Cisco Employee

SGT mapping to pxGrid learned users (Citrix TS agent example)

Dear Colleagues,

I learned yesterday that our Terminal Services agent actually CAN put 'IP:port«»user' mapping data into pxGrid, and WSA 11.8 is going to be able to read and use that data along with AD group info taken through pxGrid 2.0. At least as far as I understood from the CX NPI training.

However, as far as I understood, SGT is not mapped to the user. I know that in TrustSec SGT can only be mapped to IP. But if the customer is using an SGT-aware firewall or WSA access rules where SGT is queried along with the user anyway, could we make it possible for ISE to add SGTs to these TS Agent published mappings somehow? Or could we make the TS agent able to handle multiple SGTs and IP addresses and PAT the Virtual Desktop to the IP:SGT pair based on user attributes?

It might be a roadmap item to consider. 


Cisco Employee

Re: SGT mapping to pxGrid learned users (Citrix TS agent example)

Istvan, very good question. As you said, we are working towards a solution, or rather what I call an agent, which would work with MS term server or Citrix environments where multiple users coming with a single IP would be allocated an IP per user from the proposed agent. ISE can then assign the SGTs for the users and in turn share those IP-SGT mappings via SXP and pxGrid to the rest of the network.

As far as timelines are concerned, I cannot provide an estimate, but it is in development.