Tips & Tricks: Considerations for TS Agent and User-ID Agent in a Mixed Environment
Environment
- Termninal Server (TS) Agent
- User ID Agent
- Active Directory
Resolution
In an environment where both Terminal Services (TS) Agent and User Identification (User-ID) Agent are used to ascertain which users are logged on to certain systems, some precautions need to be taken to prevent incorrect mapping of users, mainly regarding the terminal servers, where multiple users can be logged on at the same time.
Both agents achieve user mapping in their own distinct way:
- The User-ID Agent maps a single user to a single IP by reading login events from the Active Directory, determining a logged-in-user by performing a netbios or WMI probe, access to a network drive, or an API call from an integrated AP.
- The TSAgent is only active on the system it is installed on and works by assigning source port ranges (it actively participates in the network stack) to logged-in users, informing the firewall which source ports are used by each user.
If both clients are active in the same environment, and the TSAgent installed hosts are part of the same network as the regular clients, some conflicts may occur. Most commonly, a double mapping could be created where both the TSAgent and UIDAgent have a user mapping for a single IP address.
> show user ip-user-mapping all IP Vsys From User IdleTimeout(s) MaxTimeout(s) --------------- ------ ------- -------------------------------- -------------- ------------- 10.192.16.98 vsys1 UIA pantac\administrator 3590 3590 > show user ip-port-user-mapping all Global max host index 1, host hash count 1 TS-Agent 10.192.16.98 Vsys 1, Flag 3 Port range: 20000 - 39999, port count 20000 Number of ports allocated per user terminal session: 200; max 2000 Number of user terminal sessions (port block count): 100 20000-20199: pantac\eng 20200-20399: pantac\tpiens
This overlap, in most cases, is harmless: typically the logged-in users will be assigned a source port by the TSAgent and be identified as such by the firewall, while service accounts could be triggering UIDAgent login events -- picked up from the AD security log -- generating a UID entry in the ip-user-mapping. Any outgoing connections from such service accounts would be identified by the ip-user-mapping instead of the ip-port-mapping.
In some scenarios, it may be undesirable to allow ip-user-mapping to occur for a terminal server, as this mapping can be triggered by several processes and is hard to control (drive mapping to a server with a UID agent installed, performing remote tasks with different usernames), especially in a mixed environment where users with highly different privileges access the same terminal server.
From a security best practices perspective, it is recommended to exclude the terminal servers from the UIDAgent's discovery. This will prevent any regular ip-user-mapping to occur for the IPs associated with the terminal server farm, preventing accidental misidentification of a service account's activities with a known user who happened to perform a task that elicits identification by the UIDAgent:
NOTE: If you add Exclude profiles without adding any Include profiles, the User-ID agent excludes all subnetworks, not just the ones you added.
Alternatively or additionally, users can be added to the ignore user list to prevent these from being mapped by the UIDAgent altogether:
How to Add/Delete Users from Ignore User List using Agentless User-ID
How to Ignore Users in User-ID Agent