
Configuring Terminal Servers

Deploying the Terminal Servers Identity Awareness Solution

To deploy Terminal Servers Identity Agent:

Upgrading a Terminal Servers Identity Agent

There is no option to upgrade the Terminal Servers Identity Agent when you upgrade a Security Gateway to a newer version. You must manually install the new version of the Terminal Servers Identity Agent on the Citrix or Terminal Server.

Configuring the Shared Secret

You must configure the same password as a shared secret in the Terminal Servers Identity Agent on the application server that hosts the Terminal/Citrix services and on the Identity Awareness Gateway. The shared secret enables secure communication and lets the Security Gateway trust the application server with the Terminal Servers functionality.

The shared secret must contain at least 1 digit, 1 lowercase character, 1 uppercase character, no more than three consecutive digits, and must be eight characters long. In SmartConsole, you can automatically generate a shared secret that matches these conditions.
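As an added example (not part of this page and not Check Point's own code), the following Python script checks a candidate pre-shared secret against the rules listed above and generates one that satisfies them from the operating system's CSPRNG. It assumes that "no more than three consecutive digits" means no run of four or more adjacent digit characters, and it takes the page's "eight characters long" literally; SmartConsole's Generate button and strength indicator remain the authority on what the gateway accepts.

```python
import re
import secrets
import string
from typing import List

# Policy as stated on this page. Interpretation of "consecutive digits" as adjacent
# digit characters, and the exact length, are this example's assumptions.
REQUIRED_LENGTH = 8
MAX_DIGIT_RUN = 3
_DIGIT_RUN = re.compile(r"[0-9]{%d,}" % (MAX_DIGIT_RUN + 1))


def check_shared_secret(secret: str) -> List[str]:
    """Return the list of policy violations; an empty list means the secret is acceptable."""
    problems: List[str] = []
    if len(secret) != REQUIRED_LENGTH:
        problems.append(f"length is {len(secret)}, must be {REQUIRED_LENGTH}")
    if not any(c in string.digits for c in secret):
        problems.append("no digit")
    if not any(c in string.ascii_lowercase for c in secret):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in secret):
        problems.append("no uppercase letter")
    run = _DIGIT_RUN.search(secret)
    if run:
        problems.append(f"more than {MAX_DIGIT_RUN} consecutive digits: {run.group(0)}")
    return problems


def generate_shared_secret(length: int = REQUIRED_LENGTH) -> str:
    """Rejection-sample from the CSPRNG until a candidate passes check_shared_secret().

    Filtering after drawing keeps every accepted secret uniformly distributed over the
    set of policy-compliant strings, which a 'fix up the failing class' approach would not.
    """
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_shared_secret(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Ab3defgh", "abcdefgh", "Ab1234cd"):   # constructed test inputs
        print(sample, check_shared_secret(sample) or "OK")
    print("generated:", generate_shared_secret())
```

Generate the secret on an administrative workstation and enter it on both sides by hand; it is a symmetric credential, so it should never travel in a ticket, e-mail or chat message.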

To configure the shared secret on the Identity Awareness Gateway:

  1. Log in to SmartConsole.
  2. From the left navigation Toolbar, click Gateways & Servers.
  3. Open the Identity Awareness Gateway object.
  4. In the left tree, go to the Identity Awareness page.
  5. In the Identity Sources section, select Terminal Servers and click Settings.
  6. To automatically configure the shared secret:
    1. Click Generate to get a shared secret automatically that matches the string conditions.

      The generated password is shown in the Pre-shared secret field.

    2. Click OK.
  7. To manually configure the shared secret:
    1. Enter a password that matches the conditions in the Pre-shared secret field.

      Note the strength of the password in the Indicator.

    2. Click OK.

To configure the shared secret on the Application Server:

  1. Open the Terminal Servers Identity Agent.

    The Check Point Identity Agent - Terminal Servers main window opens.

  2. In the Advanced section, click Terminal Servers Settings.
  3. In Identity Server Shared Secret, enter the shared secret string.
  4. Click Save.

Configuring Terminal Servers Identity Agent Accessibility

  1. Log in to SmartConsole.
  2. From the left navigation Toolbar, click Gateways & Servers.
  3. Open the Identity Awareness Gateway object.
  4. In the left tree, go to the Identity Awareness page.
  5. Click Terminal Servers - Settings.
  6. In the Accessibility section, click Edit to select from where the Terminal Servers Identity Agent can connect.

    The options are based on the topology configured for the gateway:

    • Through all interfaces
    • Through internal interfaces
      • Including undefined internal interfaces
      • Including DMZ internal interfaces
      • Including VPN encrypted interfaces
    • According to the Firewall policy - Select this if the Access Control policy already contains a rule that defines which hosts are allowed to connect to the gateway as Terminal Servers Identity Agents.

Configuring Terminal Servers Authentication Settings

On Identity Awareness Gateway, the Authentication Settings for Terminal Servers Identity Agents are now stored separately from the Authentication Settings for Identity Agents. This lets the administrator configure different authentication settings for different Identity Agents.

To configure Terminal Servers Identity Agents Authentication Settings with all Active Directories:

  1. Log in to SmartConsole.
  2. From the left navigation toolbar, click Gateways & Servers.
  3. Open the Identity Awareness Gateway object.
  4. In the left tree, go to the Identity Awareness page.
  5. Near the Terminal Servers, click Settings.
  6. In the Authentication Settings section, click Settings.
  7. Select All Gateway's Active Directories (under Security Gateway -> Other -> User Directory).
  8. Click OK to close the Active Directories window.
  9. Click OK to close the Terminal Servers window.
  10. Configure the Account Units Query settings:
    1. In the left tree of the Security Gateway object, click on the [+] near the Other pane.
    2. Click the User Directory pane.
    3. In the Account Units Query section, select All.
  11. Click OK to close the Gateway Properties window.
  12. Install the Access Policy.

To configure Terminal Servers Identity Agents Authentication Settings with a specific Active Directory:

  1. Log in to SmartConsole.
  2. From the left navigation toolbar, click Gateways & Servers.
  3. Open the Identity Awareness Gateway object.
  4. In the left tree, go to the Identity Awareness page.
  5. Near the Terminal Servers, click Settings.
  6. In the Authentication Settings section, click Settings.
  7. Select Specific.
  8. Click on the green [+] > select the correct LDAP Account Unit object.
  9. Click OK to close the Active Directories window.
  10. Click OK to close the Terminal Servers window.
  11. Configure the Account Units Query settings:
    1. In the left tree, click on the [+] near the Other pane.
    2. Click the User Directory pane.
    3. In the Account Units Query section, select Selected Account Units list > select the same LDAP Account Unit object that you selected in Step 8.
  12. Click OK to close the Gateway Properties window.
  13. Install the Access Policy.

Terminal Servers Identity Agent Users Tab

The Users tab in the Terminal Servers Identity Agent main window shows a table with information about all users that are actively connected to the application server that hosts the Terminal/Citrix services.

Table Field - Description

ID - The SID of the user.

User - The user and domain name. The format used: <domain>\<user>

TCP Ports - The ports allocated to the user for TCP traffic.

UDP Ports - The ports allocated to the user for UDP traffic.

Authentication Status - Indicates whether this user is authenticated on the gateway.

The ID and User field information is automatically updated from processes running on the application server. The Terminal Servers Identity Agent assigns TCP and UDP port ranges for each connected user.

Multi-User Host (MUH) Advanced Settings

In the Terminal Servers Identity Agent main window, click Advanced > Terminal Servers Settings.

Advanced users can change these settings when necessary.

Best Practice - We highly recommend that you keep the default values, if you are not an advanced user.

Changes are applied to new users that log in to the application server after the settings are saved in the Terminal Servers Identity Agent. Users that are currently logged in keep the older settings.

Advanced Setting - Description

Excluded TCP Ports - Ports included in this range will not be assigned to any user for TCP traffic. This field accepts a port range or a list of ranges (separated with a semicolon).

Excluded UDP Ports - Ports included in this range will not be assigned to any user for UDP traffic. This field accepts a port range or a list of ranges (separated with a semicolon).

Maximum Ports Per User - The maximum number of ports that can be assigned to a user in each of the TCP and UDP port ranges.

Ports Reuse Timeout (seconds) - The number of seconds the system waits until it assigns a port to a new user after it has been released by another user.

Errors History Size - N/A

Gateway Shared Secret - The same password that is set on the gateway that enables trusted communication between the Security Gateway and the application server.
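The settings above only make sense together: the gateway attributes a connection from the multi-user host to a user by its source port, so the exclusion list, the per-user quota and the reuse timeout all shape that port-to-identity mapping. As an added example (not the agent's own implementation, which this page does not describe), the following Python model shows how these three settings interact: excluded ranges in the page's semicolon-separated format are never handed out, each login receives Maximum Ports Per User ports, a logged-out user's ports stay unassignable until Ports Reuse Timeout has elapsed (so lingering connections of the previous user are not attributed to the next one), and a login that cannot be satisfied fails rather than borrowing quarantined ports. The port pool, the SIDs and the injected clock are constructed for the example; the single-port form of an exclusion ("10010") is an assumption.

```python
import heapq
from typing import Dict, List, Optional, Set, Tuple


def parse_excluded_ports(spec: str) -> Set[int]:
    """Parse an 'Excluded TCP/UDP Ports' value: one range, or several separated by
    semicolons, e.g. "10005-10006;10010-10010". A bare port number is treated as a
    one-port range (assumption); whitespace around items is tolerated."""
    excluded: Set[int] = set()
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_p, hi_p = int(lo), int(hi or lo)
        if not 1 <= lo_p <= hi_p <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        excluded.update(range(lo_p, hi_p + 1))
    return excluded


class FakeClock:
    """Deterministic stand-in for wall-clock time so the reuse timeout can be exercised."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class PortAllocator:
    """Toy per-protocol (TCP or UDP) source-port pool modelling the MUH settings."""

    def __init__(self, first_port: int, last_port: int, excluded_spec: str,
                 max_ports_per_user: int, reuse_timeout: float, clock) -> None:
        self.excluded = parse_excluded_ports(excluded_spec)
        self.free: List[int] = [p for p in range(first_port, last_port + 1)
                                if p not in self.excluded]
        heapq.heapify(self.free)                      # lowest free port is handed out first
        self.max_ports_per_user = max_ports_per_user
        self.reuse_timeout = reuse_timeout
        self.clock = clock
        self.owner: Dict[int, str] = {}               # port -> SID it is currently assigned to
        self.ports_of: Dict[str, List[int]] = {}      # SID -> ports assigned at login
        self.quarantine: List[Tuple[float, int]] = [] # (released_at, port) awaiting the timeout

    def _reclaim(self) -> None:
        """Return ports whose reuse timeout has expired to the free pool."""
        now = self.clock()
        keep: List[Tuple[float, int]] = []
        for released_at, port in self.quarantine:
            if now - released_at >= self.reuse_timeout:
                heapq.heappush(self.free, port)
            else:
                keep.append((released_at, port))
        self.quarantine = keep

    def login(self, sid: str) -> List[int]:
        """Assign max_ports_per_user ports to a newly connected user, or fail outright."""
        if sid in self.ports_of:
            raise ValueError(f"{sid} already has ports")
        self._reclaim()
        if len(self.free) < self.max_ports_per_user:
            raise RuntimeError("port pool exhausted")
        ports = [heapq.heappop(self.free) for _ in range(self.max_ports_per_user)]
        for p in ports:
            self.owner[p] = sid
        self.ports_of[sid] = ports
        return ports

    def logout(self, sid: str) -> None:
        """Release a user's ports; they are unassignable until reuse_timeout elapses."""
        now = self.clock()
        for p in self.ports_of.pop(sid):
            del self.owner[p]
            self.quarantine.append((now, p))

    def identify(self, port: int) -> Optional[str]:
        """The gateway's question: which user does this source port belong to right now?"""
        return self.owner.get(port)


def demo() -> dict:
    """Walk four constructed users through a 16-port pool with two excluded ranges."""
    clock = FakeClock()
    tcp = PortAllocator(10000, 10015, "10005-10006; 10010",
                        max_ports_per_user=4, reuse_timeout=60, clock=clock)
    result = {}
    result["alice"] = tcp.login("S-1-5-21-1")     # excluded ports are skipped
    result["bob"] = tcp.login("S-1-5-21-2")
    tcp.logout("S-1-5-21-1")
    result["carol"] = tcp.login("S-1-5-21-3")     # Alice's ports are still quarantined
    result["owner_in_quarantine"] = tcp.identify(10000)
    try:
        tcp.login("S-1-5-21-4")                   # one free port left, four needed
        result["exhausted"] = False
    except RuntimeError:
        result["exhausted"] = True
    clock.advance(61)                             # reuse timeout has now passed
    result["dave"] = tcp.login("S-1-5-21-4")      # Alice's old ports are reusable
    result["owner_after"] = tcp.identify(10000)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes two of the page's warnings concrete. A user who is logged in when settings change keeps the ports assigned at login, because nothing in the allocator revisits an existing assignment. And a quota or exclusion list that leaves too few free ports does not degrade gracefully: the login fails, which on a real host means a user without an identity mapping rather than a user with a borrowed one.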