Nxfilter and IP Virtualization on Terminal Server


Eduardo

May 12, 2014, 1:51:20 PM
to nxfil...@googlegroups.com
Hello, I have a problem. On Terminal Server 2008 I use NxFilter with the 'IP virtualization' feature enabled to give each session an IP. I run "Nxlogon.exe ipdnsserver" in the logon script, but the parameters (variables) such as "uname" and "categories" are not available. If I disable IP virtualization, everything works well. Does anyone have any tricks for this? Thanks!

Jinhee

May 12, 2014, 8:36:41 PM
Hi Eduardo,

Do you mean that your NxLogon works fine without IP virtualization?
But when you enable it you don't get username on NxFilter log?
What's with 'category' then?
Are you not talking about group?

Firstly we need to see your IP virtualization works against NxFilter.
Try to create an IP user based on an IP from your terminal server IP virtualization.
If it works you have a problem with NxLogon picking up a username.

Did you look into /log/nxd.log file?
You're supposed to have this kind of log when everything's working.

  INFO ({Thread-18} LoginListener.java[_deal_login]:44) [2014-05-12 22:55:28] - New login session by nxlogon request for 192.168.0.103, jinhee

And I am working on another method of single sign-on against AD.
It doesn't require NxLogon or GPO.
You just need to install a program on your DC which is called NxMapper.
It will grab the IP-username map and send it to NxFilter.

Jinhee

Eduardo

May 13, 2014, 8:57:43 AM
Hey Jinhee, thanks for the reply.

I'm sorry, I used the wrong variables; it was not "uname" and "categories" but "# {domain}", "# {reason}" and "# {user}".

I analyzed the log that you mentioned, and nxlogon and the login page correctly send the virtual IP, but when navigating it registers as "no-user".

Here is what is happening:

User: indep
Virtual IP: 192.168.5.85
Physical IP: 192.168.5.5

Sites surveyed:
http://www.indepinfo.com.br (is in the whitelist)
http://www.clicrbs.com.br (not on the whitelist but is released to the user)

The sites that are on the whitelist function normally.
The other sites are always blocked and do not appear in the NxFilter log.

In the log file nxd.log the data is correct (user = Indep and IP = 192.168.5.85).
In the logging within NxFilter the data appears wrong (user = no-user and IP = 192.168.5.5).

On the block page the variables are as follows:
# {domain} - OK
# {reason} - Null
# {user} - Null

I attached two pictures to make it easier to see.

I await your help. NxFilter is a fantastic tool, but in every situation different details arise; it is good that you are here to help. The posts only help to improve the program and its prestige.
Thanks for now.
imagem.jpg
site.jpg

Jinhee

May 13, 2014, 9:46:15 AM
One of the possibilities is that your browser sends the different IP or your terminal server IP.
Was it your terminal server IP? 192.168.5.5.
Or the DNS query might not be using that virtual session.
In that case I guess there might be something you can setup for those programs.

Jinhee

Eduardo

May 13, 2014, 10:09:24 AM
Yes, the terminal server IP is 192.168.5.5, and the virtual IP for the session is 192.168.5.85.

I don't know if the browser has this configuration possibility. I'm using Microsoft Hyper-V; I will try to use VMware and will post the result. Thanks for now.

Eduardo

May 13, 2014, 9:03:28 PM
Hello again Jinhee, I've been using Microsoft traffic monitor and found in the log that the virtual IP the browser uses is correct and the TCP traffic is all right, but the DNS traffic uses the computer's physical IP to talk to NxFilter; several DNS queries communicating through the physical IP were found.

It is for this reason that the login-page works and sends the correct IP, and then sending status through nxlogon.exe uses another IP and logs with "no-user"; NxFilter does not find the IP-based user because the IP is not the same one used at login. Correct me if I'm wrong.

Can you imagine a fix for this? Or does your new method through NxMapper use another way to communicate it? I think this situation will become increasingly common because virtualization is being used more often all over the place.

I hope you get a solution for this, if you can test in your lab in order to find a solution, I would appreciate it immensely.
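
Added example, not part of the thread: a Python check of the diagnosis in the post above, matching the login sessions recorded in nxd.log against the source IPs that DNS queries actually arrive from. The login-line pattern follows the nxd.log line quoted earlier in the thread; the sample log lines and query pairs are constructed, and exporting (source IP, name) pairs from a packet capture is an assumption.

```python
import re
from collections import Counter

# Pattern follows the nxd.log login line quoted earlier in this thread.
LOGIN_RE = re.compile(
    r"New login session by (?P<method>\S+) request for "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<user>\S+)"
)

# Constructed sample, modelled on that line, using the addresses from the thread.
SAMPLE_NXD_LOG = """\
INFO ({Thread-18} LoginListener.java[_deal_login]:44) [2014-05-13 08:40:02] - New login session by nxlogon request for 192.168.5.85, indep
INFO [05-13 08:41:10] - unclassified domain, example.invalid
"""

# Constructed (source_ip, qname) pairs, as one might export them from a
# capture of port 53 traffic on the terminal server (assumption).
SAMPLE_DNS_QUERIES = [
    ("192.168.5.5", "www.clicrbs.com.br"),
    ("192.168.5.5", "www.indepinfo.com.br"),
    ("192.168.5.85", "www.clicrbs.com.br"),
]

def login_sessions(log_text):
    """Map client IP -> user from login-session lines; the latest login wins."""
    sessions = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            sessions[m.group("ip")] = m.group("user")
    return sessions

def attribute_queries(sessions, queries):
    """Split queries into those an IP-based session covers and those it does not."""
    attributed, orphaned = [], Counter()
    for src_ip, qname in queries:
        user = sessions.get(src_ip)
        if user is None:
            orphaned[src_ip] += 1  # no session for this source IP: "no-user"
        else:
            attributed.append((user, src_ip, qname))
    return attributed, orphaned

if __name__ == "__main__":
    found = login_sessions(SAMPLE_NXD_LOG)
    attributed, orphaned = attribute_queries(found, SAMPLE_DNS_QUERIES)
    for user, ip, qname in attributed:
        print(f"{ip} -> {user}: {qname}")
    for ip, count in orphaned.items():
        print(f"{ip}: {count} queries with no login session (no-user)")
```
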

Jinhee

May 13, 2014, 9:27:08 PM
I thought your nxlogon.exe is working correctly but your DNS query uses your 192.168.5.5.
But can't test it on my side. I don't have windows 2008 server.

When you do the browsing what's the IP address on NxFilter log view?
Is it 192.168.5.5?

What if you use nslookup then?
Is it 192.168.5.5 as well?

So what you need to do is make these things use 192.168.5.85, your virtual IP.
If your nxlogon.exe is the wrong one then NxMapper might be working.
But in this case nxlogon.exe is fine and the other ones are making problems.

This virtual IP on terminal server.
I guess you can assign a different IP to a different user.
But can you setup a different DNS to a different user?
We need to know whether DNS queries are using the physical IP or the virtual IP.

Jinhee

Eduardo

May 14, 2014, 9:44:11 AM
When I am browsing, the IP address on the NxFilter log view is 192.168.5.5!

And nslookup returns 192.168.5.4, which is the NxFilter server IP. All seems correct.

I will send you the address of a virtual server 2008 I have tested. If you have time to test, I will send it to your e-mail.


Jinhee

May 14, 2014, 9:49:58 AM
Yeah, send me the detail over email.
Terminal server and your NxFilter address as well.
And the password to NxFilter.

email : support at nxfilter.org

Might have some time tomorrow.

Jinhee

Jinhee

May 15, 2014, 8:33:22 AM

Thanks for giving me an opportunity for learning Portuguese. I spent almost
an hour on your system.

I attached a screenshot from your NxFilter log view. I logged in using
the login-page. As you see roberta from 192.168.5.81 and angelica from
192.168.5.89.

However you have some problem with angelica. My request from browser doesn't
appear on your log view. Only from nslookup. This is because you have a proxy
setup. So I removed all the proxy setup but still angelica's browser doesn't use
NxFilter as its DNS server. Do you have any web-proxy in your network?

Anyway it seems working but I don't know why angelica's browser is not using NxFilter
as its DNS server. You'd better watch it from console while you're browsing.

About nxlogon.exe, if it's not working, firstly just try to make it work with
the login-page first.

Jinhee

Eduardo

May 15, 2014, 11:11:48 AM
Hehe, good, do you like Portuguese? It is a bit tricky for those having their first contact with it. Sorry again my friend, my partner was testing with an alternative proxy to solve our problem; I think he forgot to remove the settings. But the DNS filter is the best way.

We customized the block page, and the "Motivo:" field should be filled with the variable "# {reason}", but it is not.

I created a shortcut on the desktop of the administrator's session to the NxFilter folder to access nxd.log. I tested again and it is still registering with the IP 192.168.5.5. It looks like it worked a bit for you but not for us. I'm counting on your help if you have more time to test.

There are many other users that you can use to test, such as janine, eloiza, helena.

Do you maybe do it a different way?

I log on to the domain, open the browser at login.nxfilter.org, log in with the domain login, close the browser, open the browser again and navigate!

One detail: without the virtual IP, the field "Motivo:" appears with the correct information "#reason".

I don't have a proxy on my LAN; it was configured only for testing.

Thanks again, I'll wait to hear from you.

Jinhee

May 15, 2014, 11:32:07 AM
Actually it was interesting to test Windows 2008 with virtual IP. As I don't have Windows 2008 and it's not possible
to have Windows 2008 on vmware with virtual IP as far as I know. But after I tested your server I think it's possible
to have authentication against AD with the terminal server if it's Windows 2008. Only we don't know how to in a solid
way. I want to help you but since I don't have Windows 2008 it's very difficult on my side. Like I told you try it with
that login-page way. It's always my choice going with the simplest way and then move onto the next step.

Jinhee

Eduardo

May 15, 2014, 12:12:23 PM
I can leave a machine available for your tests, if you find it convenient. I really need to solve these details, because the stations are OK, but with this terminal server, to which around 5~10 users will connect, I would like to have control of navigation for each user, and not the same blocks and whitelist for all users of this machine. Thanks for your attention, and we are willing to contribute financially if necessary. Thanks.

Eduardo

May 15, 2014, 12:33:51 PM
I took some screenshots, I do not know if you saw them, regarding DNS communication passing through the IP 192.168.5.5, which is not the one corresponding to the virtual session in use.

And another screenshot that has something about SSL, but I think this is not related; I'm not yet deep enough into that subject.
dns.png
tls-ssl.png

Jinhee

May 15, 2014, 7:47:18 PM
What you need to do is find out the difference between the working one and the not working one.
In my test roberta was fine. So you need to test roberta account to confirm it. If you see it working
then try to find out the difference between roberta and angelica.

Jinhee

Eduardo

May 15, 2014, 11:23:12 PM
Ok, I will test, but what I want to say is that the roberta login worked only for you, because we were testing the same thing, with the same configs, for more than 1 day and it didn't work. Only the login-page registers with the virtual IP; the rest of the navigation continues registering with 192.168.5.5 and "no-user". I'm boring, hehe, still trying.

Jinhee

May 16, 2014, 12:15:14 AM
That's weird. When I test it I tested both browser and nslookup. All worked fine.
Did you install your terminal server on vmware?
I think I read somewhere that virtual IP is not working with vmware or other VMs.

Eduardo

May 16, 2014, 7:28:13 AM
Well, I imagine you have done the whole procedure the same as me. I'm using Microsoft Hyper-V for the virtual machine. Did you only use nslookup to verify if the DNS is correct, or did you use some other command? Because like I said, I test and re-test, and it always gives the same result: login OK but navigation not. I don't know what more to do.

When you connected, on the block page, did the "#reason" appear to the right of "Motivo:"?

Jinhee

May 16, 2014, 7:49:40 AM
No, the reason was not there. I thought it's weird but I couldn't see the debug message on NxFilter side.
Did you try to enable debug option? On /conf/cfg.properties file change INFO to DEBUG.
And you run your NxFilter on the command line by clicking /bin/startup.bat file.
And watch it as you are using roberta's account.

I was using chrome as well. Not just nslookup.

Jinhee

Eduardo

May 16, 2014, 7:55:02 AM
Ok, I'll test with the debug option. I've seen the log and found this line "  INFO [05-15 08:47:24] - unclassified domain, 4.5.168.192.in-addr.arpa", which is the reverse. It appears only one time, just when you accessed and tested; this is why I asked if you ran some command before the tests, an nslookup with parameters maybe.

Eduardo

May 16, 2014, 1:56:24 PM
Hello Jinhee, I came across an interesting situation. I did some testing and the same log line I wrote in the previous post, from when you accessed, does appear. I noted that the sites accessed only register and work properly with the virtual IP after I run an "nslookup www.yotube.com", for example, for each one before accessing it. It seems like some kind of internal table is created. Do you have any suggestion as to why that is?

Eduardo

May 16, 2014, 4:19:39 PM
Good news friend, after I deactivated the DNS service on the TS machine, everything works fine. It's perfect.

Jinhee

May 16, 2014, 5:32:25 PM
Very good. So it's about the DNS server running on terminal server. And this ip-session is working well with the virtual IP from Windows 2008. Now we know NxFilter works with terminal server. Thanks Eduardo.

Jinhee

Eduardo

May 16, 2014, 5:54:47 PM
That's right, almost everything is working now, both with the login-page and nxlogon. Only the "https" websites do not show the block page, but they are blocked according to the blocking rules, and if they are not blocked by the rules or are in the whitelist, they open normally. Any suggestions about this detail of https?

I wanted to thank your help, and congratulate you for the outstanding design that is nxfilter, you are to be congratulated, great tool.

Jinhee

May 16, 2014, 6:50:08 PM
It's because when we redirect a browser to NxFilter there needs to be something waiting for the browser.
On port 80 there's a block-page. But not on 443. NxFilter uses port 9443 as a default option for HTTPS.

However even if you change it to 443 you don't get the block-page. Instead you get a warning message
from your browser about certification error. It doesn't look good so I made it 9443.

Read this,

  https://groups.google.com/forum/?fromgroups=&hl=en#!topic/nxfilter200/bA3fuYVrif8

They are also talking about HTTPS blocking.

Jinhee