Solved: Re: The Windows user remotes into a workstation with RDS/Remote Desktop that is on a different VLAN ...

AndrewWestPMP60307 · ‎01-29-2020

The Windows user remotes into a workstation with RDS/Remote Desktop that is on a different VLAN than what the user belongs to. The user's remote desktop connection is then dropped, and they have to reestablish RDS/Remote Desktop the connection. Please provide some configuration changes and solutions to this scenario.

RDS/Remote Desktop connection is dropped

Colby LeMaire · ‎01-29-2020

What behavior are you wanting it to do? Do you want it to stay in its current VLAN (i.e. 666)? Or do you want it to change based on the user but NOT drop the RDP connection? The challenge with that is anytime you change VLAN's, you are also changing subnets. The IP on the PC changes and the RDP connection drops. There is really no way around that.

I personally don't recommend doing any VLAN assignments on Windows machines because of this issue. A normal user logging in and switching VLAN's can cause GPOs, login scripts, drive mappings, etc. to all fail because of the change of IP address. Downloadable ACL's are more appropriate. I also really don't recommend doing user authentication unless you absolutely need to differentiate access based on who the user is.

View solution in original post

Jason Kunst · ‎01-29-2020

@Colby LeMaire wrote:

What behavior are you wanting it to do? Do you want it to stay in its current VLAN (i.e. 666)? Or do you want it to change based on the user but NOT drop the RDP connection? The challenge with that is anytime you change VLAN's, you are also changing subnets. The IP on the PC changes and the RDP connection drops. There is really no way around that.

I personally don't recommend doing any VLAN assignments on Windows machines because of this issue. A normal user logging in and switching VLAN's can cause GPOs, login scripts, drive mappings, etc. to all fail because of the change of IP address. Downloadable ACL's are more appropriate. I also really don't recommend doing user authentication unless you absolutely need to differentiate access based on who the user is.

Agree, nothing besides switching to ACLs or start using Scalable Group Tags (SGT) which are even more recommended

View solution in original post

Colby LeMaire · ‎01-29-2020

What behavior are you wanting it to do? Do you want it to stay in its current VLAN (i.e. 666)? Or do you want it to change based on the user but NOT drop the RDP connection? The challenge with that is anytime you change VLAN's, you are also changing subnets. The IP on the PC changes and the RDP connection drops. There is really no way around that.

I personally don't recommend doing any VLAN assignments on Windows machines because of this issue. A normal user logging in and switching VLAN's can cause GPOs, login scripts, drive mappings, etc. to all fail because of the change of IP address. Downloadable ACL's are more appropriate. I also really don't recommend doing user authentication unless you absolutely need to differentiate access based on who the user is.

AndrewWestPMP60307 · ‎01-29-2020

Users workstations are placed into the appropriate VLAN depending on their ISE group membership. The workstation is either in the quarantine VLAN or in a VLAN other than the users final VLAN. With the initial connection, traffic flows between the RDS/ Remote Desktop(RDP) PC and the workstation on the old IP address. The workstation then goes through the ISE authentication process and ends up changing the IP address. When this happens, the already established connection is lost as the workstation's IP address has changed. First, the device will attempt to reestablish the connection automatically and will succeed. The user will see the screen go black and they will see the reestablishing connection prompt and will get back to their device once it reconnects. The second possibility is that the connection will drop, and the device will not be able to reestablish the connection automatically. This will requires the RDS/ Remote Desktop(RDP) user to reestablish the connection manually as well as enter their credentials again.

Colby LeMaire · ‎01-29-2020

Yes, that would be expected behavior as I explained in my earlier response. Whether the reconnect happens automatically or the user has to connect again manually is likely dependent on how quickly Dynamic DNS is updated to the PC's new IP address. As long as it happens before the RDP timeout, then the connection can re-establish.

Jason Kunst · ‎01-29-2020

@Colby LeMaire wrote:

What behavior are you wanting it to do? Do you want it to stay in its current VLAN (i.e. 666)? Or do you want it to change based on the user but NOT drop the RDP connection? The challenge with that is anytime you change VLAN's, you are also changing subnets. The IP on the PC changes and the RDP connection drops. There is really no way around that.

I personally don't recommend doing any VLAN assignments on Windows machines because of this issue. A normal user logging in and switching VLAN's can cause GPOs, login scripts, drive mappings, etc. to all fail because of the change of IP address. Downloadable ACL's are more appropriate. I also really don't recommend doing user authentication unless you absolutely need to differentiate access based on who the user is.

Agree, nothing besides switching to ACLs or start using Scalable Group Tags (SGT) which are even more recommended

The Windows user remotes into a workstation with RDS/Remote Desktop that is on a different VLAN than what the user belongs to. Connection is dropped