How to open different Terminal Servers based on user’s parameters in Active Directory
Created by forefrontsupport on 10/13/2010 9:39:10 PM

Authors: Idan Plotnik, Security Engineer AND Ofer Nissim, Solution Architect, HP

Date: 11/11/2008

Before you begin

The following article explains the technical procedure you need to implement so that you can open different Terminal Server connections based on a user's parameters in Active Directory.

Why is this article so important? Think about this scenario, for example:

You have 1000 users in your organization, and you want to allow each user to securely access his own computer from home.

Important to know!

The Terminal Server name/IP in the custom script below (in the Configuration Procedure section) is set according to the value of an attribute inside Active Directory but you can use other repositories / databases as well (you will need to change the code of the script to do it).

Prerequisites

You need to create a Trunk / Portal before implementing the configuration below.

Configuration Procedures

Step 1: Create "Microsoft Windows XP / VISTA Terminal Services Client" Client/Server and Legacy Application

  1. In the Trunk / Portal, in the Applications section, click "Add", choose "Microsoft Windows XP / VISTA Terminal Services Client" and then press "Next"

  2. Choose your "Application Name" and press "Next"

  3. In the "Terminal Servers" field set the IP/DNS value to "254.254.254.254" (this value tells the IAG to use variables), in the "Initial Server" field set the value to "254.254.254.254", and leave the port at 3389

    Note! If you want to open the Terminal Server application in full screen or with the /console argument, please read the following article:

    http://www.ForefrontSecurity.org/default.aspx?ctype=Articles&id=A00000002&name=How-to-create-custom-Client/Server-SSLVPN-template-for-Remote-Desktop-with-FULL-SCREEN-and-/Console

  4. In the "Portal Link" window please press "Finish"

Step 2: Create a PostPostValidate.inc script

  1. Create a new file based on the following name syntax:

    < portal name > + <0 or 1 (0 for HTTP trunk and 1 for HTTPS) > + <"PostPostValidate.inc">


    Put this file in the following folder: c:\Whale-Com\e-Gap\von\internalsite\inc\CustomUpdate\

    For example, if your portal name is "it" and it is an HTTPS portal, the file name should be "it1PostPostValidate.inc"

  2. Save the following script in the file you created

    <%
    ' p1 holds the name of the Active Directory attribute to retrieve.
    set p1 = Server.CreateObject("UserMgrComLayer.Param")
    p1.Name = "facsimileTelephoneNumber"

    ' Look up the attribute named in p1 for the authenticated user.
    set user_information = GetUserInformation(repository, user_name, domain, Array(p1))
    set p1 = Nothing

    if TypeName(user_information) = "Nothing" then
        LIGHT_TRACE "ERROR: Failed to get the user [" & user_name & "] domain [" & domain & "] repository [" & repository & "] information [facsimileTelephoneNumber]"
        ClearSessionVariables
        response.redirect GetSiteErrorPage() & "?error_code=108"
    end if

    dim param_vec
    param_vec = user_information.ParamVec
    set user_information = Nothing

    ' The attribute value is the Terminal Server name/IP for this user.
    RDPComputer = param_vec(0).Value

    ' Set the relay target for the RDP application (port 3389).
    setSessionParam g_cookie, "RelayPort3389", RDPComputer
    %>

    Important to know! PostPostValidate.inc is a "hook" that is activated after the authentication phase and before PostValidate.asp reaches the client side. This means that if you change the value of the attribute in your Active Directory, the users will need to log out and log in again before the new value takes effect.

    You can also set the Terminal Server value as you like, for example to a fixed address instead of a directory attribute. Just assign a proper value to 'strTSServer':

    strCookie = GetSessionCookie()
    strTSServer = "192.168.10.10"
    SetSessionParam strCookie, "RelayPort3389", strTSServer

  3. Activate your settings

  4. In this script the Terminal Server name/IP is taken from the user's Active Directory attribute "facsimileTelephoneNumber", which is the FAX number field in Active Directory Users and Computers

  5. Note! You can change the name of the attribute according to your needs; to do so, change this line:

    p1.Name = "facsimileTelephoneNumber"
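Because the directory value becomes the RDP relay target for the session, it is worth checking that it actually looks like a host name or IP address before handing it to the relay. The following is an added example, not the article's script: a variant of the hook that rejects an empty or malformed attribute value and fails the logon with the same error page. It assumes the same IAG helpers and variables as the script above (GetUserInformation, setSessionParam, LIGHT_TRACE, ClearSessionVariables, GetSiteErrorPage, g_cookie, repository, user_name, domain); the attribute name and the IsValidTSTarget function are the author's own choices.

```vbscript
<%
' Added example: PostPostValidate.inc variant that validates the attribute
' value before using it as the Terminal Server relay target.
Const TS_ATTRIBUTE = "facsimileTelephoneNumber"   ' change to the attribute you use

' Returns True only if the value is an IPv4 address or a DNS-style host name
' (labels of letters, digits and hyphens separated by dots), so stray text
' in the attribute is rejected instead of being passed to the RDP relay.
Function IsValidTSTarget(value)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^(\d{1,3}(\.\d{1,3}){3}|[A-Za-z0-9]([A-Za-z0-9\-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9\-]*[A-Za-z0-9])?)*)$"
    IsValidTSTarget = (Len(value) > 0) And (Len(value) <= 253) And re.Test(value)
End Function

Dim p1, user_information, param_vec, RDPComputer
Set p1 = Server.CreateObject("UserMgrComLayer.Param")
p1.Name = TS_ATTRIBUTE
Set user_information = GetUserInformation(repository, user_name, domain, Array(p1))
Set p1 = Nothing

If TypeName(user_information) = "Nothing" Then
    LIGHT_TRACE "ERROR: Failed to get the user [" & user_name & "] domain [" & domain & "] repository [" & repository & "] information [" & TS_ATTRIBUTE & "]"
    ClearSessionVariables
    Response.Redirect GetSiteErrorPage() & "?error_code=108"
End If

param_vec = user_information.ParamVec
Set user_information = Nothing

' "& """ turns a Null attribute value into an empty string so Trim/Len do not fail.
RDPComputer = Trim(param_vec(0).Value & "")

If Not IsValidTSTarget(RDPComputer) Then
    ' Log the rejected value for troubleshooting and stop the logon rather
    ' than relaying the session to an unexpected target.
    LIGHT_TRACE "ERROR: Attribute " & TS_ATTRIBUTE & " for user [" & user_name & "] is empty or not a host/IP: [" & RDPComputer & "]"
    ClearSessionVariables
    Response.Redirect GetSiteErrorPage() & "?error_code=108"
End If

setSessionParam g_cookie, "RelayPort3389", RDPComputer
%>
```

The rejected value appears in the UserMgrCom trace described in the Troubleshooting step, so a malformed attribute can be spotted there without enabling extra logging.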

Step 4: Validate your configurations

Access your portal remotely, authenticate and choose the application. After you connect to the terminal server, validate that it is the terminal server named in the value of the user's attribute.

Step 5: Troubleshooting

If the script above cannot access Active Directory (for some reason) or cannot find a proper value inside the "facsimileTelephoneNumber" attribute, you will get the following error page (error code 108) after the authentication phase.

To troubleshoot this scenario, please follow these steps:

  1. Check the value inside the attribute of the user in Active Directory. If it is configured properly, move on to the server-side debugging phase
  2. Because we are using the UserMgrCom object, you will need to enable tracing for that object. Please follow these instructions:
    1. Open the file trace.ini, which is located in this path: c:\Whale-Com\e-Gap\common\conf

    2. Add the following lines at the end of this file and save it

      [trace\UserMgrCom]

      *=xheavy

    3. After 30 seconds you will see the new log file in the following directory: c:\Whale-Com\e-Gap\Logs

    4. Open the browser on the client side and try to log in to the portal
    5. Open the log file, search for "GetUserInformation" and validate the information in the parameters (see the screenshot below); in addition, please check for "failed to"

If you have any issues with this configuration please go to IAG Technical Forums in the following link: http://Forums.ForefrontSecurity.ORG
