
Allowing Internet Access via TS Agent

This example introduces how to configure TS Agent to allow users to access the Internet.

The following describes the network environment. An enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. Internal users connect to a Windows server through thin clients. Once the TS Agent is configured, when users log in to the Windows server through Remote Desktop Services, the Hillstone Terminal Service Agent allocates a port range to each user and sends the port ranges and user information to the system. The system then creates mappings between the traffic IP, the port ranges and the users. With the user-based security policy, only user 1 can access the Internet, user 2 cannot access the Internet, and user 3 can access only Web services based on HTTP or HTTPS.

Preparation

Before configuring the TS Agent function, prepare the following first:

  • The Windows server has been set up according to the user network environment. Windows Server 2008 R2, Windows Server 2016, and Windows Server 2019 are currently supported. Windows Server 2008 R2 Service Pack 1 and KB3033929 must be installed if Windows Server 2008 R2 is used.
  • The SNAT rule has been configured on the security device, and all the internal users can access the Internet. For the detailed configuration method, please see Allowing Private Network to Access Internet Using SNAT.

Configuration Steps

Step 1: Installing and configuring Hillstone Terminal Service Agent on the Windows server.

1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-tsagent to download a Hillstone Terminal Service Agent installation program, and copy it to the Windows server.

2. Double-click HSTSAgent.exe to open it and follow the installation wizard to install it.

3. Double-click the Hillstone Terminal Service Agent shortcut, and the Hillstone Terminal Service Agent dialog pops up.

4. Click the Agent config tab.

  • Listening Address IPv4: 0.0.0.0
  • Listening Port (1025-65534): 5019
  • Heartbeat Interval (1-30s): 5
  • Heartbeat Timeout (10-300s): 60

Click Save to save the configurations.

5. Click the Port config tab.

  • User Allocable Port Range (1025-65534): 20000-39999
  • User Port Block Size (20-2000): 200
  • User Port Block Max (1-256): 1
  • Passthrough when user port exhausted: Select the check box

Click Save to save the configurations.

Step 2: Configuring TS Agent parameters in StoneOS via WebUI and CLI.

WebUI

Select Object > SSO Client > TS Agent, and click New .

  • Name: tsagent1
  • Status: Select the Enable check box
  • HOST: 10.1.1.1
  • Virtual Router: trust-vr
  • Port: 5019
  • AAA Server: local
  • Disconnection Timeout: 300
  • Traffic IP: Enter 10.1.1.1, and click Add

Click OK to save the configurations.


CLI

host-name(config)# user-sso client ts-agent tsagent1

host-name(config-ts-agent)# host 10.1.1.1

host-name(config-ts-agent)# aaa-server local

host-name(config-ts-agent)# traffic-ip 10.1.1.1

host-name(config-ts-agent)# enable

host-name(config-ts-agent)# exit

Step 3: Configuring policies in StoneOS via WebUI and CLI.

WebUI

Configuring a policy to allow all DNS traffic to get through.

Because DNS traffic is generated by the Windows Server itself and is not attributed to any specific user, first configure a policy that allows all DNS traffic to get through.

Select Policy > Security Policy, and click New.

  • Name: DNS
  • Source
    • Zone: any
    • Address: any
  • Destination
    • Zone: any
    • Address: any
  • Service: DNS
  • Action: Permit

Configuring a policy to allow user 1 to access the Internet.

Select Policy > Security Policy, and click New.

  • Name: User1
  • Source
    • Zone: trust
    • Address: any
    • User: user1
  • Destination
    • Zone: untrust
    • Address: any
  • Action: Permit

Configuring a policy to allow user 3 to access the Web service based on HTTP or HTTPS.

Select Policy > Security Policy, and click New.

  • Name: User3
  • Source
    • Zone: trust
    • Address: any
    • User: user3
  • Destination
    • Zone: untrust
    • Address: any
  • Service: HTTP, HTTPS
  • Action: Permit

CLI

host-name(config)# rule name DNS from any to any service DNS permit

Rule id 2 is created.

host-name(config)# rule name User1 user local user1 from any to any from-zone trust to-zone untrust permit

Rule id 3 is created.

host-name(config)# rule name User3 user local user3 from any to any from-zone trust to-zone untrust service HTTP permit

Rule id 4 is created.

host-name(config)# rule id 4

host-name(config-policy-rule)# service HTTPS

host-name(config-policy-rule)# exit

Step 4: Verifying the result

After all the above configurations are finished, only user 1 can access the Internet, user 2 cannot access the Internet, and user 3 can access only Web services based on HTTP or HTTPS. Because all three users share the Windows server's traffic IP, it is the port range allocated to each user by the TS Agent that lets the security policy tell their traffic apart.
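The following added example (not Hillstone code) models the two mechanisms this cookbook relies on: the TS Agent allocating a port block per user from the Step 1 parameters, and the Step 3 policies deciding a flow from the shared traffic IP by the user that its source port maps to. The port-matching and first-match evaluation logic is an assumption for illustration, not StoneOS internals.

```python
# Added example, not Hillstone code: models how a TS Agent port block ties a
# flow from the shared terminal-server IP to a user, and how the user-based
# policies configured above then decide it. The parameters and policies are
# the ones in this cookbook; the matching logic itself is an assumption.
TRAFFIC_IP = "10.1.1.1"        # Traffic IP of the Windows server
PORT_RANGE = (20000, 39999)    # User Allocable Port Range
BLOCK_SIZE = 200               # User Port Block Size
BLOCK_MAX = 1                  # User Port Block Max per user

class TSAgent:
    def __init__(self):
        self.blocks = {}                 # user -> [(lo, hi), ...]
        self.next_lo = PORT_RANGE[0]

    def login(self, user):
        """Allocate one port block when a user logs in over RDS."""
        ranges = self.blocks.setdefault(user, [])
        if len(ranges) >= BLOCK_MAX:
            return ranges                # already holds its maximum
        hi = self.next_lo + BLOCK_SIZE - 1
        if hi > PORT_RANGE[1]:
            raise RuntimeError("allocable port range exhausted")
        ranges.append((self.next_lo, hi))
        self.next_lo = hi + 1
        return ranges

    def lookup(self, src_ip, src_port):
        """Map a flow's source IP and port to a user, None if unmapped."""
        if src_ip != TRAFFIC_IP:
            return None
        for user, ranges in self.blocks.items():
            if any(lo <= src_port <= hi for lo, hi in ranges):
                return user
        return None

# (name, user or None for any, from-zone, to-zone, services or None for any)
POLICIES = [
    ("DNS",   None,    "any",   "any",     {"DNS"}),
    ("User1", "user1", "trust", "untrust", None),
    ("User3", "user3", "trust", "untrust", {"HTTP", "HTTPS"}),
]

def decide(agent, src_ip, src_port, from_zone, to_zone, service):
    """First-match policy lookup; no match is the implicit deny."""
    user = agent.lookup(src_ip, src_port)
    for name, pol_user, fz, tz, svcs in POLICIES:
        if ((pol_user is None or pol_user == user)
                and fz in ("any", from_zone) and tz in ("any", to_zone)
                and (svcs is None or service in svcs)):
            return name, "permit"
    return None, "deny"
```

With a 200-port block and one block per user, the 20000-39999 range identifies at most 100 concurrent users; a flow whose source port falls outside every allocated block is not attributed to any user and only the user-independent DNS policy can match it.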