Settings.
To automatically configure the shared secret:
1. Click Generate to automatically get a shared secret that matches the string conditions.
  The generated password is shown in the Pre-shared secret field.
2. Click OK.
To manually configure the shared secret:
1. Enter a password that matches the conditions in the Pre-shared secret field.
  Note the strength of the password in the Indicator.
2. Click OK.

To configure the shared secret on the application server:

Open the Terminal Servers Endpoint Identity Agent.
The Check Point Endpoint Identity Agent - Terminal Servers main window opens.
In the Advanced section, click Terminal Servers Settings.
In Identity Server Shared Secret, enter the shared secret string.
Click Save.

Configuring Terminal Servers Accessibility

Log in to SmartConsole.
From the left Navigation Toolbar, click GATEWAYS & SERVERS.
Double-click the Check Point Security Gateway that has Identity Awareness enabled.
In the left tree, go to the Identity Awareness page.
Click Terminal Servers - Settings.
In the Accessibility section, click Edit to select from where the Terminal Servers Endpoint Identity Agent can connect.
The options are based on the topology configured for the gateway:
- Through all interfaces
- Through internal interfaces
  - Including undefined internal interfaces
  - Including DMZ internal interfaces
  - Including VPN encrypted interfaces
- According to the Firewall policy - Select this, if there is a rule that states who can access the portal.

Terminal Servers Endpoint Identity Agent Users Tab

The Users tab in the Terminal Servers Endpoint Identity Agent main window shows a table with information about all users that are actively connected to the application server that hosts the Terminal/Citrix services.

Table Field	Description
ID	The SID of the user.
User	The user and domain name. The format used: `<domain>\<user>`
TCP Ports	The ports allocated to the user for TCP traffic.
UDP Ports	The ports allocated to the user for TCP traffic.
Authentication Status	Indicates whether this user is authenticated on the gateway.

The ID and User field information is automatically updated from processes running on the application server. The Terminal Servers Endpoint Identity Agent assigns TCP and UDP port ranges for each connected user.

Multi-User Host (MUH) Advanced Settings

In the Terminal Servers Endpoint Identity Agent main window, click Advanced > Terminal Servers Settings.

Advanced uses can change these settings when necessary.

Best Practice - We highly recommend that you keep the default values, if you are not an advanced user.

Changes are applied to new users that log in to the application server after the settings are saved in the Terminal Servers Endpoint Identity Agent. Users that are currently logged in, will stay with the older settings.

Advanced Setting	Description
Excluded TCP Ports	Ports included in this range will not be assigned to any user for TCP traffic. This field accepts a port range or list of ranges (separated with a semicolon).
Excluded UDP Ports	Ports included in this range will not be assigned to any user for UDP traffic. This field accepts a port range or list of ranges (separated with a semicolon).
Maximum Ports Per User	The maximum number of ports that can be assigned to a user in each of the TCP and UDP port ranges.
Ports Reuse Timeout (seconds)	The number of seconds the system waits until it assigns a port to a new user after it has been released by another user.
Errors History Size	N/A
Gateway Shared Secret	The same password that is set on the gateway that enables trusted communication between the Security Gateway and the application server.