Restrict user IP access in a RemoteApp RRS feed

  • Question

  • Can anyone confirm whether I am able to restrict user access in a RemoteApp on a per published application basis?

    For example I have putty configured as a remoteapp. I would like to give third parties access to putty but I would like to lock down this particular third party application so any users who launch it can only access a specific IP address through putty via port 443.

    I don't want to apply this at a server\host level on the RDS server as some users will require SSH access to other IP addresses and I don't want to start creating separate VMs for each third party that we have a specific requirement to lock down.

    I would like to have multiple instances of the same putty application, published via different group memberships, for different users depending on the IP addresses they need to connect to.

    Is the UAG this granular?

    Any ideas?

    Thanks


    • Edited by glloyd78 Thursday, June 28, 2012 5:43 PM
    Thursday, June 28, 2012 5:42 PM

Answers

  • Hi,

    Yes, this is a downfall to my proposed solution, but using RemoteApp would limit what you are able to do as the Putty application is actually running on your RemoteApp Host and not the client.

    Another mechanism you can use would be the 'Generic Client Application' or the 'Enhanced Generic Client Application' templates, which basically tunnel traffic to a specified destination(s).

    If you used 'Generic Client Application' then the user would launch this application in the UAG portal (this would open the tunnel to your backend server and specified port ONLY) and then the user would manually open Putty on their client machine and manually connect to the IP and port in your network.

    If you used 'Enhanced Generic Client Application' then when you launched the application on the UAG portal, once the tunnel to your backend server was formed it would try to auto-launch Putty with specific command line arguments (but with Putty normally not being an installed application, just an exe somewhere, you would need all clients to have the Putty application stored in the same location on the client - e.g. C:\Putty.exe).

    Using this mechanism you need to have Putty on the client machine, but it would give you the protection you require as even if the user started a new session from the Putty console they could not access any other locations, as the UAG only opens a tunnel to your specified server and port. You would still need to create a separate application for each server and port combination, along with the authorisation for each application.

    Regards,

    Sean.


    Sean Seaman

    IT Security Consultant

    Sapphire


    • Edited by Sean Seaman Friday, June 29, 2012 7:17 AM
    • Marked as answer by glloyd78 Friday, June 29, 2012 10:30 AM
    Friday, June 29, 2012 7:16 AM

All replies

  • Hi,

    There is a way to achieve what I think you are after. The way to do this would be to create multiple Putty applications on the RemoteApp server. After you have created each Putty application in RemoteApp Manager, edit the RemoteApp application and specify 'Always use these command line arguments' and enter the IP and port of the server you want the application to access (e.g. 10.0.0.11 8443). Once you have created all of the separate Putty applications, export the new .tspub file and then create a new RemoteApp application in UAG for each of the Putty RemoteApp applications (only adding the one specific Putty application).

    You will get a message saying that if you create multiple RemoteApp applications from the same server they MUST have the same endpoint policies. This is because UAG will only apply the endpoint policies on the first occurrence of a RemoteApp per RemoteApp Session Host, so all other RemoteApps from the same Session Host will be ignored.

    Now you have all of the separate applications you can set individual authorisation for each application. I have not tested this but see no reason why it should not work.

    I hope this is what you are after.

    Regards,

    Sean.

    Thursday, June 28, 2012 7:28 PM
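The per-target publishing step Sean describes, as an added example that is not part of the original thread: it publishes one PuTTY RemoteApp per destination, each with a required command line and its own user group, using the Windows Server 2012 RDS PowerShell module (New-RDRemoteApp, CommandLineSetting Require). This is an assumption about an equivalent scripted setup; the thread itself uses RemoteApp Manager on 2008 R2 with a .tspub export and the UAG console, and all names, paths, addresses and groups below are constructed. As the thread notes, this only pins what PuTTY is launched with; it does not stop the user from opening a new session inside PuTTY.

```powershell
# Added example (not the poster's steps): publish one PuTTY RemoteApp per
# destination, each with a required command line and its own AD group.
# Assumes the Windows Server 2012 RemoteDesktop module on the connection broker.
Import-Module RemoteDesktop

$collection = 'ThirdPartyApps'          # assumed session collection name
$puttyPath  = 'C:\Tools\putty.exe'      # assumed PuTTY path on the session host

# Constructed list: one entry per third party, pinned to a single host/port
# and visible only to that party's AD group.
$targets = @(
    @{ Alias = 'putty-vendorA'; Display = 'PuTTY (Vendor A)'; Host = '10.0.0.11'; Port = 8443; Group = 'CONTOSO\VendorA-SSH' },
    @{ Alias = 'putty-vendorB'; Display = 'PuTTY (Vendor B)'; Host = '10.0.0.12'; Port = 22;   Group = 'CONTOSO\VendorB-SSH' }
)

foreach ($t in $targets) {
    # -P is PuTTY's port switch; 'Require' means the user cannot change or drop
    # these arguments when launching the RemoteApp.
    $cmdline = "-ssh $($t.Host) -P $($t.Port)"

    New-RDRemoteApp -CollectionName $collection `
        -Alias $t.Alias `
        -DisplayName $t.Display `
        -FilePath $puttyPath `
        -CommandLineSetting Require `
        -RequiredCommandLine $cmdline `
        -UserGroups $t.Group `
        -ShowInWebAccess $true
}

# Check: every published PuTTY entry should show CommandLineSetting 'Require'
# and the pinned RequiredCommandLine for its own group.
Get-RDRemoteApp -CollectionName $collection |
    Where-Object FilePath -eq $puttyPath |
    Select-Object Alias, CommandLineSetting, RequiredCommandLine, UserGroups
```

Each published entry is a separate RemoteApp, so each can be authorised for a different group; the final Get-RDRemoteApp call is the quick way to confirm that no PuTTY entry was published with the setting left at Allow.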
  • Hi Sean,

    Thanks for the feedback.

    The problem with putty is that even though I can pass an argument in the command line to force the user to connect to a particular server at application launch, all the 3rd party needs to do, if they were so inclined, is to right-click the putty console and select new session and then they could enter any IP address they want.

    What I need to be able to do, as well as passing the argument, is to apply a firewall policy locking down access to, e.g. 10.1.1.1 on a per application basis.

    This is what I am struggling to do - grant access to (or lock down access to) particular IP addresses and protocols while a user is using the application.

    Friday, June 29, 2012 7:00 AM
  • That's more like it, thanks Sean.

    It's not as clean as I would have liked, but that will do for now.

    Cheers

    Friday, June 29, 2012 10:30 AM