Enabling TS Agents and configuring the filter policy
This section explains how to enable TS Agents and configure the filter policy on the SNS firewall.
Enabling TS Agents
On the firewall, go to Configuration > Users > Authentication > Available methods tab:
- In the TS Agent list found on the right side of the screen, double-click on the status of every TS Agent that you wish to enable, to change it from off to on.
- Click on Apply to apply the change to the configuration.
Creating filter rules
You must create rules so that users authenticated via the TS Agent method can access the various resources allowed. These rules can apply to user groups or individual users.
It is also important to prepare "exception" rules allowing RDS/Citrix servers to access security updates (Microsoft Windows and antivirus updates, for example) without the need for prior authentication.
A set of rules meeting these criteria may look like this:
Exception rule regarding server updates
In the module Configuration > Security policy > Filter - NAT:
- Select the security policy to modify.
- Go to the rule under which you want to create a new filter rule.
You can move this rule later using the arrows found in the action bar.
- Click on New rule and select Single rule.
- Double-click in the Action column in this new rule.
The editing window of the rule opens.
- Click on the General menu on the left.
- In the Status field, set the value to On.
You can add a comment if you wish.
- Click on the Action menu on the left.
- In the General tab, select pass for the Action field.
- Click on the Source menu on the left.
- In the General tab, in the Source hosts field, select the servers or server groups allowed to access security update services (the servers RDS-1-SERVER, RDS-2-SERVER, CITRIX-1-SERVER and CITRIX-2-SERVER in this example).
- Click on the Destination menu on the left.
- In the General tab, in the Web services and IP reputations field, select the objects Microsoft public IPs, Windows update and Microsoft Azure.
- Click on the Port - Protocol menu on the left.
- In the Destination port field, select the http and https objects.
- Confirm the creation of the filter rule by clicking on OK.
Rule applying to a user group or individual user authenticated via the TS Agent method
In the module Configuration > Security policy > Filter - NAT:
- Select the security policy to modify.
- Go to the rule under which you want to create a new filter rule.
You can move this rule later using the arrows found in the action bar.
- Click on New rule and select Single rule.
- Double-click in the Action column in this new rule.
The editing window of the rule opens.
- Click on the General menu on the left.
- In the Status field, set the value to On.
You can add a comment if you wish.
- Click on the Action menu on the left.
- In the General tab, select pass for the Action field.
- Click on the Source menu on the left.
- In the General tab, in the User field, select the user or user group authenticated via the TS Agent method (user group RDS-USERS@documentation.org or CITRIX-USERS@documentation.org or individual user john.doe@documentation.org in this example).
- Click on the Destination menu on the left.
- In the General tab, in the Destination hosts field, select the hosts that will be accessible to users authenticated via the TS Agent method (host ERP-SERVER in this example).
- Click on the Port - Protocol menu on the left.
- In the Destination port field, select the objects corresponding to the ports to be allowed (objects http and https in this example).
- Confirm the creation of the filter rule by clicking on OK.
NOTE
Only one user or one user group can be selected in each such rule.
You must therefore create one rule per user group or individual user that authenticates via the TS Agent method and is allowed to access the same resources.
Repeat the process to create the other filter rules that will apply to users authenticated via the TS Agent method.
Rule when a firewall is placed between users that must authenticate via the TS Agent and RDS/Citrix servers
In this case, you must create a rule on this firewall to allow the networks of the users in question to reach:
- RDS servers on port TCP/3389 (object microsoft-ts on an SNS firewall),
- Citrix servers on port 1494 corresponding to the Citrix ICA protocol (object citrix on an SNS firewall).
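The three rule kinds described above (the server-update exception with no user condition, one identity-based rule per user group reaching the internal resource, and the rule letting user networks reach the RDS/Citrix servers on TCP/3389 and 1494) can be checked against sample traffic with the following model. This is an added example, not Stormshield code: it assumes first-match, top-down evaluation with an implicit block at the end of the policy, attaches the TS Agent identity directly to each packet, and uses a constructed address plan for the host objects named on this page (RDS-1-SERVER, ERP-SERVER, and so on); the "Windows update" and "Microsoft public IPs" web-service objects, which the firewall resolves itself, are stood in for by a constructed TEST-NET-3 range.

```python
"""Model of the TS Agent filter policy from the procedure above.

Constructed example (not Stormshield code). Assumes first-match evaluation
and an implicit final block, as the "move the rule with the arrows" steps imply.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan for the host objects named in the procedure.
HOSTS = {
    "RDS-1-SERVER": "10.0.1.11",
    "RDS-2-SERVER": "10.0.1.12",
    "CITRIX-1-SERVER": "10.0.1.21",
    "CITRIX-2-SERVER": "10.0.1.22",
    "ERP-SERVER": "10.0.2.10",
}
PORTS = {"http": 80, "https": 443, "microsoft-ts": 3389, "citrix": 1494}
# Placeholder for the "Windows update" / "Microsoft public IPs" web-service
# objects (constructed, TEST-NET-3); the real firewall resolves these itself.
UPDATE_NETS = [ip_network("203.0.113.0/24")]
USER_NET = ip_network("192.168.10.0/24")      # constructed user LAN


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    user: Optional[str] = None                # identity reported by the TS Agent
    groups: frozenset = frozenset()           # groups of that identity


@dataclass
class Rule:
    name: str
    action: str                                   # "pass" or "block"
    src_nets: list = field(default_factory=list)  # empty = any source
    users: frozenset = frozenset()                # empty = no identity condition
    dst_nets: list = field(default_factory=list)  # empty = any destination
    dports: frozenset = frozenset()               # empty = any port

    def matches(self, p: Packet) -> bool:
        src, dst = ip_address(p.src), ip_address(p.dst)
        if self.src_nets and not any(src in n for n in self.src_nets):
            return False
        if self.dst_nets and not any(dst in n for n in self.dst_nets):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.users:
            # The User field matches either the user itself or one of its groups;
            # traffic with no TS Agent identity can never satisfy this condition.
            identities = set(p.groups) | ({p.user} if p.user else set())
            if not identities & self.users:
                return False
        return True


def host_nets(*names):
    """Turn host object names into /32 networks."""
    return [ip_network(HOSTS[n] + "/32") for n in names]


RDS_CITRIX = ("RDS-1-SERVER", "RDS-2-SERVER", "CITRIX-1-SERVER", "CITRIX-2-SERVER")
WEB = frozenset({PORTS["http"], PORTS["https"]})

POLICY = [
    # Exception rule: servers reach update services without any user condition.
    Rule("server updates exception", "pass", src_nets=host_nets(*RDS_CITRIX),
         dst_nets=UPDATE_NETS, dports=WEB),
    # One rule per group, as the NOTE requires (one user or group per rule).
    Rule("RDS-USERS to ERP", "pass", users=frozenset({"RDS-USERS@documentation.org"}),
         dst_nets=host_nets("ERP-SERVER"), dports=WEB),
    Rule("CITRIX-USERS to ERP", "pass", users=frozenset({"CITRIX-USERS@documentation.org"}),
         dst_nets=host_nets("ERP-SERVER"), dports=WEB),
    # Firewall between users and the RDS/Citrix servers: RDP and ICA only.
    Rule("users to RDS/Citrix servers", "pass", src_nets=[USER_NET],
         dst_nets=host_nets(*RDS_CITRIX),
         dports=frozenset({PORTS["microsoft-ts"], PORTS["citrix"]})),
]


def evaluate(policy, p: Packet):
    """First-match evaluation; anything unmatched falls to the implicit block."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.name
    return "block", "implicit default"


if __name__ == "__main__":
    rds_user = dict(user="john.doe@documentation.org",
                    groups=frozenset({"RDS-USERS@documentation.org"}))
    for pkt in (Packet("10.0.1.11", "203.0.113.5", 443),            # update, no identity
                Packet("10.0.1.11", "10.0.2.10", 443, **rds_user),  # ERP, RDS-USERS member
                Packet("10.0.1.11", "10.0.2.10", 443),              # ERP, not authenticated
                Packet("192.168.10.5", "10.0.1.11", 3389)):         # user LAN to RDS
        print(pkt.src, "->", pkt.dst, pkt.dport, evaluate(POLICY, pkt))
```

Because the exception rule carries no User condition, the servers reach the update services before any session is authenticated, while the same server reaching ERP-SERVER is blocked unless the TS Agent has reported a user in one of the listed groups; rule order matters, so a broad rule placed above the identity rules would silently bypass them.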