
Terminal Server / URL Filtering / ASA Firepower

I've seen a few posts that skim around this but I want to get a clear answer.  We are trying to figure out two things:

  1. Can the Firepower URL filter on an ASA (when properly licensed) do user-based URL filtering for Terminal Server users?
    1. If it can, is some sort of agent or proxy needed on the Terminal Server or possibly between the Terminal Server and the SFR module?
  2. Assuming it can't, is it possible to configure a separate URL filtering policy that will be applied to a source IP address regardless of the user?
  3. If number one is 'no', is this planned for a future release?

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Philip D'Ath
VIP Alumni

(1) No.  "Users" are associated with IP addresses.

(2). Not completely sure.  75% yes.

Marvin Rhoads
Hall of Fame

1. If you do a captive portal (FirePOWER 6.0) you can require users (terminal server-based or otherwise) to provide their credentials to the FirePOWER module to access web-based resources.

2. You can alternatively create a URL Filtering policy with "networks" (could be individual /32s) as one of the criteria for the policy.

The captive portal suggestion is an interesting idea, but the little I've read about it suggests that the purpose wasn't to distinguish users who utilize a single IP (Terminal Server Clients) but rather to supplement the SFUA.  [@mrhoads-cco]  do you happen to have a link to some literature that supports that? I'd love to read it. 

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Christopher,

I see your point about TS users using a single IP address. That may break the captive portal assumption that once a user has authenticated via the portal, that links the IP address with the identity. I'm not sure how the details work - the configuration guide is silent on that detail.

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/User_Identity_Sources.html#concept_6E7BBA97DD5D4883AA55185B6FEEE9BA

Also, captive portal requires a routed mode IPS whereas most deployments I've seen are inline (transparent).

I was thinking more along the lines of a Citrix VDI infrastructure where the users get desktops with individual unique IP addresses. For that use case, we can differentiate access as we do with ISE per the following guide:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/CMWSwC/CMWSwCConfig.html 

Hello

I am looking for the TS agent on version 6.1

http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/User_Identity_Sources.html#task_70A1D11CEE7E4F7F84CF90777F8E195F__step_CC061C4B3251440EBF5DD66D471889FC

says: ... see the Cisco Terminal Services (TS) Agent Guide => which I cannot find anywhere

I have also found that: The TS Agent feature (VDI Identity Support) is available in a limited availability program adjacent to Version 6.1.

Has anyone managed to find some docs and resources?

Thanks

Guillaume

[@guillaume.barberot]  ,

The supporting documentation for the limited availability is only available to the customers participating in the program.

Once it is opened up (hopefully with 6.2 in the next month or so), it will be made publicly available.

Hello Team,

It is in limited availability.

You have to contact the accounts team who should be able to help them out.

If you are interested in being beta customers, you have to contact the Accounts team.

Rate and mark if the post helps you.

Regards

Jetsy

 
