All Windows Server versions from Windows Server 2008R2 and above (both 32 bit and 64 bit) are supported. From R77.20, Windows 8.1 is supported. In addition, the following desktop Operating Systems are supported - Vista, Win7, Win8.

Notes: 

• Windows 2016 R2 is not supported. 
• Windows 2016 is supported, but only for R80.10

Yes, installation of an Identity Agent is required. The Terminal Servers (TS) Identity Agent will control the connections from the TS/Citrix in a way that will allow the Identity Gateway to identify the user behind each connection. The agent will also install a TDI driver.

No, the agent installation is only required on the Terminal Server itself and not on the clients.

The TS Identity Agent can be downloaded from a link provided in the SmartDashboard. Open the gateway object of the Identity Server and you should be able to see the link.

The installation file size of the TS Identity Agent is about 8 MB.

The required disk space for TS Identity Agent installation is ~14 MB.

Installing the TS Identity Agent requires administrative privileges.

Yes.

Enable the TS/Citrix feature in SmartDashboard, from the 'Gateway Properties > Identity Awareness' tab. After the feature is enabled, configure the pre-shared secret and also set it in the TS Identity Agent Controller on the terminal server[s]. Detailed installation steps can be found in the R75.40 Identity Awareness Administration Guide.

The solution works by identifying the owner of the source process of each connection and controls the connection in a way that identifies the source user to the Identity Gateway. As a result, any remote application server software should work just fine.

It is highly recommended to reboot the system, but it is not mandatory

 

Once the installation of the TS Identity Agent is complete, all new connections will be identified and properly enforced. All other connections that were already opened, will not be under the control of the TS Identity Agent, and thus it cannot detect from which user they originated.

Therefore:

1. Rebooting will insure that the origins of all connections will be detected since the TDI driver will exist before the creation of these connections.
2. User logouts close all connections and terminate processes. The TDI driver catches users upon their next login to the system.

It is highly recommended to reboot the system, but it is not mandatory.

 

After the uninstall process ends, the TDI driver remains resident, but functions as a pass-through driver to allow the system to function properly without interruption. After rebooting, the TDI driver is removed.
If an installation is initiated before the reboot, the TS Identity Agent will refuse to complete and request a reboot.

Agent compatibility: there is full compatibility between agents of version R76 or newer and gateways of version R76 or newer. For example: R77.20 agent will work with R76 gateway, and R77.20 gateway will work with R76 agent. In the same way, agents and gateways of R75.4x versions are compatible (e.g. R75.47 gateway with R75.40 agent).

The MUH agent can be installed either by using the prepackaged muhAgent.exe binary available on the gateway, or by using the MSI file with the “Terminal Server” flavor. Notice that MUH agent installation requires an additional step of configuring a shared secret used for safe communication with the gateway.

To explain it simply, the TS Identity Agent that is installed on the Terminal Server communicates to the Identity Server how it will control the connections for each user (explained below). This information is later used when the traffic reaches the Identity Gateway.

The TS Agent communicates with the gateway over SSL (usually port 443 unless configured differently).

The solution is in fact based on source ports. The TS Identity Agent installs a TDI driver that intercepts all requests from any process that requests a new connection. Once the request reaches the TDI driver, it queries the system to fetch the requesting user behind this new connection and chooses a source port from a pool of port ranges that is allocated for this specific user.

Two different users will have two different port range pools, thus allowing the Identity Gateway to distinguish between the different connection owners.

Unfortunately, the solution does not support non-port based protocols. The solution supports TCP and UDP protocols only.

For unsupported protocols, the TS Identity Agent won't be able to control the network connections and therefore the Identity Server will not be aware of the user that is initiating these connections.

The Endpoint Identity Agent authenticates to the Identity Server either with a username and password or via a Kerberos Ticket. For the TS Identity Agent, the authentication of users is not issued the same way, and thus for the Identity Server to trust the other end, a shared secret is used. This is to remove the possibility that a user may use this ability to claim that he is running a Terminal Server and indicate a false user.

Non-admin users can access the Controller of the TS Identity Agent, but only in read-only mode. Thus, they will be able to see the connection statistics and port assignment information, but won't be able to change anything.

Known limitations are:

 

1. The solution supports TCP and UDP protocols only, therefore it will not support other protocols like ICMP, file shares, etc.
2. There is a limited number of users that can use the TS server at the same time and have network access. The number of users varies, and depends on the maximum number of ports the system is configured to assign to a user. In any case, the upper boundary is 1024 users per Terminal Server.

Yes. If you decide to use AD Query for users’ PCs, the best practice is to exclude the Terminal Servers’ IP addresses from AD Query. This will prevent unexpected agents’ disconnections and PDPD daemon high CPU utilization (see: sk86560 for instructions).

Processes running under SYSTEM and other local user accounts are all assigned source ports within a special port range that is not assigned any user identity. Enforcement for those users can be done through the machine identity (available through Kerberos SSO authentication).
Any user accounts that belong to an Active Directory domain, including service accounts, can be identified by the TS agent.

Only identity sharing between the gateways. You can set sharing across different CMAs using sk65404 - Establishing SIC trust between Identity Awareness entities managed by different Security Management Servers / Domain Management Servers.

If there is software used on the Terminal Server that uses a certain range of ports, there is a chance that it will conflict with our mechanism. Once you exclude those from this feature's usage (and the TS is rebooted), those ports will not be used.

• muhagent
• Multi-User Host Agent
• Multi User Host Agent
• MUH Agent
• Terminal Servers Identity Agent