Configuring the TS Agent authentication method on the SNS firewall

Go to Configuration > Users > Authentication > Available methods tab.

The TS Agent method appears directly in the list of enabled authentication methods to the left of the screen. Click on the TS Agent method to view its details.

Creating TS Agents

In the TS Agent list on the right side of the screen:

  1. Click on Add.
  2. As for the status (ON/OFF switch), you are advised to leave the TS Agent inactive (OFF) to avoid generating unnecessary alarms and logs.
    It will be enabled when the agent is deployed on the RDS/Citrix server.
  3. In the TS Agent name field, indicate the name you want to give this agent (e.g., RDS-1-TS-AGENT).
  4. In the TS server field, select or create the object corresponding to the RDS/Citrix server on which the TS agent will be installed (e.g., RDS-1-SERVER).
  5. The object agent_ts (TCP/1303) is suggested by default in the Port field. This port is also entered in the TS Agent's default configuration.

    You can select or create another object corresponding to the dialogue port between the firewall and the TS Agent. You will then need to edit the corresponding ServerPort parameter on the TS Agent to enter the new selected port (see the section Identifying/editing TS Agent operating settings).

  6. Enter and confirm the Pre-shared key used during the exchanges between the Firewall and the TS Agent. It must meet the minimum entropy set on the firewall (Configuration > General configuration tab, Password policy section). This key can be changed later.

    You will also need to enter this key in the settings of the TS Agent in question.

  7. Confirm by clicking on Apply.
    The TS Agent is added to the TS Agent list.

Repeat steps 1 to 7 for each TS Agent to be created on the firewall (maximum 100 TS Agents per firewall).

Excluding administration accounts (optional)

For each TS Agent configured, administration accounts can be excluded from the TS Agent authentication mechanism.

In this case, even when traffic initiated by the selected administrator accounts matches filter rules that allow the TS Agent method, the firewall will block such traffic.

To add an administration account to ignore:

  1. Expand the Advanced properties section,
  2. In the Ignored administration accounts grid, click on Add,
  3. Select a TS Agent configured earlier,
  4. Enter the name of the administration account to ignore.

Adding the TS Agent authentication method to the authentication policy

NOTE
The external Microsoft Active Directory LDAP, to which the users who must be authenticated via the TS Agent belong, must be defined beforehand on the firewall.
For more information, refer to the documentation on configuring directories on an SNS firewall.

Go to Configuration > Users > Authentication > Authentication policy tab, then:

  1. Click on New rule and select Standard rule.
  2. In the Users menu: select a user or user group that is allowed to use the TS Agent method.
  3. In the Source menu, add the network interfaces on which the RDS/Citrix servers or objects/groups representing the networks or RDS/Citrix servers are connected (e.g., RDS-1-SERVER).
  4. In the Authentication methods menu, add the TS Agent method.
    IMPORTANT
    The TS Agent method cannot be combined with another authentication method in the same authentication rule.

  5. Confirm the creation of the authentication rule by clicking on OK.
    The rule will be added to the authentication policy but will not be enabled by default.
  6. In the authentication rule grid, double click on the status of the rule to enable it.

During authentication, rules will be scanned in the order of their appearance in the list.
As such, you are advised to organize them using the Up and Down buttons when necessary.
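
The constraints from both procedures above can be checked against a rollout plan before anything is entered in the web interface. The following is an added example, not Stormshield code: the plan format, the field names, the RDS-2 and user group names, and the LDAP method shown in the sample are assumptions made for illustration.

```python
MAX_TS_AGENTS = 100  # per-firewall limit stated on this page
DEFAULT_PORT = 1303  # agent_ts object (TCP/1303)
TS = "TS Agent"

def check_plan(agents, rules):
    """Return findings for a planned TS Agent rollout (hypothetical plan format)."""
    findings = []
    if len(agents) > MAX_TS_AGENTS:
        findings.append(f"{len(agents)} TS Agents planned, limit is {MAX_TS_AGENTS}")
    for a in agents:
        # The Port object chosen on the firewall must match ServerPort on the agent.
        fw_port = a.get("firewall_port", DEFAULT_PORT)
        agent_port = a.get("agent_server_port", DEFAULT_PORT)
        if fw_port != agent_port:
            findings.append(f"{a['name']}: firewall port {fw_port} != ServerPort {agent_port}")
        # An agent switched ON before deployment generates unnecessary alarms and logs.
        if a.get("enabled") and not a.get("deployed"):
            findings.append(f"{a['name']}: enabled (ON) but agent not deployed yet")
    for pos, r in enumerate(rules, start=1):
        if TS not in r["methods"]:
            continue
        if len(r["methods"]) > 1:
            findings.append(f"rule {pos}: TS Agent combined with another method")
        if not r.get("enabled"):
            findings.append(f"rule {pos}: TS Agent rule is still disabled")
        # Rules are scanned in order: report earlier enabled rules that use another
        # method for the same users and an overlapping source.
        for prev_pos, prev in enumerate(rules[:pos - 1], start=1):
            if (prev.get("enabled") and TS not in prev["methods"]
                    and prev["users"] == r["users"]
                    and set(prev["sources"]) & set(r["sources"])):
                findings.append(f"rule {prev_pos} is scanned before TS Agent rule {pos} for {r['users']}")
    return findings

# Constructed sample plan (not an SNS export).
SAMPLE_AGENTS = [
    {"name": "RDS-1-TS-AGENT", "firewall_port": 1303, "agent_server_port": 1303, "enabled": True, "deployed": True},
    {"name": "RDS-2-TS-AGENT", "firewall_port": 2303, "agent_server_port": 1303, "enabled": True, "deployed": False},
]
SAMPLE_RULES = [
    {"users": "rds-users", "sources": ["RDS-1-SERVER"], "methods": ["LDAP"], "enabled": True},
    {"users": "rds-users", "sources": ["RDS-1-SERVER"], "methods": ["TS Agent"], "enabled": True},
    {"users": "citrix-users", "sources": ["RDS-2-SERVER"], "methods": ["TS Agent", "LDAP"], "enabled": False},
]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_AGENTS, SAMPLE_RULES):
        print(finding)
```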