Terminal Services and Citrix servers provide the ability for multiple, simultaneous client sessions to be hosted on a single server. The client sessions hosted on these servers share a single IP address, the one belonging to the host machine.
Umbrella Active Directory (AD) integration with virtual appliances (VAs) relies on unique user-to-IP address mappings in order to work correctly. When multiple logged-in users share the same IP address and use the VAs for DNS resolution, the result is mappings in which several users are mapped to the same IP address. This can adversely affect policy application and reporting.
In short, Umbrella is unable to determine which user is actually logged on at any given time in a Terminal Services environment. This is a very common problem for traditional hardware Internet proxies, as well as for any service attempting to identify a single user on a machine with multiple user sessions.
Applies to: Windows Terminal Services and Remote Desktop Services, Citrix XenApp and XenDesktop
Using Terminal Services with AD integration and VAs
The best way to tackle this problem is to configure a unique policy for the Terminal Services servers or Citrix servers on your network. You can complete this using the following steps:
- Navigate to the Policy Wizard and create a new policy
- In the Select Identities section, select the terminal servers in question
- Configure the policy as you normally would
- After you have created the policy for your Terminal Services servers, be sure to order this policy at the top of the list of policies so it will take precedence over any user-based policies.
Finally, due to the way in which the VA expires host-to-IP mappings, if you plan on using host-based policies as described above, please contact Umbrella Support to have your VAs configured in a way which optimizes host-to-IP mappings.
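As an added illustration of the two points above (not Umbrella's own code or log format), the script below flags an IP that carries overlapping logons from several users, the signature of a terminal server, and then shows with a first-match policy evaluator why the terminal-server policy must sit above user policies. The mapping records, host name "ts01" and policy names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, user, IP) as a VA might learn them from AD
# logon events. The format is illustrative, not Umbrella's actual log format.
SAMPLE_MAPPINGS = [
    ("2024-01-10T09:00:00", "alice", "10.0.0.21"),
    ("2024-01-10T09:02:00", "bob", "10.0.0.21"),
    ("2024-01-10T09:05:00", "carol", "10.0.0.21"),
    ("2024-01-10T09:01:00", "dave", "10.0.0.45"),
    ("2024-01-10T13:30:00", "erin", "10.0.0.45"),  # dave logged off; ordinary reuse
]

def shared_ip_candidates(mappings, window_minutes=30, min_users=2):
    """IPs that carry >= min_users distinct users within window_minutes.
    Overlapping logons on one address indicate a multi-session host
    (terminal server / Citrix), where per-user identity is unreliable.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in mappings:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def select_policy(ordered_policies, identities):
    """First policy (top of the list first) whose identities intersect the
    request's identities wins; the default policy applies if none match."""
    for name, members in ordered_policies:
        if members & identities:
            return name
    return "Default"

# Hypothetical identities: host "ts01" is the terminal server at 10.0.0.21.
TS_POLICY_ON_TOP = [("Terminal servers", {"ts01"}), ("Sales users", {"alice", "bob"})]
TS_POLICY_BELOW = [("Sales users", {"alice", "bob"}), ("Terminal servers", {"ts01"})]
# A request from 10.0.0.21 carries the host identity plus whichever single user
# the VA currently maps to that IP (possibly not the real requester).
REQUEST_IDENTITIES = {"ts01", "bob"}

if __name__ == "__main__":
    print(shared_ip_candidates(SAMPLE_MAPPINGS))  # flags 10.0.0.21 only
    print(select_policy(TS_POLICY_ON_TOP, REQUEST_IDENTITIES))  # Terminal servers
    print(select_policy(TS_POLICY_BELOW, REQUEST_IDENTITIES))  # Sales users
```

With the terminal-server policy below the user policies, whichever user the VA happens to map to the shared IP decides the outcome for every session on that host; placed on top, the host policy applies consistently.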
Using Terminal Services with Roaming Client + AD Identity
VDI-type deployments, where there are multiple thin or virtual clients running on a terminal server and each client is able to run its own isolated software, may still receive AD user identities when the roaming client is installed on each thin client.
However, RDS-type terminal server deployments are not supported, since the RDS server is a single server OS sharing its resources across multiple users who are logged in at the same time.